Re: SAP Security weekly, Monthly, Yearly Activities

Hi,


You are right to be concerned. What you are describing falls under IT General Controls (ITGCs), and I would expect all of the above to be covered by monitoring once fixed. Most important is that there are penalties for non-compliance. Speak to your client's infosec team. Often they are not aware of SAP and how SAP teams ignore their rules (SAP teams like to pretend they are special and the rules don't apply because SAP is "different". Simply not true!).


For all of these I would expect monthly monitoring at a minimum, although Solution Manager can do most of the reporting for you through configuration validation and SOS.  Your auditors should be able to provide a full ITGC checklist, alternatively there are resources available on auditnet and the IIA.


Your list isn't surprising for smaller companies with no regulatory requirements and poor change control. I have put some comments against each one; with the exception of change management (updates in prod) they should be easy fixes.


- Secure password policy is not sufficiently enforced. (Control through password complexity parameters, monitor parameters on a monthly basis, restrict access to change parameters.)


- A high number of users have critical authorizations. (Clean up and put in a process to stop this from happening. Consider use of tooling, e.g. SAP GRC or even just RSUSR008_009_NEW, to monitor on an ongoing basis.)


- Standard users including SAP* or DDIC have default passwords. (One-time cleanup/fix; there is lots of guidance on recommended settings. Monthly monitoring.)


- Dialog users have access to powerful profiles like SAP_ALL. (Clean up, put in a policy to prohibit, put in a process to prevent assignment, monitor monthly.)


- Changes are carried out directly in Production, like tables, roles, configuration changes. (Remove production access, monitor changes monthly, implement a proper change management process.)


- Many users are part of the "SUPER" user group. (Reassign to a more appropriate group.)


- User master records are not updated with required details. (Clean up, fix process, monitor monthly.)


- User changes are made by SAP* in production. (Remove access to SAP* as part of the lock-down activity.)


Good luck.
