SAP Trust Center
SAP Enterprise Management System SOC 1 (ISAE 3402) Audit Report 2022 H1
The scope of this SOC 1 report includes SAP Enterprise Management, SAP S/4HANA Cloud, SAP Marketing Cloud, and SAP Integrated Business Planning as offered in the primary data centers in Ashburn (US), Amsterdam, (The Netherlands), Colorado Springs (US), Sydney (Australia), Toronto (Canada), Dubai (UAE), Frankfurt (Germany), Moscow (Russia), Newtown Square (US), Riyadh (Saudi Arabia), St. Leon-Rot (Germany), Shanghai (China), Sterling (US), Tokyo (Japan), Council Bluffs (US), India (Mumbai), Eemshaven (Netherlands), Washington (USA), and Sao Paulo (Brazil).
SAP Product Engineering (PE) department consists of product management, engineering, cloud operations and infrastructure. PE supports teams to consolidate and operate the organization with the objective to be able to respond to changes, challenges and trends in the cloud industry and to customer expectations. The portfolio includes the SAP S/4 HANA Cloud suite, SAP Digital Supply Chain, Small and Mid-Sized Enterprises (SME), and industry solutions as well as cloud offerings. Cross-functions in the Product Engineering (PE) include Architecture, global SAP Labs Network, SAP Knowledge & Education, Globalization Services, and SAP User Experience teams with the responsibility for the overall quality of SAP software products.
SOC 1 reports specifically address service organizations internal control over financial reporting and controls specified by the service provider. The SOC 1 reports are intended solely for the information and use of existing user entities (for ex. Existing customers of the service organization), their financial statement auditors and management of the service organization. SOC 1 reports are prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No.18, a new guidance that the auditors use to conduct a SOC 1 engagement. SOC 1 Type 1 covers management’s description of a service organization’s system and the suitability of the design of controls at a specific point in time, whereas a SOC 1 Type 2 also includes the operating effectiveness of controls for a dedicated period of time.
The use of these reports is restricted. A copy of this report is available for all SAP Enterprise Management System customers who had productive and had financially-relevant systems during the audit period covered by the report.
This version of the report covers the audit period 1. November 2021 to 31. October 2022.