mm sd fico gl sod risks

Material Management SODs

SoD Controls (Functions that should be segragated)

Post Goods Receipt and Post Payments

Post Goods Receipt and Process Outgoing Payments

Post Goods Receipt and Process Inventory

Post Goods Receipt and Process Inventory Documents

Post Goods Receipt and Goods Issue

Post Goods Receipt and Process Materials

Description

IM Inventory Management

Post Goods Receipt (IM)

Post Goods Receipt for PO

Change Material Document

Post GR for PO

Other Goods Receipt

Goods Receipt for Production Order

Goods Movement

Goods Movement

Goods Movement

Goods Movement

Transfer Posting

Process Goods Movement w. Errors

Post Payments (IM)

Parameters for Automatic Payment

Create Check Information

Process Outgoing Payments (IM)

Post Outgoing Payments

Post Vendor Down Payment

Post Outgoing Payment

Process Inventory

Create System Inventory Record

Change System Inventory Record

Enter Inventory Count

Change Inventory Count

Clear Inventory Differences

Clear Inventory Differences - MM-IM

Process Inventory Documents

Create Physical Inventory Document

Change Physical Inventory Document

Enter Inventory Count with Document

Change Inventory Count

Process List of Difference

Enter Inventory Count w/o Document

Print List of Differences

Goods Issue

Goods Withdrawal

Process Materials

Create Material

Change Material

Change Material Type

Create Material - General

Risks RISK LEVEL

H

H

H

H

H

H

Transaction

MB01

MB02

MB0A

MB1C

MB31

MIGO

MIGO_GR

MIGO_GI

MIGO_GO

MIGO_TR

COGI

F110

FCH5

FBZ2

F-48

F-53

LI01

LI02

LI11

LI12

LI20

LI21

MI01

A user could post or change a fictitious or incorrect goods receipt and set up a fraudulent automatic payment or create a fraudulent check.

A user could post or change a fictitious or incorrect goods receipt and post a fraudulent payment or clear the invoice to hide the deception.

A user could post or change a fictitious or incorrect goods receipt and create/change an inventory document/count to hide the deception or clear the inventory count to hide the deception.

A user could post or change a fictitious or incorrect goods receipt and create/change an inventory document/count to hide the deception or clear the inventory count to hide the deception.

A user could post or change a fictitious or incorrect goods receipt and then use a goods issue to hide the deception. The vendor would be paid for the excess recorded receipt.

A user could create or change a fictitious receipt and create/change a material document to hide the deception.

MI02

MI04

MI05

MI07

MI09

MI20

MB1A

MM01

MM02

MMAM

MMZ1

Sales Distribution SODs

Activity AND Activity

Customer master data maintenance AND Post customer down-payment

Clear customer down-payment AND Process customer credit note (FI)

Customer master data maintenance AND Process outbound deliveries

Customer master data maintenance AND Incoming payments

Process outbound deliveries AND Incoming payments

Process sales orders AND Process customer credit note (FI)

Process outbound deliveries AND Process customer credit note (FI)

Process outbound deliveries AND Process customer invoices (FI)

Process outbound deliveries AND Process customer invoices (SD)

Process outbound deliveries AND Post parked customer invoice/credit note

Process sales orders AND Incoming payments

Process sales orders AND Process outbound deliveries

Process sales orders AND Process Revenue Recognition

Clear customer down-payment AND Process customer invoices (FI)

Clear customer down-payment AND Process customer invoices (SD)

Clear customer down-payment AND Post parked customer invoice/credit note

Clear customer down-payment AND Incoming payments

Incoming payments AND Process customer credit note (FI)

Maintain contract/scheduling agreement AND Maintain sales deal

Maintain contract/scheduling agreement AND Maintain pricing condition records

Maintain contract/scheduling agreement AND Incoming payments

Maintain credit master data AND Customer master data maintenance

Create down-payment request AND Post customer down-payment

Maintain contract/scheduling agreement AND Create rebate agreement

Maintain contract/scheduling agreement AND Process sales orders

Process outbound deliveries AND Maintain contract/scheduling agreement

Customer master data maintenance AND Process sales orders

Maintain contract/scheduling agreement AND Customer master data maintenance

Customer master data maintenance AND Process customer credit note (FI)

Customer master data maintenance AND Process customer invoices (FI)

Customer master data maintenance AND Process customer invoices (SD)

Customer master data maintenance AND Post parked customer invoice/credit note

Maintain contract/scheduling agreement AND Maintain sales promotion

Settle rebate agreement AND Process customer credit note (FI)

Process customer invoices (SD) AND Maintain sales deal

Process customer invoices (SD) AND Maintain sales promotion

Process customer invoices (SD) AND Maintain pricing condition records

Settle rebate agreement AND Process customer invoices (FI)

Settle rebate agreement AND Process customer invoices (SD)

Settle rebate agreement AND Post parked customer invoice/credit note

Process sales orders AND Maintain sales deal

Process sales orders AND Maintain sales promotion

Process sales orders AND Maintain pricing condition records

Process sales orders AND Process customer invoices (FI)

Process sales orders AND Process customer invoices (SD)

Process sales orders AND Post parked customer invoice/credit note

Incoming payments AND Process customer invoices (FI)

Incoming payments AND Process customer invoices (SD)

Incoming payments AND Post parked customer invoice/credit note

Create rebate agreement AND Settle rebate agreement

Maintain credit master data AND Maintain contract/scheduling agreement

Maintain credit master data AND Process sales orders

Park customer invoice/credit note AND Post parked customer invoice/credit note

Post customer down-payment AND Process customer invoices (FI)

Post customer down-payment AND Process customer invoices (SD)

Post customer down-payment AND Post parked customer invoice/credit note

Post customer down-payment AND Process customer credit note (FI)

Process sales orders AND Create rebate agreement

Customer master data maintenance AND Clear customer down-payment

Description Transaction

Revenues

Maintain contract/scheduling agreement

Create scheduling agreement VA31

Change scheduling agreement VA32

Create contract VA41

Change contract VA42

Maintain credit master data

Credit limit changes FD24

Change customer credit management FD32

Credit management mass change FD37

Credit management mass change F.34

Customers: Reset credit limit F.28

Credit Limit Data mass change S_ALR_87009999

Reset Credit Limit for Customers S_ALR_87012220

Create down-payment request

Create down-payment request F-37

Create down-payment request FBA1

Post customer down-payment

Post customer down payment F-29

Post customer down payment FBA2

Clear customer down-payment

Clear customer down payment F-39

Clear customer down payment FBA3

Process sales orders

Create sales order V-01

Create sales order VA01

Change sales order VA02

Maintain sales deal

Create sales deal VB21

Change sales deal VB22

Maintain sales promotion

Create promotion VB31

Change promotion VB32

Create promotion WAK1

Maintain promotion items WAK12

Change promotion WAK2

Maintain pricing condition records

Create condition table (SD price) V/03

Change condition table (sales pr) V/04

Condit: Pricing SD - Index in Backgr V_I7

Condit: Pricing SD - Index in Backgr V/I5

Create condition VK11

Change condition VK12

Creation condition with reference VK14

Create condition VK15

Creation condition with reference VK16

Change condition VK17

Change condition without menu VK19

Condition maintenance: Create VK31

Condition maintenance: Change VK32

Condition maint: create with refer VK34

VK04

VK03

Create material price V-41

Change material price V-43

Change price list V-47

Change Cust. Price V-51

Create rebate agreement

Create rebate agreement VBO1

Change rebate agreement VBO2

Condition table: create rebate OV20

Condition table: change rebate OV21

Rebate Group Maintenance VB(6

Settle rebate agreement

Rebate agreement settlement VB(7

Rebate agreement settlement VB(D

Process outbound deliveries

Create delivery VL01

Create outbound delivery with order ref VL01N

Create outbound delivery w/o order ref VL01NO

Change outbound delivery VL02

Change outbound delivery VL02N

List of outbound deliveries for Goods Issue VL06G

Edit user-specific delivery due list VL10

Sales orders due for delivery VL10A

VL10 Background planning VL10BATCH

Order items due for delivery VL10C

Order schedule lines due for delivery VL10E

Documents due for delivery VL10G

Items due for delivery VL10H

Schedule lines due for delivery VL10I

Create decentralised delivery VL11

Delivery creation in background VL12

Post goods issue in background VL21

Goods issue (background processing) VL23

Goods issue (background processing) VL23N

Sales Orders/Purchase Orders Worklist : Select VL04

Process customer credit note (FI)

Enter customer credit memo F-27

Enter outgoing credit memos FB75

Process customer invoices (FI)

Enter customer invoice F-22

Enter outgoing invoice FB70

Change condition table

Create condition table

Process customer invoices (SD)

Create billing document VF01

Change billing document VF02

Process billing due list VF04

Batch billing VF06

Cancel billing document VF11

Create invoice list VF21

Change invoice list VF22

List blocked billing documents VFX3

Park customer invoice/credit note

Park customer invoice F-64

Park customer credit memo F-67

Park document FBV1

Change parked document FBV2

Change parked document (header) FBV4

Park outgoing invoice FV70

Park outgoing credit note FV75

Post parked customer invoice/credit note

Post parked document FBV0

Post parked document FBVB

Incoming payments

Post with clearing F-04

Post incoming payments F-06

Incoming payments fast entry F-26





Post with clearing FB05

Post with clearing FB05_OLD

Post incoming payments FBZ1

Incoming payments fast entry FBZ3

Create payment advice FBE1

Change payment advice FBE2

Clear customer FB1D

Cash journal FBCJ

Clear customer F-32

Post lockbox data FLBP

Postprocessing lockbox data FLB1

Post check deposit data entered externally FFB5

Interface for check deposit data entered extern FFB4

Interface for check deposit data entered extern FF/4

Post check deposit data entered externally FF/5

Customer master data maintenance

Create customer (accounting) FD01

Change customer (accounting) FD02

Block customer (accounting) FD05

Mark customer for deletion (acctng) FD06

Create customer (sales) VD01

Change customer (sales) VD02

Block customer (sales) VD05

Mark customer for deletion (sales) VD06

Create customer (centrally) XD01

Change customer (centrally) XD02

Block customer (centrally) XD05

Mark customer for deletion (centr) XD06

Customer master mass maintenance XD99

Mass change MASS

Maintain customer FD02CORE

Create ordering party V-03

Create invoice recipient V-04

Create payer V-05

Create consignee V-06

Process Revenue Recognition

Revenue recognition worklist VF44

Revenue recognition: Revenue report VF45

Revenue recognition: Cancellation VF46

Risk RISK LEVEL

H

User can clear down-payment and process credit notes. H

User can create a customer and delivery goods to that customer, thereby misappropriating goods. H

User can create a customer and then post payments against the customer. H

H

User can create/change a credit memo request and then process the credit note. H

H

User can create/change a delivery and create/change an invoice. H



H

User can create/change sales orders and deliveries to hid the misappropriation of goods. H

H

User can clear down-payment and create/change an invoice, thereby reducing customer balances. M



User can clear down-payment and process incoming payments. M

M

M

M

User can create a contract for a customer and then post payments against that contract/customer. M

M

User can create a down-payment request and post a down-payment. M

M

User can create a fictitious contract and then create sales orders against that contract. M

User can create a fictitious contract for a customer and process outbound deliveries against the contract. M

M

User can create a fictitious customer and then create a contract against that customer. M

User can create a fictitious customer and then issue a credit note to the customer. M

User can create a fictitious customer and then issue invoices to the customer. M



M

The ability to enter or modify down payments for customers and the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected. This could result in reduced cash collections, potentially inflated accounts receivable general ledger balances, fraud, etc.

User can create fictitious/incorrect delivery and enter payments against these, potentially misappropriating goods.

User can create/change a delivery and create/change a credit note to hide the deception, thereby misappropriating goods.

User can create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.

Users with authorization to process sales orders as well as the authorization to process the revenue recognition list have the ability to create/change sales orders and edit the amount/timing of the related revenue recognition.

User can clear invoices inappropriately through maintaining customer receipts and customer credit notes.

User can create a contract and maintain pricing, therefore over-charging customers or giving then unauthorised discounts.

User can create a contract and maintain pricing, therefore over-charging customers or giving then unauthorised discounts.

User can create a customer and potentially assign/increase a customer credit limit inappropriately thereby potentially increasing exposure to bad debts.

User can create a fictitious contract and then create rebates against that contract, granting customers inappropriate credits.

User can create a fictitious customer and create orders for delivery to them thereby misappropriating goods.

User can create a contract and then maintaining pricing against that contract, thereby over-charging customers or giving them unauthorised discounts.

User can create credit notes and settle rebates, therefore changing the authorised rebate amount. M

M

M

M

User can create invoices and settle rebates, therefore changing the authorised rebate amount. M



M

M

M

User can create/change a sales order and create/change an invoice for the order. M



User can create/change an invoice and enter/change payments against the invoice. M



User can create/change and settle rebate agreements, thereby granting customers inappropriate credits. M

M

M

User can park and post customer invoices. M

User can post down-payment and create/change an invoice, thereby reducing customer balances. M



User can post down-payment and process credit notes. M

M

User can create invoices and maintain pricing, therefore over-charging customers or giving then unauthorised discounts.



User can create sales orders and maintain pricing, therefore over-charging customers or giving then unauthorised discounts.User can create sales orders and maintain pricing, therefore over-charging customers or giving then unauthorised discounts.

User can create sales orders and maintain pricing, therefore over-charging customers or giving then unauthorised discounts.

User can increase a customer credit limit and then process a contract for that customer leading to irrecoverable debt.

User can increase a customer credit limit and then process sales orders for that customer leading to irrecoverable debt.

Users with authorization to maintain sales rebates as well as process sales orders have the ability to create sales orders to customers with unapproved sales rebates.

The ability to enter or modify down payments for customers and the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected. This could result in reduced cash collections, potentially inflated accounts receivable general ledger balances, fraud, etc.

FI /GL SoD Matrix

Test Name Test Name

AND Maintain Customer

AND Maintain Customer

AND Maintain Revenue

AND Depreciation

AND Depreciation

AND Depreciation

AND Depreciation

AND Depreciation

AND Depreciation

AND Multiple Asset

AND Multiple Asset

AND Multiple Asset

AND Multiple Asset

General Ledger

Activity AND Activity

Maintain FI/Company Code table data AND N/A

Maintain Accounting Periods AND N/A

Maintain Currencies AND N/A

Post Journal Entries AND Maintain Accounting Periods

Post Parked Document AND Maintain Accounting Periods

Maintain Parked Document AND Post Parked Document

Post Journal Entries AND Maintain G/L Accounts

Description Transaction

General Ledger

Post journal entries

Mass reversal of documents F.80

Enter G/L account posting F-02


Post document FB01

Change document FB02

Post with clearing FB05

Post with clearing FB05_OLD

Reverse document FB08

Change line items FB09

Post held document FB11

G/L Acct Pstg: Single Screen Trans FB50

Enter recurring entry FBD1

Change recurring entry FBD2

Change G/L account line items FBL4

Maintain Vendors

Maintain Billing

Maintain Vendors

Maintain Checks

Maintain Postings

Maintain Vendor Invoices

Create PO with Source Determination

Change Purchase Order

Create Purchase Order

Delete Asset

Block Asset

Change Asset

Create Asset

Post document FBR2

Invoice/Credit Fast Entry FB10

Change intercompany document FBU2

Maintain G/L Accounts

G/L acct master record maintenance FS00

Create Master Record FS01

Change Master Record FS02

Maintain G/L account FS02CORE

G/L Account Changes (Centrally) FS04

G/L account master record in chrt/accts FSP0

Create Master Record in Chart/Accts FSP1

Change Master Record in Chart/Accts FSP2

G/L Account Changes in Chart/Accts FSP4

G/L account master record in co code FSS0

Create Master Record in company code FSS1

Change Master Record in company code FSS2

G/L account changes in company code FSS4

Create G/L accounts with reference OB_GLACC01

Create G/L accounts with reference OB_GLACC02

G/L acct record: Mass maintenance 01 OB_GLACC11

G/L acct record: Mass maintenance 02 OB_GLACC12

C FI Copy company code (G/L account) OBY2

C FI Copy chart of accounts OBY7

Maintain Parked Document

Preliminary posting F-65

Park vendor invoice F-63

Park customer invoice F-64

Park vendor credit memo F-66

Park customer credit memo F-67

Park document FBV1

Change parked document FBV2

Change parked document (header) FBV4

Park G/L account items FV50

Post Parked Document

Post Parked Document FBV0

Post Parked Document FBVB

Maintain currencies

Maintain Table: Exchange Rates F-62

C FI Maintain Table TCURR OB08

Maintain accounting periods

Schedule Manager: Scheduler SCMA

C FI Maintain Table T001B OB52

Maintain Table: Posting Periods F-60

Maintain FI/Company Code table data

Change View 'Company Code Global Data': Overview OBY6

Change View 'List of all Charts of Accounts': Overview OB13

Maintain Accounting Configuration : Posting Keys - List OB41

Change View 'Financial Statement Versions': Overview OB58

Change Financial Statement Version FSE2

Change View 'Assign Company Code-> Chart of Accounts': OB62

Maintain Customers

Create Customer (FI) FD01

Change Customer (FI) FD02

Change Customer (FI) FD04

Create Customer (SD) VD01

Change Customer (SD) VD02

Change Customer (SD) VD04

Create Customer (Centrally) XD01

Change Customer (Centrally) XD02

Change Customer (Centrally) XD04

Maintain Vendors

Create Vendor (FI) FK01

Change Vendor (FI) FK02

Change Vendor (FI) FK04

Create Vendor (MM) MK01

Change Vendor (MM) MK02

Change Vendor (MM) MK04

Create Vendor (Centrally) XK01

Change Vendor (Centrally) XK02

Change Vendor (Centrally) XK04

Maintain Billing

Create Sales Order VA01

Change Sales Order VA02

Create Billing Document VF01

Change Billing Document VF02

Cancel Billing Document VF11

List Blocked Billing Documents VFX3

Maintain Revenue

Revenue recognition worklist VF44

Revenue recognition: Revenue report VF45

Maintain Checks

Void Check FCH3

Renumber Check FCH4

Create Check Information FCH5

Change Check Information/ Cash Check FCH6

Reprint Check FCH7

Reverse Check Payment FCH8

Void Issued Check FCH9

Delete Payment Run Check Information FCHD

Online Cashed Check FCHR

Changed Check/ Payment Allocation FCHT

Check Extract - Creation FCHX

Depreciation

Manual Depreciation ABMA

Unplanned Depreciation ABAA

Asset Retirement by Scrapping ABAVN

Write-up ABZU

Maintain Postings

Post with Clearing FB05

Invoice/ Credit Fast Entry FB10

Parameters for Automatic Payment F110

Maintain Vendor Invoices

Enter Vendor Credit Memo F-41

Enter Transfer Posting F-42

Enter Vendor Invoice F-43

Park Vendor Invoice F-63

Park Vendor Credit Memo F-66

Create PO with Source Determination

Create PO with Source Determination ME25

Create Purchase Order

Access to Create Purchase Order ME21

Access to Create Purchase Order ME21N

Change Purchase Order

Access to Change Purchase Order ME22

Access to Change Purchase Order ME22N

Delete Asset

Delete Asset Record AS06

Multiple Asset

Asset Acquisition to Clearing Account F-91

Acquisition from Purchase with Vendor F-90

Acquisition from In-house Production ABZE

Manual Depreciation ABMA

Unplanned Depreciation ABAA

Recalculate Depreciation AFAR

Enter Asset Transaction: Acquisition w/Auto Off. Entry ABZON

Asset Retire from Sale with Customer F-92

Acquisition from affiliated company ABZP

Enter Asset Transaction: Acquisition within Comp. Code ABUMN

Enter Asset Transaction: I/C Asset Transfer ABT1N

Enter Asset Transaction: Asset Sale w/o customer ABAON

Balance Sheet Re-valuation ABAW

Create Asset

Create Asset Master Record AS01

Change Asset

Change Asset Master Record AS02

Asset Change AS04

Block Asset

Access to Block Asset AS05

FI /GL SoD Matrix

Risks

Assets are sold to non-existent or fraudulent customers.

Assets are disposed at less than the true value.

Inadequate segregation of duties may result in fraudulent or unintended acquisition, which may not be detected in a timely manner.




Risk

Unauthorised users can change FI/company code table data.

Unauthorised users can open or close accounting periods.

Unauthorised users can change currency exchange rates.

User can open accounting periods previously closed and make postings after month end.

User can open accounting periods previously closed and make postings after month end.

User can park and post journals.

User can post journals against G/L accounts they have created / changed.

Access to maintain revenues could result in assets acquired from a valid or fictitious vendor directly and may not be detected in a timely manner.

Assets are acquired at an overvalued or undervalued price and then depreciated. Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed.


Assets are acquired at an overvalued or undervalued price and then depreciated. Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed.Assets are acquired at an overvalued or undervalued price and then depreciated. Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed.



FI /GL SoD Matrix

Risks

H

H

H

H

H

H

H

H

H

M

M

M

M

RISK

H

H

H

H

H

M

M