SAP Solution Manager's features make it a challenging candidate for a system audit and review. Use this matrix to establish your approach to auditing SAP Solution Manager.
Key Concept
Most SAP applications are easy to classify as either transactional or analytical applications, which makes them relatively simple to audit. However, SAP Solution Manager is not as easy to categorize because of its diverse range of capabilities. Knowledge of SAP Solution Manager's various features and a careful approach to its audit is necessary.
Many of the applications that SAP has developed or acquired (e.g., SAP Customer Relationship Management, Integrated Planning in SAP NetWeaver Business Warehouse, or SAP BusinessObjects) lend themselves quite easily to an audit. However, SAP Solution Manager has a diverse range of capabilities, including operational, analytical, control, and project management functionalities. As a result, it can confuse and even flummox auditors. Despite the central position it occupies in an SAP landscape, it often falls outside the scope of an SAP audit. This can lead to some auditable information being missed.
I will provide you with an overview of the features of SAP Solution Manager, a peek into the components of a typical system audit, and an approach to auditing this system.
SAP Solution Manager: An Overview
Initially conceived as the central control and support center in an SAP landscape, SAP Solution Manager 7.0 has evolved to become one of its most critical components. It facilitates the following:
- Solution monitoring: It includes features such as the ability to monitor all systems in a landscape, business process monitoring, SAP EarlyWatch Alerts (EWA), centralized system administration (of all connected systems), and Job Scheduling Management.
- Change Request Management (ChaRM): It helps enterprises manage changes in a holistic way, including changes at the administrative, project management, and logistical levels. The logistical level includes all aspects of change and transport management included in the Change and Transport System (CTS).
- Solution implementation: One of the original purposes of SAP Solution Manager was to facilitate solution and project implementations, maintenance, upgrades, and enhancements. It continues to be effective for this. It provides all the collateral (e.g., methodologies, tools, and templates) needed to roll out solutions. Tools such as Customizing Scout and Customizing Distribution help with the synchronization of customizing activities that take place in different SAP systems.
- Maintenance optimization: Using Maintenance Optimizer, you can plan and expedite, and in some cases automate, a lot of the maintenance work on your SAP systems, such as the application of Support Packages (SPs) and Enhancement Packages (EhPs). Maintenance Optimizer acts as a guide on the dependencies, the installation of dependent objects, and the installation of actual SPs or EhPs.
- Services and support: SAP Solution Manager includes automated service delivery, which a user needs for supporting production systems. It also includes a comprehensive support framework for your enterprise’s SAP operations. This framework provides the ability to create, maintain, and respond to problem tickets either by using Service Desk functionality or the Incident Management Work Center.
- Test management: You can create test plans and test cases and link them to specific business processes. You can also run reports and display worklists that help testers monitor the status of their test cases and take corrective action. SAP Solution Manager provides test management support during all phases of an SAP implementation. The incorporation of standard SAP tools such as Computer Aided Test Tool (CATT) and extended Computer Aided Test Tool (eCATT) into SAP Solution Manager (as part of a comprehensive tool called the Test Workbench) has made this system the hub of all test activities.
- Root Cause Analysis: This is the collection of tools and technologies that aid in troubleshooting a problem or error and providing corrective action. The heterogeneous landscape and high degree of integration that enterprises put together have made problem-solving a complex endeavor. These tools include workload analysis, exception analysis, change analysis, and trace analysis.
Audit Categories
SAP audit reviews generally fall into these five categories of security and integrity:
- Data: This category includes a review of all aspects of data integrity, including maintenance of master data, data ownership, retention and archival, data conversion, data validation, error correction, testing, and back-out procedures. It may also include a review of the integrity of data that is transferred between SAP and non-SAP systems via interfaces.
- Application: Included in this category is a review of areas such as user access, SAP security roles, and the authorizations to ensure segregation of duties (SoD) in SAP roles and profiles, access to sensitive transactions and objects, and relevant documented procedures. This category includes an assessment of the important security and application configuration of each of the business processes that are realized using your SAP system and that, normally, your audit is going to cover.
- Business process: This is a vast area, and depending on the scope of the audit it can cover all or a subset of the major business processes implemented using SAP systems in a particular enterprise, such as purchase-to-pay, order-to-cash, plan-to-make, or acquire-to-retire. The purpose of this review is to ensure that the business processes supported by the configured SAP functional modules have the necessary manual and automated controls to minimize risk.
- Infrastructure: The auditor performs all necessary activities to assess whether there is an adequate level of security commensurate with the roles and responsibilities of the users at the database level, operating system level, and network level. It also reviews areas such as disaster recovery, management of disruptive events (such as system downtime, installation of patches, and bug fixes), and general adherence to the enterprise’s corporate IT procedures and policies.
- Project: This area is broader and less specific than the other categories. Its purpose is to assess the enterprise’s general project management procedures, methodologies, and activities to determine the nature and magnitude of risk to the project. There is a tendency to use a global standard, such as the Project Management Institute (PMI) best practices, as a template for this review. It includes a review of items such as the project charter, project plan, project communications plan, and HR plan.
Auditing Approach to SAP Solution Manager
SAP Solution Manager 7.0 provides tools, technologies, and functionality that make it the central nervous system of your entire SAP system landscape, but in many cases companies only use a few features. In those cases, only those features need to be audited. Therefore, it is important to realize that an audit or review of SAP Solution Manager is more nuanced than that of any other SAP system, given the multitude of components and their diverse functions.
SAP Solution Manager provides a slew of functions and features, so you have to carefully choose areas that are of relevance to the enterprise. Table 1 is a matrix that you can use as a template for putting together your approach to an SAP Solution Manager audit. You can expand or compress the scope of this audit based on the components that are being used. Even within a given component, you can go deeper than suggested because you are not doing a conventional system audit, which is usually performed on a transactional or analytical system.

Table 1: Audit or review matrix for SAP Solution Manager
Anurag Barua
Anurag Barua is an independent SAP advisor. He has 23 years of experience in conceiving, designing, managing, and implementing complex software solutions, including more than 17 years of experience with SAP applications. He has been associated with several SAP implementations in various capacities. His core SAP competencies include FI and Controlling (FI/CO), logistics, SAP BW, SAP BusinessObjects, Enterprise Performance Management, SAP Solution Manager, Governance, Risk, and Compliance (GRC), and project management. He is a frequent speaker at SAPinsider conferences and contributes to several publications. He holds a BS in computer science and an MBA in finance. He is a PMI-certified PMP, a Certified Scrum Master (CSM), and is ITIL V3F certified.
You may contact the author at Anurag.barua@gmail.com.