

Application Controls

SAP is an extremely complex system, and most senior management consider it a ‘black box’ where detailed day-to-day transactions are input and reports and account balances are output.


Deloitte have created a number of robust methodologies and approaches for supporting clients with SAP implementations, ranging from complete implementations to project assurance and steering committee attendance. Our in-house tools allow management to gain insight into SAP, and understand and quantify their risks and exposure. These tools allow automatic extraction of detailed access, configuration, and general IT settings for all key business processes, and can provide 100% comfort over the controls they test.


Our SAP resources span the globe, ensuring we can quickly get experienced professionals on the ground anywhere in the world to help address business challenges.

  • Limited visibility of the risks associated with SAP for key business processes, and limited oversight of SAP compliance.
  • Due to the complexity of the system, the volume of transactions and the material nature of account balances, there is a high risk that material misstatement of the account balances could occur.
  • Management and internal and external auditors review and place reliance on the appropriateness of controls in SAP. If irregularities are found, reliance on the control environment for the integrity of financial accounts is reduced, which may result in additional costs to manually substantiate the business financial accounts and low confidence in the control environment.


  • Process and control design - creating efficient processes, designing strong controls and robust control frameworks, by effectively utilising system configuration and reporting controls.
  • Security and role design - remediating and redesigning security and role design, to minimise segregation of duties conflicts and sensitive and privileged access issues.
  • Optimisation - monitoring deviation from the original business case and business needs, to ensure efficient use of SAP, allowing clients to maximise the functionality of their SAP landscape.
  • Business change and system embedding - performing risk assessments, creating business governance, designing processes and controls and business training to ensure embedding and realisation of SAP projects.
  • Implementation healthcheck - providing a complete picture of system upgrades and implementations throughout the project lifecycle by performing an independent, rigorous top-down and bottom-up view across the programme.
  • Use of 3rd party tools (i.e. eQSmart / ACTT / SAP GRC / Approva BizRights) - identifying and quantifying audit and compliance risks, and enabling clients to effectively monitor and react to SAP business and IT risks.