How to Prepare for an SAP Audit
Updated: Aug 14, 2020
This blog post is part of a four-part series on SAP audits. You can read part one here.
We urge clients to be proactive when faced with an SAP audit — to be the audit driver, not the passenger — whether for a Basic or an Enhanced Audit. The best way to do this is to establish a clear audit framework. If you don't currently have an audit framework in your organization, I encourage you to create one that includes policies and procedures surrounding an audit AND achieves executive support before any audit begins. This will enable you to set the scope of the audit and prevent the auditor from going over your head.
The next step is to assign a single point of contact within your team, through whom all information, data requests, submissions and follow-up questions pass. I cannot over-emphasize how important this is. This designated person will serve as a watchdog: filtering all requests coming from SAP, determining what’s important to whom, and deciding what data gets provided to SAP. A single point of contact is also necessary to identify areas of risk and make sure that the team is not providing too much information. This person will not be cajoled or bluffed into providing data that you are not legally required to provide.
Step three is to review your Audit Right, found in the SAP contract, which stipulates how the vendor can audit you. You may discover that it contains a clause that actually prevents an SAP audit, such as “any audit shall be conducted by a third party,” or simply that it’s too soon to conduct an audit because you just underwent one.
Step four is to control the timeline of the audit. As eager as you may be to get it over with, you do not want to rush the process, because rushing often leads to costly mistakes. You want to allow your team to conduct a thorough system clean-up process before providing SAP with anything. We counsel clients to conduct a system clean-up quarterly, so that when an audit comes around, you’re prepared.
The areas to validate during clean-up are license counts, purchase dates, and user classifications. Many organizations have processes or tools in place that recognize when a person leaves the organization and make sure they no longer have access, but these tools are not always accurate and warrant your scrutiny. For example, we have seen a lot of situations where users are not properly classified, and the tool automatically assigns the user to the highest (most expensive) classification level.
When you receive notification for a Basic Audit, SAP will include something called a Measurement Plan, which lists all your SAP systems. You must review this document and identify for SAP any systems that are no longer in use.
The next thing to examine is your Self-Declared Products, and make sure you understand the metrics and corresponding contracts.
Now it’s time to inspect your entitlements. It’s imperative to have all your entitlements uploaded in one place to get a complete and verifiable overview of what you’ve bought and deployed. Remember, if you’re relying on a SAM tool, it may not count everything, and further, a tool is only as good as the information that was loaded into it.
The same best practices for a Basic Audit apply to an Enhanced Audit, but there are a few additional pointers I’d like to share. First and foremost: never agree to an on-site meeting. The SAP auditor will request this as a way to involve more people and get around your single point of contact. This can be very dangerous to your organization because SAP will take the opportunity to gain insight into your business processes, such as sales orders, purchase orders, vendor management, quality management, and so forth. The auditor is an expert at driving these conversations when they’re on site and following up with probing questions. Before you know it, people start talking without thinking, and they’re divulging information that need not be shared.
Given today’s technology, there is no reason to let the auditor come in for a personal meeting. Instead, inform the auditor that it's against company policy to allow anyone on-site for any kind of audit or meeting, and reiterate that all information must go through your single point of contact.
Let’s look at a typical SAP audit request. The following pages come from SAP’s audit practice, outlining the deliverables they want in an Enhanced Audit — some of which they have no right to ask for. They’re looking for any instances of unauthorized and/or indirect access and will try to probe every system they can to find these instances.
They start out by looking into your development system, examining anyone that’s been assigned a dev access key. They compare that data against the USR02 table (the user master record, which holds last-logon dates and lock status), looking for anyone that’s active. Of course, many developers are contractors who come in on an ad hoc basis, or every six months, and then they’re gone. Because they might still have a dev access key, they’re counted in an audit, even if they haven’t done any work for you in a year. You must be prepared to prove that these people were inactive and should not be counted.
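The reconciliation described above is something you can run yourself, before the auditor does, so that every developer-key holder you intend to exclude already has a documented reason. The following is an added example, not the author's or ClearEdge's own tooling: it assumes you have exported the developer-key table (DEVACCESS) and the user master table (USR02) to two row lists, uses the real SAP column names (UNAME, BNAME, TRDAT, UFLAG, GLTGB), and treats a non-zero UFLAG as "locked". The sample rows, the hypothetical user names and the 365-day inactivity threshold are constructed for illustration.

```python
from datetime import date, datetime

# Constructed DEVACCESS export: who holds a developer access key.
# ACCESSKEY values are placeholders, never real keys.
DEVACCESS = [
    {"UNAME": "DEV_ALICE",      "ACCESSKEY": "<placeholder>"},
    {"UNAME": "CONTRACTOR_BOB", "ACCESSKEY": "<placeholder>"},
    {"UNAME": "CONTRACTOR_EVE", "ACCESSKEY": "<placeholder>"},
    {"UNAME": "OLD_DEV",        "ACCESSKEY": "<placeholder>"},
    {"UNAME": "DELETED_USER",   "ACCESSKEY": "<placeholder>"},  # no USR02 row: orphaned key
]

# Constructed USR02 export: BNAME = user, TRDAT = last logon (YYYYMMDD, 00000000 = never),
# UFLAG = lock status (0 = unlocked), GLTGB = valid-to date (00000000 = unlimited).
USR02 = [
    {"BNAME": "DEV_ALICE",      "TRDAT": "20200810", "UFLAG": "0",  "GLTGB": "00000000"},
    {"BNAME": "CONTRACTOR_BOB", "TRDAT": "20190601", "UFLAG": "0",  "GLTGB": "00000000"},
    {"BNAME": "CONTRACTOR_EVE", "TRDAT": "20200701", "UFLAG": "64", "GLTGB": "00000000"},
    {"BNAME": "OLD_DEV",        "TRDAT": "20190115", "UFLAG": "0",  "GLTGB": "20191231"},
]


def parse_sap_date(value):
    """Convert an SAP YYYYMMDD field to a date; 00000000 (unset) becomes None."""
    if not value or value == "00000000":
        return None
    return datetime.strptime(value, "%Y%m%d").date()


def review_developer_keys(devaccess, usr02, as_of, inactive_days=365):
    """Classify each developer-key holder as active or inactive, with the evidence
    you would hand to the auditor for every exclusion. Returns a list of dicts."""
    users = {row["BNAME"]: row for row in usr02}
    findings = []
    for key_row in devaccess:
        name = key_row["UNAME"]
        user = users.get(name)
        if user is None:
            status, reason = "inactive", "no user master record; key is orphaned"
        elif user["UFLAG"] != "0":
            status, reason = "inactive", f"user locked (UFLAG={user['UFLAG']})"
        elif (valid_to := parse_sap_date(user["GLTGB"])) and valid_to < as_of:
            status, reason = "inactive", f"validity ended {valid_to.isoformat()}"
        else:
            last_logon = parse_sap_date(user["TRDAT"])
            if last_logon is None:
                status, reason = "inactive", "never logged on"
            elif (as_of - last_logon).days > inactive_days:
                status, reason = "inactive", f"no logon for {(as_of - last_logon).days} days"
            else:
                status, reason = "active", f"last logon {last_logon.isoformat()}"
        findings.append({"user": name, "status": status, "reason": reason})
    return findings


def active_developers(findings):
    """The only names that should appear in the developer count."""
    return sorted(f["user"] for f in findings if f["status"] == "active")


if __name__ == "__main__":
    for finding in review_developer_keys(DEVACCESS, USR02, date(2020, 8, 14)):
        print(f"{finding['user']:15} {finding['status']:9} {finding['reason']}")
```

The point of the ordering is that each exclusion cites the strongest single piece of evidence available: a missing master record or a lock flag settles the question regardless of logon history, while the logon-age rule is the weakest and is applied last. Run against real exports, the resulting list is the proof the post says you must be prepared to show; keep the thresholds you used alongside it. Note that TRDAT records the last logon on that one system, so a developer who works only on another client or system needs a separate check there.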
The areas I want to caution you about are slipped in at the bottom of the page, under Order Tables. These tables should only be requested if you are licensed for sales and service order processing, or purchase order processing. If you're not licensed for either one of those engines, you do not have to provide this information. This would provide them with a table of all the sales orders and purchase orders created by users. The auditor would use it to identify any users with high watermarks and claim those are not users, but are created by non-dialog users, indicating indirect access.
The next thing they’ll ask for is a business process worksheet, to explain your business process. This is another fishing expedition to discover indirect access, and you are not required to provide this.
The last thing they ask for is a diagram of your business process, which is just a “Hail Mary pass” for information.
You are not obligated to provide this, and if you do, it will supply them with all sorts of data from which they can make connections and inferences about usage. You would be surprised at how many people provide this information without question. They just think, “This request came from an auditor, so I need to provide it.” Or they're in a hurry, or they don't have a single point of contact and an inexperienced SAP admin winds up with the request. Just say “no!”
This all goes back to my first point: establish an audit framework, with clear policies and procedures and a single point of contact that protects you from far-reaching audit scopes, backed up with executive support.
Richard Wright is a ClearEdge Senior Manager on the Compliance and SAM team, a former SAP auditor and an SAP expert at Accenture.
This blog post was inspired by part two of the SAP Audit Webinar Series, Audit Preparation. You can access the full recording of this webinar below. To learn more about SAP audits, read part three of the blog series here or contact a member of the ClearEdge Compliance team.