
Material Management SODs

SoD Controls (Functions that should be segregated) and Risks

1. Post Goods Receipt and Post Payments
   Risk: A user could post or change a fictitious or incorrect goods receipt and set up a fraudulent automatic payment or create a fraudulent check.
2. Post Goods Receipt and Process Outgoing Payments
   Risk: A user could post or change a fictitious or incorrect goods receipt and post a fraudulent payment or clear the invoice to hide the deception.
3. Post Goods Receipt and Process Inventory
   Risk: A user could post or change a fictitious or incorrect goods receipt and create/change an inventory document/count to hide the deception or clear the inventory count to hide the deception.
4. Post Goods Receipt and Process Inventory Documents
   Risk: A user could post or change a fictitious or incorrect goods receipt and create/change an inventory document/count to hide the deception or clear the inventory count to hide the deception.
5. Post Goods Receipt and Goods Issue
   Risk: A user could post or change a fictitious or incorrect goods receipt and then use a goods issue to hide the deception. The vendor would be paid for the excess recorded receipt.
6. Post Goods Receipt and Process Materials
   Risk: A user could create or change a fictitious receipt and create/change a material document to hide the deception.

RISK LEVEL H H H

Transaction  Description

IM Inventory Management

Post Goods Receipt (IM)
MB01     Post Goods Receipt for PO
MB02     Change Material Document
MB0A     Post GR for PO
MB1C     Other Goods Receipt
MB31     Goods Receipt for Production Order
MIGO     Goods Movement
MIGO_GR  Goods Movement
MIGO_GI  Goods Movement
MIGO_GO  Goods Movement
MIGO_TR  Transfer Posting
COGI     Process Goods Movement w. Errors

Post Payments (IM)
F110     Parameters for Automatic Payment
FCH5     Create Check Information

Process Outgoing Payments (IM)
FBZ2     Post Outgoing Payments
F-48     Post Vendor Down Payment
F-53     Post Outgoing Payment

Process Inventory
LI01     Create System Inventory Record
LI02     Change System Inventory Record
LI11     Enter Inventory Count
LI12     Change Inventory Count
LI20     Clear Inventory Differences
LI21     Clear Inventory Differences - MM-IM

Process Inventory Documents
MI01     Create Physical Inventory Document
MI02     Change Physical Inventory Document
MI04     Enter Inventory Count with Document
MI05     Change Inventory Count
MI07     Process List of Difference
MI09     Enter Inventory Count w/o Document
MI20     Print List of Differences

Goods Issue
MB1A     Goods Withdrawal

Process Materials
MM01     Create Material
MM02     Change Material
MMAM     Change Material Type
MMZ1     Create Material - General

Sales Distribution SODs

Activity AND Activity

1. Customer master data maintenance AND Post customer down-payment
2. Clear customer down-payment AND Process customer credit note (FI)
3. Customer master data maintenance AND Process outbound deliveries
4. Customer master data maintenance AND Incoming payments
5. Process outbound deliveries AND Incoming payments
6. Process sales orders AND Process customer credit note (FI)
7. Process outbound deliveries AND Process customer credit note (FI)
8. Process outbound deliveries AND Process customer invoices (FI)
9. Process outbound deliveries AND Process customer invoices (SD)
10. Process outbound deliveries AND Post parked customer invoice/credit note
11. Process sales orders AND Incoming payments
12. Process sales orders AND Process outbound deliveries
13. Process sales orders AND Process Revenue Recognition
14. Clear customer down-payment AND Process customer invoices (FI)
15. Clear customer down-payment AND Process customer invoices (SD)
16. Clear customer down-payment AND Post parked customer invoice/credit note
17. Clear customer down-payment AND Incoming payments
18. Incoming payments AND Process customer credit note (FI)
19. Maintain contract/scheduling agreement AND Maintain sales deal
20. Maintain contract/scheduling agreement AND Maintain pricing condition records
21. Maintain contract/scheduling agreement AND Incoming payments
22. Maintain credit master data AND Customer master data maintenance
23. Create down-payment request AND Post customer down-payment
24. Maintain contract/scheduling agreement AND Create rebate agreement
25. Maintain contract/scheduling agreement AND Process sales orders
26. Process outbound deliveries AND Maintain contract/scheduling agreement
27. Customer master data maintenance AND Process sales orders
28. Maintain contract/scheduling agreement AND Customer master data maintenance
29. Customer master data maintenance AND Process customer credit note (FI)
30. Customer master data maintenance AND Process customer invoices (FI)
31. Customer master data maintenance AND Process customer invoices (SD)
32. Customer master data maintenance AND Post parked customer invoice/credit note
33. Maintain contract/scheduling agreement AND Maintain sales promotion
34. Settle rebate agreement AND Process customer credit note (FI)
35. Process customer invoices (SD) AND Maintain sales deal
36. Process customer invoices (SD) AND Maintain sales promotion
37. Process customer invoices (SD) AND Maintain pricing condition records
38. Settle rebate agreement AND Process customer invoices (FI)
39. Settle rebate agreement AND Process customer invoices (SD)
40. Settle rebate agreement AND Post parked customer invoice/credit note
41. Process sales orders AND Maintain sales deal
42. Process sales orders AND Maintain sales promotion
43. Process sales orders AND Maintain pricing condition records
44. Process sales orders AND Process customer invoices (FI)
45. Process sales orders AND Process customer invoices (SD)
46. Process sales orders AND Post parked customer invoice/credit note
47. Incoming payments AND Process customer invoices (FI)
48. Incoming payments AND Process customer invoices (SD)
49. Incoming payments AND Post parked customer invoice/credit note
50. Create rebate agreement AND Settle rebate agreement
51. Maintain credit master data AND Maintain contract/scheduling agreement
52. Maintain credit master data AND Process sales orders
53. Park customer invoice/credit note AND Post parked customer invoice/credit note
54. Post customer down-payment AND Process customer invoices (FI)
55. Post customer down-payment AND Process customer invoices (SD)
56. Post customer down-payment AND Post parked customer invoice/credit note
57. Post customer down-payment AND Process customer credit note (FI)
58. Process sales orders AND Create rebate agreement
59. Customer master data maintenance AND Clear customer down-payment

Transaction  Description

Revenues

Maintain contract/scheduling agreement
VA31     Create scheduling agreement
VA32     Change scheduling agreement
VA41     Create contract
VA42     Change contract

Maintain credit master data
FD24     Credit limit changes
FD32     Change customer credit management
FD37     Credit management mass change
F.34     Credit management mass change
F.28     Customers: Reset credit limit
S_ALR_87009999  Credit Limit Data mass change
S_ALR_87012220  Reset Credit Limit for Customers

Create down-payment request
F-37     Create down-payment request
FBA1     Create down-payment request

Post customer down-payment
F-29     Post customer down payment
FBA2     Post customer down payment

Clear customer down-payment
F-39     Clear customer down payment
FBA3     Clear customer down payment

Process sales orders
V-01     Create sales order
VA01     Create sales order
VA02     Change sales order

Maintain sales deal
VB21     Create sales deal
VB22     Change sales deal

Maintain sales promotion
VB31     Create promotion
VB32     Change promotion
WAK1     Create promotion
WAK12    Maintain promotion items
WAK2     Change promotion

Maintain pricing condition records
V/03     Create condition table (SD price)
V/04     Change condition table (sales pr)
V_I7     Condit: Pricing SD - Index in Backgr
V/I5     Condit: Pricing SD - Index in Backgr
VK11     Create condition
VK12     Change condition
VK14     Creation condition with reference
VK15     Create condition
VK16     Creation condition with reference
VK17     Change condition
VK19     Change condition without menu
VK31     Condition maintenance: Create
VK32     Condition maintenance: Change
VK34     Condition maint: create with refer
VK04     Change condition table
VK03     Create condition table
V-41     Create material price
V-43     Change material price
V-47     Change price list
V-51     Change Cust. Price

Create rebate agreement
VBO1     Create rebate agreement
VBO2     Change rebate agreement
OV20     Condition table: create rebate
OV21     Condition table: change rebate
VB(6     Rebate Group Maintenance

Settle rebate agreement
VB(7     Rebate agreement settlement
VB(D     Rebate agreement settlement

Process outbound deliveries
VL01     Create delivery
VL01N    Create outbound delivery with order ref
VL01NO   Create outbound delivery w/o order ref
VL02     Change outbound delivery
VL02N    Change outbound delivery
VL06G    List of outbound deliveries for Goods Issue
VL10     Edit user-specific delivery due list
VL10A    Sales orders due for delivery
VL10BATCH  VL10 Background planning
VL10C    Order items due for delivery
VL10E    Order schedule lines due for delivery
VL10G    Documents due for delivery
VL10H    Items due for delivery
VL10I    Schedule lines due for delivery
VL11     Create decentralised delivery
VL12     Delivery creation in background
VL21     Post goods issue in background
VL23     Goods issue (background processing)
VL23N    Goods issue (background processing)
VL04     Sales Orders/Purchase Orders Worklist : Selection

Process customer credit note (FI)
F-27     Enter customer credit memo
FB75     Enter outgoing credit memos

Process customer invoices (FI)
F-22     Enter customer invoice
FB70     Enter outgoing invoice

Process customer invoices (SD)
VF01     Create billing document
VF02     Change billing document
VF04     Process billing due list
VF06     Batch billing
VF11     Cancel billing document
VF21     Create invoice list
VF22     Change invoice list
VFX3     List blocked billing documents

Park customer invoice/credit note
F-64     Park customer invoice
F-67     Park customer credit memo
FBV1     Park document
FBV2     Change parked document
FBV4     Change parked document (header)
FV70     Park outgoing invoice
FV75     Park outgoing credit note

Post parked customer invoice/credit note
FBV0     Post parked document
FBVB     Post parked document

Incoming payments
F-04     Post with clearing
F-06     Post incoming payments
F-26     Incoming payments fast entry
F-28     Post incoming payments
F-30     Post with clearing
F-51     Post with clearing
F-52     Post incoming payments
FB05     Post with clearing
FB05_OLD Post with clearing
FBZ1     Post incoming payments
FBZ3     Incoming payments fast entry
FBE1     Create payment advice
FBE2     Change payment advice
FB1D     Clear customer
FBCJ     Cash journal
F-32     Clear customer
FLBP     Post lockbox data
FLB1     Postprocessing lockbox data
FFB5     Post check deposit data entered externally
FFB4     Interface for check deposit data entered externally
FF/4     Interface for check deposit data entered externally
FF/5     Post check deposit data entered externally

Customer master data maintenance
FD01     Create customer (accounting)
FD02     Change customer (accounting)
FD05     Block customer (accounting)
FD06     Mark customer for deletion (acctng)
VD01     Create customer (sales)
VD02     Change customer (sales)
VD05     Block customer (sales)
VD06     Mark customer for deletion (sales)
XD01     Create customer (centrally)
XD02     Change customer (centrally)
XD05     Block customer (centrally)
XD06     Mark customer for deletion (centr)
XD99     Customer master mass maintenance
MASS     Mass change
FD02CORE Maintain customer
V-03     Create ordering party
V-04     Create invoice recipient
V-05     Create payer
V-06     Create consignee

Process Revenue Recognition
VF44     Revenue recognition worklist
VF45     Revenue recognition: Revenue report
VF46     Revenue recognition: Cancellation

Risk (risk level in brackets)

1. [H] The ability to enter or modify down payments for customers and the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected. This could result in reduced cash collections, potentially inflated accounts receivable general ledger balances, fraud, etc.
2. [H] User can clear down-payment and process credit notes.
3. [H] User can create a customer and deliver goods to that customer, thereby misappropriating goods.
4. [H] User can create a customer and then post payments against the customer.
5. [H] User can create fictitious/incorrect delivery and enter payments against these, potentially misappropriating goods.
6. [H] User can create/change a credit memo request and then process the credit note.
7. [H] User can create/change a delivery and create/change a credit note to hide the deception, thereby misappropriating goods.
8. [H] User can create/change a delivery and create/change an invoice.
9. [H] User can create/change a delivery and create/change an invoice.
10. [H] User can create/change a delivery and create/change an invoice.
11. [H] User can create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
12. [H] User can create/change sales orders and deliveries to hide the misappropriation of goods.
13. [H] Users with authorization to process sales orders as well as the authorization to process the revenue recognition list have the ability to create/change sales orders and edit the amount/timing of the related revenue recognition.
14. [M] User can clear down-payment and create/change an invoice, thereby reducing customer balances.
15. [M] User can clear down-payment and create/change an invoice, thereby reducing customer balances.
16. [M] User can clear down-payment and create/change an invoice, thereby reducing customer balances.
17. [M] User can clear down-payment and process incoming payments.
18. [M] User can clear invoices inappropriately through maintaining customer receipts and customer credit notes.
19. [M] User can create a contract and maintain pricing, therefore over-charging customers or giving them unauthorised discounts.
20. [M] User can create a contract and maintain pricing, therefore over-charging customers or giving them unauthorised discounts.
21. [M] User can create a contract for a customer and then post payments against that contract/customer.
22. [M] User can create a customer and potentially assign/increase a customer credit limit inappropriately, thereby potentially increasing exposure to bad debts.
23. [M] User can create a down-payment request and post a down-payment.
24. [M] User can create a fictitious contract and then create rebates against that contract, granting customers inappropriate credits.
25. [M] User can create a fictitious contract and then create sales orders against that contract.
26. [M] User can create a fictitious contract for a customer and process outbound deliveries against the contract.
27. [M] User can create a fictitious customer and create orders for delivery to them, thereby misappropriating goods.
28. [M] User can create a fictitious customer and then create a contract against that customer.
29. [M] User can create a fictitious customer and then issue a credit note to the customer.
30. [M] User can create a fictitious customer and then issue invoices to the customer.
31. [M] User can create a fictitious customer and then issue invoices to the customer.
32. [M] User can create a fictitious customer and then issue invoices to the customer.
33. [M] User can create a contract and then maintain pricing against that contract, thereby over-charging customers or giving them unauthorised discounts.
34. [M] User can create credit notes and settle rebates, therefore changing the authorised rebate amount.
35. [M] User can create invoices and maintain pricing, therefore over-charging customers or giving them unauthorised discounts.
36. [M] User can create invoices and maintain pricing, therefore over-charging customers or giving them unauthorised discounts.
37. [M] User can create invoices and maintain pricing, therefore over-charging customers or giving them unauthorised discounts.
38. [M] User can create invoices and settle rebates, therefore changing the authorised rebate amount.
39. [M] User can create invoices and settle rebates, therefore changing the authorised rebate amount.
40. [M] User can create invoices and settle rebates, therefore changing the authorised rebate amount.
41. [M] User can create sales orders and maintain pricing, therefore over-charging customers or giving them unauthorised discounts.
42. [M] User can create sales orders and maintain pricing, therefore over-charging customers or giving them unauthorised discounts.
43. [M] User can create sales orders and maintain pricing, therefore over-charging customers or giving them unauthorised discounts.
44. [M] User can create/change a sales order and create/change an invoice for the order.
45. [M] User can create/change a sales order and create/change an invoice for the order.
46. [M] User can create/change a sales order and create/change an invoice for the order.
47. [M] User can create/change an invoice and enter/change payments against the invoice.
48. [M] User can create/change an invoice and enter/change payments against the invoice.
49. [M] User can create/change an invoice and enter/change payments against the invoice.
50. [M] User can create/change and settle rebate agreements, thereby granting customers inappropriate credits.
51. [M] User can increase a customer credit limit and then process a contract for that customer, leading to irrecoverable debt.
52. [M] User can increase a customer credit limit and then process sales orders for that customer, leading to irrecoverable debt.
53. [M] User can park and post customer invoices.
54. [M] User can post down-payment and create/change an invoice, thereby reducing customer balances.
55. [M] User can post down-payment and create/change an invoice, thereby reducing customer balances.
56. [M] User can post down-payment and create/change an invoice, thereby reducing customer balances.
57. [M] User can post down-payment and process credit notes.
58. [M] Users with authorization to maintain sales rebates as well as process sales orders have the ability to create sales orders to customers with unapproved sales rebates.
59. The ability to enter or modify down payments for customers and the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected. This could result in reduced cash collections, potentially inflated accounts receivable general ledger balances, fraud, etc.

FI /GL SoD Matrix

Test Name AND Test Name

1. Maintain Vendors AND Maintain Customer
2. Maintain Billing AND Maintain Customer
3. Maintain Vendors AND Maintain Revenue
4. Maintain Checks AND Depreciation
5. Maintain Postings AND Depreciation
6. Maintain Vendor Invoices AND Depreciation
7. Create PO with Source Determination AND Depreciation
8. Change Purchase Order AND Depreciation
9. Create Purchase Order AND Depreciation
10. Delete Asset AND Multiple Asset
11. Block Asset AND Multiple Asset
12. Change Asset AND Multiple Asset
13. Create Asset AND Multiple Asset

General Ledger

Activity AND Activity

1. Maintain FI/Company Code table data AND N/A
2. Maintain Accounting Periods AND N/A
3. Maintain Currencies AND N/A
4. Post Journal Entries AND Maintain Accounting Periods
5. Post Parked Document AND Maintain Accounting Periods
6. Maintain Parked Document AND Post Parked Document
7. Post Journal Entries AND Maintain G/L Accounts

Transaction  Description

General Ledger

Post journal entries
F.80     Mass reversal of documents
F-02     Enter G/L account posting
F-04     Post with clearing
FB01     Post document
FB02     Change document
FB05     Post with clearing
FB05_OLD Post with clearing
FB08     Reverse document
FB09     Change line items
FB11     Post held document
FB50     G/L Acct Pstg: Single Screen Trans
FBD1     Enter recurring entry
FBD2     Change recurring entry
FBL4     Change G/L account line items
FBR2     Post document
FB10     Invoice/Credit Fast Entry
FBU2     Change intercompany document

Maintain G/L Accounts
FS00     G/L acct master record maintenance
FS01     Create Master Record
FS02     Change Master Record
FS02CORE Maintain G/L account
FS04     G/L Account Changes (Centrally)
FSP0     G/L account master record in chrt/accts
FSP1     Create Master Record in Chart/Accts
FSP2     Change Master Record in Chart/Accts
FSP4     G/L Account Changes in Chart/Accts
FSS0     G/L account master record in co code
FSS1     Create Master Record in company code
FSS2     Change Master Record in company code
FSS4     G/L account changes in company code
OB_GLACC01  Create G/L accounts with reference
OB_GLACC02  Create G/L accounts with reference
OB_GLACC11  G/L acct record: Mass maintenance 01
OB_GLACC12  G/L acct record: Mass maintenance 02
OBY2     C FI Copy company code (G/L account)
OBY7     C FI Copy chart of accounts

Maintain Parked Document
F-65     Preliminary posting
F-63     Park vendor invoice
F-64     Park customer invoice
F-66     Park vendor credit memo
F-67     Park customer credit memo
FBV1     Park document
FBV2     Change parked document
FBV4     Change parked document (header)
FV50     Park G/L account items

Post Parked Document
FBV0     Post Parked Document
FBVB     Post Parked Document

Maintain currencies
F-62     Maintain Table: Exchange Rates
OB08     C FI Maintain Table TCURR

Maintain accounting periods
SCMA     Schedule Manager: Scheduler
OB52     C FI Maintain Table T001B
F-60     Maintain Table: Posting Periods

Maintain FI/Company Code table data
OBY6     Change View 'Company Code Global Data': Overview
OB13     Change View 'List of all Charts of Accounts': Overview
OB41     Maintain Accounting Configuration : Posting Keys - List
OB58     Change View 'Financial Statement Versions': Overview
FSE2     Change Financial Statement Version
OB62     Change View 'Assign Company Code-> Chart of Accounts': Overview

Maintain Customers
FD01     Create Customer (FI)
FD02     Change Customer (FI)
FD04     Change Customer (FI)
VD01     Create Customer (SD)
VD02     Change Customer (SD)
VD04     Change Customer (SD)
XD01     Create Customer (Centrally)
XD02     Change Customer (Centrally)
XD04     Change Customer (Centrally)

Maintain Vendors
FK01     Create Vendor (FI)
FK02     Change Vendor (FI)
FK04     Change Vendor (FI)
MK01     Create Vendor (MM)
MK02     Change Vendor (MM)
MK04     Change Vendor (MM)
XK01     Create Vendor (Centrally)
XK02     Change Vendor (Centrally)
XK04     Change Vendor (Centrally)

Maintain Billing
VA01     Create Sales Order
VA02     Change Sales Order
VF01     Create Billing Document
VF02     Change Billing Document
VF11     Cancel Billing Document
VFX3     List Blocked Billing Documents

Maintain Revenue
VF44     Revenue recognition worklist
VF45     Revenue recognition: Revenue report

Maintain Checks
FCH3     Void Check
FCH4     Renumber Check
FCH5     Create Check Information
FCH6     Change Check Information/ Cash Check
FCH7     Reprint Check
FCH8     Reverse Check Payment
FCH9     Void Issued Check
FCHD     Delete Payment Run Check Information
FCHR     Online Cashed Check
FCHT     Changed Check/ Payment Allocation
FCHX     Check Extract - Creation

Depreciation
ABMA     Manual Depreciation
ABAA     Unplanned Depreciation
ABAVN    Asset Retirement by Scrapping
ABZU     Write-up

Maintain Postings
FB05     Post with Clearing
FB10     Invoice/ Credit Fast Entry
F110     Parameters for Automatic Payment

Maintain Vendor Invoices
F-41     Enter Vendor Credit Memo
F-42     Enter Transfer Posting
F-43     Enter Vendor Invoice
F-63     Park Vendor Invoice
F-66     Park Vendor Credit Memo

Create PO with Source Determination
ME25     Create PO with Source Determination

Create Purchase Order
ME21     Access to Create Purchase Order
ME21N    Access to Create Purchase Order

Change Purchase Order
ME22     Access to Change Purchase Order
ME22N    Access to Change Purchase Order

Delete Asset
AS06     Delete Asset Record

Multiple Asset
F-91     Asset Acquisition to Clearing Account
F-90     Acquisition from Purchase with Vendor
ABZE     Acquisition from In-house Production
ABMA     Manual Depreciation
ABAA     Unplanned Depreciation
AFAR     Recalculate Depreciation
ABZON    Enter Asset Transaction: Acquisition w/Auto Off. Entry
F-92     Asset Retire from Sale with Customer
ABZP     Acquisition from affiliated company
ABUMN    Enter Asset Transaction: Acquisition within Comp. Code
ABT1N    Enter Asset Transaction: I/C Asset Transfer
ABAON    Enter Asset Transaction: Asset Sale w/o customer
ABAW     Balance Sheet Re-valuation

Create Asset
AS01     Create Asset Master Record

Change Asset
AS02     Change Asset Master Record
AS04     Asset Change

Block Asset
AS05     Access to Block Asset

Risks, FI/GL SoD Matrix (risk level in brackets)

1. [H] Assets are sold to non-existent or fraudulent customers.
2. [H] Assets are disposed at less than the true value.
3. [H] Access to maintain revenues could result in assets acquired from a valid or fictitious vendor directly and may not be detected in a timely manner.
4. [H] Assets are acquired at an overvalued or undervalued price and then depreciated. Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed.
5. [H] Assets are acquired at an overvalued or undervalued price and then depreciated. Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed.
6. [H] Assets are acquired at an overvalued or undervalued price and then depreciated. Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed.
7. [H] Assets are acquired at an overvalued or undervalued price and then depreciated. Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed.
8. [H] Assets are acquired at an overvalued or undervalued price and then depreciated. Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed.
9. [H] Assets are acquired at an overvalued or undervalued price and then depreciated. Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed.
10. [M] Inadequate segregation of duties may result in fraudulent or unintended acquisition, which may not be detected in a timely manner.
11. [M] Inadequate segregation of duties may result in fraudulent or unintended acquisition, which may not be detected in a timely manner.
12. [M] Inadequate segregation of duties may result in fraudulent or unintended acquisition, which may not be detected in a timely manner.
13. [M] Inadequate segregation of duties may result in fraudulent or unintended acquisition, which may not be detected in a timely manner.

Risk, General Ledger (risk level in brackets)

1. [H] Unauthorised users can change FI/company code table data.
2. [H] Unauthorised users can open or close accounting periods.
3. [H] Unauthorised users can change currency exchange rates.
4. [H] User can open accounting periods previously closed and make postings after month end.
5. [H] User can open accounting periods previously closed and make postings after month end.
6. [M] User can park and post journals.
7. [M] User can post journals against G/L accounts they have created / changed.
