SAP Knowledge Base Article - Public

3494515 - HANA Database Audit Trail & Statutory Requirement For India

Symptom

SAP Business ByDesign includes a default database-level audit trail functionality to ensure system security and compliance, continuously tracking system changes and logging modifications. This feature is automatically activated during the initial system setup and remains active throughout the system’s lifecycle.

Additionally, following recent legislative updates from the Ministry of Corporate Affairs in India, from 1st April 2023 all Indian corporates are required to maintain a correct and compliant audit trail for every transaction, with a log created for each change, and to ensure that the audit trail cannot be disabled for the fiscal year beginning 1st April 2023.

Environment

SAP Business ByDesign

Resolution

HANA Database Audit Trail (General)

  • A default set of database-level auditing policies is enabled in all SAP Business ByDesign systems.
  • The Audit Trail is automatically activated at the database level, and access to the system is controlled via a Cloud Access Manager (CAM) profile, ensuring that only authorized individuals can access the system, with approvals from the Line of Business (LoB).
  • Transaction logs are retained for six months, and audit data cannot be altered by end users. Any modifications can only be performed by administrators with appropriate configuration access through the User Access Management (UAM) tool.

Statutory Requirement in India (1st April 2023)

  • The new regulation mandates that Indian companies maintain audit trail logs for all financial transactions, with a configuration that cannot be disabled for the fiscal year beginning 1st April 2023.
  • SAP confirms that the audit trail feature is set up to ensure compliance with this legislation, capturing all transactions and changes made in the system.

FAQ

1. Whether the audit trail feature has been enabled and is operated throughout the year for all transactions recorded in SAP Business ByDesign?

  • Answer: The audit trail is always active throughout the year, with logs retained for six months.

2. Whether users have access to enable or disable the audit trail feature in SAP Business ByDesign?

  • Answer: No, users do not have the ability to enable or disable the audit trail feature. Only authorized administrators via the UAM tool can manage configurations.

3. Whether the audit trail (edit log) can be tampered with by anyone (SAP or customer or support service provider)?

  • Answer: The audit trail remains secure under the governance of the Line of Business (LoB) and the access controller. User Access Management (UAM) undergoes periodic audits.

4. Whether there is any option for users to tamper with the audit trail?

  • Answer: No, there are no options for users to tamper with the audit trail.

5. What is the duration for which the audit trail is preserved?

  • Answer: Six months.

6. Is there any option for users to download a report of the entire audit trail (edit log)?

  • Answer: No, users cannot download reports of the audit trail. For review of logs, the support team can be contacted to provide the necessary information.

7. Whether periodic backups of audit trails are taken and archived?

  • Answer: Yes, periodic backups are performed with a retention period of six months.

8. Whether any report on audit trail (edit log) is available to enable customer's management to review and monitor such audit trail (edit log)?

  • Answer: No, audit trail reports are not available for customers directly. For review, support must be contacted to provide the logs.

9. Whether the audit trail is enabled at the database level for logging any direct changes and is operated throughout the year (i.e., the feature has not been disabled at any point in time)?

  • Answer: Yes, the audit trail is automatically activated at the database level and remains operational throughout the year.

10. Whether users have access to make any direct changes at the database level?

  • Answer: No, direct access to the database is restricted.

11. Is the audit trail an inherent feature in SAP Business ByDesign that cannot be disabled during the period at the front-end application level, starting from 1st April 2023?

  • Answer: Yes, the audit trail is an inherent feature and cannot be disabled at the application level starting from 1st April 2023.

12. What is the configuration that controls the enabling or disabling of the audit trail?

  • Answer: The audit trail feature is automatically activated during system setup and remains active throughout the entire system lifecycle.

13. How does SAP ensure compliance with the audit trail requirement and prevent tampering, considering the periodic review mechanism for changes to the audit trail configuration, as well as the completeness and accuracy of audit trails or edit logs generated by the software or database?

  • Answer: The security and integrity of the audit trail are ensured through oversight by the Line of Business (LoB) and the access controller. The LoB reviews the configuration regularly to verify its completeness and accuracy. User Access Management (UAM) undergoes periodic audits to ensure proper authorization and control, preventing unauthorized access and tampering with audit logs.

14. Whether there is a list of users who have access to the HANA database?

  • Answer: A specific list is not provided. However, database access is managed through the CAM profile, ensuring that only authorized users have the necessary permissions.

15. Is the audit trail feature enabled and consistently active on the HANA database for SAP Business ByDesign?

  • Answer: Yes, the audit trail is automatically enabled and remains active on the HANA database for SAP Business ByDesign.

16. Can customer users enable, disable, or tamper with the audit trail feature?

  • Answer: No, customer users cannot enable, disable, or modify the audit trail. The configuration is managed exclusively by authorized administrators through the UAM tool.

17. Is the audit trail secure from unauthorized access or tampering by customer users or external service providers?

  • Answer: Yes, the audit trail is secured under the governance of the Line of Business (LoB) and the access controller, and is subject to regular audits.

18. What is the retention period for audit trail data on the HANA database? Are periodic backups taken?

  • Answer: Audit trail data is retained for six months, with daily backups performed to safeguard data availability.

19. Can customer users download or access a report of the audit trail for review?

  • Answer: No, direct download or review of database audit trail reports by customer users is not permitted. For review of relevant records, support can be contacted for assistance with the Application & Change Logs section.

20. Whether the change log at the application level can be modified, archived or deleted?

  • Answer: No, it is not possible to modify, archive or delete the change log in the system.

See Also

2681625 - How to Get SOC1, SOC2 or ISO 27001 Reports for Audits

2560675 - How to get the Audit Related SOC report

Keywords

HANA Database, Audit Trail, Statutory Requirement For India, SOC Report, Audit, Business ByDesign, KBA, SRD-CC-CI-CCS, ByD Service Control Center, How To

Product

SAP Business ByDesign all versions