SAP GRC SOD Conflicts High Risk

Risk ID
A001
Risk Level
High
A002
High
A003
High
A008
High
B002
High
B004
High
B006
High
B008
High
B009
High
B010
High
B011
High
B012
High
B017
High
B018
High
B019
High
D003
High
D004
High
D005
High
D006
High
D007
High
D008
High
D009
High
D010
High
D011
High
D013
High
D014
High
D015
High
D016
High
D017
High
D018
High
D019
High
E001
High
E002
High
E003
High
E004
High
E005
High
E010
High
E011
High
E012
High
E013
High
E014
High
E015
High
E019
High
E020
High
E021
High
E022
High
E023
High
E024
High
F005
High
F006
High
F007
High
F008
High
F013
High
F014
High
F015
High
F016
High
F017
High
F025
High
F027
High
G001
High
G002
High
G003
High
G004
High
G005
High
G006
High
G007
High
G008
High
G009
High
G010
High
G011
High
G012
High
G013
High
G014
High
H001
High
H002
High
H003
High
H004
High
H005
High
H006
High
H007
High
H008
High
H009
H010
High
High
H011
High
H012
High
H013
H014
High
High
H015
High
H016
High
M006
High
M011
High
M012
High
P001
High
P002
High
P003
High
P004
High
P005
High
P006
High
P007
High
P008
High
P011
High
P014
High
P016
P019
High
High
P020
High
P021
High
P022
High
P023
High
P026
High
P027
High
P028
High
P029
High
P030
High
P038
High
P045
High
P046
High
P047
High
P048
High
P051
High
P052
High
P053
High
P054
High
P055
High
P056
High
P057
High
P058
High
P059
High
S001
High
S002
High
S003
High
S004
High
S005
High
S006
High
S007
High
S008
High
S010
High
S011
High
S012
High
S013
High
S014
High
S015
High
S016
S017
High
High
S018
High
S019
High
S022
High
S023
High
S024
High
S025
High
S026
High
S027
High
S028
High
S029
High
Description of Risk
Unauthorized maintenance of planning model and version may adversely impact
the production planning data stored in APO. This transaction should be limited to
selected demand planning super user or manager.
Tc
Unauthorized deletion of active planning version may adversely impact the

production planning data stored in APO. This transaction should be limited to
AO03
Unauthorized maintenance of planning model and version may adversely impact

the production planning data stored in APO. This transaction should be limited to
AO04
Access to maintain macros/rules should be controlled via change management

process. Unsupported or incorrect adjustments are made to the macros/rules
may result in inaccurate production planning and production scheduling.
AO09
A developer could modify an existing program in production, perform traces to the

program and configure the production environment to limit monitoring of the
program run by increasing alarm thresholds and eliminating audit trails through
external OS comma
BS02
A developer could create or modify a program in production and force the

transport of these changes after the fact to conceal irregular development
practices. This also enables the reverting back to the program's original version
without any trace of the changes made in production.
BS02
A developer could modify program components (menus, screen layout,

messages, queries) and configure the production environment to limit monitoring
of the program runs using the modified program components by increasing alarm
thresholds and eliminating audit trail
BS04
A developer could modify program components (menus, screen layout,

messages, queries) and force the transport of these changes after the fact to
conceal irregular development practices. This also enables the reverting back to
the program components origin
BS04
An individual could modify data in tables or modify valid configuration values and
setup the production environment to run transactions and programs using the
inappropriately modified data. This could affect data integrity, system
performance, and proper
BS03
An individual could modify data in tables or change valid configuration and

replicate these changes to other clients. This is particularly sensitive if client
administration transactions come with client-independent authorization allowing
the developer to
BS03
An individual could inappropriately modify roles and assignments and reflect this
change to the production's mirror copy eliminating the chance to revert to the
appropriate setup.
BS10
A security administrator could make inappropriate changes to unauthorized

security roles, transport them, and assign them to a fictitious user for execution.
BS10
Can create transports, add objects to the transport, and move the transport: Can
put unauthorized object changes into production, bypassing the Change Control
process.
BS07
AO02
Can reset the number ranges (1) and delete your log/audit trail (2).
BS08
One person controlling both the access in the profile/role and the user Ids
increases the risk of inappropriate access
A user could create a fictitious business partner and initiate fraudulent sales
orders for that partner. Master data such as business partners should not be
maintained by the same users who process transactions using that master data.
BS13
A user could create a fictitious sales order to cover up an unauthorized shipment.
CR04
Inappropriately create or change sales documents and generate the

corresponding billing document in CRM.
Inappropriately create or change sales documents and generate the
corresponding billing document in R3.
Enter fictitious service orders for personal use and accept the services through
service acceptance. The user could prompt fraudulent payments. In addition
spare parts could be fraudulently issued from inventory as a result of the
confirmation.
CR04
User can create a fictitious business partner and then process billing in CRM for
that partner.
User can create a fictitious business partner and then process billing in R3 for
that partner.
Inappropriately accept or confirm a service order and generate a corresponding
billing document in CRM for the order.
CR07
Inappropriately accept or confirm a service order and generate a corresponding

billing document in R3 for the order.
CR06
User could create a fictitious credit memo and run billing due in CRM to prompt a
payment to a customer. The customer could provide a kickback to the internal
user.
CR08
User could create a fictitious credit memo and run billing due in R3 to prompt a
payment to a customer. The customer could provide a kickback to the internal
user.
CR08
Pricing conditions could be manipulated to provide inappropriate discounts or

incentives to customers which will be realized in an incorrect invoice.
AR07
A user could enter a sales order in CRM and lower prices via conditions for
fraudulent gain
Commission or Incentives may be paid based on the number of qualified leads.
Inappropriately qualified leads could result in fraudulent commission payments.
CR04
Commission or Incentives may be paid based on the number of service orders.

Fraudulent orders could be entered to achieve higher sales for commissions.
CR05
Commission or Incentives may be paid based on the number of sales orders.

Fraudulent orders could be entered to achieve higher sales reporting for
commissions.
CR04
Maintain a fictitious vendor and enter an invoice to be included in the automatic

payment run
Purchase unauthorized items and prompt the payment by invoicing
SR01
Enter fictitious orders for personal use and accept the goods or services through
goods receipt or service acceptance
SR02
CR03
CR04
CR05
AR05
CR06
CR02
SR02
Enter fictitious invoices and accept goods or services via goods receipt or service
acceptance
SR03
Maintain a fictitious vendor and initiate purchases to that vendor.
SR01
A user can hide differences between bank payments and posted AP records.
FI03
Accept goods via SRM goods receipts and perform a WM physical inventory
adjustment afterwards.
SR06
Accept goods via SRM goods receipts and perform IM physical inventory
SR06
Accept goods via SRM goods receipts and perform IM physical inventory
adjustment afterwards using powerful IM transactions
SR06
Enter fictitious orders for personal use and access the goods or services through
goods receipt
Enter fictitious orders for personal use and access the goods or services through
service acceptance
Approve the purchase of unauthorized goods and hide the misuse of inventory by
not fully receiving the order in R3
Where release strategies are utilized, the same user should not maintain the
purchase order and release or approve it.
Create a fictitious vendor or change existing vendor master data and approve
purchases to this vendor
Enter fictitious orders for personal use and manipulate the organizational
structure to bypass approvals
Create or maintain fictitious vendor and manipulate the organizational structure to
bypass approvals or secondary checks
SR02
Initiate purchases to selecting goods to be included in a shopping cart then

approving the purchase
Create a non bona-fide bank account and create a check from it.
SR08
Pay an invoice and hide it in an asset that would be depreciated over time.
FA01
Create an invoice through ERS goods receipt and hide it in an asset that would
be depreciated over time.
Allows differences between cash deposited and cash collections posted to be
covered up
Create the asset and manipulate the receipt of the associated asset.
FA01
Post overhead expenses to the project and settle the project without going
through the settlement approval process.
Use a fictitious project to allocate overages of an actual project, and settle the
project without going through the settlement approval process.
PS02
Manipulate the work breakdown structure elements (profit centers, business

areas, cost centers, plants) and post overhead expenses to the project
PS01
Maintain a non bona-fide bank account and divert incoming payments to it.
FI04
Create a non bona-fide bank account and create manual checks from it
FI04
Users can create a fictitious trade and fraudulently confirm or exercise the trade
FI08
SR02
SR07
SR02
SR01
SR02
SR01
FI04
AR02
FA02
PS01
AP/AR/GL master data creation and posting functions in conjunction with

payment processing, receipt of money, GL account access; and the ability to
modify ECCS hierarchy and reporting output
EC01

EC01

EC01

EC01

EC01

EC01

EC01

EC01

EC01

EC01

EC01

EC01

EC01

EC01
Modify payroll master data and then process payroll. Potential for fraudulent
activity.
HR03
Change employee HR Benefits then process payroll without authorization.

Potential for fraudulent activity.
Change to master data and creating the remittance could result in fraudulent
payments.
Change payroll master data and enter time data applied to incorrect settings.
HR01
Modify time data and process payroll resulting in fraudulent payments
HR04
Change configuration of payroll then process payroll resulting in fraudulent

payments
Change configuration of payroll then modify payroll master data resulting in
fraudulent payments
PY02
Change payroll master data and modify PD Structure
HR05
Enter false time data and perform payroll maintenance.

Change payroll and process payroll without proper authorization.
HR04
PY03
Change payroll configuration and perform maintenance on payroll settings.
PY02
Modify payroll configuration and enter false time data.
HR04
Enter false time data and maintain PD structure

Users may enter false time data and process payroll resulting in fraudulent
payments.
HR04
HR03
Users may maintain employee master data including pay rates and delete the
payroll result
HR03
Users may enter false time data and perform work schedule evaluations
PY06
Accept goods via goods receipts and perform a WM physical inventory

Accept goods via goods receipts and perform an IM physical inventory
Accept goods via goods receipts and perform an IM physical inventory
Maintain a fictitious vendor and enter a Vendor invoice for automatic payment
MM04
Maintain a fictitious vendor and create a payment to that vendor
AP01
Enter fictitious vendor invoices and then render payment to the vendor
AP02
Purchase unauthorized items and initiate payment by invoicing
PR02
Enter fictitious purchase orders for personal use and accept the goods through
goods receipt
Enter fictitious vendor invoices and accept the goods via goods receipt
PR02
Enter a fictitious purchase order and enter the covering payment
PR02
Create a fictitious vendor and initiate purchases to that vendor
PR01
PY07
HR04
HR03
MM04
MM04
PR01
AP02
Inappropriately procure an item and manipulating the IM physical inventory

counts to hide.
Can hide differences between bank payments & posted AP records
PR02
Receive or accept services and enter the covering payments

Approve the purchase of unauthorized goods and hide the misuse of inventory by
not fully receiving the order
Commit the company to fraudulent purchase contracts and initiate payment for
unauthorized goods and services.
Release a non bona-fide purchase order and initiate payment for the order by
entering invoices
Release a non bona-fide purchase order and the action remain undetected by
manipulating the IM physical inventory counts
PR08
PR04
Create a fictitious vendor or change existing vendor master data and approve
purchases to this vendor
Enter fictitious purchasing agreements and then render payment
PR04
Risk of entry of fictitious Purchasing Agreements and the entry of fictitious Vendor
or modification of existing Vendor especially account data.
PR01
Modify purchasing agreements and then receive goods for fraudulent purposes.
PR05
Enter unauthorized items to a purchasing agreement and create an invoice to

obtain those items for personal use
Risk of modifying service master data (to add a service that is normally not
ordered by the company) and the entry of covering payments
AP02
Risk of entering unauthorized payments and reconcile with the bank through the
same person.
Inappropriately procure an item and manipulating the IM physical inventory
counts to hide.
Inappropriately procure an item and manipulating the WM physical inventory
counts to hide.
manipulating the IM physical inventory counts
AP01
manipulating the WM physical inventory counts
PR04
Maintain a fictitious vendor and create a payment to that vendor
AP04
Enter fictitious vendor invoices and then render payment to the vendor
AP02
Enter a fictitious purchase order and enter the covering payment
PR02
Receive or accept services and manually enter the covering check payments
PR08
Commit the company to fraudulent purchases and initiate manual check

payments for unauthorized goods and services.
PR04
Enter fictitious purchasing agreements and then render manual checks for
payment
Risk of modifying service master data (to add a service that is normally not
ordered by the company) and the entry of covering payments
AP04
FI03
PR04
PR04
PR04
AP01
AP01
PR02
PR02
PR04
AP04
Risk of entering unauthorized manual payments and reconcile with the bank
through the same person.
Where release strategies are utilized, the same user should not maintain the
purchase order and release or approve it.
Enter or modify sales documents and approve customer credit limits
AP04
Create sales documents and immediately clear customer's obligation
SD05
Create a fictitious customer and initiate fraudulent sales document
SD05
Make an unauthorized change to the master record (payment terms, tolerance

level) in favor of the customer and enter an inappropriate invoice.
SD01
Inappropriately create or change rebate agreements and manage a customer's

master record in the favor of the customer. Could also change a customer's
master record to direct payment to an inappropriate location.
SD01
Potentially clear a customer's balance before and create or make the same
change to the billing document for the same customer, clearing them of their
obligation.
AR03
Inappropriately create or change a sales documents and generate a

corresponding billing document for it.
Manipulate the user's credit limit and assign generous rebates to execute a
marginal customer's order.
Create a billing document for a customer and inappropriately post a payment
from the same customer to conceal non-payment.
SD05
Create a fictitious customer and initiate payment to the unauthorized customer.
SD01
Initiate an unauthorized payment to the customer by entering fictitious credit

memos.
Change the accounts receivable records to cover differences with customer
statements.
Cover up unauthorized shipment by creating a fictitious sales documents
AR06
Sales price modifications for sales invoicing.
AR07
Enter sales documents and lower prices for fraudulent gain

Perform credit approval function and modify cash received for fraudulent
purposes.
Enter a fictitious sales rebates and then render fictitious payments.
SD05
AR04
Risk of the same person entering changes to the Customer Master file and
modifying the Cash Received for the customer.
AR02
Risk of modifying and entering Sales Invoices and approving Credit Limits by the
same person.
Risk of Sales Price modifications for Sales invoicing.
AR07
Maintain a customer master record and post a fraudulent payment against it
SD01
User can create a fictitious customer and then issue invoices to the customer.
SD01
User can create/change an invoice and enter/change payments against the

invoice.
User can create fictitious/incorrect delivery and enter payments against these,
potentially misappropriating goods.
AR02
PR02
AR04
AR04
AR02
AR02
SD05
AR02
AR05
SD02
User able to create a fraudulent sales contract to include additional goods and
enter an incorrect customer invoice to hide the deception.
SD05
Create a credit memo then clear the customer to prompt a payment.
AR03
Function 1
APO Maintain Model
Tc
AO01
Function 2
APO Supply & Demand Planning
APO Model & Version Management
AO01
APO active version)
AO01
APO Define Advanced Macros
AO01
Basis Development
BS06
Configuration
Basis Development
BS12
Transport Administration
Basis Utilities
BS06
Configuration
Basis Utilities
BS12
Basis Table Maintenance
BS11
System Administration
Basis Table Maintenance
BS05
Client Administration
Security Administration
BS05
Client Administration
Security Administration
BS12
Create Transport
BS09
Perform Transport
Tc
Maintain Number Ranges
BS11
System Administration
Maintain User Master
BS14
Maintain Profiles / Roles
Maintain Business Partner
CR04
Process CRM Sales Order
SD02
Delivery Processing
CR07
CRM Billing
AR05
Maintain Billing Documents
Service Order Processing
CR06
Service Confirmation
CRM Billing
CR03
CR03
CR07
CRM Billing
AR05
Process Credit Memo
CR07
CRM Billing
Process Credit Memo
AR05
Process Customer Invoices
CR09
Maintain Conditions
CR09
Maintain Conditions
Maintain Opportunity
PY04
Process Payroll
Service Order Processing
PY04
Process Payroll
PY04
Process Payroll
EBP / SRM Vendor Master
SR03
EBP / SRM Invoicing
EBP / SRM Purchasing
SR03
EBP / SRM Invoicing
SR04
EBP / SRM Goods Receipt/Service

Acceptance
EBP / SRM Invoicing
SR04

Acceptance
SR02
Bank Reconciliation
SR03
EBP / SRM Invoicing

Acceptance
MM07
Enter Counts - WM
MM08

Acceptance
MM02
Enter Counts - IM
MM01

Acceptance
MM03
Enter Counts & Clear Diff - IM
MM05
Goods Receipts to PO
PR08
Service Acceptance
EBP / SRM PO Approval
MM05
SR07
SR07
SR09
EBP / SRM Maintain Org Structure
SR09
EBP / SRM Maintain Org Structure
EBP / SRM Maintain Shopping Cart
SR07
Maintain Bank Master Data
AP01
AP Payments
Maintain Asset Document
AP02
Process Vendor Invoices
MM05
Cash Application
FI03
Bank Reconciliation
Maintain Asset Master
MM05
Process Overhead Postings
PS03
Settle Projects
Maintain
Elements
Projects
and
WBS
PS03
Settle Projects
Maintain
Elements
Projects
and
WBS
PS02
Process Overhead Postings
AR02
Cash Application
AP04
Manual Check Processing
Create / Change Treasury Item
FI09
Confirm a Treasury Trade
Maintain Hierarchies
AP01
AP Payments
AP02
AP04
AR02
Cash Application
AR07
CC03
Maintain Cost Centers
FA01
FA02
Maintain Asset Master
FI01
Revenue Reposting
GL01
Post Journal Entry
GL02
Maintain GL Master Data
GL03
Post
Journal
Tax/Currency)
PR01
Vendor Master Maintenance
SD01
Maintain Customer Master Data
Entry
(misc
Maintain Employee (PA) Master

Data - 0008 - 0009 (
PY04
Process Payroll
HR Benefits
PY04
Process Payroll
3rd Party Remittance
HR02
HR Vendor Data
Maintain Time Data
PY01
Approve Time
Maintain Time Data
PY04
Process Payroll
Maintain Payroll Configuration
PY04
Process Payroll

Data - 0008 - 0009 (
PY02
Modify PD Structure
HR03

Data - 0008 - 0009 (
Maintain Time Data

Payroll Maintenance
PY03
PY04
Payroll Maintenance
Process Payroll
PY03
Payroll Maintenance
Maintain Time Data
PY02
Maintain Time Data

Data - 0008 - 0009 (
HR05
HR04
Modify PD Structure
Maintain Time Data

Data - 0008 - 0009 (
PY03
Payroll Maintenance
Payroll Schemas
HR04
Maintain Time Data
Goods Movements
MM07
Enter Counts - WM
MM08
Goods Movements
MM02
Enter Counts - IM
MM01
Goods Movements
MM03
AP02
AP Payments
PR01
AP01
AP Payments
Maintain Purchase Order
AP02
MM05
MM05
AP01
AP Payments
PR02
MM03
Bank Reconciliation
AP02
Service Acceptance
PO Approval
AP01
MM05
AP Payments
PO Approval
AP01
AP Payments
PO Approval
AP02
PO Approval
MM02
Enter Counts - IM
PO Approval
PR01
AP Payments
PR05
Purchasing Agreements
PR05
MM05
PR05
AP Payments
PR03
Service Master Maintenance
AP Payments
FI03
Bank Reconciliation
MM02
Enter Counts - IM
MM01
MM07
Enter Counts - WM
MM08
PO Approval
MM03
PO Approval
MM07
Enter Counts - WM
PR01
AP04
AP04
Service Acceptance
AP04
PO Approval
AP04
PR05
PR03
Service Master Maintenance
MM01
MM08
FI03
Bank Reconciliation
PR04
PO Approval
Credit Management
SD05
Sales Order Processing
AR03
Clear Customer Balance
SD01
AR07
SD03
Sales Rebates
AR05
AR05
Credit Management
SD03
Sales Rebates
Cash Application
AR05
AR01
AR Payments
Process Customer Credit Memos
AR01
AR Payments
Cash Application
SD04
Sales Document Release
SD02
Delivery Processing
SD06
Sales Pricing Condition

Credit Management
SD06
AR02

Cash Application
Cash Application
SD03
Sales Rebates
Cash Application
SD01
AR04
Credit Management
SD06
AR03
AR05
Cash Application
AR07
Delivery Processing
AR02
Cash Application
AR07
AR06
Process Customer Credit Memos
Function 3
Clear Differences - WM
Clear Differences
Management
Inventory
Clear Differences
Management
Inventory
Clear Differences
Management
Inventory
Clear Differences Management

Inventory

SAP GRC SOD Conflicts High Risk

Transféré par

Informations du document

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

SAP GRC SOD Conflicts High Risk

Transféré par

Droits d'auteur :

Formats disponibles

Risk ID

Unauthorized deletion of active planning version may adversely impact the

Unauthorized maintenance of planning model and version may adversely impact

Access to maintain macros/rules should be controlled via change management

A developer could modify an existing program in production, perform traces to the

A developer could create or modify a program in production and force the

A developer could modify program components (menus, screen layout,

A developer could modify program components (menus, screen layout,

An individual could modify data in tables or change valid configuration and

A security administrator could make inappropriate changes to unauthorized

A user could create a fictitious sales order to cover up an unauthorized shipment.

Inappropriately create or change sales documents and generate the

Inappropriately accept or confirm a service order and generate a corresponding

Pricing conditions could be manipulated to provide inappropriate discounts or

Commission or Incentives may be paid based on the number of service orders.

Commission or Incentives may be paid based on the number of sales orders.

Maintain a fictitious vendor and enter an invoice to be included in the automatic

Maintain a fictitious vendor and initiate purchases to that vendor.

Initiate purchases to selecting goods to be included in a shopping cart then

Manipulate the work breakdown structure elements (profit centers, business

AP/AR/GL master data creation and posting functions in conjunction with

AP/AR/GL master data creation and posting functions in conjunction with

AP/AR/GL master data creation and posting functions in conjunction with

AP/AR/GL master data creation and posting functions in conjunction with

AP/AR/GL master data creation and posting functions in conjunction with

AP/AR/GL master data creation and posting functions in conjunction with

AP/AR/GL master data creation and posting functions in conjunction with

AP/AR/GL master data creation and posting functions in conjunction with

AP/AR/GL master data creation and posting functions in conjunction with

AP/AR/GL master data creation and posting functions in conjunction with

AP/AR/GL master data creation and posting functions in conjunction with

AP/AR/GL master data creation and posting functions in conjunction with

AP/AR/GL master data creation and posting functions in conjunction with

AP/AR/GL master data creation and posting functions in conjunction with

Change employee HR Benefits then process payroll without authorization.

Modify time data and process payroll resulting in fraudulent payments

Change configuration of payroll then process payroll resulting in fraudulent

Change payroll master data and modify PD Structure

Enter false time data and perform payroll maintenance.

Change payroll configuration and perform maintenance on payroll settings.

Modify payroll configuration and enter false time data.

Enter false time data and maintain PD structure

Accept goods via goods receipts and perform a WM physical inventory

Maintain a fictitious vendor and create a payment to that vendor

Purchase unauthorized items and initiate payment by invoicing

Enter a fictitious purchase order and enter the covering payment

Create a fictitious vendor and initiate purchases to that vendor

Inappropriately procure an item and manipulating the IM physical inventory

Receive or accept services and enter the covering payments

Enter unauthorized items to a purchasing agreement and create an invoice to

Maintain a fictitious vendor and create a payment to that vendor

Enter a fictitious purchase order and enter the covering payment

Commit the company to fraudulent purchases and initiate manual check

Create sales documents and immediately clear customer's obligation

Create a fictitious customer and initiate fraudulent sales document

Make an unauthorized change to the master record (payment terms, tolerance

Inappropriately create or change rebate agreements and manage a customer's

Inappropriately create or change a sales documents and generate a

Create a fictitious customer and initiate payment to the unauthorized customer.

Initiate an unauthorized payment to the customer by entering fictitious credit

Sales price modifications for sales invoicing.

Enter sales documents and lower prices for fraudulent gain

Maintain a customer master record and post a fraudulent payment against it

User can create/change an invoice and enter/change payments against the