SAP General Computer Controls

Summary

Critical to any organization’s SAP control environment are SAP General Computer Controls and ensuring that they are properly designed, tested, and monitored. Our SAP Audit resources are experienced in not only performing the generic activities related to GCC, but also have the skills and knowledge related to the specific complexities associated with SAP General Computer Controls. If an organization’s GCC’s are not operating effectively auditors may determine they cannot rely on your application and other key controls. Our SAP General Computer Controls services are designed to ensure this does not happen to your organization. Winterhawk’s review and testing services are targeted at:

  • Verifying the adequacy of key SAP policies and procedures,
  • Verifying the adequacy of back-up policies and procedures,
  • Verifying the adequacy of operating system and database security,
  • Ensuring controls associated with the Basis layer are properly configured, and
  • Verifying the appropriateness of activities occurring in the SAP environment that impact GCC

 Approach

Winterhawk uses a three phase approach to ensure that the SAP General Computer Controls are properly designed, tested, and monitored. Click on each tab for details:

Winterhawk SAP Audit resources leverage our methodologies to perform comprehensive SAP GCC design reviews and deliver a comprehensive report to management documenting the adequacy of the overall design, highlighting deficiencies, and providing actionable remediation recommendations.

To test the SAP GCC controls and the appropriateness of key data changes we leverage our scripting tool to ensure that key parameters and settings are correctly defined, sensitive administrative access is granted correctly, and data changes are appropriate. Some of the issues our scripting tool identifies are:

  • unauthorized/untested changes in SAP production systems,
  • inappropriate profile parameter settings,
  • inappropriate table logging settings,
  • incorrect implementation of administration/ownership policies,
  • inappropriate changes to system and client settings,
  • inappropriate access to high risk Basis transactions and authorization objects, and
  • improperly secured system ids.

In order to assist organizations with monitoring their SAP GCCs, Winterhawk can deploy our SAP GCC scripting tool or assist an organization with implementing the functionality within SAP GRC that focuses on monitoring general computing controls.

For additional informaiton

Get in touch for SAP General Computer Control Reviews and Testing

E-mail us!