Segregation of Duty Risks

Each row pairs two (or three) business functions that one user must not hold together. Columns: Risk ID | FunctionID Function 1 | FunctionID Function 2 | Mitigation ID | FunctionID Function 3 | Description of Risk | Risk Level
Finance
F001 | GL02 Maintain GL Master Data | GL01 Post Journal Entry | MIT-F001 | | Create a fictitious GL account and generate journal activity or hide activity via posting entries. | Medium
F002 | CC03 Maintain Cost Centers | CC06 Cost Transfer Processing | MIT-F002 | | Alter a cost center without authorization and process unauthorized cost transfers to this center, possibly distorting CO reporting. | Medium
F003 | CC03 Maintain Cost Centers | FI01 Revenue Reposting | MIT-F003 | | Alter a cost center without authorization and process unauthorized revenue entries to this center, possibly distorting CO reporting. | Medium
F004 | CC02 Maintain CC or CE Groups | GL01 Post Journal Entry | MIT-F004 | | Manipulate cost center reports to hide inappropriate journal entry posting. | Medium
F005 | FI04 Maintain Bank Master Data | AP01 AP Payments | MIT-F005 | | Create a non bona-fide bank account and create a check from it. | High
F006 | FA01 Maintain Asset Document | AP02 Process Vendor Invoices | MIT-F006 | | Pay an invoice and hide it in an asset that would be depreciated over time. | High
F007 | FA01 Maintain Asset Document | MM05 Goods Receipts to PO | MIT-F007 | | Create an invoice through ERS goods receipt and hide it in an asset that would be depreciated over time. | High
F008 | AR02 Cash Application | FI03 Bank Reconciliation | MIT-F008 | | Allows differences between cash deposited and cash collections posted to be covered up. | High
F010 | CC05 Maintain Internal CO Order | CC07 Internal Order Settlement | MIT-F010 | | Settle expenses from an unauthorized order and distort CO reporting. | Low
F011 | FI07 Maintain Activity Types | FI02 Activity Allocation | MIT-F011 | | Alter an activity type used for cost allocation purposes with fictitious data, thereby distorting the cost allocation process. | Low
F012 | FA02 Maintain Asset Master | FA01 Maintain Asset Document | MIT-F012 | | User responsible for asset master records could process transactions that would allow the asset to be depreciated over time. | Medium
F013 | FA02 Maintain Asset Master | MM05 Goods Receipts to PO | MIT-F013 | | Create the asset and manipulate the receipt of the associated asset. | High
F014 | PS02 Process Overhead Postings | PS03 Settle Projects | MIT-F014 | | Post overhead expenses to the project and settle the project without going through the settlement approval process. | High
F015 | PS01 Maintain Projects and WBS Elements | PS03 Settle Projects | MIT-F015 | | Use a fictitious project to allocate overages of an actual project, and settle the project without going through the settlement approval process. | High
F016 | PS01 Maintain Projects and WBS Elements | PS02 Process Overhead Postings | MIT-F016 | | Manipulate the work breakdown structure elements (profit centers, business areas, cost centers, plants) and post overhead expenses to the project. | High
F017 | FI04 Maintain Bank Master Data | AR02 Cash Application | MIT-F017 | | Maintain a non bona-fide bank account and divert incoming payments to it. | High
F018 | FI06 Maintain Posting Periods | GL01 Post Journal Entry | MIT-F018 | | Open previously closed accounting periods and inappropriately post entries after month end. | Medium
F019 | FI06 Maintain Posting Periods | AP01 AP Payments | MIT-F019 | | Open previously closed accounting periods and inappropriately post payments after month end. | Medium
F020 | FI06 Maintain Posting Periods | AR02 Cash Application | MIT-F020 | | Open previously closed accounting periods and enter incoming payments after month-end reporting. | Medium
F021 | FI06 Maintain Posting Periods | MM04 Goods Movements | MIT-F021 | | Open previously closed accounting periods and inappropriately receive or issue goods after month end. | Medium
F022 | GL02 Maintain GL Master Data | GL03 Post Journal Entry (misc Tax/Currency) | MIT-F022 | | Create a fictitious GL account and generate miscellaneous general ledger activity or hide fraudulent activity via posting entries. | Medium
F023 | CC02 Maintain CC or CE Groups | GL03 Post Journal Entry (misc Tax/Currency) | MIT-F023 | | Manipulate cost center reports to hide inappropriate miscellaneous journal entry postings. | Medium
F024 | FI06 Maintain Posting Periods | GL03 Post Journal Entry (misc Tax/Currency) | MIT-F024 | | Open previously closed accounting periods and inappropriately post tax and currency journal entries after month end. | Medium
F025 | FI04 Maintain Bank Master Data | AP04 Manual Check Processing | MIT-F025 | | Create a non bona-fide bank account and create manual checks from it. | High
F026 | FI06 Maintain Posting Periods | AP04 Manual Check Processing | MIT-F026 | | Open previously closed accounting periods and inappropriately post manual payments. | Medium
F028 | GL01 Post Journal Entry | AP02 Process Vendor Invoices | MIT-F028 | | Adjust the subsidiary balance using the vendor invoice entry and then cover it up using journal entries. | Medium
F029 | GL01 Post Journal Entry | AR01 AR Payments | MIT-F029 | | Adjust the subsidiary balance using the AR payment transaction and then cover it up using journal entries. | Medium
F030 | GL01 Post Journal Entry | AR02 Cash Application | MIT-F030 | | Adjust the subsidiary balance using the AR payment transaction and then cover it up using journal entries. | Medium
F031 | GL01 Post Journal Entry | AR05 AR Payments | MIT-F031 | | Adjust the subsidiary balance using the AR payment transaction and then cover it up using journal entries. | Medium
M001 | PP02 Production Order Processing | FI05 Product Costing | MIT-M001 | | Increase production to reduce cost variances. | Low
M002 | PP02 Production Order Processing | PP01 Confirm Production Order | MIT-M002 | | Production order processing and confirming production orders. | Low
M003 | PP01 Confirm Production Order | FI05 Product Costing | MIT-M003 | | Increase production to reduce cost variances due to productivity. | Low
M004 | QM01 Quality Results Reporting | SD02 Delivery Processing | MIT-M004 | | Transfer stock to general release to meet delivery schedules. | Low
M005 | QM01 Quality Results Reporting | MM07 Enter Counts - WM | MIT-M005 | MM08 Clear Differences - WM | Remove inferior materials by adjusting out via WM inventory. | Medium
M006 | MM04 Goods Movements | MM07 Enter Counts - WM | MIT-M006 | MM08 Clear Differences - WM | Accept goods via goods receipts and perform a WM physical inventory adjustment afterwards. | High
M007 | QM01 Quality Results Reporting | PP01 Confirm Production Order | MIT-M007 | | Release produced materials to GR stock to maintain production quotas. | Medium
M008 | GL01 Post Journal Entry | MM07 Enter Counts - WM | MIT-M008 | MM08 Clear Differences - WM | Hide WM inventory adjustments via ledger entries. | Medium
M009 | QM01 Quality Results Reporting | MM02 Enter Counts - IM | MIT-M009 | MM01 Clear Differences - Inventory Management | Remove inferior materials by adjusting out via IM inventories. | Medium
M011 | MM04 Goods Movements | MM02 Enter Counts - IM | MIT-M011 | MM01 Clear Differences - Inventory Management | Accept goods via goods receipts and perform an IM physical inventory adjustment afterwards. | High
M012 | MM04 Goods Movements | MM03 Enter Counts & Clear Diff - IM | MIT-M012 | | Accept goods via goods receipts and perform an IM physical inventory adjustment afterwards. | High
M014 | GL01 Post Journal Entry | MM02 Enter Counts - IM | MIT-M014 | MM01 Clear Differences - Inventory Management | Hide IM inventory adjustments via ledger entries. | Medium
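The matrix above is what an SoD engine evaluates: a risk fires when one user ends up holding every function on its row (two functions, or three where a Function 3 is listed), and the Mitigation ID names the control that can be recorded against a user to accept a known conflict. The Python below, added here and not part of the ruleset or of any GRC product, runs that evaluation over a handful of rows transcribed from the table, including the three-function rows M005 and M006 and the Procure-to-Pay row P059 that carries no Mitigation ID. The user-to-function and mitigation assignments are constructed sample data, and the reading of the matrix (all functions must coincide in one user; a partial match is not a conflict; only a mitigation matching the row's Mitigation ID flags a hit as mitigated) is an assumption stated in the code.

```python
"""Segregation-of-duties check driven by rows of the risk matrix above.

Added example, not part of the original ruleset or of any GRC product. The
rows in SAMPLE_ROWS are transcribed from the table; the user-to-function and
mitigation assignments are constructed sample data. The evaluation rule (a risk
fires only when one user holds every function on its row; a mitigation control
matching the row's Mitigation ID marks the hit as mitigated) is an assumption
about how the matrix is meant to be read.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Risk:
    risk_id: str
    functions: Tuple[str, ...]   # every FunctionID that must coincide in one user
    mitigation_id: Optional[str]
    description: str
    level: str                    # High / Medium / Low


def parse_row(line: str) -> Risk:
    """Parse one pipe-delimited row in the table's column order:
    Risk ID | Function 1 | Function 2 | Mitigation ID | Function 3 | Description | Risk Level.
    Each function cell starts with its FunctionID (e.g. 'GL02 Maintain GL Master Data');
    only that ID is used for matching. An empty Function 3 cell means a two-function risk."""
    cells = [c.strip() for c in line.split("|")]
    if len(cells) != 7:
        raise ValueError(f"expected 7 cells, got {len(cells)}: {line!r}")
    risk_id, fn1, fn2, mitigation, fn3, description, level = cells
    functions = tuple(cell.split()[0] for cell in (fn1, fn2, fn3) if cell)
    return Risk(risk_id, functions, mitigation or None, description, level)


# Transcribed from the table: two two-function rows, two three-function rows
# (M005, M006) and a Procure-to-Pay row that carries no Mitigation ID (P059).
SAMPLE_ROWS = [
    "F001 | GL02 Maintain GL Master Data | GL01 Post Journal Entry | MIT-F001 | | Create a fictitious GL account and generate journal activity or hide activity via posting entries. | Medium",
    "F005 | FI04 Maintain Bank Master Data | AP01 AP Payments | MIT-F005 | | Create a non bona-fide bank account and create a check from it. | High",
    "M005 | QM01 Quality Results Reporting | MM07 Enter Counts - WM | MIT-M005 | MM08 Clear Differences - WM | Remove inferior materials by adjusting out via WM inventory. | Medium",
    "M006 | MM04 Goods Movements | MM07 Enter Counts - WM | MIT-M006 | MM08 Clear Differences - WM | Accept goods via goods receipts and perform a WM physical inventory adjustment afterwards. | High",
    "P059 | PR02 Maintain Purchase Order | PR04 PO Approval | | | Where release strategies are utilized, the same user should not maintain the purchase order and release or approve it. | High",
]
RULESET = [parse_row(row) for row in SAMPLE_ROWS]

# Constructed sample data: the business functions each user ends up with once
# their roles are resolved (the role -> transaction -> function mapping that a
# GRC tool performs is assumed to have been done already).
USER_FUNCTIONS = {
    "jdoe":   {"GL02", "GL01"},                  # both sides of F001
    "asmith": {"QM01", "MM07"},                  # two of M005's three functions: no conflict
    "bwayne": {"QM01", "MM07", "MM08", "MM04"},  # completes both M005 and M006
    "clerk1": {"PR02", "PR04"},                  # P059, for which no mitigation exists
    "treas":  {"FI04", "AP01"},                  # F005, mitigated below
}

# Constructed sample data: mitigation controls recorded against users.
# MIT-F999 is a hypothetical control that matches no row, so it suppresses nothing.
ASSIGNED_MITIGATIONS = {"treas": {"MIT-F005"}, "jdoe": {"MIT-F999"}}


def find_violations(ruleset, user_functions, assigned_mitigations):
    """Return (user, risk_id, level, mitigated) for every user who holds all the
    functions of a risk. A partial match (two of three functions) is not a hit.
    A mitigation matching the row's Mitigation ID flags the hit as mitigated
    rather than dropping it, so mitigated conflicts still show up in reports."""
    hits = []
    for user, functions in sorted(user_functions.items()):
        for risk in ruleset:
            if set(risk.functions) <= functions:
                mitigated = (risk.mitigation_id is not None
                             and risk.mitigation_id in assigned_mitigations.get(user, set()))
                hits.append((user, risk.risk_id, risk.level, mitigated))
    return hits


def open_findings(hits, level="High"):
    """Unmitigated hits at the given risk level: the ones to escalate first."""
    return [(user, risk_id) for user, risk_id, lvl, mitigated in hits
            if lvl == level and not mitigated]


if __name__ == "__main__":
    for user, risk_id, level, mitigated in find_violations(RULESET, USER_FUNCTIONS, ASSIGNED_MITIGATIONS):
        print(f"{user:8} {risk_id} {level:6} {'mitigated' if mitigated else 'OPEN'}")
```

Two design points matter in practice. First, the three-function rows are conjunctions: a user with only Enter Counts and Quality Results Reporting but not Clear Differences is not an M005 hit, which is why the check uses subset containment over the full tuple rather than any-two matching. Second, a mitigation is reported rather than filtered out, because a mitigated conflict is still a conflict that an auditor will want to see alongside its control.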
Procure to Pay
P001 | PR01 Vendor Master Maintenance | AP02 Process Vendor Invoices | | | Maintain a fictitious vendor and enter a vendor invoice for automatic payment. | High
P002 | AP01 AP Payments | PR01 Vendor Master Maintenance | | | Maintain a fictitious vendor and create a payment to that vendor. | High
P003 | AP02 Process Vendor Invoices | AP01 AP Payments | | | Enter fictitious vendor invoices and then render payment to the vendor. | High
P004 | PR02 Maintain Purchase Order | AP02 Process Vendor Invoices | | | Purchase unauthorized items and initiate payment by invoicing. | High
P005 | PR02 Maintain Purchase Order | MM05 Goods Receipts to PO | | | Enter fictitious purchase orders for personal use and accept the goods through goods receipt. | High
P006 | AP02 Process Vendor Invoices | MM05 Goods Receipts to PO | | | Enter fictitious vendor invoices and accept the goods via goods receipt. | High
P007 | PR02 Maintain Purchase Order | AP01 AP Payments | | | Enter a fictitious purchase order and enter the covering payment. | High
P008 | PR01 Vendor Master Maintenance | PR02 Maintain Purchase Order | | | Create a fictitious vendor and initiate purchases to that vendor. | High
P009 | AP03 Release Blocked Invoices | PR08 Service Acceptance | | | Receive or accept services and release a previously blocked invoice to offset the receipt. | Medium
P010 | AP03 Release Blocked Invoices | PR02 Maintain Purchase Order | | | Enter an unauthorized purchase order and release a previously blocked invoice to offset the purchase order. | Medium
P011 | PR02 Maintain Purchase Order | MM03 Enter Counts & Clear Diff - IM | | | Inappropriately procure an item and manipulate the IM physical inventory counts to hide it. | High
P012 | PR03 Service Master Maintenance | PR07 Requisitioning | | | Modify or add to service master data (to add an item that normally is not ordered by the company) and then create or change a requisition. | Medium
P013 | MM06 Maintain Material Master Data | PR02 Maintain Purchase Order | | | Add items to the material master or service master file and create fraudulent purchase orders for those items. | Medium
P014 | FI03 Bank Reconciliation | AP02 Process Vendor Invoices | | | Can hide differences between bank payments and posted AP records. | High
P015 | AP03 Release Blocked Invoices | MM05 Goods Receipts to PO | | | Receive goods against a purchase order and release a previously blocked invoice to offset the receipt. | Medium
P016 | PR08 Service Acceptance | AP01 AP Payments | | | Receive or accept services and enter the covering payments. | High
P017 | PR02 Maintain Purchase Order | PR08 Service Acceptance | | | Enter fictitious purchase orders for personal use and accept the services through service acceptance. | Medium
P018 | MM06 Maintain Material Master Data | PR05 Purchasing Agreements | | | Add an item to the material master or service master file and then fraudulently add those items to purchasing agreements. | Medium
P019 | PR04 PO Approval | MM05 Goods Receipts to PO | | | Approve the purchase of unauthorized goods and hide the misuse of inventory by not fully receiving the order. | High
P020 | PR04 PO Approval | AP01 AP Payments | | | Commit the company to fraudulent purchase contracts and initiate payment for unauthorized goods and services. | High
P021 | PR04 PO Approval | AP02 Process Vendor Invoices | | | Release a non bona-fide purchase order and initiate payment for the order by entering invoices. | High
P022 | PR04 PO Approval | MM02 Enter Counts - IM | | MM01 Clear Differences - Inventory Management | Release a non bona-fide purchase order and keep the action undetected by manipulating the IM physical inventory counts. | High
P023 | PR04 PO Approval | PR01 Vendor Master Maintenance | | | Create a fictitious vendor or change existing vendor master data and approve purchases to this vendor. | High
P025 | AP03 Release Blocked Invoices | PR05 Purchasing Agreements | | | Modify a purchasing agreement and release a previously blocked invoice to offset the vendor account. | Medium
P026 | AP01 AP Payments | PR05 Purchasing Agreements | | | Enter fictitious purchasing agreements and then render payment. | High
P027 | PR01 Vendor Master Maintenance | PR05 Purchasing Agreements | | | Enter fictitious purchasing agreements and enter a fictitious vendor or modify an existing vendor, especially its account data. | High
P028 | PR05 Purchasing Agreements | MM05 Goods Receipts to PO | | | Modify purchasing agreements and then receive goods for fraudulent purposes. | High
P030 | AP01 AP Payments | PR03 Service Master Maintenance | | | Modify service master data (to add a service that is normally not ordered by the company) and enter the covering payments. | High
P031 | PR03 Service Master Maintenance | PR06 Release Requisitions | | | Add services to the service master file (services not related to business purpose) and create a requisition for those services. | Medium
P033 | PR07 Requisitioning | PR02 Maintain Purchase Order | | | The same person requisitions an item and creates a purchase order from that requisition. | Medium
P034 | PR02 Maintain Purchase Order | PR03 Service Master Maintenance | | | Add items to the service master file and create fraudulent purchase orders for those items. | Medium
P035 | PR05 Purchasing Agreements | MM03 Enter Counts & Clear Diff - IM | | | The same person enters a purchasing agreement for materials and then adjusts the IM inventory for those materials. | Medium
P036 | MM06 Maintain Material Master Data | PR07 Requisitioning | | | Modify or add to material master data (to add material that normally is not ordered by the company) and then release a material requisition. | Medium
P037 | PR07 Requisitioning | PR06 Release Requisitions | | | The same person requisitions an item and then releases the requisition for purchase, bypassing the authorization process. | Medium
P038 | AP01 AP Payments | FI03 Bank Reconciliation | | | The same person enters unauthorized payments and reconciles them with the bank. | High
P039 | AP02 Process Vendor Invoices | PR08 Service Acceptance | | | Enter vendor invoices and accept those services in the service receipt entry. | Medium
P040 | PR06 Release Requisitions | PR02 Maintain Purchase Order | | | The same person releases a requisition and generates the accompanying purchase order. | Medium
P041 | PR03 Service Master Maintenance | PR05 Purchasing Agreements | | | Add an item to the material master or service master file and then fraudulently add those items to purchasing agreements. | Medium
P042 | PR04 PO Approval | PR03 Service Master Maintenance | | | Add or modify service master data and release an order for personal use. | Medium
P043 | AP03 Release Blocked Invoices | PR04 PO Approval | | | Release a purchase order and release a previously blocked invoice to offset the vendor account. | Medium
P044 | PR04 PO Approval | PR08 Service Acceptance | | | Release a fictitious purchase order for personal use and accept the services through service acceptance. | Medium
P045 | PR02 Maintain Purchase Order | MM02 Enter Counts - IM | | MM01 Clear Differences - Inventory Management | Inappropriately procure an item and manipulate the IM physical inventory counts to hide it. | High
P047 | PR04 PO Approval | MM03 Enter Counts & Clear Diff - IM | | | Release a non bona-fide purchase order and keep the action undetected by manipulating the IM physical inventory counts. | High
P048 | PR04 PO Approval | MM07 Enter Counts - WM | | MM08 Clear Differences - WM | Release a non bona-fide purchase order and keep the action undetected by manipulating the WM physical inventory counts. | High
P049 | PR05 Purchasing Agreements | MM02 Enter Counts - IM | | MM01 Clear Differences - Inventory Management | The same person enters a purchasing agreement for materials and then adjusts the IM inventory for those materials. | Medium
P050 | PR05 Purchasing Agreements | MM07 Enter Counts - WM | | MM08 Clear Differences - WM | The same person enters a purchasing agreement for materials and then adjusts the WM inventory for those materials. | Medium
P051 | AP04 Manual Check Processing | PR01 Vendor Master Maintenance | | | Maintain a fictitious vendor and create a payment to that vendor. | High
P052 | AP02 Process Vendor Invoices | AP04 Manual Check Processing | | | Enter fictitious vendor invoices and then render payment to the vendor. | High
P053 | PR02 Maintain Purchase Order | AP04 Manual Check Processing | | | Enter a fictitious purchase order and enter the covering payment. | High
P054 | PR08 Service Acceptance | AP04 Manual Check Processing | | | Receive or accept services and manually enter the covering check payments. | High
P055 | PR04 PO Approval | AP04 Manual Check Processing | | | Commit the company to fraudulent purchases and initiate manual check payments for unauthorized goods and services. | High
P056 | AP04 Manual Check Processing | PR05 Purchasing Agreements | | | Enter fictitious purchasing agreements and then render manual checks for payment. | High
P057 | AP04 Manual Check Processing | PR03 Service Master Maintenance | | | Modify service master data (to add a service that is normally not ordered by the company) and enter the covering payments. | High
P058 | AP04 Manual Check Processing | FI03 Bank Reconciliation | | | The same person enters unauthorized manual payments and reconciles them with the bank. | High
P059 | PR02 Maintain Purchase Order | PR04 PO Approval | | | Where release strategies are utilized, the same user should not maintain the purchase order and release or approve it. | High
P060 | AP02 Process Vendor Invoices | AP03 Release Blocked Invoices | | | The automated controls for invoicing can be circumvented. Invoices are usually blocked due to price or quantity differences. | Medium
Order to Cash
S001 | AR04 Credit Management | SD05 Sales Order Processing | | | Enter or modify sales documents and approve customer credit limits. | High
S002 | SD05 Sales Order Processing | AR03 Clear Customer Balance | | | Create sales documents and immediately clear the customer's obligation. | High
S004 | SD01 Maintain Customer Master Data | AR07 Process Customer Invoices | | | Make an unauthorized change to the master record (payment terms, tolerance level) in favor of the customer and enter an inappropriate invoice. | High
S006 | AR03 Clear Customer Balance | AR05 Maintain Billing Documents | | | Clear a customer's balance and then create or change the billing document for the same customer, clearing them of their obligation. | High
S008 | AR04 Credit Management | SD03 Sales Rebates | | | Manipulate the customer's credit limit and assign generous rebates to execute a marginal customer's order. | High
S009 | SD05 Sales Order Processing | AR02 Cash Application | | | Enter a fictitious sales document and then render fictitious payments. | Medium
S010 | AR02 Cash Application | AR05 Maintain Billing Documents | | | Create a billing document for a customer and inappropriately post a payment from the same customer to conceal non-payment. | High
S013 | AR02 Cash Application | SD04 Sales Document Release | | | Change the accounts receivable records to cover differences with customer statements. | High
S014 | SD05 Sales Order Processing | SD02 Delivery Processing | | | Cover up an unauthorized shipment by creating a fictitious sales document. | High
S015 | AR07 Process Customer Invoices | SD06 Sales Pricing Condition | | | Sales price modifications for sales invoicing. | High
S016 | SD05 Sales Order Processing | SD06 Sales Pricing Condition | | | Enter sales documents and lower prices for fraudulent gain. | High
S017 | AR04 Credit Management | AR02 Cash Application | | | Perform the credit approval function and modify cash received for fraudulent purposes. | High
S018 | AR02 Cash Application | SD03 Sales Rebates | | | Enter fictitious sales rebates and then render fictitious payments. | High
S019 | AR02 Cash Application | SD01 Maintain Customer Master Data | | | The same person enters changes to the customer master file and modifies the cash received for the customer. | High
S020 | SD05 Sales Order Processing | SD04 Sales Document Release | | | The same person enters and releases sales documents. | Medium
S021 | SD05 Sales Order Processing | SD03 Sales Rebates | | | The same person enters sales documents and grants sales rebates, effectively granting an indirect price discount. | Medium
S022 | AR07 Process Customer Invoices | AR04 Credit Management | | | The same person enters and modifies sales invoices and approves credit limits. | High
S023 | AR05 Maintain Billing Documents | SD06 Sales Pricing Condition | | | Sales price modifications for sales invoicing. | High
S026 | AR02 Cash Application | AR07 Process Customer Invoices | | | User can create or change an invoice and enter or change payments against the invoice. | High
S027 | SD02 Delivery Processing | AR02 Cash Application | | | User can create a fictitious or incorrect delivery and enter payments against it, potentially misappropriating goods. | High
S028 | SD05 Sales Order Processing | AR07 Process Customer Invoices | | | User can create a fraudulent sales contract to include additional goods and enter an incorrect customer invoice to hide the deception. | High
HR and Payroll
H002 | HR01 HR Benefits | PY04 Process Payroll | | | Change employee HR benefits, then process payroll without authorization. Potential for fraudulent activity. | High
H003 | PY07 3rd Party Remittance | HR02 HR Vendor Data | | | Changing master data and creating the remittance could result in fraudulent payments. | High
H004 | HR04 Maintain Time Data | PY01 Approve Time | | | Change payroll master data and enter time data applied to incorrect settings. | High
H005 | HR04 Maintain Time Data | PY04 Process Payroll | | | Modify time data and process payroll, resulting in fraudulent payments. | High
H006 | PY02 Maintain Payroll Configuration | PY04 Process Payroll | | | Change the configuration of payroll, then process payroll, resulting in fraudulent payments. | High
H007 | HR03 Maintain Employee (PA) Master Data - 0008 - 0009 ( | PY02 Maintain Payroll Configuration | | | Change the configuration of payroll, then modify payroll master data, resulting in fraudulent payments. | High
H009 | HR04 Maintain Time Data | PY03 Payroll Maintenance | | | Enter false time data and perform payroll maintenance. | High
H010 | PY03 Payroll Maintenance | PY04 Process Payroll | | | Change payroll and process payroll without proper authorization. | High
H011 | PY02 Maintain Payroll Configuration | PY03 Payroll Maintenance | | | Change payroll configuration and perform maintenance on payroll settings. | High
H012 | HR04 Maintain Time Data | PY02 Maintain Payroll Configuration | | | Modify payroll configuration and enter false time data. | High
H013 | HR04 Maintain Time Data | HR05 Modify PD Structure | | | Enter false time data and maintain the PD structure. | High
H015 | HR03 Maintain Employee (PA) Master Data - 0008 - 0009 ( | PY03 Payroll Maintenance | | | Users may maintain employee master data, including pay rates, and delete the payroll result. | High
H016 | PY06 Payroll Schemas | HR04 Maintain Time Data | | | Users may enter false time data and perform work schedule evaluations. | High
H017 | PY05 Time Evaluations | HR04 Maintain Time Data | | | Users may enter false time data and perform time evaluations. | Medium
H018 | PY05 Time Evaluations | HR05 Modify PD Structure | | | Perform time evaluations and change the PD structure to misroute the data for approvals. | Medium
H019 | PY05 Time Evaluations | PY03 Payroll Maintenance | | | Perform time evaluations and delete payroll results, which could disrupt the payroll process. | Medium
H020 | PY05 Time Evaluations | PY04 Process Payroll | | | Users who perform both the time evaluation and process payroll could hide fraudulent actions. | Medium
H021 | PY05 Time Evaluations | PY06 Payroll Schemas | | | Users who can both perform time evaluations and maintain payroll schemas could hide fraudulent actions. | Medium
Basis
B003 | BS02 Basis Development | BS05 Client Administration | MIT-B003 | | A developer could create or modify a program in production and replicate these changes to other clients. This bypasses the inherent controls in the transport process and could negatively impact the DV and QA clients. | Medium
B004 | BS02 Basis Development | BS12 Transport Administration | MIT-B004 | | A developer could create or modify a program in production and force the transport of these changes after the fact to conceal irregular development practices. This also enables reverting to the program's original version without any trace of the changes made in production. | High
B009 | BS03 Basis Table Maintenance | BS11 System Administration | MIT-B009 | | An individual could modify data in tables or modify valid configuration values and set up the production environment to run transactions and programs using the inappropriately modified data. This could affect data integrity, system performance, and proper | High
B010 | BS03 Basis Table Maintenance | BS05 Client Administration | MIT-B010 | | An individual could modify data in tables or change valid configuration and replicate these changes to other clients. This is particularly sensitive if client administration transactions come with client-independent authorization allowing the developer to | High
B011 | BS10 Security Administration | BS05 Client Administration | MIT-B011 | | An individual could inappropriately modify roles and assignments and reflect this change to the production's mirror copy, eliminating the chance to revert to the appropriate setup. | High
B013 | BS01 Archiving | BS11 System Administration | MIT-B013 | | An administrator could execute archiving transactions during peak end-user usage and administer the production system to allow for maximum system resources to complete the archiving function, affecting system performance. | Medium
B015 | BS01 Archiving | BS05 Client Administration | MIT-B015 | | A user could inappropriately archive client-independent data and settings and use client administration functions to replicate such changes to other clients. | Medium
B016 | BS01 Archiving | BS12 Transport Administration | MIT-B016 | | Usually the individuals responsible for archiving are end-users who understand the business processes and data retention needs. Their job responsibilities do not require transport administration transactions. The reverse can be said for the users' responsibilities | Medium
B017 | BS07 Create Transport | BS09 Perform Transport | MIT-B017 | | Can create transports, add objects to the transport, and move the transport: can put unauthorized object changes into production, bypassing the change control process. | High
B018 | BS08 Maintain Number Ranges | BS11 System Administration | MIT-B018 | | Can reset the number ranges (1) and delete the log/audit trail (2). | High
B019 | BS13 Maintain User Master | BS14 Maintain Profiles / Roles | MIT-B019 | | One person controlling both the access in the profile/role and the user IDs increases the risk of inappropriate access. | High
CRM
D001 | CR01 Generate & Process Leads | CR02 Maintain Opportunity | | | Maintaining opportunities (qualifying the lead) must be independent of generating leads. Sales or production forecasts could be based on the number of qualified leads. In some companies, commissions could be paid based on the number of qualified leads. | Medium
D002 | CR01 Generate & Process Leads | CR03 Maintain Business Partner | | | The creation of key Business Partner data should be segregated from the Marketing group's leads and opportunity management. BPs should only be created after the appropriate review by the Master Data group. | Medium
D003 | CR03 Maintain Business Partner | CR04 Process CRM Sales Order | | | A user could create a fictitious business partner and initiate fraudulent sales orders for that partner. Master data such as business partners should not be maintained by the same users who process transactions using that master data. | High
D004 | CR04 Process CRM Sales Order | SD02 Delivery Processing | | | A user could create a fictitious sales order to cover up an unauthorized shipment. | High
D007 | CR05 Service Order Processing | CR06 Service Confirmation | | | Enter fictitious service orders for personal use and accept the services through service acceptance. The user could prompt fraudulent payments. In addition, spare parts could be fraudulently issued from inventory as a result of the confirmation. | High
D008 | CR07 CRM Billing | CR03 Maintain Business Partner | | | User can create a fictitious business partner and then process billing in CRM for that partner. | High
D009 | AR05 Maintain Billing Documents | CR03 Maintain Business Partner | | | User can create a fictitious business partner and then process billing in R3 for that partner. | High
D012 | SD07 Inbound Delivery Processing | CR08 Process Credit Memo | | | An internal user could collude with a customer, process a fictitious inbound delivery (based on a complaint entered by the customer) and process a credit memo to the customer. | Medium
D013 | CR08 Process Credit Memo | CR07 CRM Billing | | | User could create a fictitious credit memo and run billing due in CRM to prompt a payment to a customer. The customer could provide a kickback to the internal user. | High
D014 | CR08 Process Credit Memo | AR05 Maintain Billing Documents | | | User could create a fictitious credit memo and run billing due in R3 to prompt a payment to a customer. The customer could provide a kickback to the internal user. | High
D016 | CR04 Process CRM Sales Order | CR09 Maintain Conditions | | | A user could enter a sales order in CRM and lower prices via conditions for fraudulent gain. | High
D019 | CR04 Process CRM Sales Order | PY04 Process Payroll | | | Commissions or incentives may be paid based on the number of sales orders. Fraudulent orders could be entered to achieve higher sales reporting for commissions. | High
D020 | CR10 Maintain Product Catalog | CR04 Process CRM Sales Order | | | Add items to product catalogs and create fictitious sales orders for those items. | Medium
SRM
E001 | SR01 EBP / SRM Vendor Master | SR03 EBP / SRM Invoicing | | | Maintain a fictitious vendor and enter an invoice to be included in the automatic payment run. | High
E002 | SR02 EBP / SRM Purchasing | SR03 EBP / SRM Invoicing | | | Purchase unauthorized items and prompt the payment by invoicing. | High
E003 | SR02 EBP / SRM Purchasing | SR04 EBP / SRM Goods Receipt/Service Acceptance | | | Enter fictitious orders for personal use and accept the goods or services through goods receipt or service acceptance. | High
E004 | SR03 EBP / SRM Invoicing | SR04 EBP / SRM Goods Receipt/Service Acceptance | | | Enter fictitious invoices and accept goods or services via goods receipt or service acceptance. | High
E005 | SR01 EBP / SRM Vendor Master | SR02 EBP / SRM Purchasing | | | Maintain a fictitious vendor and initiate purchases to that vendor. | High
E006 | SR02 EBP / SRM Purchasing | MM07 Enter Counts - WM | | MM08 Clear Differences - WM | Inappropriately procure items and manipulate the WM physical inventory counts to hide it. | Medium
E007 | SR02 EBP / SRM Purchasing | MM02 Enter Counts - IM | | MM01 Clear Differences - Inventory Management | Inappropriately procure items and manipulate the IM physical inventory counts to hide it. | Medium
E010 | FI03 Bank Reconciliation | SR03 EBP / SRM Invoicing | | | A user can hide differences between bank payments and posted AP records. | High
E011 | SR06 EBP / SRM Goods Receipt/Service Acceptance | MM07 Enter Counts - WM | | MM08 Clear Differences - WM | Accept goods via SRM goods receipts and perform a WM physical inventory adjustment afterwards. | High
E012 | SR06 EBP / SRM Goods Receipt/Service Acceptance | MM02 Enter Counts - IM | | MM01 Clear Differences - Inventory Management | Accept goods via SRM goods receipts and perform an IM physical inventory adjustment afterwards. | High
E013 | SR06 EBP / SRM Goods Receipt/Service Acceptance | MM03 Enter Counts & Clear Diff - IM | | | Accept goods via SRM goods receipts and perform an IM physical inventory adjustment afterwards using powerful IM transactions. | High
E014 | SR02 EBP / SRM Purchasing | MM05 Goods Receipts to PO | | | Enter fictitious orders for personal use and accept the goods or services through goods receipt. | High
Enter fictitious orders for personal use and access the goods or services through service
E015 SR02 EBP / SRM Purchasing PR08 Service Acceptance acceptance
High
EBP / SRM Maintain EBP / SRM Product Initiate purchases for fictitious goods by selecting those goods to be included in a
E016 SR08 SR05
shopping cart
Medium
Shopping Cart Maintenance
EBP / SRM Maintain Maintain a fictitious vendor and initiate purchases to that vendor by selecting goods to
E017 SR08 SR01 EBP / SRM Vendor Master be included in a shopping cart Medium
Shopping Cart
EBP / SRM Goods Approve the purchase of unauthorized goods and hide the misuse of inventory by not
E018 SR07 EBP / SRM PO Approval SR04
fully receiving the order in SRM
Medium
Receipt/Service Acceptance
Approve the purchase of unauthorized goods and hide the misuse of inventory by not
E019 SR07 EBP / SRM PO Approval MM05 Goods Receipts to PO fully receiving the order in R3
High
Where release strategies are utilized, the same user should not maintain the purchase
E020 SR02 EBP / SRM Purchasing SR07 EBP / SRM PO Approval order and release or approve it.
High
Create a fictitious vendor or change existing vendor master data and approve purchases
E021 SR01 EBP / SRM Vendor Master SR07 EBP / SRM PO Approval to this vendor
High
EBP / SRM Maintain Org Enter fictitious orders for personal use and manipulate the organizational structure to
E022 SR02 EBP / SRM Purchasing SR09
bypass approvals
High
Structure
EBP / SRM Maintain Org Create or maintain fictitious vendor and manipulate the organizational structure to
E023 SR01 EBP / SRM Vendor Master SR09
bypass approvals or secondary checks
High
Structure
EBP / SRM Maintain Initiate purchases to selecting goods to be included in a shopping cart then approving
E024 SR08 SR07 EBP / SRM PO Approval the purchase
High
Shopping Cart
EC-CS (Assumption - Data is uploaded to the Consolidation system. Additional risks may need to be defined for fully integrated systems)
Risk ID | Function ID / Function 1 | Function ID / Function 2 | Mitigation ID | Function ID / Function 3 | Description of Risk | Risk Level
G001 | EC01 Maintain Hierarchies | AP01 AP Payments | MIT-G001 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High
G002 | EC01 Maintain Hierarchies | AP02 Process Vendor Invoices | MIT-G002 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High
G003 | EC01 Maintain Hierarchies | AP04 Manual Check Processing | MIT-G003 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High
G004 | EC01 Maintain Hierarchies | AR02 Cash Application | MIT-G004 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High
G005 | EC01 Maintain Hierarchies | AR07 Process Customer Invoices | MIT-G005 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High
G006 | EC01 Maintain Hierarchies | CC03 Maintain Cost Centers | MIT-G006 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High
G007 | EC01 Maintain Hierarchies | FA01 Maintain Asset Document | MIT-G007 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High
G008 | EC01 Maintain Hierarchies | FA02 Maintain Asset Master | MIT-G008 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High
G009 | EC01 Maintain Hierarchies | FI01 Revenue Reposting | MIT-G009 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High
G010 | EC01 Maintain Hierarchies | GL01 Post Journal Entry | MIT-G010 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High
G011 | EC01 Maintain Hierarchies | GL02 Maintain GL Master Data | MIT-G011 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High
G012 | EC01 Maintain Hierarchies | GL03 Post Journal Entry (misc Tax/Currency) | MIT-G012 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High
G013 | EC01 Maintain Hierarchies | PR01 Vendor Master Maintenance | MIT-G013 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High
G014 | EC01 Maintain Hierarchies | SD01 Maintain Customer Master Data | MIT-G014 | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output | High
Functional Area | Novus Monitor & Approver | Email Address
Finance / Controlling | Davud Friedman | Davud.Friedman@novusint.com
Manufacturing | Steve Bass | Stephen.Bass@novusint.com
Procure to Pay | |
Order to Cash | |
HR | |
Basis | Mark Meyer | Mark.Meyer@novusint.com
CRM | |