SAP Knowledge Base Article - Public

3032572 - S/4HANA Cloud Reports for Auditors

Symptom

You want to know about auditing related information in S/4HANA Cloud.

Environment

SAP S/4HANA Cloud.

Resolution

Find below how it works on S/4HANA Cloud in relation to OnPremise:

  • Certification and attestations (e.g. SOC1, SOC2): This information can be found in the SAP Trust Center. The Official documentation for S/4HANA Cloud Edition including detailed documentation on S/4HANA Cloud Edition applications can be found here.

  • Overview of the changes made in the system: As part of the S/4HANA Extensibility, customers can customize applications and their UIs, reports, email templates, and form templates (in case applications are marked as extensible). Refer to SAP S/4HANA Cloud Portal Page

    • Product Assistance
    • <select language>
    • Extend and Integrate Your SAP S/4HANA Cloud
    • Extensibility.

Related applications to review the Extensibility can be found S/4HANA Cloud Edition Section "Extensibility" and "Transport Management". For SAP managed transports, please refer to the S/4HANA Cloud Edition SOC reports (e.g. Release & Feature Delivery) in the SAP Trust Center

  • Change documents about user changes (report RSUSR100N) and User overview including last login: In general, authentication of customer users to S/4HANA Cloud Edition is done by a customer specific tenant of SAP Identity Authentication Service (Identity Provider). Customers are in responsibility to maintain the business users in the SAP Identity Authentication Service or connected Customer Identity Providers (IAS in proxy mode). In S/4HANA Cloud Edition, changes to business users can be reviewed in the S/4HANA Cloud Edition Section "Identity and Access Management", e.g. "IAM Information System", "Maintain Business Users -> Display Changes". For SAP managed users, please refer to the S/4HANA Cloud Edition SOC reports (e.g. User Access Management) in the SAP Trust Center.

  • Use of SAP standard users (report RSUSR003): SAP standard users are controlled by SAP. Customers have no possibility to use or adjust SAP standard users. Please refer to the S/4HANA Cloud Edition SOC reports (e.g. SAP Security Policy Framework, Security Configuration Reporting) in the SAP Trust Center.

  • Monitoring of superusers (report RSUSR002 on SAP_ALL- SAP_NEW filtered) and associated protocols (Audit log): In S/4HANA Cloud Edition, activities of customer related users can be reviewed in the S/4HANA Cloud Edition Section "Security", e.g. "Display Security Audit Log". For SAP managed users, please refer to the S/4HANA Cloud Edition SOC reports (e.g. User Access Management, Security Event Management) in the SAP Trust Center.

  • System settings for clients and company codes and overview of certain parameters for logging (RSPARAM and Settings in TP-LOG)System settings are SAP managed configuration. For SAP managed system settings, please refer to the S/4HANA Cloud Edition SOC reports (e.g. SAP Security Policy Framework, Security Configuration Reporting) in the SAP Trust Center.

  • System adjustments (reports RSWBO004 and RSTBHIST) and Logging of SAP tables: Customer changes are visible in the change history / logs of the different applications. Example:

    • Employee Master Data
      • Maintain Employees
      • <Select Employee>
      • Change Log

    • Communication Arrangement
      • <select one>
      • Display Changes

    • Audit Journal
      • Display Journal Entry Changes
      • Maintain Business Partner
      • More -> Extras
      • Change History

For SAP managed changes, please refer to the S/4HANA Cloud Edition SOC reports (e.g. Change Management) in the SAP Trust Center.

  • Overview of changes to tables: Customers are not able to apply changes to table configuration. Table configuration is managed by SAP. Please refer to the S/4HANA Cloud Edition SOC reports (e.g. SAP Security Policy Framework, Security Configuration Reporting) in the SAP Trust Center.

  • Update terminations (transaction SM13): Customers are not able to influence issues with update records. This is managed by SAP. Please refer to the S/4HANA Cloud Edition SOC reports (e.g. System Monitoring) in the SAP Trust Center.

  • Options for monitoring interfaces (analog transactions BD87, SM35 etc.): Interfaces can be monitored using S/4HANA Cloud Edition Section "Message Monitoring".

  • Test report from SAP with regard to operation, administration, etc. (e.g. ISAE 3402, SOC 2, PS951): Certification and attestations (e.g. SOC1, SOC2) available for S/4HANA Cloud Edition can be found in the SAP Trust Center.

In case you need S/4HANA Cloud audit logs or related information that is not available on the system, the component to request this information is XX-S4C-OPR-SRV.

Keywords

KBA , XX-S4C-OPR-SRV , S/4HANA Cloud service requests , How To

Product

SAP S/4HANA Cloud all versions