


In an SAP system, who is allowed to change financial data is precisely regulated.
At least on paper.
Because over the years, alongside the SAP standard, a second world often emerges:
Custom developments.
Individually built, historically grown, and often business-critical.
When custom developments change the same data as the standard
Many of these programs intervene directly in central business processes.
They can, for example:
• Post documents
• Post to accounts
• Change financial data
• Update master data
Clear authorization and control mechanisms apply to SAP standard transactions.
With custom developments, this is often different.
Not because securing them would be technically impossible.
But because it was never systematically checked whether the same rules even apply there.
The real risk arises unnoticed
The consequence can be critical:
A program changes financial data without reliably checking whether the executing user is authorized to do so.
And the older the system landscape becomes, the more frequently another question arises:
Which of these programs even still exist – and what can they access?
Precisely this transparency is missing in many legacy SAP systems.
Why this is also relevant for auditors
The topic does not only affect IT.
It also affects:
• Governance
• Compliance
• Internal controls
• Financial audits
Because nowadays, auditors expect control mechanisms to apply not only to the SAP standard.
They must also be traceable for custom developments.
This is exactly what auditing standards like ISA 315 aim at.
Mitigate risks before questions arise
The good news:
Such risks can be identified.
As soon as it becomes visible,
• which programs can change financial data
• which authorization checks are missing
• which custom developments are particularly critical
a resilient foundation for governance and risk management is created.
And ideally, this happens before internal or external auditors ask the questions.
Custom developments need the same control as the standard
Anyone who wants to operate SAP systems securely should not only look at standard transactions.
The same transparency and control must also apply to custom developments.
Because risks rarely arise where everyone is looking.
But rather where no one has looked for years.
Decision Intelligence for Governance and Security
Precisely for this purpose, a layer is needed between system reality and decision-making.
A layer that makes visible:
• which programs actually exist
• which data they can change
• which risks arise from this
We call this layer the Decision Intelligence Layer.
Independent.
Read-only.
Without implementation interest.
Without licensing interest.
Clarity instead of flying blind.
👉 Do you know today for sure which custom developments in your SAP system can change financial data? If not, it is worth taking a closer look – before the auditor asks about it.





