All SAP customers can create custom transactions, tables and programs in the SAP System. This makes the internal audit team’s job very difficult, having to track every custom object entered into the SAP system. Without an unified view of all the custom objects, it is next to impossible for the team to figure out which objects are not compliant. To realize the magnitude of the SAP Risk is only possible when all information is seen in one report, like the ones generated by SAP Audit. Generally the best practice is to create transactions to all the custom programs and custom tables. Each of the programs should have authority check statements and should be added in SU24 configuration to avoid SAP Risk being introduced through unsecured custom transactions. SAP Audit can handle that!