Reverse Engineering for the SAP security concept
Is the organization secure with the current set-up of the roles in SAP? Are your users happy with the assigned authorizations? If they are, the auditor probably is not happy with the authorizations assigned to the roles and users.
Maybe there are already plans to redesign the current authorization concept? How much easier would it be if you could redesign the authorization concept with reverse business engineering? Instead of thinking through and designing from scratch which authorization belongs in which role, look at the authorizations the users already have, analyze the functionality they have actually been using (or wanted to use) based on the transactions they executed, and assign only those needed authorizations to the roles.
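As an added illustration of that reverse-engineering step (example code written for this page, not a tool from the original post), the script below compares executed transactions against what the assigned roles grant. The usage records, role names and user names are constructed sample data; the transaction codes are real SAP ones chosen as examples, and it assumes the usage list has been exported from the system's workload statistics beforehand.

```python
from collections import defaultdict

# Constructed sample data: (user, transaction code) pairs as they might be
# exported from workload statistics. Duplicates mean repeated executions.
USED = [
    ("alice", "FB01"), ("alice", "FB03"), ("alice", "FB01"),
    ("bob", "ME21N"), ("bob", "ME23N"),
    ("carol", "ME23N"), ("carol", "FB03"),
]

# Constructed role model: which transactions each role grants,
# and which roles each user holds.
ROLE_TCODES = {
    "Z_FI_CLERK": {"FB01", "FB03", "F110"},
    "Z_MM_BUYER": {"ME21N", "ME23N", "SU01"},
}
USER_ROLES = {
    "alice": {"Z_FI_CLERK"},
    "bob": {"Z_MM_BUYER"},
    "carol": {"Z_MM_BUYER"},
}


def used_by_user(records):
    """Collapse raw usage records into user -> set of executed transactions."""
    used = defaultdict(set)
    for user, tcode in records:
        used[user].add(tcode)
    return used


def analyze(records, user_roles, role_tcodes):
    """Return (unused, uncovered).

    unused:    role -> transactions the role grants that none of its holders ran
               (candidates for removal, the auditor's concern).
    uncovered: user -> transactions the user ran that no assigned role grants
               (needs a role change or a separate explanation, the user's concern).
    """
    used = used_by_user(records)
    role_used = defaultdict(set)
    granted = defaultdict(set)
    for user, roles in user_roles.items():
        for role in roles:
            role_used[role] |= used[user] & role_tcodes[role]
            granted[user] |= role_tcodes[role]
    unused = {r: tcodes - role_used[r] for r, tcodes in role_tcodes.items()}
    uncovered = {u: used[u] - granted[u] for u in used}
    return unused, uncovered
```

With this data, `Z_FI_CLERK` grants `F110` and `Z_MM_BUYER` grants `SU01` without anyone using them, while carol runs `FB03` that her buyer role never granted.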