Sarbanes Oxley Compliance for SAP R/3 Resources
From a regulatory compliance perspective, IT teams have two responsibilities: support enterprise-wide compliance efforts, and ensure that IT itself complies with internal policies and external regulations such as Sarbanes-Oxley (SOX), HIPAA, PCI DSS and FDA regulations. In other words, the IT and SAP teams support the compliance efforts of every department in the company while also ensuring that their own governance, risk management, controls and systems are compliant.
This means IT is second only to the finance department when you assess the day-to-day impact of SOX. Most of the internal compliance effort is focused on the change management controls driven by Section 404, which makes management responsible for implementing and documenting internal controls over financial reporting (in practice including adequate segregation of duties), assessing their effectiveness, and reporting on whether the documented process is actually followed.
For SAP teams, this translates into several specific tasks that must be performed for a compliant process. The first is implementing and documenting compliant software implementation, upgrade and maintenance procedures. Since transports are the mechanism for change in SAP landscapes, the change control processes are focused on transport migration and on the security functions that govern who may create, release and import transports. Every transport action must be recorded in an audit trail that the auditors can verify, and the process must include adequate approvals from both the SAP team and the business process owners.
Everything from how SAP is implemented to how maintenance projects are selected, prioritized, developed and migrated will be put under scrutiny during the audit. The SAP team must not only show that a compliant process is in place; they must also prove that the process is being followed. Proving that the process is being followed typically causes the most problems during the audit and is the area where SAP customers need the most help.
Section 404 is the portion of SOX that affects the SAP team the most. It states only in general terms that management must implement, document, assess and then report on controls; it does not prescribe specific technical controls, so the SAP team has to define and document them itself.
SAPlib provides useful information about Sarbanes-Oxley compliance for SAP R/3; some of the articles below may be useful for your company.