Manage Risk Confidently
SAP Risk Analysis on SAP BTP. Set up in hours. First results the next day.
Nashcon SAP Risk Analyzer gives your SAP team and auditors full visibility into critical authorization risks and SoD conflicts – with a ready-to-use, S/4HANA-ready rule set included. No new tools. No rule set development. No maintenance. Secure on SAP BTP.
Most SAP environments have critical access risks. Most companies don't know where.
Out-of-date rule sets
Many organizations rely on outdated SAP risk rule sets – not S/4HANA or Fiori-ready – missing entire categories of modern access risks.
No clear separation between open and controlled risks
Without proper documentation of mitigating controls, auditors and management cannot tell which risks are truly open and which are already under control.
Months of implementation before any results
Building your own SAP risk analysis solution – rule set development, tool setup, testing, maintenance – takes months and requires ongoing internal resources.
Design. Implement. Operate.
Nashcon SAP Risk Analyzer – built for SAP teams and auditors who need answers fast.
A cloud-based risk analysis solution on SAP BTP that identifies, visualizes, prioritizes and documents your SAP authorization and SoD risks – distinguishing clearly between open risks and mitigated, documented ones.
Ready-to-use Rule Set
Comes with a comprehensive, S/4HANA and Fiori-ready rule set covering critical actions, critical permissions and SoD conflicts across all major business processes. No development required.
Open vs. Mitigated Risks
Mitigated risks are documented and separately tracked. Only real, open risks remain in the active risk view – giving auditors and management a clear, unambiguous picture.
Direct Access for Auditors
Auditors and internal control teams get direct access to a structured, filterable risk overview – including risk classification, number of affected users, and individual risk documentation per risk.
Secure on SAP BTP
Your data is processed and stored securely on SAP Business Technology Platform – within the SAP ecosystem you already trust. No third-party tools. No unknown cloud environments.
How It Works
Step 1: Setup
Connect to your SAP system and identify the risk parameters you want to analyze. It's quick and straightforward.
Step 2: Analyze
Run the risk analysis tool, which provides quick insights based on your data. Results start rolling in fast.
Step 3: Review
Evaluate the generated reports to understand your risks clearly. Make informed decisions without delay.
Risk Coverage
Comprehensive risk coverage across all major SAP business processes
The Nashcon SAP Risk Analyzer covers critical actions, critical permissions and SoD conflicts across:
- Finance (FI)
- Controlling (CO)
- Materials Management (MM)
- Sales & Distribution (SD)
- Logistics & Warehouse (WM/EWM)
- Basis (BC)
- Human Resources (HR)
- Production Planning (PP)
- Business Warehouse (BW)
- Advanced Planning and Optimization (APO)
- Customer Relationship Management (CRM)
- Supplier Relationship Management (SRM)
- Enterprise Buyer (EBP)
- Industry Solutions for Utilities (IS-U)
- HANA privileges
Compatible with SAP ECC, SAP S/4HANA on-premise, SAP S/4HANA Cloud and RISE with SAP
Designed to support internal and external audit requirements
The Nashcon SAP Risk Analyzer directly addresses the five key questions auditors ask when assessing SAP access controls:
The Nashcon SAP Risk Analyzer provides a complete, user-level overview of all critical authorizations across financially relevant SAP processes – including Finance (FI), Controlling (CO), Accounts Payable, Accounts Receivable and more. For each risk, you see exactly which users hold critical access, which transactions are involved, and which authorization objects grant that access. No manual extraction. No spreadsheets. A clear, filterable list – ready for your review.
The analyzer identifies all Segregation of Duties conflicts across your SAP system – based on a comprehensive, S/4HANA and Fiori-ready rule set aligned to established audit standards. Each SoD conflict is clearly described: which two functions are in conflict, why the combination is critical, and which users are affected. Results are filterable by business process – Finance, Procurement, Sales, Logistics and more – so you can focus your audit on the areas that matter most.
For every identified risk – whether a critical action, critical permission or SoD conflict – the Nashcon SAP Risk Analyzer shows the exact number of affected users. This allows auditors to immediately assess the scope and materiality of each finding. A risk affecting 1 user is evaluated differently than one affecting 50. The user count is visible in the risk overview and in the detailed drill-down view, giving you both a high-level summary and the detail you need.
The Nashcon SAP Risk Analyzer clearly distinguishes between open risks and mitigated risks. Where a compensating control has been defined and documented by the organization, the corresponding risk is marked as mitigated and removed from the active risk view. Each mitigating control is documented within the system – including a description of the control measure. This gives auditors a transparent picture: what risks exist, which are under control, and what evidence supports that assessment.
Yes. Every risk in the Nashcon SAP Risk Analyzer is classified into one of four criticality levels: Critical, High, Medium and Low – based on the potential business and compliance impact. This classification is built into the rule set and allows auditors to immediately prioritize their findings. Filter the risk overview by criticality level to focus on the most significant issues first – and document your audit findings accordingly.
Simple, transparent packages. No hidden costs.
Choose the package that fits your needs – or start with a single snapshot to see your risks before committing to an annual plan.
All packages are priced per SAP system and client. Running multiple SAP systems? Multi-system discounts are available. Contact us for a tailored quote.
Need an additional risk analysis run outside your quarterly schedule – for example after a remediation activity? Additional snapshot runs are available at any time. Ask us for add-on pricing.
Single Risk Snapshot
- 1 SAP system, 1 client
- 1 complete risk analysis run
- Full access to Nashcon SAP Risk Analyzer on SAP BTP
- 30-day platform access
- Risk results including criticality classification, number of affected users and individual risk documentation
- 60-minute results walkthrough call with Nashcon
⭐Annual Risk Snapshot Package
- 1 SAP system, 1 client
- Up to 4 risk analysis runs per year (quarterly cadence)
- Full access to Nashcon SAP Risk Analyzer on SAP BTP
- 12-month platform access
- Continuous rule set updates for S/4HANA and Fiori – included at no extra cost
- Risk results including criticality classification, number of affected users and individual risk documentation
- Standard Platform support included
- Additional snapshot runs available on request (e.g. post-remediation verification)
Add-on: Risk Remediation Workshop
Already have your risk results? Take the next step. Work with Nashcon experts to define your remediation strategy, document mitigating controls and prioritize your cleanup activities.
- 1-day workshop (remote)
- Structured review of open risks with your SAP and compliance team
- Remediation roadmap with prioritized action items
- Available as standalone service or in combination with any package
We deliver real impact in SAP Security and GRC.
Trusted by SAP teams and auditors
See your real SAP risks – open, mitigated and fully documented
Request a demo and see the Nashcon SAP Risk Analyzer in action – live, with a real system landscape.
FAQs
What SAP systems do you support?
SAP ERP, SAP S/4HANA on-premise, SAP S/4HANA Cloud and RISE with SAP. Runs on the ABAP stack.
How is data protection handled?
All data is processed exclusively on SAP Business Technology Platform (SAP BTP) – encrypted, tenant-separated and never shared with third parties.
What are the setup requirements?
No installation required. You run a standard SAP report provided by Nashcon, which generates an encrypted snapshot of the relevant data.
How long does analysis take?
The snapshot generation takes a few hours on your side. Nashcon configures the analysis and delivers first results the next business day.
Can I perform independent analysis?
Yes. After onboarding, your SAP team can independently trigger analyses – no Nashcon involvement required.
Can we run the analysis independently after onboarding?
Yes. After onboarding, your SAP team can independently go through analyses – no Nashcon involvement required.
How do auditors access the results?
Auditors receive secure guest access via Microsoft SSO – no installation or configuration required on their side.
What types of risks does the analyzer identify?
The Nashcon SAP Risk Analyzer identifies three categories of SAP access risks: critical actions (single transactions or authorizations that are inherently high-risk), critical permissions (combinations of authorization objects and field values that grant excessive access), and SoD conflicts (combinations of two or more functions that should never be held by the same user). All risk categories are covered across the major SAP business processes – Finance, Controlling, Procurement, Sales, Logistics, HR and Basis.
What happens if we already have compensating controls in place?
If your organization has defined and documented compensating controls for specific risks, these are recorded within the Nashcon SAP Risk Analyzer. Risks with documented mitigating controls are marked as mitigated and removed from the active risk view. This ensures that your risk results reflect only genuine, open risks – not risks that are already under control. Nashcon supports you in assigning your compensating controls as part of the onboarding process.
Is the rule set regularly updated?
Yes. The Nashcon rule set is continuously maintained and updated to reflect changes in SAP – including new S/4HANA releases, Fiori app authorizations and evolving audit standards. Rule set updates are included in the annual package at no additional cost. This means your risk analysis always reflects the current SAP landscape – without any effort on your side.