Managing compliance risks associated with SAP audits

Published: Friday, 01 July 2022 08:40

SAP systems are widely used for enterprise resource planning and are subject to regular auditing as a result. Failing an audit can lead to system shutdowns, expensive remediation, and non-compliance with standards. Here, Tim Wallen explores how organizations can improve the SAP audit process and their compliance efforts.

SAP holds a dominant position in the enterprise resource planning (ERP) market. Today, it is estimated that as much as 70 percent of corporate data is stored in SAP systems.

Given their central role in the data landscape, SAP applications are naturally subject to IT audits every year that seek to determine the effectiveness of system controls, such as proper segmentation and access control, that are critical to achieving security and data integrity.

The introduction of GDPR and other associated data protection regulations means that companies now face large fines if they fail to handle data correctly. Compliance is therefore vital – something that is only achievable when firms understand where their data is stored, how it is monitored, and who has access to it.

Naturally, a thorough understanding of SAP applications is needed. However, building up this understanding can take time. Indeed, companies must go through an extensive process that begins with outlining key processes before establishing security measures from the ground up.

As mentioned, this needs to begin with sufficient segregation of duties in order to effectively monitor who has access to data and processes. Beyond that, companies also need to consider who can authorise changes to systems as they move from test to production, again to ensure the security and integrity of the system.

Auditors require information relating to system settings, data integrity and processes to assess whether or not regulations have been followed. Further, to stay one step ahead in terms of compliance, firms should also look to continually monitor systems for security, remediating any deficiencies as and when they arise.

Siloed SAP

Unfortunately, many firms do indeed fail these audits.

All too often, SAP applications are implemented under the ownership of the department (HR, finance) in which they are used. In such instances, not only do they often end up in silos away from the central security and IT teams, but the management and patching of such systems becomes sporadic because system availability is prioritised over security and compliance.

Such applications thus routinely find themselves in a security vacuum – something that can be exacerbated by the difficulties that security teams encounter when attempting to bring SAP systems under the central security strategy.

Like a collection of independent networks with their own rules, SAP applications do capture events in logs, which is standard practice. However, these logs use formats and structures that differ from those of other systems, and SAP also has its own vocabulary for describing IT infrastructure that does not match the terminology used in security standards.

Therefore, while SAP does have some built-in defences, the difficulties that security teams have in integrating applications can often limit any ability to monitor attack patterns.

Indeed, the statistics speak for themselves. According to a May 2022 Twitter poll conducted by Logpoint, four in 10 respondents admitted that their enterprise does not monitor business critical applications like those provided by SAP in their security practices, with a further 27 percent stating that they were unsure if this was the case.

The poll also asked how SAP logs for cyber security events or cyber threat activity are currently reviewed, with three in 10 admitting to not reviewing SAP logs at all, and a further three in 10 again expressing uncertainty.

Such figures show that the divide between SAP and security strategies is a major challenge for organizations. While these barriers persist, security teams are unable to see the full security picture, potentially leaving their most foundational applications exposed to attack.

Impact of failed SAP audits

A cyber attack that breaches such systems can jeopardise all kinds of data, from employees' personal information to the publication of salaries or the leak of information on tax evaders held by tax authorities.

Critically, however, cyber attacks are not the only thing organizations need to worry about when they fail to integrate SAP systems within their central security strategies.

Failed SAP system audits can likewise lead to several other potentially severe consequences, often leaving companies unable to maintain day-to-day business operations. This can include the shutdown of systems or transactions in SAP, which in turn requires expensive resources to resolve.

If an SAP system fails an audit, it needs to be rectified immediately. But correcting the system deficiencies identified during the audit often requires investment and external consultants, which can be a costly affair.

Compliance with industry standards such as SOX, PCI DSS or GDPR can also be jeopardised. In the case of SAP, the Read Access Log records read and write access to specific fields of transactions, reports or programs, which is a very important component in meeting the obligations under GDPR (namely, the logging of access to personal data).

It may also create problems with customers, partners, and suppliers whose data is stored in the SAP systems, resulting in a lack of trust and reputational damage. Payments could also be inhibited, further compounding any potential mishaps in these vital relationships.

Complete system visibility

Be it financial losses or reputational damages, the potential implications of improper management of SAP systems, and in turn failed audits, can be enough to hurt or even cripple the most robust of businesses.

Mindsets therefore need to shift towards prioritising security best practice and compliance in order to both protect against potential attacks and de-risk the audit process – something that can be achieved by bringing SAP systems directly under the remit of cyber security solutions.

Accommodating SAP directly within the SIEM, for example, can help to ensure business critical applications are able to benefit from automation and continuous monitoring, making the audit process smoother and reducing costs.

Maintaining centralised visibility of SAP systems in this manner can equally enable organizations to define the key criteria for SAP audits and develop normalised, consistent procedures for passing them. Further, improving visibility will also reduce compliance risks and significantly improve a company's security posture.

This might seem like a daunting undertaking, yet there are several tools capable of supporting those organizations looking to bridge these problematic gaps. Business-critical security (BCS) solutions, for example, can bring critical application activity under the central security monitoring of SIEM while also automating compliance monitoring of critical applications to unlock time efficiencies, backed by ready-to-use controls, checks, dashboards, and comprehensive reports.

In the case of SAP, BCS solutions have been designed specifically to solve the language barrier, translating SAP data so that it aligns with typical security terminology before it is ingested by the SIEM.

When these divides between SAP and security systems are broken down, business critical applications become empowered to benefit from a multitude of robust security technologies including not just SIEM, but equally SOAR and UEBA.

Together, these solutions can help to unlock transformative threat insights through automated threat detection, investigation, and response capabilities, alongside the delivery of accurate, risk-based analytics.

The result? Security teams are empowered to counter advanced attacks across the entire network and eliminate blind spots. Not only does this provide peace of mind, but the efficiency gains also allow security professionals to focus on important tasks, prioritising incident response activities, pursuing continuous improvement and keeping the business safe.

Continuous automated system monitoring

To reiterate, SAP audits are vital to securing business critical applications and protecting data integrity, and the consequences of failing an audit can be as catastrophic as a cyber attack, both financially and operationally.

SAP audits are repetitive and expensive, potentially leading to financial losses if system deficiencies are not addressed at speed. If the company does fail an audit, costs are ramped up even further – not just through the disruption inflicted on the business, but also because they have to bring in expensive resources to solve the issues that led to the failure.

Many firms may be tempted to monitor their SAP systems only when an audit comes around, yet in the modern threat landscape this is highly inadvisable, as it leaves those systems vulnerable to attack for the remainder of the year.

Indeed, SAP systems are often the home of intellectual property, company secrets and personal data – data that can be used to manipulate any business should it fall into the wrong hands.

For all these reasons and more, it is necessary to monitor SAP systems continuously and automatically beyond annual audits.

By adopting the right technologies and developing an intelligent, all-encompassing holistic approach to security, organizations can detect any threats facing their SAP systems early, and thus proactively respond with appropriate countermeasures.

The author

Tim Wallen is Regional Director UK&I at Logpoint.