Clean up the TOP findings before the auditor arrives.
WELCOME!
Introducing your hosts today:
Axel Daldorf, Senior PreSales Consultant SAST SUITE
Sascha Heckmann, Lead Consultant SAST SUITE
AUDITING
Tasks of the auditor
▪ Section 2 (1) of the German Public Auditors' Code (Wirtschaftsprüferordnung, WPO)
▪ Report on the confirmation or refusal of the audit results
▪ Financial statements, creditworthiness, profitability and control of corporate IT systems
▪ Among other things, SoD (segregation of duties) risks and single critical authorizations are examined in corporate IT systems.
Auditors (Wirtschaftsprüfer, "WP" in the rest of this deck) are increasingly auditing IT systems!
EXCURSUS
SoD and critical permissions
SoD conflict based on an accounting example

  FUNCTION                                        RISK                                AUTHORIZATION (transaction)
  Maintenance of supplier master data             Creation of non-existent vendors    FK01 / XK01
  Posting documents / invoicing (incoming goods)  Posting of fictitious invoices      FB60 / FB65 / FB01 / F-53

Maintenance of master data AND transactional data = (FK01 / XK01) + (FB60 / FB65 / FB01 / F-53)
Resulting risk: posting of incoming invoices to fictitious vendor accounts, and cash outflow when those invoices are settled.

Single critical authorizations:
In contrast to SoD conflicts, risks here arise from single functions.
Examples: Debug and replace, deletion of change documents, start of all reports...

Dealing with corporate risks: separation of functions conflicts and single critical authorizations.
Options: Accept, Revoke, Mitigate.
Risks cannot always be removed while maintaining economic efficiency.
TOGETHER ON THE STRAIGHT
Let's find a sustainable solution together.
With the SAST SOLUTIONS portfolio of akquinet AG, we are your world-class provider for the holistic protection
of SAP ERP as well as S/4HANA systems - with real-time monitoring. In addition to our proprietary software suite,
we offer SAP security and authorization consulting and managed services from a single source.
Worldwide, more than 200 customers with 3.5 million SAP users currently rely on our vast expertise in protecting
their SAP systems from cyberattacks, manipulation, espionage and data theft.
Facts and figures (chart): akquinet AG turnover in Mio. € and employee headcount for 2002, 2005, 2008, 2011, 2014, 2019, 2020 and 2021, plus SAST SOLUTIONS customers worldwide.
Your IT security is our number one concern – in real time.
All solutions from one source: you have the choice for your SAP ERP and S/4HANA systems!
SAP Security & Compliance – make or buy?!
Offerings: SOFTWARE SUITE | CONSULTING | MANAGED SERVICES
Topics: SAP Security Consulting; SAP Authorization Consulting; SAP HANA & S/4HANA Migration; SAP Threat Detection & Vulnerability Assessment; SAP Cyber Security; SAP Access Governance; SAP User & Authorization Management
After the audit is before the audit
▪ Old WP findings are processed (eliminated or mitigated) for the next audit.
▪ The WP will carry out further checks and draw up a new finding list.
▪ The game starts again, or "after the audit is before the audit"...

Audit of the WPs at the end of each year (timeline November 2019 / November 2020 / November 2021):
▪ November 2019: old finding list (Debug replace, SAP_ALL, SoD, ...) -> clean-up
▪ 2020: no audit activity
▪ November 2020: new findings? (Debug replace, SAP_ALL, SoD, ...) -> analysis / clean-up
▪ 2021: no audit activity
▪ November 2021: new findings? (Debug replace, SAP_ALL, SoD, ...) -> analysis / clean-up

Question: Is this reporting-date based audit/action useful?
YES, for the reporting date, but not promising for the future, since...
▪ ...the compliance status of the system deteriorates immediately afterwards.
▪ ...many risks are not identified during the year.
▪ ...no continuous work is done to improve the situation.
▪ ...no permanent risk control takes place.
Stop flying blind, close the gap!
Timeline November 2019 / November 2020 / November 2021: cyclic checks throughout 2020 and 2021 instead of no audit activity between the reporting dates.
▪ Create a separate policy for the WP finding list
▪ Create an audit plan for cyclical control of the mentioned risks
▪ Derive measures
Risk tracking with the SAST SUITE: using the finding list
A finding list only ever shows a small section of the risks in an SAP system. A holistic approach must be adopted.
A NEW LEVEL: STAY CLEAN
Start an active risk management.
Defining the business risks: the way to "stay clean" with SAST SUITE
▪ Define and map risks with the SAST rules
▪ Create supplementary content for your own developments
▪ Define manual checks
▪ Derive customer policies
▪ Check the system -> derive measures -> clean up/mitigate
▪ Cyclical check incl. compensating checks
▪ Smaller policies especially for the WP audit are still possible
▪ Consideration of upstream systems for proactive security from the beginning
✓ With SAST SUITE you document and mitigate all risks effectively and efficiently.
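The accounting SoD example from the excursus (vendor master maintenance combined with invoice/payment posting), the accept/revoke/mitigate decision, and the cyclic "check the system -> derive measures -> clean up/mitigate" loop above, worked through as an added Python example. This is not code from SAST SUITE or akquinet. The transaction codes, the SAP_ALL profile and the debug-with-replace authorization (S_DEVELOP with OBJTYPE=DEBUG and ACTVT=02) are SAP standard; the rule IDs, user names, two user snapshots and treatment decisions are constructed for the example. The authorization model is simplified: each user's effective authorizations are given literally instead of being resolved from roles and profiles as a real check would do.

```python
"""SoD / single-critical-authorization check with treatment tracking and run-to-run diff.

Added example, not SAST SUITE code. Rule IDs, users, snapshots and treatments are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    profiles: set = field(default_factory=set)  # assigned profiles, e.g. {"SAP_ALL"}
    # authorization instances: {"object": name, FIELD: set_of_values}; "*" = all values
    auths: list = field(default_factory=list)


@dataclass(frozen=True)
class Finding:
    user: str
    rule_id: str
    risk: str
    evidence: str


# SoD rule from the deck: supplier master maintenance AND invoice/payment posting.
SOD_RULES = [
    {"id": "SOD-AP-01",
     "function_a": {"FK01", "XK01"},                  # maintain supplier master data
     "function_b": {"FB60", "FB65", "FB01", "F-53"},  # post invoices / outgoing payments
     "risk": "Invoices posted to fictitious vendors, cash outflow on settlement"},
]

# Single critical authorizations (one function is enough for the risk).
CRITICAL_RULES = [
    {"id": "CRIT-SAP_ALL", "profile": "SAP_ALL", "risk": "Full authorization via SAP_ALL"},
    {"id": "CRIT-DEBUG-REPLACE", "object": "S_DEVELOP", "fields": {"OBJTYPE": "DEBUG", "ACTVT": "02"},
     "risk": "Debug with replace: alter variables and bypass checks at runtime"},
    {"id": "CRIT-ANY-TCODE", "object": "S_TCODE", "fields": {"TCD": "*"},
     "risk": "Start of any transaction"},
]


def field_matches(values, required):
    """A required value is covered if granted explicitly or via the '*' wildcard."""
    return required in values or "*" in values


def startable_tcodes(user):
    return {t for a in user.auths if a["object"] == "S_TCODE" for t in a.get("TCD", ())}


def check_user(user):
    """Return all SoD and single-critical findings for one user."""
    findings, tcds = [], startable_tcodes(user)
    for rule in SOD_RULES:
        hit_a = rule["function_a"] if "*" in tcds else tcds & rule["function_a"]
        hit_b = rule["function_b"] if "*" in tcds else tcds & rule["function_b"]
        if hit_a and hit_b:  # both sides of the conflict are reachable
            findings.append(Finding(user.name, rule["id"], rule["risk"], f"{sorted(hit_a)} + {sorted(hit_b)}"))
    for rule in CRITICAL_RULES:
        if "profile" in rule:
            if rule["profile"] in user.profiles:
                findings.append(Finding(user.name, rule["id"], rule["risk"], rule["profile"]))
            continue
        for auth in user.auths:
            if auth["object"] == rule["object"] and all(
                    field_matches(auth.get(f, ()), v) for f, v in rule["fields"].items()):
                detail = ", ".join(f"{f}={v}" for f, v in rule["fields"].items())
                findings.append(Finding(user.name, rule["id"], rule["risk"], f"{rule['object']} {detail}"))
                break
    return findings


def check_system(users):
    return [f for u in users for f in check_user(u)]


def treatment_status(findings, treatments):
    """Attach the documented decision ('accept'/'mitigate' + control) to each finding.
    'Revoke' needs no entry: a revoked authorization stops producing a finding,
    which the next run's diff then reports as resolved."""
    return {(f.user, f.rule_id): {"finding": f, **dict(zip(("status", "control"),
            treatments.get((f.user, f.rule_id), ("open", ""))))} for f in findings}


def diff_findings(previous, current):
    """Old finding list vs. new findings: what is new, what was cleaned up, what persists."""
    prev = {(f.user, f.rule_id) for f in previous}
    cur = {(f.user, f.rule_id) for f in current}
    return {"new": sorted(cur - prev), "resolved": sorted(prev - cur), "persisting": sorted(cur & prev)}


def tcode_auth(*tcds):
    return {"object": "S_TCODE", "TCD": set(tcds)}


def november_users():  # constructed snapshot at the reporting date, before clean-up
    return [User("pmiller", auths=[tcode_auth("FK01", "FB60", "FB03")]),
            User("dev01", auths=[tcode_auth("SE80"),
                                 {"object": "S_DEVELOP", "OBJTYPE": {"DEBUG", "PROG"}, "ACTVT": {"02", "03"}}]),
            User("sapadmin", profiles={"SAP_ALL"}, auths=[tcode_auth("*")]),
            User("clerk", auths=[tcode_auth("FB60", "FB65")])]


def february_users():  # constructed snapshot after clean-up plus a few months of drift
    return [User("pmiller", auths=[tcode_auth("FK01", "FB60", "FB03")]),       # kept, mitigated
            User("dev01", auths=[tcode_auth("SE80"),
                                 {"object": "S_DEVELOP", "OBJTYPE": {"DEBUG", "PROG"}, "ACTVT": {"03"}}]),  # 02 revoked
            User("sapadmin", profiles={"SAP_ALL"}, auths=[tcode_auth("*")]),  # SAP_ALL accepted
            User("clerk", auths=[tcode_auth("FB60", "FB65")]),
            User("temp_cons", auths=[{"object": "S_DEVELOP", "OBJTYPE": {"DEBUG"}, "ACTVT": {"02"}}])]  # new


TREATMENTS = {  # documented risk decisions (constructed)
    ("pmiller", "SOD-AP-01"): ("mitigate", "Monthly reconciliation of new vendors vs. paid invoices"),
    ("sapadmin", "CRIT-SAP_ALL"): ("accept", "Emergency user, usage logged and reviewed"),
}


def run_cycle():
    """One cyclic check: evaluate, classify by treatment, diff against the previous run."""
    old, new = check_system(november_users()), check_system(february_users())
    report = treatment_status(new, TREATMENTS)
    counts = {}
    for entry in report.values():
        counts[entry["status"]] = counts.get(entry["status"], 0) + 1
    return {"diff": diff_findings(old, new), "counts": counts}


if __name__ == "__main__":
    result = run_cycle()
    for key, items in result["diff"].items():
        print(f"{key:10s} {items}")
    print("status counts:", result["counts"])
```

Running it shows the deck's point in data: dev01's revoked debug-replace shows up as resolved, but a consultant account created during the year carries the same finding, and it is only visible because the February run happened at all; a reporting-date-only audit would have found it eleven months later. The `'*'` handling in `field_matches` and `check_user` is the check a practitioner should not skip, since wildcard values are exactly how SAP_ALL-style grants satisfy every rule at once.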
SAP Security and Compliance at a glance (cycle):
Definition of audit requirements (legal, internal, BSI, DSAG, ...) -> Initial analysis of the system landscape -> Cleaning up permissions to minimise risk -> Cyclical internal audit (Stay Clean): regular analyses

Cyclical audits with SAST SUITE
Audit plan
▪ Definition of the audit scope
▪ Planning of recurring audits
▪ Automated audit execution
TARGET: Cyclical audit with equal scope for reporting.
Take Home Messages
✓ An ad hoc clean-up of the WP findings is quickly and effectively achieved with SAST SUITE.
✓ The initial action should be the exception, as it creates a large temporal monitoring gap.
✓ The desired solution should be a holistically conceived Stay Clean process adapted to the company, which can be established effectively and easily with us.
✓ Our recommendation: extend the monitoring to technical aspects of your SAP systems.
Axel Daldorf, Senior PreSales Consultant SAST SUITE
Tel: +49 40 88173-109
Email: mail@sast-solutions.de
Web: sast-solutions.com
© Copyright AKQUINET AG. All rights reserved. This publication is protected by copyright.
All rights, in particular the right of reproduction, distribution, and translation, are reserved. No part of this document may be reproduced in any form (photocopy, microfilm or other process) or processed, copied, or distributed using electronic systems without the prior
written agreement of AKQUINET AG. Some of the names mentioned in this publication are registered trademarks of the respective provider and as such are subject to legal provisions.
The information in this publication has been compiled with the greatest care. However, no guarantee can be given for its applicability, correctness, and completeness. AKQUINET AG shall assume no liability for losses arising from use of the information.
YOU HAVE QUESTIONS? WE ANSWER. FOR SURE.

Rectify your top findings before the external auditors arrive! [Webinar]
