Symptom
The Ministry for Corporate Affairs in India has recently published a rule requiring all Indian corporates to maintain a correct and compliant audit trail in their accounting software for each and every transaction, creating a log for each change and ensuring that the audit trail cannot be disabled. The rule applies to the financial year starting April 1st 2021, later amended to April 1st 2023 (refer to the attachments).
Environment
SAP Business ByDesign
Resolution
Our default set of database-level auditing policies is enabled in systems by default. Therefore, we confirm that the requested action to enable auditing is already in place.
The Audit Trail is automatically activated at the database level. While we can't provide the user list, access is controlled by a Cloud Access Manager (CAM) profile, ensuring that only authorized individuals can gain access with Line of Business (LoB) approvals. Once enabled, the standard audit trail remains consistently active without any changes.
If the ask is to capture audit trails for various transactions, in other words business data in the system, the system takes care of this. These are the application logs or change logs, which are enabled with their respective transactions and capture data such as created/changed by, created/changed on, etc. This feature is enabled by default for all ByDesign customers.
FAQ:
1. Whether the audit trail feature has been enabled and is operated throughout the year for all transactions recorded in the SAP Business ByDesign (i.e., the feature has not been disabled at any point in time)?
Ans: The audit trail is always active throughout the year, with logs retained for six months.
2. Is the audit trail enabled for all the audit policies at the database level? Could you please share the complete screenshot of the audit policies to verify?
Ans: Raise a case to SAP for the screenshot.
2. Whether client (i.e., your company) users have access to enable or disable the audit trail feature in SAP Business ByDesign?
Ans: No.
3. Whether the audit trail (edit log) can be tampered with by anyone (SAP or client or support service provider)?
Ans: The audit trail remains secure under the governance of the line of business (LOB) and the access controller. User Access Management (UAM) undergoes periodic audits.
4. Whether there is any option with client (i.e., your company) users to tamper with the audit trail?
Ans: No.
5. What is the duration for which audit trail is preserved?
Ans: Six months.
6. Is there any option with client (i.e., your company) users to download a report of all the audit trail (edit log)?
Ans: No.
7. Whether periodic backups of audit trails are taken and archived?
Ans: Yes, but with six months retention.
8. Whether any report on audit trail (edit log) is available to enable client (i.e., your company) Management to review and monitor such audit trail (edit log)?
Ans: No.
9. Whether audit trail is enabled at the database level for logging any direct changes and is operated throughout the year (i.e. the feature has not been disabled at any point in time)?
Ans: The Audit Trail is automatically activated at the database level.
10. Whether client (i.e., your company) users have access to make any direct change at database level?
Ans: No.
11. Can you please provide the configuration screenshots for the audit trail in the front-end application? Additionally, can you confirm if the audit trail is an inherent feature in SAP Business ByDesign and cannot be disabled during the period at the front-end application level, starting from April 1st, 2023?
Ans: If you are referring to audit logs on the application server, we have audit logs enabled for our landscape, and customers can request them by raising a ticket. Security log configuration details are confidential, and we are not supposed to share configuration details. We retain the audit logs for 1 year, so customers can request them by specifying the duration of logs that they need, user details and timestamps, and we can provide them with the logs.
12. What is the configuration that controls the enabling or disabling of the audit trail?
Ans: The audit trail feature in the database is automatically activated by default during system setup and remains active throughout the entire system lifecycle.
13. How does SAP ensure compliance with the audit trail requirement and prevent tampering, considering the periodic review mechanism for changes to the audit trail configuration, as well as the completeness and accuracy of audit trails or edit logs generated by the software or database? Additionally, why does the SOC report released by SAP not mention the audit trail feature, leading to qualifications in our auditor's report?
Ans: The security and integrity of the audit trail are ensured through oversight by the line of business (LoB) and an access controller. The LoB oversees compliance with audit trail requirements and regularly reviews the configuration to verify its completeness and accuracy. User Access Management (UAM) is subject to regular audits to ensure proper authorization and control, preventing unauthorized access and tampering with audit logs. Access to audit controls is restricted and exclusively managed by an admin user through the UAM tool, which secures the audit process and ensures that all changes are recorded.
Additional info covered by KBAs:
2681625 - How to Get SOC1, SOC2 or ISO 27001 Reports for Audits
2560675 - How to get the Audit Related SOC report