MM / SD / FICO / GL SoD Risks

Material Management SoDs

SoD controls (functions that should be segregated), with the risk level and the risk each combination carries:

| Conflicting functions | Risk level | Risk |
|---|---|---|
| Post Goods Receipt AND Post Payments | H | A user could post or change a fictitious or incorrect goods receipt and set up a fraudulent automatic payment or create a fraudulent check. |
| Post Goods Receipt AND Process Outgoing Payments | H | A user could post or change a fictitious or incorrect goods receipt and post a fraudulent payment or clear the invoice to hide the deception. |
| Post Goods Receipt AND Process Inventory | H | A user could post or change a fictitious or incorrect goods receipt and create/change an inventory document/count, or clear the inventory count, to hide the deception. |
| Post Goods Receipt AND Process Inventory Documents | H | A user could post or change a fictitious or incorrect goods receipt and create/change an inventory document/count, or clear the inventory count, to hide the deception. |
| Post Goods Receipt AND Goods Issue | H | A user could post or change a fictitious or incorrect goods receipt and then use a goods issue to hide the deception. The vendor would be paid for the excess recorded receipt. |
| Post Goods Receipt AND Process Materials | H | A user could create or change a fictitious receipt and create/change a material document to hide the deception. |

Functions and the transactions that enable them (IM = Inventory Management):

| Function | Description | Transaction |
|---|---|---|
| Post Goods Receipt (IM) | Post Goods Receipt for PO | MB01 |
| | Change Material Document | MB02 |
| | Post GR for PO | MB0A |
| | Other Goods Receipt | MB1C |
| | Goods Receipt for Production Order | MB31 |
| | Goods Movement | MIGO |
| | Goods Movement | MIGO_GR |
| | Goods Movement | MIGO_GI |
| | Goods Movement | MIGO_GO |
| | Transfer Posting | MIGO_TR |
| | Process Goods Movement w. Errors | COGI |
| Post Payments (IM) | Parameters for Automatic Payment | F110 |
| | Create Check Information | FCH5 |
| Process Outgoing Payments (IM) | Post Outgoing Payments | FBZ2 |
| | Post Vendor Down Payment | F-48 |
| | Post Outgoing Payment | F-53 |
| Process Inventory | Create System Inventory Record | LI01 |
| | Change System Inventory Record | LI02 |
| | Enter Inventory Count | LI11 |
| | Change Inventory Count | LI12 |
| | Clear Inventory Differences | LI20 |
| | Clear Inventory Differences - MM-IM | LI21 |
| Process Inventory Documents | Create Physical Inventory Document | MI01 |
| | Change Physical Inventory Document | MI02 |
| | Enter Inventory Count with Document | MI04 |
| | Change Inventory Count | MI05 |
| | Process List of Differences | MI07 |
| | Enter Inventory Count w/o Document | MI09 |
| | Print List of Differences | MI20 |
| Goods Issue | Goods Withdrawal | MB1A |
| Process Materials | Create Material | MM01 |
| | Change Material | MM02 |
| | Change Material Type | MMAM |
| | Create Material - General | MMZ1 |
Sales and Distribution (SD) SoDs

Conflicting activity pairs, with the risk level and the risk each combination carries (the last row has no risk level on the page):

| Conflicting activities | Risk level | Risk |
|---|---|---|
| Customer master data maintenance AND Post customer down-payment | H | The ability to enter or modify down payments for customers and the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected. This could result in reduced cash collections, potentially inflated accounts receivable general ledger balances, fraud, etc. |
| Clear customer down-payment AND Process customer credit note (FI) | H | User can clear down-payment and process credit notes. |
| Customer master data maintenance AND Process outbound deliveries | H | User can create a customer and deliver goods to that customer, thereby misappropriating goods. |
| Customer master data maintenance AND Incoming payments | H | User can create a customer and then post payments against the customer. |
| Process outbound deliveries AND Incoming payments | H | User can create fictitious/incorrect deliveries and enter payments against these, potentially misappropriating goods. |
| Process sales orders AND Process customer credit note (FI) | H | User can create/change a credit memo request and then process the credit note. |
| Process outbound deliveries AND Process customer credit note (FI) | H | User can create/change a delivery and create/change a credit note to hide the deception, thereby misappropriating goods. |
| Process outbound deliveries AND Process customer invoices (FI) | H | User can create/change a delivery and create/change an invoice. |
| Process outbound deliveries AND Process customer invoices (SD) | H | User can create/change a delivery and create/change an invoice. |
| Process outbound deliveries AND Post parked customer invoice/credit note | H | User can create/change a delivery and create/change an invoice. |
| Process sales orders AND Incoming payments | H | User can create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company. |
| Process sales orders AND Process outbound deliveries | H | User can create/change sales orders and deliveries to hide the misappropriation of goods. |
| Process sales orders AND Process Revenue Recognition | H | Users with authorization to process sales orders as well as the authorization to process the revenue recognition list have the ability to create/change sales orders and edit the amount/timing of the related revenue recognition. |
| Clear customer down-payment AND Process customer invoices (FI) | M | User can clear down-payment and create/change an invoice, thereby reducing customer balances. |
| Clear customer down-payment AND Process customer invoices (SD) | M | User can clear down-payment and create/change an invoice, thereby reducing customer balances. |
| Clear customer down-payment AND Post parked customer invoice/credit note | M | User can clear down-payment and create/change an invoice, thereby reducing customer balances. |
| Clear customer down-payment AND Incoming payments | M | User can clear down-payment and process incoming payments. |
| Incoming payments AND Process customer credit note (FI) | M | User can clear invoices inappropriately through maintaining customer receipts and customer credit notes. |
| Maintain contract/scheduling agreement AND Maintain sales deal | M | User can create a contract and maintain pricing, therefore over-charging customers or giving them unauthorised discounts. |
| Maintain contract/scheduling agreement AND Maintain pricing condition records | M | User can create a contract and maintain pricing, therefore over-charging customers or giving them unauthorised discounts. |
| Maintain contract/scheduling agreement AND Incoming payments | M | User can create a contract for a customer and then post payments against that contract/customer. |
| Maintain credit master data AND Customer master data maintenance | M | User can create a customer and potentially assign/increase a customer credit limit inappropriately, thereby potentially increasing exposure to bad debts. |
| Create down-payment request AND Post customer down-payment | M | User can create a down-payment request and post a down-payment. |
| Maintain contract/scheduling agreement AND Create rebate agreement | M | User can create a fictitious contract and then create rebates against that contract, granting customers inappropriate credits. |
| Maintain contract/scheduling agreement AND Process sales orders | M | User can create a fictitious contract and then create sales orders against that contract. |
| Process outbound deliveries AND Maintain contract/scheduling agreement | M | User can create a fictitious contract for a customer and process outbound deliveries against the contract. |
| Customer master data maintenance AND Process sales orders | M | User can create a fictitious customer and create orders for delivery to them, thereby misappropriating goods. |
| Maintain contract/scheduling agreement AND Customer master data maintenance | M | User can create a fictitious customer and then create a contract against that customer. |
| Customer master data maintenance AND Process customer credit note (FI) | M | User can create a fictitious customer and then issue a credit note to the customer. |
| Customer master data maintenance AND Process customer invoices (FI) | M | User can create a fictitious customer and then issue invoices to the customer. |
| Customer master data maintenance AND Process customer invoices (SD) | M | User can create a fictitious customer and then issue invoices to the customer. |
| Customer master data maintenance AND Post parked customer invoice/credit note | M | User can create a fictitious customer and then issue invoices to the customer. |
| Maintain contract/scheduling agreement AND Maintain sales promotion | M | User can create a contract and then maintain pricing against that contract, thereby over-charging customers or giving them unauthorised discounts. |
| Settle rebate agreement AND Process customer credit note (FI) | M | User can create credit notes and settle rebates, therefore changing the authorised rebate amount. |
| Process customer invoices (SD) AND Maintain sales deal | M | User can create invoices and maintain pricing, therefore over-charging customers or giving them unauthorised discounts. |
| Process customer invoices (SD) AND Maintain sales promotion | M | User can create invoices and maintain pricing, therefore over-charging customers or giving them unauthorised discounts. |
| Process customer invoices (SD) AND Maintain pricing condition records | M | User can create invoices and maintain pricing, therefore over-charging customers or giving them unauthorised discounts. |
| Settle rebate agreement AND Process customer invoices (FI) | M | User can create invoices and settle rebates, therefore changing the authorised rebate amount. |
| Settle rebate agreement AND Process customer invoices (SD) | M | User can create invoices and settle rebates, therefore changing the authorised rebate amount. |
| Settle rebate agreement AND Post parked customer invoice/credit note | M | User can create invoices and settle rebates, therefore changing the authorised rebate amount. |
| Process sales orders AND Maintain sales deal | M | User can create sales orders and maintain pricing, therefore over-charging customers or giving them unauthorised discounts. |
| Process sales orders AND Maintain sales promotion | M | User can create sales orders and maintain pricing, therefore over-charging customers or giving them unauthorised discounts. |
| Process sales orders AND Maintain pricing condition records | M | User can create sales orders and maintain pricing, therefore over-charging customers or giving them unauthorised discounts. |
| Process sales orders AND Process customer invoices (FI) | M | User can create/change a sales order and create/change an invoice for the order. |
| Process sales orders AND Process customer invoices (SD) | M | User can create/change a sales order and create/change an invoice for the order. |
| Process sales orders AND Post parked customer invoice/credit note | M | User can create/change a sales order and create/change an invoice for the order. |
| Incoming payments AND Process customer invoices (FI) | M | User can create/change an invoice and enter/change payments against the invoice. |
| Incoming payments AND Process customer invoices (SD) | M | User can create/change an invoice and enter/change payments against the invoice. |
| Incoming payments AND Post parked customer invoice/credit note | M | User can create/change an invoice and enter/change payments against the invoice. |
| Create rebate agreement AND Settle rebate agreement | M | User can create/change and settle rebate agreements, thereby granting customers inappropriate credits. |
| Maintain credit master data AND Maintain contract/scheduling agreement | M | User can increase a customer credit limit and then process a contract for that customer, leading to irrecoverable debt. |
| Maintain credit master data AND Process sales orders | M | User can increase a customer credit limit and then process sales orders for that customer, leading to irrecoverable debt. |
| Park customer invoice/credit note AND Post parked customer invoice/credit note | M | User can park and post customer invoices. |
| Post customer down-payment AND Process customer invoices (FI) | M | User can post down-payment and create/change an invoice, thereby reducing customer balances. |
| Post customer down-payment AND Process customer invoices (SD) | M | User can post down-payment and create/change an invoice, thereby reducing customer balances. |
| Post customer down-payment AND Post parked customer invoice/credit note | M | User can post down-payment and create/change an invoice, thereby reducing customer balances. |
| Post customer down-payment AND Process customer credit note (FI) | M | User can post down-payment and process credit notes. |
| Process sales orders AND Create rebate agreement | M | Users with authorization to maintain sales rebates as well as process sales orders have the ability to create sales orders to customers with unapproved sales rebates. |
| Customer master data maintenance AND Clear customer down-payment | (not stated) | The ability to enter or modify down payments for customers and the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected. This could result in reduced cash collections, potentially inflated accounts receivable general ledger balances, fraud, etc. |

Revenues: activities and the transactions that enable them (entries that appear on the page with only a code or only a description are kept as given):

| Activity | Description | Transaction |
|---|---|---|
| Maintain contract/scheduling agreement | Create scheduling agreement | VA31 |
| | Change scheduling agreement | VA32 |
| | Create contract | VA41 |
| | Change contract | VA42 |
| Maintain credit master data | Credit limit changes | FD24 |
| | Change customer credit management | FD32 |
| | Credit management mass change | FD37 |
| | Credit management mass change | F.34 |
| | Customers: Reset credit limit | F.28 |
| | Credit Limit Data mass change | S_ALR_87009999 |
| | Reset Credit Limit for Customers | S_ALR_87012220 |
| Create down-payment request | Create down-payment request | F-37 |
| | Create down-payment request | FBA1 |
| Post customer down-payment | Post customer down payment | F-29 |
| | Post customer down payment | FBA2 |
| Clear customer down-payment | Clear customer down payment | F-39 |
| | Clear customer down payment | FBA3 |
| Process sales orders | Create sales order | V-01 |
| | Create sales order | VA01 |
| | Change sales order | VA02 |
| Maintain sales deal | Create sales deal | VB21 |
| | Change sales deal | VB22 |
| Maintain sales promotion | Create promotion | VB31 |
| | Change promotion | VB32 |
| | Create promotion | WAK1 |
| | Maintain promotion items | WAK12 |
| | Change promotion | WAK2 |
| Maintain pricing condition records | Create condition table (SD price) | V/03 |
| | Change condition table (sales pr) | V/04 |
| | Condit: Pricing SD - Index in Backgr | V_I7 |
| | Condit: Pricing SD - Index in Backgr | V/I5 |
| | Create condition | VK11 |
| | Change condition | VK12 |
| | Creation condition with reference | VK14 |
| | Create condition | VK15 |
| | Creation condition with reference | VK16 |
| | Change condition | VK17 |
| | Change condition without menu | VK19 |
| | Condition maintenance: Create | VK31 |
| | Condition maintenance: Change | VK32 |
| | Condition maint: create with refer | VK34 |
| | | VK04 |
| | | VK03 |
| | Create material price | V-41 |
| | Change material price | V-43 |
| | Change price list | V-47 |
| | Change Cust. Price | V-51 |
| Create rebate agreement | Create rebate agreement | VBO1 |
| | Change rebate agreement | VBO2 |
| | Condition table: create rebate | OV20 |
| | Condition table: change rebate | OV21 |
| | Rebate Group Maintenance | VB(6 |
| Settle rebate agreement | Rebate agreement settlement | VB(7 |
| | Rebate agreement settlement | VB(D |
| Process outbound deliveries | Create delivery | VL01 |
| | Create outbound delivery with order ref | VL01N |
| | Create outbound delivery w/o order ref | VL01NO |
| | Change outbound delivery | VL02 |
| | Change outbound delivery | VL02N |
| | List of outbound deliveries for Goods Issue | VL06G |
| | Edit user-specific delivery due list | VL10 |
| | Sales orders due for delivery | VL10A |
| | VL10 Background planning | VL10BATCH |
| | Order items due for delivery | VL10C |
| | Order schedule lines due for delivery | VL10E |
| | Documents due for delivery | VL10G |
| | Items due for delivery | VL10H |
| | Schedule lines due for delivery | VL10I |
| | Create decentralised delivery | VL11 |
| | Delivery creation in background | VL12 |
| | Post goods issue in background | VL21 |
| | Goods issue (background processing) | VL23 |
| | Goods issue (background processing) | VL23N |
| | Sales Orders/Purchase Orders Worklist: Select | VL04 |
| Process customer credit note (FI) | Enter customer credit memo | F-27 |
| | Enter outgoing credit memos | FB75 |
| Process customer invoices (FI) | Enter customer invoice | F-22 |
| | Enter outgoing invoice | FB70 |
| | Change condition table | |
| | Create condition table | |
| Process customer invoices (SD) | Create billing document | VF01 |
| | Change billing document | VF02 |
| | Process billing due list | VF04 |
| | Batch billing | VF06 |
| | Cancel billing document | VF11 |
| | Create invoice list | VF21 |
| | Change invoice list | VF22 |
| | List blocked billing documents | VFX3 |
| Park customer invoice/credit note | Park customer invoice | F-64 |
| | Park customer credit memo | F-67 |
| | Park document | FBV1 |
| | Change parked document | FBV2 |
| | Change parked document (header) | FBV4 |
| | Park outgoing invoice | FV70 |
| | Park outgoing credit note | FV75 |
| Post parked customer invoice/credit note | Post parked document | FBV0 |
| | Post parked document | FBVB |
| Incoming payments | Post with clearing | F-04 |
| | Post incoming payments | F-06 |
| | Incoming payments fast entry | F-26 |
| | Post incoming payments | F-28 |
| | Post with clearing | F-30 |
| | Post with clearing | F-51 |
| | Post incoming payments | F-52 |
| | Post with clearing | FB05 |
| | Post with clearing | FB05_OLD |
| | Post incoming payments | FBZ1 |
| | Incoming payments fast entry | FBZ3 |
| | Create payment advice | FBE1 |
| | Change payment advice | FBE2 |
| | Clear customer | FB1D |
| | Cash journal | FBCJ |
| | Clear customer | F-32 |
| | Post lockbox data | FLBP |
| | Postprocessing lockbox data | FLB1 |
| | Post check deposit data entered externally | FFB5 |
| | Interface for check deposit data entered externally | FFB4 |
| | Interface for check deposit data entered externally | FF/4 |
| | Post check deposit data entered externally | FF/5 |
| Customer master data maintenance | Create customer (accounting) | FD01 |
| | Change customer (accounting) | FD02 |
| | Block customer (accounting) | FD05 |
| | Mark customer for deletion (accounting) | FD06 |
| | Create customer (sales) | VD01 |
| | Change customer (sales) | VD02 |
| | Block customer (sales) | VD05 |
| | Mark customer for deletion (sales) | VD06 |
| | Create customer (centrally) | XD01 |
| | Change customer (centrally) | XD02 |
| | Block customer (centrally) | XD05 |
| | Mark customer for deletion (centrally) | XD06 |
| | Customer master mass maintenance | XD99 |
| | Mass change | MASS |
| | Maintain customer | FD02CORE |
| | Create ordering party | V-03 |
| | Create invoice recipient | V-04 |
| | Create payer | V-05 |
| | Create consignee | V-06 |
| Process Revenue Recognition | Revenue recognition worklist | VF44 |
| | Revenue recognition: Revenue report | VF45 |
| | Revenue recognition: Cancellation | VF46 |
FI/GL SoD Matrix

Test pairs (Test Name AND Test Name), with the risk level and the risk each combination carries:

| Conflicting tests | Risk level | Risk |
|---|---|---|
| Maintain Vendors AND Maintain Customer | H | Assets are sold to non-existent or fraudulent customers. |
| Maintain Billing AND Maintain Customer | H | Assets are disposed of at less than the true value. |
| Maintain Vendors AND Maintain Revenue | H | Access to maintain revenues could result in assets acquired from a valid or fictitious vendor directly and may not be detected in a timely manner. |
| Maintain Checks AND Depreciation | H | Assets are acquired at an overvalued or undervalued price and then depreciated. Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed. |
| Maintain Postings AND Depreciation | H | Assets are acquired at an overvalued or undervalued price and then depreciated. Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed. |
| Maintain Vendor Invoices AND Depreciation | H | Assets are acquired at an overvalued or undervalued price and then depreciated. Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed. |
| Create PO with Source Determination AND Depreciation | H | Assets are acquired at an overvalued or undervalued price and then depreciated. Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed. |
| Change Purchase Order AND Depreciation | H | Assets are acquired at an overvalued or undervalued price and then depreciated. Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed. |
| Create Purchase Order AND Depreciation | H | Assets are acquired at an overvalued or undervalued price and then depreciated. Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed. |
| Delete Asset AND Multiple Asset | M | Inadequate segregation of duties may result in fraudulent or unintended acquisition, which may not be detected in a timely manner. |
| Block Asset AND Multiple Asset | M | Inadequate segregation of duties may result in fraudulent or unintended acquisition, which may not be detected in a timely manner. |
| Change Asset AND Multiple Asset | M | Inadequate segregation of duties may result in fraudulent or unintended acquisition, which may not be detected in a timely manner. |
| Create Asset AND Multiple Asset | M | Inadequate segregation of duties may result in fraudulent or unintended acquisition, which may not be detected in a timely manner. |

General Ledger

Activity pairs (an activity paired with N/A is sensitive on its own), with the risk level and the risk:

| Conflicting activities | Risk level | Risk |
|---|---|---|
| Maintain FI/Company Code table data AND N/A | H | Unauthorised users can change FI/company code table data. |
| Maintain Accounting Periods AND N/A | H | Unauthorised users can open or close accounting periods. |
| Maintain Currencies AND N/A | H | Unauthorised users can change currency exchange rates. |
| Post Journal Entries AND Maintain Accounting Periods | H | User can open accounting periods previously closed and make postings after month end. |
| Post Parked Document AND Maintain Accounting Periods | H | User can open accounting periods previously closed and make postings after month end. |
| Maintain Parked Document AND Post Parked Document | M | User can park and post journals. |
| Post Journal Entries AND Maintain G/L Accounts | M | User can post journals against G/L accounts they have created / changed. |

Functions and the transactions that enable them (General Ledger functions first, then the functions used by the test pairs above):

| Function | Description | Transaction |
|---|---|---|
| Post journal entries | Mass reversal of documents | F.80 |
| | Enter G/L account posting | F-02 |
| | Post with clearing | F-04 |
| | Post document | FB01 |
| | Change document | FB02 |
| | Post with clearing | FB05 |
| | Post with clearing | FB05_OLD |
| | Reverse document | FB08 |
| | Change line items | FB09 |
| | Post held document | FB11 |
| | G/L Acct Pstg: Single Screen Trans | FB50 |
| | Enter recurring entry | FBD1 |
| | Change recurring entry | FBD2 |
| | Change G/L account line items | FBL4 |
| | Post document | FBR2 |
| | Invoice/Credit Fast Entry | FB10 |
| | Change intercompany document | FBU2 |
| Maintain G/L Accounts | G/L acct master record maintenance | FS00 |
| | Create Master Record | FS01 |
| | Change Master Record | FS02 |
| | Maintain G/L account | FS02CORE |
| | G/L Account Changes (Centrally) | FS04 |
| | G/L account master record in chrt/accts | FSP0 |
| | Create Master Record in Chart/Accts | FSP1 |
| | Change Master Record in Chart/Accts | FSP2 |
| | G/L Account Changes in Chart/Accts | FSP4 |
| | G/L account master record in co code | FSS0 |
| | Create Master Record in company code | FSS1 |
| | Change Master Record in company code | FSS2 |
| | G/L account changes in company code | FSS4 |
| | Create G/L accounts with reference | OB_GLACC01 |
| | Create G/L accounts with reference | OB_GLACC02 |
| | G/L acct record: Mass maintenance 01 | OB_GLACC11 |
| | G/L acct record: Mass maintenance 02 | OB_GLACC12 |
| | C FI Copy company code (G/L account) | OBY2 |
| | C FI Copy chart of accounts | OBY7 |
| Maintain Parked Document | Preliminary posting | F-65 |
| | Park vendor invoice | F-63 |
| | Park customer invoice | F-64 |
| | Park vendor credit memo | F-66 |
| | Park customer credit memo | F-67 |
| | Park document | FBV1 |
| | Change parked document | FBV2 |
| | Change parked document (header) | FBV4 |
| | Park G/L account items | FV50 |
| Post Parked Document | Post Parked Document | FBV0 |
| | Post Parked Document | FBVB |
| Maintain currencies | Maintain Table: Exchange Rates | F-62 |
| | C FI Maintain Table TCURR | OB08 |
| Maintain accounting periods | Schedule Manager: Scheduler | SCMA |
| | C FI Maintain Table T001B | OB52 |
| | Maintain Table: Posting Periods | F-60 |
| Maintain FI/Company Code table data | Change View 'Company Code Global Data': Overview | OBY6 |
| | Change View 'List of all Charts of Accounts': Overview | OB13 |
| | Maintain Accounting Configuration: Posting Keys - List | OB41 |
| | Change View 'Financial Statement Versions': Overview | OB58 |
| | Change Financial Statement Version | FSE2 |
| | Change View 'Assign Company Code -> Chart of Accounts' | OB62 |
| Maintain Customers | Create Customer (FI) | FD01 |
| | Change Customer (FI) | FD02 |
| | Change Customer (FI) | FD04 |
| | Create Customer (SD) | VD01 |
| | Change Customer (SD) | VD02 |
| | Change Customer (SD) | VD04 |
| | Create Customer (Centrally) | XD01 |
| | Change Customer (Centrally) | XD02 |
| | Change Customer (Centrally) | XD04 |
| Maintain Vendors | Create Vendor (FI) | FK01 |
| | Change Vendor (FI) | FK02 |
| | Change Vendor (FI) | FK04 |
| | Create Vendor (MM) | MK01 |
| | Change Vendor (MM) | MK02 |
| | Change Vendor (MM) | MK04 |
| | Create Vendor (Centrally) | XK01 |
| | Change Vendor (Centrally) | XK02 |
| | Change Vendor (Centrally) | XK04 |
| Maintain Billing | Create Sales Order | VA01 |
| | Change Sales Order | VA02 |
| | Create Billing Document | VF01 |
| | Change Billing Document | VF02 |
| | Cancel Billing Document | VF11 |
| | List Blocked Billing Documents | VFX3 |
| Maintain Revenue | Revenue recognition worklist | VF44 |
| | Revenue recognition: Revenue report | VF45 |
| Maintain Checks | Void Check | FCH3 |
| | Renumber Check | FCH4 |
| | Create Check Information | FCH5 |
| | Change Check Information / Cash Check | FCH6 |
| | Reprint Check | FCH7 |
| | Reverse Check Payment | FCH8 |
| | Void Issued Check | FCH9 |
| | Delete Payment Run Check Information | FCHD |
| | Online Cashed Check | FCHR |
| | Changed Check / Payment Allocation | FCHT |
| | Check Extract - Creation | FCHX |
| Depreciation | Manual Depreciation | ABMA |
| | Unplanned Depreciation | ABAA |
| | Asset Retirement by Scrapping | ABAVN |
| | Write-up | ABZU |
| Maintain Postings | Post with Clearing | FB05 |
| | Invoice / Credit Fast Entry | FB10 |
| | Parameters for Automatic Payment | F110 |
| Maintain Vendor Invoices | Enter Vendor Credit Memo | F-41 |
| | Enter Transfer Posting | F-42 |
| | Enter Vendor Invoice | F-43 |
| | Park Vendor Invoice | F-63 |
| | Park Vendor Credit Memo | F-66 |
| Create PO with Source Determination | Create PO with Source Determination | ME25 |
| Create Purchase Order | Access to Create Purchase Order | ME21 |
| | Access to Create Purchase Order | ME21N |
| Change Purchase Order | Access to Change Purchase Order | ME22 |
| | Access to Change Purchase Order | ME22N |
| Delete Asset | Delete Asset Record | AS06 |
| Multiple Asset | Asset Acquisition to Clearing Account | F-91 |
| | Acquisition from Purchase with Vendor | F-90 |
| | Acquisition from In-house Production | ABZE |
| | Manual Depreciation | ABMA |
| | Unplanned Depreciation | ABAA |
| | Recalculate Depreciation | AFAR |
| | Enter Asset Transaction: Acquisition w/Auto Off. Entry | ABZON |
| | Asset Retire from Sale with Customer | F-92 |
| | Acquisition from affiliated company | ABZP |
| | Enter Asset Transaction: Acquisition within Comp. Code | ABUMN |
| | Enter Asset Transaction: I/C Asset Transfer | ABT1N |
| | Enter Asset Transaction: Asset Sale w/o customer | ABAON |
| | Balance Sheet Re-valuation | ABAW |
| Create Asset | Create Asset Master Record | AS01 |
| Change Asset | Change Asset Master Record | AS02 |
| | Asset Change | AS04 |
| Block Asset | Access to Block Asset | AS05 |
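The matrices above are only useful once they are evaluated against what users can actually execute. The following is an added example, not part of the original matrix, of how the Material Management pairs and one single-function ("AND N/A") rule from the General Ledger table can be checked against a user's effective transaction set. The functions, transaction codes and risk levels are taken from the tables above; the role names (Z_WAREHOUSE_CLERK and the others), user ids and role contents are constructed for the demonstration, and loading real user/role/transaction assignments from a system is left outside the example.

```python
"""SoD check over the Materials Management matrix on this page (added example).
Roles, users and role contents below are constructed; the functions, codes and
levels are the matrix's own. A real run would load assignments from the system."""

# Function -> transaction codes, as listed in the MM matrix.
FUNCTIONS = {
    "Post Goods Receipt (IM)": {"MB01", "MB02", "MB0A", "MB1C", "MB31", "MIGO",
                                "MIGO_GR", "MIGO_GI", "MIGO_GO", "MIGO_TR", "COGI"},
    "Post Payments (IM)": {"F110", "FCH5"},
    "Process Outgoing Payments (IM)": {"FBZ2", "F-48", "F-53"},
    "Process Inventory": {"LI01", "LI02", "LI11", "LI12", "LI20", "LI21"},
    "Process Inventory Documents": {"MI01", "MI02", "MI04", "MI05", "MI07", "MI09", "MI20"},
    "Goods Issue": {"MB1A"},
    "Process Materials": {"MM01", "MM02", "MMAM", "MMZ1"},
    # One General Ledger function, to show a standalone ("AND N/A") rule.
    "Maintain Accounting Periods": {"SCMA", "OB52", "F-60"},
}

# (function A, function B or None for a standalone sensitive function, risk level)
RULES = [
    ("Post Goods Receipt (IM)", "Post Payments (IM)", "H"),
    ("Post Goods Receipt (IM)", "Process Outgoing Payments (IM)", "H"),
    ("Post Goods Receipt (IM)", "Process Inventory", "H"),
    ("Post Goods Receipt (IM)", "Process Inventory Documents", "H"),
    ("Post Goods Receipt (IM)", "Goods Issue", "H"),
    ("Post Goods Receipt (IM)", "Process Materials", "H"),
    ("Maintain Accounting Periods", None, "H"),
]


def effective_tcodes(user, user_roles, role_tcodes):
    """Union of transaction codes over all of a user's roles: a conflict is
    often split across two clean-looking roles, so roles must be combined."""
    codes = set()
    for role in user_roles.get(user, ()):
        codes |= role_tcodes.get(role, set())
    return codes


def functions_enabled(tcodes):
    """Map transaction codes to the matrix functions they enable, keeping the
    matching codes so each finding names the access that caused it."""
    enabled = {}
    for func, codes in FUNCTIONS.items():
        matched = codes & tcodes
        if matched:
            enabled[func] = sorted(matched)
    return enabled


def evaluate(user, user_roles, role_tcodes):
    """Return one finding per violated rule as
    (function A, function B or None, level, codes for A, codes for B)."""
    enabled = functions_enabled(effective_tcodes(user, user_roles, role_tcodes))
    findings = []
    for func_a, func_b, level in RULES:
        if func_a not in enabled:
            continue
        if func_b is None:  # standalone sensitive function: access alone is the risk
            findings.append((func_a, None, level, enabled[func_a], []))
        elif func_b in enabled:
            findings.append((func_a, func_b, level, enabled[func_a], enabled[func_b]))
    return findings


def evaluate_all(user_roles, role_tcodes):
    """Findings for every user, keyed by user id."""
    return {user: evaluate(user, user_roles, role_tcodes) for user in user_roles}


# Constructed sample data (not from the page). MB03 is a display-only
# transaction that appears in no matrix function, so it never contributes.
ROLE_TCODES = {
    "Z_WAREHOUSE_CLERK": {"MIGO", "MB1C", "MI04"},
    "Z_AP_CLERK": {"F-53", "FBZ2"},
    "Z_PERIOD_CLOSE": {"OB52"},
    "Z_DISPLAY_ONLY": {"MB03"},
}
USER_ROLES = {
    "alice": ["Z_WAREHOUSE_CLERK"],              # conflict inside one role
    "bob": ["Z_WAREHOUSE_CLERK", "Z_AP_CLERK"],  # conflict only across roles
    "carol": ["Z_AP_CLERK", "Z_DISPLAY_ONLY"],   # payments without goods receipt
    "dave": ["Z_PERIOD_CLOSE"],                  # standalone sensitive access
}

if __name__ == "__main__":
    for user, findings in evaluate_all(USER_ROLES, ROLE_TCODES).items():
        print(f"{user}: {len(findings)} finding(s)")
        for func_a, func_b, level, codes_a, codes_b in findings:
            tail = f" AND {func_b} {codes_b}" if func_b else " (standalone)"
            print(f"  [{level}] {func_a} {codes_a}{tail}")
```

Two design points matter in practice. The check runs on the union of a user's roles, because each role in the sample is individually unremarkable and only bob's combination of warehouse and payables access violates Post Goods Receipt AND Process Outgoing Payments. Each finding also carries the exact transaction codes on both sides, which is what a role owner needs in order to remove the offending code or to document a compensating control (for example, an independent review of goods receipts posted by users who also hold payment transactions) where the conflict cannot be removed.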