Cloud Responsibilities & Controls (Part 1.3)
Regardless of whether the ERP system is an onPremise (e.g. SAP S/4HANA onPremise / SAP ECC) or Software-as-a-Service (SaaS) solution, all layers (physical data storage, database, operating system, middleware and application) must be considered by the IT auditor. The main difference for the auditor between an onPremise and a SaaS solution is that the auditor has to audit all layers directly in the case of an onPremise solution (“direct audit”), whereas he/she “solely” needs to audit defined areas on application level directly in the case of a SaaS solution:

| Service Model | Audit Directly | Rely on Third Party Report |
|---|---|---|
| OnPremise | Physical data storage, database, operating system, middleware and application | N/A |
| Infrastructure-as-a-Service (IaaS) | Operating system, middleware and application | Physical data storage, database |
| Platform-as-a-Service (PaaS) | (Middleware) and application | Physical data storage, database, operating system (and middleware) |
| SaaS | Application | Physical data storage, database, operating system, middleware and application |

In case an SAP client is using an IaaS, PaaS or SaaS solution provided by SAP, defined layers of the IT audit are covered by a third-party report, the so-called “SOC1 Type 2 Report”. According to the American Institute of CPAs (AICPA), Service Organization Control 1 (SOC1) Reports serve to assist service organizations “that operate information systems and provide information system services to other entities, build trust and confidence in their service delivery processes and controls through a report by an independent Certified Public Accountant”. A SOC1 Type 2 report describes the design and the testing of operating effectiveness of defined IT-related internal controls by the service provider over a period of time, including the test results. The SOC1 Type 2 report can be downloaded from SAP’s Trust Center and is then available for the customer’s internal and external auditors. During an external year-end audit, IT auditors need to request the SOC1 Type 2 reports that cover the client’s fiscal year and form an opinion on whether all IT-audit areas are considered according to the internal audit requirements and whether the potential findings / observations described in the report have an impact on the customer’s financial statements. Details will be described in the blog posts for chapter 6, “Consideration of Service Organization Controls Report”.
Relevance of on-premise controls vs. SAP S/4HANA controls:

| Area | Control | Control Objective (on-premise) | Relevance for SAP S/4HANA Cloud |
|---|---|---|---|
| Access Management | User provisioning | Management approves the nature and extent of user-access privileges for new and modified user access. | Relevant for the IT-Audit in SAP S/4HANA Cloud. |
| Access Management | User deprovisioning | Access for terminated and/or transferred users is removed or modified in a timely manner. | Relevant for the IT-Audit in SAP S/4HANA Cloud. |
| Access Management | User review | User access is periodically reviewed. | Relevant for the IT-Audit in SAP S/4HANA Cloud. |
| Access Management | SoD monitoring | Segregation of duties is monitored and conflicting access is either removed or mapped to mitigating controls. | Relevant for the IT-Audit in SAP S/4HANA Cloud. |
| Access Management | Access Authentication | Access is authenticated through unique user IDs and passwords. Password parameters meet company and/or industry standards. | Relevant for the IT-Audit in SAP S/4HANA Cloud. |
| Access Management | Privileged Access | Privileged-level access is authorized and appropriately restricted. | Relevant for the IT-Audit in SAP S/4HANA Cloud. |
| Access Management | Table Access | Table update access is restricted based on specific business need. | Customers do not have access on table level by default. Therefore, this audit activity is not always relevant for an IT-Audit in SAP S/4HANA Cloud. |
| Access Management | Password Parameters | The default passwords for standard SAP IDs have been changed in all clients and secured appropriately. | Default password: Standard users (SAP*, DDIC, EARLYWATCH, and SAPCPIC) cannot be locked/unlocked/edited by the business itself. This means that the business has no influence over these standard users. The above-mentioned standard users can only be displayed in a list. The client is therefore unable to log in to SAP Cloud with these standard (technical) users. This can only be done with the business users. |
| Change Management | Application Changes | Application changes are appropriately tested and approved before being moved into the production environment. | Include in the IT-Audit for changes to the system configuration. Changes to SAP’s programs are not possible. |
| Access Management | Password Changes Authorization | Access to change the password parameters is granted appropriately based on job responsibilities. | Password parameters are defined in the Identity Authentication Service (IAS) by the customer. Therefore, relevant for the IT-Audit in SAP S/4HANA Cloud. |
| Access Management | Change Authorization | Access to implement changes into the application production environment is appropriately restricted and segregated from the development environment. | Include in the IT-Audit for changes to the system configuration. Changes to SAP’s programs are not possible. |
| Access Management | Privileged Access | Powerful profiles SAP_ALL and SAP_NEW are adequately secured by ensuring no dialog or service user has access to these profiles. | SAP_ALL and SAP_NEW profiles do not exist for the customer in SAP S/4HANA Cloud. Therefore, not relevant for an IT-Audit in SAP S/4HANA Cloud. |
| Access Management | Remote Access | Remote access to SAP for software maintenance by the SAP vendor is restricted, approved by management and removed in a timely manner. | Relevant for the IT-Audit in SAP S/4HANA Cloud. |
| Access Management | Emergency Access | Emergency access to SAP is permitted only with prior approval, logged, monitored by someone other than the users who administer the access, and removed in a timely manner. | Relevant for the IT-Audit in SAP S/4HANA Cloud. |
| Access Management | BI/BW Workbench Access | Access to the BI/BW workbench, data flows, queries and variables is appropriately restricted. | Not relevant for the IT-Audit in SAP S/4HANA Cloud. |
| System Parameter Settings | Production Client Settings | The production client settings have been flagged to not allow changes to programs and configuration. Client and system setting changes are logged, monitored and approved by management. | Production client settings are not accessible in SAP S/4HANA Cloud for customers. Therefore, not relevant for the IT-Audit in SAP S/4HANA Cloud. |
| System Parameter Settings | Global System Change | The ability to maintain the global system change option and client maintenance settings is restricted. | The global system change option and client maintenance settings are not accessible in SAP S/4HANA Cloud for customers. Therefore, not relevant for the IT-Audit in SAP S/4HANA Cloud. |
| Access Management | Development Access | Development access is not granted in the production environment. In case development access is granted, it is limited to authorized accounts (e.g., emergency access) and the usage is monitored. | Development access is not available for customers in SAP S/4HANA Cloud. Therefore, not relevant for the IT-Audit in SAP S/4HANA Cloud. |
| Access Management | Privileged Access | Debug access is not permanently granted in the production environment. | Debug access is not available for customers in SAP S/4HANA Cloud. Therefore, not relevant for the IT-Audit in SAP S/4HANA Cloud. |
| IT Operations | IDoc Monitoring | IDocs are monitored and identified issues are resolved in a timely manner. | Relevant for the IT-Audit in SAP S/4HANA Cloud. |
| Access Management | Access to Shared Accounts | Access granted to privileged-level shared and/or generic accounts is appropriately secured, and passwords to such accounts are modified on a periodic basis. | Relevant for the IT-Audit in SAP S/4HANA Cloud. |

In the following, “clients” and “customers” are used as synonyms and refer to the organizations that use an SAP ERP system.
Engage with us
To read all upcoming posts in this series, please follow the S4HANACloud audit tag we’ve created for this purpose.
Or contact us on LinkedIn.
Feel free to share your feedback and thoughts in the comment section below.
A big thank you to my colleagues for their collaboration and support while I was writing this post!
Matthias Ems (SAP) – Business Information Security Officer SAP S/4HANA and Chief Security Product Owner S/4HANA
With more than 20 years of experience in SAP Security, Auditing and Compliance, Matthias leads a team of Security Experts, responsible for Cloud Operations Security, Secure Development, Data Protection & Privacy and Security Attestation & Certification.
Florian Eller (SAP) – Product Management SAP S/4HANA Security
Florian has more than 15 years of experience working at SAP. For the past 8 years, his focus has been on application security.
Björn Brencher (SAP) – Chief Product Security Architect SAP S/4HANA
Björn has been working in the field of SAP security for more than 2 decades, with additional experience in SAP implementation and IT auditing.
Patrick Boch (SAP) – Product Management SAP S/4HANA Security
Patrick has 20 years of experience working with SAP, with a focus on SAP security for over a decade.
Heiko Jacob (Deloitte) – Partner Risk Advisory (IT & Specialized Assurance)
Heiko Jacob has more than 20 years of experience in the field of IT auditing and IT consulting, both in industry and with financial service providers.
Christina Köhler (Deloitte) – Senior Manager Risk Advisory (IT & Specialized Assurance)
Christina Köhler has more than 5 years of professional experience in the field of IT auditing and IT consulting, both in industry and with financial service providers.