SAP access audit – the key to security and compliance

Update 09/29

Why are authorizations so important?

In SAP, every access begins with authorization: user → role → profile and authorization objects → transactions, applications, and field values. This chain determines who can create a document, change data, approve a payment, or open an accounting period. If the authorization concept is designed and maintained correctly, SAP operates securely, efficiently, and in compliance with regulations.
However, without a consistent concept and ongoing control, security gaps arise that lead to abuse, errors, or failed audits.

The authorization structure in SAP is multi-layered: access is restricted at the application, transaction, authorization object, and field value levels. How those layers are cut depends on the organization’s business processes, its authorization concept, and even on the way individual teams work. This has practical implications: without consistent rules and continuous control, it is easy to end up with redundant access, duplicate roles, and SoD conflicts that are difficult to detect “by eye.”

Security and order in roles

Well-designed roles strengthen financial control, reduce abuse and errors, and at the same time speed up audits. Order in permissions also means lower costs: fewer expensive “just in case” licenses, easier migrations (e.g., to S/4HANA), and more efficient updates. Auditing user permissions and access verifies that users have exactly the permissions they actually need to perform their job duties. The purpose of the audit is to ensure compliance with security rules, legal regulations, and internal company policy.

The audit analyzes, among other things:

•       Compliance of roles with security policy and the principle of least privilege – whether the user has only the permissions necessary for their work.

•       The occurrence of Segregation of Duties (SoD) conflicts – e.g., cases where one person can both create a supplier and approve a payment.

•       Redundant, unused, or obsolete privileges – e.g., roles assigned long ago that are no longer needed or have not been used for a long time.

•       User lifecycle management processes (Joiner–Mover–Leaver) – whether access is granted to new employees in a controlled manner, updated when they change positions, and revoked when they leave the company.

•       Preparation for internal and external audits – e.g., evidence for ITGC testing and for SOX, GDPR, or ISO 27001 audits, and completeness of access approval documentation.

•       Emergency access (Firefighter/Emergency Access) – whether it is properly accounted for and monitored after use.

•       Technical and system users – do they have the appropriate scope of permissions and are their actions properly logged and supervised?

Risks resulting from uncontrolled access

Overly broad or poorly assigned permissions can lead to:

  • Financial abuse – e.g., an employee with access to the accounting system can approve their own invoices, create fictitious contractors, or independently initiate and authorize transfers.
  • Data leaks – e.g., administrators with unlimited permissions copy customer databases to external media or private clouds, which can result in the loss of confidential information and customer trust.
  • Operational errors – e.g., a user with access to the production system configuration accidentally deletes or modifies critical data, causing downtime or malfunctioning business processes.
  • Costs and penalties resulting from non-compliance – e.g., lack of control over permissions results in regulatory violations (GDPR, SOX, ISO 27001), which can lead to financial penalties, loss of certification, or damage to the organization’s reputation.
  • Unnecessary licensing expenses – e.g., users have access to modules and applications they never use, resulting in the company paying for unused licenses or overly high license categories.
  • Difficulties in auditing and internal control – e.g., a lack of transparency in assigned permissions makes it difficult to identify responsible persons, analyze logs, and verify compliance with security policies.
  • Loss of system integrity – e.g., improperly assigned technical permissions allow control mechanisms to be bypassed, which can lead to unauthorized configuration or data changes.

Audit and regulatory compliance

Access control in SAP allows you to meet legal and industry requirements such as GDPR, SOX, and J-SOX. It ensures that personal data is protected and that financial processes are reliable and stand up to the scrutiny of external auditors.

Auditor’s checklist

During the audit, aspects such as the following are analyzed:

  • Access granting and revocation policies, including compliance with the authorization concept, business responsibilities, and the least privilege principle (granting the minimum necessary permissions).
  • Regular recertification of roles and users, carried out periodically (e.g., quarterly or semi-annually) to confirm the validity of access rights.
  • Documentation of changes in the system and compliance with the access management process (Access Management Lifecycle), including approval paths and decision logging.
  • Emergency access control (Firefighter / Privileged Access Management) – supervision over the granting, use, and accounting of temporary administrative privileges.
  • Identification and handling of inactive accounts and roles assigned beyond necessity, including automatic detection of users who have not logged in for an extended period.
  • Segregation of Duties (SoD) conflicts – their identification, justification (mitigation), and implementation of compensating mechanisms, e.g., dual authorization or additional business controls.
  • Matching license types and scopes to actual system usage (e.g., in the context of SAP FUE/PUPM or Named User Licenses).
  • Correct handling of indirect access/digital access scenarios, including integration and system users.
  • Monitoring and logging of sensitive activities, as well as periodic reviews of SoD reports and access to critical transactions.
  • Compliance of authorizations with regulatory and control requirements (including GDPR, SOX, J-SOX, and ICFR) and with the organization’s key risk indicators (KRIs), taking into account the protection of personal data and control of access to confidential information.
  • Regular internal and external audits (e.g., ITGC, ISO 27001) to verify process compliance and the effectiveness of implemented controls.
  • Supervision of technical and integration accounts, including control of their use and assigned permissions.
  • Reporting and analysis of access risk trends to identify areas requiring improvement or additional security measures.

The role of GRC tools

Manual auditing in a complex SAP system is difficult and time-consuming. That is why GRC tools are used, such as:

SAP GRC Access Control – a mature SAP solution for managing authorizations and segregation of duties (SoD) risk in on-premise environments. It covers role assignment, maintenance of the SoD rule set, user provisioning workflows (Access Request Management), and access risk analysis. In the so-called “bridge” scenario it can also be connected to cloud applications, so access is managed consistently across a hybrid landscape. SAP Access Control is the most widely used option in large organizations running SAP ERP or SAP S/4HANA on premise. It provides automatic risk detection, continuous monitoring, and quick preparation of reports for auditors, supporting audits with current data, less manual work, and compliance evidence presented in a transparent form.

SAP Cloud Identity Access Governance (IAG) is a newer SAP solution designed for access management in cloud environments such as SAP Concur, SAP SuccessFactors, SAP Ariba, and SAP S/4HANA Cloud. It provides centralized user lifecycle management, SoD risk analysis, and access approval processes in a cloud-based architecture. IAG is a natural complement or successor to Access Control for organizations migrating to the SAP cloud that need native integration with SaaS applications while maintaining compliance with security and audit policies.

SmartGRC
This is an alternative solution for granting access, maintaining the SoD risk database, monitoring the use of broad and administrative accounts, and supporting periodic privilege reviews. The tool can be installed on premise or used in a cloud subscription model. SmartGRC integrates natively with SAP S/4HANA and can connect to other systems, including those outside the SAP ecosystem, via web service or XML file exchange, i.e., with any system that can export its authorization data. This enables centralized access risk management in complex IT environments spanning various technologies. SmartGRC stands out for its short implementation time, intuitive interface, and flexibility in adapting to the needs of the organization.

GRC systems have the following functions:

Detection function – GRC systems, such as SAP GRC Access Control, enable the detection of existing risks and irregularities in the authorization system. Analyses may include:

  • Identification of SoD (Segregation of Duties) conflicts – e.g., a user who has the ability to create a vendor and initiate a payment (F110) at the same time. Such a conflict poses a potential risk of financial abuse.
  • Detection of access to critical transactions – e.g., a user who has access to SU01 (user management) or OB52 (change of accounting periods), even though they do not belong to the IT or accounting department.
  • Analysis of inactive or obsolete user accounts – e.g., accounts that have not been used for 90 days but still have active roles assigned to them.
  • Detection of redundant roles and permissions – e.g., a user in the purchasing department also has roles in sales or production that are not necessary for their duties.
  • Identification of emergency access (Firefighter ID) sessions that have not been properly accounted for after use (no log or session report).

Preventive function – GRC systems also serve to prevent new risks from arising before they reach the production SAP system. In this regard, SAP GRC Access Control offers, among other things:

  • Blocking the assignment of roles containing SoD conflicts – e.g., when applying for a new role, the system automatically detects that the user already has invoice posting rights and cannot be granted access to initiate payments, as these two accesses create a segregation of duties conflict.
  • Approval workflow for access requests (Access Request Management) – each role request must be approved by the supervisor and role owner, ensuring business control and compliance with segregation of duties rules.
  • Recertification of roles and users (Access Review / User Access Review) – periodic privilege review campaigns allow managers to confirm the validity of access rights, e.g., every six months.
  • Control at the role creation stage – the built-in Role Management module analyzes designed roles for potential SoD conflicts before they are implemented.
  • Emergency Access Management – temporary access to critical transactions is approved, every action is logged, and a report of the actions performed is generated after the work is completed, which reduces the risk of abuse.
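The detective checks listed above (SoD conflict, critical transaction, inactive account with roles) and the preventive check (blocking a role request that would create a conflict) all run over the same three relationships: user → role, role → transaction, and user → last logon. The script below is an added example written for this post, not code from SAP GRC Access Control, IAG, or SmartGRC. Its sample rows are constructed; the column names mimic the SAP tables USR02 (users, last logon in TRDAT), AGR_USERS (user-role assignments, validity end in TO_DAT) and AGR_TCODES (role-transaction assignments). F110, SU01 and OB52 are the transactions named in the post; XK01 (vendor master) and ME21N (purchase order), the Z_* role names and the user IDs are assumed for illustration. Note the expired Z_BASIS_USERADMIN assignment: a check that ignores TO_DAT would report SU01 access that the user no longer has.

```python
"""Detective and preventive access-risk checks over SAP-style extracts.

Added illustration, not SAP GRC Access Control, IAG or SmartGRC code. All
sample rows are constructed; column names mimic USR02, AGR_USERS, AGR_TCODES.
"""
from collections import defaultdict
from datetime import date

AS_OF = date(2025, 9, 29)           # reporting date used by every check
INACTIVE_DAYS = 90                  # inactivity threshold named in the post
CRITICAL_TCODES = {"SU01", "OB52"}  # user maintenance, posting periods

# XK01 (vendor master create) and ME21N (purchase order) are assumed example
# transactions; F110 (payment run), SU01 and OB52 come from the post.
SOD_RULES = {"VENDOR_VS_PAYMENT": ({"XK01"}, {"F110"})}

USR02 = [  # USTYP: A = dialog user, B = system user; TRDAT = last logon
    {"BNAME": "JDOE",   "USTYP": "A", "TRDAT": "2025-09-20"},
    {"BNAME": "ASMITH", "USTYP": "A", "TRDAT": "2025-03-01"},
    {"BNAME": "PBROWN", "USTYP": "A", "TRDAT": "2025-09-25"},
    {"BNAME": "RFC_MM", "USTYP": "B", "TRDAT": "2025-09-28"},
]
AGR_USERS = [  # TO_DAT = end of the assignment's validity
    {"UNAME": "JDOE",   "AGR_NAME": "Z_AP_VENDOR_MAINT", "TO_DAT": "9999-12-31"},
    {"UNAME": "JDOE",   "AGR_NAME": "Z_AP_PAYMENT_RUN",  "TO_DAT": "9999-12-31"},
    {"UNAME": "ASMITH", "AGR_NAME": "Z_AP_VENDOR_MAINT", "TO_DAT": "9999-12-31"},
    {"UNAME": "PBROWN", "AGR_NAME": "Z_MM_PURCHASER",    "TO_DAT": "9999-12-31"},
    {"UNAME": "PBROWN", "AGR_NAME": "Z_FI_PERIOD_CTRL",  "TO_DAT": "9999-12-31"},
    {"UNAME": "PBROWN", "AGR_NAME": "Z_BASIS_USERADMIN", "TO_DAT": "2024-12-31"},  # expired
]
AGR_TCODES = [
    {"AGR_NAME": "Z_AP_VENDOR_MAINT", "TCODE": "XK01"},
    {"AGR_NAME": "Z_AP_PAYMENT_RUN",  "TCODE": "F110"},
    {"AGR_NAME": "Z_MM_PURCHASER",    "TCODE": "ME21N"},
    {"AGR_NAME": "Z_FI_PERIOD_CTRL",  "TCODE": "OB52"},
    {"AGR_NAME": "Z_BASIS_USERADMIN", "TCODE": "SU01"},
]


def active_roles(as_of=AS_OF, agr_users=AGR_USERS):
    """user -> roles still valid on as_of; expired assignments are ignored."""
    roles = defaultdict(set)
    for row in agr_users:
        if date.fromisoformat(row["TO_DAT"]) >= as_of:
            roles[row["UNAME"]].add(row["AGR_NAME"])
    return roles


def role_tcodes(agr_tcodes=AGR_TCODES):
    """role -> transactions it grants."""
    tcodes = defaultdict(set)
    for row in agr_tcodes:
        tcodes[row["AGR_NAME"]].add(row["TCODE"])
    return tcodes


def user_tcodes(roles_by_user, tcodes_by_role):
    """Flatten user -> roles -> transactions into user -> transactions."""
    return {u: set().union(*(tcodes_by_role[r] for r in rs))
            for u, rs in roles_by_user.items()}


def sod_conflicts(tcodes_by_user, rules=SOD_RULES):
    """Detective: users holding a transaction from both sides of a rule."""
    return sorted((u, name) for u, tc in tcodes_by_user.items()
                  for name, (side_a, side_b) in rules.items()
                  if tc & side_a and tc & side_b)


def critical_access(tcodes_by_user, critical=CRITICAL_TCODES):
    """Detective: who can start a critical transaction, for owner review."""
    return sorted((u, t) for u, tc in tcodes_by_user.items() for t in tc & critical)


def inactive_with_roles(roles_by_user, as_of=AS_OF, usr02=USR02, days=INACTIVE_DAYS):
    """Detective: accounts idle for `days` or more that still hold roles."""
    findings = []
    for row in usr02:
        idle = (as_of - date.fromisoformat(row["TRDAT"])).days
        if idle >= days and roles_by_user.get(row["BNAME"]):
            findings.append((row["BNAME"], row["USTYP"], idle))
    return sorted(findings)


def would_create_conflict(user, new_role, as_of=AS_OF, rules=SOD_RULES):
    """Preventive: simulate granting new_role and return the SoD rules it
    would newly violate; an empty list means the request may proceed."""
    tcodes_by_role = role_tcodes()
    before = active_roles(as_of).get(user, set())

    def violated(roles):
        return {n for _, n in sod_conflicts(user_tcodes({user: roles}, tcodes_by_role), rules)}

    return sorted(violated(before | {new_role}) - violated(before))


def run_report(as_of=AS_OF):
    """All detective checks for one reporting date."""
    roles = active_roles(as_of)
    tcodes = user_tcodes(roles, role_tcodes())
    return {"sod": sod_conflicts(tcodes),
            "critical": critical_access(tcodes),
            "inactive": inactive_with_roles(roles, as_of)}


if __name__ == "__main__":
    for section, findings in run_report().items():
        print(section, findings)
    print("ASMITH + Z_AP_PAYMENT_RUN:", would_create_conflict("ASMITH", "Z_AP_PAYMENT_RUN"))
```

On the constructed data the report flags JDOE for the vendor-versus-payment conflict, PBROWN (a purchaser) for OB52 access, and ASMITH as idle for 212 days while still holding a role; the preventive check rejects adding the payment-run role to ASMITH, who already has vendor maintenance, and allows it for PBROWN. A real GRC rule set works at the authorization object and field value level rather than on transaction codes alone, and the SmartGRC section above describes the same approach applied to data exported from non-SAP systems.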

As a result, GRC tools act as a security filter: on the one hand they detect violations as soon as they occur, and on the other they prevent them by stopping risky assignments before they reach the production system.

Summary

SAP access auditing is a continuous process that should combine security policies with automation and regular reviews.

Effective control is based on two pillars:

  • detection controls – reports, alerts, log analysis,
  • preventive controls – least privilege principle, SoD rules, automatic locks.

This approach ensures data security, regulatory compliance, and full audit readiness for the organization.
