Auditbot SAP Quick
GRC Compliance Tool: A User’s Perspective
Many organizations spend large sums of money deploying ERP systems, yet they have
little or no visibility into how well the system is being used or what types and levels of
activity users are engaged in. SAP ERP is no exception. While some SAP
standard reports are available, they require specialist skills and a
disproportionate amount of time in order to detect and decipher exceptions and
irregular patterns for remedial action.
To be effective, an auditor or functional security analyst should be able to pre-define
the types and levels of risk beforehand and be able to monitor those risks on a
continuous basis. Furthermore, he or she should be able to promptly identify,
investigate and respond to non-compliance and other exceptions, preferably through
a single interface using a central cockpit and without having to rely on
technical experts to do so.
One such powerful yet cost-effective tool we came across is the AuditBot™ GRC monitoring suite.
AuditBot provides a round-the-clock view, via a central cockpit, of the security status, what
users can do and what they did do in the areas of security settings, master data
changes and transaction postings.
Among the many benefits of the AuditBot GRC tool are a reduced risk of fraud and accounting errors and lower
audit compliance costs, achieved through continuous compliance monitoring against
organizational policies on SAP security and the elimination of manual control
testing.
AuditBot addresses the following key aspects of SAP-related tasks:
- Instant security assessment with summaries and details of vulnerabilities;
- Risk analysis: SOD, sensitive transaction and sensitive object risks within a user or role. Also shows the documents posted with such risks;
- Detailed lists of transactions used during a review period, broken down to individual users or a group of users;
- Mitigation control management and authorized exception handling;
- Emergency and elevated access monitoring and control: this feature helps provision emergency access to selected users as well as track the transactions used by them;
- Master data, sensitive table update and transaction processing control and alerts: this gives the auditor a list of table updates made for further review;
- Periodic review and re-affirmation of user roles by managers;
- FI Document Posting Analyzer, which gives the functional team an overview of the postings made by document type. Alerts can also be set up to warn when certain document types are posted;
- SAP license saver incorporating license cost reports and other exception reports;
- Constant monitoring of the system for inactive users, with automatic locking features;
- Tracking of the transactions used, table updates made and batch jobs executed by a particular user or group of users;
- Monitoring of system parameters across the landscape to ensure a high level of security and compliance;
- Monitoring of remote access to ensure it is authorized, restricted and secured;
- Compliance checks for custom objects developed by the customer, covering transaction assignment, authorization groups and authority-check statements.
My experience in using this nifty tool for most of the above features in monitoring
SAP security in a large Emergency Services Organization has been nothing short
of exhilarating.
Apart from the short installation and configuration timeframe and low TCO, the ease of use of
this product is truly amazing. As it is fully integrated with SAP, the look and
feel and the shortcuts are much akin to the standard SAP GUI interface.
AuditBot System Architecture
The AuditBot Quick GRC tool is written in the SAP ABAP language and does not require additional
hardware to run. We were advised by AuditBot that, as an SAP Certified Powered
by NetWeaver partner, they have their own namespace and hence will
not interfere with the client's custom programs.
Configuring AuditBot
We found AuditBot's configuration menus to be intuitive and easy to use. With the full
features of the ABAP engine available at the administrator's fingertips, the system was up and running in a matter
of a few hours, the only prerequisite being to have predefined the
necessary sensitive TCodes, SOD conflict role lists and user IDs for
monitoring and transaction alerts.
Navigating AuditBot Menu Tree
We found AuditBot's navigation menu tree to be intuitive and easy to follow; some menu
items can even be accessed through several different menu paths. For example,
the Security Assessment Cockpit provides a snapshot of all security exposures at
the present moment, covering users, roles, authorizations and TCodes.
Once the Security Assessment Cockpit is activated, the following summary report giving
an overview of SAP security is displayed:
In this example, the report highlights 24 users having full T-Code access. This can be further drilled down to determine who
they are, which then enables management to decide whether continued access is needed.
Checklists
The checklists available for monitoring SAP system usage and transaction processing
are also very broad, as shown in the menu options screen:
User Log Analysis
The AuditBot in-depth log analysis tool facilitates:
- Determining what program was run at the time
- Monitoring all transports and objects moved into the system
- Monitoring critical table changes, including user master changes and system changes
- Analyzing time spent in the system by individual users
- Repeated transaction failures
- Sensitive transaction access
- Excessive access rights
- System errors
- Job failures
Log Summary Report
One drawback of using standard user log reports is the need to run multiple log
reports and review them individually. This can be both time consuming and prone to
error due to the risk of overlooking some logs. When individual logs are obtained and viewed
separately, the reviewer fails to get a single unified view of the situation.
In AuditBot we found that obtaining all the logs (all 11 of them; see diagram x below) in a
single report can be achieved with the click of a button.
The output can be refined further by using one or more of the 13 filtering options
available:
The line items can be drilled down further for detailed information.
Trending Reports
Another fascinating feature of AuditBot is its ability to compare the audit
security status between almost any two dates. This is provided in a number of
trending reports: Risk Trending, User Trending, Role Trending and User/Role
Assignment Trending reports, just to name a few.
We found this feature particularly useful in the periodic review of new user creation and
changes to authorizations and roles. For example, answers to questions like these
are only a mouse click away in AuditBot trending reports:
- Who are the new users created during the current year, with monthly breakdowns?
- What roles were assigned to them, and what TCodes and authorizations were granted?
System Parameter Analyzer
When there are multiple systems in multiple environments and these keep changing, manually matching
system profile parameters against policy to find non-compliance becomes increasingly
difficult for the audit team. The AuditBot System Parameter Analyzer automates this
task, highlighting non-compliant parameters through dashboard buttons. It also
allows parameter changes to be simulated and their outcomes evaluated before they are applied.
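The kind of check such an analyzer performs, as an added example that is not AuditBot's own code: a baseline policy is evaluated against a snapshot of each system's profile parameters, missing parameters are reported as findings, and a what-if function re-runs the check with proposed changes. The parameter names are real SAP profile parameters; the required values, system names and current values are constructed sample data.

```python
"""Profile-parameter compliance check across an SAP landscape, plus a what-if
simulation. Added example, not AuditBot code; values below are constructed."""
import operator

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq}

# Assumed baseline policy: parameter -> (comparator, required value).
BASELINE = {
    "login/min_password_lng":       (">=", 8),      # minimum password length
    "login/fails_to_user_lock":     ("<=", 5),      # failed logons before lock
    "login/disable_multi_gui_login": ("==", 1),     # one GUI session per user
    "rdisp/gui_auto_logout":        ("<=", 1800),   # idle timeout in seconds
}

# Constructed landscape snapshot: system ID -> parameter -> current value.
LANDSCAPE = {
    "DEV": {"login/min_password_lng": 6, "login/fails_to_user_lock": 5,
            "login/disable_multi_gui_login": 0, "rdisp/gui_auto_logout": 1800},
    "PRD": {"login/min_password_lng": 8, "login/fails_to_user_lock": 3,
            "login/disable_multi_gui_login": 1},   # auto logout not set at all
}

def check_system(params, baseline=BASELINE):
    """Return {parameter: (actual, requirement)} for every non-compliant entry.
    A parameter absent from the profile is a finding too (actual=None), since
    an unset value silently falls back to the SAP default."""
    findings = {}
    for name, (op, required) in baseline.items():
        actual = params.get(name)
        if actual is None or not OPS[op](actual, required):
            findings[name] = (actual, f"{op} {required}")
    return findings

def check_landscape(landscape=LANDSCAPE):
    """Dashboard-style summary: system ID -> findings (empty == compliant)."""
    return {sid: check_system(p) for sid, p in sorted(landscape.items())}

def simulate(sid, changes, landscape=LANDSCAPE):
    """Re-run the check for one system with proposed changes applied to a
    copy of its profile, so the outcome is known before touching the system."""
    trial = dict(landscape[sid])
    trial.update(changes)
    return check_system(trial)
```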
SOD Conflicts, Critical Transactions and Sensitive Objects
Using AuditBot it is possible to define SOD conflicts in roles down to the transaction code and authorization object level, and then to test
the system to determine whether SOD violations exist.
Sensitive object access Risk monitoring:
AuditBot allows the auditor to determine which users are assigned sensitive general authorization objects
(create, change, delete etc.) as well as specific authorization objects (e.g.
table maintenance or program execution), which would constitute a risk unless
they are properly secured.
Critical Transaction Risk monitoring
These are mostly system-related transactions or mass change transactions which can affect
large amounts of data. AuditBot can be configured to monitor access to and execution
of individual sensitive transaction codes.
Segregation of duties (SOD) Risk monitoring
Using AuditBot, SOD risk can be defined and then monitored.
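To make the three checks above concrete, here is an added example (not AuditBot's code) of the core logic at transaction-code level: each user's effective TCodes are derived from role assignments, SOD rules are expressed as pairs of business functions that must not be held together, and sensitive TCodes are flagged individually. Users, roles, TCodes and rules are constructed sample data; a real rule set would also carry authorization-object conditions.

```python
"""SOD conflict and sensitive-transaction check over user/role/TCode data.
Added example, not AuditBot code. All data below is constructed sample data."""

# Constructed: role -> transaction codes granted by that role.
ROLE_TCODES = {
    "Z_AP_CLERK":   {"FB60", "MIRO"},          # enter vendor invoices
    "Z_AP_PAY":     {"F110"},                  # run payment program
    "Z_VENDOR_MNT": {"XK01", "XK02"},          # create/change vendor master
    "Z_BASIS":      {"SE16", "SM30", "SU01"},  # table access, user admin
    "Z_DISPLAY":    {"FB03", "XK03"},          # display only
}
# Constructed: user -> assigned roles.
USER_ROLES = {
    "ALICE": {"Z_AP_CLERK", "Z_AP_PAY"},       # invoice entry + payment run
    "BOB":   {"Z_VENDOR_MNT", "Z_DISPLAY"},
    "CAROL": {"Z_VENDOR_MNT", "Z_AP_CLERK"},   # vendor master + invoice entry
    "DAVE":  {"Z_BASIS"},
}
# A business function is a set of TCodes; an SOD rule names two functions
# that no single person may hold together.
FUNCTIONS = {
    "AP_INVOICE":    {"FB60", "MIRO"},
    "AP_PAYMENT":    {"F110"},
    "VENDOR_MASTER": {"XK01", "XK02"},
}
SOD_RULES = [("AP_INVOICE", "AP_PAYMENT"), ("VENDOR_MASTER", "AP_INVOICE")]
# Critical TCodes monitored on their own, regardless of any pairing.
SENSITIVE_TCODES = {"SM30", "SU01", "SE16"}

def effective_tcodes(user):
    """Union of TCodes over every role assigned to the user."""
    return set().union(*(ROLE_TCODES.get(r, set()) for r in USER_ROLES.get(user, ())))

def sod_violations(user):
    """List of (rule, triggering TCodes) for each SOD rule the user violates."""
    tcodes = effective_tcodes(user)
    hits = []
    for f1, f2 in SOD_RULES:
        a, b = tcodes & FUNCTIONS[f1], tcodes & FUNCTIONS[f2]
        if a and b:  # user can perform both conflicting functions
            hits.append(((f1, f2), sorted(a | b)))
    return hits

def sensitive_access(user):
    """Sensitive TCodes the user can run, each with the role granting it."""
    return sorted((t, r) for r in USER_ROLES.get(user, ())
                  for t in ROLE_TCODES.get(r, set()) if t in SENSITIVE_TCODES)

def risk_report():
    """Per-user findings, as a review cockpit would summarise them."""
    return {u: {"sod": sod_violations(u), "sensitive": sensitive_access(u)}
            for u in sorted(USER_ROLES)}
```

Mitigating a finding in practice means either splitting the conflicting roles across two people or documenting a compensating control against the specific rule that fired.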
Monitoring elevated SAP access
Another valuable feature we found in AuditBot was its user provisioning and emergency
access management feature, whereby the extensive privileges granted to system
administrators and Basis administrators to facilitate emergency fixes can be
documented, authorized, monitored and removed with ease.
We are yet to review the License Cost Saver, sensitive table update monitoring and several
other options, although we are confident these too would be as easy to configure
and use, with similar value-adding features.
Conclusion
Overall we found the AuditBot GRC tool to be a versatile, easy to configure and easy to use,
yet powerful set of tools. Using AuditBot, we have effectively addressed several pressing
audit issues regarding security and user provisioning, with a significant reduction in the time and expertise required
to continuously monitor the use of the SAP ERP system.