The basic principles of auditing SAP systems

Espresso Tutorials

Fabian Bentz

Excerpt from Practical Guide to Auditing SAP Systems by Sebastian Mayer and Martin Metz.

Tens of millions of people around the world use SAP systems. Why? One apparent reason is that a lot of companies find it challenging to manage their business using hundreds or thousands of different systems.

Once you separate the material and value flow of the factories in different systems, for example, it might be difficult to bring them back together and align them with each other. The higher the number of relevant systems with subsets of the required data that exist within a company, the more cumbersome a month-end or year-end process becomes.
Having separate sales, production, or accounting processes can quickly lead to inconsistencies and difficulties—a factor that motivates companies to invest in highly integrated systems instead.

This is where SAP comes into play: it offers an integrated business solution that ties together disparate procurement, sales, production, consolidation, and many other processes. Its market-leading Enterprise Resource Planning (ERP) systems are only one aspect. Other solutions offered by SAP include (; 01/01/2018):

  • ERP (for large, medium, and small enterprises)
  • Cloud and data platforms (e.g., SAP HANA platform, big data)
  • Procurement and networks (e.g., Supplier Management, Strategic Sourcing)
  • Analytics (e.g., Business Intelligence, Predictive Analytics)
  • Customer engagement and commerce (e.g., Sales, Marketing)
  • IoT and the digital supply chain (e.g., Manufacturing, Asset Management)
  • Human resources (e.g., Core HR and Payroll, Time and Attendance Management)
  • Finance (e.g., GRC, Financial Planning, Treasury Management)

SAP is most famous for its Enterprise Resource Planning solutions. Its market share within the ERP market has declined in recent years, but SAP still holds the top position with an estimated 19% of the entire market. According to the data available, SAP achieves the highest customer satisfaction by realizing more than 50% of the business benefits anticipated in an implementation. Every time a company requires an ERP solution, it is very likely that SAP will be shortlisted. Once SAP is shortlisted, the likelihood of being finally selected for the job is even higher (


As mentioned above, SAP offers far more than only ERP solutions. To support a company’s customer management and communication, the use of customer data, and other aspects, the CRM market evolved with an estimated volume of roughly $30 billion ( The big shot here is Salesforce. However, SAP holds a leading position even in this market and is a top player with a market share of around 5% (

By 2020, the global market for HR solutions will eventually reach more than $9 billion. HR solutions range from core administrative and payroll solutions to learning platforms, benefits administration, compensation, and much more. With its HR solutions, SAP became one of the market leaders and ranked first in 2015 with an overall market share of 14% (https://

Data is essential to support business decisions and optimize processes. Within the rapidly growing business analytics market, top players offer data mining solutions, statistical analyses, as well as predictive analytics. In 2015, SAP was one of the market leaders in this field (https://www., with the highest year-to-year growth rate (

SAP has also become a leader in many more business areas. According to Gartner, SAP became a market leader in the combined enterprise information management tools market in 2016, offering solutions such as master data management and data quality, as well as data integration solutions (

As you can see, SAP ranks top in a myriad of markets and tool classes. It has significant business relevance in terms of market share and usage.

There are SAP landscapes that use more than 1,000 systems, or immense single implementations with hundreds of thousands of employees. Companies rely on SAP for their most essential business processes. Switching costs in the field of ERP are enormous.

Furthermore, the more comprehensive a solution is, and the more widely it is used, the more difficult it becomes to switch. For this reason, even in cases where SAP implementations might not be best-of-breed anymore, high switching costs may cause companies to be locked in to SAP (the same applies for other ERP vendors as well).
However, SAP tools, especially the ERP software, are in fact among the most relevant systems in a lot of companies. The more than 365,000 customers of SAP include 87% of the Forbes 2000, 98% of the 100 most valued brands, and 100% of the Dow Jones top-scoring sustainability companies (see

An SAP system is the centerpiece of a company’s IT landscape; in most cases, disrupting it would have a devastating business impact. Efficient system operation and a stable security posture are therefore crucial to achieving business targets and ensuring the welfare of the company.


What do I need to do to successfully complete an SAP system audit? Get expert guidance on the top 12 controls that should be included in your audit activities, including accounts and authorizations, the changeability settings of tables, clients, and entire systems, change logs, and security configuration settings. Written with SAP administrators and security consultants in mind, this book expertly answers these questions and explores the techniques needed to quickly determine the high-level security status of an SAP system. Walk through a standard control framework you can use to improve and strengthen the security position of your SAP system. Get an overview of the impact of SAP HANA, mobile, and cloud on SAP audits.

  • Basic principles of the audit function
  • Common SAP system audit issues
  • SAP tools and functionality auditors can use, including pre-defined reports
  • Top 12 controls that should be included in your audit activities

Author Martin Metz is a Cyber Security Evangelist at Accenture who helps clients to increase their security posture. Martin’s expertise includes cyber security strategy and governance, as well as cyber assessments. He has led multiple security programs and integrated SAP security, privileged access management, and multi-factor authentication solutions.

Author Sebastian Mayer is an associate director within the IT Internal Audit solution at Protiviti Germany with extensive experience in SAP consulting, IT audit, IT internal control systems, and information security. He has been employed at Protiviti since 2014 after gaining experience as an SAP consultant at T-Systems and CGI.