In SAP, User Security is managed by assigning Roles/Profiles to Users. In majority of the companies, this is a manual process and even in cases where the security is position based, there are roles/profiles that are assigned manually. The Internal and External Audit teams would require the companies to recertify the security at regular intervals (annual or semiannual).