toaz.info-sod-risk-summary-sap-with-mitigating-controls-pr_491224bde91398f14208f46b3c547d9c.pdf

BabuRajendran1 45 views 15 slides Sep 23, 2024

About This Presentation

Mitigation Control



Segregation of Duty Risks

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Function ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|---|
| F001 | GL02 | Maintain GL Master Data | GL01 | Post Journal Entry | MIT-F001 | | | Create a fictitious GL account and generate journal activity or hide activity via posting entries. | Medium |
| F002 | CC03 | Maintain Cost Centers | CC06 | Cost Transfer Processing | MIT-F002 | | | Alter a cost center without authorization and process unauthorized cost transfers to this center, possibly distorting CO reporting. | Medium |
| F003 | CC03 | Maintain Cost Centers | FI01 | Revenue Reposting | MIT-F003 | | | Alter a cost center without authorization and process unauthorized revenue entries to this center, possibly distorting CO reporting. | Medium |
| F004 | CC02 | Maintain CC or CE Groups | GL01 | Post Journal Entry | MIT-F004 | | | Manipulate cost center reports to hide inappropriate journal entry posting. | Medium |
| F005 | FI04 | Maintain Bank Master Data | AP01 | AP Payments | MIT-F005 | | | Create a non bona-fide bank account and create a check from it. | High |
| F006 | FA01 | Maintain Asset Document | AP02 | Process Vendor Invoices | MIT-F006 | | | Pay an invoice and hide it in an asset that would be depreciated over time. | High |
| F007 | FA01 | Maintain Asset Document | MM05 | Goods Receipts to PO | MIT-F007 | | | Create an invoice through ERS goods receipt and hide it in an asset that would be depreciated over time. | High |
| F008 | AR02 | Cash Application | FI03 | Bank Reconciliation | MIT-F008 | | | Allows differences between cash deposited and cash collections posted to be covered up. | High |
| F009 | CC01 | Maintain Cost Center Distributions | CC04 | Execute Cost Center Distributions | MIT-F009 | | | Allocate costs to unauthorized cost centers, thereby distorting financial reporting. | Low |
| F010 | CC05 | Maintain Internal CO Order | CC07 | Internal Order Settlement | MIT-F010 | | | Settle expenses from an unauthorized order and distort CO reporting. | Low |
| F011 | FI07 | Maintain Activity Types | FI02 | Activity Allocation | MIT-F011 | | | Alter an activity type used for cost allocation purposes with fictitious data, thereby distorting the cost allocation process. | Low |
| F012 | FA02 | Maintain Asset Master | FA01 | Maintain Asset Document | MIT-F012 | | | User responsible for asset master records could process transactions that would allow the asset to be depreciated over time. | Medium |
| F013 | FA02 | Maintain Asset Master | MM05 | Goods Receipts to PO | MIT-F013 | | | Create the asset and manipulate the receipt of the associated asset. | High |
| F014 | PS02 | Process Overhead Postings | PS03 | Settle Projects | MIT-F014 | | | Post overhead expenses to the project and settle the project without going through the settlement approval process. | High |
| F015 | PS01 | Maintain Projects and WBS Elements | PS03 | Settle Projects | MIT-F015 | | | Use a fictitious project to allocate overages of an actual project, and settle the project without going through the settlement approval process. | High |
| F016 | PS01 | Maintain Projects and WBS Elements | PS02 | Process Overhead Postings | MIT-F016 | | | Manipulate the work breakdown structure elements (profit centers, business areas, cost centers, plants) and post overhead expenses to the project. | High |
| F017 | FI04 | Maintain Bank Master Data | AR02 | Cash Application | MIT-F017 | | | Maintain a non bona-fide bank account and divert incoming payments to it. | High |
| F018 | FI06 | Maintain Posting Periods | GL01 | Post Journal Entry | MIT-F018 | | | Open previously closed accounting periods and inappropriately post entries after month end. | Medium |

Finance
Page 1 of 15

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Function ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|---|
| F019 | FI06 | Maintain Posting Periods | AP01 | AP Payments | MIT-F019 | | | Open previously closed accounting periods and inappropriately post payments after month end. | Medium |
| F020 | FI06 | Maintain Posting Periods | AR02 | Cash Application | MIT-F020 | | | User able to open accounting periods previously closed and enter incoming payments after month end reporting. | Medium |
| F021 | FI06 | Maintain Posting Periods | MM04 | Goods Movements | MIT-F021 | | | Open previously closed accounting periods and inappropriately receive or issue goods after month end. | Medium |
| F022 | GL02 | Maintain GL Master Data | GL03 | Post Journal Entry (misc Tax/Currency) | MIT-F022 | | | Create a fictitious GL account and generate miscellaneous general ledger activity or hide fraudulent activity via posting entries. | Medium |
| F023 | CC02 | Maintain CC or CE Groups | GL03 | Post Journal Entry (misc Tax/Currency) | MIT-F023 | | | Manipulate cost center reports to hide inappropriate miscellaneous journal entry postings. | Medium |
| F024 | FI06 | Maintain Posting Periods | GL03 | Post Journal Entry (misc Tax/Currency) | MIT-F024 | | | Open previously closed accounting periods and inappropriately post tax and currency journal entries after month end. | Medium |
| F025 | FI04 | Maintain Bank Master Data | AP04 | Manual Check Processing | MIT-F025 | | | Create a non bona-fide bank account and create manual checks from it. | High |
| F026 | FI06 | Maintain Posting Periods | AP04 | Manual Check Processing | MIT-F026 | | | Open previously closed accounting periods and inappropriately post manual payments. | Medium |
| F027 | FI08 | Create / Change Treasury Item | FI09 | Confirm a Treasury Trade | MIT-F027 | | | Users can create a fictitious trade and fraudulently confirm or exercise the trade. | High |
| F028 | GL01 | Post Journal Entry | AP02 | Process Vendor Invoices | MIT-F028 | | | Adjust the subsidiary balance using the vendor invoice entry and then cover it up using journal entries. | Medium |
| F029 | GL01 | Post Journal Entry | AR01 | AR Payments | MIT-F029 | | | Adjust the subsidiary balance using the AR payment transaction and then cover it up using journal entries. | Medium |
| F030 | GL01 | Post Journal Entry | AR02 | Cash Application | MIT-F030 | | | Adjust the subsidiary balance using the AR payment transaction and then cover it up using journal entries. | Medium |
| F031 | GL01 | Post Journal Entry | AR05 | AR Payments | MIT-F031 | | | Adjust the subsidiary balance using the AR payment transaction and then cover it up using journal entries. | Medium |
| M001 | PP02 | Production Order Processing | FI05 | Product Costing | MIT-M001 | | | Increase production to reduce cost variances. | Low |
| M002 | PP02 | Production Order Processing | PP01 | Confirm Production Order | MIT-M002 | | | Process production orders and confirm production orders. | Low |
| M003 | PP01 | Confirm Production Order | FI05 | Product Costing | MIT-M003 | | | Increase production to reduce cost variances due to productivity. | Low |
| M004 | QM01 | Quality Results Reporting | SD02 | Delivery Processing | MIT-M004 | | | Transfer stock to general release to meet delivery schedules. | Low |
| M005 | QM01 | Quality Results Reporting | MM07 | Enter Counts - WM | MIT-M005 | MM08 | Clear Differences - WM | Remove inferior materials by adjusting out via WM inventory. | Medium |

Materials Management / Quality Management / Production Planning

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Function ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|---|
| M006 | MM04 | Goods Movements | MM07 | Enter Counts - WM | MIT-M006 | MM08 | Clear Differences - WM | Accept goods via goods receipts and perform a WM physical inventory adjustment afterwards. | High |
| M007 | QM01 | Quality Results Reporting | PP01 | Confirm Production Order | MIT-M007 | | | Release produced materials to GR stock to maintain production quotas. | Medium |
| M008 | GL01 | Post Journal Entry | MM07 | Enter Counts - WM | MIT-M008 | MM08 | Clear Differences - WM | Hide WM inventory adjustments via ledger entries. | Medium |
| M009 | QM01 | Quality Results Reporting | MM02 | Enter Counts - IM | MIT-M009 | MM01 | Clear Differences - Inventory Management | Remove inferior materials by adjusting out via IM inventories. | Medium |
| M010 | QM01 | Quality Results Reporting | MM03 | Enter Counts & Clear Diff - IM | MIT-M010 | | | Remove inferior materials by adjusting out via IM inventories. | Medium |
| M011 | MM04 | Goods Movements | MM02 | Enter Counts - IM | MIT-M011 | MM01 | Clear Differences - Inventory Management | Accept goods via goods receipts and perform an IM physical inventory adjustment afterwards. | High |
| M012 | MM04 | Goods Movements | MM03 | Enter Counts & Clear Diff - IM | MIT-M012 | | | Accept goods via goods receipts and perform an IM physical inventory adjustment afterwards. | High |
| M013 | GL01 | Post Journal Entry | MM03 | Enter Counts & Clear Diff - IM | MIT-M013 | | | Hide IM inventory adjustments via ledger entries. | Medium |
| M014 | GL01 | Post Journal Entry | MM02 | Enter Counts - IM | MIT-M014 | MM01 | Clear Differences - Inventory Management | Hide IM inventory adjustments via ledger entries. | Medium |
| P001 | PR01 | Vendor Master Maintenance | AP02 | Process Vendor Invoices | | | | Maintain a fictitious vendor and enter a vendor invoice for automatic payment. | High |
| P002 | AP01 | AP Payments | PR01 | Vendor Master Maintenance | | | | Maintain a fictitious vendor and create a payment to that vendor. | High |
| P003 | AP02 | Process Vendor Invoices | AP01 | AP Payments | | | | Enter fictitious vendor invoices and then render payment to the vendor. | High |
| P004 | PR02 | Maintain Purchase Order | AP02 | Process Vendor Invoices | | | | Purchase unauthorized items and initiate payment by invoicing. | High |
| P005 | PR02 | Maintain Purchase Order | MM05 | Goods Receipts to PO | | | | Enter fictitious purchase orders for personal use and accept the goods through goods receipt. | High |
| P006 | AP02 | Process Vendor Invoices | MM05 | Goods Receipts to PO | | | | Enter fictitious vendor invoices and accept the goods via goods receipt. | High |
| P007 | PR02 | Maintain Purchase Order | AP01 | AP Payments | | | | Enter a fictitious purchase order and enter the covering payment. | High |
| P008 | PR01 | Vendor Master Maintenance | PR02 | Maintain Purchase Order | | | | Create a fictitious vendor and initiate purchases to that vendor. | High |

Procure to Pay

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Function ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|---|
| P009 | AP03 | Release Blocked Invoices | PR08 | Service Acceptance | | | | Receive or accept services and release a previously blocked invoice to offset the receipt. | Medium |
| P010 | AP03 | Release Blocked Invoices | PR02 | Maintain Purchase Order | | | | Enter an unauthorized purchase order and release a previously blocked invoice to offset the purchase order. | Medium |
| P011 | PR02 | Maintain Purchase Order | MM03 | Enter Counts & Clear Diff - IM | | | | Inappropriately procure an item and manipulate the IM physical inventory counts to hide it. | High |
| P012 | PR03 | Service Master Maintenance | PR07 | Requisitioning | | | | Risk of modifying or adding to service master data (to add an item that is normally not ordered by the company) and then creating or changing a requisition. | Medium |
| P013 | MM06 | Maintain Material Master Data | PR02 | Maintain Purchase Order | | | | Add items to the material master or service master file and create fraudulent purchase orders for those items. | Medium |
| P014 | FI03 | Bank Reconciliation | AP02 | Process Vendor Invoices | | | | Can hide differences between bank payments and posted AP records. | High |
| P015 | AP03 | Release Blocked Invoices | MM05 | Goods Receipts to PO | | | | Receive goods against a purchase order and release a previously blocked invoice to offset the receipt. | Medium |
| P016 | PR08 | Service Acceptance | AP01 | AP Payments | | | | Receive or accept services and enter the covering payments. | High |
| P017 | PR02 | Maintain Purchase Order | PR08 | Service Acceptance | | | | Enter fictitious purchase orders for personal use and accept the services through service acceptance. | Medium |
| P018 | MM06 | Maintain Material Master Data | PR05 | Purchasing Agreements | | | | Add an item to the material master or service master file and then fraudulently add those items to purchasing agreements. | Medium |
| P019 | PR04 | PO Approval | MM05 | Goods Receipts to PO | | | | Approve the purchase of unauthorized goods and hide the misuse of inventory by not fully receiving the order. | High |
| P020 | PR04 | PO Approval | AP01 | AP Payments | | | | Commit the company to fraudulent purchase contracts and initiate payment for unauthorized goods and services. | High |
| P021 | PR04 | PO Approval | AP02 | Process Vendor Invoices | | | | Release a non bona-fide purchase order and initiate payment for the order by entering invoices. | High |
| P022 | PR04 | PO Approval | MM02 | Enter Counts - IM | | MM01 | Clear Differences - Inventory Management | Release a non bona-fide purchase order and keep the action undetected by manipulating the IM physical inventory counts. | High |
| P023 | PR04 | PO Approval | PR01 | Vendor Master Maintenance | | | | Create a fictitious vendor or change existing vendor master data and approve purchases to this vendor. | High |
| P024 | PR04 | PO Approval | MM06 | Maintain Material Master Data | | | | Add or modify material master data and release an order for personal use. | Medium |
| P025 | AP03 | Release Blocked Invoices | PR05 | Purchasing Agreements | | | | Modify a purchasing agreement and release a previously blocked invoice to offset the vendor account. | Medium |
| P026 | AP01 | AP Payments | PR05 | Purchasing Agreements | | | | Enter fictitious purchasing agreements and then render payment. | High |

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Function ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|---|
| P027 | PR01 | Vendor Master Maintenance | PR05 | Purchasing Agreements | | | | Risk of entering fictitious purchasing agreements and entering a fictitious vendor or modifying an existing vendor, especially its account data. | High |
| P028 | PR05 | Purchasing Agreements | MM05 | Goods Receipts to PO | | | | Modify purchasing agreements and then receive goods for fraudulent purposes. | High |
| P029 | AP02 | Process Vendor Invoices | PR05 | Purchasing Agreements | | | | Enter unauthorized items to a purchasing agreement and create an invoice to obtain those items for personal use. | High |
| P030 | AP01 | AP Payments | PR03 | Service Master Maintenance | | | | Risk of modifying service master data (to add a service that is normally not ordered by the company) and entering covering payments. | High |
| P031 | PR03 | Service Master Maintenance | PR06 | Release Requisitions | | | | Risk of adding services to the service master file (services not related to the business purpose) and the ability to create a requisition for those services. | Medium |
| P032 | PR06 | Release Requisitions | PR05 | Purchasing Agreements | | | | Risk of entering or maintaining a purchasing agreement and authorizing the related requisition through its release. | Medium |
| P033 | PR07 | Requisitioning | PR02 | Maintain Purchase Order | | | | Risk of the same person requisitioning an item and creating a purchase order from that requisition. | Medium |
| P034 | PR02 | Maintain Purchase Order | PR03 | Service Master Maintenance | | | | Add items to the service master file and create fraudulent purchase orders for those items. | Medium |
| P035 | PR05 | Purchasing Agreements | MM03 | Enter Counts & Clear Diff - IM | | | | Risk of the same person entering a purchasing agreement for materials and then adjusting the IM inventory for those materials. | Medium |
| P036 | MM06 | Maintain Material Master Data | PR07 | Requisitioning | | | | Risk of modifying or adding to material master data (to add material that is normally not ordered by the company) and then releasing a material requisition. | Medium |
| P037 | PR07 | Requisitioning | PR06 | Release Requisitions | | | | Risk of the same person requisitioning an item and then releasing the requisition for purchase, bypassing the authorization process. | Medium |
| P038 | AP01 | AP Payments | FI03 | Bank Reconciliation | | | | Risk of the same person entering unauthorized payments and reconciling them with the bank. | High |
| P039 | AP02 | Process Vendor Invoices | PR08 | Service Acceptance | | | | Risk of entering vendor invoices and the ability to accept those services in the service receipts entry. | Medium |
| P040 | PR06 | Release Requisitions | PR02 | Maintain Purchase Order | | | | Risk of the same person releasing a requisition and generating the accompanying purchase order. | Medium |
| P041 | PR03 | Service Master Maintenance | PR05 | Purchasing Agreements | | | | Add an item to the material master or service master file and then fraudulently add those items to purchasing agreements. | Medium |
| P042 | PR04 | PO Approval | PR03 | Service Master Maintenance | | | | Add or modify service master data and release an order for personal use. | Medium |
| P043 | AP03 | Release Blocked Invoices | PR04 | PO Approval | | | | Release a purchase order and release a previously blocked invoice to offset the vendor account. | Medium |

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Function ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|---|
| P044 | PR04 | PO Approval | PR08 | Service Acceptance | | | | Release a fictitious purchase order for personal use and accept the services through service acceptance. | Medium |
| P045 | PR02 | Maintain Purchase Order | MM02 | Enter Counts - IM | | MM01 | Clear Differences - Inventory Management | Inappropriately procure an item and manipulate the IM physical inventory counts to hide it. | High |
| P046 | PR02 | Maintain Purchase Order | MM07 | Enter Counts - WM | | MM08 | Clear Differences - WM | Inappropriately procure an item and manipulate the WM physical inventory counts to hide it. | High |
| P047 | PR04 | PO Approval | MM03 | Enter Counts & Clear Diff - IM | | | | Release a non bona-fide purchase order and keep the action undetected by manipulating the IM physical inventory counts. | High |
| P048 | PR04 | PO Approval | MM07 | Enter Counts - WM | | MM08 | Clear Differences - WM | Release a non bona-fide purchase order and keep the action undetected by manipulating the WM physical inventory counts. | High |
| P049 | PR05 | Purchasing Agreements | MM02 | Enter Counts - IM | | MM01 | Clear Differences - Inventory Management | Risk of the same person entering a purchasing agreement for materials and then adjusting the IM inventory for those materials. | Medium |
| P050 | PR05 | Purchasing Agreements | MM07 | Enter Counts - WM | | MM08 | Clear Differences - WM | Risk of the same person entering a purchasing agreement for materials and then adjusting the WM inventory for those materials. | Medium |
| P051 | AP04 | Manual Check Processing | PR01 | Vendor Master Maintenance | | | | Maintain a fictitious vendor and create a payment to that vendor. | High |
| P052 | AP02 | Process Vendor Invoices | AP04 | Manual Check Processing | | | | Enter fictitious vendor invoices and then render payment to the vendor. | High |
| P053 | PR02 | Maintain Purchase Order | AP04 | Manual Check Processing | | | | Enter a fictitious purchase order and enter the covering payment. | High |
| P054 | PR08 | Service Acceptance | AP04 | Manual Check Processing | | | | Receive or accept services and manually enter the covering check payments. | High |
| P055 | PR04 | PO Approval | AP04 | Manual Check Processing | | | | Commit the company to fraudulent purchases and initiate manual check payments for unauthorized goods and services. | High |
| P056 | AP04 | Manual Check Processing | PR05 | Purchasing Agreements | | | | Enter fictitious purchasing agreements and then render manual checks for payment. | High |
| P057 | AP04 | Manual Check Processing | PR03 | Service Master Maintenance | | | | Risk of modifying service master data (to add a service that is normally not ordered by the company) and entering covering payments. | High |
| P058 | AP04 | Manual Check Processing | FI03 | Bank Reconciliation | | | | Risk of the same person entering unauthorized manual payments and reconciling them with the bank. | High |
| P059 | PR02 | Maintain Purchase Order | PR04 | PO Approval | | | | Where release strategies are utilized, the same user should not maintain the purchase order and release or approve it. | High |
| P060 | AP02 | Process Vendor Invoices | AP03 | Release Blocked Invoices | | | | The automated controls for invoicing can be circumvented. Invoices are usually blocked due to price or quantity differences. | Medium |
| P061 | PR11 | Maintain Vendor Pricing Conditions | AP01 | AP Payments | | | | Transactional processing should be segregated from pricing master data. | Medium |

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Function ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|---|
| P062 | PR11 | Maintain Vendor Pricing Conditions | AP02 | Process Vendor Invoices | | | | Transactional processing should be segregated from pricing master data. | Medium |
| P063 | PR11 | Maintain Vendor Pricing Conditions | AP03 | Release Blocked Invoices | | | | Transactional processing should be segregated from pricing master data. | Medium |
| P064 | PR11 | Maintain Vendor Pricing Conditions | AP04 | Manual Check Processing | | | | Transactional processing should be segregated from pricing master data. | Medium |
| P065 | PR11 | Maintain Vendor Pricing Conditions | PR04 | PO Approval | | | | Transactional processing should be segregated from pricing master data. | Medium |
| P066 | PR11 | Maintain Vendor Pricing Conditions | PR06 | Release Requisitions | | | | Transactional processing should be segregated from pricing master data. | Medium |
| P067 | PR11 | Maintain Vendor Pricing Conditions | PR07 | Requisitioning | | | | Transactional processing should be segregated from pricing master data. | Medium |
| S001 | AR04 | Credit Management | SD05 | Sales Order Processing | | | | Enter or modify sales documents and approve customer credit limits. | High |
| S002 | SD05 | Sales Order Processing | AR03 | Clear Customer Balance | | | | Create sales documents and immediately clear the customer's obligation. | High |
| S003 | SD05 | Sales Order Processing | SD01 | Maintain Customer Master Data | | | | Create a fictitious customer and initiate a fraudulent sales document. | High |
| S004 | SD01 | Maintain Customer Master Data | AR07 | Process Customer Invoices | | | | Make an unauthorized change to the master record (payment terms, tolerance level) in favor of the customer and enter an inappropriate invoice. | High |
| S005 | SD01 | Maintain Customer Master Data | SD03 | Sales Rebates | | | | Inappropriately create or change rebate agreements and manage a customer's master record in favor of the customer. Could also change a customer's master record to direct payment to an inappropriate location. | High |
| S006 | AR03 | Clear Customer Balance | AR05 | Maintain Billing Documents | | | | Potentially clear a customer's balance and then create or make the same change to the billing document for the same customer, clearing them of their obligation. | High |
| S007 | SD05 | Sales Order Processing | AR05 | Maintain Billing Documents | | | | Inappropriately create or change sales documents and generate a corresponding billing document for them. | High |
| S008 | AR04 | Credit Management | SD03 | Sales Rebates | | | | Manipulate the user's credit limit and assign generous rebates to execute a marginal customer's order. | High |
| S009 | SD05 | Sales Order Processing | AR02 | Cash Application | | | | Enter a fictitious sales document and then render fictitious payments. | Medium |
| S010 | AR02 | Cash Application | AR05 | Maintain Billing Documents | | | | Create a billing document for a customer and inappropriately post a payment from the same customer to conceal non-payment. | High |
| S011 | SD01 | Maintain Customer Master Data | AR01 | AR Payments | | | | Create a fictitious customer and initiate payment to the unauthorized customer. | High |

Order to Cash

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Function ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|---|
| S012 | AR06 | Process Customer Credit Memos | AR01 | AR Payments | | | | Initiate an unauthorized payment to the customer by entering fictitious credit memos. | High |
| S013 | AR02 | Cash Application | SD04 | Sales Document Release | | | | Change the accounts receivable records to cover differences with customer statements. | High |
| S014 | SD05 | Sales Order Processing | SD02 | Delivery Processing | | | | Cover up an unauthorized shipment by creating fictitious sales documents. | High |
| S015 | AR07 | Process Customer Invoices | SD06 | Sales Pricing Condition | | | | Sales price modifications for sales invoicing. | High |
| S016 | SD05 | Sales Order Processing | SD06 | Sales Pricing Condition | | | | Enter sales documents and lower prices for fraudulent gain. | High |
| S017 | AR04 | Credit Management | AR02 | Cash Application | | | | Perform the credit approval function and modify cash received for fraudulent purposes. | High |
| S018 | AR02 | Cash Application | SD03 | Sales Rebates | | | | Enter fictitious sales rebates and then render fictitious payments. | High |
| S019 | AR02 | Cash Application | SD01 | Maintain Customer Master Data | | | | Risk of the same person entering changes to the customer master file and modifying the cash received for the customer. | High |
| S020 | SD05 | Sales Order Processing | SD04 | Sales Document Release | | | | Risk of sales documents being entered and released by the same person. | Medium |
| S021 | SD05 | Sales Order Processing | SD03 | Sales Rebates | | | | Risk of sales documents being entered and sales rebates being given by the same person, effectively granting an indirect price discount. | Medium |
| S022 | AR07 | Process Customer Invoices | AR04 | Credit Management | | | | Risk of sales invoices being modified or entered and credit limits being approved by the same person. | High |
| S023 | AR05 | Maintain Billing Documents | SD06 | Sales Pricing Condition | | | | Risk of sales price modifications for sales invoicing. | High |
| S024 | SD01 | Maintain Customer Master Data | AR03 | Clear Customer Balance | | | | Maintain a customer master record and post a fraudulent payment against it. | High |
| S025 | SD01 | Maintain Customer Master Data | AR05 | Maintain Billing Documents | | | | User can create a fictitious customer and then issue invoices to the customer. | High |
| S026 | AR02 | Cash Application | AR07 | Process Customer Invoices | | | | User can create or change an invoice and enter or change payments against the invoice. | High |
| S027 | SD02 | Delivery Processing | AR02 | Cash Application | | | | User can create a fictitious or incorrect delivery and enter payments against it, potentially misappropriating goods. | High |
| S028 | SD05 | Sales Order Processing | AR07 | Process Customer Invoices | | | | User able to create a fraudulent sales contract to include additional goods and enter an incorrect customer invoice to hide the deception. | High |
| S029 | AR03 | Clear Customer Balance | AR06 | Process Customer Credit Memos | | | | Create a credit memo, then clear the customer to prompt a payment. | High |

HR and Payroll

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Function ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|---|
| H001 | HR03 | Maintain Employee (PA) Master Data - 0008 - 0009 ( | PY04 | Process Payroll | | | | Modify payroll master data and then process payroll. Potential for fraudulent activity. | High |
| H002 | HR01 | HR Benefits | PY04 | Process Payroll | | | | Change employee HR benefits, then process payroll without authorization. Potential for fraudulent activity. | High |
| H003 | PY07 | 3rd Party Remittance | HR02 | HR Vendor Data | | | | Changing master data and creating the remittance could result in fraudulent payments. | High |
| H004 | HR04 | Maintain Time Data | PY01 | Approve Time | | | | Change payroll master data and enter time data applied to incorrect settings. | High |
| H005 | HR04 | Maintain Time Data | PY04 | Process Payroll | | | | Modify time data and process payroll, resulting in fraudulent payments. | High |
| H006 | PY02 | Maintain Payroll Configuration | PY04 | Process Payroll | | | | Change the configuration of payroll, then process payroll, resulting in fraudulent payments. | High |
| H007 | HR03 | Maintain Employee (PA) Master Data - 0008 - 0009 ( | PY02 | Maintain Payroll Configuration | | | | Change the configuration of payroll, then modify payroll master data, resulting in fraudulent payments. | High |
| H008 | HR05 | Modify PD Structure | HR03 | Maintain Employee (PA) Master Data - 0008 - 0009 ( | | | | Change payroll master data and modify the PD structure. | High |
| H009 | HR04 | Maintain Time Data | PY03 | Payroll Maintenance | | | | Enter false time data and perform payroll maintenance. | High |
| H010 | PY03 | Payroll Maintenance | PY04 | Process Payroll | | | | Change payroll and process payroll without proper authorization. | High |
| H011 | PY02 | Maintain Payroll Configuration | PY03 | Payroll Maintenance | | | | Change payroll configuration and perform maintenance on payroll settings. | High |
| H012 | HR04 | Maintain Time Data | PY02 | Maintain Payroll Configuration | | | | Modify payroll configuration and enter false time data. | High |
| H013 | HR04 | Maintain Time Data | HR05 | Modify PD Structure | | | | Enter false time data and maintain the PD structure. | High |
| H014 | HR03 | Maintain Employee (PA) Master Data - 0008 - 0009 ( | HR04 | Maintain Time Data | | | | Users may enter false time data and process payroll, resulting in fraudulent payments. | High |
| H015 | HR03 | Maintain Employee (PA) Master Data - 0008 - 0009 ( | PY03 | Payroll Maintenance | | | | Users may maintain employee master data, including pay rates, and delete the payroll result. | High |
| H016 | PY06 | Payroll Schemas | HR04 | Maintain Time Data | | | | Users may enter false time data and perform work schedule evaluations. | High |
| H017 | PY05 | Time Evaluations | HR04 | Maintain Time Data | | | | Users may enter false time data and perform time evaluations. | Medium |

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Function ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|---|
| H018 | PY05 | Time Evaluations | HR05 | Modify PD Structure | | | | Perform time evaluations and change the PD structure to misroute the data for approvals. | Medium |
| H019 | PY05 | Time Evaluations | PY03 | Payroll Maintenance | | | | Perform time evaluations and delete payroll results, which could disrupt the payroll process. | Medium |
| H020 | PY05 | Time Evaluations | PY04 | Process Payroll | | | | Users who perform both the time evaluation and process payroll could hide fraudulent actions. | Medium |
| H021 | PY05 | Time Evaluations | PY06 | Payroll Schemas | | | | Users who can both perform time evaluations and maintain payroll schemas could hide fraudulent actions. | Medium |
| B001 | BS02 | Basis Development | BS11 | System Administration | MIT-B001 | | | A developer could modify an existing program in production, perform traces on the program, and configure the production environment to run the program. This may affect system performance and data integrity and lead to inappropriate program modification. | Medium |
| B002 | BS02 | Basis Development | BS06 | Configuration | MIT-B002 | | | A developer could modify an existing program in production, perform traces on the program and configure the production environment to limit monitoring of the program run by increasing alarm thresholds and eliminating audit trails through external OS comma | High |
| B003 | BS02 | Basis Development | BS05 | Client Administration | MIT-B003 | | | A developer could create or modify a program in production and replicate these changes to other clients. This bypasses the inherent controls in the transport process and could negatively impact the DV and QA clients. | Medium |
| B004 | BS02 | Basis Development | BS12 | Transport Administration | MIT-B004 | | | A developer could create or modify a program in production and force the transport of these changes after the fact to conceal irregular development practices. This also enables reverting to the program's original version without any trace of the changes made in production. | High |
| B005 | BS04 | Basis Utilities | BS11 | System Administration | MIT-B005 | | | A developer could modify program components (menus, screen layout, messages, queries) and configure the production environment to execute the program with these changes. This may affect system performance and data integrity and lead to inappropriate program modification. | Medium |
| B006 | BS04 | Basis Utilities | BS06 | Configuration | MIT-B006 | | | A developer could modify program components (menus, screen layout, messages, queries) and configure the production environment to limit monitoring of the program runs using the modified program components by increasing alarm thresholds and eliminating the audit trail. | High |
| B007 | BS04 | Basis Utilities | BS05 | Client Administration | MIT-B007 | | | A developer could modify program components (menus, screen layout, messages, queries) and replicate these changes to other clients. This bypasses the inherent controls in the transport process and could negatively impact the DV and QA clients. | Medium |
| B008 | BS04 | Basis Utilities | BS12 | Transport Administration | MIT-B008 | | | A developer could modify program components (menus, screen layout, messages, queries) and force the transport of these changes after the fact to conceal irregular development practices. This also enables the reverting back to the program components origin | High |
| B009 | BS03 | Basis Table Maintenance | BS11 | System Administration | MIT-B009 | | | An individual could modify data in tables or modify valid configuration values and set up the production environment to run transactions and programs using the inappropriately modified data. This could affect data integrity, system performance, and proper | High |
| B010 | BS03 | Basis Table Maintenance | BS05 | Client Administration | MIT-B010 | | | An individual could modify data in tables or change valid configuration and replicate these changes to other clients. This is particularly sensitive if client administration transactions come with client-independent authorization allowing the developer to | High |
| B011 | BS10 | Security Administration | BS05 | Client Administration | MIT-B011 | | | An individual could inappropriately modify roles and assignments and reflect this change in the production's mirror copy, eliminating the chance to revert to the appropriate setup. | High |

Basis

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Function ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|---|
| B012 | BS10 | Security Administration | BS12 | Transport Administration | MIT-B012 | | | A security administrator could make inappropriate changes to unauthorized security roles, transport them, and assign them to a fictitious user for execution. | High |
| B013 | BS01 | Archiving | BS11 | System Administration | MIT-B013 | | | An administrator could execute archiving transactions during peak end-user usage and administer the production system to allow maximum system resources to complete the archiving function, affecting system performance. | Medium |
| B014 | BS01 | Archiving | BS06 | Configuration | MIT-B014 | | | A user could configure the production environment to limit monitoring of the inappropriate archiving runs by increasing alarm thresholds and eliminating audit trails through external OS commands. | Medium |
| B015 | BS01 | Archiving | BS05 | Client Administration | MIT-B015 | | | A user could inappropriately archive client-independent data and settings and use client administration functions to replicate such changes to other clients. | Medium |
| B016 | BS01 | Archiving | BS12 | Transport Administration | MIT-B016 | | | Usually the individuals responsible for archiving are end-users who understand the business processes and data retention needs. Their job responsibilities do not require transport administration transactions. The reverse can be said for the users responsibilities | Medium |
| B017 | BS07 | Create Transport | BS09 | Perform Transport | MIT-B017 | | | Can create transports, add objects to the transport, and move the transport: can put unauthorized object changes into production, bypassing the change control process. | High |
| B018 | BS08 | Maintain Number Ranges | BS11 | System Administration | MIT-B018 | | | Can reset the number ranges (1) and delete your log/audit trail (2). | High |
| B019 | BS13 | Maintain User Master | BS14 | Maintain Profiles / Roles | MIT-B019 | | | One person controlling both the access in the profile/role and the user IDs increases the risk of inappropriate access. | High |
| D001 | CR01 | Generate & Process Leads | CR02 | Maintain Opportunity | | | | Maintaining opportunities (qualifying the lead) must be independent of generating leads. Sales or production forecasts could be based on the number of qualified leads. In some companies, commissions could be paid based on the number of qualified leads. | Medium |
D002 CR01
Generate & Process
Leads
CR03
Maintain Business
Partner
The creation of key Business Partner data should be segregated from the
Marketing groups Leads and Opportunity management. BPs should only
be created after the appropriate review by the Master Data group.
Medium
D003 CR03
Maintain Business
Partner
CR04
Process CRM Sales
Order
A user could create a fictitious business partner and initiate fraudulent sales
orders for that partner. Master data such as business partners should not
be maintained by the same users who process transactions using that
master data.
High
D004 CR04
Process CRM Sales
Order
SD02Delivery Processing
A user could create a fictitious sales order to cover up an unauthorized
shipment.
High
D005 CR04
Process CRM Sales
Order
CR07CRM Billing
Inappropriately create or change sales documents and generate the
corresponding billing document in CRM.
High
D006 CR04
Process CRM Sales
Order
AR05
Maintain Billing
Documents
Inappropriately create or change sales documents and generate the
corresponding billing document in R3.
High
D007 CR05
Service Order
Processing
CR06Service Confirmation
Enter fictitious service orders for personal use and accept the services
through service acceptance. The user could prompt fraudulent payments.
In addition spare parts could be fraudulently issued from inventory as a
result of the confirmation.
High
D008 CR07 CRM Billing CR03
Maintain Business
Partner
User can create a fictitious business partner and then process billing in CRM
for that partner.
High
D009 AR05
Maintain Billing
Documents
CR03
Maintain Business
Partner
User can create a fictitious business partner and then process billing in R3
for that partner.
High
CRM

Segregation of Duty Risks

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|
| D010 | CR06 | Service Confirmation | CR07 | CRM Billing | | | Inappropriately accept or confirm a service order and generate a corresponding billing document in CRM for the order. | High |
| D011 | CR06 | Service Confirmation | AR05 | Maintain Billing Documents | | | Inappropriately accept or confirm a service order and generate a corresponding billing document in R3 for the order. | High |
| D012 | SD07 | Inbound Delivery Processing | CR08 | Process Credit Memo | | | Internal user can be in collusion with a customer, process a fictitious inbound delivery (based on a complaint entered by the customer) and process a credit memo to the customer. | Medium |
| D013 | CR08 | Process Credit Memo | CR07 | CRM Billing | | | User could create a fictitious credit memo and run billing due in CRM to prompt a payment to a customer. The customer could provide a kickback to the internal user. | High |
| D014 | CR08 | Process Credit Memo | AR05 | Maintain Billing Documents | | | User could create a fictitious credit memo and run billing due in R3 to prompt a payment to a customer. The customer could provide a kickback to the internal user. | High |
| D015 | AR07 | Process Customer Invoices | CR09 | Maintain Conditions | | | Pricing conditions could be manipulated to provide inappropriate discounts or incentives to customers, which will be realized in an incorrect invoice. | High |
| D016 | CR04 | Process CRM Sales Order | CR09 | Maintain Conditions | | | A user could enter a sales order in CRM and lower prices via conditions for fraudulent gain. | High |
| D017 | CR02 | Maintain Opportunity | PY04 | Process Payroll | | | Commission or incentives may be paid based on the number of qualified leads. Inappropriately qualified leads could result in fraudulent commission payments. | High |
| D018 | CR05 | Service Order Processing | PY04 | Process Payroll | | | Commission or incentives may be paid based on the number of service orders. Fraudulent orders could be entered to achieve higher sales for commissions. | High |
| D019 | CR04 | Process CRM Sales Order | PY04 | Process Payroll | | | Commission or incentives may be paid based on the number of sales orders. Fraudulent orders could be entered to achieve higher sales reporting for commissions. | High |
| D020 | CR10 | Maintain Product Catalog | CR04 | Process CRM Sales Order | | | Add items to product catalogs and create fictitious sales orders for those items. | Medium |
| E001 | SR01 | EBP / SRM Vendor Master | SR03 | EBP / SRM Invoicing | | | Maintain a fictitious vendor and enter an invoice to be included in the automatic payment run. | High |
| E002 | SR02 | EBP / SRM Purchasing | SR03 | EBP / SRM Invoicing | | | Purchase unauthorized items and prompt the payment by invoicing. | High |
| E003 | SR02 | EBP / SRM Purchasing | SR04 | EBP / SRM Goods Receipt/Service Acceptance | | | Enter fictitious orders for personal use and accept the goods or services through goods receipt or service acceptance. | High |
| E004 | SR03 | EBP / SRM Invoicing | SR04 | EBP / SRM Goods Receipt/Service Acceptance | | | Enter fictitious invoices and accept goods or services via goods receipt or service acceptance. | High |
| E005 | SR01 | EBP / SRM Vendor Master | SR02 | EBP / SRM Purchasing | | | Maintain a fictitious vendor and initiate purchases to that vendor. | High |
| E006 | SR02 | EBP / SRM Purchasing | MM07 | Enter Counts - WM | | MM08 Clear Differences - WM | Inappropriately procure items and manipulate the WM physical inventory counts to hide. | Medium |
| E007 | SR02 | EBP / SRM Purchasing | MM02 | Enter Counts - IM | | MM01 Clear Differences - Inventory Management | Inappropriately procure items and manipulate the IM physical inventory counts to hide. | Medium |

SRM

Segregation of Duty Risks

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|
| E008 | SR02 | EBP / SRM Purchasing | MM03 | Enter Counts & Clear Diff - IM | | | Inappropriately procure items and manipulate the IM physical inventory counts to hide. | Medium |
| E009 | SR05 | EBP / SRM Product Maintenance | SR02 | EBP / SRM Purchasing | | | Add items to the catalog or master file and create fraudulent orders for those items. | Medium |
| E010 | FI03 | Bank Reconciliation | SR03 | EBP / SRM Invoicing | | | A user can hide differences between bank payments and posted AP records. | High |
| E011 | SR06 | EBP / SRM Goods Receipt/Service Acceptance | MM07 | Enter Counts - WM | | MM08 Clear Differences - WM | Accept goods via SRM goods receipts and perform a WM physical inventory adjustment afterwards. | High |
| E012 | SR06 | EBP / SRM Goods Receipt/Service Acceptance | MM02 | Enter Counts - IM | | MM01 Clear Differences - Inventory Management | Accept goods via SRM goods receipts and perform an IM physical inventory adjustment afterwards. | High |
| E013 | SR06 | EBP / SRM Goods Receipt/Service Acceptance | MM03 | Enter Counts & Clear Diff - IM | | | Accept goods via SRM goods receipts and perform an IM physical inventory adjustment afterwards using powerful IM transactions. | High |
| E014 | SR02 | EBP / SRM Purchasing | MM05 | Goods Receipts to PO | | | Enter fictitious orders for personal use and access the goods or services through goods receipt. | High |
| E015 | SR02 | EBP / SRM Purchasing | PR08 | Service Acceptance | | | Enter fictitious orders for personal use and access the goods or services through service acceptance. | High |
| E016 | SR08 | EBP / SRM Maintain Shopping Cart | SR05 | EBP / SRM Product Maintenance | | | Initiate purchases for fictitious goods by selecting those goods to be included in a shopping cart. | Medium |
| E017 | SR08 | EBP / SRM Maintain Shopping Cart | SR01 | EBP / SRM Vendor Master | | | Maintain a fictitious vendor and initiate purchases to that vendor by selecting goods to be included in a shopping cart. | Medium |
| E018 | SR07 | EBP / SRM PO Approval | SR04 | EBP / SRM Goods Receipt/Service Acceptance | | | Approve the purchase of unauthorized goods and hide the misuse of inventory by not fully receiving the order in SRM. | Medium |
| E019 | SR07 | EBP / SRM PO Approval | MM05 | Goods Receipts to PO | | | Approve the purchase of unauthorized goods and hide the misuse of inventory by not fully receiving the order in R3. | High |
| E020 | SR02 | EBP / SRM Purchasing | SR07 | EBP / SRM PO Approval | | | Where release strategies are utilized, the same user should not maintain the purchase order and release or approve it. | High |
| E021 | SR01 | EBP / SRM Vendor Master | SR07 | EBP / SRM PO Approval | | | Create a fictitious vendor or change existing vendor master data and approve purchases to this vendor. | High |
| E022 | SR02 | EBP / SRM Purchasing | SR09 | EBP / SRM Maintain Org Structure | | | Enter fictitious orders for personal use and manipulate the organizational structure to bypass approvals. | High |

Segregation of Duty Risks

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|
| E023 | SR01 | EBP / SRM Vendor Master | SR09 | EBP / SRM Maintain Org Structure | | | Create or maintain a fictitious vendor and manipulate the organizational structure to bypass approvals or secondary checks. | High |
| E024 | SR08 | EBP / SRM Maintain Shopping Cart | SR07 | EBP / SRM PO Approval | | | Initiate purchases by selecting goods to be included in a shopping cart, then approve the purchase. | High |
| G001 | EC01 | Maintain Hierarchies | AP01 | AP Payments | MIT-G001 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G002 | EC01 | Maintain Hierarchies | AP02 | Process Vendor Invoices | MIT-G002 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G003 | EC01 | Maintain Hierarchies | AP04 | Manual Check Processing | MIT-G003 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G004 | EC01 | Maintain Hierarchies | AR02 | Cash Application | MIT-G004 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G005 | EC01 | Maintain Hierarchies | AR07 | Process Customer Invoices | MIT-G005 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G006 | EC01 | Maintain Hierarchies | CC03 | Maintain Cost Centers | MIT-G006 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G007 | EC01 | Maintain Hierarchies | FA01 | Maintain Asset Document | MIT-G007 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G008 | EC01 | Maintain Hierarchies | FA02 | Maintain Asset Master | MIT-G008 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G009 | EC01 | Maintain Hierarchies | FI01 | Revenue Reposting | MIT-G009 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G010 | EC01 | Maintain Hierarchies | GL01 | Post Journal Entry | MIT-G010 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G011 | EC01 | Maintain Hierarchies | GL02 | Maintain GL Master Data | MIT-G011 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G012 | EC01 | Maintain Hierarchies | GL03 | Post Journal Entry (misc Tax/Currency) | MIT-G012 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G013 | EC01 | Maintain Hierarchies | PR01 | Vendor Master Maintenance | MIT-G013 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G014 | EC01 | Maintain Hierarchies | SD01 | Maintain Customer Master Data | MIT-G014 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |

EC-CS (Assumption: data is uploaded to the Consolidation system. Additional risks may need to be defined for fully integrated systems.)
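The rule set above only becomes a control when it is evaluated against actual user access, and most real conflicts arise from combining several roles rather than from one badly built role. The following Python check is an added example, not code from the presentation or from any SAP GRC product: it loads a handful of the page's own rules (B017, B018, B019, D003, E006 and E020, with their function IDs, risk levels and MIT-xxx mitigation IDs), resolves users to functions through constructed role-to-function and user-to-role assignments, flags each rule whose full function set a user holds (including the three-function rule E006), and marks a hit as mitigated only when the rule has a mitigation ID and that control is assigned to the user. The role names, users and mitigation assignments are constructed sample data.

```python
"""Segregation-of-duty conflict check over a subset of the page's risk rules.

Added example; rule IDs, function IDs and MIT-xxx IDs are copied from the
page, everything else (roles, users, assignments) is constructed sample data.
"""
from dataclasses import dataclass
from itertools import chain
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    risk_id: str
    functions: FrozenSet[str]      # every function ID that must be held together
    level: str                     # "High" or "Medium", as on the page
    mitigation_id: Optional[str]   # MIT-xxx from the page, None when none is listed
    description: str


# Subset of the page's rules; E006 is a three-function rule (SR02 + MM07 + MM08).
RULES: List[Rule] = [
    Rule("B017", frozenset({"BS07", "BS09"}), "High", "MIT-B017",
         "Create Transport + Perform Transport: bypass Change Control"),
    Rule("B018", frozenset({"BS08", "BS11"}), "High", "MIT-B018",
         "Maintain Number Ranges + System Administration: reset ranges, delete audit trail"),
    Rule("B019", frozenset({"BS13", "BS14"}), "High", "MIT-B019",
         "Maintain User Master + Maintain Profiles / Roles"),
    Rule("D003", frozenset({"CR03", "CR04"}), "High", None,
         "Maintain Business Partner + Process CRM Sales Order"),
    Rule("E006", frozenset({"SR02", "MM07", "MM08"}), "Medium", None,
         "EBP / SRM Purchasing + Enter Counts - WM + Clear Differences - WM"),
    Rule("E020", frozenset({"SR02", "SR07"}), "High", None,
         "EBP / SRM Purchasing + EBP / SRM PO Approval"),
]

# Constructed sample data (hypothetical role names): which functions each role grants.
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "Z_BASIS_TRANSPORT_DEV": {"BS07"},
    "Z_BASIS_TRANSPORT_OPS": {"BS09", "BS11"},
    "Z_SEC_ADMIN": {"BS13", "BS14"},
    "Z_SRM_BUYER": {"SR02"},
    "Z_WM_COUNT": {"MM07"},
    "Z_WM_CLEAR": {"MM08"},
    "Z_CRM_SALES": {"CR04"},
}

# Constructed sample users: the B017 conflict for jdoe only exists across two roles.
USER_ROLES: Dict[str, Set[str]] = {
    "jdoe": {"Z_BASIS_TRANSPORT_DEV", "Z_BASIS_TRANSPORT_OPS"},
    "asmith": {"Z_SEC_ADMIN"},
    "bwong": {"Z_SRM_BUYER", "Z_WM_COUNT", "Z_WM_CLEAR"},
    "clee": {"Z_SRM_BUYER", "Z_WM_COUNT"},   # MM08 missing: no E006 hit
}

# Constructed: mitigating controls actually assigned to a user.
USER_MITIGATIONS: Dict[str, Set[str]] = {"asmith": {"MIT-B019"}}

_LEVEL_ORDER = {"High": 0, "Medium": 1}


def user_functions(user: str,
                   user_roles: Dict[str, Set[str]] = USER_ROLES,
                   role_functions: Dict[str, Set[str]] = ROLE_FUNCTIONS) -> Set[str]:
    """Resolve a user to the union of functions granted by all assigned roles."""
    return set(chain.from_iterable(role_functions.get(r, set())
                                   for r in user_roles.get(user, set())))


def find_conflicts(user: str,
                   rules: List[Rule] = RULES,
                   mitigations: Dict[str, Set[str]] = USER_MITIGATIONS,
                   ) -> List[Tuple[str, str, bool]]:
    """Return (risk_id, level, mitigated) for each rule the user fully satisfies.

    A rule fires only when ALL of its functions are held; a hit counts as
    mitigated only if the rule carries a mitigation ID and the user has it.
    Sorted High before Medium, then by risk ID, for reporting.
    """
    held = user_functions(user)
    assigned = mitigations.get(user, set())
    hits = []
    for rule in rules:
        if rule.functions <= held:
            mitigated = rule.mitigation_id is not None and rule.mitigation_id in assigned
            hits.append((rule.risk_id, rule.level, mitigated))
    return sorted(hits, key=lambda h: (_LEVEL_ORDER[h[1]], h[0]))


def contributing_roles(user: str, risk_id: str,
                       rules: List[Rule] = RULES,
                       user_roles: Dict[str, Set[str]] = USER_ROLES,
                       role_functions: Dict[str, Set[str]] = ROLE_FUNCTIONS) -> List[str]:
    """Roles of the user that grant at least one function of the rule.

    Useful for remediation: removing any one of these roles (or its function)
    breaks the conflict.
    """
    rule = next(r for r in rules if r.risk_id == risk_id)
    return sorted(r for r in user_roles.get(user, set())
                  if role_functions.get(r, set()) & rule.functions)


if __name__ == "__main__":
    for user in sorted(USER_ROLES):
        for risk_id, level, mitigated in find_conflicts(user):
            state = "mitigated" if mitigated else "OPEN"
            print(f"{user}: {risk_id} ({level}) {state} via {contributing_roles(user, risk_id)}")
```

Running the block reports jdoe with an open B017 (the two transport roles together), asmith with B019 marked mitigated by MIT-B019, bwong with an open Medium E006, and clee with nothing, because holding two of E006's three functions is not a conflict. In a real review the role-to-function map would come from the authorization concept (transaction codes grouped into the page's function IDs) and the mitigation assignments from the monitor and approver list at the end of this deck.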

| Functional Area | Novus Monitor & Approver | Email Address |
|---|---|---|
| Finance / Controlling | Davud Friedman | [email protected] |
| Manufacturing | Steve Bass | [email protected] |
| Procure to Pay | | |
| Order to Cash | | |
| HR | | |
| Basis | Mark Meyer | [email protected] |
| CRM | | |