Trigger & Background
Ironic as it is, the quote above does carry some truth. For every larger and/or publicly listed company, an annual audit is mandatory. This audit is required to validate correctness of the annual financial statements, but these days also covers the IT systems used to prepare the financial statement.
SAP’s S/4HANA solution – and its predecessors ECC and R/3 – is used by many companies, and specific guidelines for auditing those systems have therefore evolved over the years. However, audit activities designed for SAP’s R/3 / ECC systems often do not apply to S/4HANA Cloud, because customers and auditors only have restricted access there. More generally speaking, SAP S/4HANA Cloud, public edition, is a “Software as a Service” solution and therefore works significantly differently from the previous ECC / R/3 systems.
As SAP has announced that it will end support and maintenance for SAP ERP ECC / R/3 systems from 2027 onwards, many companies are currently in the process of migrating to SAP S/4HANA. Since this includes instances of SAP S/4HANA Cloud, public edition, we decided to create this series of blog posts, which details the differences between auditing an SAP S/4HANA Cloud, public edition, system and auditing an SAP S/4HANA on-premise system.
The project
In order to identify the differences in auditing SAP S/4HANA on premise versus SAP S/4HANA Cloud, public edition, Deloitte and SAP conducted a “dry run” audit of SAP S/4HANA Cloud, public edition, and compared it with an existing on-premise system audit. The findings we generated from this project were summarized and presented to our development organization. More importantly, however, these findings are the basis of this blog series.
Objective
The objective of this blog post series is to explain, in a comprehensible and concise manner, the changes in the IT audit procedures performed as part of the annual year-end audit in the SAP S/4HANA[1] environment. For this purpose, new features, functions and reports of S/4HANA Cloud, public edition, are compared to existing ones in the SAP ERP ECC system (version 6.0), and best-practice recommendations for IT audits are derived. The blog posts therefore describe the existing IT General Controls (ITGC)-related system functionalities, especially in access security and change management, as well as the system’s configuration and its security-by-default settings. One note: while this series focuses on SAP S/4HANA Cloud, public edition, some of the findings also apply to SAP S/4HANA Cloud, private edition, since for both solutions the responsibilities partly shift from the customer to SAP as the cloud provider.
Who we are
This project was conducted by:
Matthias Ems (SAP) – Business Information Security Officer SAP S/4HANA and Chief Security Product Owner S/4HANA
With more than 20 years of experience in SAP Security, Auditing and Compliance, Matthias leads a team of security experts responsible for Cloud Operations Security, Secure Development, Data Protection & Privacy, and Security Attestation & Certification.

Florian Eller (SAP) – Product Management SAP S/4HANA Security
Florian has more than 15 years of experience working at SAP. For the past 8 years, his focus has been on application security.

Björn Brencher (SAP) – Chief Product Security Architect SAP S/4HANA
Björn has been working in the field of SAP security for more than two decades, with additional experience in SAP implementation and IT auditing.

Patrick Boch (SAP) – Product Management SAP S/4HANA Security
Patrick has 20 years of experience working with SAP, with a focus on SAP security for over a decade.

Heiko Jacob (Deloitte) – Partner Risk Advisory (IT & Specialized Assurance)
Heiko Jacob has more than 20 years of experience in the field of IT auditing and IT consulting, both in industry and with financial service providers.

Christina Köhler (Deloitte) – Senior Manager Risk Advisory (IT & Specialized Assurance)
Christina Köhler has more than 5 years of professional experience in the field of IT auditing and IT consulting, both in industry and with financial service providers.
To read all upcoming posts in this series, please follow the “S4HANACloud audit” tag we’ve created for this purpose.