Channel: SCN: Message List - Security

Re: SM20 Reports


Julius,

I bow in deference to your knowledge of this area. It’s extremely helpful to
get a thorough understanding on the nuances surrounding DDIC and SM20.

Some background on me. I am an IT auditor and I inherited this process.
Apparently, well before I started here (4 years ago), this discussion must have come up
as a result of SOX testing, and the Basis group must have successfully defended
against locking DDIC for the very same reasons you note. The IT Audit Director at the
time understood the situation, but PWC wanted some assurances that this activity
was at least being reviewed, and it became one of the ITGCs to run the SM20 log
report each month in each instance and have the Basis group review and sign off on all activity
related to DDIC. If the SM20 output showed that DDIC signed in with reference to
a terminal name or IP address, they needed to explain why this was necessary.
They were always able to explain the reasons behind this, and the occurrences
seemed minimal considering all the events logged related to that ID. Up until a
few months ago I ran it for all audit classes, excluding user master changes, with
events of Severe and Critical.

Fast forward to 2015: PWC ran an independent SM20 report from our system
for all audit classes and events = All. As you can imagine, even for
one month's worth of activity the number of records was astronomical compared to
running it the way I did. That was when I started taking a closer look at the
log message text and the security levels associated with it. It didn't make sense, which
brought me here.

I will take you up on your offer to post a blog or wiki on the minimum
authorizations required by user DDIC so that I can confirm we are truly looking
at high risk events and filter out some of the noise to make this report
readable and more accurate. It appears that we probably won’t be able to lock
the ID and for valid reasons.

PS

Is there an OSS note or other governing document that refutes the security
best practice of locking DDIC in production? Every SAP system security related manual
I have read recommends locking this ID in production right after go-live, as if it's one of those
check-the-box-and-be-done-with-it items. As you suggest, it really is misleading to do this, as it could have
greater implications that impact the business. Can I just tell the external auditors that you said it was OK?

Thank you very much for your time.

Regards,

Mark
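The monthly DDIC review described in the post (all audit classes except user master changes, severity Severe or Critical, with any logon that carries a terminal name or IP address flagged for explanation) as an added example; this is not code from the thread or from SAP. The semicolon-separated column layout and the sample rows are constructed to resemble an SM20 list export, not real system output.

```python
"""Filter an SM20-style export down to the DDIC events the Basis group has to explain."""
import csv
import io

# Constructed sample in an assumed SM20 list-export layout (not real SAP output).
SAMPLE_SM20 = """date;time;user;terminal;audit_class;severity;message
2015-03-02;08:15:10;DDIC;PC-BASIS01;Logon;Severe;Logon successful (type=Dialog)
2015-03-02;08:16:44;DDIC;PC-BASIS01;Transaction start;Non-critical;Transaction SE06 started
2015-03-02;09:01:00;DDIC;;User master change;Critical;User master record changed
2015-03-02;11:20:31;DDIC;10.1.2.3;Logon;Critical;Logon failed (reason=wrong password)
2015-03-03;02:00:05;DDIC;;Other;Severe;Background job started
2015-03-03;02:00:06;MARK;PC-AUDIT;Logon;Severe;Logon successful (type=Dialog)
"""

# Review scope from the post: Severe and Critical only, user master changes excluded.
REVIEW_SEVERITIES = {"Severe", "Critical"}
EXCLUDED_CLASSES = {"User master change"}


def parse_sm20(text):
    """Parse the semicolon-separated export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))


def ddic_review_rows(rows, user="DDIC"):
    """Events for the given user that fall inside the monthly review scope."""
    return [
        r for r in rows
        if r["user"] == user
        and r["severity"] in REVIEW_SEVERITIES
        and r["audit_class"] not in EXCLUDED_CLASSES
    ]


def interactive_logons(rows, user="DDIC"):
    """Logons that carry a terminal name or IP address: a person, not a background process."""
    return [r for r in rows if r["user"] == user and r["audit_class"] == "Logon" and r["terminal"]]


def noise_reduction(rows, user="DDIC"):
    """(total events for user, events left after the review filter)."""
    total = sum(1 for r in rows if r["user"] == user)
    return total, len(ddic_review_rows(rows, user))


if __name__ == "__main__":
    rows = parse_sm20(SAMPLE_SM20)
    print("DDIC events total/in scope:", noise_reduction(rows))
    for r in interactive_logons(rows):
        print("explain:", r["date"], r["time"], r["terminal"], r["message"])
```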
