How to Prepare for Your Next SAP Audit?

by IT Procedure Template

On October 19, 2020

The word audit is an alarming one in the B2B (Business-to-business) world!

Whether it’s a financial review or a software system compliance check, an audit is considered time-consuming, overwhelming, and expensive for organizations.

When presented with an audit letter, organizations face some common questions:

“Am I non-compliant?”

“There should be a reason why they started an audit!”

“Am I doing something wrong? What am I missing here?”

The uncertainty comes from the lack of a concise summary of the software licenses that the organization is entitled to use: what is included (their location and configuration), who has access to the licenses, and how they are used within the corporation.

Multinational corporations like Oracle, Microsoft, and IBM are both famous and dreaded when it comes to audits. An SAP audit is likewise a complicated and difficult experience for organizations. Preparation is essential to negotiating and passing an SAP audit successfully.

In this article, we will share tips and sensible recommendations that will increase oversight during the SAP audit.

What is SAP Audit?

SAP stands for Systems, Applications, and Products. It’s the name of both an ERP (Enterprise Resource Planning) software program and the company that makes it.

An SAP audit checks the integrity and security of your SAP computer systems. It’s also used to discover the company’s potential growth.

Who Conducts the SAP Audit?

The SAP audit is performed by the team known to clients as SAP Global License Auditing and Compliance (GLAC). It’s based on clearly outlined procedures and protocols.

The purpose of the audit is to review your SAP software usage compliance position. The SAP engagement team expects you to demonstrate that your software usage complies with the licenses you have acquired.

SAP is known for setting very tight deadlines for the audit. They put extra pressure on organizations that are less organized and need more time and manpower. The auditors contact the end-user continuously for updates regarding the measurements.

Objectives of The SAP Audit Team

Before starting the audit, the GLAC (Global License Auditing and Compliance) team gives small and medium companies three weeks to perform the audit. They must provide all the requested deployment and usage information.

Large enterprises, on the other hand, are expected to come back with the evidence within four weeks. This short timeframe limits your ability, and that of other users, to properly analyze the results and make minor adjustments in case of potential compliance issues.

It is a best practice for your internal audit/compliance functions to perform a periodic review of the licenses, ideally before the start of the SAP audit.

Be Aware of Your Rights

Performing a self-assessment is effective when your company has a broad understanding of the contractual agreement with SAP. This is not usually a transparent process, given the complexity of the documents and legal terminology.

At the same time, the original contract might be old and multiple additional clauses have been signed and added since, including or removing additional SAP products and services.

As such, a detailed review of the contract and addendums over the years is crucial for the preparation of your internal audit/review. By going one level deeper, it’s necessary to grasp the context under which those SAP products were sold.

It’s possible that the end-users purchased licenses only for a specific business unit while it was agreed per the contract that an enterprise metric for the entire Company is applicable.

Understanding the product metrics, the number of blocks, and the particular clauses that may have been agreed through contract (e.g. indirect use of service) are just a few examples of contractual terms that need to be taken into account.

What Should You Do?

As it needs to stay within the established boundaries, SAP cannot evaluate products retailed under changed or inconsistent metrics. It will create evaluations in agreement with the current metric maintained within the actual price list.

In this situation, as a client, you have the advantage to negotiate this in your favor if you have a proficient understanding of the written agreement clauses, associated metrics, and rating.

Update System Landscape

We recommend keeping your company’s system landscape status (for example, production use) up to date in your dedicated SAP Support Portal.

If this tool is not updated and you are in the middle of the audit, you can be requested by the SAP audit team to include systems in the USMM (“System Measurement”, transaction code USMM), which may not even be active at that time.

The SAP Support Portal is the reference for the auditors and needs to reflect your actual system use in real time. If this aspect does not get particular attention, your company may face a situation in which the measurement of the SAP environments includes usage of modules or engines that the IT personnel tested long before the audit period, but for which you were never licensed.

The bottom line is you need to be prepared for SAP asking questions about all the SAP systems linked to your company. The inactive SAP systems may be included in the measurement plan as provided by SAP, with negative financial consequences arising from this situation.

The Core of The SAP Audit

Another recommendation to consider is to simply run check measurements with the SAP activity program (transaction USMM). This should be done as an internal analysis of users and engines – it’s not a good idea to send the output to SAP, as this might trigger a response (i.e. audit).

Most organizations do not maintain their systems (users and engines) regularly. This results in the measurements including inaccurate data.

We recommend running a measurement test and having it reviewed by an external SAP consultant. After implementing the SAP consultant’s points (e.g. cleanup of the user base, implementing notes, etc.), the final product can be shared with SAP.

Users

Determining the right classification for SAP users is quite tough for pretty much all end users. Basic user definitions are easily available on the SAP Support Portal. However, the contractual agreement might contain additional definitions and classifications that must be cleared to perform an internal review or to validate the results of your SAP audit.

Inside the SAP activity program (USMM), there are plenty of methods used for user classification. The main classification is based on the user authorization and contractual agreement, which should correspond with the price list (at the core of the SAP contract).

The SAP audit team will surely cover the following points:

  • Locked Users
  • Deleted Users
  • Expired Users
  • Users with Multiple Logins
  • Users with late Logins
  • Users with SSCR Keys used for development purposes
  • Reclassification of “Workbench Development Users”
  • Test Users in production (important: SAP allows 10% per system measurement)
  • Dialog Users vs. Measured Standard Users

Engines

The last step of the SAP measurement is merging all measured systems within the License Administration Workbench (LAW). After merging the systems, users and user types are recorded and assigned to one contractual user type. When the LAW user criteria are regularly updated across the entire system landscape, the company eliminates the risk of counting records multiple times.

If the number of consolidated users detected by LAW is outside the contract limits, it is recommended that you ask for verification of the following:

  • LAW criteria (used to deduplicate user counts across multiple SAP systems)
  • Locked users (whether the expiration date has been reported correctly)
  • Unclassified users (per default, counted as professional users on production systems)
  • Technical users declared Dialog Users
  • User authorizations based on your contractual user type assignment

In addition to the LAW measurement results, you will be required to provide additional details as requested by SAP. These additional details include self-declaration products, HANA, business objects, etc.

In every step of the audit, SAP has outlined extra information gathering processes to follow.

Increase Internal SAP Experience

You need to ensure that the measurement is validated by an expert SAP consultant before sharing the data with SAP.

In the least desirable situation, when you’ve already shared the output with SAP, ask the external SAP consultant to perform the analysis in parallel. This will help you find the potential nonconformities earlier.

Consider the latest technology changes, including SAP GLAC, when planning for the SAP audit prep phase. Don’t assume that if something didn’t happen last time, you will be spared this time too! Be prepared.

Preparing for an SAP audit is time-consuming, overwhelming, complicated, and extremely difficult for several organizations. We hope that this guide gave you an upper hand in your next SAP audit.
