How to audit SAP S/4HANA Cloud, public edition
Trigger & Background
Ironic as it is, the quote above does carry some truth. For every larger and/or publicly listed company, an annual audit is mandatory. This audit is required to validate correctness of the annual financial statements, but these days also covers the IT systems used to prepare the financial statement.
SAP’s S/4HANA solution – and its predecessors ECC and R/3 – is used by many companies, and therefore specific guidelines for auditing those systems have evolved over time. However, audit activities conducted in SAP’s R/3 / ECC systems often do not apply to S/4HANA Cloud, because customers and auditors only have restricted access. More generally speaking, SAP S/4HANA Cloud is a “Software as a Service” solution and therefore works significantly differently from the previous ECC / R/3 system.
As SAP has announced that it will end support and maintenance for SAP ERP ECC / R/3 systems from 2027 onwards, many companies are currently in the process of migrating to SAP S/4HANA. As this includes instances of SAP S/4HANA Cloud, public edition, we decided to create this series of blog posts, which details the differences between auditing an SAP S/4HANA Cloud, public edition, system and an SAP S/4HANA system on premise.
The objective of this blog post series is to explain the changes in the IT audit procedures that are part of the annual year-end audit in the SAP S/4HANA environment in a comprehensible and concise manner. For this purpose, new features, functions and reports of S/4HANA Cloud, public edition are compared to the existing ones in the SAP ERP ECC system (version 6.0), and best-practice recommendations for IT audits are derived. The blog posts therefore describe the existing IT General Controls (ITGC)-related system functionalities, especially in access security and change management. Furthermore, they describe the system’s configuration as well as its secure-by-default settings.
Who we are
Matthias Ems (SAP) – Business Information Security Officer SAP S/4HANA and Chief Security Product Owner S/4HANA
With more than 20 years of experience in SAP Security, Auditing and Compliance, Matthias leads a team of Security Experts, responsible for Cloud Operations Security, Secure Development, Data Protection & Privacy and Security Attestation & Certification.
Florian Eller (SAP) – Product Management SAP S/4HANA Security
Florian has more than 15 years of experience working at SAP. For the past 8 years, his focus has been on application security.
Björn Brencher (SAP) – Chief Product Security Architect SAP S/4HANA
Björn has been working in the field of SAP security for more than two decades, with additional experience in SAP implementation and IT auditing.
Patrick Boch (SAP) – Product Management SAP S/4HANA Security
Patrick has 20 years of experience working with SAP, with a focus on SAP security for over a decade.
Heiko Jacob (Deloitte) – Partner Risk Advisory (IT & Specialized Assurance)
Heiko Jacob has more than 20 years of experience in the field of IT auditing and IT consulting, both in industry and with financial service providers.
Christina Köhler (Deloitte) – Senior Manager Risk Advisory (IT & Specialized Assurance)
Christina Köhler has more than 5 years of professional experience in the field of IT auditing and IT consulting, both in industry and with financial service providers.
The chapters are published regularly in the following structure and order (when available, chapters are linked to the respective blog post):
2. Secure by Default
3. Access Management
4. Operations Management
5. Change Management
6. Consideration of Service Organization Controls Report
7. Further Guidance Provided by SAP