The SAP security imperative
In an environment where information systems are at the heart of operations and regulatory obligations (Sarbanes-Oxley, Sapin 2 law), SAP access and authorization management is vital. The slightest authorization gap, poorly managed segregation of duties (SoD) or reliance on manual controls exposes the company to major operational and financial risks.
The good news: securing SAP in 2026 no longer means insurmountable complexity, provided good governance practices are combined with pragmatic automation.
In a nutshell: the roadmap for SAP security in 2026
Securing SAP and being ready for 2026 means moving from a reactive approach to continuous, automated control (Continuous Control Monitoring, CCM). This transformation rests on three methodological pillars:
1. Governance (method): define a relevant SoD matrix and standardize the access lifecycle (IAM) with workflows and recertifications.
2. Controls (automation): switch from manual sample checks to automated, comprehensive monitoring of functional processes and access rights.
3. Traceability (proof): rigorously manage privileged access (PAM) and document the entire process to provide irrefutable audit evidence to the statutory auditors.
Putting governance at the center: roles, SoD and processes
Security starts with structure and method.
Risk assessment and the SoD matrix
Before any role redesign or migration to S/4HANA, it is essential to assess the state of your current authorization model and to define a relevant SoD matrix.
The Secureway approach: With SWAWE Compliance Companion and its risk analysis module, you have access to a standard SoD matrix that can be immediately customized to provide a precise, actionable diagnosis.
Standardize the access lifecycle (IAM)
Access management must be formalized and automated to eliminate human error:
- Set up traceable workflows for access requests and approvals.
- Automate the granting and revocation of rights (provisioning/deprovisioning).
- Require managers to recertify access rights periodically.
- Quick win: start with the Top 20 most frequent SoD risks in your organization.

Building key controls... that really work (CCM)
The major transformation for 2026 is the move from sampling to continuous control, in order to guarantee the integrity and compliance of operations.
From manual controls to automation
The aim is to move to Continuous Control Monitoring (CCM), which covers 100% of transactions and detects anomalies and potential fraud in real time.
Continuous Control of Processes and Rights
The CCM must cover two essential dimensions:
- Functional process control: automatic monitoring of critical configurations and high-risk operations.
- Access rights control: monitoring of the granting of extended or sensitive rights.
- The Secureway approach: SWAWE and its CCM (Continuous Control Monitoring) module provide a single tool that targets both access rights and functional processes.
- Quick win: start by automating three high-impact controls (e.g. manual payments, changes to sensitive supplier data).
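As an added illustration (not Secureway's or SWAWE's code), here are the two high-impact controls named above, plus a correlation between them, run over constructed sample records. The record layout loosely mimics SAP change documents and payment documents, but every field name, user, vendor and threshold is an assumption.

```python
"""Added example: three continuous controls over constructed SAP-style records.
Field names, users, vendors and the threshold are assumptions, not SWAWE's schema."""

# Constructed sample: change-document style records for supplier (vendor) master data.
VENDOR_CHANGES = [
    {"user": "JDOE", "ts": "2026-01-10T09:01", "vendor": "V100", "field": "BANKN", "old": "DE11", "new": "DE99"},
    {"user": "ASMITH", "ts": "2026-01-10T09:05", "vendor": "V200", "field": "NAME1", "old": "Acme", "new": "Acme Ltd"},
    {"user": "JDOE", "ts": "2026-01-10T09:07", "vendor": "V300", "field": "BANKN", "old": "FR76", "new": "FR00"},
]
# Constructed sample: manual payment documents with their creator and releaser.
PAYMENTS = [
    {"doc": "P1", "created_by": "JDOE", "released_by": "MLEE", "vendor": "V200", "amount": 900, "invoice_ref": "INV1"},
    {"doc": "P2", "created_by": "JDOE", "released_by": "JDOE", "vendor": "V100", "amount": 25000, "invoice_ref": None},
    {"doc": "P3", "created_by": "ASMITH", "released_by": "MLEE", "vendor": "V300", "amount": 4000, "invoice_ref": None},
]
SENSITIVE_VENDOR_FIELDS = {"BANKN", "BANKL", "IBAN"}  # bank-account fields; assumed list

def control_sensitive_vendor_changes(changes):
    """Control 1: every change to a supplier bank field is an alert (100% coverage, no sampling)."""
    return [c for c in changes if c["field"] in SENSITIVE_VENDOR_FIELDS]

def control_manual_payments(payments, threshold=10000):
    """Control 2: flag manual payments with no invoice reference, released by their own
    creator (an SoD break at transaction level), or above the threshold."""
    alerts = []
    for p in payments:
        reasons = []
        if p["invoice_ref"] is None:
            reasons.append("no invoice reference")
        if p["created_by"] == p["released_by"]:
            reasons.append("created and released by same user")
        if p["amount"] >= threshold:
            reasons.append(f"amount >= {threshold}")
        if reasons:
            alerts.append((p["doc"], reasons))
    return alerts

def control_change_then_pay(changes, payments):
    """Control 3 (correlation): a bank-field change on a vendor followed by a payment to
    that vendor in the same batch; HIGH if the same user did both, MEDIUM otherwise."""
    changed = {(c["vendor"], c["user"]) for c in control_sensitive_vendor_changes(changes)}
    changed_vendors = {v for v, _ in changed}
    hits = []
    for p in payments:
        if p["vendor"] in changed_vendors:
            same_user = (p["vendor"], p["created_by"]) in changed
            hits.append((p["doc"], p["vendor"], "HIGH" if same_user else "MEDIUM"))
    return hits
```

Run against real exports, the same three functions would consume the full change-document and payment tables rather than a sample, which is the point of moving from sampling to CCM.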
IAM / PAM: simplify, document, prove
The third pillar is the management of privileged access and the provision of audit trails.
Privileged Access Management (PAM)
Accounts with extended rights (Firefighter-type access) are a major source of risk if they are not managed and tracked.
- Principle: apply least-privilege access on a daily basis and use extended rights only in emergency situations.
- Traceability: each use must be time-stamped, validated (approval workflow) and logged.
Simplification and documentation for the audit
The whole process must result in irrefutable documentation proving that risks are under control.
- SoD reports: reports must be precise and highlight priority risk areas.
- Proof of control: the GRC/CCM solution must generate audit logs and key performance indicators (KPIs) that demonstrate the effectiveness of compensating controls.
Conclusion
Securing SAP in 2026 is a question of method and automation. By integrating a precise risk analysis engine from the outset, switching to continuous controls and rigorously managing privileged access, companies can move from reactive, costly security to a preventive, measurable and sustainable risk governance system.
FAQ: frequently asked questions about continuous control and SAP security
What is Continuous Control Monitoring (CCM) and why is it essential for compliance?
Continuous Control Monitoring (CCM) is a method of automatically monitoring 100% of critical transactions and configurations in SAP in real time. It is essential for compliance (Sarbanes-Oxley, etc.) because it detects anomalies and SoD risks as soon as they occur, providing comprehensive audit evidence and drastically reducing exposure to fraud.
Our system is old (ECC). Is Continuous Control suitable before migrating to S/4HANA?
Yes, continuous control is suitable even before migrating to S/4HANA. Implementing CCM controls on ECC enables you to identify the greatest weaknesses in the current system and apply immediate corrective measures. It also prepares you methodologically for the governance required by S/4HANA.
Does introducing CCM replace the overhaul of SoD roles?
No, setting up CCM does not replace the overhaul of SoD roles, but it is complementary and essential. Redesigning roles is a preventive action that minimizes risk at the source. CCM is a detective action that monitors activity and the effectiveness of controls (including compensating controls) where SoD risks cannot be eliminated entirely.
How does Secureway deal with the issue of "false positives" in SoD and CCM risk analysis?
Secureway manages the issue of "false positives" using a customized, non-generic risk matrix. The SWAWE tool enables risk to be analyzed not just by transaction, but by actual use of privileges, considerably reducing unnecessary alerts and enabling teams to focus on real threats.
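To make the SoD matrix of the governance section and the "actual use of privileges" refinement in this answer concrete, here is an added example (not Secureway's or SWAWE's code): a minimal SoD analysis over constructed roles and user assignments, first on assigned rights and then narrowed to conflicts the user has actually exercised. The function names, SoD rules, role names, users and usage data are all assumptions; the transaction codes are standard SAP ones used only as illustration.

```python
"""Added example: SoD matrix analysis on assigned rights, then on exercised rights.
Rules, roles, users and the usage log are constructed; only the tcodes are standard SAP."""

# SoD matrix: conflicting business functions, each defined by the transactions that grant it.
FUNCTIONS = {
    "MAINTAIN_VENDOR": {"XK01", "XK02", "FK02"},
    "POST_INVOICE": {"FB60", "MIRO"},
    "RUN_PAYMENT": {"F110", "F-53"},
    "MAINTAIN_USER": {"SU01", "PFCG"},
}
SOD_RULES = [  # (function A, function B, risk level)
    ("MAINTAIN_VENDOR", "RUN_PAYMENT", "HIGH"),
    ("POST_INVOICE", "RUN_PAYMENT", "HIGH"),
    ("MAINTAIN_USER", "RUN_PAYMENT", "MEDIUM"),
]
# Constructed role model and user-to-role assignments.
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO", "XK02"},
    "Z_TREASURY": {"F110", "F-53"},
    "Z_BASIS": {"SU01", "PFCG"},
}
USER_ROLES = {"JDOE": {"Z_AP_CLERK", "Z_TREASURY"}, "ASMITH": {"Z_BASIS", "Z_TREASURY"}, "MLEE": {"Z_AP_CLERK"}}
# Constructed usage log (what an export of transaction statistics would give): tcodes actually run.
USAGE = {"JDOE": {"FB60", "MIRO"}, "ASMITH": {"SU01", "F110"}, "MLEE": {"FB60"}}

def user_tcodes(user):
    """All transactions a user can execute through assigned roles."""
    return set().union(*(ROLES[r] for r in USER_ROLES.get(user, ())))

def functions_of(tcodes):
    """Business functions reachable from a set of transactions."""
    return {f for f, t in FUNCTIONS.items() if tcodes & t}

def sod_violations(user, tcodes=None):
    """(function A, function B, risk) for every rule where the user holds both sides.
    With tcodes given, the check is restricted to that set (e.g. exercised transactions)."""
    funcs = functions_of(user_tcodes(user) if tcodes is None else tcodes)
    return [(a, b, risk) for a, b, risk in SOD_RULES if a in funcs and b in funcs]

def analyse(users, usage):
    """Per user: violations on assigned rights, and the subset where both sides were exercised.
    'assigned' drives role redesign (preventive); 'exercised' drives alert priority (detective)."""
    report = {}
    for u in users:
        report[u] = {
            "assigned": sod_violations(u),
            "exercised": sod_violations(u, tcodes=usage.get(u, set())),
        }
    return report
```

In the constructed data JDOE holds two HIGH conflicts on paper but has exercised neither side of the payment function, while ASMITH's single MEDIUM conflict is actually in use; that is the distinction the FAQ answer relies on to cut unnecessary alerts.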
