SAP Trust Center
Reasonable Assurance Report (ISAE 3000) on the S/4 HANA Cloud Edition Authorization Role Concept
The scope of this report includes assurance procedures on the design and implementation as well as the effectiveness of the SAP S/4 HANA Cloud Edition 2202 Authorization Role Concept of SAP regarding the development, design and implementation of Business Catalog Roles in order to avoid segregation of duty conflicts.
An external auditor has been engaged to perform assurance procedures as a reasonable assurance engagement in accordance with the International Standard on Assurance Engagements 3000 "Assurance Engagements Other Than Audits or Reviews of Historical Financial Information" (ISAE 3000).
The assurance included the assessment of the role concept structure, covering the following aspects (technical view):
- Naming conventions implemented for Business Catalog Roles
- SAP Role development process
- Rule-compliant definition of S/4 HANA Cloud Edition Business Catalog Roles
- SoD-compliant definition of S/4 HANA Cloud Edition Business Catalog Roles
In order to gain reasonable assurance evidence, the external auditor decided to assess all relevant processes that influence the quality and usage of the roles deployed by SAP to customers. Some of these assurance procedures refer to the technical backend view of the Business Catalogs, called Business Catalog Roles. The technical backend cannot be accessed by SAP customers.
The authorization role change process was inspected as a second step to assess to what extent controls exist to prevent changes that may influence the consistency and existence of critical functionalities, authorization objects or segregation of duties. Therefore, the external auditor inspected the following areas of the role change process:
- SAP Authorization role testing procedures
- SAP Authorization Change Management
The third step included the assessment of the proper implementation of the role concept by SAP in the SAP S/4 HANA Cloud Edition as it is delivered to customers. The assessment of the deployed roles was done through both automated and manual assurance activities. The manual assurance activities included walkthroughs of Fiori Apps newly added to the S/4 HANA Cloud Edition (compared to the previous review) as well as meetings with relevant stakeholders.
The use of this report is restricted. A copy of this report is available to all SAP S/4 HANA Cloud Edition customers with productive systems. This report is also available to prospective customers under a signed non-disclosure agreement. The report may include a qualified opinion.