{"id":1767,"date":"2021-11-19T10:23:41","date_gmt":"2021-11-19T09:23:41","guid":{"rendered":"https:\/\/sast-solutions.com\/blog-en\/?p=1767"},"modified":"2021-11-19T10:23:41","modified_gmt":"2021-11-19T09:23:41","slug":"rectify-your-top-findings-before-the-external-auditors-arrive","status":"publish","type":"post","link":"https:\/\/sast-solutions.com\/blog-en\/2021\/11\/19\/rectify-your-top-findings-before-the-external-auditors-arrive\/","title":{"rendered":"Rectify your top findings before the external auditors arrive!"},"content":{"rendered":"

\"RectifyOnce a year, as every SAP administrator and security manager knows, the annual external audit is a given. Despite this, the current risk situation of the SAP systems is often uncertain. Have all the vulnerabilities from the last audit really been taken care of? Have new risks arisen in the meantime? If you don\u2019t take active countermeasures, you might end up in the same situation again and again.<\/p>\n

<\/p>\n

 <\/p>\n

The next audit is always right around the corner<\/strong><\/h2>\n

SAP authorization concepts are subject to continual change, which is why auditors check every year to make sure that authorizations like SAP_ALL and the SAP standard users are protected, along with examining SoD risks. The list of necessary measures is long: from installing security patches to checking and reducing critical authorizations. Security specialists then often get the short-term order of ensuring that the list of findings from the previous year\u2019s external audit has been processed thoroughly and that no serious risks have arisen in the meantime\u00a0\u2013 whether debug and replace, deletion of change documents, or starting all reports that involve individual critical authorizations. One reason for these ad hoc orders: there has been no follow-up of the cleanups from the previous audit due to a lack of resources.<\/p>\n

If you limit yourself to this reactive approach, you\u2019re bound to go through the same cycle over and over again.\"AST
\nIf the previous findings are eliminated or mitigated just before the next audit, the auditor doesn\u2019t test for them alone; they run additional tests as well, of course, and produce a new list of findings\u00a0\u2013 and the game starts all over again. Although this snapshot-based approach is essential to avoiding short-term damage, it is not a viable future strategy. The compliance status of the system deteriorates immediately whenever new authorizations are assigned; this creep cannot be prevented proactively. New risks often remain undetected over the year, at least until the next audit comes around. The end effect: There is no work aimed at continuous improvement of the situation, nor any ongoing risk monitoring.<\/p>\n

Every external audit is merely a snapshot<\/strong><\/h2>\n

A list of findings only reveals a small sample of the risks in an SAP system. But what about analyses of transactions, changes, and system behavior? When and where have employees deviated from the specified working methods? Were differing settings intentionally changed back to the \u201ctarget\u201d state? Still, the solution to this problem is relatively simple: Don\u2019t wait until the next audit! Instead, identify your vulnerabilities today. It\u2019s the only way to guarantee the security of your SAP systems year-round and enable you to react to anomalies quickly.<\/p>\n

Proactive risk management is better than reactive<\/strong><\/h2>\n

The easiest, most thorough way to achieve this is by using an end-to-end, tool-supported solution for SAP threat detection and access governance\u00a0\u2013 like the SAST SUITE<\/a>. It not only provides extensive real-time monitoring, but also facilitates the integration of cyclical checks, even up to producing an audit plan with a dedicated policy for the auditor\u2019s list of findings. As a result, regular internal audits are used in addition to annual review by external auditors, to check the configuration of SAP landscapes and user authorizations. Their benefits: They analyze individual aspects of the system in shorter time intervals, help with preparation for and follow-up to the annual audits, and support internal control systems.\"AST<\/p>\n

Take an end-to-end approach <\/strong><\/h2>\n

The SAST SUITE enables fast, effective ad hoc cleanup of the external auditor\u2019s findings. Initial activities like this should remain the exception, however, and only represent the starting point, to prevent any gaps in monitoring over time. A reliable IT security concept requires a solution like the SAST SUITE\u00a0\u2013 one that enables proactive risk management and helps you reach a continuous \u201cstay clean\u201d stage through regular analyses and cyclical checks, with a clear audit plan, definition of the audit scope, planning of recurring checks, and automated audit execution. All these factors will help to ensure that cleaned systems stay clean, so you\u2019ll never have to dread an auditor visit again.<\/p>\n

For more information, visit our SAST SOLUTIONS website<\/a> or just get in touch<\/a>.<\/p>\n

 <\/p>\n

Further articles on the topic:<\/h2>\n

Knock, knock! What if a hacker has already broken in when your IT auditor is at the door?<\/a><\/p><\/blockquote>\n