Don’t Know What You Don’t Know: SAP Audit Blind Spots Explained
By Cyril Hauppert & Mark Stanley
“You don’t get caught by what you see coming. It’s the things you don’t know that will trip you up.”
— Mark Stanley, SAP Security Consultant, Pumpkin Consulting
What Makes SAP Security So Tricky?
Let’s be honest: preparing for an SAP audit is rarely at the top of anyone’s list—until it’s too late.
We’ve both been on every side of it: as internal stakeholders, as auditors, as consultants, and now helping clients rapidly identify access risks and prepare in under two weeks. And we can tell you—the real problem isn’t the audit itself.
It’s the blind spots.
You Don’t Know What You Don’t Know
We’ve seen this over and over:
- You think everything is under control because you have GRC.
- You assume your role owners know what’s in their roles.
- You believe last year’s audit prep process still applies.
- You rely on a spreadsheet someone built three years ago that no one wants to touch.
And then… the auditor finds a user in your GRC production system with debug access. Or a critical SoD conflict that’s been technically “mitigated” but never reviewed.
It’s not always negligence—it’s just invisibility.
“I’ve helped clients with great controls and tight security… who still got surprised by an audit finding simply because no one thought to check a log setting.”
— Mark
So, What Are the Most Common Blind Spots?
Here’s our Top 5:
1. Overconfidence in GRC
Most tools will tell you how many violations you have—but they won’t help you prioritize or fix them.
And they definitely won’t tell you which rules are broken, outdated, or poorly built.
“I’ve seen companies with 100,000+ violations because the rule set was copied from a template, never validated.”
2. Hidden Privileges in ‘Safe’ Roles
Even roles labeled “display-only” often have technical access buried inside. Without digging into object-level conditions, you don’t see it.
3. Orphaned Exceptions & Mitigations
Temporary exceptions become permanent. Risk acceptances are never reviewed. Mitigating controls go stale.
“We see exception lists approved years ago… with no traceability, no renewal date, and no owner.”
4. Missing Custom & Fiori Transactions
Custom T-codes and Fiori tiles often don’t make it into rule sets. Which means you’re blind to risks in the transactions actually used in your environment.
5. Time-Based Exposure
Audits look backward. That means if an admin had excessive access for 6 months—even if it’s now removed—you’re still at risk if you can’t prove it wasn’t abused.
That’s where snapshots become essential.
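As an added example (this is not Access Informer’s code, and the role, user, rule-set and snapshot data are constructed), here is how blind spots 2, 4 and 5 can be checked mechanically: inspect roles at the authorization-object level instead of trusting the label, compare the transactions roles actually grant against the transactions a rule set knows about, and diff two access snapshots to surface assignments that existed during the lookback period but are gone today. The SAP object and field names (S_TCODE/TCD, ACTVT, S_DEVELOP/OBJTYPE) are standard; the role names, user IDs and rule ID are invented for the example.

```python
"""Added example, not Access Informer's code: three checks behind the SAP
audit blind spots discussed above. All role, user and rule-set data below is
constructed for illustration."""
from typing import Dict, List, Set, Tuple

# Authorization object conventions used here (standard SAP objects/fields):
#   S_TCODE / TCD              which transactions the role can start
#   ACTVT                      activity: 01 = create, 02 = change, 03 = display
#   S_DEVELOP / OBJTYPE=DEBUG  debugger access
Authorization = Dict[str, Set[str]]      # field -> allowed values
Role = Dict[str, List[Authorization]]    # object -> list of field-value sets
Snapshot = Dict[str, Set[str]]           # user -> roles assigned at that time

# Constructed roles. Z_FI_DISPLAY is labelled "display-only".
CONSTRUCTED_ROLES: Dict[str, Role] = {
    "Z_FI_DISPLAY": {
        "S_TCODE": [{"TCD": {"FB03", "FBL3N", "ZFI_REPORT"}}],
        "F_BKPF_BUK": [{"ACTVT": {"03"}, "BUKRS": {"1000"}}],
        # buried technical access: debugger in a "display" role
        "S_DEVELOP": [{"DEVCLASS": {"*"}, "OBJTYPE": {"DEBUG"},
                       "OBJNAME": {"*"}, "P_GROUP": {"*"}, "ACTVT": {"03"}}],
    },
    "Z_AP_CLERK": {
        "S_TCODE": [{"TCD": {"FB60", "ZAP_PAY"}}],
        "F_BKPF_BUK": [{"ACTVT": {"01", "02", "03"}, "BUKRS": {"1000"}}],
    },
}

# Constructed SoD rule set: rule id -> two conflicting transaction groups.
# Note that neither custom (Z*) transaction appears anywhere in it.
CONSTRUCTED_RULESET: Dict[str, Tuple[Set[str], Set[str]]] = {
    "FI01": ({"FB60", "FB01"}, {"F110"}),
}

# Constructed snapshots of user-role assignments at two points in time.
CONSTRUCTED_SNAPSHOT_JAN: Snapshot = {
    "ADMIN01": {"Z_FI_DISPLAY", "SAP_ALL"},
    "CLERK07": {"Z_AP_CLERK"},
}
CONSTRUCTED_SNAPSHOT_JUL: Snapshot = {
    "ADMIN01": {"Z_FI_DISPLAY"},
    "CLERK07": {"Z_AP_CLERK"},
}


def find_hidden_privileges(role_name: str, role: Role) -> List[str]:
    """Blind spot 2: flag change or technical access a role's label hides.
    Looks at every authorization object, not at the role name."""
    findings: List[str] = []
    for obj, auths in role.items():
        for auth in auths:
            actvt = auth.get("ACTVT", set())
            if obj == "S_DEVELOP" and "DEBUG" in auth.get("OBJTYPE", set()):
                findings.append(
                    f"{role_name}: S_DEVELOP grants debugger access "
                    f"(ACTVT {sorted(actvt)})")
            elif actvt - {"03"}:
                findings.append(
                    f"{role_name}: {obj} allows non-display ACTVT "
                    f"{sorted(actvt - {'03'})}")
    return findings


def uncovered_custom_transactions(
        roles: Dict[str, Role],
        ruleset: Dict[str, Tuple[Set[str], Set[str]]]) -> Set[str]:
    """Blind spot 4: custom (Z*/Y*) transactions granted via S_TCODE that no
    SoD rule references, so violations through them can never be reported."""
    covered: Set[str] = set()
    for left, right in ruleset.values():
        covered |= left | right
    granted: Set[str] = set()
    for role in roles.values():
        for auth in role.get("S_TCODE", []):
            granted |= auth.get("TCD", set())
    return {t for t in granted if t.startswith(("Z", "Y")) and t not in covered}


def snapshot_diff(before: Snapshot, after: Snapshot
                  ) -> Tuple[Set[Tuple[str, str]], Set[Tuple[str, str]]]:
    """Blind spot 5: (added, removed) user-role assignments between two
    snapshots. A removal is the lookback evidence that access existed during
    the audit period even though a current-state review would not show it."""
    def flatten(snap: Snapshot) -> Set[Tuple[str, str]]:
        return {(user, role) for user, roles in snap.items() for role in roles}
    old, new = flatten(before), flatten(after)
    return new - old, old - new


if __name__ == "__main__":
    for name, role in CONSTRUCTED_ROLES.items():
        for line in find_hidden_privileges(name, role):
            print("hidden privilege:", line)
    print("custom T-codes missing from rule set:",
          sorted(uncovered_custom_transactions(CONSTRUCTED_ROLES, CONSTRUCTED_RULESET)))
    added, removed = snapshot_diff(CONSTRUCTED_SNAPSHOT_JAN, CONSTRUCTED_SNAPSHOT_JUL)
    print("assignments removed since January:", sorted(removed))
```

Run as a script it reports the debugger authorization inside the “display” role, the two Z-transactions the rule set has never heard of, and the SAP_ALL assignment ADMIN01 held in January but no longer has; a current-state review alone would miss all three.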
How We Solve This at Access Informer
We’ve designed Access Informer to uncover the unknowns before your auditor does:
- Snapshots show you historical access—critical for audit lookbacks.
- Compliance simulation lets you test role changes in seconds before transporting.
- Rule set diagnostics highlight broken, missing, or unused rules.
- SoD dashboards expose risk by role, user, and condition—not just violations by count.
“This is the first time I’ve seen a tool that doesn’t just throw violations at you—it helps you think.”
— Mark
Advice for CISOs: Don’t Wait for the Memo
By the time the audit memo hits your inbox, it’s too late to fix fundamental problems.
Start now. Do a risk scan. Validate your rule set. Review your dormant accounts. Get visibility.
Because what you don’t know today… becomes your next audit finding.
“The best security teams aren’t the ones with the fewest findings. They’re the ones who know exactly where they stand.”
— Cyril Hauppert
Take Action
✅ Run a snapshot to see what changed since the last audit
✅ Review your top 10 riskiest roles
✅ Test your next role change in simulation