SAP audit: from risk mapping to action strategy

In an increasingly complex SAP environment, auditing authorizations is no longer limited to a simple technical verification. It has become a strategic tool for controlling risks, reinforcing security and supporting digital transformation. Secureway has established itself as a benchmark player in this field, combining functional expertise, rigorous methodology and cutting-edge tools.

Stage 1: Risk mapping

The first phase of an SAP audit is to establish a precise map of the risks associated with authorizations. Secureway starts from standard risk matrices that are adapted to the specific needs of each customer. This customization makes it possible to include critical processes specific to the organization, as well as specific transactions or tiles.

Functional design workshops are used to gather business requirements, define rules for segregation of duties (SoD) and access to sensitive data, and validate a customized matrix.

(Figure: Example of an SoD risk matrix for the "Procure to Pay" process)

Stage 2: Analysis and diagnosis

Once the risk matrix has been drawn up, Secureway loads it into the risk management module of the SWAWE solution, which enables an in-depth analysis of roles, profiles and users in just a few days.

This step reveals SoD conflicts, critical accesses and users with extended rights.

Taking the example of a recently audited customer, the analyses revealed 13,716 active risks spread across 991 users. All these risks stem from the 738 roles containing segregation-of-duties conflicts, and the conclusion is clear: the roles need to be overhauled...
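To make concrete what this analysis step computes, here is an added example written for this article (not Secureway's SWAWE engine): a minimal SoD check over a Procure-to-Pay matrix that reports both the roles carrying a conflict on their own and the active risks per user, including the SAP_ALL case. The risk IDs, the transaction-to-function mapping and the role and user names are constructed for illustration.

```python
# Constructed SoD risk matrix for Procure-to-Pay: each risk ID names a pair of
# business functions that one person should not be able to perform together.
SOD_MATRIX = {
    "P2P-01": ("Maintain vendor master", "Post vendor invoice"),
    "P2P-02": ("Create purchase order", "Post goods receipt"),
    "P2P-03": ("Post vendor invoice", "Execute payment run"),
}
# Transaction codes that grant each function (constructed, illustrative mapping).
FUNCTION_TCODES = {
    "Maintain vendor master": {"XK01", "XK02", "FK02"},
    "Create purchase order": {"ME21N"},
    "Post goods receipt": {"MIGO"},
    "Post vendor invoice": {"MIRO", "FB60"},
    "Execute payment run": {"F110"},
}
ALL_ACCESS = "SAP_ALL"  # profile granting every transaction: realises every risk

def functions_of(tcodes):
    """Business functions enabled by a set of transaction codes."""
    if ALL_ACCESS in tcodes:
        return set(FUNCTION_TCODES)
    return {f for f, codes in FUNCTION_TCODES.items() if codes & tcodes}

def risks_in(tcodes):
    """IDs of the SoD risks that one set of transaction codes realises."""
    funcs = functions_of(tcodes)
    return {rid for rid, (a, b) in SOD_MATRIX.items() if a in funcs and b in funcs}

def analyse(roles, users):
    """roles: role -> tcodes; users: user -> list of assigned roles.
    Returns (roles that conflict on their own, user -> active risk IDs); a user's
    risks also include conflicts that only arise by combining several roles."""
    conflicting_roles = {r for r, tc in roles.items() if risks_in(tc)}
    user_risks = {u: risks_in(set().union(*(roles[r] for r in rs)))
                  for u, rs in users.items()}
    return conflicting_roles, user_risks

# Constructed sample role contents and user assignments.
ROLES = {
    "Z_AP_CLERK": {"MIRO", "FB60", "FK02"},  # invoice posting + vendor master in one role
    "Z_BUYER": {"ME21N", "ME23N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_TREASURY": {"F110"},
    "Z_BASIS_ALL": {"SAP_ALL"},
}
USERS = {"jdoe": ["Z_AP_CLERK"], "asmith": ["Z_BUYER", "Z_WAREHOUSE"],
         "bjones": ["Z_TREASURY"], "admin1": ["Z_BASIS_ALL"]}

if __name__ == "__main__":
    bad_roles, per_user = analyse(ROLES, USERS)
    print(f"{len(bad_roles)} conflicting roles; {sum(map(len, per_user.values()))} active risks")
```

The same two figures (roles with built-in conflicts, active risks across users) are the ones the audit findings above report; asmith shows why users must be analysed on their combined roles, not role by role.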

At ADOVA Group, using the SWAWE risk analysis engine enabled us to identify and track risks throughout our remediation project and achieve an 87% reduction in SoD risk.

(Figure: Account risk by date)

Stage 3: Recommendations and action plan

The audit doesn't stop with the findings. Secureway proposes a costed action plan, including remediation measures, compensating controls and automation solutions. The aim is to bring the system under long-term control while complying with business and regulatory constraints.

Deliverables include:

  • A validated risk matrix
  • A detailed report
  • Operational recommendations
  • Technical solutions

Expertise and support

Secureway mobilizes experienced consultants able to engage with business units, IT departments and auditors alike. The approach is collaborative, with regular workshops, documented exchanges and a high level of responsiveness. Project follow-up meetings ensure rigorous monitoring and continuous adaptation.

This approach enabled us to reassure a customer who already had a very satisfactory level of risk and who could still improve it very quickly thanks to the recommendations:

"A rapid action plan to archive accounts, remove SAP_ALLs and clean up unused roles would significantly reduce the number of conflicts.

These "quick wins" would make it possible to have more adapted rights and a reduction in risk of the order of 75%."

The SAP audit thus becomes a lever for governance, compliance and performance. Using a structured approach and proven tools, Secureway helps its customers transform their risks into opportunities.