How to audit SAP S/4HANA Cloud

source link: https://blogs.sap.com/2022/10/11/how-to-audit-sap-s-4hana-cloud/
October 11, 2022

Two-thirds of the Earth’s surface is covered with water. The other third is covered with auditors from headquarters.

Norman Ralph Augustine

Trigger & Background

Ironic as it is, the quote above does carry some truth. For every large and/or publicly listed company, an annual audit is mandatory. This audit is required to validate the correctness of the annual financial statements, but these days it also covers the IT systems used to prepare them.

SAP’s S/4HANA solution – and its predecessors ECC and R/3 – is used by many companies, and specific guidelines for auditing those systems have therefore evolved over time. However, audit activities conducted in SAP’s R/3 / ECC system often do not apply to S/4HANA Cloud, as customers and auditors only have restricted access. More generally speaking, SAP S/4HANA Cloud is a “Software as a Service” solution and therefore works significantly differently from the previous ECC / R/3 system.

As SAP has announced that it will end support and maintenance for SAP ERP ECC / R/3 systems from 2027 onwards, many companies are currently in the process of migrating to SAP S/4HANA. As this includes instances of SAP S/4HANA Cloud, we decided to create this series of blog posts, which details the differences between auditing an SAP S/4HANA Cloud system and an SAP S/4HANA system on premise.

Objective

The objective of this blog post series is to explain changes in the IT audit procedures as part of the annual year-end audit in the SAP S/4HANA[1] environment in a comprehensible and concise manner. For this purpose, new features, functions and reports of S/4HANA Cloud are compared to existing ones in the SAP ERP ECC system (version 6.0), and best practice recommendations for IT audits are derived. The blog posts therefore describe the existing IT General Controls (ITGC)-related system functionalities, especially in access security and change management. Furthermore, they describe the system’s configuration as well as its security-by-default settings.

Who we are

This blog is written by:

Matthias Ems (SAP) – Business Information Security Officer SAP S/4HANA

Florian Eller (SAP) – Product Management SAP S/4HANA Security

Björn Brencher (SAP) – Chief Product Security Architect SAP S/4HANA

Björn has been working in the field of SAP security for more than 2 decades, with additional experience in SAP implementation and IT auditing.

Patrick Boch (SAP) – Product Management SAP S/4HANA Security

Patrick has 20 years of experience working with SAP, with a focus on SAP security for over a decade.

Heiko Jacob (Deloitte) – Partner Risk Advisory (IT & Specialized Assurance)

Heiko Jacob has more than 20 years of experience in the field of IT auditing and IT consulting, both in industry and with financial service providers.

Christina Köhler (Deloitte) – Manager Risk Advisory (IT & Specialized Assurance)

Christina Köhler has more than 5 years of professional experience in the field of IT auditing and IT consulting, both in industry and with financial service providers.

Blog Structure

The chapters are published regularly in the following structure and order (when available, chapters will be linked to the respective blog post):

1. Introduction

     1.1. Legal and Regulatory Requirements – Local GAAP

     1.2. SAP S/4HANA System

     1.3. What’s different (SAP S/4HANA onPremise / SAP ERP / SAP ECC vs. S/4HANA Cloud)

     1.4. Cloud Responsibilities & Controls

2. Secure by Default

3. Access Management

4. Operations Management

5. Change Management

6. Consideration of Service Organization Controls Report

7. Further Guidance Provided by SAP

