Srini P,July 14, 2026 3
FREE – Anyone can read

Common SAP Security Audit Findings and How to Fix Them

📌 Key Takeaways

  • Most SAP Security audit findings stem from weak governance rather than missing security tools or technologies.
  • Excessive privileged access, Segregation of Duties (SoD) conflicts, dormant user accounts, and poor role design remain the most frequently reported SAP Security audit findings.
  • Regular user access reviews, privileged access monitoring, and periodic role reviews significantly reduce compliance issues and improve audit readiness.
  • Automating SAP Security activities such as dormant user detection, access reviews, SoD analysis, and audit reporting improves operational efficiency while reducing human error.
  • Continuous monitoring using SAP Security Audit Log (SAL), SAP Enterprise Threat Detection (ETD), SAP Security Analyzer, or enterprise SIEM platforms enables earlier detection of suspicious activities and potential security incidents.
  • Organizations that integrate SAP Security into daily operations through continuous governance and monitoring consistently perform better during internal and external audits than those relying on last-minute remediation.

If you've participated in a few SAP security audits, you've probably noticed a pattern. The findings may come from different auditors, but many of the observations are surprisingly similar.

Whether the audit is performed by an internal audit team, external auditors, SOX compliance specialists, or regulatory agencies, the same observations continue to appear year after year. Excessive privileges, Segregation of Duties conflicts, dormant user accounts, over-privileged roles, and missing access reviews are among the most common issues identified across SAP landscapes.

In my experience working with SAP customers across manufacturing, banking, retail, healthcare, oil & gas, and the public sector for more than two decades, one thing has become clear to me: most organizations don't struggle because they lack security tools. They struggle because the controls they implemented years ago gradually become less effective as the business evolves.

Most organizations already have security policies, documented procedures, and often SAP GRC or other governance solutions in place. The challenge isn't the absence of controls - it's ensuring those controls continue to operate effectively as the business evolves.

Understanding why auditors repeatedly identify these issues is the first step toward building a mature SAP security program.

Why Do SAP Security Audit Findings Keep Reappearing?

One misconception I hear quite often is that an audit finding automatically means the SAP environment is insecure. That’s rarely the case.

In my experience, most audit findings simply indicate that a security control is missing, isn't operating consistently, or no longer reflects how the business works.

Often, recurring audit findings point to governance gaps rather than technical shortcomings.

For example, assigning SAP_ALL to a consultant during an implementation or go-live project is often completely justified. The issue begins when that temporary access quietly becomes permanent because nobody revisits it after the project ends. 

Similarly, a SoD conflict isn’t always evidence of fraud. It often reflects business growth, organizational restructuring, or emergency operational decisions that were never revisited.

Auditors focus on these areas because they directly influence the confidentiality, integrity, and availability of business data while increasing the organization’s exposure to fraud, financial misstatement, and cyber threats.

Let’s look at the findings that appear most frequently and more importantly, how to address them effectively.

1. Excessive Privileged Access

One of the very first requests in almost every SAP security audit is a list of users who have been granted SAP_ALL, SAP_NEW, or other highly privileged roles. Auditors start here because these users can potentially bypass many of the preventive controls built into SAP.

From an auditor’s perspective, unrestricted access represents a significant risk because it allows users to bypass many preventive controls built into SAP.

I can't count the number of SAP systems where I've found consultants still holding SAP_ALL months after the go-live. Nobody intended to leave that access in place. It simply became one of those things everyone assumed someone else had already cleaned up.

Instead of immediately removing privileged access, organizations should first understand how it is being used. Reviewing transaction usage, redesigning roles based on actual business responsibilities, and replacing permanent administrative access with controlled emergency access processes significantly reduces both operational disruption and audit risk.

The objective isn't to eliminate privileged access altogether. It's to ensure that every privileged assignment is justified, approved, periodically reviewed, and removed when it's no longer required.

2. Segregation of Duties Conflicts

Ask any SAP auditor what they look for first, and Segregation of Duties will almost always be near the top of the list. There's a good reason for that.

Consider a user who can create a vendor, modify bank account details, and process vendor payments. Individually, each authorization may be legitimate. Combined, they create an opportunity for fraudulent payments without independent oversight.

In practice, many SoD conflicts arise unintentionally. Organizations merge departments, employees take on temporary responsibilities, or copied roles introduce unexpected combinations of access.

Generating a SoD report once a year may satisfy a compliance requirement, but it rarely provides effective risk management.

Organizations with mature SAP security programs review SoD risks continuously, validate whether the conflicts are genuinely required, and implement mitigation controls only when removing the access isn't practical.

3. Poor Role Design

Many audit findings originate long before the audit begins - during role design.

I've worked with organizations managing thousands of custom roles that had evolved over more than a decade. Many of those roles had been copied repeatedly, modified by different teams, and never properly reviewed.

Over time, this creates excessive access, duplicate roles, inconsistent authorization values, and an authorization landscape that becomes increasingly difficult to understand or maintain.

Good role design isn't about creating the highest number of roles or having a master/derived design. It's about creating roles that accurately reflect business responsibilities while remaining simple enough to maintain over time.

Periodic role optimization, reviewing SU24 proposals, removing obsolete transactions, and standardizing naming conventions can significantly improve both security and administration.

A well-designed authorization concept also makes future audits much easier because access decisions become easier to explain and justify.

4. Dormant and Orphaned User Accounts

This is one of the easiest audit findings to prevent, yet it continues to appear in organizations of every size.

  • Employees resign.
  • Contractors complete projects.
  • Temporary consultants leave.
Yet their SAP accounts often remain active for months.

In one customer environment, we discovered over 300 users who hadn't logged in for more than a year. None of them had been compromised - but if even one credential had leaked, an attacker would have had access that nobody was actively monitoring.

Organizations should establish automated processes to identify users who have not logged into SAP within a defined period and review whether continued access is justified. Integrating SAP identity management with HR processes further reduces the likelihood of orphaned accounts remaining active after employee termination.

As a general principle, user access should never outlive the business requirement that justified it in the first place.

💡 Consultant's Note

Consider implementing an SAP Security Analyzer ABAP program to automatically identify dormant user accounts that have never logged in or have remained inactive for more than 90 days. The solution can send automated email notifications, allowing users five days to reactivate their accounts before any action is taken.

If no login activity is detected during the notification period, a scheduled background job can automatically lock the accounts. This approach helps organizations reduce the risk of unauthorized access, strengthen SAP Security governance, improve audit compliance, and significantly minimize manual user administration efforts.

5. Critical Authorization Objects Without Justification

Not every security risk comes from SAP_ALL.

Authorization objects in groups - S_TABU*, S_USER*, S_PROGRAM, S_RFC*, and S_DEVELOP provide powerful capabilities that can significantly affect system security.

During audits, it's common to find these authorization objects assigned to users simply because they inherited an existing role or someone copied another role without reviewing its contents.

Instead of focusing only on role names, organizations should periodically review critical authorization objects directly and validate whether each assignment continues to support legitimate business activities.

Least privilege should apply not only to roles but also to individual authorization values.

6. Missing Periodic User Access Reviews

Business responsibilities change constantly. Access that was appropriate a year ago may no longer reflect the user's current responsibilities.

This is why User Access Reviews have become a standard governance practice across many industries.

Unfortunately, many organizations still rely on spreadsheets and email approvals, making reviews time-consuming, inconsistent, and difficult to audit.

An effective access review should give business owners enough information to make an informed decision rather than asking them to approve access blindly.

For example, reviewers benefit from seeing transaction usage, last login date, licensing information, business ownership, SoD conflicts, and critical authorizations before making a decision.

When reviews become evidence-based rather than checkbox exercises, both security and compliance improve significantly.

7. Weak Logging and Security Monitoring

Enabling SAP Security Audit Logs (SAL) is only the beginning. During almost every audit, one question eventually comes up:

“Who reviews the logs?”

If security events are collected but never monitored, the organization may not detect suspicious activities until long after an incident has occurred.

Organizations should define which events require monitoring, establish ownership for reviewing alerts, integrate SAP logs with enterprise SIEM platforms where appropriate, and periodically verify that logging remains enabled after upgrades or system changes.

Logging is valuable only when someone is actively reviewing and responding to what the logs reveal.

💡 Consultant's Note

During one of my SAP Security engagements, a client had implemented SAP Enterprise Threat Detection (ETD) to collect and correlate security events from multiple SAP systems in real time. Rather than relying solely on periodic reviews of the SAP Security Audit Log (SAL), ETD continuously analyzed high-risk activities such as repeated failed logon attempts, privilege escalations, emergency access usage, suspicious RFC communications, and other anomalous user behavior.

This continuous monitoring approach enabled the security team to detect suspicious activities much earlier, prioritize investigations, and respond to potential threats before they developed into security incidents. The result was improved visibility across the SAP landscape and a more proactive security posture.

Recommendation: If your organization operates a large SAP environment or must comply with regulations such as SOX, GDPR, or industry-specific security standards, consider integrating SAP Security Audit Logs with SAP Enterprise Threat Detection (ETD), SAP Security Analyzer, or an enterprise SIEM platform. Continuous monitoring and automated threat detection can significantly improve audit readiness, accelerate incident response, and reduce the risk of unauthorized access.

Moving Beyond Audit Compliance

One observation I've made over the years is that organizations with the fewest audit findings usually aren't the ones spending weeks preparing before an audit. They're the ones that treat SAP security as an ongoing business process rather than an annual compliance exercise. Because governance happens continuously, they're already prepared when the auditors arrive.

  • They regularly review privileged access.
  • They optimize roles instead of continuously adding new ones.
  • They automate access reviews.
  • They monitor critical activities rather than waiting for annual assessments.

More importantly, security activities become part of normal operations instead of something that's only revisited before an audit.

When governance becomes part of day-to-day operations, audit findings naturally decrease because the underlying risks are addressed continuously rather than retrospectively.

Final Thoughts

None of the audit findings discussed in this article are new. Most SAP security professionals have encountered them repeatedly over the years. The difference is that mature organizations address these risks continuously instead of waiting until they're highlighted in an audit report.

They are well understood, predictable, and, in most cases, entirely preventable.

While every organization has unique business processes, the underlying principles remain consistent: provide only the access users genuinely need, review that access regularly, monitor privileged activities, and continuously improve authorization design as the business evolves.

In my experience, passing an audit should be viewed as a milestone - not the ultimate objective. Strong SAP security is built through consistent governance every day, not just during audit season.

The real objective is to build an SAP environment where security controls operate consistently every day, regardless of whether an audit is scheduled.

Organizations that adopt this mindset don't just perform better during audits - they build a stronger, more resilient SAP security program that reduces operational risk, strengthens regulatory compliance, and increases confidence in the integrity of their SAP landscape.

Frequently Asked Questions

What are the most common SAP Security audit findings?

<p>The most common findings include excessive privileged access, Segregation of Duties conflicts, poor role design, dormant user accounts, critical authorization assignments, missing access reviews, and inadequate security monitoring.</p>

Is SAP Security Analyzer a standard SAP tool?

<p>No. There is no standard SAP solution or SAP-delivered product called SAP Security Analyzer. The recommendation in this article refers to a custom, in-house ABAP solution designed to automate common SAP security administration and monitoring activities. You can name the solution according to your organization's internal naming standards.</p><p>Depending on your organization's requirements, a custom SAP Security Analyzer can include features such as:</p><p></p><ul><li>Identifying dormant or inactive user accounts</li><li>Reporting users with critical authorizations (for example, SAP_ALL, SAP_NEW, or sensitive authorization objects)</li><li>Detecting roles with excessive or broad authorizations</li><li>Identifying users with expired, locked, or unused accounts</li><li>Highlighting Segregation of Duties (SoD) risk indicators</li><li>Monitoring privileged access assignments and emergency access usage</li><li>Generating scheduled security reports and sending automated email notifications</li></ul><span style="font-family:Inter, sans-serif">Most of these reports can be developed using standard SAP tables and authorization data, including AGR* (roles and authorizations), USR* (user master data), TSTC (transaction codes), USOBT* and USOBX* (authorization proposals), along with other standard SAP security tables. Building such a solution can significantly reduce manual effort while helping security teams perform regular health checks and proactively identify potential security risks.</span>

Why do SAP audit findings repeat every year?

<p>Recurring findings are usually caused by weak governance rather than technical limitations. Temporary access becomes permanent, role designs are not maintained, and access reviews are either delayed or performed without sufficient business context.</p>

How can organizations reduce SAP Security audit findings?

<p>Organizations should adopt continuous governance practices, including periodic user access reviews, regular SoD analysis, role optimization, privileged access monitoring, and automated identification of dormant accounts. These proactive measures reduce both audit observations and overall security risk.</p>

Is implementing SAP GRC enough to pass an SAP audit?

<p>No. SAP GRC provides valuable capabilities for access governance, risk analysis, emergency access management, and access certification. However, successful audits also depend on effective governance processes, business ownership, well-designed roles, and ongoing monitoring of security controls.</p>

How often should SAP Security controls be reviewed?

<p>Although review frequency depends on regulatory requirements and business risk, most organizations perform quarterly reviews for privileged access and critical authorizations, while broader access certifications and role reviews are typically conducted every six to twelve months.</p>

Srini P

SAP GRC Team Lead

Srini P is an experienced SAP Security & GRC Advisor and independent consultant with extensive expertise in designing, implementing, and optimizing SAP Security and Governance, Risk, and Compliance (GRC) solutions. He has helped organizations strengthen access governance, regulatory compliance, and security controls across complex SAP landscapes. With a practical, business-focused approach, Srini specializes in SAP authorization design, Segregation of Duties (SoD), user access governance, and security assessments. As a trusted advisor, he works closely with clients to deliver scalable, compliant, and risk-aware SAP security strategies that align with business objectives.

Common SAP Security Audit Findings and How to Fix Them | SAP Security Expert