The following actions are subject to authorization checks that are performed

before the start of a program or table maintenance and which the SAP

applications cannot avoid:

* Starting SAP transactions (authorization object S_TCODE)

* starting reports (authorization object S_PROGRAM)

* Calling RFC function modules (authorization object S_RFC)

* Table maintenance with generic tools (S_TABU_DIS)

The authorization objects S_TCODE, S_PROGRAM, S_RFC, and S_TABU_DIS

are standard SAP provided.

Creating a new authorization object is not in the scope of ABAP developer. It will

be taken care by SAP BASIS team.

The Audit Information System (AIS) has been developed to provide internal and external auditors, Security Administrators and those with data protection and controlling responsibilities with a tool to assist in understanding and completing required tasks in the complex SAP environment. The SAP Audit Information System (AIS) provides a centralized repository for reports, queries, and views of data that have a control implication. AIS was first available for SAP R/3 Version 3.0D, and is delivered as standard in SAP R/3 Versions 4.6 and above. AIS is provided at no additional cost from SAP, and allows an auditor or manager to work online in the production system on a real time basis..

How good you do your security there may come a time when user might need emergency authorizations. Such authorization can be necessary in exceptional situations. It could be a month end close, which got closed before the month end.
Virsa provides tool called firefighter, which can help you. First you have to define what is an emergency for your company. You might have to create roles for these emergencies, and also define the time frame this role will be assigned to users. You might have to define an approval procedure for this. Hoe is this going to be audited. Work with your audit team to make sure they are ok