Hupp Consulting

SAP Audit Preparation: Checklist for a Successful Review

An SAP audit is approaching – for many IT teams a cause for anxiety. It need not be: with systematic preparation and good documentation, the review becomes routine rather than a stress factor. This article provides a field-tested checklist for audit preparation.

Audit Types and Scope

First establish which type of audit is pending. Internal audit checks compliance with internal policies. External auditors focus on IT controls relevant to the financial statements (SOX/ITGC). ISO 27001 auditors assess the information security management system. Clarify the audit scope with the auditors early so that you can target your preparation.

Typical Audit Areas in SAP

Regardless of audit type, the following areas are almost always examined:

  • Access management: User lifecycle (creation, modification, lock), recertification, SoD conflicts, privileged access
  • Change management: Transport system, dual control, emergency changes, documentation
  • IT operations: Patch management, backup & recovery, monitoring, incident management
  • Data protection: Access to personal data, deletion concepts, logging

Pre-Audit Self-Assessment

Conduct a self-assessment 6–8 weeks before the audit: check all controls against expected requirements. Identify weaknesses and remediate them before the audit. Ensure all evidence is available and current. Walk through critical processes once (e.g. emergency user activation, transport workflow). The self-assessment is your chance to avoid findings before the auditor discovers them.

Gathering and Preparing Evidence

Auditors assess based on evidence. Prepare the following documents:

  • User lists with roles and last logon date (SUIM reports)
  • SoD analysis results with risk assessment and measures
  • Transport logs with change ticket assignment
  • Patch status overview (installed security notes, open notes with justification)
  • Backup logs and recovery test reports
  • Emergency user usage logs with controller confirmation
  • Policy documents (authorisation concept, emergency concept, patch policy)

Present evidence in a structured manner – a well-prepared audit folder saves time for everyone involved.

Avoiding Common Findings

The top 5 findings in SAP audits:

  • Users with SAP_ALL or equivalent authorisations in production: Remove these before the audit or document the justification and compensating controls
  • Missing segregation of duties: Document all known SoD conflicts with risk assessment and measures
  • Developer access to production: Debugging authorisations and direct interventions must be documented and justified
  • Missing or incomplete documentation: Auditors can only assess what is documented
  • Security notes not applied promptly: Show an active patch process with prioritisation
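
The first finding can be checked during the self-assessment against the same user list that goes into the audit folder. The following script is an added example, not part of the original article: it reads a constructed CSV export and lists users holding SAP_ALL without a documented justification, plus unlocked dialog users with no recent logon. The column names, the justification column and the 90-day threshold are assumptions, not a real SUIM layout.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export; column names are assumptions, not a real SUIM layout.
SAMPLE_EXPORT = """user,user_type,locked,profiles,last_logon,justification
ASMITH,Dialog,no,SAP_ALL,2026-02-27,
FIREFIGHT1,Dialog,yes,SAP_ALL,2025-11-03,Emergency user; usage logged and reviewed
BJONES,Dialog,no,Z_FI_CLERK,2026-03-01,
BATCH_FI,System,no,SAP_ALL;Z_BATCH,,
CDOE,Dialog,no,Z_MM_BUYER,2025-06-15,
"""

# Extend with whatever profiles your authorisation concept treats as equivalent.
CRITICAL_PROFILES = {"SAP_ALL"}


def review_users(export_text, today, stale_days=90, critical=CRITICAL_PROFILES):
    """Return (user, issue) pairs to remediate or document before the audit."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["user"].strip()
        profiles = {p.strip().upper() for p in row["profiles"].split(";") if p.strip()}
        hits = sorted(profiles & critical)
        # A critical profile is acceptable only with a written justification.
        if hits and not row["justification"].strip():
            findings.append(
                (user, "critical profile %s without documented justification" % ",".join(hits))
            )
        # Staleness is only meaningful for unlocked dialog (human) users.
        unlocked = row["locked"].strip().lower() == "no"
        dialog = row["user_type"].strip().lower() == "dialog"
        if unlocked and dialog:
            raw = row["last_logon"].strip()
            if not raw:
                findings.append((user, "never logged on"))
            else:
                age = (today - datetime.strptime(raw, "%Y-%m-%d").date()).days
                if age > stale_days:
                    findings.append((user, "no logon for %d days" % age))
    return findings


if __name__ == "__main__":
    for user, issue in review_users(SAMPLE_EXPORT, date(2026, 3, 10)):
        print("%-12s %s" % (user, issue))
```
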

During the Audit

Designate a single point of contact for the auditor. Answer questions precisely and completely – but do not voluntarily reveal additional problem areas. Deliver requested evidence promptly. Document all discussions and requirements. For unclear questions, ask for clarification rather than speculating.

Conclusion

The best audit preparation is a well-functioning IT operation with clean documentation. If you continuously implement the points described here, every audit becomes routine. Start preparation early and use the self-assessment as a quality check.


Stefan Hupp
Managing Director

20+ years of experience in SAP Security, Basis and Authorisations. Pragmatic solutions for complex system landscapes – documented, audit-ready and AI-powered.
