Automating SAP Audits with Solution Manager
According to IDC, 80% of ERP applications are audited at least once every 12 months. Driven by regulatory requirements, audits can drain valuable resources from projects targeted at business growth. They can also lead to audit fatigue and undermine relationships between IT and audit stakeholders.
Compliance Reporting in SAP Solution Manager enables organizations to automate audits for SAP systems and reallocate resources to projects and audits focused on other organizational goals. The continuous monitoring powered by the application also enables auditors to identify compliance gaps immediately rather than at the end of a reporting period. This can reduce regulatory risk by providing owners with more time to remediate control gaps.
Compliance Reporting is accessed from the Fiori launchpad in SAP Solution Manager. Results are automatically updated by daily scheduled scans.
Compliance frameworks and systems are selected in the report filter. There are optional filters to select specific control requirements and systems based on environment or priority. Reports can also be filtered to include or exclude controls based on risk rating and compliance result.
Compliance Reporting currently supports the CIS, IT-SOX, NIST and PCI-DSS frameworks. Support for additional frameworks, including GDPR and NERC CIP, is expected at the end of Q2 2020. Customers can import custom frameworks to automate auditing for internal security policies and other requirements.
Results for applications and databases are reported in separate columns. The report provides an overall compliance score based on the selected framework and systems. Results are summarized for each requirement.
Users can drill down into each requirement to review the results for specific controls. Control ratings and descriptions are included in the report to support analysis.
Reports can be exported to CSV or PDF. The Report Detail option specifies whether results are exported at the Requirement, Control or Description level.