MTC Skopos is an SAP SoD analysis tool built for auditors. It runs as a portable desktop application, needs no access to the audited SAP system (it works from standard table exports the client's Basis team can produce in minutes), and delivers authorization-level SoD and critical access findings in about an hour. Licensing is a flat $6,718/year, so one license covers every engagement without per-client costs.

MTC Skopos for audit work
System access required: None; works from SAP table exports (USR02, AGR_USERS, AGR_1251, UST12, etc.)
Installation: None; portable executable
Where the data goes: Stays on the auditor's machine, fully offline, no telemetry
Time to first findings: About an hour from receiving the exports
Analysis depth: Authorization-object level, not just transaction codes
Output: Risk register, per-user findings, did-do evidence, Excel/CSV exports
Pricing: $6,718/year flat, $650 per additional seat

Can I run SoD analysis without access to the client's SAP system?

Yes, and for most audit engagements that is the better way to work. Requesting an auditor account on a production SAP system means access forms, approval chains, and an account that itself shows up in the next access review. MTC Skopos sidesteps all of it: the client's Basis or security team exports a handful of standard tables, hands them over through whatever secure channel the engagement already uses, and you run the analysis on your own laptop.

This matters for independence too. You are not relying on reports produced inside the client's own GRC configuration. You test their authorizations against a ruleset you control, on infrastructure you control.

What audit evidence does it produce?

A point-in-time analysis gives you:

  • SoD conflict findings per user and per role, traced to the exact authorization objects and values that create the conflict, not just the transaction codes
  • Critical access findings: who can use SU01 (user maintenance), SE38 (ABAP editor), SCC4 (client settings), SM59 (RFC destinations), debug, or any sensitive access you define
  • Did-do evidence: whether users with conflicting access actually executed both sides, separating theoretical exposure from exercised risk
  • Exportable workpapers: every result table exports to Excel or CSV for your audit file

Because the analysis runs in minutes, you can re-run it during the engagement, for example after the client claims a finding was remediated.
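To make concrete what "authorization-object level, not just transaction codes" means when working from table exports, here is an added example in Python. It is not MTC Skopos code and does not reflect its ruleset format: the exports are constructed rows in the column layout of the real SAP tables USR02, AGR_USERS and AGR_1251, while the role names, authorization names, field values, the SoD rule and the AS_OF date are invented. It evaluates one rule two ways, once at authorization-object level (honouring SAP value semantics, role validity dates, deleted authorization rows and user lock status) and once on S_TCODE alone. The user who holds only a vendor display role is flagged by the transaction-level view but not by the object-level one.

```python
# Added example, not MTC Skopos code. The exports below are constructed in the column
# layout of the SAP tables USR02, AGR_USERS and AGR_1251; roles, values and the rule are invented.
import csv
import io
from collections import defaultdict

AS_OF = "20240601"  # assumed analysis date; SAP stores dates as YYYYMMDD strings
USR02 = """BNAME;UFLAG
JSMITH;0
MJONES;0
OLDUSER;64
"""
AGR_USERS = """AGR_NAME;UNAME;FROM_DAT;TO_DAT
Z_AP_INVOICE;JSMITH;20200101;99991231
Z_VENDOR_MAINT;JSMITH;20200101;99991231
Z_AP_INVOICE;MJONES;20200101;99991231
Z_VENDOR_DISPLAY;MJONES;20200101;99991231
Z_VENDOR_MAINT;MJONES;20200101;20221231
Z_AP_INVOICE;OLDUSER;20200101;99991231
Z_VENDOR_MAINT;OLDUSER;20200101;99991231
"""
AGR_1251 = """AGR_NAME;OBJECT;AUTH;FIELD;LOW;HIGH;DELETED
Z_AP_INVOICE;S_TCODE;T-AP01;TCD;FB60;;
Z_AP_INVOICE;F_BKPF_BUK;T-AP02;ACTVT;01;03;
Z_VENDOR_MAINT;S_TCODE;T-VM01;TCD;FK01;FK03;
Z_VENDOR_MAINT;F_LFA1_APP;T-VM02;APPKZ;F;;
Z_VENDOR_MAINT;F_LFA1_APP;T-VM02;ACTVT;01;02;
Z_VENDOR_DISPLAY;S_TCODE;T-VD01;TCD;FK*;;
Z_VENDOR_DISPLAY;F_LFA1_APP;T-VD02;APPKZ;F;;
Z_VENDOR_DISPLAY;F_LFA1_APP;T-VD02;ACTVT;03;;
Z_VENDOR_DISPLAY;F_LFA1_APP;T-VD02;ACTVT;02;;X
"""
# Constructed SoD rule: a side is a list of (object, {field: accepted values}), all of which must be met.
RULE = {"id": "AP-01 post vendor invoice vs maintain vendor master", "sides": {
    "post_invoice": [("S_TCODE", {"TCD": {"FB60"}}),
                     ("F_BKPF_BUK", {"ACTVT": {"01", "02"}})],
    "maintain_vendor": [("S_TCODE", {"TCD": {"FK01", "FK02"}}),
                        ("F_LFA1_APP", {"APPKZ": {"F"}, "ACTVT": {"01", "02"}})],
}}

def rows(text):
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))

def value_matches(low, high, value):
    """SAP value semantics: '*' is everything, LOW..HIGH an inclusive range,
    a trailing '*' a prefix pattern, anything else an exact match."""
    if low == "*":
        return True
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return value == low

def authorizations_by_role(agr_1251):
    """role -> [(object, {field: [(low, high)]})] per authorization instance; DELETED='X' rows
    are PFCG deletions that remain in the table and grant nothing."""
    inst = defaultdict(lambda: defaultdict(list))
    for r in rows(agr_1251):
        if r["DELETED"] != "X":
            inst[(r["AGR_NAME"], r["OBJECT"], r["AUTH"])][r["FIELD"]].append((r["LOW"], r["HIGH"]))
    by_role = defaultdict(list)
    for (role, obj, _auth), fields in inst.items():
        by_role[role].append((obj, fields))
    return by_role

def active_roles_by_user(agr_users, as_of):
    """Only role assignments valid on the analysis date grant anything."""
    by_user = defaultdict(set)
    for r in rows(agr_users):
        if r["FROM_DAT"] <= as_of <= r["TO_DAT"]:
            by_user[r["UNAME"]].add(r["AGR_NAME"])
    return by_user

def condition_met(obj, required, user_auths):
    """Met when ONE authorization instance of `obj` covers every required field;
    fields are never combined across instances, as in the SAP check itself."""
    return any(auth_obj == obj and all(
        any(value_matches(lo, hi, v) for v in wanted for lo, hi in fields.get(fld, []))
        for fld, wanted in required.items()) for auth_obj, fields in user_auths)

def analyze(usr02, agr_users, agr_1251, rule, as_of=AS_OF):
    """One finding per user able to perform every side of the rule. Locked users
    (UFLAG != 0) are kept but flagged: a lock does not remediate the authorization."""
    lock = {r["BNAME"]: r["UFLAG"] for r in rows(usr02)}
    auths = authorizations_by_role(agr_1251)
    findings = []
    for user, roles in sorted(active_roles_by_user(agr_users, as_of).items()):
        user_auths = [a for role in sorted(roles) for a in auths.get(role, [])]
        if all(condition_met(o, f, user_auths) for c in rule["sides"].values() for o, f in c):
            findings.append({"user": user, "rule": rule["id"], "roles": sorted(roles),
                             "locked": lock.get(user, "0") != "0"})
    return findings

def tcode_only(rule):
    """The same rule reduced to S_TCODE: the transaction-level view to compare against."""
    return {"id": rule["id"] + " (S_TCODE only)", "sides": {
        s: [(o, f) for o, f in c if o == "S_TCODE"] for s, c in rule["sides"].items()}}

if __name__ == "__main__":
    for label, r in (("authorization level", RULE), ("transaction level", tcode_only(RULE))):
        print(label, [(f["user"], "locked" if f["locked"] else "active")
                      for f in analyze(USR02, AGR_USERS, AGR_1251, r)])
```

Two points in the example carry over to any real analysis: the fields of one condition must be satisfied by a single authorization instance (an ACTVT 02 in one authorization and an APPKZ F in another do not combine), and a locked user or an expired role assignment changes the risk picture without changing the role content, so both need to be visible in the finding rather than silently filtered out. The example reads roles only; authorizations from manually maintained profiles (UST12) and the transaction usage data needed for did-do evidence are outside its scope.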

How long does a point-in-time SoD audit take?

From receiving the exports to a complete first-pass risk picture: about an hour. A realistic engagement rhythm looks like this:

  1. Before fieldwork: send the client the extraction guide
  2. Day 1: load the exports, run the full analysis, review the risk register
  3. Fieldwork: drill into findings, gather did-do evidence, discuss with process owners
  4. Before reporting: re-run to confirm any remediation the client performed

Compare that to engagements where SoD testing means sampling a few users by hand, or waiting for the client to schedule batch runs in their own tooling.

How does this compare to asking the client to run their GRC reports?

If the client has SAP GRC or a similar suite, you can ask them to run reports for you. The limits of that approach are familiar: the reports reflect the client's ruleset, including every exclusion and mitigation they configured, and many clients have no GRC tooling at all. An independent analyzer gives you the same depth of testing on any SAP system, whether the client owns a GRC suite or not. For a market overview, see the 8 SAP SoD tools comparison.

What does it cost?

One flat license: $6,718 per year, additional seats at $650 per seat per year. No per-client, per-user, or per-system fees, so the same license covers every audit you run. Pricing is public and configurable on the pricing section, and there is a 14-day trial to test the workflow on a real engagement. Details on the full pricing model are on the SAP SoD tool pricing page.

Frequently asked questions

Can I run SAP SoD analysis without access to the client's SAP system?

Yes. MTC Skopos works entirely from standard SAP table exports (USR02, AGR_USERS, AGR_1251, UST12 and related tables). The client's Basis or security team extracts the data, you run the analysis offline on your own machine. No auditor account, no installation on client infrastructure, no remote connection.

What SAP data do I need for an offline SoD analysis?

A set of standard authorization tables: user master data (USR02), role assignments (AGR_USERS), role authorization values (AGR_1251), and the authorization values held in the user master records (UST12), which also captures authorizations from manually maintained profiles outside PFCG roles. MTC Skopos ships with an extraction guide the client team can follow; the export typically takes minutes. For did-do analysis, transaction usage data (e.g. ST03N exports) is added.

Is the client's data uploaded anywhere?

No. MTC Skopos is a portable desktop application with no hosted component and no telemetry. The authorization data stays on the machine where you run the analysis, which simplifies confidentiality discussions in audit engagements considerably.

Can I test against my own SoD ruleset?

Yes. You can use the included ruleset, import the client's ruleset, or bring your audit firm's own risk catalog. Rulesets are editable down to authorization-object level, and the same ruleset can be reused across engagements and converted to SAP GRC format.

How much does MTC Skopos cost for audit work?

Licensing is a flat $6,718 per year with additional seats at $650 per seat per year. There are no per-client, per-user, or per-system fees, so one license covers every engagement you run in the year. A 14-day trial is available.


Related reading: SAP Access Risk Analysis · Did-Do Analysis explained · Authorization-level vs transaction-level analysis · SoD tool for consultants