SAP audit: from diagnosis to sustainable SoD risk reduction
In an environment where information systems are at the heart of operations and regulatory obligations (such as Sarbanes-Oxley or GDPR), access and authorization management in SAP is no longer a simple administrative task. With the growing complexity of S/4HANA architectures and the imperative of digital transformation, auditing authorizations has become a fundamental lever for assessing the resilience of internal controls and of operational and financial risk management.
This article proposes a structured approach, from the mapping of business risks to the implementation of a sustainable governance system.
In a nutshell: SAP auditing as a governance tool
The SAP authorization audit has gone from a simple technical check-up to a full-scale Governance, Risk and Compliance (GRC) strategy. It is no longer just a question of finding loopholes, but of building a sustainable access architecture aligned with business processes.
This article details a three-step approach:
- Custom mapping: establish a rigorous Segregation of Duties (SoD) matrix, modeling risks within critical processes (such as P2P) to avoid false positives.
- Comprehensive diagnosis: technical analysis of roles and users to quantify technical debt and distinguish between risks caused by role configuration and those caused by individual assignments.
- Sustainable control: a prioritized action plan including quickwins (e.g. SAP_ALL deletion) and a recasting of roles for measurable and significant risk reduction (illustrated by the monitoring of OTC and PTP risk remediation).
The ultimate aim is to transform a chaotic authorization environment into a continuous assessment system essential for company safety and compliance.
Step 1: Risk mapping and scope definition
The initial phase is critical, and requires close collaboration between business teams, the IT department and internal audit.
Risk modeling (SoD): process analysis
A Segregation of Duties (SoD) matrix must be established. It must be customized to:
- Integrate Fiori transactions/tiles and solution-specific authorization objects (e.g. S/4HANA).
- Reflect the organization's critical business processes (e.g. Procure to Pay, Order to Cash, Record to Report).
The Procure-to-Pay process diagram illustrates this complexity perfectly. Each red arrow symbolizes a «High» Segregation of Duties (SoD) risk between two functions (e.g. creation/modification of Supplier Master Data (XK01/XK02) and issue of Supplier Accounting Payment (F110)).
Critical access identification
Mapping must identify critical accesses (e.g. SAP_ALL, SAP_NEW). These accesses must be placed under strict management (Firefighter or Emergency Access Management).
Step 2: Technical analysis and gap analysis
This phase uses dedicated risk analysis engines.
SoD conflict analysis
The analysis tool integrates the validated risk matrix to detect conflicts. An exhaustive analysis must distinguish:
- Role risks: the role itself contains the ability to carry out an SoD conflict. This type of risk requires a role redesign.
- User risks: the user has several roles which, when combined, create an SoD conflict. This risk can be managed by adjusting assignments.
Assessment of roles and privileges
Diagnosis focuses on a qualitative assessment of roles: over-allocation of rights (against the principle of least privilege), unused or obsolete roles, and construction quality.
Step 3: Action plan, remediation and sustainable control
The ultimate goal is effective, measurable risk reduction.
Prioritization and remediation
The action plan must prioritize risks according to their business criticality and their technical feasibility.
- Redesign (Target Operating Model): the lasting solution is to recast the roles according to the principle of least privilege.
- Compensatory controls: for risks that cannot be eliminated, regulatory compensatory controls must be put in place.
- Quickwins: quick actions, such as removing generic high-privilege roles (SAP_ALL), can often significantly reduce the risk (25-75%).
Monitoring and performance: reducing risk over time
One of the major added values of a structured audit is the ability to objectively measure the effectiveness of the remediation plan.

The chart Monitoring Risks on accounts by Date shows how the security level evolves over time.
- Measuring risk by process: risk is often concentrated in the SOD OTC (Order-to-Cash) and SOD PTP (Procure-to-Pay) processes.
- Assessment of remediation: comparing the bars between September and October 2025 illustrates the impact of the first actions.
- Control demonstration: this visualization is essential to reassure management and external auditors that the security approach is measured, managed and effective.
Expertise and support
Secureway mobilizes experienced consultants capable of dialoguing with business units, IT departments and auditors. The approach is collaborative, with regular workshops, documented exchanges and a high level of responsiveness. Project follow-up meetings ensure rigorous monitoring and continuous adaptation.
This approach enabled us to reassure a customer who had a very satisfactory level of risk and who could still improve it very quickly thanks to the recommendations:
"A rapid action plan to archive accounts, remove SAP_ALLs and clean up unused roles would significantly reduce the number of conflicts.
These "quickwins" would make it possible to have more adapted rights and a reduction in risk of the order of 75%".
The SAP audit becomes a lever for governance, compliance and performance. Using a structured approach and proven tools, Secureway helps its customers transform their risks into opportunities.
FAQ: Frequently asked questions about SAP auditing
What's the difference between SoD risk at role level and risk at user level?
The difference between an SoD risk at role level and a risk at user level is crucial for the remediation and correction strategy.
- Role risk: occurs when the role itself is poorly constructed (for example, a single role can both create a supplier AND pay it). This structural problem requires the role to be redesigned.
- User risk: arises when a user has several roles which, when combined, create an SoD conflict. This problem can be solved simply by adjusting role assignments or by implementing compensatory controls.
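The role-level versus user-level distinction described in Step 2 and in this answer, as an added example that is not part of the original article: a minimal Python SoD engine over a constructed P2P rule (XK01/XK02 against F110), a constructed role catalogue and constructed user assignments, which classifies each hit and shows the effect of the SAP_ALL quickwin on the conflict count.

```python
# Constructed SoD rule from the P2P process: supplier master maintenance
# (XK01/XK02) must not be combined with the payment run (F110).
SOD_RULES = [
    {"id": "PTP-01", "side_a": {"XK01", "XK02"}, "side_b": {"F110"}},
]

# Constructed role catalogue: transaction codes each role grants. "*" models
# SAP_ALL, which grants every transaction and so every side of every rule.
ROLES = {
    "Z_AP_VENDOR_MAINT": {"XK01", "XK02", "XK03"},
    "Z_AP_PAYMENT_RUN": {"F110", "FBL1N"},
    "Z_AP_SUPER": {"XK01", "F110"},  # badly built: both sides in one role
    "SAP_ALL": {"*"},
}

def grants(role, tcodes):
    """True if the role grants at least one transaction of a rule side."""
    return "*" in ROLES[role] or bool(ROLES[role] & tcodes)

def analyse_user(assigned_roles):
    """Classify each SoD hit for one user as a role-level or user-level risk."""
    findings = {"role": [], "user": []}
    for rule in SOD_RULES:
        side_a = [r for r in assigned_roles if grants(r, rule["side_a"])]
        side_b = [r for r in assigned_roles if grants(r, rule["side_b"])]
        both = sorted(set(side_a) & set(side_b))
        if both:                 # one role carries the whole conflict: redesign it
            findings["role"].append((rule["id"], both))
        elif side_a and side_b:  # only the combination conflicts: fix the assignment
            findings["user"].append((rule["id"], sorted(side_a), sorted(side_b)))
    return findings

def conflict_counts(assignments):
    """Total role-level and user-level conflicts across all users."""
    per_user = [analyse_user(roles) for roles in assignments.values()]
    return {k: sum(len(f[k]) for f in per_user) for k in ("role", "user")}

def remove_role(assignments, role):
    """Quickwin: strip a generic role such as SAP_ALL from every user."""
    return {u: [r for r in rs if r != role] for u, rs in assignments.items()}

# Constructed user-to-role assignments.
USERS = {
    "ALICE": ["Z_AP_VENDOR_MAINT", "Z_AP_PAYMENT_RUN"],  # user-level risk
    "BOB": ["Z_AP_SUPER"],                                # role-level risk
    "CAROL": ["SAP_ALL"],                                 # role-level risk
    "DAVE": ["Z_AP_VENDOR_MAINT"],                        # no conflict
}
```

Removing SAP_ALL clears CAROL's conflict immediately, whereas BOB's conflict survives any reassignment until Z_AP_SUPER itself is redesigned.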
What are "quickwins" and what are they really for?
«Quickwins» are remediation actions that are quick and easy to implement, offering an immediate return on the security investment. Their real benefit is to drastically reduce latent risk (up to 75%) and thereby quickly get management on board. Typical examples include the removal of generic roles (such as SAP_ALL) and of obsolete user accounts.
How can we ensure compliance after the audit without having to repeat the exercise every year?
To ensure post-audit compliance without having to repeat the exercise every year, the company needs to migrate to a continuous control model. This involves integrating a Governance, Risk and Compliance (GRC) solution, essential for prevention (risk simulation before assigning access), monitoring (real-time risk monitoring) and the certification of access rights.
Our company uses S/4HANA and Fiori. Is the SoD audit still relevant?
Yes, the SoD audit remains relevant even if your company uses S/4HANA and Fiori. Migrating to these technologies does not reduce SoD risk; it transforms it. The audit must be adapted to integrate Fiori applications (as they provide access to the same critical functionality as the historical SAP GUI transactions) and the new authorization objects of the S/4HANA model.
