Channel: Governance, Risk and Compliance (SAP GRC)

Auditbot SAP Quick GRC Compliance Tool: A User’s Perspective


Many organizations spend large sums of money deploying ERP systems yet have
little or no visibility into how well those systems are used or what types and levels of
activity users are engaged in. SAP ERP is no exception. While some SAP
standard reports are available, they require specialist skills and a
disproportionate amount of time to detect and decipher the exceptions and
irregular patterns that call for remedial action.

 

 

To be effective, an auditor or functional security analyst should be able to pre-define
the types and levels of risk beforehand and monitor those risks on a
continuous basis. Furthermore, he or she should be able to promptly identify,
investigate and respond to non-compliance and other exceptions, preferably through
a single interface (a central cockpit) and without having to rely on
technical experts to do so.

 

 

One such powerful yet cost-effective tool we came across is the AuditBot™ GRC monitoring suite.

 

AuditBot provides a round-the-clock view, via a central cockpit, of security status and of what
users can do and have done in the areas of security settings, master data
changes and transaction postings.

 

Among the many benefits of the AuditBot GRC tool are a reduced risk of fraud and accounting errors and lower
audit compliance costs, achieved through continuous compliance monitoring against
organizational policies on SAP security and the elimination of manual control
testing.

 

AuditBot addresses the following key aspects of SAP-related tasks:

 

 

  • Instant security assessment with summaries and details of vulnerabilities;
  • Risk analysis: SOD, sensitive transaction and sensitive object risks within a user or role,
    also showing the documents posted under such risks;
  • Detailed lists of transactions used during a review period, broken down to individual users
    or groups of users;
  • Mitigation control management and authorized exception handling;
  • Emergency and elevated access monitoring and control: this feature provisions emergency
    access to selected users and tracks the transactions they use;
  • Master data, sensitive table update and transaction processing control and alerts:
    this gives the auditor a list of table updates made, for further review;
  • Periodic review and re-affirmation of user roles by managers;
  • FI Document Posting Analyzer: gives the functional team an overview of the postings
    made by document type; alerts can also be set up to warn when certain document types are
    posted;
  • SAP license saver, incorporating license cost reports and other exception reports;
  • Constant monitoring of the system for inactive users, with automatic locking;
  • Tracking of the transactions used, table updates made and batch jobs executed by a
    particular user or group of users;
  • Monitoring of system parameters across the landscape to ensure a high level of security and
    compliance;
  • Monitoring of remote access to ensure it is authorized, restricted and secured;
  • Compliance checks for custom objects developed by the customer: transaction assignment,
    authorization groups and authority-check statements.

    

My experience using this nifty tool, with most of the above features, in monitoring
SAP security in a large Emergency Services Organization has been nothing short
of exhilarating.

 

Apart from the shorter installation and configuration timeframe and low TCO, the ease of use of
this product is truly amazing. As it is fully integrated with SAP, its look and
feel and shortcuts are much akin to the standard SAP GUI interface.

 

 

AuditBot System Architecture 

 

 

The AuditBot Quick GRC tool is written in SAP's ABAP language and does not require additional
hardware to run. We were advised by AuditBot that, as an SAP Certified Powered
by NetWeaver partner, they have their own namespace and hence will
not interfere with the client's custom programs.

 

 

Configuring AuditBot

 

 

We found AuditBot's configuration menus to be intuitive and easy to use. With the full
features of the ABAP engine available at the administrator's fingertips, the system was up and running in a matter
of a few hours, the only prerequisite being to have predefined the
necessary lists of sensitive TCodes, SOD-conflicting roles and user IDs for
monitoring and transaction alerts.

 

 

img1.jpg

   

Navigating AuditBot Menu Tree

 

We found AuditBot's navigation menu tree to be intuitive and easy to follow; some menu
items could even be accessed through several different menu paths. For example,
the Security Assessment Cockpit provides a snapshot of all security exposures at
the present moment, across users, roles, authorizations and TCodes:

 

img2.jpg

Once the Security Assessment Cockpit is activated, the following summary report giving
an overview of SAP security is displayed:

 

img3.jpg

 

In this example, the report highlights 24 users with full T-Code access. This can be drilled down further to determine who
they are, which then enables management to decide whether continued access is needed:

 

 

img4.jpg

 

 

Checklists

 

 

The checklists available for monitoring SAP system usage and transaction processing
are also very broad, as shown in the menu options screen:

 

img5.jpg

 

User Log Analysis:

 

 

The AuditBot in-depth log analysis tool facilitates:

 

  • Determining what program was run at a given time
  • Monitoring all transports and objects moved into the system
  • Monitoring critical table changes, including user master changes and system changes
  • Analyzing time spent in the system by individual users
  • Identifying repeated transaction failures
  • Identifying sensitive transaction access
  • Identifying excessive access rights
  • Identifying system errors
  • Identifying job failures

 

img6.jpg

 

 
Log Summary Report

 

 

One drawback of using the standard user log reports is the need to run multiple log
reports and review each individually. This can be both time-consuming and prone to
error, because of the risk of overlooking some logs. When individual logs are viewed
separately, the reviewer never gets a single unified view of the situation.

 

In AuditBot we found that obtaining all the logs (all 11 of them; see diagram x below) in a
single report can be achieved with the click of a button.

 

img7.jpg

The output could be refined further by using one or more of the 13 filtering options
available:

img8.jpg

The line items could be drilled down further for detailed information.

 
img9.jpg

img10.jpg

 

Trending Reports

 

Another fascinating feature of AuditBot is its ability to compare the audit
security status between almost any two dates. This is provided in a number of
Trending reports: Risk Trending, User Trending, Role Trending and User/Role
Assign Trending, to name a few.

 

img11.jpg

We found this feature particularly useful in the periodic review of new user creation and
of changes to authorizations and roles. For example, answers to questions like these
are only a mouse click away in the AuditBot Trending reports:

 

  • Who are the new users created during the current year, with monthly
    breakdowns?
  • What roles were assigned to them, and what TCodes and authorizations were
    granted?

img12.jpg   

img13.jpg

img14.jpg

 

img15.jpg

 

img16.jpg

 

 

System Parameter Analyzer

 

When there are multiple systems in multiple environments, and these keep changing, manually matching
system profile parameters against policy to find non-compliance becomes increasingly
difficult for the audit team. The AuditBot System Parameter Analyzer automates this
task, highlighting non-compliant parameters through dashboard buttons. It also
allows parameter changes to be simulated and their outcomes evaluated.

img17.jpg
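To make the idea of a landscape-wide parameter check concrete, here is an added example (not AuditBot's code) that evaluates each system's profile parameters against a baseline and supports the same kind of what-if simulation. The parameter names are real SAP profile parameters; the allowed ranges and the three system snapshots are constructed for illustration.

```python
"""Check SAP profile parameters across a landscape against a baseline and
simulate changes.  Added example, not AuditBot code: parameter names are real,
the allowed ranges and the DEV/QAS/PRD snapshots are constructed."""

# Baseline: parameter -> (lowest allowed, highest allowed); None = unbounded.
# A lower bound of 1 matters: for these parameters 0 switches the control off.
BASELINE = {
    "login/min_password_lng": (8, None),
    "login/fails_to_user_lock": (1, 5),
    "login/password_expiration_time": (1, 90),   # 0 = passwords never expire
    "login/no_automatic_user_sapstar": (1, 1),
    "rdisp/gui_auto_logout": (1, 1800),          # 0 = no auto-logout
}

# Constructed snapshots: SID -> {parameter: value as stored in the profile}.
LANDSCAPE = {
    "DEV": {"login/min_password_lng": "6", "login/fails_to_user_lock": "5",
            "login/password_expiration_time": "0",
            "login/no_automatic_user_sapstar": "1", "rdisp/gui_auto_logout": "3600"},
    "QAS": {"login/min_password_lng": "8", "login/fails_to_user_lock": "10",
            "login/password_expiration_time": "90", "rdisp/gui_auto_logout": "1800"},
    "PRD": {"login/min_password_lng": "8", "login/fails_to_user_lock": "3",
            "login/password_expiration_time": "60",
            "login/no_automatic_user_sapstar": "1", "rdisp/gui_auto_logout": "900"},
}

def check_system(params, baseline=BASELINE):
    """Return [(parameter, actual, expected)] for every parameter that is
    missing, non-numeric or outside its allowed range.  Missing is a finding,
    not a pass: an unset parameter silently takes the kernel default."""
    findings = []
    for name, (lo, hi) in baseline.items():
        expected = f"{'' if lo is None else lo}..{'' if hi is None else hi}"
        raw = params.get(name)
        try:
            actual = int(raw)
        except (TypeError, ValueError):      # absent (None) or not a number
            findings.append((name, raw, expected))
            continue
        if (lo is not None and actual < lo) or (hi is not None and actual > hi):
            findings.append((name, actual, expected))
    return findings

def simulate(params, changes, baseline=BASELINE):
    """What-if: apply proposed changes to a copy of the profile and return
    (findings resolved, findings remaining) by parameter name."""
    before = {f[0] for f in check_system(params, baseline)}
    after = {f[0] for f in check_system({**params, **changes}, baseline)}
    return sorted(before - after), sorted(after)
```

Running `check_system` over every entry of `LANDSCAPE` gives the per-system dashboard view; an empty list means the system is compliant with the baseline.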

 

SOD Conflicts, Critical Transactions and Sensitive Objects

 

Using AuditBot it is possible to define SOD conflicts in roles down to the transaction code and authorization object level, and then to test
the system to determine whether SOD violations exist.

 

Sensitive object access Risk monitoring:

 

AuditBot can identify users assigned sensitive general authorizations
(create, change, delete, etc.) as well as specific authorization objects (e.g.
table maintenance or program execution) that would constitute a risk unless
properly secured.

 

Critical Transaction Risk monitoring

 

These are mostly system-related transactions or mass-change transactions that can affect
large amounts of data. AuditBot can be configured to monitor access to and execution
of individual sensitive transaction codes.

 

Segregation of duties (SOD) Risk monitoring

 

 

Using AuditBot, SOD risk can be defined and then monitored.
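The "define, then test" approach to SOD risk described in this section, as an added example that is not AuditBot's own logic: conflict rules are defined as pairs of TCode sets, and the check is run both per role and per user, because two individually clean roles can conflict once they land on the same person. The TCodes are real SAP transactions; the rules, roles and users are constructed, and the authorization-object granularity the tool also offers is left out here.

```python
"""Segregation-of-duties check over user/role/TCode assignments.
Added example, not AuditBot code.  TCodes are real SAP transactions; the
rules, roles and users below are constructed for illustration."""
from itertools import product

# Each rule names two functions one person must not hold together, expressed
# as the TCode sets that perform them.
SOD_RULES = {
    "Vendor master vs. vendor payment": (
        {"FK01", "FK02", "XK01", "XK02"},   # create/change vendor master
        {"F110", "F-53"},                   # run or post outgoing payments
    ),
    "Purchase order vs. goods receipt": (
        {"ME21N", "ME22N"},                 # create/change purchase order
        {"MIGO"},                           # post goods receipt
    ),
}

# Constructed roles (TCodes each role grants) and users (roles assigned).
ROLES = {
    "Z_AP_CLERK":   {"FK01", "FK02", "FB60"},
    "Z_AP_PAYMENT": {"F110", "F-53", "FBL1N"},
    "Z_BUYER":      {"ME21N", "ME22N", "ME23N"},
    "Z_WAREHOUSE":  {"MIGO", "MB51"},
    "Z_PURCH_ALL":  {"ME21N", "MIGO", "MIRO"},   # conflict built into one role
}
USERS = {
    "JDOE":   ["Z_AP_CLERK", "Z_AP_PAYMENT"],    # clean roles, conflicting combo
    "ASMITH": ["Z_BUYER", "Z_WAREHOUSE"],        # another cross-role conflict
    "BLEE":   ["Z_PURCH_ALL"],
}

def violations(tcodes, rules=SOD_RULES):
    """Return [(rule, tcode_a, tcode_b)] for every conflicting pair found
    within one set of TCodes (a single role's, or a user's combined set)."""
    return [(rule, a, b)
            for rule, (side_a, side_b) in rules.items()
            for a, b in product(sorted(side_a & tcodes), sorted(side_b & tcodes))]

def role_violations(roles=ROLES, rules=SOD_RULES):
    """Conflicts present inside a single role."""
    return {r: v for r, t in roles.items() if (v := violations(t, rules))}

def user_violations(users=USERS, roles=ROLES, rules=SOD_RULES):
    """Conflicts across everything a user holds, with the role granting each
    side, so cross-role conflicts (invisible per role) are reported too."""
    report = {}
    for user, assigned in users.items():
        granted = {t: r for r in assigned for t in roles[r]}   # tcode -> role
        hits = violations(set(granted), rules)
        if hits:
            report[user] = [(rule, a, granted[a], b, granted[b]) for rule, a, b in hits]
    return report
```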

 

 

Monitoring elevated SAP access

 

 

Another valuable feature we found in AuditBot was its user provisioning and emergency
access management, whereby the extensive privileges granted to system
administrators and Basis administrators to facilitate emergency fixes can be
documented, authorized, monitored and removed with ease.

 

We are yet to review the License Cost Saver, sensitive table update monitoring and several
other options, although we are confident these too would be as easy to configure
and use, with similarly value-adding features.

 

 

Conclusion

 

 

Overall we found the AuditBot GRC tool to be a versatile, powerful set of tools that is easy to configure and easy to use.
Using AuditBot, we have effectively addressed several pressing
audit issues regarding security and user provisioning, with a significant reduction in the time and expertise required
to continuously monitor the use of the SAP ERP system.

