Ensuring Regulatory Compliance: Expert Tips for Aligning Your SAP System with MCA Requirements

It’s been almost a year since the Ministry of Corporate Affairs (MCA), India introduced a new set of guidelines to companies on April 1, 2023, aiming to bring transparency and restrict or reduce data manipulation of books within the company. This prompted SAP clients to initiate new processes such as enabling audit trails and change logs. However, many customers are still unsure about what they need to do.

A survey conducted by ToggleNow between September 2023 and March 2024 found that 7 out of 10 customers attempted to implement the rules, but they might not have completed all the necessary steps. Here’s how companies are dealing with the situation:

| What does the requirement say? | How are companies handling it today? | What is the challenge? |
| --- | --- | --- |
| Enable audit trail of every transaction. | Companies are enabling the SM19/SM20 audit logs. | Enabling SM19/SM20 audit logs not only occupies a lot of space, but also impacts system performance. |
| Creating an edit log of each change made in books of account along with the date when such changes were made. | This is a standard feature of SAP where the change logs are captured in the following tables: CDHDR (change document header table); CDPOS (change document item table); SCDO (change document object table); SCDO2 (change document object table, newer version); TCURR (exchange rates table, used for currency conversion); T000 (clients table, tracks changes to client-specific data); T001W (plant parameters table, tracks changes to plant-related data); T001L (storage locations table, tracks changes to storage location data). | While this is a standard feature, users in SAP can still delete these logs, which need to be secured. Many of the clients haven't implemented additional security features to protect the edit/change logs. |
| Audit trail cannot be disabled/deleted. | Audit trails are enabled by admins in the production environments and are backed up periodically. | Users with administrative authorizations can still disable or delete these audit trails/logs. |
| No backdated entries, no deleted/amended vouchers allowed. | This is controlled with authorizations. | Many users have wider authorizations, which allow them to post backdated entries. |
| It's about transparency and no room for data manipulation. | Debug authorization, which allows changes at run time, is restricted to specific users. | Debug authorizations are not properly maintained. Many users have access to SE16 with debug, allowing them to change entries without proper records. |
| Ensure your software has a timestamp for every action. | This is a default functionality. | As mentioned, changes performed through RFMs and in debug mode don't leave a timestamp. This must be controlled. |
| Track every transactional change, no exceptions. | This is a default functionality. | Change logs can be deleted. Thus, authorization controls must be implemented. |
| Keep the edit log permanently on. | This is a default functionality. | Edit logs can be deleted. Thus, authorization controls must be implemented. |
| Capture user details for accountability. | This is a default functionality. | With RFMs, users can utilize other IDs and make changes. RFMs and RFCs must be secured. |
| Maintain a clear sequence of actions. | This is a default functionality. | This is a default functionality. |

In conclusion, the management of audit logs such as SM19/SM20 presents challenges, as enabling them may consume significant storage space and affect system performance. Despite being a standard feature, users in SAP can still delete these logs, highlighting the necessity for enhanced security measures.

Many clients have not implemented additional safeguards, leaving the system vulnerable to unauthorized alterations. Furthermore, users with administrative privileges can easily disable or erase audit trails, while wider authorizations enable the posting of backdated entries. Debug authorizations are often overlooked, granting users access to SE16 with debug capabilities, compromising data integrity. Moreover, changes made through RFMs and in debug mode lack timestamp records, necessitating stricter controls. The deletion of change and edit logs underscores the imperative for robust authorization controls. To mitigate risks, RFMs and RFCs must be secured to prevent unauthorized access and alterations.
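One way to check for the authorization gaps described above, as an added example that is not ToggleNow's tooling: a review of a constructed authorization export that flags debug-change rights, SE16 combined with debug-change, and the right to delete change documents. The objects and values used (S_DEVELOP with OBJTYPE DEBUG and ACTVT 02, S_SCD0 with ACTVT 06, S_TCODE) are not named on the page and should be confirmed against your release; the export layout is an assumption, and only the full `*` wildcard is handled.

```python
# Constructed sample: one entry per authorization instance assigned to a user,
# as might be exported from a role/authorization report. Not real system data.
SAMPLE_AUTHS = [
    ("FI_CLERK1", "S_TCODE",   {"TCD": ["FB01", "SE16"]}),
    ("FI_CLERK1", "S_DEVELOP", {"OBJTYPE": ["DEBUG"], "ACTVT": ["02", "03"]}),
    ("BASIS_ADM", "S_SCD0",    {"ACTVT": ["*"]}),
    ("BASIS_ADM", "S_DEVELOP", {"OBJTYPE": ["*"], "ACTVT": ["03"]}),
    ("AUDITOR1",  "S_TCODE",   {"TCD": ["SE16"]}),
    ("AUDITOR1",  "S_DEVELOP", {"OBJTYPE": ["DEBUG"], "ACTVT": ["03"]}),
]

# Risk rules (assumed mapping): every field must be satisfied inside a
# single authorization instance, not spread across several.
RULES = {
    "DEBUG_CHANGE":      ("S_DEVELOP", {"OBJTYPE": "DEBUG", "ACTVT": "02"}),
    "CHANGE_DOC_DELETE": ("S_SCD0",    {"ACTVT": "06"}),
    "SE16_ACCESS":       ("S_TCODE",   {"TCD": "SE16"}),
}

def grants(fields, needed):
    """True if each needed value is listed explicitly or covered by '*'."""
    return all(
        any(v in ("*", want) for v in fields.get(name, []))
        for name, want in needed.items()
    )

def review(auths):
    """Return {user: sorted list of findings} for the rules above."""
    hits = {}
    for user, obj, fields in auths:
        for rule, (rule_obj, needed) in RULES.items():
            if obj == rule_obj and grants(fields, needed):
                hits.setdefault(user, set()).add(rule)
    report = {}
    for user, found in hits.items():
        findings = found - {"SE16_ACCESS"}  # SE16 alone is not a finding
        if {"SE16_ACCESS", "DEBUG_CHANGE"} <= found:
            findings.add("SE16_WITH_DEBUG_CHANGE")
        if findings:
            report[user] = sorted(findings)
    return report

if __name__ == "__main__":
    for user, findings in sorted(review(SAMPLE_AUTHS).items()):
        print(user, findings)
```

Display-only debug (ACTVT 03) is deliberately not flagged, so AUDITOR1 produces no finding even with SE16 access.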

Evaluating your SAP system to ensure compliance with the Ministry of Corporate Affairs (MCA) requirements is crucial for maintaining transparency and data integrity within your organization. Our team of experts specializes in SAP systems and regulatory compliance, and we’re here to assist you every step of the way.

Here’s how ToggleNow can help:

1. Comprehensive Assessment:

Our team will conduct a thorough assessment of your current SAP system to identify any gaps or areas that need improvement to meet MCA requirements.

2. Customized Solutions:

Based on the assessment findings, we’ll tailor solutions specifically for your organization to ensure compliance with MCA guidelines while optimizing system performance and security.

3. Implementation Support:

Our team will provide hands-on support during the implementation phase, such as authorization adjustments, and guide you through configuring your SAP system for the additional changes needed to align with MCA requirements effectively.

4. Training and Education:

We offer training sessions to educate your team on best practices for maintaining compliance within the SAP environment, empowering them to utilize the system efficiently and securely.

5. Ongoing Support:

Our commitment doesn’t end with implementation. We’ll provide ongoing support and maintenance to address any evolving compliance needs and ensure your SAP system remains aligned with MCA regulations.

Let’s schedule a consultation to discuss your specific requirements and how our expertise can help you achieve and maintain compliance with MCA guidelines.

Raghu Boddu

Meet Raghu Boddu, an expert in SAP Security and Governance, Risk, and Compliance (GRC). With 20+ years of experience in the field, Raghu has a deep understanding of the nuances and complexities of SAP systems and how to keep them secure. Raghu has worked with various clients across different industries, helping them implement effective security and GRC strategies to protect their sensitive data and meet regulatory compliance requirements. Raghu is a respected thought leader in the SAP security and GRC community, regularly sharing insights and best practices through presentations and publications. Whether you’re looking to improve the security of your SAP system or ensure compliance with relevant regulations, Raghu can provide the guidance and expertise you need to succeed.
