SAP GRC SOD Conflicts High Risk

Risk ID
A001
Risk Level
High
Description of Risk
Unauthorized maintenance of planning model and version may
adversely impact the production planning data stored in APO.
This transaction should be limited to selected demand planning
super user or manager.
Unauthorized deletion of active planning version may adversely
impact the production planning data stored in APO. This
transaction should be limited to selected demand planning super
user or manager.
Unauthorized maintenance of planning model and version may
adversely impact the production planning data stored in APO.
This transaction should be limited to selected demand planning
super user or manager.
Access to maintain macros/rules should be controlled via change
management process. Unsupported or incorrect adjustments are
made to the macros/rules may result in inaccurate production
planning and production scheduling.
A developer could modify an existing program in production,
perform traces to the program and configure the production
environment to limit monitoring of the program run by increasing
alarm thresholds and eliminating audit trails through external OS
comma
A developer could create or modify a program in production and
force the transport of these changes after the fact to conceal
irregular development practices. This also enables the reverting
back to the program's original version without any trace of the
changes made in production.
A developer could modify program components (menus, screen
layout, messages, queries) and configure the production
environment to limit monitoring of the program runs using the
modified program components by increasing alarm thresholds
and eliminating audit trail
A developer could modify program components (menus, screen
layout, messages, queries) and force the transport of these
changes after the fact to conceal irregular development
practices. This also enables the reverting back to the program
components origin
An individual could modify data in tables or modify valid
configuration values and setup the production environment to run
transactions and programs using the inappropriately modified
data. This could affect data integrity, system performance, and
proper
An individual could modify data in tables or change valid
configuration and replicate these changes to other clients. This is
particularly sensitive if client administration transactions come
with client-independent authorization allowing the developer to
TCODE
A002
High
A003
High
A008
High
B002
High
B004
High
B006
High
B008
High
B009
High
B010
High
B011
High
An individual could inappropriately modify roles and assignments

and reflect this change to the production's mirror copy eliminating
the chance to revert to the appropriate setup.
BS10
B012
High
BS10
B017
High
B018
High
B019
High
D003
High
D004
High
D005
High
D006
High
A security administrator could make inappropriate changes to

unauthorized security roles, transport them, and assign them to a
fictitious user for execution.
Can create transports, add objects to the transport, and move
the transport: Can put unauthorized object changes into
production, bypassing the Change Control process.
Can reset the number ranges (1) and delete your log/audit trail
(2).
One person controlling both the access in the profile/role and the
user Ids increases the risk of inappropriate access
A user could create a fictitious business partner and initiate
fraudulent sales orders for that partner. Master data such as
business partners should not be maintained by the same users
who process transactions using that master data.
A user could create a fictitious sales order to cover up an
unauthorized shipment.
Inappropriately create or change sales documents and generate
the corresponding billing document in CRM.
Inappropriately create or change sales documents and generate
the corresponding billing document in R3.
AO02
AO03
AO04
AO09
BS02
BS02
BS04
BS04
BS03
BS03
BS07
BS08
BS13
CR03
CR04
CR04
CR04
D007
High
Enter fictitious service orders for personal use and accept the
services through service acceptance. The user could prompt
fraudulent payments. In addition spare parts could be
fraudulently issued from inventory as a result of the confirmation.
CR05
D008
High
CR07
D009
High
D010
High
User can create a fictitious business partner and then process

billing in CRM for that partner.
User can create a fictitious business partner and then process
billing in R3 for that partner.
Inappropriately accept or confirm a service order and generate a
corresponding billing document in CRM for the order.
D011
High
Inappropriately accept or confirm a service order and generate a

corresponding billing document in R3 for the order.
CR06
D013
High
CR08
D014
High
D015
High
D016
High
D017
High
D018
High
D019
High
E001
High
E002
High
E003
High
User could create a fictitious credit memo and run billing due in
CRM to prompt a payment to a customer. The customer could
provide a kickback to the internal user.
User could create a fictitious credit memo and run billing due in
R3 to prompt a payment to a customer. The customer could
provide a kickback to the internal user.
Pricing conditions could be manipulated to provide inappropriate
discounts or incentives to customers which will be realized in an
incorrect invoice.
A user could enter a sales order in CRM and lower prices via
conditions for fraudulent gain
Commission or Incentives may be paid based on the number of
qualified leads. Inappropriately qualified leads could result in
fraudulent commission payments.
service orders. Fraudulent orders could be entered to achieve
higher sales for commissions.
sales orders. Fraudulent orders could be entered to achieve
higher sales reporting for commissions.
Maintain a fictitious vendor and enter an invoice to be included in
the automatic payment run
Purchase unauthorized items and prompt the payment by
invoicing
Enter fictitious orders for personal use and accept the goods or
services through goods receipt or service acceptance
E004
High
Enter fictitious invoices and accept goods or services via goods

receipt or service acceptance
SR03
E005
High
Maintain a fictitious vendor and initiate purchases to that vendor.
SR01
E010
High
FI03
E011
High
A user can hide differences between bank payments and posted

AP records.
Accept goods via SRM goods receipts and perform a WM
physical inventory adjustment afterwards.
E012
High
Accept goods via SRM goods receipts and perform IM physical

inventory adjustment afterwards.
SR06
E013
High
Accept goods via SRM goods receipts and perform IM physical

inventory adjustment afterwards using powerful IM transactions
SR06
E014
High
SR02
E015
High
E019
High
E020
High
E021
High
E022
High
E023
High
Enter fictitious orders for personal use and access the goods or
services through goods receipt
Enter fictitious orders for personal use and access the goods or
services through service acceptance
Approve the purchase of unauthorized goods and hide the
misuse of inventory by not fully receiving the order in R3
Where release strategies are utilized, the same user should not
maintain the purchase order and release or approve it.
Create a fictitious vendor or change existing vendor master data
and approve purchases to this vendor
Enter fictitious orders for personal use and manipulate the
organizational structure to bypass approvals
Create or maintain fictitious vendor and manipulate the
organizational structure to bypass approvals or secondary
checks
AR05
CR06
CR08
AR07
CR04
CR02
CR05
CR04
SR01
SR02
SR02
SR06
SR02
SR07
SR02
SR01
SR02
SR01
E024
High
F005
High
F006
High
F007
High
F008
High
F013
High
F014
High
F015
High
F016
High
F017
High
F025
High
F027
High
G001
High
G002
High
G003
High
G004
High
G005
High
G006
High
G007
High
G008
High
G009
High
G010
High
G011
High
G012
High
Initiate purchases to selecting goods to be included in a

shopping cart then approving the purchase
Create a non bona-fide bank account and create a check from it.
SR08
Pay an invoice and hide it in an asset that would be depreciated

over time.
Create an invoice through ERS goods receipt and hide it in an
asset that would be depreciated over time.
Allows differences between cash deposited and cash collections
posted to be covered up
Create the asset and manipulate the receipt of the associated
asset.
Post overhead expenses to the project and settle the project
without going through the settlement approval process.
Use a fictitious project to allocate overages of an actual project,
and settle the project without going through the settlement
approval process.
Manipulate the work breakdown structure elements (profit
centers, business areas, cost centers, plants) and post overhead
expenses to the project
Maintain a non bona-fide bank account and divert incoming
payments to it.
Create a non bona-fide bank account and create manual checks
from it
Users can create a fictitious trade and fraudulently confirm or
exercise the trade
AP/AR/GL master data creation and posting functions in
conjunction with payment processing, receipt of money, GL
account access; and the ability to modify ECCS hierarchy and
reporting output
reporting output
reporting output
reporting output
reporting output
reporting output
reporting output
reporting output
reporting output
reporting output
reporting output
reporting output
FA01
FI04
FA01
AR02
FA02
PS02
PS01
PS01
FI04
FI04
FI08
EC01
EC01
EC01
EC01
EC01
EC01
EC01
EC01
EC01
EC01
EC01
EC01
G013
High

reporting output
reporting output
Modify payroll master data and then process payroll. Potential for
fraudulent activity.
EC01
G014
High
H001
High
H002
High
Change employee HR Benefits then process payroll without

authorization. Potential for fraudulent activity.
Change to master data and creating the remittance could result
in fraudulent payments.
Change payroll master data and enter time data applied to
incorrect settings.
Modify time data and process payroll resulting in fraudulent
payments
Change configuration of payroll then process payroll resulting in
fraudulent payments
Change configuration of payroll then modify payroll master data
resulting in fraudulent payments
HR01
H003
High
H004
High
H005
High
H006
High
H007
High
H008
High
Change payroll master data and modify PD Structure
HR05
H009
H010
High
High
Enter false time data and perform payroll maintenance.

Change payroll and process payroll without proper authorization.
HR04
PY03
H011
High
PY02
H012
High
Change payroll configuration and perform maintenance on

payroll settings.
Modify payroll configuration and enter false time data.
H013
H014
High
High
Enter false time data and maintain PD structure

Users may enter false time data and process payroll resulting in
fraudulent payments.
HR04
HR03
H015
High
Users may maintain employee master data including pay rates

and delete the payroll result
HR03
H016
High
PY06
M006
High
M011
High
M012
High
P001
High
P002
High
Users may enter false time data and perform work schedule
evaluations
Accept goods via goods receipts and perform a WM physical
Accept goods via goods receipts and perform an IM physical
Accept goods via goods receipts and perform an IM physical
Maintain a fictitious vendor and enter a Vendor invoice for
automatic payment
Maintain a fictitious vendor and create a payment to that vendor
P003
High
AP02
P004
High
Enter fictitious vendor invoices and then render payment to the

vendor
Purchase unauthorized items and initiate payment by invoicing
P005
High
PR02
P006
High
P007
High
Enter fictitious purchase orders for personal use and accept the
goods through goods receipt
Enter fictitious vendor invoices and accept the goods via goods
receipt
Enter a fictitious purchase order and enter the covering payment
P008
High
Create a fictitious vendor and initiate purchases to that vendor
PR01
P011
High
PR02
P014
High
P016
P019
High
High
Inappropriately procure an item and manipulating the IM physical

inventory counts to hide.
Can hide differences between bank payments & posted AP
records
Receive or accept services and enter the covering payments
Approve the purchase of unauthorized goods and hide the
misuse of inventory by not fully receiving the order
EC01
HR03
PY07
HR04
HR04
PY02
HR03
HR04
MM04
MM04
MM04
PR01
AP01
PR02
AP02
PR02
FI03
PR08
PR04
P020
High
Commit the company to fraudulent purchase contracts and

initiate payment for unauthorized goods and services.
Release a non bona-fide purchase order and initiate payment for
the order by entering invoices
Release a non bona-fide purchase order and the action remain
undetected by manipulating the IM physical inventory counts
PR04
P021
High
P022
High
P023
High
Create a fictitious vendor or change existing vendor master data

and approve purchases to this vendor
Enter fictitious purchasing agreements and then render payment
PR04
P026
High
P027
High
Risk of entry of fictitious Purchasing Agreements and the entry of

fictitious Vendor or modification of existing Vendor especially
account data.
Modify purchasing agreements and then receive goods for
fraudulent purposes.
Enter unauthorized items to a purchasing agreement and create
an invoice to obtain those items for personal use
Risk of modifying service master data (to add a service that is
normally not ordered by the company) and the entry of covering
payments
Risk of entering unauthorized payments and reconcile with the
bank through the same person.
Inappropriately procure an item and manipulating the IM physical
inventory counts to hide.
Inappropriately procure an item and manipulating the WM
physical inventory counts to hide.
undetected by manipulating the IM physical inventory counts
PR01
P028
High
P029
High
P030
High
P038
High
P045
High
P046
High
P047
High
P048
High

undetected by manipulating the WM physical inventory counts
PR04
P051
High
Maintain a fictitious vendor and create a payment to that vendor
AP04
P052
High
AP02
P053
High
Enter fictitious vendor invoices and then render payment to the

vendor
Enter a fictitious purchase order and enter the covering payment
P054
High
PR08
P055
High
Receive or accept services and manually enter the covering

check payments
Commit the company to fraudulent purchases and initiate
manual check payments for unauthorized goods and services.
P056
High
AP04
P057
High
P058
High
P059
High
S001
High
S002
High
S003
High
S004
High
S005
High
S006
High
S007
High
S008
High
Enter fictitious purchasing agreements and then render manual

checks for payment
Risk of modifying service master data (to add a service that is
normally not ordered by the company) and the entry of covering
payments
Risk of entering unauthorized manual payments and reconcile
with the bank through the same person.
Where release strategies are utilized, the same user should not
maintain the purchase order and release or approve it.
Enter or modify sales documents and approve customer credit
limits
Create sales documents and immediately clear customer's
obligation
Create a fictitious customer and initiate fraudulent sales
document
Make an unauthorized change to the master record (payment
terms, tolerance level) in favor of the customer and enter an
inappropriate invoice.
Inappropriately create or change rebate agreements and manage
a customer's master record in the favor of the customer. Could
also change a customer's master record to direct payment to an
inappropriate location.
Potentially clear a customer's balance before and create or make
the same change to the billing document for the same customer,
clearing them of their obligation.
Inappropriately create or change a sales documents and
generate a corresponding billing document for it.
Manipulate the user's credit limit and assign generous rebates to
execute a marginal customer's order.
PR04
PR04
AP01
PR05
AP02
AP01
AP01
PR02
PR02
PR04
PR02
PR04
AP04
AP04
PR02
AR04
SD05
SD05
SD01
SD01
AR03
SD05
AR04
S010
High
S011
High
S012
High
S013
High
S014
High
S015
High
S016
S017
High
High
S018
High
S019
High
S022
High
S023
High
S024
High
S025
High
S026
High
S027
High
S028
High
S029
High
Create a billing document for a customer and inappropriately

post a payment from the same customer to conceal nonpayment.
Create a fictitious customer and initiate payment to the
unauthorized customer.
Initiate an unauthorized payment to the customer by entering
fictitious credit memos.
Change the accounts receivable records to cover differences
with customer statements.
Cover up unauthorized shipment by creating a fictitious sales
documents
Sales price modifications for sales invoicing.
AR02
Enter sales documents and lower prices for fraudulent gain

Perform credit approval function and modify cash received for
fraudulent purposes.
Enter a fictitious sales rebates and then render fictitious
payments.
Risk of the same person entering changes to the Customer
Master file and modifying the Cash Received for the customer.
SD05
AR04
Risk of modifying and entering Sales Invoices and approving

Credit Limits by the same person.
Risk of Sales Price modifications for Sales invoicing.
AR07
Maintain a customer master record and post a fraudulent

payment against it
User can create a fictitious customer and then issue invoices to
the customer.
User can create/change an invoice and enter/change payments
against the invoice.
User can create fictitious/incorrect delivery and enter payments
against these, potentially misappropriating goods.
User able to create a fraudulent sales contract to include
additional goods and enter an incorrect customer invoice to hide
the deception.
Create a credit memo then clear the customer to prompt a
payment.
SD01
SD01
AR06
AR02
SD05
AR07
AR02
AR02
AR05
SD01
AR02
SD02
SD05
AR03
Function 1
APO Maintain Model
APO Model
Management
&
TCODE
AO01
Version
Function 2
APO Supply &
Planning
Tc
Demand
AO01
APO Supply &

Planning
Demand
APO active version)
AO01
APO Supply &

Planning
Demand
APO
Define
Macros
AO01
APO Supply &

Planning
Demand
Basis Development
BS06
Configuration
Basis Development
BS12
Transport Administration
Basis Utilities
BS06
Configuration
Basis Utilities
BS12
Basis Table Maintenance
BS11
System Administration
Basis Table Maintenance
BS05
Client Administration
Security Administration
BS05
Client Administration
Security Administration
BS12
Create Transport
BS09
Perform Transport
Maintain Number Ranges
BS11
System Administration
Maintain User Master
BS14
Maintain Profiles / Roles
Maintain Business Partner
CR04
Process CRM Sales Order
SD02
Delivery Processing
CR07
CRM Billing
AR05
Maintain Billing Documents
Advanced
Function 3
Service Order Processing
CR06
Service Confirmation
CRM Billing
CR03
CR03
CR07
CRM Billing
AR05
Process Credit Memo
CR07
CRM Billing
Process Credit Memo
AR05
Process Customer Invoices
CR09
Maintain Conditions
CR09
Maintain Conditions
Maintain Opportunity
PY04
Process Payroll
Service Order Processing
PY04
Process Payroll
PY04
Process Payroll
EBP / SRM Vendor Master
SR03
EBP / SRM Invoicing
EBP / SRM Purchasing
SR03
EBP / SRM Invoicing
SR04
EBP
/
SRM
Goods
Receipt/Service Acceptance
EBP / SRM Invoicing
SR04
EBP
/
SRM
Goods
SR02
Bank Reconciliation
SR03
EBP / SRM Invoicing
EBP
/
SRM
Goods
MM07 Enter Counts - WM
MM08 Clear Differences - WM
EBP
/
SRM
Goods
MM02 Enter Counts - IM
MM01 Clear
Differences
Inventory Management
EBP
/
SRM
Goods
MM03 Enter Counts & Clear Diff IM
MM05 Goods Receipts to PO
PR08
EBP / SRM PO Approval
SR07
SR07
SR09
SR09
EBP / SRM Maintain Org

Structure
EBP / SRM Maintain Org
Structure
Service Acceptance
EBP / SRM Maintain

Shopping Cart
Maintain Bank Master Data
SR07
AP01
AP Payments
Maintain Asset Document
AP02
Process Vendor Invoices
Cash Application
FI03
Maintain Asset Master
Process Overhead Postings
PS03
Settle Projects
Maintain Projects and WBS

Elements
PS03
Settle Projects
Maintain Projects and WBS

Elements
PS02
Process Overhead Postings
AR02
Cash Application
AP04
Manual Check Processing
Create / Change Treasury

Item
Maintain Hierarchies
FI09
Confirm a Treasury Trade
AP01
AP Payments
AP02
AP04
AR02
Cash Application
AR07
CC03
Maintain Cost Centers
FA01
FA02
Maintain Asset Master
FI01
Revenue Reposting
GL01
Post Journal Entry
GL02
Maintain GL Master Data
GL03
Post Journal Entry (misc

Tax/Currency)
Bank Reconciliation
PR01
Vendor Master Maintenance
SD01
Maintain Customer Master

Data
Maintain Employee (PA)

Master Data - 0008 - 0009 (
PY04
Process Payroll
HR Benefits
PY04
Process Payroll
3rd Party Remittance
HR02
HR Vendor Data
Maintain Time Data
PY01
Approve Time
Maintain Time Data
PY04
Process Payroll
Maintain
Payroll
Configuration
Master Data - 0008 - 0009 (
PY04
Process Payroll
PY02
Maintain
Configuration
Modify PD Structure
HR03

Master Data - 0008 - 0009 (
Maintain Time Data

Payroll Maintenance
PY03
PY04
Payroll Maintenance
Process Payroll
Maintain
Payroll
Configuration
Maintain Time Data
PY03
Payroll Maintenance
PY02
Maintain Time Data

Master Data - 0008 - 0009 (
HR05
HR04
Maintain
Payroll
Configuration
Modify PD Structure
Maintain Time Data

Master Data - 0008 - 0009 (
PY03
Payroll Maintenance
Payroll Schemas
HR04
Maintain Time Data
Goods Movements
Goods Movements
MM01 Clear
Differences
Goods Movements

AP02 Process Vendor Invoices
AP Payments
PR01
AP01
AP Payments
Maintain Purchase Order
AP02
AP01
AP Payments
PR02

Bank Reconciliation

AP02 Process Vendor Invoices
Service Acceptance
PO Approval
AP01 AP Payments
Payroll
PO Approval
AP01
AP Payments
PO Approval
AP02
PO Approval
PO Approval
PR01
AP Payments
PR05
Purchasing Agreements
PR05
PR05
AP Payments
PR03
Service
Maintenance
AP Payments
FI03
Bank Reconciliation
PO Approval
PO Approval
PR01
AP04
AP04
Service Acceptance
AP04
PO Approval
AP04
PR05
PR03
Service
Maintenance
FI03
Bank Reconciliation
PR04
PO Approval
Credit Management
SD05
Sales Order Processing
AR03
Clear Customer Balance
SD01

Data
AR07

Data

Data
SD03
Sales Rebates
AR05
AR05
Credit Management
SD03
Sales Rebates
MM01 Clear
Differences
MM01 Clear
Differences
Master
Master
Cash Application
AR05

Data
Process Customer Credit
Memos
Cash Application
AR01
AR Payments
AR01
AR Payments
SD04
Sales Document Release
SD02
Delivery Processing
SD06
Sales Pricing Condition

Credit Management
SD06
AR02

Cash Application
Cash Application
SD03
Sales Rebates
Cash Application
SD01

Data
AR04
Credit Management
SD06

Data
Data
Cash Application
AR03
AR05
AR07
Delivery Processing
AR02
Cash Application
AR07
AR06
Process Customer Credit

Memos

SAP GRC SOD Conflicts High Risk

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

SAP GRC SOD Conflicts High Risk

Загружено:

Авторское право:

Доступные форматы

Risk ID

An individual could inappropriately modify roles and assignments

A security administrator could make inappropriate changes to

User can create a fictitious business partner and then process

Inappropriately accept or confirm a service order and generate a

Enter fictitious invoices and accept goods or services via goods

Maintain a fictitious vendor and initiate purchases to that vendor.

A user can hide differences between bank payments and posted

Accept goods via SRM goods receipts and perform IM physical

Accept goods via SRM goods receipts and perform IM physical

Initiate purchases to selecting goods to be included in a

Pay an invoice and hide it in an asset that would be depreciated

AP/AR/GL master data creation and posting functions in

Change employee HR Benefits then process payroll without

Change payroll master data and modify PD Structure

Enter false time data and perform payroll maintenance.

Change payroll configuration and perform maintenance on

Enter false time data and maintain PD structure

Users may maintain employee master data including pay rates

Enter fictitious vendor invoices and then render payment to the

Create a fictitious vendor and initiate purchases to that vendor

Inappropriately procure an item and manipulating the IM physical

Commit the company to fraudulent purchase contracts and

Create a fictitious vendor or change existing vendor master data

Risk of entry of fictitious Purchasing Agreements and the entry of

Release a non bona-fide purchase order and the action remain

Maintain a fictitious vendor and create a payment to that vendor

Enter fictitious vendor invoices and then render payment to the

Receive or accept services and manually enter the covering

Enter fictitious purchasing agreements and then render manual

Create a billing document for a customer and inappropriately

Enter sales documents and lower prices for fraudulent gain

Risk of modifying and entering Sales Invoices and approving

Maintain a customer master record and post a fraudulent

APO Supply &

APO active version)

APO Supply &

APO Supply &

Basis Table Maintenance

Basis Table Maintenance

Maintain Number Ranges

Maintain User Master

Maintain Profiles / Roles

Maintain Business Partner

Process CRM Sales Order

Process CRM Sales Order

Process CRM Sales Order

Process CRM Sales Order

Maintain Billing Documents

Service Order Processing

Maintain Business Partner

Maintain Billing Documents

Maintain Business Partner

Maintain Billing Documents

Process Credit Memo

Process Credit Memo

Maintain Billing Documents

Process Customer Invoices

Process CRM Sales Order

Service Order Processing

Process CRM Sales Order

EBP / SRM Vendor Master

EBP / SRM Invoicing

EBP / SRM Purchasing