30 Real SAP GRC Audit Findings - SAP SECURITY




In organizations using SAP GRC Access Control, internal and external auditors regularly review access management processes to verify compliance and prevent fraud. During these audits, a number of security gaps and control weaknesses are repeatedly identified in SAP ERP systems.

Below are 30 real SAP GRC audit findings, with examples and remediation steps, that SAP Security consultants frequently encounter in live projects.


1. Excessive Firefighter Access

Finding:
Too many users assigned to firefighter IDs.

Example:
10 users assigned to one firefighter ID.

Risk:
Difficult to trace accountability.

Fix:
Assign dedicated firefighter IDs or restrict assignments.


2. Firefighter Logs Not Reviewed

Finding:
Controllers are not reviewing emergency access logs.

Example:
Logs pending review for 3 months.

Risk:
Unauthorized activities may go unnoticed.

Fix:
Implement mandatory controller review workflow.


3. SoD Conflicts Not Mitigated

Finding:
Users have unresolved Segregation of Duties conflicts.

Example:
User can create vendor and process vendor payments.

Risk:
Potential fraud.

Fix:
Remove conflicting roles or assign mitigation controls.


4. Expired Mitigation Controls

Finding:
Mitigation controls assigned but validity expired.

Example:
Mitigation valid until 2024 but still used in 2025.

Fix:
Update mitigation validity dates.


5. Inactive Users Still Assigned Roles

Finding:
Users inactive for months still have active roles.

Example:
Employee left company but SAP account active.

Fix:
Disable or delete user accounts.


6. Excessive SAP_ALL Access

Finding:
Too many users assigned SAP_ALL profile.

Example:
Multiple consultants have unrestricted access.

Risk:
Full system control.

Fix:
Restrict SAP_ALL to temporary emergency use.


7. Missing Role Ownership

Finding:
Roles do not have defined owners.

Example:
Audit cannot identify who approves access to role.

Fix:
Assign role owners in GRC.


8. Access Request Without Proper Approval

Finding:
Roles assigned without workflow approval.

Example:
Manual role assignment done in PFCG.

Fix:
Enforce access provisioning through GRC workflow.


9. Weak Password Policies

Finding:
Password settings not aligned with security standards.

Example:
Passwords do not expire frequently.

Fix:
Implement strong password policies.


10. Generic User Accounts Active

Finding:
Generic users like ADMIN or TEST used for multiple purposes.

Risk:
Accountability cannot be tracked.

Fix:
Disable generic accounts or restrict usage.


11. Excessive Role Assignments

Finding:
Users assigned too many roles.

Example:
User with 40+ roles.

Risk:
Increased SoD conflicts.

Fix:
Review and remove unnecessary roles.


12. Unauthorized Table Access

Finding:
Users have unrestricted table access.

Example:
Authorization object S_TABU_DIS with full access.

Fix:
Restrict table access based on business needs.


13. Missing User Access Reviews

Finding:
Periodic access review not performed.

Example:
No quarterly user access validation.

Fix:
Implement regular access certification process.


14. Critical Transactions Assigned Without Control

Finding:
Transactions like SE16 or SU01 widely assigned.

Risk:
Unauthorized data changes.

Fix:
Restrict critical transactions.


15. Firefighter Access Used for Daily Work

Finding:
Users regularly log in using emergency access.

Example:
Firefighter used for routine configuration changes.

Fix:
Provide proper roles instead.


16. Role Design Violates Least Privilege Principle

Finding:
Roles provide more access than required.

Example:
Finance clerk role includes configuration access.

Fix:
Redesign roles with minimum permissions.


17. Workflow Not Enforced for Role Changes

Finding:
Role modifications done directly in production.

Fix:
Use change management process.


18. Role Validity Not Maintained

Finding:
Roles assigned without expiration dates.

Fix:
Maintain role validity periods.


19. Critical Authorizations in End User Roles

Finding:
Authorization objects like S_USER_AGR assigned to end users.

Risk:
Users can modify roles.

Fix:
Restrict to security administrators.


20. No Monitoring of Sensitive Transactions

Finding:
Critical transactions not monitored.

Example:
No logs for SU01 changes.

Fix:
Enable security audit logs.


21. Incomplete Risk Rule Set

Finding:
SoD rule set not updated.

Example:
New transactions not included in risk analysis.

Fix:
Update GRC rule set regularly.


22. Access Request Workflow Misconfiguration

Finding:
Requests bypass required approval stages.

Fix:
Correct MSMP workflow configuration.


23. Users Assigned Conflicting Roles

Example:

Role A – Vendor creation
Role B – Vendor payment

Risk:
Fraud risk.

Fix:
Separate duties.
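The three findings above that concern SoD (3, 4 and 23) come down to one check: does a user hold transactions from both sides of a conflicting function pair, and if so, is a mitigation control assigned and still valid? The script below is an added illustration, not GRC's own risk analysis engine or any code from this page; the role names, user IDs, rule ID and dates are constructed, while the transaction codes (FK01, FK02, FK03, XK01, F110, F-53) are standard SAP AP transactions. It also reports transactions that no rule covers, which is the gap behind finding 21.

```python
from datetime import date

# Constructed sample data: which transactions each role grants (role names are invented).
ROLE_TCODES = {
    "Z_AP_VENDOR_MAINT": {"FK01", "FK02"},  # vendor master create/change
    "Z_AP_PAYMENT_RUN": {"F110"},          # automatic payment run
    "Z_AP_DISPLAY": {"FK03"},              # vendor master display only
}

# Constructed rule set: risk ID -> (function A transactions, function B transactions).
SOD_RULES = {
    "P001_VENDOR_CREATE_VS_PAY": ({"FK01", "FK02", "XK01"}, {"F110", "F-53"}),
}

# Constructed user-role assignments.
USER_ROLES = {
    "JDOE": {"Z_AP_VENDOR_MAINT", "Z_AP_PAYMENT_RUN"},  # holds both sides of P001
    "ASMITH": {"Z_AP_DISPLAY", "Z_AP_PAYMENT_RUN"},     # display only, no conflict
}

# Constructed mitigation controls: user -> risk ID -> valid-to date (finding 4: expiry matters).
MITIGATIONS = {
    "JDOE": {"P001_VENDOR_CREATE_VS_PAY": date(2024, 12, 31)},
}


def user_tcodes(user):
    """Union of all transactions granted to a user through their roles."""
    tcodes = set()
    for role in USER_ROLES.get(user, ()):
        tcodes |= ROLE_TCODES.get(role, set())
    return tcodes


def analyze_user(user, as_of):
    """Return {risk_id: 'OPEN' | 'MITIGATED' | 'EXPIRED_MITIGATION'} for every violated rule."""
    tcodes = user_tcodes(user)
    result = {}
    for risk_id, (func_a, func_b) in SOD_RULES.items():
        if tcodes & func_a and tcodes & func_b:  # both conflicting functions reachable
            valid_to = MITIGATIONS.get(user, {}).get(risk_id)
            if valid_to is None:
                result[risk_id] = "OPEN"
            elif valid_to < as_of:
                result[risk_id] = "EXPIRED_MITIGATION"  # finding 4: control no longer valid
            else:
                result[risk_id] = "MITIGATED"
    return result


def tcodes_not_in_ruleset():
    """Finding 21: transactions granted by roles but absent from every rule, so risk analysis cannot see them."""
    ruled = set().union(*(a | b for a, b in SOD_RULES.values()))
    granted = set().union(*ROLE_TCODES.values())
    return granted - ruled
```

Running analyze_user for every user in USER_ROLES on the audit date gives the open, expired and mitigated conflicts an auditor would list under findings 3, 4 and 23.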


24. Background Users With Excessive Privileges

Finding:
System users have unnecessary authorizations.

Fix:
Restrict privileges.


25. Test Users Active in Production

Finding:
Test accounts not removed.

Fix:
Disable unused accounts.


26. Transport Management Access Uncontrolled

Finding:
Developers have unrestricted transport access.

Fix:
Restrict transport permissions.


27. Missing Logging for Critical Activities

Finding:
No monitoring of sensitive system changes.

Fix:
Enable system logging.


28. Emergency Access Not Time Restricted

Finding:
Firefighter access available indefinitely.

Fix:
Limit validity period.


29. Role Documentation Missing

Finding:
No documentation explaining role purpose.

Fix:
Maintain role description and documentation.


30. Inconsistent Risk Analysis Reports

Finding:
Risk analysis reports outdated.

Example:
Repository sync not executed.

Fix:
Run synchronization jobs regularly.


Conclusion

Audits in SAP GRC Access Control environments focus on ensuring strong internal controls and preventing fraud in SAP ERP systems. Most audit findings arise due to:

  • Poor role design

  • Lack of access reviews

  • Misuse of emergency access

  • Unresolved SoD conflicts

By proactively monitoring these areas, SAP Security consultants can maintain a secure, compliant, and audit-ready SAP environment.
