Segregation of Duty Risks

Finance

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|
| F001 | GL02 | Maintain GL Master Data | GL01 | Post Journal Entry | MIT-F001 | Create a fictitious GL account and generate journal activity or hide activity via posting entries. | Medium |
| F002 | CC03 | Maintain Cost Centers | CC06 | Cost Transfer Processing | MIT-F002 | Alter a cost center without authorization and process unauthorized cost transfers to this center, possibly distorting CO reporting. | Medium |
| F003 | CC03 | Maintain Cost Centers | FI01 | Revenue Reposting | MIT-F003 | Alter a cost center without authorization and process unauthorized revenue entries to this center, possibly distorting CO reporting. | Medium |
| F004 | CC02 | Maintain CC or CE Groups | GL01 | Post Journal Entry | MIT-F004 | Manipulate cost center reports to hide inappropriate journal entry posting. | Medium |
| F005 | FI04 | Maintain Bank Master Data | AP01 | AP Payments | MIT-F005 | Create a non bona-fide bank account and create a check from it. | High |
| F006 | FA01 | Maintain Asset Document | AP02 | Process Vendor Invoices | MIT-F006 | Pay an invoice and hide it in an asset that would be depreciated over time. | High |
| F007 | FA01 | Maintain Asset Document | MM05 | Goods Receipts to PO | MIT-F007 | Create an invoice through ERS goods receipt and hide it in an asset that would be depreciated over time. | High |
| F008 | AR02 | Cash Application | FI03 | Bank Reconciliation | MIT-F008 | Allows differences between cash deposited and cash collections posted to be covered up. | High |
| F009 | CC01 | Maintain Cost Center Distributions | CC04 | Execute Cost Center Distributions | MIT-F009 | Allocate costs to unauthorized cost centers, thereby distorting financial reporting. | Low |
| F010 | CC05 | Maintain Internal CO Order | CC07 | Internal Order Settlement | MIT-F010 | Settle expenses from an unauthorized order and distort CO reporting. | Low |
| F011 | FI07 | Maintain Activity Types | FI02 | Activity Allocation | MIT-F011 | Alter an activity type used for cost allocation purposes with fictitious data, thereby distorting the cost allocation process. | Low |
| F012 | FA02 | Maintain Asset Master | FA01 | Maintain Asset Document | MIT-F012 | User responsible for asset master records could process transactions that would allow the asset to be depreciated over time. | Medium |
| F013 | FA02 | Maintain Asset Master | MM05 | Goods Receipts to PO | MIT-F013 | Create the asset and manipulate the receipt of the associated asset. | High |
| F014 | PS02 | Process Overhead Postings | PS03 | Settle Projects | MIT-F014 | Post overhead expenses to the project and settle the project without going through the settlement approval process. | High |
| F015 | PS01 | Maintain Projects and WBS Elements | PS03 | Settle Projects | MIT-F015 | Use a fictitious project to allocate overages of an actual project, and settle the project without going through the settlement approval process. | High |
| F016 | PS01 | Maintain Projects and WBS Elements | PS02 | Process Overhead Postings | MIT-F016 | Manipulate the work breakdown structure elements (profit centers, business areas, cost centers, plants) and post overhead expenses to the project. | High |
| F017 | FI04 | Maintain Bank Master Data | AR02 | Cash Application | MIT-F017 | Maintain a non bona-fide bank account and divert incoming payments to it. | High |
| F018 | FI06 | Maintain Posting Periods | GL01 | Post Journal Entry | MIT-F018 | Open previously closed accounting periods and inappropriately post entries after month end. | Medium |
| F019 | FI06 | Maintain Posting Periods | AP01 | AP Payments | MIT-F019 | Open previously closed accounting periods and inappropriately post payments after month end. | Medium |
| F020 | FI06 | Maintain Posting Periods | AR02 | Cash Application | MIT-F020 | User able to open previously closed accounting periods and enter incoming payments after month end reporting. | Medium |
| F021 | FI06 | Maintain Posting Periods | MM04 | Goods Movements | MIT-F021 | Open previously closed accounting periods and inappropriately receive or issue goods after month end. | Medium |
| F022 | GL02 | Maintain GL Master Data | GL03 | Post Journal Entry (misc Tax/Currency) | MIT-F022 | Create a fictitious GL account and generate miscellaneous general ledger activity or hide fraudulent activity via posting entries. | Medium |
| F023 | CC02 | Maintain CC or CE Groups | GL03 | Post Journal Entry (misc Tax/Currency) | MIT-F023 | Manipulate cost center reports to hide inappropriate miscellaneous journal entry postings. | Medium |
| F024 | FI06 | Maintain Posting Periods | GL03 | Post Journal Entry (misc Tax/Currency) | MIT-F024 | Open previously closed accounting periods and inappropriately post tax and currency journal entries after month end. | Medium |
| F025 | FI04 | Maintain Bank Master Data | AP04 | Manual Check Processing | MIT-F025 | Create a non bona-fide bank account and create manual checks from it. | High |
| F026 | FI06 | Maintain Posting Periods | AP04 | Manual Check Processing | MIT-F026 | Open previously closed accounting periods and inappropriately post manual payments. | Medium |
| F027 | FI08 | Create / Change Treasury Item | FI09 | Confirm a Treasury Trade | MIT-F027 | Users can create a fictitious trade and fraudulently confirm or exercise the trade. | High |
| F028 | GL01 | Post Journal Entry | AP02 | Process Vendor Invoices | MIT-F028 | Adjust the subsidiary balance using the vendor invoice entry and then cover it up using journal entries. | Medium |
| F029 | GL01 | Post Journal Entry | AR01 | AR Payments | MIT-F029 | Adjust the subsidiary balance using the AR payment transaction and then cover it up using journal entries. | Medium |
| F030 | GL01 | Post Journal Entry | AR02 | Cash Application | MIT-F030 | Adjust the subsidiary balance using the AR payment transaction and then cover it up using journal entries. | Medium |
| F031 | GL01 | Post Journal Entry | AR05 | AR Payments | MIT-F031 | Adjust the subsidiary balance using the AR payment transaction and then cover it up using journal entries. | Medium |
Materials Management / Quality Management / Production Planning

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Function ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|---|
| M001 | PP02 | Production Order Processing | FI05 | Product Costing | MIT-M001 | | | Increase production to reduce cost variances. | Low |
| M002 | PP02 | Production Order Processing | PP01 | Confirm Production Order | MIT-M002 | | | Production order processing and confirming production orders. | Low |
| M003 | PP01 | Confirm Production Order | FI05 | Product Costing | MIT-M003 | | | Increase production to reduce cost variances due to productivity. | Low |
| M004 | QM01 | Quality Results Reporting | SD02 | Delivery Processing | MIT-M004 | | | Transfer stock to general release to meet delivery schedules. | Low |
| M005 | QM01 | Quality Results Reporting | MM07 | Enter Counts - WM | MIT-M005 | MM08 | Clear Differences - WM | Remove inferior materials by adjusting out via WM inventory. | Medium |
| M006 | MM04 | Goods Movements | MM07 | Enter Counts - WM | MIT-M006 | MM08 | Clear Differences - WM | Accept goods via goods receipts and perform a WM physical inventory adjustment afterwards. | High |
| M007 | QM01 | Quality Results Reporting | PP01 | Confirm Production Order | MIT-M007 | | | Release produced materials to GR stock to maintain production quotas. | Medium |
| M008 | GL01 | Post Journal Entry | MM07 | Enter Counts - WM | MIT-M008 | MM08 | Clear Differences - WM | Hide WM inventory adjustments via ledger entries. | Medium |
| M009 | QM01 | Quality Results Reporting | MM02 | Enter Counts - IM | MIT-M009 | MM01 | Clear Differences - Inventory Management | Remove inferior materials by adjusting out via IM inventories. | Medium |
| M010 | QM01 | Quality Results Reporting | MM03 | Enter Counts & Clear Diff - IM | MIT-M010 | | | Remove inferior materials by adjusting out via IM inventories. | Medium |
| M011 | MM04 | Goods Movements | MM02 | Enter Counts - IM | MIT-M011 | MM01 | Clear Differences - Inventory Management | Accept goods via goods receipts and perform an IM physical inventory adjustment afterwards. | High |
| M012 | MM04 | Goods Movements | MM03 | Enter Counts & Clear Diff - IM | MIT-M012 | | | Accept goods via goods receipts and perform an IM physical inventory adjustment afterwards. | High |
| M013 | GL01 | Post Journal Entry | MM03 | Enter Counts & Clear Diff - IM | MIT-M013 | | | Hide IM inventory adjustments via ledger entries. | Medium |
| M014 | GL01 | Post Journal Entry | MM02 | Enter Counts - IM | MIT-M014 | MM01 | Clear Differences - Inventory Management | Hide IM inventory adjustments via ledger entries. | Medium |
Procure to Pay

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Function ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|
| P001 | PR01 | Vendor Master Maintenance | AP02 | Process Vendor Invoices | | | Maintain a fictitious vendor and enter a vendor invoice for automatic payment. | High |
| P002 | AP01 | AP Payments | PR01 | Vendor Master Maintenance | | | Maintain a fictitious vendor and create a payment to that vendor. | High |
| P003 | AP02 | Process Vendor Invoices | AP01 | AP Payments | | | Enter fictitious vendor invoices and then render payment to the vendor. | High |
| P004 | PR02 | Maintain Purchase Order | AP02 | Process Vendor Invoices | | | Purchase unauthorized items and initiate payment by invoicing. | High |
| P005 | PR02 | Maintain Purchase Order | MM05 | Goods Receipts to PO | | | Enter fictitious purchase orders for personal use and accept the goods through goods receipt. | High |
| P006 | AP02 | Process Vendor Invoices | MM05 | Goods Receipts to PO | | | Enter fictitious vendor invoices and accept the goods via goods receipt. | High |
| P007 | PR02 | Maintain Purchase Order | AP01 | AP Payments | | | Enter a fictitious purchase order and enter the covering payment. | High |
| P008 | PR01 | Vendor Master Maintenance | PR02 | Maintain Purchase Order | | | Create a fictitious vendor and initiate purchases to that vendor. | High |
| P009 | AP03 | Release Blocked Invoices | PR08 | Service Acceptance | | | Receive or accept services and release a previously blocked invoice to offset the receipt. | Medium |
| P010 | AP03 | Release Blocked Invoices | PR02 | Maintain Purchase Order | | | Enter an unauthorized purchase order and release a previously blocked invoice to offset the purchase order. | Medium |
| P011 | PR02 | Maintain Purchase Order | MM03 | Enter Counts & Clear Diff - IM | | | Inappropriately procure an item and manipulate the IM physical inventory counts to hide it. | High |
| P012 | PR03 | Service Master Maintenance | PR07 | Requisitioning | | | Risk of modifying or adding to service master data (to add an item that normally is not ordered by the company) and then creating or changing a requisition. | Medium |
| P013 | MM06 | Maintain Material Master Data | PR02 | Maintain Purchase Order | | | Add items to the material master or service master file and create fraudulent purchase orders for those items. | Medium |
| P014 | FI03 | Bank Reconciliation | AP02 | Process Vendor Invoices | | | Can hide differences between bank payments and posted AP records. | High |
| P015 | AP03 | Release Blocked Invoices | MM05 | Goods Receipts to PO | | | Receive goods against a purchase order and release a previously blocked invoice to offset the receipt. | Medium |
| P016 | PR08 | Service Acceptance | AP01 | AP Payments | | | Receive or accept services and enter the covering payments. | High |
| P017 | PR02 | Maintain Purchase Order | PR08 | Service Acceptance | | | Enter fictitious purchase orders for personal use and accept the services through service acceptance. | Medium |
| P018 | MM06 | Maintain Material Master Data | PR05 | Purchasing Agreements | | | Add an item to the material master or service master file and then fraudulently add those items to purchasing agreements. | Medium |
| P019 | PR04 | PO Approval | MM05 | Goods Receipts to PO | | | Approve the purchase of unauthorized goods and hide the misuse of inventory by not fully receiving the order. | High |
| P020 | PR04 | PO Approval | AP01 | AP Payments | | | Commit the company to fraudulent purchase contracts and initiate payment for unauthorized goods and services. | High |
| P021 | PR04 | PO Approval | AP02 | Process Vendor Invoices | | | Release a non bona-fide purchase order and initiate payment for the order by entering invoices. | High |
| P022 | PR04 | PO Approval | MM02 | Enter Counts - IM | MM01 | Clear Differences - Inventory Management | Release a non bona-fide purchase order and keep the action undetected by manipulating the IM physical inventory counts. | High |
| P023 | PR04 | PO Approval | PR01 | Vendor Master Maintenance | | | Create a fictitious vendor or change existing vendor master data and approve purchases to this vendor. | High |
| P024 | PR04 | PO Approval | MM06 | Maintain Material Master Data | | | Add or modify material master data and release an order for personal use. | Medium |
| P025 | AP03 | Release Blocked Invoices | PR05 | Purchasing Agreements | | | Modify a purchasing agreement and release a previously blocked invoice to offset the vendor account. | Medium |
| P026 | AP01 | AP Payments | PR05 | Purchasing Agreements | | | Enter fictitious purchasing agreements and then render payment. | High |
| P027 | PR01 | Vendor Master Maintenance | PR05 | Purchasing Agreements | | | Risk of entry of fictitious purchasing agreements and the entry of a fictitious vendor or modification of an existing vendor, especially account data. | High |
| P028 | PR05 | Purchasing Agreements | MM05 | Goods Receipts to PO | | | Modify purchasing agreements and then receive goods for fraudulent purposes. | High |
| P029 | AP02 | Process Vendor Invoices | PR05 | Purchasing Agreements | | | Enter unauthorized items to a purchasing agreement and create an invoice to obtain those items for personal use. | High |
| P030 | AP01 | AP Payments | PR03 | Service Master Maintenance | | | Risk of modifying service master data (to add a service that is normally not ordered by the company) and the entry of covering payments. | High |
| P031 | PR03 | Service Master Maintenance | PR06 | Release Requisitions | | | Risk of addition of services to the service master file (services not related to business purpose) and the ability to create a requisition for those services. | Medium |
| P032 | PR06 | Release Requisitions | PR05 | Purchasing Agreements | | | Risk of entering or maintaining a purchasing agreement and authorizing the related requisition through its release. | Medium |
| P033 | PR07 | Requisitioning | PR02 | Maintain Purchase Order | | | Risk of the same person requisitioning an item and creating a purchase order from that requisition. | Medium |
| P034 | PR02 | Maintain Purchase Order | PR03 | Service Master Maintenance | | | Add items to the service master file and create fraudulent purchase orders for those items. | Medium |
| P035 | PR05 | Purchasing Agreements | MM03 | Enter Counts & Clear Diff - IM | | | Risk of the same person entering a purchasing agreement for materials and then adjusting the IM inventory for those materials. | Medium |
| P036 | MM06 | Maintain Material Master Data | PR07 | Requisitioning | | | Risk of modifying or adding to material master data (to add material that normally is not ordered by the company) and then the release of a material requisition. | Medium |
| P037 | PR07 | Requisitioning | PR06 | Release Requisitions | | | Risk of the same person requisitioning an item and then releasing a requisition for purchase, bypassing the authorization process. | Medium |
| P038 | AP01 | AP Payments | FI03 | Bank Reconciliation | | | Risk of the same person entering unauthorized payments and reconciling them with the bank. | High |
| P039 | AP02 | Process Vendor Invoices | PR08 | Service Acceptance | | | Risk of entering vendor invoices and the ability to accept those services in the service receipts entry. | Medium |
| P040 | PR06 | Release Requisitions | PR02 | Maintain Purchase Order | | | Risk of the same person releasing a requisition and generating the accompanying purchase order. | Medium |
| P041 | PR03 | Service Master Maintenance | PR05 | Purchasing Agreements | | | Add an item to the material master or service master file and then fraudulently add those items to purchasing agreements. | Medium |
| P042 | PR04 | PO Approval | PR03 | Service Master Maintenance | | | Add or modify service master data and release an order for personal use. | Medium |
| P043 | AP03 | Release Blocked Invoices | PR04 | PO Approval | | | Release a purchase order and release a previously blocked invoice to offset the vendor account. | Medium |
| P044 | PR04 | PO Approval | PR08 | Service Acceptance | | | Release a fictitious purchase order for personal use and accept the services through service acceptance. | Medium |
| P045 | PR02 | Maintain Purchase Order | MM02 | Enter Counts - IM | MM01 | Clear Differences - Inventory Management | Inappropriately procure an item and manipulate the IM physical inventory counts to hide it. | High |
| P046 | PR02 | Maintain Purchase Order | MM07 | Enter Counts - WM | MM08 | Clear Differences - WM | Inappropriately procure an item and manipulate the WM physical inventory counts to hide it. | High |
| P047 | PR04 | PO Approval | MM03 | Enter Counts & Clear Diff - IM | | | Release a non bona-fide purchase order and keep the action undetected by manipulating the IM physical inventory counts. | High |
| P048 | PR04 | PO Approval | MM07 | Enter Counts - WM | MM08 | Clear Differences - WM | Release a non bona-fide purchase order and keep the action undetected by manipulating the WM physical inventory counts. | High |
| P049 | PR05 | Purchasing Agreements | MM02 | Enter Counts - IM | MM01 | Clear Differences - Inventory Management | Risk of the same person entering a purchasing agreement for materials and then adjusting the IM inventory for those materials. | Medium |
| P050 | PR05 | Purchasing Agreements | MM07 | Enter Counts - WM | MM08 | Clear Differences - WM | Risk of the same person entering a purchasing agreement for materials and then adjusting the WM inventory for those materials. | Medium |
| P051 | AP04 | Manual Check Processing | PR01 | Vendor Master Maintenance | | | Maintain a fictitious vendor and create a payment to that vendor. | High |
| P052 | AP02 | Process Vendor Invoices | AP04 | Manual Check Processing | | | Enter fictitious vendor invoices and then render payment to the vendor. | High |
| P053 | PR02 | Maintain Purchase Order | AP04 | Manual Check Processing | | | Enter a fictitious purchase order and enter the covering payment. | High |
| P054 | PR08 | Service Acceptance | AP04 | Manual Check Processing | | | Receive or accept services and manually enter the covering check payments. | High |
| P055 | PR04 | PO Approval | AP04 | Manual Check Processing | | | Commit the company to fraudulent purchases and initiate manual check payments for unauthorized goods and services. | High |
| P056 | AP04 | Manual Check Processing | PR05 | Purchasing Agreements | | | Enter fictitious purchasing agreements and then render manual checks for payment. | High |
| P057 | AP04 | Manual Check Processing | PR03 | Service Master Maintenance | | | Risk of modifying service master data (to add a service that is normally not ordered by the company) and the entry of covering payments. | High |
| P058 | AP04 | Manual Check Processing | FI03 | Bank Reconciliation | | | Risk of the same person entering unauthorized manual payments and reconciling them with the bank. | High |
| P059 | PR02 | Maintain Purchase Order | PR04 | PO Approval | | | Where release strategies are utilized, the same user should not maintain the purchase order and release or approve it. | High |
| P060 | AP02 | Process Vendor Invoices | AP03 | Release Blocked Invoices | | | The automated controls for invoicing can be circumvented. Invoices are usually blocked due to price or quantity differences. | Medium |
| P061 | PR11 | Maintain Vendor Pricing Conditions | AP01 | AP Payments | | | Transactional processing should be segregated from pricing master data. | Medium |
| P062 | PR11 | Maintain Vendor Pricing Conditions | AP02 | Process Vendor Invoices | | | Transactional processing should be segregated from pricing master data. | Medium |
| P063 | PR11 | Maintain Vendor Pricing Conditions | AP03 | Release Blocked Invoices | | | Transactional processing should be segregated from pricing master data. | Medium |
| P064 | PR11 | Maintain Vendor Pricing Conditions | AP04 | Manual Check Processing | | | Transactional processing should be segregated from pricing master data. | Medium |
| P065 | PR11 | Maintain Vendor Pricing Conditions | PR04 | PO Approval | | | Transactional processing should be segregated from pricing master data. | Medium |
| P066 | PR11 | Maintain Vendor Pricing Conditions | PR06 | Release Requisitions | | | Transactional processing should be segregated from pricing master data. | Medium |
| P067 | PR11 | Maintain Vendor Pricing Conditions | PR07 | Requisitioning | | | Transactional processing should be segregated from pricing master data. | Medium |
Order to Cash

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|
| S001 | AR04 | Credit Management | SD05 | Sales Order Processing | Enter or modify sales documents and approve customer credit limits. | High |
| S002 | SD05 | Sales Order Processing | AR03 | Clear Customer Balance | Create sales documents and immediately clear the customer's obligation. | High |
| S003 | SD05 | Sales Order Processing | SD01 | Maintain Customer Master Data | Create a fictitious customer and initiate a fraudulent sales document. | High |
| S004 | SD01 | Maintain Customer Master Data | AR07 | Process Customer Invoices | Make an unauthorized change to the master record (payment terms, tolerance level) in favor of the customer and enter an inappropriate invoice. | High |
| S005 | SD01 | Maintain Customer Master Data | SD03 | Sales Rebates | Inappropriately create or change rebate agreements and manage a customer's master record in favor of the customer. Could also change a customer's master record to direct payment to an inappropriate location. | High |
| S006 | AR03 | Clear Customer Balance | AR05 | Maintain Billing Documents | Potentially clear a customer's balance and then create or make the same change to the billing document for the same customer, clearing them of their obligation. | High |
| S007 | SD05 | Sales Order Processing | AR05 | Maintain Billing Documents | Inappropriately create or change sales documents and generate a corresponding billing document for them. | High |
| S008 | AR04 | Credit Management | SD03 | Sales Rebates | Manipulate the customer's credit limit and assign generous rebates to execute a marginal customer's order. | High |
| S009 | SD05 | Sales Order Processing | AR02 | Cash Application | Enter a fictitious sales document and then render fictitious payments. | Medium |
| S010 | AR02 | Cash Application | AR05 | Maintain Billing Documents | Create a billing document for a customer and inappropriately post a payment from the same customer to conceal non-payment. | High |
| S011 | SD01 | Maintain Customer Master Data | AR01 | AR Payments | Create a fictitious customer and initiate payment to the unauthorized customer. | High |
| S012 | AR06 | Process Customer Credit Memos | AR01 | AR Payments | Initiate an unauthorized payment to the customer by entering fictitious credit memos. | High |
| S013 | AR02 | Cash Application | SD04 | Sales Document Release | Change the accounts receivable records to cover differences with customer statements. | High |
| S014 | SD05 | Sales Order Processing | SD02 | Delivery Processing | Cover up an unauthorized shipment by creating fictitious sales documents. | High |
| S015 | AR07 | Process Customer Invoices | SD06 | Sales Pricing Condition | Sales price modifications for sales invoicing. | High |
| S016 | SD05 | Sales Order Processing | SD06 | Sales Pricing Condition | Enter sales documents and lower prices for fraudulent gain. | High |
| S017 | AR04 | Credit Management | AR02 | Cash Application | Perform the credit approval function and modify cash received for fraudulent purposes. | High |
| S018 | AR02 | Cash Application | SD03 | Sales Rebates | Enter fictitious sales rebates and then render fictitious payments. | High |
| S019 | AR02 | Cash Application | SD01 | Maintain Customer Master Data | Risk of the same person entering changes to the customer master file and modifying the cash received for the customer. | High |
| S020 | SD05 | Sales Order Processing | SD04 | Sales Document Release | Risk of entering and releasing sales documents by the same person. | Medium |
| S021 | SD05 | Sales Order Processing | SD03 | Sales Rebates | Risk of entering sales documents and giving sales rebates by the same person, effectively granting an indirect price discount. | Medium |
| S022 | AR07 | Process Customer Invoices | AR04 | Credit Management | Risk of modifying and entering sales invoices and approving credit limits by the same person. | High |
| S023 | AR05 | Maintain Billing Documents | SD06 | Sales Pricing Condition | Risk of sales price modifications for sales invoicing. | High |
| S024 | SD01 | Maintain Customer Master Data | AR03 | Clear Customer Balance | Maintain a customer master record and post a fraudulent payment against it. | High |
| S025 | SD01 | Maintain Customer Master Data | AR05 | Maintain Billing Documents | User can create a fictitious customer and then issue invoices to the customer. | High |
| S026 | AR02 | Cash Application | AR07 | Process Customer Invoices | User can create/change an invoice and enter/change payments against the invoice. | High |
| S027 | SD02 | Delivery Processing | AR02 | Cash Application | User can create a fictitious/incorrect delivery and enter payments against it, potentially misappropriating goods. | High |
| S028 | SD05 | Sales Order Processing | AR07 | Process Customer Invoices | User able to create a fraudulent sales contract to include additional goods and enter an incorrect customer invoice to hide the deception. | High |
| S029 | AR03 | Clear Customer Balance | AR06 | Process Customer Credit Memos | Create a credit memo, then clear the customer to prompt a payment. | High |
HR and Payroll

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|
| H001 | HR03 | Maintain Employee (PA) Master Data - 0008 - 0009 ( | PY04 | Process Payroll | Modify payroll master data and then process payroll. Potential for fraudulent activity. | High |
| H002 | HR01 | HR Benefits | PY04 | Process Payroll | Change employee HR benefits, then process payroll without authorization. Potential for fraudulent activity. | High |
| H003 | PY07 | 3rd Party Remittance | HR02 | HR Vendor Data | Changing master data and creating the remittance could result in fraudulent payments. | High |
| H004 | HR04 | Maintain Time Data | PY01 | Approve Time | Change payroll master data and enter time data applied to incorrect settings. | High |
| H005 | HR04 | Maintain Time Data | PY04 | Process Payroll | Modify time data and process payroll, resulting in fraudulent payments. | High |
| H006 | PY02 | Maintain Payroll Configuration | PY04 | Process Payroll | Change the configuration of payroll, then process payroll, resulting in fraudulent payments. | High |
| H007 | HR03 | Maintain Employee (PA) Master Data - 0008 - 0009 ( | PY02 | Maintain Payroll Configuration | Change the configuration of payroll, then modify payroll master data, resulting in fraudulent payments. | High |
| H008 | HR05 | Modify PD Structure | HR03 | Maintain Employee (PA) Master Data - 0008 - 0009 ( | Change payroll master data and modify the PD structure. | High |
| H009 | HR04 | Maintain Time Data | PY03 | Payroll Maintenance | Enter false time data and perform payroll maintenance. | High |
| H010 | PY03 | Payroll Maintenance | PY04 | Process Payroll | Change payroll and process payroll without proper authorization. | High |
| H011 | PY02 | Maintain Payroll Configuration | PY03 | Payroll Maintenance | Change payroll configuration and perform maintenance on payroll settings. | High |
| H012 | HR04 | Maintain Time Data | PY02 | Maintain Payroll Configuration | Modify payroll configuration and enter false time data. | High |
| H013 | HR04 | Maintain Time Data | HR05 | Modify PD Structure | Enter false time data and maintain the PD structure. | High |
| H014 | HR03 | Maintain Employee (PA) Master Data - 0008 - 0009 ( | HR04 | Maintain Time Data | Users may enter false time data and process payroll, resulting in fraudulent payments. | High |
| H015 | HR03 | Maintain Employee (PA) Master Data - 0008 - 0009 ( | PY03 | Payroll Maintenance | Users may maintain employee master data, including pay rates, and delete the payroll result. | High |
| H016 | PY06 | Payroll Schemas | HR04 | Maintain Time Data | Users may enter false time data and perform work schedule evaluations. | High |
| H017 | PY05 | Time Evaluations | HR04 | Maintain Time Data | Users may enter false time data and perform time evaluations. | Medium |
| H018 | PY05 | Time Evaluations | HR05 | Modify PD Structure | Perform time evaluations and change the PD structure to misroute the data for approvals. | Medium |
| H019 | PY05 | Time Evaluations | PY03 | Payroll Maintenance | Perform time evaluations and delete payroll results, which could disrupt the payroll process. | Medium |
| H020 | PY05 | Time Evaluations | PY04 | Process Payroll | Users who perform both the time evaluation and process payroll could hide fraudulent actions. | Medium |
| H021 | PY05 | Time Evaluations | PY06 | Payroll Schemas | Users who can perform both the time evaluations and maintain payroll schemas could hide fraudulent actions. | Medium |
Basis

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|
| B001 | BS02 | Basis Development | BS11 | System Administration | MIT-B001 | A developer could modify an existing program in production, perform traces on the program, and configure the production environment to run the program. This may affect system performance and data integrity and allow inappropriate program modification. | Medium |
| B002 | BS02 | Basis Development | BS06 | Configuration | MIT-B002 | A developer could modify an existing program in production, perform traces on the program and configure the production environment to limit monitoring of the program run by increasing alarm thresholds and eliminating audit trails through external OS commands. | High |
| B003 | BS02 | Basis Development | BS05 | Client Administration | MIT-B003 | A developer could create or modify a program in production and replicate these changes to other clients. This bypasses the inherent controls in the transport process and could negatively impact the DV and QA clients. | Medium |
| B004 | BS02 | Basis Development | BS12 | Transport Administration | MIT-B004 | A developer could create or modify a program in production and force the transport of these changes after the fact to conceal irregular development practices. This also enables reverting back to the program's original version without any trace of the changes made in production. | High |
| B005 | BS04 | Basis Utilities | BS11 | System Administration | MIT-B005 | A developer could modify program components (menus, screen layout, messages, queries) and configure the production environment to execute the program with these changes. This may affect system performance and data integrity and allow inappropriate program modification. | Medium |
| B006 | BS04 | Basis Utilities | BS06 | Configuration | MIT-B006 | A developer could modify program components (menus, screen layout, messages, queries) and configure the production environment to limit monitoring of the program runs using the modified program components by increasing alarm thresholds and eliminating the audit trail. | High |
| B007 | BS04 | Basis Utilities | BS05 | Client Administration | MIT-B007 | A developer could modify program components (menus, screen layout, messages, queries) and replicate these changes to other clients. This bypasses the inherent controls in the transport process and could negatively impact the DV and QA clients. | Medium |
| B008 | BS04 | Basis Utilities | BS12 | Transport Administration | MIT-B008 | A developer could modify program components (menus, screen layout, messages, queries) and force the transport of these changes after the fact to conceal irregular development practices. This also enables reverting back to the program components origin | High |
| B009 | BS03 | Basis Table Maintenance | BS11 | System Administration | MIT-B009 | An individual could modify data in tables or modify valid configuration values and set up the production environment to run transactions and programs using the inappropriately modified data. This could affect data integrity, system performance, and proper | High |
| B010 | BS03 | Basis Table Maintenance | BS05 | Client Administration | MIT-B010 | An individual could modify data in tables or change valid configuration and replicate these changes to other clients. This is particularly sensitive if client administration transactions come with client-independent authorization allowing the developer to | High |
| B011 | BS10 | Security Administration | BS05 | Client Administration | MIT-B011 | An individual could inappropriately modify roles and assignments and reflect this change to the production's mirror copy, eliminating the chance to revert to the appropriate setup. | High |
| B012 | BS10 | Security Administration | BS12 | Transport Administration | MIT-B012 | A security administrator could make inappropriate changes to unauthorized security roles, transport them, and assign them to a fictitious user for execution. | High |
| B013 | BS01 | Archiving | BS11 | System Administration | MIT-B013 | An administrator could execute archiving transactions during peak end-user usage and administer the production system to allow maximum system resources to complete the archiving function, affecting system performance. | Medium |
| B014 | BS01 | Archiving | BS06 | Configuration | MIT-B014 | A user could configure the production environment to limit monitoring of the inappropriate archiving runs by increasing alarm thresholds and eliminating audit trails through external OS commands. | Medium |
| B015 | BS01 | Archiving | BS05 | Client Administration | MIT-B015 | A user could inappropriately archive client-independent data and settings and use client administration functions to replicate such changes to other clients. | Medium |
| B016 | BS01 | Archiving | BS12 | Transport Administration | MIT-B016 | Usually the individuals responsible for archiving are end-users who understand the business processes and data retention needs. Their job responsibilities do not require transport administration transactions. The reverse can be said for the users responsibilities | Medium |
| B017 | BS07 | Create Transport | BS09 | Perform Transport | MIT-B017 | Can create transports, add objects to the transport, and move the transport: can put unauthorized object changes into production, bypassing the change control process. | High |
| B018 | BS08 | Maintain Number Ranges | BS11 | System Administration | MIT-B018 | Can reset the number ranges (1) and delete the log/audit trail (2). | High |
| B019 | BS13 | Maintain User Master | BS14 | Maintain Profiles / Roles | MIT-B019 | One person controlling both the access in the profile/role and the user IDs increases the risk of inappropriate access. | High |
CRM

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Function ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|---|
| D001 | CR01 | Generate & Process Leads | CR02 | Maintain Opportunity | | | | Maintaining Opportunities (qualifying the lead) must be independent of generating leads. Sales or production forecasts could be based on the number of qualified leads. In some companies, commissions could be paid based on the number of qualified leads. | Medium |
| D002 | CR01 | Generate & Process Leads | CR03 | Maintain Business Partner | | | | The creation of key Business Partner data should be segregated from the Marketing group's Leads and Opportunity management. BPs should only be created after the appropriate review by the Master Data group. | Medium |
| D003 | CR03 | Maintain Business Partner | CR04 | Process CRM Sales Order | | | | A user could create a fictitious business partner and initiate fraudulent sales orders for that partner. Master data such as business partners should not be maintained by the same users who process transactions using that master data. | High |
| D004 | CR04 | Process CRM Sales Order | SD02 | Delivery Processing | | | | A user could create a fictitious sales order to cover up an unauthorized shipment. | High |
| D005 | CR04 | Process CRM Sales Order | CR07 | CRM Billing | | | | Inappropriately create or change sales documents and generate the corresponding billing document in CRM. | High |
| D006 | CR04 | Process CRM Sales Order | AR05 | Maintain Billing Documents | | | | Inappropriately create or change sales documents and generate the corresponding billing document in R3. | High |
| D007 | CR05 | Service Order Processing | CR06 | Service Confirmation | | | | Enter fictitious service orders for personal use and accept the services through service acceptance. The user could prompt fraudulent payments. In addition, spare parts could be fraudulently issued from inventory as a result of the confirmation. | High |
| D008 | CR07 | CRM Billing | CR03 | Maintain Business Partner | | | | User can create a fictitious business partner and then process billing in CRM for that partner. | High |
| D009 | AR05 | Maintain Billing Documents | CR03 | Maintain Business Partner | | | | User can create a fictitious business partner and then process billing in R3 for that partner. | High |
| D010 | CR06 | Service Confirmation | CR07 | CRM Billing | | | | Inappropriately accept or confirm a service order and generate a corresponding billing document in CRM for the order. | High |
| D011 | CR06 | Service Confirmation | AR05 | Maintain Billing Documents | | | | Inappropriately accept or confirm a service order and generate a corresponding billing document in R3 for the order. | High |
| D012 | SD07 | Inbound Delivery Processing | CR08 | Process Credit Memo | | | | An internal user can be in collusion with a customer, process a fictitious inbound delivery (based on a complaint entered by the customer) and process a credit memo to the customer. | Medium |
| D013 | CR08 | Process Credit Memo | CR07 | CRM Billing | | | | User could create a fictitious credit memo and run billing due in CRM to prompt a payment to a customer. The customer could provide a kickback to the internal user. | High |
| D014 | CR08 | Process Credit Memo | AR05 | Maintain Billing Documents | | | | User could create a fictitious credit memo and run billing due in R3 to prompt a payment to a customer. The customer could provide a kickback to the internal user. | High |
| D015 | AR07 | Process Customer Invoices | CR09 | Maintain Conditions | | | | Pricing conditions could be manipulated to provide inappropriate discounts or incentives to customers, which will be realized in an incorrect invoice. | High |
| D016 | CR04 | Process CRM Sales Order | CR09 | Maintain Conditions | | | | A user could enter a sales order in CRM and lower prices via conditions for fraudulent gain. | High |
| D017 | CR02 | Maintain Opportunity | PY04 | Process Payroll | | | | Commissions or incentives may be paid based on the number of qualified leads. Inappropriately qualified leads could result in fraudulent commission payments. | High |
| D018 | CR05 | Service Order Processing | PY04 | Process Payroll | | | | Commissions or incentives may be paid based on the number of service orders. Fraudulent orders could be entered to achieve higher sales for commissions. | High |
| D019 | CR04 | Process CRM Sales Order | PY04 | Process Payroll | | | | Commissions or incentives may be paid based on the number of sales orders. Fraudulent orders could be entered to achieve higher sales reporting for commissions. | High |
| D020 | CR10 | Maintain Product Catalog | CR04 | Process CRM Sales Order | | | | Add items to product catalogs and create fictitious sales orders for those items. | Medium |

SRM

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Function ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|---|
| E001 | SR01 | EBP / SRM Vendor Master | SR03 | EBP / SRM Invoicing | | | | Maintain a fictitious vendor and enter an invoice to be included in the automatic payment run. | High |
| E002 | SR02 | EBP / SRM Purchasing | SR03 | EBP / SRM Invoicing | | | | Purchase unauthorized items and prompt the payment by invoicing. | High |
| E003 | SR02 | EBP / SRM Purchasing | SR04 | EBP / SRM Goods Receipt/Service Acceptance | | | | Enter fictitious orders for personal use and accept the goods or services through goods receipt or service acceptance. | High |
| E004 | SR03 | EBP / SRM Invoicing | SR04 | EBP / SRM Goods Receipt/Service Acceptance | | | | Enter fictitious invoices and accept goods or services via goods receipt or service acceptance. | High |
| E005 | SR01 | EBP / SRM Vendor Master | SR02 | EBP / SRM Purchasing | | | | Maintain a fictitious vendor and initiate purchases to that vendor. | High |
| E006 | SR02 | EBP / SRM Purchasing | MM07 | Enter Counts - WM | | MM08 | Clear Differences - WM | Inappropriately procure items and manipulate the WM physical inventory counts to hide it. | Medium |
| E007 | SR02 | EBP / SRM Purchasing | MM02 | Enter Counts - IM | | MM01 | Clear Differences - Inventory Management | Inappropriately procure items and manipulate the IM physical inventory counts to hide it. | Medium |
| E008 | SR02 | EBP / SRM Purchasing | MM03 | Enter Counts & Clear Diff - IM | | | | Inappropriately procure items and manipulate the IM physical inventory counts to hide it. | Medium |
| E009 | SR05 | EBP / SRM Product Maintenance | SR02 | EBP / SRM Purchasing | | | | Add items to the catalog or master file and create fraudulent orders for those items. | Medium |
| E010 | FI03 | Bank Reconciliation | SR03 | EBP / SRM Invoicing | | | | A user can hide differences between bank payments and posted AP records. | High |
| E011 | SR06 | EBP / SRM Goods Receipt/Service Acceptance | MM07 | Enter Counts - WM | | MM08 | Clear Differences - WM | Accept goods via SRM goods receipts and perform a WM physical inventory adjustment afterwards. | High |
| E012 | SR06 | EBP / SRM Goods Receipt/Service Acceptance | MM02 | Enter Counts - IM | | MM01 | Clear Differences - Inventory Management | Accept goods via SRM goods receipts and perform an IM physical inventory adjustment afterwards. | High |
| E013 | SR06 | EBP / SRM Goods Receipt/Service Acceptance | MM03 | Enter Counts & Clear Diff - IM | | | | Accept goods via SRM goods receipts and perform an IM physical inventory adjustment afterwards using powerful IM transactions. | High |
| E014 | SR02 | EBP / SRM Purchasing | MM05 | Goods Receipts to PO | | | | Enter fictitious orders for personal use and access the goods or services through goods receipt. | High |
| E015 | SR02 | EBP / SRM Purchasing | PR08 | Service Acceptance | | | | Enter fictitious orders for personal use and access the goods or services through service acceptance. | High |
| E016 | SR08 | EBP / SRM Maintain Shopping Cart | SR05 | EBP / SRM Product Maintenance | | | | Initiate purchases for fictitious goods by selecting those goods to be included in a shopping cart. | Medium |
| E017 | SR08 | EBP / SRM Maintain Shopping Cart | SR01 | EBP / SRM Vendor Master | | | | Maintain a fictitious vendor and initiate purchases to that vendor by selecting goods to be included in a shopping cart. | Medium |
| E018 | SR07 | EBP / SRM PO Approval | SR04 | EBP / SRM Goods Receipt/Service Acceptance | | | | Approve the purchase of unauthorized goods and hide the misuse of inventory by not fully receiving the order in SRM. | Medium |
| E019 | SR07 | EBP / SRM PO Approval | MM05 | Goods Receipts to PO | | | | Approve the purchase of unauthorized goods and hide the misuse of inventory by not fully receiving the order in R3. | High |
| E020 | SR02 | EBP / SRM Purchasing | SR07 | EBP / SRM PO Approval | | | | Where release strategies are utilized, the same user should not maintain the purchase order and release or approve it. | High |
| E021 | SR01 | EBP / SRM Vendor Master | SR07 | EBP / SRM PO Approval | | | | Create a fictitious vendor or change existing vendor master data and approve purchases to this vendor. | High |
| E022 | SR02 | EBP / SRM Purchasing | SR09 | EBP / SRM Maintain Org Structure | | | | Enter fictitious orders for personal use and manipulate the organizational structure to bypass approvals. | High |
| E023 | SR01 | EBP / SRM Vendor Master | SR09 | EBP / SRM Maintain Org Structure | | | | Create or maintain a fictitious vendor and manipulate the organizational structure to bypass approvals or secondary checks. | High |
| E024 | SR08 | EBP / SRM Maintain Shopping Cart | SR07 | EBP / SRM PO Approval | | | | Initiate purchases by selecting goods to be included in a shopping cart, then approve the purchase. | High |

EC-CS (Assumption: data is uploaded to the Consolidation system. Additional risks may need to be defined for fully integrated systems.)

| Risk ID | Function ID | Function 1 | Function ID | Function 2 | Mitigation ID | Function ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|---|---|---|
| G001 | EC01 | Maintain Hierarchies | AP01 | AP Payments | MIT-G001 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output. | High |
| G002 | EC01 | Maintain Hierarchies | AP02 | Process Vendor Invoices | MIT-G002 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output. | High |
| G003 | EC01 | Maintain Hierarchies | AP04 | Manual Check Processing | MIT-G003 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output. | High |
| G004 | EC01 | Maintain Hierarchies | AR02 | Cash Application | MIT-G004 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output. | High |
| G005 | EC01 | Maintain Hierarchies | AR07 | Process Customer Invoices | MIT-G005 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output. | High |
| G006 | EC01 | Maintain Hierarchies | CC03 | Maintain Cost Centers | MIT-G006 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output. | High |
| G007 | EC01 | Maintain Hierarchies | FA01 | Maintain Asset Document | MIT-G007 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output. | High |
| G008 | EC01 | Maintain Hierarchies | FA02 | Maintain Asset Master | MIT-G008 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output. | High |
| G009 | EC01 | Maintain Hierarchies | FI01 | Revenue Reposting | MIT-G009 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output. | High |
| G010 | EC01 | Maintain Hierarchies | GL01 | Post Journal Entry | MIT-G010 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output. | High |
| G011 | EC01 | Maintain Hierarchies | GL02 | Maintain GL Master Data | MIT-G011 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output. | High |
| G012 | EC01 | Maintain Hierarchies | GL03 | Post Journal Entry (misc Tax/Currency) | MIT-G012 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output. | High |
| G013 | EC01 | Maintain Hierarchies | PR01 | Vendor Master Maintenance | MIT-G013 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output. | High |
| G014 | EC01 | Maintain Hierarchies | SD01 | Maintain Customer Master Data | MIT-G014 | | | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output. | High |

| Functional Area | Novus Monitor & Approver | Email Address |
|---|---|---|
| Finance / Controlling | Davud Friedman | Davud.Friedman@novusint.com |
| Manufacturing | Steve Bass | Stephen.Bass@novusint.com |
| Procure to Pay | | |
| Order to Cash | | |
| HR | | |
| Basis | Mark Meyer | Mark.Meyer@novusint.com |
| CRM | | |