How can SAP ETD help to mitigate or eliminate audit-relevant risks?
Why is a monitoring system like SAP Enterprise Threat Detection (ETD) required to safeguard your core business data?
In times of rapidly changing IT technology and infrastructure, and of data analytics over ever larger volumes of data, safeguarding that data becomes more and more important. Your core business data is distributed across a hybrid SAP system landscape, cloud solutions and self-developed applications. In such an environment it is essential to secure this core data against unauthorized access by internal and external employees, business partners and others, and to have the right mechanisms in place to protect against threats and vulnerabilities.
IT applications underlie business and financial operations: they assist users in entering information, in processing transactions and in recording those transactions in the financial statements. Audit rules for the use of IT, mapped to defined risks and compensating controls, help establish a security baseline that safeguards your core business data and ensures compliance with IT security standards and financial regulations.
How to detect suspicious activities through the system landscape and related IT applications?
During audits we regularly see teams overwhelmed by new tasks piling up. Compensating controls are mostly time-consuming and still rely on manual work, or on assembling individual pieces such as several SAP tables to combine the data needed to execute the compensating controls and to show evidence that no suspicious activity has been identified and that the implemented measures are effective.
Continuous tool-based monitoring of the relevant system components, infrastructure and applications helps analyze the chain of data and activities of a business process and identify suspicious activities. For good results, an initial, sustainable, risk-based rule set needs to be defined and translated for the tool in use (e.g. developed as patterns for a monitoring tool like SAP ETD). Furthermore, the right questions need to be asked, and the monitoring tool should be set up to answer them. Not all data and transactions are relevant. Combining several patterns can be even more precise and helps eliminate false positives.
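To make the point about combining patterns concrete, here is an added example; it is not code from this page, from EY, or from SAP ETD (whose patterns are built in its own tooling, not in Python). Two simple patterns over constructed audit events, each noisy on its own (a critical profile assigned, a critical transaction started), are correlated per user within a time window and then filtered against a list of governed emergency-access IDs, so that only the combination raises an alert. The event format, event names, profile and transaction codes, the 30-minute window and the approved-user list are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events, not output of SAP ETD or the SAP Security Audit Log.
# Field names (ts, user, event, detail), event names and profile/transaction
# codes are assumptions chosen for this example.
EVENTS = [
    {"ts": "2024-03-01T08:00:00", "user": "ADM01", "event": "PROFILE_ASSIGNED",     "detail": "SAP_ALL"},
    {"ts": "2024-03-01T08:03:00", "user": "ADM01", "event": "TRANSACTION_STARTED", "detail": "SE16"},
    {"ts": "2024-03-01T09:00:00", "user": "FF_01", "event": "PROFILE_ASSIGNED",     "detail": "SAP_ALL"},
    {"ts": "2024-03-01T09:05:00", "user": "FF_01", "event": "TRANSACTION_STARTED", "detail": "SE16"},
    {"ts": "2024-03-01T10:00:00", "user": "USR42", "event": "PROFILE_ASSIGNED",     "detail": "SAP_ALL"},
    {"ts": "2024-03-01T15:00:00", "user": "USR42", "event": "TRANSACTION_STARTED", "detail": "SE16"},
    {"ts": "2024-03-01T11:00:00", "user": "USR07", "event": "TRANSACTION_STARTED", "detail": "SE16"},
]

CRITICAL_PROFILES = {"SAP_ALL"}
CRITICAL_TRANSACTIONS = {"SE16", "SE38", "SU01"}
# Assumption: emergency-access (firefighter) IDs whose use is covered by a
# separate, governed control and therefore should not raise this alert.
APPROVED_EMERGENCY_USERS = {"FF_01"}
# Assumption: a critical transaction this soon after the grant is what we care about.
WINDOW = timedelta(minutes=30)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def pattern_critical_profile(events):
    """Pattern 1: a critical profile was assigned to a user. Noisy on its own."""
    return [e for e in events
            if e["event"] == "PROFILE_ASSIGNED" and e["detail"] in CRITICAL_PROFILES]


def pattern_critical_transaction(events):
    """Pattern 2: a critical transaction was started. Also noisy on its own."""
    return [e for e in events
            if e["event"] == "TRANSACTION_STARTED" and e["detail"] in CRITICAL_TRANSACTIONS]


def correlate(events, window=WINDOW, approved=APPROVED_EMERGENCY_USERS):
    """Combined pattern: alert only when the same user triggers pattern 1 and then
    pattern 2 within `window`, and the user is not a governed emergency ID."""
    alerts = []
    grants = pattern_critical_profile(events)
    transactions = pattern_critical_transaction(events)
    for grant in grants:
        if grant["user"] in approved:
            continue  # covered by the firefighter control, not a finding here
        for txn in transactions:
            if txn["user"] != grant["user"]:
                continue
            delta = _ts(txn) - _ts(grant)
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "user": grant["user"],
                    "profile": grant["detail"],
                    "transaction": txn["detail"],
                    "minutes_after_grant": int(delta.total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    print("pattern 1 alone:", len(pattern_critical_profile(EVENTS)), "hits")
    print("pattern 2 alone:", len(pattern_critical_transaction(EVENTS)), "hits")
    for alert in correlate(EVENTS):
        print("combined pattern:", alert)
```

On the constructed input the two single patterns fire three and four times respectively, while the combined pattern yields a single alert (ADM01): FF_01 is suppressed as a governed emergency ID and USR42 falls outside the window. The suppression list is exactly the kind of link to an existing control that keeps the pattern from re-reporting activity another control already covers.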
How to integrate SAP ETD into existing risk and controls framework?
Using a monitoring tool like SAP ETD significantly reduces the effort of implementing compensating controls and lets you manage them more precisely once an issue has been identified. With continuous monitoring you avoid having to create a large batch of controls in a very short time after an audit. Furthermore, by defining and implementing the right governance process you ensure that the link between defined risks, related controls and mapped SAP ETD pattern sets is governed. Technically, SAP and non-SAP GRC tools can be linked with SAP ETD, enabling a sustainable end-to-end risk and controls framework.
Ernst & Young (EY), as an audit company, has defined standards for IT audits based on relevant security standards and provides expertise on IT risk details as well as critical system settings. Our approach to developing a fitting pattern set together with our clients is based on this expertise and best practice. Furthermore, it is important to roll out new patterns in manageable packages so that the related effort of defining controls, handling alerts and implementing required measures stays acceptable. Prioritization regularly follows audit findings, risk-based audit standards defined by EY and the IT risks prioritized by the client.
The results and detailed reporting of the monitoring tool provide the evidence required for compensating controls and their effectiveness, and give details on the mitigation measures to be created and implemented. Tools like SAP ETD offer a range of dashboard options that can be customized to specific needs, enabling the organization to handle alerts and route tasks to the right business units, IT areas and responsible persons. Workflow management helps implement the defined governance model.
Benefits of using a monitoring tool like ETD to protect against audit-relevant risks
Continuous monitoring of relevant system components, infrastructure and applications helps protect core business data against threats and vulnerabilities.
A risk-based, audit-oriented approach helps organizations continuously improve and automate preparation for IT audits. This avoids the intensive work of creating a bulk of compensating controls, handling controls manually and collecting evidence.
Linking a monitoring tool like SAP ETD to the existing risk and controls framework yields an integrated, sustainable end-to-end risk and controls framework supported by the monitoring.
Elements like the dashboard functionality or the workflow component help implement existing and newly defined governance structures for the related risks and controls.
Using a monitoring tool like SAP ETD can thus help reduce risk and improve system integrity throughout the financial year, not only during the audit period. It can help prevent risks arising from the use of IT and from violations of financial requirements that are examined during regular audits, avoiding financial or reputational loss.