Audit pressure usually makes SAP AMS slower and more defensive. Done right, it actually makes it calmer and cheaper.
Attribution
Creator: Dzmitryi Kharlanau (SAP Lead).
Canonical: https://dkharlanau.github.io/datasets/ams/ams-016.json
JSON (copy / reuse)
{
"id": "ams-016",
"title": "Risk, Audit, and Control Without Slowing the System",
"hook": "Audit pressure usually makes SAP AMS slower and more defensive. Done right, it actually makes it calmer and cheaper.",
"idea": "Risk management in SAP AMS is not about paperwork. It’s about making risk visible early, bounded, and reversible — so audits confirm reality instead of discovering surprises.",
"sap_risk_landscape": {
"real_risks": [
"Uncontrolled emergency changes",
"Hidden custom logic affecting postings",
"Weak authorization governance (separation-of-duties / SoD drift)",
"Manual fixes without traceability",
"Silent data corrections in production"
],
"fake_risks": [
"Over-documented low-risk changes",
"Approval theater without evidence",
"Audits focused on forms, not behavior"
]
},
"control_model": {
"preventive": [
"Clear change classification (standard / normal / emergency)",
"Pre-approved standard change catalog",
"Automated validation before execution"
],
"detective": [
"Change-induced incident tracking",
"Authorization failure spikes",
"Transport rollback frequency",
"Unusual production activity patterns"
],
"corrective": [
"Fast rollback playbooks",
"Problem backlog with deadlines",
"Explicit debt acceptance with review dates"
]
},
"audit_ready_by_design": {
"principles": [
"Evidence is produced automatically during work.",
"No retroactive documentation.",
"Every action leaves a trace without extra effort."
],
"artifacts": [
"Linked incident → change → test → verification trail",
"Who approved what, when, and based on which evidence",
"Clear separation of duties for execution vs approval"
]
},
"approval_and_sod": {
"rules": [
"No one approves their own change.",
"Emergency execution requires post-factum review with evidence.",
"SoD violations are tracked as risk signals, not personal failures."
],
"sap_specific_controls": [
"Role assignment fast lane with SoD checks",
"Temporary emergency roles with auto-expiry",
"Logging of sensitive transactions and data fixes"
]
},
"automation": {
"copilot_moves": [
"Assemble audit evidence packs automatically.",
"Detect control bypass patterns early.",
"Flag repeated emergency usage by domain or person."
],
"outputs": [
"Audit-ready change and incident trails",
"Risk heatmap by flow and system",
"Monthly control health summary"
]
},
"why_this_helps_ams": [
"Less fear around audits.",
"Fewer last-minute control panics.",
"More trust to move fast where it’s safe."
],
"anti_patterns_to_kill": [
"Writing documents after the fact",
"Treating auditors as enemies",
"Freezing all change under audit pressure"
],
"metrics_that_keep_it_real": [
"Emergency changes as % of total",
"Changes with complete evidence (%)",
"Repeat audit findings",
"Time to produce audit evidence"
],
"design_question": [
"If an auditor asked ‘why was this safe?’, could the system answer without us?"
],
"meta": {
"schema": "dkharlanau.dataset.byte",
"schema_version": "1.1",
"dataset": "ams",
"source_project": "cv-ai",
"source_path": "ams/ams-016.json",
"generated_at_utc": "2026-02-03T14:33:32+00:00",
"creator": {
"name": "Dzmitryi Kharlanau",
"role": "SAP Lead",
"website": "https://dkharlanau.github.io",
"linkedin": "https://www.linkedin.com/in/dkharlanau"
},
"attribution": {
"attribution_required": true,
"preferred_citation": "Dzmitryi Kharlanau (SAP Lead). Dataset bytes: https://dkharlanau.github.io"
},
"license": {
"name": "",
"spdx": "",
"url": ""
},
"links": {
"website": "https://dkharlanau.github.io",
"linkedin": "https://www.linkedin.com/in/dkharlanau"
},
"contact": {
"preferred": "linkedin",
"linkedin": "https://www.linkedin.com/in/dkharlanau"
},
"canonical_url": "https://dkharlanau.github.io/datasets/ams/ams-016.json",
"created_at_utc": "2026-02-03T14:33:32+00:00",
"updated_at_utc": "2026-02-03T15:29:02+00:00",
"provenance": {
"source_type": "chat_export_extraction",
"note": "Extracted and curated by Dzmitryi Kharlanau; enriched for attribution and crawler indexing."
},
"entity_type": "ams_byte",
"entity_subtype": "",
"summary": "Audit pressure usually makes SAP AMS slower and more defensive. Done right, it actually makes it calmer and cheaper."
}
}