Segregation of Duty Risks

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Function ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|---|
| F001 | GL02 | Maintain GL Master Data | GL01 | Post Journal Entry | MIT-F001 | | | Create a fictitious GL account and generate journal activity or hide activity via posting | |
| F002 | CC03 | Maintain Cost Centers | CC06 | Cost Transfer Processing | MIT-F002 | | | Alter a cost center without authorization and process unauthorized cost transfers to this center, possibly distorting CO reporting. | |
| F003 | CC03 | Maintain Cost Centers | FI01 | Revenue Reposting | MIT-F003 | | | Alter a cost center without authorization and process unauthorized revenue entries to this center, possibly distorting CO reporting. | |
| F004 | CC02 | Maintain CC or CE Groups | GL01 | Post Journal Entry | MIT-F004 | | | Manipulate cost center reports to hide inappropriate journal entry posting. | Medium |
| F005 | FI04 | Maintain Bank Master Data | AP01 | AP Payments | MIT-F005 | | | Create a non bona-fide bank account and create a check from it. | High |
| F006 | FA01 | Maintain Asset Document | AP02 | Process Vendor Invoices | MIT-F006 | | | Pay an invoice and hide it in an asset that would be depreciated over time. | High |
| F007 | FA01 | Maintain Asset Document | MM05 | Goods Receipts to PO | MIT-F007 | | | Create an invoice through ERS goods receipt and hide it in an asset that would be depreciated over time. | |
| F008 | AR02 | Cash Application | FI03 | Bank Reconciliation | MIT-F008 | | | Allows differences between cash deposited and cash collections posted to be covered | |
| F009 | CC01 | Maintain Cost Center Distributions | CC04 | Execute Cost Center Distributions | MIT-F009 | | | Allocate costs to unauthorized cost centers, thereby distorting financial reporting. | Low |
| F010 | CC05 | Maintain Internal CO Order | CC07 | Internal Order Settlement | MIT-F010 | | | Settle expenses from an unauthorized order and distort CO reporting. | Low |
| F011 | FI07 | Maintain Activity Types | FI02 | Activity Allocation | MIT-F011 | | | Alter an activity type used for cost allocation purposes with fictitious data, thereby distorting the cost allocation process. | |
| F012 | FA02 | Maintain Asset Master | FA01 | Maintain Asset Document | MIT-F012 | | | The user responsible for asset master records could process transactions that would allow the asset to be depreciated over time. | |
| F013 | FA02 | Maintain Asset Master | MM05 | Goods Receipts to PO | MIT-F013 | | | Create the asset and manipulate the receipt of the associated asset. | High |
| F014 | PS02 | Process Overhead Postings | PS03 | Settle Projects | MIT-F014 | | | Post overhead expenses to the project and settle the project without going through the settlement approval process. | |
| F015 | PS01 | Maintain Projects and WBS | PS03 | Settle Projects | MIT-F015 | | | Use a fictitious project to allocate overages of an actual project, and settle the project without going through the settlement approval process. | |
| F016 | PS01 | Maintain Projects and WBS | PS02 | Process Overhead Postings | MIT-F016 | | | Manipulate the work breakdown structure elements (profit centers, business areas, cost centers, plants) and post overhead expenses to the project | |
| F017 | FI04 | Maintain Bank Master Data | AR02 | Cash Application | MIT-F017 | | | Maintain a non bona-fide bank account and divert incoming payments to it. | High |
| F018 | FI06 | Maintain Posting Periods | GL01 | Post Journal Entry | MIT-F018 | | | Open previously closed accounting periods and inappropriately post entries after month | |
| F019 | FI06 | Maintain Posting Periods | AP01 | AP Payments | MIT-F019 | | | Open previously closed accounting periods and inappropriately post payments after month end. | |
| F020 | FI06 | Maintain Posting Periods | AR02 | Cash Application | MIT-F020 | | | User able to open accounting periods previously closed and enter incoming payments after month end reporting. | |
| F021 | FI06 | Maintain Posting Periods | MM04 | Goods Movements | MIT-F021 | | | Open previously closed accounting periods and inappropriately receive or issue goods after month end. | |
| F022 | GL02 | Maintain GL Master Data | GL03 | Post Journal Entry (misc | MIT-F022 | | | Create a fictitious GL account and generate miscellaneous general ledger activity or hide fraudulent activity via posting entries. | |
| F023 | CC02 | Maintain CC or CE Groups | GL03 | Post Journal Entry (misc | MIT-F023 | | | Manipulate cost center reports to hide inappropriate miscellaneous journal entry | |
| F024 | FI06 | Maintain Posting Periods | GL03 | Post Journal Entry (misc | MIT-F024 | | | Open previously closed accounting periods and inappropriately post tax and currency journal entries after month end. | |
| F025 | FI04 | Maintain Bank Master Data | AP04 | Manual Check Processing | MIT-F025 | | | Create a non bona-fide bank account and create manual checks from it | High |
| F026 | FI06 | Maintain Posting Periods | AP04 | Manual Check Processing | MIT-F026 | | | Open previously closed accounting periods and inappropriately post manual payments | Medium |
| F027 | FI08 | Create / Change Treasury | FI09 | Confirm a Treasury Trade | MIT-F027 | | | Users can create a fictitious trade and fraudulently confirm or exercise the trade | High |
| F028 | GL01 | Post Journal Entry | AP02 | Process Vendor Invoices | MIT-F028 | | | Adjust the subsidiary balance using the vendor invoice entry and then cover it up using journal entries | |
| F029 | GL01 | Post Journal Entry | AR01 | AR Payments | MIT-F029 | | | Adjust the subsidiary balance using the AR payment transaction and then cover it up using journal entries | |
| F030 | GL01 | Post Journal Entry | AR02 | Cash Application | MIT-F030 | | | Adjust the subsidiary balance using the AR payment transaction and then cover it up using journal entries | |
| F031 | GL01 | Post Journal Entry | AR05 | AR Payments | MIT-F031 | | | Adjust the subsidiary balance using the AR payment transaction and then cover it up using journal entries | |

Materials Management / Quality Management / Production Planning

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Function ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|---|
| M001 | PP02 | Production Order Processing | FI05 | Product Costing | MIT-M001 | | | Increase production to reduce cost variances | Low |
| M002 | PP02 | Production Order Processing | PP01 | Confirm Production Order | MIT-M002 | | | Production order processing and confirming production orders | Low |
| M003 | PP01 | Confirm Production Order | FI05 | Product Costing | MIT-M003 | | | Increase production to reduce cost variances due to productivity | Low |
| M004 | QM01 | Quality Results Reporting | SD02 | Delivery Processing | MIT-M004 | | | Transfer stock to general release to meet delivery schedules | Low |
| M005 | QM01 | Quality Results Reporting | MM07 | Enter Counts - WM | MIT-M005 | MM08 | Clear Differences - WM | Remove inferior materials by adjusting out via WM inventory | Medium |
| M006 | MM04 | Goods Movements | MM07 | Enter Counts - WM | MIT-M006 | MM08 | Clear Differences - WM | Accept goods via goods receipts and perform a WM physical inventory adjustment afterwards. | |
| M007 | QM01 | Quality Results Reporting | PP01 | Confirm Production Order | MIT-M007 | | | Release produced materials to GR stock to maintain production quotas | Medium |
| M008 | GL01 | Post Journal Entry | MM07 | Enter Counts - WM | MIT-M008 | MM08 | Clear Differences - WM | Hide WM inventory adjustments via ledger entries | Medium |
| M009 | QM01 | Quality Results Reporting | MM02 | Enter Counts - IM | MIT-M009 | MM01 | Clear Differences - Inventory Management | Remove inferior materials by adjusting out via IM inventories | Medium |
| M010 | QM01 | Quality Results Reporting | MM03 | Enter Counts & Clear Diff - | MIT-M010 | | | Remove inferior materials by adjusting out via IM inventories | Medium |
| M011 | MM04 | Goods Movements | MM02 | Enter Counts - IM | MIT-M011 | MM01 | Clear Differences - Inventory Management | Accept goods via goods receipts and perform an IM physical inventory adjustment | |
| M012 | MM04 | Goods Movements | MM03 | Enter Counts & Clear Diff - | MIT-M012 | | | Accept goods via goods receipts and perform an IM physical inventory adjustment | |
| M013 | GL01 | Post Journal Entry | MM03 | Enter Counts & Clear Diff - | MIT-M013 | | | Hide IM inventory adjustments via ledger entries | Medium |
| M014 | GL01 | Post Journal Entry | MM02 | Enter Counts - IM | MIT-M014 | MM01 | Clear Differences - Inventory Management | Hide IM inventory adjustments via ledger entries | Medium |

Procure to Pay

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Function ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|---|
| P001 | PR01 | Vendor Master Maintenance | AP02 | Process Vendor Invoices | | | | Maintain a fictitious vendor and enter a vendor invoice for automatic payment | High |
| P002 | AP01 | AP Payments | PR01 | Vendor Master Maintenance | | | | Maintain a fictitious vendor and create a payment to that vendor | High |
| P003 | AP02 | Process Vendor Invoices | AP01 | AP Payments | | | | Enter fictitious vendor invoices and then render payment to the vendor | High |
| P004 | PR02 | Maintain Purchase Order | AP02 | Process Vendor Invoices | | | | Purchase unauthorized items and initiate payment by invoicing | High |
| P005 | PR02 | Maintain Purchase Order | MM05 | Goods Receipts to PO | | | | Enter fictitious purchase orders for personal use and accept the goods through goods receipt | |
| P006 | AP02 | Process Vendor Invoices | MM05 | Goods Receipts to PO | | | | Enter fictitious vendor invoices and accept the goods via goods receipt | High |
| P007 | PR02 | Maintain Purchase Order | AP01 | AP Payments | | | | Enter a fictitious purchase order and enter the covering payment | High |
| P008 | PR01 | Vendor Master Maintenance | PR02 | Maintain Purchase Order | | | | Create a fictitious vendor and initiate purchases to that vendor | High |
| P009 | AP03 | Release Blocked Invoices | PR08 | Service Acceptance | | | | Receive or accept services and release a previously blocked invoice to offset the receipt | Medium |
| P010 | AP03 | Release Blocked Invoices | PR02 | Maintain Purchase Order | | | | Enter an unauthorized purchase order and release a previously blocked invoice to offset the purchase order | |
| P011 | PR02 | Maintain Purchase Order | MM03 | Enter Counts & Clear Diff - | | | | Inappropriately procure an item and manipulating the IM physical inventory counts to | |
| P012 | PR03 | Service Master Maintenance | PR07 | Requisitioning | | | | Risk of modifying or adding to service master data (to add an item that normally is not ordered by the company) and then creating or changing a requisition. | |
| P013 | MM06 | Maintain Material Master | PR02 | Maintain Purchase Order | | | | Add items to the material master or service master file and create fraudulent purchase orders for those items | |
| P014 | FI03 | Bank Reconciliation | AP02 | Process Vendor Invoices | | | | Can hide differences between bank payments and posted AP records | High |
| P015 | AP03 | Release Blocked Invoices | MM05 | Goods Receipts to PO | | | | Receive goods against a purchase order and release a previously blocked invoice to offset the receipt | |
| P016 | PR08 | Service Acceptance | AP01 | AP Payments | | | | Receive or accept services and enter the covering payments | High |
| P017 | PR02 | Maintain Purchase Order | PR08 | Service Acceptance | | | | Enter fictitious purchase orders for personal use and accept the services through service acceptance | |
| P018 | MM06 | Maintain Material Master | PR05 | Purchasing Agreements | | | | Add an item to the material master or service master file and then fraudulently add those items to purchasing agreements | |
| P019 | PR04 | PO Approval | MM05 | Goods Receipts to PO | | | | Approve the purchase of unauthorized goods and hide the misuse of inventory by not fully receiving the order | |
| P020 | PR04 | PO Approval | AP01 | AP Payments | | | | Commit the company to fraudulent purchase contracts and initiate payment for unauthorized goods and services. | |
| P021 | PR04 | PO Approval | AP02 | Process Vendor Invoices | | | | Release a non bona-fide purchase order and initiate payment for the order by entering invoices | |
| P022 | PR04 | PO Approval | MM02 | Enter Counts - IM | | MM01 | Clear Differences - Inventory Management | Release a non bona-fide purchase order and keep the action undetected by manipulating the IM physical inventory counts | |
| P023 | PR04 | PO Approval | PR01 | Vendor Master Maintenance | | | | Create a fictitious vendor or change existing vendor master data and approve purchases to this vendor | |
| P024 | PR04 | PO Approval | MM06 | Maintain Material Master | | | | Add or modify material master data and release an order for personal use | Medium |
| P025 | AP03 | Release Blocked Invoices | PR05 | Purchasing Agreements | | | | Modify a purchasing agreement and release a previously blocked invoice to offset the vendor account. | |
| P026 | AP01 | AP Payments | PR05 | Purchasing Agreements | | | | Enter fictitious purchasing agreements and then render payment | High |
| P027 | PR01 | Vendor Master Maintenance | PR05 | Purchasing Agreements | | | | Risk of entry of fictitious purchasing agreements and the entry of a fictitious vendor or modification of an existing vendor, especially account data. | |
| P028 | PR05 | Purchasing Agreements | MM05 | Goods Receipts to PO | | | | Modify purchasing agreements and then receive goods for fraudulent purposes. | High |
| P029 | AP02 | Process Vendor Invoices | PR05 | Purchasing Agreements | | | | Enter unauthorized items to a purchasing agreement and create an invoice to obtain those items for personal use | |
| P030 | AP01 | AP Payments | PR03 | Service Master Maintenance | | | | Risk of modifying service master data (to add a service that is normally not ordered by the company) and the entry of covering payments | |
| P031 | PR03 | Service Master Maintenance | PR06 | Release Requisitions | | | | Risk of addition of services to the service master file (services not related to business purpose) and the ability to create a requisition for those services. | |
| P032 | PR06 | Release Requisitions | PR05 | Purchasing Agreements | | | | Risk of entering or maintaining a purchasing agreement and authorizing the related requisition through its release. | |
| P033 | PR07 | Requisitioning | PR02 | Maintain Purchase Order | | | | Risk of the same person requisitioning an item and creating a purchase order from that requisition. | |
| P034 | PR02 | Maintain Purchase Order | PR03 | Service Master Maintenance | | | | Add items to the service master file and create fraudulent purchase orders for those items | |
| P035 | PR05 | Purchasing Agreements | MM03 | Enter Counts & Clear Diff - | | | | Risk of the same person entering a purchasing agreement for materials and then adjusting the IM inventory for those materials. | |
| P036 | MM06 | Maintain Material Master | PR07 | Requisitioning | | | | Risk of modifying or adding to material master data (to add material that normally is not ordered by the company) and then the release of a material requisition. | |
| P037 | PR07 | Requisitioning | PR06 | Release Requisitions | | | | Risk of the same person requisitioning an item and then releasing a requisition for purchase, bypassing the authorization process. | |
| P038 | AP01 | AP Payments | FI03 | Bank Reconciliation | | | | Risk of the same person entering unauthorized payments and reconciling them with the bank. | |
| P039 | AP02 | Process Vendor Invoices | PR08 | Service Acceptance | | | | Risk of entering vendor invoices and the ability to accept those services in the service receipts entry. | |
| P040 | PR06 | Release Requisitions | PR02 | Maintain Purchase Order | | | | Risk of the same person releasing a requisition and generating the accompanying purchase order. | |
| P041 | PR03 | Service Master Maintenance | PR05 | Purchasing Agreements | | | | Add an item to the material master or service master file and then fraudulently add those items to purchasing agreements | |
| P042 | PR04 | PO Approval | PR03 | Service Master Maintenance | | | | Add or modify service master data and release an order for personal use | Medium |
| P043 | AP03 | Release Blocked Invoices | PR04 | PO Approval | | | | Release a purchase order and release a previously blocked invoice to offset the vendor account. | |
| P044 | PR04 | PO Approval | PR08 | Service Acceptance | | | | Release a fictitious purchase order for personal use and accept the services through service acceptance | |
| P045 | PR02 | Maintain Purchase Order | MM02 | Enter Counts - IM | | MM01 | Clear Differences - Inventory Management | Inappropriately procure an item and manipulating the IM physical inventory counts to | |
| P046 | PR02 | Maintain Purchase Order | MM07 | Enter Counts - WM | | MM08 | Clear Differences - WM | Inappropriately procure an item and manipulate the WM physical inventory counts to hide it. | |
| P047 | PR04 | PO Approval | MM03 | Enter Counts & Clear Diff - | | | | Release a non bona-fide purchase order and keep the action undetected by manipulating the IM physical inventory counts | |
| P048 | PR04 | PO Approval | MM07 | Enter Counts - WM | | MM08 | Clear Differences - WM | Release a non bona-fide purchase order and keep the action undetected by manipulating the WM physical inventory counts | |
| P049 | PR05 | Purchasing Agreements | MM02 | Enter Counts - IM | | MM01 | Clear Differences - Inventory Management | Risk of the same person entering a purchasing agreement for materials and then adjusting the IM inventory for those materials. | |
| P050 | PR05 | Purchasing Agreements | MM07 | Enter Counts - WM | | MM08 | Clear Differences - WM | Risk of the same person entering a purchasing agreement for materials and then adjusting the WM inventory for those materials. | |
| P051 | AP04 | Manual Check Processing | PR01 | Vendor Master Maintenance | | | | Maintain a fictitious vendor and create a payment to that vendor | High |
| P052 | AP02 | Process Vendor Invoices | AP04 | Manual Check Processing | | | | Enter fictitious vendor invoices and then render payment to the vendor | High |
| P053 | PR02 | Maintain Purchase Order | AP04 | Manual Check Processing | | | | Enter a fictitious purchase order and enter the covering payment | High |
| P054 | PR08 | Service Acceptance | AP04 | Manual Check Processing | | | | Receive or accept services and manually enter the covering check payments | High |
| P055 | PR04 | PO Approval | AP04 | Manual Check Processing | | | | Commit the company to fraudulent purchases and initiate manual check payments for unauthorized goods and services. | |
| P056 | AP04 | Manual Check Processing | PR05 | Purchasing Agreements | | | | Enter fictitious purchasing agreements and then render manual checks for payment | High |
| P057 | AP04 | Manual Check Processing | PR03 | Service Master Maintenance | | | | Risk of modifying service master data (to add a service that is normally not ordered by the company) and the entry of covering payments | |
| P058 | AP04 | Manual Check Processing | FI03 | Bank Reconciliation | | | | Risk of the same person entering unauthorized manual payments and reconciling them with the bank. | |
| P059 | PR02 | Maintain Purchase Order | PR04 | PO Approval | | | | Where release strategies are utilized, the same user should not maintain the purchase order and release or approve it. | |
| P060 | AP02 | Process Vendor Invoices | AP03 | Release Blocked Invoices | | | | The automated controls for invoicing can be circumvented. Invoices are usually blocked due to price or quantity differences. | |
| P061 | PR11 | Maintain Vendor Pricing | AP01 | AP Payments | | | | Transactional processing should be segregated from pricing master data. | Medium |
| P062 | PR11 | Maintain Vendor Pricing | AP02 | Process Vendor Invoices | | | | Transactional processing should be segregated from pricing master data. | Medium |
| P063 | PR11 | Maintain Vendor Pricing | AP03 | Release Blocked Invoices | | | | Transactional processing should be segregated from pricing master data. | Medium |
| P064 | PR11 | Maintain Vendor Pricing | AP04 | Manual Check Processing | | | | Transactional processing should be segregated from pricing master data. | Medium |
| P065 | PR11 | Maintain Vendor Pricing | PR04 | PO Approval | | | | Transactional processing should be segregated from pricing master data. | Medium |
| P066 | PR11 | Maintain Vendor Pricing | PR06 | Release Requisitions | | | | Transactional processing should be segregated from pricing master data. | Medium |
| P067 | PR11 | Maintain Vendor Pricing | PR07 | Requisitioning | | | | Transactional processing should be segregated from pricing master data. | Medium |

Order to Cash

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Function ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|---|
| S001 | AR04 | Credit Management | SD05 | Sales Order Processing | | | | Enter or modify sales documents and approve customer credit limits | High |
| S002 | SD05 | Sales Order Processing | AR03 | Clear Customer Balance | | | | Create sales documents and immediately clear the customer's obligation | High |
| S003 | SD05 | Sales Order Processing | SD01 | Maintain Customer Master Data | | | | Create a fictitious customer and initiate a fraudulent sales document | High |
| S004 | SD01 | Maintain Customer Master Data | AR07 | Process Customer Invoices | | | | Make an unauthorized change to the master record (payment terms, tolerance level) in favor of the customer and enter an inappropriate invoice. | |
| S005 | SD01 | Maintain Customer Master Data | SD03 | Sales Rebates | | | | Inappropriately create or change rebate agreements and manage a customer's master record in favor of the customer. Could also change a customer's master record to direct payment to an inappropriate location. | High |
| S006 | AR03 | Clear Customer Balance | AR05 | Maintain Billing Documents | | | | Potentially clear a customer's balance and create or make the same change to the billing document for the same customer, clearing them of their obligation. | |
| S007 | SD05 | Sales Order Processing | AR05 | Maintain Billing Documents | | | | Inappropriately create or change a sales document and generate a corresponding billing document for it. | |
| S008 | AR04 | Credit Management | SD03 | Sales Rebates | | | | Manipulate the user's credit limit and assign generous rebates to execute a marginal customer's order. | |
| S009 | SD05 | Sales Order Processing | AR02 | Cash Application | | | | Enter a fictitious sales document and then render fictitious payments. | Medium |
| S010 | AR02 | Cash Application | AR05 | Maintain Billing Documents | | | | Create a billing document for a customer and inappropriately post a payment from the same customer to conceal non-payment. | |
| S011 | SD01 | Maintain Customer Master Data | AR01 | AR Payments | | | | Create a fictitious customer and initiate payment to the unauthorized customer. | High |
| S012 | AR06 | Process Customer Credit | AR01 | AR Payments | | | | Initiate an unauthorized payment to the customer by entering fictitious credit memos. | High |
| S013 | AR02 | Cash Application | SD04 | Sales Document Release | | | | Change the accounts receivable records to cover differences with customer statements. | High |
| S014 | SD05 | Sales Order Processing | SD02 | Delivery Processing | | | | Cover up an unauthorized shipment by creating a fictitious sales document | High |
| S015 | AR07 | Process Customer Invoices | SD06 | Sales Pricing Condition | | | | Sales price modifications for sales invoicing. | High |
| S016 | SD05 | Sales Order Processing | SD06 | Sales Pricing Condition | | | | Enter sales documents and lower prices for fraudulent gain | High |
| S017 | AR04 | Credit Management | AR02 | Cash Application | | | | Perform the credit approval function and modify cash received for fraudulent purposes. | High |
| S018 | AR02 | Cash Application | SD03 | Sales Rebates | | | | Enter fictitious sales rebates and then render fictitious payments. | High |
| S019 | AR02 | Cash Application | SD01 | Maintain Customer Master Data | | | | Risk of the same person entering changes to the customer master file and modifying the cash received for the customer. | |
| S020 | SD05 | Sales Order Processing | SD04 | Sales Document Release | | | | Risk of entering and releasing sales documents by the same person | Medium |
| S021 | SD05 | Sales Order Processing | SD03 | Sales Rebates | | | | Risk of entering sales documents and giving sales rebates by the same person, effectively granting an indirect price discount. | |
| S022 | AR07 | Process Customer Invoices | AR04 | Credit Management | | | | Risk of modifying and entering sales invoices and approving credit limits by the same person. | |
| S023 | AR05 | Maintain Billing Documents | SD06 | Sales Pricing Condition | | | | Risk of sales price modifications for sales invoicing. | High |
| S024 | SD01 | Maintain Customer Master Data | AR03 | Clear Customer Balance | | | | Maintain a customer master record and post a fraudulent payment against it | High |
| S025 | SD01 | Maintain Customer Master Data | AR05 | Maintain Billing Documents | | | | User can create a fictitious customer and then issue invoices to the customer. | High |
| S026 | AR02 | Cash Application | AR07 | Process Customer Invoices | | | | User can create/change an invoice and enter/change payments against the invoice. | High |
| S027 | SD02 | Delivery Processing | AR02 | Cash Application | | | | User can create a fictitious/incorrect delivery and enter payments against it, potentially misappropriating goods. | |
| S028 | SD05 | Sales Order Processing | AR07 | Process Customer Invoices | | | | User able to create a fraudulent sales contract to include additional goods and enter an incorrect customer invoice to hide the deception. | |
| S029 | AR03 | Clear Customer Balance | AR06 | Process Customer Credit | | | | Create a credit memo, then clear the customer to prompt a payment. | High |

HR and Payroll

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Function ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|---|
| H001 | HR03 | Maintain Employee (PA) Master Data - 0008 - 0009 ( | PY04 | Process Payroll | | | | Modify payroll master data and then process payroll. Potential for fraudulent activity. | High |
| H002 | HR01 | HR Benefits | PY04 | Process Payroll | | | | Change employee HR benefits, then process payroll without authorization. Potential for fraudulent activity. | |
| H003 | PY07 | 3rd Party Remittance | HR02 | HR Vendor Data | | | | Changing master data and creating the remittance could result in fraudulent payments. | High |
| H004 | HR04 | Maintain Time Data | PY01 | Approve Time | | | | Change payroll master data and enter time data applied to incorrect settings. | High |
| H005 | HR04 | Maintain Time Data | PY04 | Process Payroll | | | | Modify time data and process payroll, resulting in fraudulent payments | High |
| H006 | PY02 | Maintain Payroll Configuration | PY04 | Process Payroll | | | | Change the configuration of payroll, then process payroll, resulting in fraudulent payments | High |
| H007 | HR03 | Maintain Employee (PA) Master Data - 0008 - 0009 ( | PY02 | Maintain Payroll Configuration | | | | Change the configuration of payroll, then modify payroll master data, resulting in fraudulent | |
| H008 | HR05 | Modify PD Structure | HR03 | Maintain Employee (PA) Master Data - 0008 - 0009 ( | | | | Change payroll master data and modify the PD structure | High |
| H009 | HR04 | Maintain Time Data | PY03 | Payroll Maintenance | | | | Enter false time data and perform payroll maintenance. | High |
| H010 | PY03 | Payroll Maintenance | PY04 | Process Payroll | | | | Change payroll and process payroll without proper authorization. | High |
| H011 | PY02 | Maintain Payroll Configuration | PY03 | Payroll Maintenance | | | | Change payroll configuration and perform maintenance on payroll settings. | High |
| H012 | HR04 | Maintain Time Data | PY02 | Maintain Payroll Configuration | | | | Modify payroll configuration and enter false time data. | High |
| H013 | HR04 | Maintain Time Data | HR05 | Modify PD Structure | | | | Enter false time data and maintain the PD structure | High |
| H014 | HR03 | Maintain Employee (PA) Master Data - 0008 - 0009 ( | HR04 | Maintain Time Data | | | | Users may enter false time data and process payroll, resulting in fraudulent payments. | High |
| H015 | HR03 | Maintain Employee (PA) Master Data - 0008 - 0009 ( | PY03 | Payroll Maintenance | | | | Users may maintain employee master data, including pay rates, and delete the payroll result | |
| H016 | PY06 | Payroll Schemas | HR04 | Maintain Time Data | | | | Users may enter false time data and perform work schedule evaluations | High |
| H017 | PY05 | Time Evaluations | HR04 | Maintain Time Data | | | | Users may enter false time data and perform time evaluations | Medium |
| H018 | PY05 | Time Evaluations | HR05 | Modify PD Structure | | | | Perform time evaluations and change the PD structure to misroute the data for approvals | |
| H019 | PY05 | Time Evaluations | PY03 | Payroll Maintenance | | | | Perform time evaluations and delete payroll results, which could disrupt the payroll process | |
| H020 | PY05 | Time Evaluations | PY04 | Process Payroll | | | | Users who both perform the time evaluation and process payroll could hide fraudulent actions. | |
| H021 | PY05 | Time Evaluations | PY06 | Payroll Schemas | | | | Users who can both perform time evaluations and maintain payroll schemas could hide fraudulent actions | |


| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Function ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|---|
| B001 | BS02 | Basis Development | BS11 | System Administration | MIT-B001 | | | A developer could modify an existing program in production, perform traces on the program, and configure the production environment to run the program. This may affect system performance and data integrity and allows inappropriate program modification. | Medium |
| B002 | BS02 | Basis Development | BS06 | Configuration | MIT-B002 | | | A developer could modify an existing program in production, perform traces on the program, and configure the production environment to limit monitoring of the program run by increasing alarm thresholds and eliminating audit trails through external OS commands. | High |
| B003 | BS02 | Basis Development | BS05 | Client Administration | MIT-B003 | | | A developer could create or modify a program in production and replicate these changes to other clients. This bypasses the inherent controls in the transport process and could negatively impact the DV and QA clients. | Medium |
| B004 | BS02 | Basis Development | BS12 | Transport Administration | MIT-B004 | | | A developer could create or modify a program in production and force the transport of these changes after the fact to conceal irregular development practices. This also enables reverting to the program's original version without any trace of the changes made in production. | |
| B005 | BS04 | Basis Utilities | BS11 | System Administration | MIT-B005 | | | A developer could modify program components (menus, screen layout, messages, queries) and configure the production environment to execute the program with these changes. This may affect system performance, data integrity and inappropriate program | |
| B006 | BS04 | Basis Utilities | BS06 | Configuration | MIT-B006 | | | A developer could modify program components (menus, screen layout, messages, queries) and configure the production environment to limit monitoring of the program runs that use the modified program components by increasing alarm thresholds and eliminating audit trails. | |
| B007 | BS04 | Basis Utilities | BS05 | Client Administration | MIT-B007 | | | A developer could modify program components (menus, screen layout, messages, queries) and replicate these changes to other clients. This bypasses the inherent controls in the transport process and could negatively impact the DV and QA clients. | Medium |
| B008 | BS04 | Basis Utilities | BS12 | Transport Administration | MIT-B008 | | | A developer could modify program components (menus, screen layout, messages, queries) and force the transport of these changes after the fact to conceal irregular development practices. This also enables reverting to the program components | |
| B009 | BS03 | Basis Table Maintenance | BS11 | System Administration | MIT-B009 | | | An individual could modify data in tables or modify valid configuration values and set up the production environment to run transactions and programs using the inappropriately modified data. This could affect data integrity, system performance, and proper | High |
| B010 | BS03 | Basis Table Maintenance | BS05 | Client Administration | MIT-B010 | | | An individual could modify data in tables or change valid configuration and replicate these changes to other clients. This is particularly sensitive if client administration transactions come with client-independent authorization, allowing the developer to | High |
| B011 | BS10 | Security Administration | BS05 | Client Administration | MIT-B011 | | | An individual could inappropriately modify roles and assignments and reflect this change to the production's mirror copy, eliminating the chance to revert to the appropriate setup. | |
| B012 | BS10 | Security Administration | BS12 | Transport Administration | MIT-B012 | | | A security administrator could make inappropriate changes to unauthorized security roles, transport them, and assign them to a fictitious user for execution. | |
| B013 | BS01 | Archiving | BS11 | System Administration | MIT-B013 | | | An administrator could execute archiving transactions during peak end-user usage and administer the production system to allow for maximum system resources to complete the archiving function, affecting system performance. | Medium |
| B014 | BS01 | Archiving | BS06 | Configuration | MIT-B014 | | | A user could configure the production environment to limit monitoring of the inappropriate archiving runs by increasing alarm thresholds and eliminating audit trails through external OS commands. | Medium |
| B015 | BS01 | Archiving | BS05 | Client Administration | MIT-B015 | | | A user could inappropriately archive client-independent data and settings and use client administration functions to replicate such changes to other clients. | |
| B016 | BS01 | Archiving | BS12 | Transport Administration | MIT-B016 | | | Usually the individuals responsible for archiving are end-users who understand the business processes and data retention needs. Their job responsibilities do not require transport administration transactions. The reverse can be said for the users | |
| B017 | BS07 | Create Transport | BS09 | Perform Transport | MIT-B017 | | | Can create transports, add objects to the transport, and move the transport: can put unauthorized object changes into production, bypassing the change control process. | |
| B018 | BS08 | Maintain Number Ranges | BS11 | System Administration | MIT-B018 | | | Can reset the number ranges (1) and delete your log/audit trail (2). | High |
| B019 | BS13 | Maintain User Master | BS14 | Maintain Profiles / Roles | MIT-B019 | | | One person controlling both the access in the profile/role and the user IDs increases the risk of inappropriate access | |

Maintaining Opportunities (qualifying the lead) must be independent of generating leads.
D001 CR01 Generate & Process Leads CR02 Maintain Opportunity Sales or Production forecast could be based on the number of qualified leads. In some Medium
companies, commissions could be paid based on the number of qualified leads.

The creation of key Business Partner data should be segregated from the Marketing
D002 CR01 Generate & Process Leads CR03 Maintain Business Partner groups Leads and Opportunity management. BPs should only be created after the Medium
appropriate review by the Master Data group.

A user could create a fictitious business partner and initiate fraudulent sales orders for
D003 CR03 Maintain Business Partner CR04 Process CRM Sales Order that partner. Master data such as business partners should not be maintained by the High
same users who process transactions using that master data.

D004 CR04 Process CRM Sales Order SD02 Delivery Processing A user could create a fictitious sales order to cover up an unauthorized shipment. High

Inappropriately create or change sales documents and generate the corresponding

D005 CR04 Process CRM Sales Order CR07 CRM Billing billing document in CRM.

Inappropriately create or change sales documents and generate the corresponding

D006 CR04 Process CRM Sales Order AR05 Maintain Billing Documents billing document in R3.

Enter fictitious service orders for personal use and accept the services through service
D007 CR05 Service Order Processing CR06 Service Confirmation acceptance. The user could prompt fraudulent payments. In addition spare parts could High
be fraudulently issued from inventory as a result of the confirmation.

User can create a fictitious business partner and then process billing in CRM for that
D008 CR07 CRM Billing CR03 Maintain Business Partner partner.

User can create a fictitious business partner and then process billing in R3 for that
D009 AR05 Maintain Billing Documents CR03 Maintain Business Partner partner.

Inappropriately accept or confirm a service order and generate a corresponding billing

D010 CR06 Service Confirmation CR07 CRM Billing document in CRM for the order. High

Inappropriately accept or confirm a service order and generate a corresponding billing

D011 CR06 Service Confirmation AR05 Maintain Billing Documents document in R3 for the order.

Internal user can be in collusion with a customer, process a fictitious inbound delivery
D012 SD07 Inbound Delivery Processing CR08 Process Credit Memo (based on complaint entered by the customer) and process a credit memo to the Medium

User could create a fictitious credit memo and run billing due in CRM to prompt a
D013 CR08 Process Credit Memo CR07 CRM Billing payment to a customer. The customer could provide a kickback to the internal user.

User could create a fictitious credit memo and run billing due in R3 to prompt a payment
D014 CR08 Process Credit Memo AR05 Maintain Billing Documents to a customer. The customer could provide a kickback to the internal user. High

Pricing conditions could be manipulated to provide inappropriate discounts or incentives

D015 AR07 Process Customer Invoices CR09 Maintain Conditions to customers which will be realized in an incorrect invoice.

Page 10 of 14
Segregation of Duty Risks

Risk ID FunctionID Function 1 FunctionID Function 2 Mitigation ID Function Function 3 Description of Risk Risk Level

A user could enter a sales order in CRM and lower prices via conditions for fraudulent
D016 CR04 Process CRM Sales Order CR09 Maintain Conditions gain

Commission or Incentives may be paid based on the number of qualified leads.

D017 CR02 Maintain Opportunity PY04 Process Payroll Inappropriately qualified leads could result in fraudulent commission payments.

Commission or Incentives may be paid based on the number of service orders.

D018 CR05 Service Order Processing PY04 Process Payroll Fraudulent orders could be entered to achieve higher sales for commissions.

Commission or Incentives may be paid based on the number of sales orders. Fraudulent
D019 CR04 Process CRM Sales Order PY04 Process Payroll orders could be entered to achieve higher sales reporting for commissions.

D020 CR10 Maintain Product Catalog CR04 Process CRM Sales Order Add items to product catalogs and create fictitious sales orders for those items Medium

Maintain a fictitious vendor and enter an invoice to be included in the automatic payment
E001 SR01 EBP / SRM Vendor Master SR03 EBP / SRM Invoicing run

E002 SR02 EBP / SRM Purchasing SR03 EBP / SRM Invoicing Purchase unauthorized items and prompt the payment by invoicing High

EBP / SRM Goods Enter fictitious orders for personal use and accept the goods or services through goods
E003 SR02 EBP / SRM Purchasing SR04
receipt or service acceptance
Receipt/Service Acceptance

EBP / SRM Goods Enter fictitious invoices and accept goods or services via goods receipt or service
E004 SR03 EBP / SRM Invoicing SR04
Receipt/Service Acceptance

E005 SR01 EBP / SRM Vendor Master SR02 EBP / SRM Purchasing Maintain a fictitious vendor and initiate purchases to that vendor. High

E006 SR02 EBP / SRM Purchasing MM07 Enter Counts - WM MM08 Clear Differences - WM Inappropriately procure items and manipulate the WM physical inventory counts to hide. Medium

Clear Differences -
E007 SR02 EBP / SRM Purchasing MM02 Enter Counts - IM MM01 Inappropriately procure items and manipulate the IM physical inventory counts to hide. Medium
Inventory Management

Enter Counts & Clear Diff -

E008 SR02 EBP / SRM Purchasing MM03 Inappropriately procure items and manipulate the IM physical inventory counts to hide. Medium

EBP / SRM Product

E009 SR05 SR02 EBP / SRM Purchasing Add items to the catalog or master file and create fraudulent orders for those items. Medium

E010 FI03 Bank Reconciliation SR03 EBP / SRM Invoicing A user can hide differences between bank payments and posted AP records. High

EBP / SRM Goods Accept goods via SRM goods receipts and perform a WM physical inventory adjustment
E011 SR06 MM07 Enter Counts - WM MM08 Clear Differences - WM afterwards.
Receipt/Service Acceptance

EBP / SRM Goods Clear Differences - Accept goods via SRM goods receipts and perform IM physical inventory adjustment
E012 SR06 MM02 Enter Counts - IM MM01
Receipt/Service Acceptance Inventory Management

EBP / SRM Goods Enter Counts & Clear Diff - Accept goods via SRM goods receipts and perform IM physical inventory adjustment
E013 SR06 MM03
afterwards using powerful IM transactions High
Receipt/Service Acceptance IM

Enter fictitious orders for personal use and access the goods or services through goods
E014 SR02 EBP / SRM Purchasing MM05 Goods Receipts to PO receipt

Page 11 of 14
Segregation of Duty Risks

Risk ID FunctionID Function 1 FunctionID Function 2 Mitigation ID Function Function 3 Description of Risk Risk Level

Enter fictitious orders for personal use and access the goods or services through service
E015 SR02 EBP / SRM Purchasing PR08 Service Acceptance acceptance

EBP / SRM Maintain EBP / SRM Product Initiate purchases for fictitious goods by selecting those goods to be included in a
E016 SR08 SR05
shopping cart
Shopping Cart Maintenance

EBP / SRM Maintain Maintain a fictitious vendor and initiate purchases to that vendor by selecting goods to
E017 SR08 SR01 EBP / SRM Vendor Master be included in a shopping cart Medium
Shopping Cart

EBP / SRM Goods Approve the purchase of unauthorized goods and hide the misuse of inventory by not
E018 SR07 EBP / SRM PO Approval SR04
fully receiving the order in SRM
Receipt/Service Acceptance

Approve the purchase of unauthorized goods and hide the misuse of inventory by not
E019 SR07 EBP / SRM PO Approval MM05 Goods Receipts to PO fully receiving the order in R3

Where release strategies are utilized, the same user should not maintain the purchase
E020 SR02 EBP / SRM Purchasing SR07 EBP / SRM PO Approval order and release or approve it.

Create a fictitious vendor or change existing vendor master data and approve purchases
E021 SR01 EBP / SRM Vendor Master SR07 EBP / SRM PO Approval to this vendor

EBP / SRM Maintain Org Enter fictitious orders for personal use and manipulate the organizational structure to
E022 SR02 EBP / SRM Purchasing SR09
bypass approvals

EBP / SRM Maintain Org Create or maintain fictitious vendor and manipulate the organizational structure to
E023 SR01 EBP / SRM Vendor Master SR09
bypass approvals or secondary checks

EBP / SRM Maintain Initiate purchases to selecting goods to be included in a shopping cart then approving
E024 SR08 SR07 EBP / SRM PO Approval the purchase
Shopping Cart

EC-CS (Assumption - Data is uploaded to the Consolidation system. Additional risks may need to be defined for fully integrated systems)
| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Function ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|---|
| G001 | EC01 | Maintain Hierarchies | AP01 | AP Payments | MIT-G001 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G002 | EC01 | Maintain Hierarchies | AP02 | Process Vendor Invoices | MIT-G002 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G003 | EC01 | Maintain Hierarchies | AP04 | Manual Check Processing | MIT-G003 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G004 | EC01 | Maintain Hierarchies | AR02 | Cash Application | MIT-G004 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G005 | EC01 | Maintain Hierarchies | AR07 | Process Customer Invoices | MIT-G005 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G006 | EC01 | Maintain Hierarchies | CC03 | Maintain Cost Centers | MIT-G006 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G007 | EC01 | Maintain Hierarchies | FA01 | Maintain Asset Document | MIT-G007 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G008 | EC01 | Maintain Hierarchies | FA02 | Maintain Asset Master | MIT-G008 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G009 | EC01 | Maintain Hierarchies | FI01 | Revenue Reposting | MIT-G009 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G010 | EC01 | Maintain Hierarchies | GL01 | Post Journal Entry | MIT-G010 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G011 | EC01 | Maintain Hierarchies | GL02 | Maintain GL Master Data | MIT-G011 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G012 | EC01 | Maintain Hierarchies | GL03 | Post Journal Entry (misc Tax/Currency) | MIT-G012 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G013 | EC01 | Maintain Hierarchies | PR01 | Vendor Master Maintenance | MIT-G013 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |
| G014 | EC01 | Maintain Hierarchies | SD01 | Maintain Customer Master Data | MIT-G014 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High |

| Functional Area | Novus Monitor & Approver | Email Address |
|---|---|---|
| Finance / Controlling | Davud Friedman | |
| Manufacturing | Steve Bass | |
| Procure to Pay | | |
| Order to Cash | | |
| Basis | Mark Meyer | |
