SOD Risk-Summarysap-With-Mitigating-Controls

This document is a segregation of duties (SoD) risk matrix for SAP. Each risk names two SAP business functions (in some rows three) that should not be held by the same user, describes the fraud or misstatement the combination enables (for example hiding journal entries, distorting CO reporting, creating fictitious vendors or invoices, or diverting payments), and assigns a risk level of Low, Medium or High. Risks are grouped by process area: Finance (F001-F031), Materials Management / Quality Management / Production Planning (M001-M014), Procure to Pay (P001-P067), Order to Cash (S001-S029), HR and Payroll (H001-H021) and Basis (B001-B013). The Finance, MM/QM/PP and Basis rows carry a mitigating-control ID (MIT-xxxx); the Procure to Pay, Order to Cash and HR rows list none. Where a row has a Function 3, all three functions must be held together for the risk to exist. This extract ends partway through the Basis section.

Uploaded by Marcio Rodrigues
Segregation of Duty Risks

Finance

| Risk ID | Function 1 | Function 2 | Mitigation ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|
| F001 | GL02 Maintain GL Master Data | GL01 Post Journal Entry | MIT-F001 | | Create a fictitious GL account and generate journal activity or hide activity via posting entries. | Medium |
| F002 | CC03 Maintain Cost Centers | CC06 Cost Transfer Processing | MIT-F002 | | Alter a cost center without authorization and process unauthorized cost transfers to this center, possibly distorting CO reporting. | Medium |
| F003 | CC03 Maintain Cost Centers | FI01 Revenue Reposting | MIT-F003 | | Alter a cost center without authorization and process unauthorized revenue entries to this center, possibly distorting CO reporting. | Medium |
| F004 | CC02 Maintain CC or CE Groups | GL01 Post Journal Entry | MIT-F004 | | Manipulate cost center reports to hide inappropriate journal entry posting. | Medium |
| F005 | FI04 Maintain Bank Master Data | AP01 AP Payments | MIT-F005 | | Create a non bona-fide bank account and create a check from it. | High |
| F006 | FA01 Maintain Asset Document | AP02 Process Vendor Invoices | MIT-F006 | | Pay an invoice and hide it in an asset that would be depreciated over time. | High |
| F007 | FA01 Maintain Asset Document | MM05 Goods Receipts to PO | MIT-F007 | | Create an invoice through ERS goods receipt and hide it in an asset that would be depreciated over time. | High |
| F008 | AR02 Cash Application | FI03 Bank Reconciliation | MIT-F008 | | Allows differences between cash deposited and cash collections posted to be covered up. | High |
| F009 | CC01 Maintain Cost Center Distributions | CC04 Execute Cost Center Distributions | MIT-F009 | | Allocate costs to unauthorized cost centers, thereby distorting financial reporting. | Low |
| F010 | CC05 Maintain Internal Order | CC07 CO Internal Order Settlement | MIT-F010 | | Settle expenses from an unauthorized order and distort CO reporting. | Low |
| F011 | FI07 Maintain Activity Types | FI02 Activity Allocation | MIT-F011 | | Alter an activity type used for cost allocation purposes with fictitious data, thereby distorting the cost allocation process. | Low |
| F012 | FA02 Maintain Asset Master | FA01 Maintain Asset Document | MIT-F012 | | A user responsible for asset master records could process transactions that would allow the asset to be depreciated over time. | Medium |
| F013 | FA02 Maintain Asset Master | MM05 Goods Receipts to PO | MIT-F013 | | Create the asset and manipulate the receipt of the associated asset. | High |
| F014 | PS02 Process Overhead Postings | PS03 Settle Projects | MIT-F014 | | Post overhead expenses to the project and settle the project without going through the settlement approval process. | High |
| F015 | PS01 Maintain Projects and WBS Elements | PS03 Settle Projects | MIT-F015 | | Use a fictitious project to allocate overages of an actual project, and settle the project without going through the settlement approval process. | High |
| F016 | PS01 Maintain Projects and WBS Elements | PS02 Process Overhead Postings | MIT-F016 | | Manipulate the work breakdown structure elements (profit centers, business areas, cost centers, plants) and post overhead expenses to the project. | High |
| F017 | FI04 Maintain Bank Master Data | AR02 Cash Application | MIT-F017 | | Maintain a non bona-fide bank account and divert incoming payments to it. | High |
| F018 | FI06 Maintain Posting Periods | GL01 Post Journal Entry | MIT-F018 | | Open previously closed accounting periods and inappropriately post entries after month end. | Medium |
| F019 | FI06 Maintain Posting Periods | AP01 AP Payments | MIT-F019 | | Open previously closed accounting periods and inappropriately post payments after month end. | Medium |
| F020 | FI06 Maintain Posting Periods | AR02 Cash Application | MIT-F020 | | Open previously closed accounting periods and enter incoming payments after month-end reporting. | Medium |
| F021 | FI06 Maintain Posting Periods | MM04 Goods Movements | MIT-F021 | | Open previously closed accounting periods and inappropriately receive or issue goods after month end. | Medium |
| F022 | GL02 Maintain GL Master Data | GL03 Post Journal Entry (misc Tax/Currency) | MIT-F022 | | Create a fictitious GL account and generate miscellaneous general ledger activity or hide fraudulent activity via posting entries. | Medium |
| F023 | CC02 Maintain CC or CE Groups | GL03 Post Journal Entry (misc Tax/Currency) | MIT-F023 | | Manipulate cost center reports to hide inappropriate miscellaneous journal entry postings. | Medium |
| F024 | FI06 Maintain Posting Periods | GL03 Post Journal Entry (misc Tax/Currency) | MIT-F024 | | Open previously closed accounting periods and inappropriately post tax and currency journal entries after month end. | Medium |
| F025 | FI04 Maintain Bank Master Data | AP04 Manual Check Processing | MIT-F025 | | Create a non bona-fide bank account and create manual checks from it. | High |
| F026 | FI06 Maintain Posting Periods | AP04 Manual Check Processing | MIT-F026 | | Open previously closed accounting periods and inappropriately post manual payments. | Medium |
| F027 | FI08 Create / Change Treasury Item | FI09 Confirm a Treasury Trade | MIT-F027 | | Users can create a fictitious trade and fraudulently confirm or exercise the trade. | High |
| F028 | GL01 Post Journal Entry | AP02 Process Vendor Invoices | MIT-F028 | | Adjust the subsidiary balance using the vendor invoice entry and then cover it up using journal entries. | Medium |
| F029 | GL01 Post Journal Entry | AR01 AR Payments | MIT-F029 | | Adjust the subsidiary balance using the AR payment transaction and then cover it up using journal entries. | Medium |
| F030 | GL01 Post Journal Entry | AR02 Cash Application | MIT-F030 | | Adjust the subsidiary balance using the AR payment transaction and then cover it up using journal entries. | Medium |
| F031 | GL01 Post Journal Entry | AR05 AR Payments | MIT-F031 | | Adjust the subsidiary balance using the AR payment transaction and then cover it up using journal entries. | Medium |

Materials Management / Quality Management / Production Planning

| Risk ID | Function 1 | Function 2 | Mitigation ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|
| M001 | PP02 Production Order Processing | FI05 Product Costing | MIT-M001 | | Increase production to reduce cost variances. | Low |
| M002 | PP02 Production Order Processing | PP01 Confirm Production Order | MIT-M002 | | Process production orders and confirm the same production orders. | Low |
| M003 | PP01 Confirm Production Order | FI05 Product Costing | MIT-M003 | | Increase production to reduce cost variances due to productivity. | Low |
| M004 | QM01 Quality Results Reporting | SD02 Delivery Processing | MIT-M004 | | Transfer stock to general release to meet delivery schedules. | Low |
| M005 | QM01 Quality Results Reporting | MM07 Enter Counts - WM | MIT-M005 | MM08 Clear Differences - WM | Remove inferior materials by adjusting them out via WM inventory. | Medium |
| M006 | MM04 Goods Movements | MM07 Enter Counts - WM | MIT-M006 | MM08 Clear Differences - WM | Accept goods via goods receipts and perform a WM physical inventory adjustment afterwards. | High |
| M007 | QM01 Quality Results Reporting | PP01 Confirm Production Order | MIT-M007 | | Release produced materials to GR stock to maintain production quotas. | Medium |
| M008 | GL01 Post Journal Entry | MM07 Enter Counts - WM | MIT-M008 | MM08 Clear Differences - WM | Hide WM inventory adjustments via ledger entries. | Medium |
| M009 | QM01 Quality Results Reporting | MM02 Enter Counts - IM | MIT-M009 | MM01 Clear Differences - Inventory Management | Remove inferior materials by adjusting them out via IM inventories. | Medium |
| M010 | QM01 Quality Results Reporting | MM03 Enter Counts & Clear Diff - IM | MIT-M010 | | Remove inferior materials by adjusting them out via IM inventories. | Medium |
| M011 | MM04 Goods Movements | MM02 Enter Counts - IM | MIT-M011 | MM01 Clear Differences - Inventory Management | Accept goods via goods receipts and perform an IM physical inventory adjustment afterwards. | High |
| M012 | MM04 Goods Movements | MM03 Enter Counts & Clear Diff - IM | MIT-M012 | | Accept goods via goods receipts and perform an IM physical inventory adjustment afterwards. | High |
| M013 | GL01 Post Journal Entry | MM03 Enter Counts & Clear Diff - IM | MIT-M013 | | Hide IM inventory adjustments via ledger entries. | Medium |
| M014 | GL01 Post Journal Entry | MM02 Enter Counts - IM | MIT-M014 | MM01 Clear Differences - Inventory Management | Hide IM inventory adjustments via ledger entries. | Medium |

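A matrix like this only controls anything when it is evaluated against who actually holds which functions. The following is an added example, not code from the original document, of how a function-based SoD matrix is applied: each business function (GL01, AP02, ...) is granted through one or more roles; a risk fires for a user when every function on the risk row is held across that user's combined roles, so the check runs on the union of a user's roles rather than role by role; and a mitigating control recorded against the user (the Mitigation ID column) downgrades the finding from open to mitigated. Five rows are transcribed from this page (F001, P003, P059, M005, M010). The role names, the role-to-function mapping, the user assignments and the MIT-F001 assignment are constructed for illustration and are neither SAP's nor the document's. It also shows the three-function case: a user holding QM01 and MM07 but not MM08 does not trigger M005.

```python
"""Segregation-of-duties check against a function-based risk matrix.

Added example; not part of the original risk summary. The risk rows below are
transcribed from the matrix (F001, P003, P059, M005, M010); every role, user
and mitigation assignment is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Risk:
    risk_id: str
    functions: FrozenSet[str]  # all of these must be held for the risk to exist
    level: str
    description: str


# Excerpt of the matrix on this page. M005 is a three-function risk: QM01 with
# MM07 alone is not the risk; MM08 (clearing the WM differences) is needed too.
RISKS: List[Risk] = [
    Risk("F001", frozenset({"GL02", "GL01"}), "Medium",
         "Create a fictitious GL account and hide activity via posting entries"),
    Risk("P003", frozenset({"AP02", "AP01"}), "High",
         "Enter fictitious vendor invoices and then render payment"),
    Risk("P059", frozenset({"PR02", "PR04"}), "High",
         "Maintain a purchase order and release or approve it"),
    Risk("M005", frozenset({"QM01", "MM07", "MM08"}), "Medium",
         "Remove inferior materials by adjusting them out via WM inventory"),
    Risk("M010", frozenset({"QM01", "MM03"}), "Medium",
         "Remove inferior materials by adjusting them out via IM inventories"),
]

# Constructed role -> business-function mapping. Each role is SoD-clean on its
# own; conflicts appear only when roles are combined on one user.
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "Z_GL_ACCOUNTANT": {"GL01", "GL03"},
    "Z_GL_MASTER": {"GL02"},
    "Z_AP_CLERK": {"AP02", "AP03"},
    "Z_AP_PAYMENTS": {"AP01", "AP04"},
    "Z_BUYER": {"PR02", "PR07"},
    "Z_PO_APPROVER": {"PR04"},
    "Z_QM_INSPECTOR": {"QM01"},
    "Z_WM_COUNTER": {"MM07"},
    "Z_WM_CLEARER": {"MM08"},
}

# Constructed user -> roles, and user -> mitigated risk -> control ID.
USER_ROLES: Dict[str, Set[str]] = {
    "ACCT01": {"Z_GL_ACCOUNTANT", "Z_GL_MASTER"},        # F001, mitigated below
    "APCLK1": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},           # P003, open
    "BUYER1": {"Z_BUYER", "Z_PO_APPROVER"},              # P059, open
    "QMWM01": {"Z_QM_INSPECTOR", "Z_WM_COUNTER"},        # 2 of 3 for M005: no risk
    "QMWM02": {"Z_QM_INSPECTOR", "Z_WM_COUNTER", "Z_WM_CLEARER"},  # M005, open
}
MITIGATIONS: Dict[str, Dict[str, str]] = {"ACCT01": {"F001": "MIT-F001"}}


@dataclass
class Finding:
    user: str
    risk_id: str
    level: str
    via_roles: Dict[str, str]  # function -> role that grants it to this user
    mitigation: str = ""       # control ID if the risk is mitigated for this user

    @property
    def open(self) -> bool:
        return not self.mitigation


def user_functions(user: str, user_roles: Dict[str, Set[str]],
                   role_functions: Dict[str, Set[str]]) -> Dict[str, str]:
    """Union of functions over all the user's roles, mapped to a granting role."""
    granted: Dict[str, str] = {}
    for role in sorted(user_roles.get(user, ())):
        for fn in role_functions.get(role, ()):
            granted.setdefault(fn, role)
    return granted


def analyze(user_roles: Dict[str, Set[str]], role_functions: Dict[str, Set[str]],
            risks: List[Risk], mitigations: Dict[str, Dict[str, str]]) -> List[Finding]:
    """One Finding per (user, risk) where the user holds every function of the risk."""
    findings: List[Finding] = []
    for user in sorted(user_roles):
        granted = user_functions(user, user_roles, role_functions)
        for risk in risks:
            if risk.functions.issubset(granted):  # 2- and 3-function rows alike
                findings.append(Finding(
                    user, risk.risk_id, risk.level,
                    {fn: granted[fn] for fn in sorted(risk.functions)},
                    mitigations.get(user, {}).get(risk.risk_id, "")))
    return findings


def open_findings(findings: List[Finding], min_level: str = "Low") -> List[Finding]:
    """Unmitigated findings at or above min_level (Low < Medium < High)."""
    rank = {"Low": 0, "Medium": 1, "High": 2}
    return [f for f in findings if f.open and rank[f.level] >= rank[min_level]]


if __name__ == "__main__":
    for f in analyze(USER_ROLES, ROLE_FUNCTIONS, RISKS, MITIGATIONS):
        status = f"mitigated by {f.mitigation}" if f.mitigation else "OPEN"
        print(f"{f.user} {f.risk_id} {f.level:<6} {status}: {f.via_roles}")
```

In practice the role-to-function mapping is the hard part: it has to be derived from the transaction codes and authorization objects each role actually grants, and the check has to be rerun whenever roles or assignments change, since a role that is clean in isolation can complete a risk the moment it is combined with another on the same user.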
Procure to Pay

| Risk ID | Function 1 | Function 2 | Mitigation ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|
| P001 | PR01 Vendor Master Maintenance | AP02 Process Vendor Invoices | | | Maintain a fictitious vendor and enter a vendor invoice for automatic payment. | High |
| P002 | AP01 AP Payments | PR01 Vendor Master Maintenance | | | Maintain a fictitious vendor and create a payment to that vendor. | High |
| P003 | AP02 Process Vendor Invoices | AP01 AP Payments | | | Enter fictitious vendor invoices and then render payment to the vendor. | High |
| P004 | PR02 Maintain Purchase Order | AP02 Process Vendor Invoices | | | Purchase unauthorized items and initiate payment by invoicing. | High |
| P005 | PR02 Maintain Purchase Order | MM05 Goods Receipts to PO | | | Enter fictitious purchase orders for personal use and accept the goods through goods receipt. | High |
| P006 | AP02 Process Vendor Invoices | MM05 Goods Receipts to PO | | | Enter fictitious vendor invoices and accept the goods via goods receipt. | High |
| P007 | PR02 Maintain Purchase Order | AP01 AP Payments | | | Enter a fictitious purchase order and enter the covering payment. | High |
| P008 | PR01 Vendor Master Maintenance | PR02 Maintain Purchase Order | | | Create a fictitious vendor and initiate purchases to that vendor. | High |
| P009 | AP03 Release Blocked Invoices | PR08 Service Acceptance | | | Receive or accept services and release a previously blocked invoice to offset the receipt. | Medium |
| P010 | AP03 Release Blocked Invoices | PR02 Maintain Purchase Order | | | Enter an unauthorized purchase order and release a previously blocked invoice to offset the purchase order. | Medium |
| P011 | PR02 Maintain Purchase Order | MM03 Enter Counts & Clear Diff - IM | | | Inappropriately procure an item and manipulate the IM physical inventory counts to hide it. | High |
| P012 | PR03 Service Master Maintenance | PR07 Requisitioning | | | Modify or add to service master data (to add an item that is not normally ordered by the company) and then create or change a requisition. | Medium |
| P013 | MM06 Maintain Material Master Data | PR02 Maintain Purchase Order | | | Add items to the material master or service master file and create fraudulent purchase orders for those items. | Medium |
| P014 | FI03 Bank Reconciliation | AP02 Process Vendor Invoices | | | Can hide differences between bank payments and posted AP records. | High |
| P015 | AP03 Release Blocked Invoices | MM05 Goods Receipts to PO | | | Receive goods against a purchase order and release a previously blocked invoice to offset the receipt. | Medium |
| P016 | PR08 Service Acceptance | AP01 AP Payments | | | Receive or accept services and enter the covering payments. | High |
| P017 | PR02 Maintain Purchase Order | PR08 Service Acceptance | | | Enter fictitious purchase orders for personal use and accept the services through service acceptance. | Medium |
| P018 | MM06 Maintain Material Master Data | PR05 Purchasing Agreements | | | Add an item to the material master or service master file and then fraudulently add those items to purchasing agreements. | Medium |
| P019 | PR04 PO Approval | MM05 Goods Receipts to PO | | | Approve the purchase of unauthorized goods and hide the misuse of inventory by not fully receiving the order. | High |
| P020 | PR04 PO Approval | AP01 AP Payments | | | Commit the company to fraudulent purchase contracts and initiate payment for unauthorized goods and services. | High |
| P021 | PR04 PO Approval | AP02 Process Vendor Invoices | | | Release a non bona-fide purchase order and initiate payment for the order by entering invoices. | High |
| P022 | PR04 PO Approval | MM02 Enter Counts - IM | | MM01 Clear Differences - Inventory Management | Release a non bona-fide purchase order and keep the action undetected by manipulating the IM physical inventory counts. | High |
| P023 | PR04 PO Approval | PR01 Vendor Master Maintenance | | | Create a fictitious vendor or change existing vendor master data and approve purchases to this vendor. | High |
| P024 | PR04 PO Approval | MM06 Maintain Material Master Data | | | Add or modify material master data and release an order for personal use. | Medium |
| P025 | AP03 Release Blocked Invoices | PR05 Purchasing Agreements | | | Modify a purchasing agreement and release a previously blocked invoice to offset the vendor account. | Medium |
| P026 | AP01 AP Payments | PR05 Purchasing Agreements | | | Enter fictitious purchasing agreements and then render payment. | High |
| P027 | PR01 Vendor Master Maintenance | PR05 Purchasing Agreements | | | Enter fictitious purchasing agreements and enter a fictitious vendor or modify an existing vendor, especially its account data. | High |
| P028 | PR05 Purchasing Agreements | MM05 Goods Receipts to PO | | | Modify purchasing agreements and then receive goods for fraudulent purposes. | High |
| P029 | AP02 Process Vendor Invoices | PR05 Purchasing Agreements | | | Enter unauthorized items to a purchasing agreement and create an invoice to obtain those items for personal use. | High |
| P030 | AP01 AP Payments | PR03 Service Master Maintenance | | | Modify service master data (to add a service that is not normally ordered by the company) and enter the covering payments. | High |
| P031 | PR03 Service Master Maintenance | PR06 Release Requisitions | | | Add services to the service master file (services not related to business purposes) and create a requisition for those services. | Medium |
| P032 | PR06 Release Requisitions | PR05 Purchasing Agreements | | | Enter or maintain a purchasing agreement and authorize the related requisition through its release. | Medium |
| P033 | PR07 Requisitioning | PR02 Maintain Purchase Order | | | The same person requisitions an item and creates a purchase order from that requisition. | Medium |
| P034 | PR02 Maintain Purchase Order | PR03 Service Master Maintenance | | | Add items to the service master file and create fraudulent purchase orders for those items. | Medium |
| P035 | PR05 Purchasing Agreements | MM03 Enter Counts & Clear Diff - IM | | | The same person enters a purchasing agreement for materials and then adjusts the IM inventory for those materials. | Medium |
| P036 | MM06 Maintain Material Master Data | PR07 Requisitioning | | | Modify or add to material master data (to add material that is not normally ordered by the company) and then release a material requisition. | Medium |
| P037 | PR07 Requisitioning | PR06 Release Requisitions | | | The same person requisitions an item and then releases the requisition for purchase, bypassing the authorization process. | Medium |
| P038 | AP01 AP Payments | FI03 Bank Reconciliation | | | Enter unauthorized payments and reconcile them with the bank as the same person. | High |
| P039 | AP02 Process Vendor Invoices | PR08 Service Acceptance | | | Enter vendor invoices and accept the corresponding services in service receipts entry. | Medium |
| P040 | PR06 Release Requisitions | PR02 Maintain Purchase Order | | | The same person releases a requisition and generates the accompanying purchase order. | Medium |
| P041 | PR03 Service Master Maintenance | PR05 Purchasing Agreements | | | Add an item to the material master or service master file and then fraudulently add those items to purchasing agreements. | Medium |
| P042 | PR04 PO Approval | PR03 Service Master Maintenance | | | Add or modify service master data and release an order for personal use. | Medium |
| P043 | AP03 Release Blocked Invoices | PR04 PO Approval | | | Release a purchase order and release a previously blocked invoice to offset the vendor account. | Medium |
| P044 | PR04 PO Approval | PR08 Service Acceptance | | | Release a fictitious purchase order for personal use and accept the services through service acceptance. | Medium |
| P045 | PR02 Maintain Purchase Order | MM02 Enter Counts - IM | | MM01 Clear Differences - Inventory Management | Inappropriately procure an item and manipulate the IM physical inventory counts to hide it. | High |
| P046 | PR02 Maintain Purchase Order | MM07 Enter Counts - WM | | MM08 Clear Differences - WM | Inappropriately procure an item and manipulate the WM physical inventory counts to hide it. | High |
| P047 | PR04 PO Approval | MM03 Enter Counts & Clear Diff - IM | | | Release a non bona-fide purchase order and keep the action undetected by manipulating the IM physical inventory counts. | High |
| P048 | PR04 PO Approval | MM07 Enter Counts - WM | | MM08 Clear Differences - WM | Release a non bona-fide purchase order and keep the action undetected by manipulating the WM physical inventory counts. | High |
| P049 | PR05 Purchasing Agreements | MM02 Enter Counts - IM | | MM01 Clear Differences - Inventory Management | The same person enters a purchasing agreement for materials and then adjusts the IM inventory for those materials. | Medium |
| P050 | PR05 Purchasing Agreements | MM07 Enter Counts - WM | | MM08 Clear Differences - WM | The same person enters a purchasing agreement for materials and then adjusts the WM inventory for those materials. | Medium |
| P051 | AP04 Manual Check Processing | PR01 Vendor Master Maintenance | | | Maintain a fictitious vendor and create a payment to that vendor. | High |
| P052 | AP02 Process Vendor Invoices | AP04 Manual Check Processing | | | Enter fictitious vendor invoices and then render payment to the vendor. | High |
| P053 | PR02 Maintain Purchase Order | AP04 Manual Check Processing | | | Enter a fictitious purchase order and enter the covering payment. | High |
| P054 | PR08 Service Acceptance | AP04 Manual Check Processing | | | Receive or accept services and manually enter the covering check payments. | High |
| P055 | PR04 PO Approval | AP04 Manual Check Processing | | | Commit the company to fraudulent purchases and initiate manual check payments for unauthorized goods and services. | High |
| P056 | AP04 Manual Check Processing | PR05 Purchasing Agreements | | | Enter fictitious purchasing agreements and then render manual checks for payment. | High |
| P057 | AP04 Manual Check Processing | PR03 Service Master Maintenance | | | Modify service master data (to add a service that is not normally ordered by the company) and enter the covering payments. | High |
| P058 | AP04 Manual Check Processing | FI03 Bank Reconciliation | | | Enter unauthorized manual payments and reconcile them with the bank as the same person. | High |
| P059 | PR02 Maintain Purchase Order | PR04 PO Approval | | | Where release strategies are utilized, the same user should not maintain the purchase order and release or approve it. | High |
| P060 | AP02 Process Vendor Invoices | AP03 Release Blocked Invoices | | | The automated controls for invoicing can be circumvented. Invoices are usually blocked due to price or quantity differences. | Medium |
| P061 | PR11 Maintain Vendor Pricing Conditions | AP01 AP Payments | | | Transactional processing should be segregated from pricing master data. | Medium |
| P062 | PR11 Maintain Vendor Pricing Conditions | AP02 Process Vendor Invoices | | | Transactional processing should be segregated from pricing master data. | Medium |
| P063 | PR11 Maintain Vendor Pricing Conditions | AP03 Release Blocked Invoices | | | Transactional processing should be segregated from pricing master data. | Medium |
| P064 | PR11 Maintain Vendor Pricing Conditions | AP04 Manual Check Processing | | | Transactional processing should be segregated from pricing master data. | Medium |
| P065 | PR11 Maintain Vendor Pricing Conditions | PR04 PO Approval | | | Transactional processing should be segregated from pricing master data. | Medium |
| P066 | PR11 Maintain Vendor Pricing Conditions | PR06 Release Requisitions | | | Transactional processing should be segregated from pricing master data. | Medium |
| P067 | PR11 Maintain Vendor Pricing Conditions | PR07 Requisitioning | | | Transactional processing should be segregated from pricing master data. | Medium |

Order to Cash

| Risk ID | Function 1 | Function 2 | Mitigation ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|
| S001 | AR04 Credit Management | SD05 Sales Order Processing | | | Enter or modify sales documents and approve customer credit limits. | High |
| S002 | SD05 Sales Order Processing | AR03 Clear Customer Balance | | | Create sales documents and immediately clear the customer's obligation. | High |
| S003 | SD05 Sales Order Processing | SD01 Maintain Customer Master Data | | | Create a fictitious customer and initiate a fraudulent sales document. | High |
| S004 | SD01 Maintain Customer Master Data | AR07 Process Customer Invoices | | | Make an unauthorized change to the master record (payment terms, tolerance level) in favor of the customer and enter an inappropriate invoice. | High |
| S005 | SD01 Maintain Customer Master Data | SD03 Sales Rebates | | | Inappropriately create or change rebate agreements and manage a customer's master record in favor of the customer. Could also change a customer's master record to direct payment to an inappropriate location. | High |
| S006 | AR03 Clear Customer Balance | AR05 Maintain Billing Documents | | | Clear a customer's balance and create or change the billing document for the same customer, clearing them of their obligation. | High |
| S007 | SD05 Sales Order Processing | AR05 Maintain Billing Documents | | | Inappropriately create or change a sales document and generate a corresponding billing document for it. | High |
| S008 | AR04 Credit Management | SD03 Sales Rebates | | | Manipulate a customer's credit limit and assign generous rebates to execute a marginal customer's order. | High |
| S009 | SD05 Sales Order Processing | AR02 Cash Application | | | Enter a fictitious sales document and then render fictitious payments. | Medium |
| S010 | AR02 Cash Application | AR05 Maintain Billing Documents | | | Create a billing document for a customer and inappropriately post a payment from the same customer to conceal non-payment. | High |
| S011 | SD01 Maintain Customer Master Data | AR01 AR Payments | | | Create a fictitious customer and initiate payment to the unauthorized customer. | High |
| S012 | AR06 Process Customer Credit Memos | AR01 AR Payments | | | Initiate an unauthorized payment to the customer by entering fictitious credit memos. | High |
| S013 | AR02 Cash Application | SD04 Sales Document Release | | | Change the accounts receivable records to cover differences with customer statements. | High |
| S014 | SD05 Sales Order Processing | SD02 Delivery Processing | | | Cover up an unauthorized shipment by creating a fictitious sales document. | High |
| S015 | AR07 Process Customer Invoices | SD06 Sales Pricing Condition | | | Sales price modifications for sales invoicing. | High |
| S016 | SD05 Sales Order Processing | SD06 Sales Pricing Condition | | | Enter sales documents and lower prices for fraudulent gain. | High |
| S017 | AR04 Credit Management | AR02 Cash Application | | | Perform the credit approval function and modify cash received for fraudulent purposes. | High |
| S018 | AR02 Cash Application | SD03 Sales Rebates | | | Enter fictitious sales rebates and then render fictitious payments. | High |
| S019 | AR02 Cash Application | SD01 Maintain Customer Master Data | | | The same person enters changes to the customer master file and modifies the cash received for the customer. | High |
| S020 | SD05 Sales Order Processing | SD04 Sales Document Release | | | Sales documents are entered and released by the same person. | Medium |
| S021 | SD05 Sales Order Processing | SD03 Sales Rebates | | | Sales documents are entered and sales rebates given by the same person, effectively granting an indirect price discount. | Medium |
| S022 | AR07 Process Customer Invoices | AR04 Credit Management | | | Sales invoices are modified or entered and credit limits approved by the same person. | High |
| S023 | AR05 Maintain Billing Documents | SD06 Sales Pricing Condition | | | Sales price modifications for sales invoicing. | High |
| S024 | SD01 Maintain Customer Master Data | AR03 Clear Customer Balance | | | Maintain a customer master record and post a fraudulent payment against it. | High |
| S025 | SD01 Maintain Customer Master Data | AR05 Maintain Billing Documents | | | User can create a fictitious customer and then issue invoices to the customer. | High |
| S026 | AR02 Cash Application | AR07 Process Customer Invoices | | | User can create/change an invoice and enter/change payments against the invoice. | High |
| S027 | SD02 Delivery Processing | AR02 Cash Application | | | User can create a fictitious/incorrect delivery and enter payments against it, potentially misappropriating goods. | High |
| S028 | SD05 Sales Order Processing | AR07 Process Customer Invoices | | | User able to create a fraudulent sales contract to include additional goods and enter an incorrect customer invoice to hide the deception. | High |
| S029 | AR03 Clear Customer Balance | AR06 Process Customer Credit Memos | | | Create a credit memo, then clear the customer to prompt a payment. | High |

HR and Payroll

| Risk ID | Function 1 | Function 2 | Mitigation ID | Function 3 | Description of Risk | Risk Level |
|---|---|---|---|---|---|---|
| H001 | HR03 Maintain Employee (PA) Master Data - 0008 - 0009 ( | PY04 Process Payroll | | | Modify payroll master data and then process payroll. Potential for fraudulent activity. | High |
| H002 | HR01 HR Benefits | PY04 Process Payroll | | | Change employee HR benefits, then process payroll without authorization. Potential for fraudulent activity. | High |
| H003 | PY07 3rd Party Remittance | HR02 HR Vendor Data | | | Changing master data and creating the remittance could result in fraudulent payments. | High |
| H004 | HR04 Maintain Time Data | PY01 Approve Time | | | Change payroll master data and enter time data applied to incorrect settings. | High |
| H005 | HR04 Maintain Time Data | PY04 Process Payroll | | | Modify time data and process payroll, resulting in fraudulent payments. | High |
| H006 | PY02 Maintain Payroll Configuration | PY04 Process Payroll | | | Change payroll configuration, then process payroll, resulting in fraudulent payments. | High |
| H007 | HR03 Maintain Employee (PA) Master Data - 0008 - 0009 ( | PY02 Maintain Payroll Configuration | | | Change payroll configuration, then modify payroll master data, resulting in fraudulent payments. | High |
| H008 | HR05 Modify PD Structure | HR03 Maintain Employee (PA) Master Data - 0008 - 0009 ( | | | Change payroll master data and modify the PD structure. | High |
| H009 | HR04 Maintain Time Data | PY03 Payroll Maintenance | | | Enter false time data and perform payroll maintenance. | High |
| H010 | PY03 Payroll Maintenance | PY04 Process Payroll | | | Change payroll and process payroll without proper authorization. | High |
| H011 | PY02 Maintain Payroll Configuration | PY03 Payroll Maintenance | | | Change payroll configuration and perform maintenance on payroll settings. | High |
| H012 | HR04 Maintain Time Data | PY02 Maintain Payroll Configuration | | | Modify payroll configuration and enter false time data. | High |
| H013 | HR04 Maintain Time Data | HR05 Modify PD Structure | | | Enter false time data and maintain the PD structure. | High |
| H014 | HR03 Maintain Employee (PA) Master Data - 0008 - 0009 ( | HR04 Maintain Time Data | | | Users may enter false time data and process payroll, resulting in fraudulent payments. | High |
| H015 | HR03 Maintain Employee (PA) Master Data - 0008 - 0009 ( | PY03 Payroll Maintenance | | | Users may maintain employee master data, including pay rates, and delete the payroll result. | High |
| H016 | PY06 Payroll Schemas | HR04 Maintain Time Data | | | Users may enter false time data and perform work schedule evaluations. | High |
| H017 | PY05 Time Evaluations | HR04 Maintain Time Data | | | Users may enter false time data and perform time evaluations. | Medium |
| H018 | PY05 Time Evaluations | HR05 Modify PD Structure | | | Perform time evaluations and change the PD structure to misroute the data for approvals. | Medium |
| H019 | PY05 Time Evaluations | PY03 Payroll Maintenance | | | Perform time evaluations and delete payroll results, which could disrupt the payroll process. | Medium |
| H020 | PY05 Time Evaluations | PY04 Process Payroll | | | Users who both perform time evaluation and process payroll could hide fraudulent actions. | Medium |
| H021 | PY05 Time Evaluations | PY06 Payroll Schemas | | | Users who can both perform time evaluations and maintain payroll schemas could hide fraudulent actions. | Medium |

Basis
A developer could modify an existing program in production, perform traces
B001 | BS02 Basis Development | BS11 System Administration | Mitigation: MIT-B001 | Risk: Medium
  to the program, and configure the production environment to run the program. This may affect system performance, data integrity and inappropriate program modification.

B002 | BS02 Basis Development | BS06 Configuration | Mitigation: MIT-B002 | Risk: High
  A developer could modify an existing program in production, perform traces to the program and configure the production environment to limit monitoring of the program run by increasing alarm thresholds and eliminating audit trails through external OS comma

B003 | BS02 Basis Development | BS05 Client Administration | Mitigation: MIT-B003 | Risk: Medium
  A developer could create or modify a program in production and replicate these changes to other clients. This bypasses the inherent controls in the transport process and could negatively impact the DV and QA clients.

B004 | BS02 Basis Development | BS12 Transport Administration | Mitigation: MIT-B004 | Risk: High
  A developer could create or modify a program in production and force the transport of these changes after the fact to conceal irregular development practices. This also enables the reverting back to the program's original version without any trace of the changes made in production.

B005 | BS04 Basis Utilities | BS11 System Administration | Mitigation: MIT-B005 | Risk: Medium
  A developer could modify program components (menus, screen layout, messages, queries) and configure the production environment to execute the program with these changes. This may affect system performance, data integrity and inappropriate program modification.

B006 | BS04 Basis Utilities | BS06 Configuration | Mitigation: MIT-B006 | Risk: High
  A developer could modify program components (menus, screen layout, messages, queries) and configure the production environment to limit monitoring of the program runs using the modified program components by increasing alarm thresholds and eliminating audit trail

B007 | BS04 Basis Utilities | BS05 Client Administration | Mitigation: MIT-B007 | Risk: Medium
  A developer could modify program components (menus, screen layout, messages, queries) and replicate these changes to other clients. This bypasses the inherent controls in the transport process and could negatively impact the DV and QA clients.

B008 | BS04 Basis Utilities | BS12 Transport Administration | Mitigation: MIT-B008 | Risk: High
  A developer could modify program components (menus, screen layout, messages, queries) and force the transport of these changes after the fact to conceal irregular development practices. This also enables the reverting back to the program components origin

B009 | BS03 Basis Table Maintenance | BS11 System Administration | Mitigation: MIT-B009 | Risk: High
  An individual could modify data in tables or modify valid configuration values and set up the production environment to run transactions and programs using the inappropriately modified data. This could affect data integrity, system performance, and proper

B010 | BS03 Basis Table Maintenance | BS05 Client Administration | Mitigation: MIT-B010 | Risk: High
  An individual could modify data in tables or change valid configuration and replicate these changes to other clients. This is particularly sensitive if client administration transactions come with client-independent authorization allowing the developer to

B011 | BS10 Security Administration | BS05 Client Administration | Mitigation: MIT-B011 | Risk: High
  An individual could inappropriately modify roles and assignments and reflect this change to the production's mirror copy, eliminating the chance to revert to the appropriate setup.

B012 | BS10 Security Administration | BS12 Transport Administration | Mitigation: MIT-B012 | Risk: High
  A security administrator could make inappropriate changes to unauthorized security roles, transport them, and assign them to a fictitious user for execution.

B013 | BS01 Archiving | BS11 System Administration | Mitigation: MIT-B013 | Risk: Medium
  An administrator could execute archiving transactions during peak end-user usage and administer the production system to allow for maximum system resources to complete the archiving function, affecting system performance.

B014 | BS01 Archiving | BS06 Configuration | Mitigation: MIT-B014 | Risk: Medium
  A user could configure the production environment to limit monitoring of the inappropriate archiving runs by increasing alarm thresholds and eliminating audit trails through external OS commands.

B015 | BS01 Archiving | BS05 Client Administration | Mitigation: MIT-B015 | Risk: Medium
  A user could inappropriately archive client-independent data and settings and use client administration functions to replicate such changes to other clients.

B016 | BS01 Archiving | BS12 Transport Administration | Mitigation: MIT-B016 | Risk: Medium
  Usually the individuals responsible for archiving are end-users who understand the business processes and data retention needs. Their job responsibilities do not require transport administration transactions. The reverse can be said for the users' responsibilities

B017 | BS07 Create Transport | BS09 Perform Transport | Mitigation: MIT-B017 | Risk: High
  Can create transports, add objects to the transport, and move the transport: can put unauthorized object changes into production, bypassing the Change Control process.

B018 | BS08 Maintain Number Ranges | BS11 System Administration | Mitigation: MIT-B018 | Risk: High
  Can reset the number ranges (1) and delete your log/audit trail (2).

B019 | BS13 Maintain User Master | BS14 Maintain Profiles / Roles | Mitigation: MIT-B019 | Risk: High
  One person controlling both the access in the profile/role and the user IDs increases the risk of inappropriate access.

CRM

D001 | CR01 Generate & Process Leads | CR02 Maintain Opportunity | Risk: Medium
  Maintaining Opportunities (qualifying the lead) must be independent of generating leads. Sales or Production forecast could be based on the number of qualified leads. In some companies, commissions could be paid based on the number of qualified leads.

D002 | CR01 Generate & Process Leads | CR03 Maintain Business Partner | Risk: Medium
  The creation of key Business Partner data should be segregated from the Marketing group's Leads and Opportunity management. BPs should only be created after the appropriate review by the Master Data group.

D003 | CR03 Maintain Business Partner | CR04 Process CRM Sales Order | Risk: High
  A user could create a fictitious business partner and initiate fraudulent sales orders for that partner. Master data such as business partners should not be maintained by the same users who process transactions using that master data.

D004 | CR04 Process CRM Sales Order | SD02 Delivery Processing | Risk: High
  A user could create a fictitious sales order to cover up an unauthorized shipment.

D005 | CR04 Process CRM Sales Order | CR07 CRM Billing | Risk: High
  Inappropriately create or change sales documents and generate the corresponding billing document in CRM.

D006 | CR04 Process CRM Sales Order | AR05 Maintain Billing Documents | Risk: High
  Inappropriately create or change sales documents and generate the corresponding billing document in R3.

D007 | CR05 Service Order Processing | CR06 Service Confirmation | Risk: High
  Enter fictitious service orders for personal use and accept the services through service acceptance. The user could prompt fraudulent payments. In addition, spare parts could be fraudulently issued from inventory as a result of the confirmation.

D008 | CR07 CRM Billing | CR03 Maintain Business Partner | Risk: High
  User can create a fictitious business partner and then process billing in CRM for that partner.

D009 | AR05 Maintain Billing Documents | CR03 Maintain Business Partner | Risk: High
  User can create a fictitious business partner and then process billing in R3 for that partner.

D010 | CR06 Service Confirmation | CR07 CRM Billing | Risk: High
  Inappropriately accept or confirm a service order and generate a corresponding billing document in CRM for the order.

D011 | CR06 Service Confirmation | AR05 Maintain Billing Documents | Risk: High
  Inappropriately accept or confirm a service order and generate a corresponding billing document in R3 for the order.

D012 | SD07 Inbound Delivery Processing | CR08 Process Credit Memo | Risk: Medium
  Internal user can be in collusion with a customer, process a fictitious inbound delivery (based on a complaint entered by the customer) and process a credit memo to the customer.

D013 | CR08 Process Credit Memo | CR07 CRM Billing | Risk: High
  User could create a fictitious credit memo and run billing due in CRM to prompt a payment to a customer. The customer could provide a kickback to the internal user.

D014 | CR08 Process Credit Memo | AR05 Maintain Billing Documents | Risk: High
  User could create a fictitious credit memo and run billing due in R3 to prompt a payment to a customer. The customer could provide a kickback to the internal user.

D015 | AR07 Process Customer Invoices | CR09 Maintain Conditions | Risk: High
  Pricing conditions could be manipulated to provide inappropriate discounts or incentives to customers, which will be realized in an incorrect invoice.

D016 | CR04 Process CRM Sales Order | CR09 Maintain Conditions | Risk: High
  A user could enter a sales order in CRM and lower prices via conditions for fraudulent gain.

D017 | CR02 Maintain Opportunity | PY04 Process Payroll | Risk: High
  Commission or incentives may be paid based on the number of qualified leads. Inappropriately qualified leads could result in fraudulent commission payments.

D018 | CR05 Service Order Processing | PY04 Process Payroll | Risk: High
  Commission or incentives may be paid based on the number of service orders. Fraudulent orders could be entered to achieve higher sales for commissions.

D019 | CR04 Process CRM Sales Order | PY04 Process Payroll | Risk: High
  Commission or incentives may be paid based on the number of sales orders. Fraudulent orders could be entered to achieve higher sales reporting for commissions.

D020 | CR10 Maintain Product Catalog | CR04 Process CRM Sales Order | Risk: Medium
  Add items to product catalogs and create fictitious sales orders for those items.

SRM

E001 | SR01 EBP / SRM Vendor Master | SR03 EBP / SRM Invoicing | Risk: High
  Maintain a fictitious vendor and enter an invoice to be included in the automatic payment run.

E002 | SR02 EBP / SRM Purchasing | SR03 EBP / SRM Invoicing | Risk: High
  Purchase unauthorized items and prompt the payment by invoicing.

E003 | SR02 EBP / SRM Purchasing | SR04 EBP / SRM Goods Receipt/Service Acceptance | Risk: High
  Enter fictitious orders for personal use and accept the goods or services through goods receipt or service acceptance.

E004 | SR03 EBP / SRM Invoicing | SR04 EBP / SRM Goods Receipt/Service Acceptance | Risk: High
  Enter fictitious invoices and accept goods or services via goods receipt or service acceptance.

E005 | SR01 EBP / SRM Vendor Master | SR02 EBP / SRM Purchasing | Risk: High
  Maintain a fictitious vendor and initiate purchases to that vendor.

E006 | SR02 EBP / SRM Purchasing | MM07 Enter Counts - WM | Function 3: MM08 Clear Differences - WM | Risk: Medium
  Inappropriately procure items and manipulate the WM physical inventory counts to hide.

E007 | SR02 EBP / SRM Purchasing | MM02 Enter Counts - IM | Function 3: MM01 Clear Differences - Inventory Management | Risk: Medium
  Inappropriately procure items and manipulate the IM physical inventory counts to hide.

E008 | SR02 EBP / SRM Purchasing | MM03 Enter Counts & Clear Diff - IM | Risk: Medium
  Inappropriately procure items and manipulate the IM physical inventory counts to hide.

E009 | SR05 EBP / SRM Product Maintenance | SR02 EBP / SRM Purchasing | Risk: Medium
  Add items to the catalog or master file and create fraudulent orders for those items.

E010 | FI03 Bank Reconciliation | SR03 EBP / SRM Invoicing | Risk: High
  A user can hide differences between bank payments and posted AP records.

E011 | SR06 EBP / SRM Goods Receipt/Service Acceptance | MM07 Enter Counts - WM | Function 3: MM08 Clear Differences - WM | Risk: High
  Accept goods via SRM goods receipts and perform a WM physical inventory adjustment afterwards.

E012 | SR06 EBP / SRM Goods Receipt/Service Acceptance | MM02 Enter Counts - IM | Function 3: MM01 Clear Differences - Inventory Management | Risk: High
  Accept goods via SRM goods receipts and perform an IM physical inventory adjustment afterwards.

E013 | SR06 EBP / SRM Goods Receipt/Service Acceptance | MM03 Enter Counts & Clear Diff - IM | Risk: High
  Accept goods via SRM goods receipts and perform an IM physical inventory adjustment afterwards using powerful IM transactions.

E014 | SR02 EBP / SRM Purchasing | MM05 Goods Receipts to PO | Risk: High
  Enter fictitious orders for personal use and access the goods or services through goods receipt.

E015 | SR02 EBP / SRM Purchasing | PR08 Service Acceptance | Risk: High
  Enter fictitious orders for personal use and access the goods or services through service acceptance.

E016 | SR08 EBP / SRM Maintain Shopping Cart | SR05 EBP / SRM Product Maintenance | Risk: Medium
  Initiate purchases for fictitious goods by selecting those goods to be included in a shopping cart.

E017 | SR08 EBP / SRM Maintain Shopping Cart | SR01 EBP / SRM Vendor Master | Risk: Medium
  Maintain a fictitious vendor and initiate purchases to that vendor by selecting goods to be included in a shopping cart.

E018 | SR07 EBP / SRM PO Approval | SR04 EBP / SRM Goods Receipt/Service Acceptance | Risk: Medium
  Approve the purchase of unauthorized goods and hide the misuse of inventory by not fully receiving the order in SRM.

E019 | SR07 EBP / SRM PO Approval | MM05 Goods Receipts to PO | Risk: High
  Approve the purchase of unauthorized goods and hide the misuse of inventory by not fully receiving the order in R3.

E020 | SR02 EBP / SRM Purchasing | SR07 EBP / SRM PO Approval | Risk: High
  Where release strategies are utilized, the same user should not maintain the purchase order and release or approve it.

E021 | SR01 EBP / SRM Vendor Master | SR07 EBP / SRM PO Approval | Risk: High
  Create a fictitious vendor or change existing vendor master data and approve purchases to this vendor.

E022 | SR02 EBP / SRM Purchasing | SR09 EBP / SRM Maintain Org Structure | Risk: High
  Enter fictitious orders for personal use and manipulate the organizational structure to bypass approvals.


E023 | SR01 EBP / SRM Vendor Master | SR09 EBP / SRM Maintain Org Structure | Risk: High
  Create or maintain a fictitious vendor and manipulate the organizational structure to bypass approvals or secondary checks.

E024 | SR08 EBP / SRM Maintain Shopping Cart | SR07 EBP / SRM PO Approval | Risk: High
  Initiate purchases by selecting goods to be included in a shopping cart, then approve the purchase.

EC-CS (Assumption - Data is uploaded to the Consolidation system. Additional risks may need to be defined for fully integrated systems)

Every G-series risk pairs EC01 Maintain Hierarchies with one finance or master data function, is rated High, and carries the same description of risk:
  AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output.

G001 | EC01 Maintain Hierarchies | AP01 AP Payments | Mitigation: MIT-G001 | Risk: High
G002 | EC01 Maintain Hierarchies | AP02 Process Vendor Invoices | Mitigation: MIT-G002 | Risk: High
G003 | EC01 Maintain Hierarchies | AP04 Manual Check Processing | Mitigation: MIT-G003 | Risk: High
G004 | EC01 Maintain Hierarchies | AR02 Cash Application | Mitigation: MIT-G004 | Risk: High
G005 | EC01 Maintain Hierarchies | AR07 Process Customer Invoices | Mitigation: MIT-G005 | Risk: High
G006 | EC01 Maintain Hierarchies | CC03 Maintain Cost Centers | Mitigation: MIT-G006 | Risk: High
G007 | EC01 Maintain Hierarchies | FA01 Maintain Asset Document | Mitigation: MIT-G007 | Risk: High
G008 | EC01 Maintain Hierarchies | FA02 Maintain Asset Master | Mitigation: MIT-G008 | Risk: High
G009 | EC01 Maintain Hierarchies | FI01 Revenue Reposting | Mitigation: MIT-G009 | Risk: High
G010 | EC01 Maintain Hierarchies | GL01 Post Journal Entry | Mitigation: MIT-G010 | Risk: High
G011 | EC01 Maintain Hierarchies | GL02 Maintain GL Master Data | Mitigation: MIT-G011 | Risk: High
G012 | EC01 Maintain Hierarchies | GL03 Post Journal Entry (misc Tax/Currency) | Mitigation: MIT-G012 | Risk: High
G013 | EC01 Maintain Hierarchies | PR01 Vendor Master Maintenance | Mitigation: MIT-G013 | Risk: High
G014 | EC01 Maintain Hierarchies | SD01 Maintain Customer Master Data | Mitigation: MIT-G014 | Risk: High
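The ruleset above is only useful once it is evaluated against who actually holds which functions. The following is an added example, not part of the original ruleset document, showing how a practitioner would run such a check: it encodes a handful of the risks listed above by their page IDs (B012, B017, B019, D003, E001, E005 and the three-function risk E006), resolves each user's functions through the roles assigned to them, reports every rule whose functions are all held, and treats a finding as mitigated only when the control assigned to that user for that risk matches the rule's own mitigation ID. The role names, the role-to-function mapping, the users and the mitigation assignments are constructed sample data and are not from the document.

```python
"""Segregation-of-duties (SoD) conflict check over a user/role/function model.

Added example: the risk IDs, function IDs and mitigation IDs come from the
ruleset on this page; roles, users and role-to-function mapping are
constructed sample data (they are not SAP-delivered objects).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    risk_id: str
    functions: FrozenSet[str]          # every listed function must be held to trigger
    level: str                          # "High" / "Medium" as rated in the ruleset
    mitigation_id: Optional[str] = None  # None: the ruleset names no mitigating control


# Subset of the ruleset above; the CRM and SRM rows carry no Mitigation ID.
RULES: List[Rule] = [
    Rule("B012", frozenset({"BS10", "BS12"}), "High", "MIT-B012"),
    Rule("B017", frozenset({"BS07", "BS09"}), "High", "MIT-B017"),
    Rule("B019", frozenset({"BS13", "BS14"}), "High", "MIT-B019"),
    Rule("D003", frozenset({"CR03", "CR04"}), "High"),
    Rule("E001", frozenset({"SR01", "SR03"}), "High"),
    Rule("E005", frozenset({"SR01", "SR02"}), "High"),
    Rule("E006", frozenset({"SR02", "MM07", "MM08"}), "Medium"),  # three-way risk
]

# Constructed role definitions: which SoD functions each role grants.
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "Z_SEC_USER_ADMIN": {"BS13"},
    "Z_SEC_ROLE_ADMIN": {"BS14"},
    "Z_BASIS_TRANSPORT": {"BS07", "BS09"},
    "Z_SRM_VENDOR": {"SR01"},
    "Z_SRM_BUYER": {"SR02"},
    "Z_SRM_AP": {"SR03"},
    "Z_WM_COUNT": {"MM07"},
    "Z_WM_CLEAR": {"MM08"},
}

# Constructed user-to-role assignments.
USER_ROLES: Dict[str, List[str]] = {
    "secadmin1": ["Z_SEC_USER_ADMIN", "Z_SEC_ROLE_ADMIN"],  # B019 arises across two roles
    "basis1": ["Z_BASIS_TRANSPORT"],                         # B017 sits inside a single role
    "buyer1": ["Z_SRM_BUYER", "Z_WM_COUNT"],                  # only two of E006's three functions
    "buyer2": ["Z_SRM_BUYER", "Z_WM_COUNT", "Z_WM_CLEAR", "Z_SRM_VENDOR"],  # E005 and E006
    "apclerk1": ["Z_SRM_AP"],
}

# Constructed mitigating-control assignments per (user, risk).
ASSIGNED_MITIGATIONS: Dict[Tuple[str, str], str] = {
    ("basis1", "B017"): "MIT-B017",
    ("secadmin1", "B019"): "MIT-B012",  # wrong control for this risk: must not count
}


@dataclass
class Finding:
    user: str
    risk_id: str
    level: str
    functions: Tuple[str, ...]
    mitigated: bool
    assigned_mitigation: Optional[str]


def user_functions(user: str, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS) -> Set[str]:
    """Union of the SoD functions granted by all of the user's roles."""
    held: Set[str] = set()
    for role in user_roles.get(user, []):
        held |= role_functions.get(role, set())
    return held


def evaluate(user: str, rules=RULES, user_roles=USER_ROLES,
             role_functions=ROLE_FUNCTIONS, mitigations=ASSIGNED_MITIGATIONS) -> List[Finding]:
    """Return one Finding per rule whose functions the user holds in full."""
    held = user_functions(user, user_roles, role_functions)
    findings: List[Finding] = []
    for rule in rules:
        if rule.functions <= held:  # all functions of the rule are held
            assigned = mitigations.get((user, rule.risk_id))
            # A control only mitigates when the rule defines one and it is the one assigned.
            mitigated = rule.mitigation_id is not None and assigned == rule.mitigation_id
            findings.append(Finding(user, rule.risk_id, rule.level,
                                    tuple(sorted(rule.functions)), mitigated, assigned))
    return findings


def unmitigated_high(user: str, **kwargs) -> List[str]:
    """Risk IDs rated High that the user triggers without a matching mitigating control."""
    return sorted(f.risk_id for f in evaluate(user, **kwargs)
                  if f.level == "High" and not f.mitigated)


if __name__ == "__main__":
    for name in USER_ROLES:
        for f in evaluate(name):
            status = f"mitigated by {f.assigned_mitigation}" if f.mitigated else "UNMITIGATED"
            print(f"{name}: {f.risk_id} ({f.level}) {'+'.join(f.functions)} -> {status}")
```

Two behaviours are worth checking in the output: secadmin1 triggers B019 through two separately harmless roles, which a role-by-role review would miss, and buyer1 does not trigger E006 because the ruleset defines it as a three-function conflict, whereas buyer2, who also holds MM08 and SR01, triggers both E006 and the unmitigated High risk E005.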

Functional Area | Novus Monitor & Approver | Email Address
Finance / Controlling | Davud Friedman | [email protected]
Manufacturing | Steve Bass | [email protected]
Procure to Pay | |
Order to Cash | |
HR | |
Basis | Mark Meyer | [email protected]
CRM | |
