The control that works… until it doesn’t
Emergency access in SAP, commonly managed through Firefighter IDs (FFIDs), is one of the most widely adopted compensating controls within access governance frameworks. It is designed to provide temporary, elevated access during exceptional situations such as production incidents or critical business disruptions.
In most organizations, the control appears formally sound. Access is requested, approved, logged, and reviewed. From a compliance standpoint, FFID processes often appear robust and audit-ready.
However, across SAP environments and audit cycles, a more subtle pattern is emerging.
Emergency access is no longer exceptional. It is becoming operational.
What audit observations are increasingly revealing
In a recent SAP GRC Access Control audit, FFID design and usage were evaluated. The review revealed that access was often broader than required and not aligned to defined reason codes. Multiple Firefighter IDs were created within the same functional areas for similar purposes, enabling extended and repeated usage. A subset of users relied on FFIDs more frequently than their primary IDs, while log reviews were largely treated as procedural checkpoints rather than meaningful control activities.
This pattern is not isolated. Similar observations have been highlighted in internal audits and advisory engagements across industries.
Importantly, these scenarios do not immediately fail compliance checks: FFIDs are properly requested, the required artifacts exist, approvals are documented in the GRC workflow, and logs are generated and reviewed by controllers. The typical cycle sits comfortably within audit requirements.
Yet the underlying control objective is already compromised.
This pattern is not an exception. It is increasingly becoming a characteristic of SAP environments where access governance has not evolved with operational demands.
This distinction between “control compliance” and “control effectiveness” is well established in audit and risk literature.
The risks associated with frequent emergency access usage align with broader privileged access management principles. In NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations (notably AC-6, Least Privilege), NIST emphasizes that privileged access must be strictly controlled, monitored, and limited to the scenarios that require it in order to reduce risk exposure:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
Additionally, Big 4 audit firms such as PwC and Deloitte highlight that organizations often operate controls that appear effective from a documentation standpoint but fail to mitigate risk due to design or usage gaps.
The issue, therefore, is not non-compliance. It is misalignment between control intent and control usage.
How was the study conducted? A real-world use case: when FFIDs become the default
In our audit across a production SAP landscape, FFID usage was analyzed over a 90-day period. The expectation was that emergency access would be limited, event-driven, and rare.
The data, however, revealed a different reality.
FFIDs were frequently approved for extended durations, with an average assignment period of approximately 18 days. Individual sessions often lasted between four and six hours, indicating that users were spending significant operational time under emergency access. In several cases, the same FFIDs were repeatedly used for similar transactions, demonstrating that the usage was not event-driven but operational in nature.
From an audit standpoint, the key observations are as follows:
FFID Usage vs Regular Access
The pattern was clear. FFID usage had transitioned from supplemental to primary access for certain users.
Activity Pattern Under FFIDs
A large portion of activity performed under FFIDs was predictable and repeatable. This indicated that emergency access was being used to execute standard business operations.
From exception to convenience
This transition rarely happens intentionally. It is typically driven by structural inefficiencies, such as delays in provisioning, restrictive role models, and pressure to execute business-critical tasks, which push users toward faster alternatives. Emergency access becomes the most efficient route. Over time, this behavior normalizes.
What was designed as a controlled exception becomes an operational shortcut.
Notably, this pattern was consistent across the observation period and was not limited to isolated users or transactions.
Why this represents a material control risk
When FFIDs become routine, the control environment weakens in ways that are not immediately visible.
Preventive controls lose effectiveness because FFIDs inherently bypass standard role restrictions, including Segregation of Duties enforcement. Sensitive activities begin to operate outside the primary control framework.
Accountability becomes less precise. Although FFID frameworks include ownership and review layers, repeated usage introduces ambiguity in user intent and responsibility.
Visibility becomes misleading. Control dashboards reflect approvals and completed reviews, but they do not capture dependency on emergency access as a substitute for proper role design.
KPMG, in its internal control framework insights, emphasizes that control effectiveness must be evaluated based on whether controls continue to address underlying risks, not merely whether they are executed.
Why traditional FFID reviews fall short
Most FFID reviews are designed as procedural validations. They confirm that approvals exist, logs are maintained, and reviews are completed.
While necessary, these checks do not evaluate behavioral patterns.
ISACA’s COBIT framework highlights that effective control monitoring requires performance and usage-based evaluation, not just compliance validation.
Source: https://www.isaca.org/resources/cobit
In this context, a control can pass every audit checkpoint while failing its intended purpose.
What needs to change
Addressing this issue requires a shift from transactional review to pattern-based analysis. The first step is reviewing the FFIDs themselves, the access assigned to each of them, and the reason code definitions they are meant to serve.
A deeper perspective on SAP GRC EAM reason codes and Firefighter ID design can be found here:
The next step is to establish a process for deep analysis and review of logs. Organizations must evaluate how frequently FFIDs are used, who is using them, how long sessions last, and whether the activities performed under emergency access are truly exceptional. In more mature environments, organizations are also automating log review to improve its depth and consistency.
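As an added illustration of the pattern-based review described above (this is example code written for this article, not code from the original page or from SAP GRC), the Python script below runs the kind of analysis a controller would want over a constructed set of FFID session records: sessions per user in the window, session length, transactions that recur across a user's sessions, and users who reach the same reason code through more than one FFID. The record layout, the thresholds and the sample log are assumptions for illustration; a real review would feed it the consolidated firefighter log exported from SAP GRC EAM instead.

```python
"""Pattern-based review of Firefighter ID (FFID) session logs.

Added example for this article. The log below is constructed, and the
column layout (start, end, user, FFID, reason code, transactions) is an
assumption for illustration, not the export format of any SAP GRC table.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Review thresholds (assumptions; tune to the environment's own baseline).
LONG_SESSION_HOURS = 4.0       # a session this long looks like a working day, not an incident
ROUTINE_SESSION_COUNT = 4      # this many sessions in the window is no longer "rare"
MIN_SESSIONS_FOR_PATTERN = 3   # need a few sessions before calling a transaction "recurring"


@dataclass
class Session:
    start: datetime
    end: datetime
    user: str
    ffid: str
    reason_code: str
    tcodes: tuple

    @property
    def hours(self) -> float:
        return (self.end - self.start).total_seconds() / 3600.0


# Constructed 90-day sample: one routine user, one incident-only user, one in between.
SAMPLE_LOG = """\
2024-01-08T09:00,2024-01-08T14:00,jdoe,FF_FIN_01,MONTH_END,FB50;FBL3N;F-02
2024-01-15T09:00,2024-01-15T13:30,jdoe,FF_FIN_01,MONTH_END,FB50;FBL3N
2024-01-22T10:00,2024-01-22T15:00,jdoe,FF_FIN_01,MONTH_END,FB50;FBL3N;F-02
2024-01-30T08:00,2024-01-30T09:30,rlee,FF_MM_01,INCIDENT,ME21N;MIGO
2024-02-05T09:00,2024-02-05T14:00,jdoe,FF_FIN_02,MONTH_END,FB50;FBL3N
2024-02-12T22:10,2024-02-12T23:00,asmith,FF_BASIS_01,INCIDENT,SM37;ST22
2024-02-19T09:00,2024-02-19T13:00,jdoe,FF_FIN_01,MONTH_END,FB50;F-02
2024-03-04T09:00,2024-03-04T15:00,jdoe,FF_FIN_01,MONTH_END,FB50;FBL3N;F-02
2024-03-12T16:00,2024-03-12T17:00,rlee,FF_MM_01,INCIDENT,SE16
"""


def parse_log(text: str) -> list:
    """Parse comma-separated session records; transactions are ';'-separated."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, user, ffid, reason, tcodes = line.split(",")
        sessions.append(Session(datetime.fromisoformat(start), datetime.fromisoformat(end),
                                user, ffid, reason, tuple(t for t in tcodes.split(";") if t)))
    return sessions


def summarize(sessions: list) -> dict:
    """Per-user usage metrics plus a classification of how the FFID is really used."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s.user].append(s)

    report = {}
    for user, user_sessions in by_user.items():
        n = len(user_sessions)
        hours = [s.hours for s in user_sessions]
        # A transaction is "recurring" if it appears in more than half of the user's
        # sessions: predictable, repeatable work that rarely belongs under emergency access.
        presence = Counter(t for s in user_sessions for t in set(s.tcodes))
        recurring = (sorted(t for t, c in presence.items() if c * 2 > n)
                     if n >= MIN_SESSIONS_FOR_PATTERN else [])
        long_sessions = sum(1 for h in hours if h >= LONG_SESSION_HOURS)

        if n >= ROUTINE_SESSION_COUNT and recurring:
            classification = "ROUTINE"       # emergency access has become the primary path
        elif n >= ROUTINE_SESSION_COUNT or long_sessions * 2 > n:
            classification = "REVIEW"        # frequent or long; the controller should look closer
        else:
            classification = "EXCEPTIONAL"   # rare and short, as designed

        report[user] = {"sessions": n, "mean_hours": sum(hours) / n, "long_sessions": long_sessions,
                        "recurring_tcodes": recurring, "classification": classification}
    return report


def overlapping_ffids(sessions: list) -> dict:
    """Users who reached the same reason code through more than one FFID.

    Several FFIDs covering one functional purpose let a user chain assignments
    and stretch usage, which is the overlap the audit observations describe.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for s in sessions:
        seen[s.user][s.reason_code].add(s.ffid)
    return {user: {reason: sorted(ffids) for reason, ffids in reasons.items() if len(ffids) > 1}
            for user, reasons in seen.items() if any(len(f) > 1 for f in reasons.values())}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for user, m in summarize(log).items():
        print(f"{user:8} sessions={m['sessions']} mean={m['mean_hours']:.1f}h "
              f"long={m['long_sessions']} recurring={m['recurring_tcodes']} -> {m['classification']}")
    print("Overlapping FFIDs:", overlapping_ffids(log))
```

On the constructed sample, jdoe is classified ROUTINE (six sessions of four hours or more, the same three finance transactions in most of them, and two FFIDs used for one reason code), while asmith and rlee stay EXCEPTIONAL. Every step of that verdict is a data point a procedural review would never surface, because each individual session was approved and logged correctly.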
More importantly, repeated FFID usage should be treated as a signal of deeper issues. In most cases, it points to gaps in role design, provisioning workflows, or governance processes.
The response should not be limited to tightening FFID controls. It should focus on correcting the underlying access model.
The broader shift in access governance
The normalization of emergency access reflects a broader challenge in modern SAP landscapes.
Organizations are investing in governance frameworks, but operational realities are creating parallel access paths that weaken control effectiveness.
As SAPinsider research highlights, organizations are increasingly moving toward continuous monitoring and intelligence-driven access governance to address evolving risks.
Source: https://sapinsider.org/research/cybersecurity/
Static controls and periodic reviews are no longer sufficient.
Closing Perspective
The most critical SAP risks today do not always appear as violations. They exist within accepted practices. FFIDs were designed as a safeguard, but when they become routine, they signal a deeper issue in how access controls are functioning. This is not just about misuse, but about a shift in control effectiveness, where the operating model no longer aligns with the original control intent. Some of these patterns and ongoing observations from SAP environments are being continuously documented for deeper analysis.

