SAP Controls



  • We are using a control objective framework from our auditors to document our IT controls. However, our auditors are also insisting that we must also document and test some additional SAP-specific application controls, mainly around access. We are arguing that we are not going to that level of detail on any of the other applications which we are documenting, therefore we should not need to do so for SAP. Has anyone else got any experience of this?



  • After a shallow risk analysis of applications, it commonly appears that SAP is the riskier system. Our auditors expect us to establish a set of controls specific to SAP, e.g.: job and transaction documentation, job monitoring, deep segregation of duties for development and administration, proactive fault logging assessment. Access audits are to be performed on a periodic basis to ensure a ‘minimal rights’ policy for users.

