The top 20 most critical segregation of duties conflicts in SAP

SOX audits require checking that incompatible tasks and system rights are assigned to different individuals in order to avoid any conflict of duties. Segregation of duties (SOD) has always been an important component of the control environment because of its impact on fraud prevention and on the alignment between IT and the business. SOD reinforces the IT principle of least privilege. Both manual tasks (e.g. approvals by signature) and system roles should be included in these audits. The type and number of conflicts between transactions are always a challenge for SOX scoping. For instance, SAP reports more than 150 high-risk incompatibilities. In business practice, it can be hard to understand the risks associated with a reported conflict.

Even though SAP provides an extensive framework for maintaining role-based security (e.g. RSUSR008, RSUSR009), several tools to simplify the audit process have been launched (e.g. Virsa, Approva and CSI). All this complexity makes it a challenge for the compliance function to create solid policies and to educate staff about SOD.

I created a list of the top 20 most critical segregation of duties conflicts in SAP to help with this process. It covers both the incompatibility of the transactions and the fraud/error risk for SOX compliance. I selected the most sensitive transactions, the riskiest and most frequent situations, and their reported incompatibilities.

For the complete list of high risk SOD conflicts in SAP: http://www.box.net/shared/am4bsvi8i5

CR04 Process CRM Sales Order + SD02 Delivery Processing = A user could create a fictitious sales order to cover up an unauthorized shipment.
CR04 Process CRM Sales Order + CR07 CRM Billing = Inappropriately create or change sales documents and generate the corresponding billing document in CRM.
CR05 Service Order Processing + CR06 Service Confirmation = Enter fictitious service orders for personal use and accept the services through service acceptance. The user could prompt fraudulent payments. In addition, spare parts could be fraudulently issued from inventory as a result of the confirmation.
SR01 EBP / SRM Vendor Master + SR03 EBP / SRM Invoicing = Maintain a fictitious vendor and enter an invoice to be included in the automatic payment run.
FI03 Bank Reconciliation + SR03 EBP / SRM Invoicing = A user can hide differences between bank payments and posted AP records.
SR01 EBP / SRM Vendor Master + SR07 EBP / SRM PO Approval = Create a fictitious vendor or change existing vendor master data and approve purchases to this vendor.
SR01 EBP / SRM Vendor Master + SR09 EBP / SRM Maintain Org Structure = Create or maintain a fictitious vendor and manipulate the organizational structure to bypass approvals or secondary checks.
AR02 Cash Application + FI03 Bank Reconciliation = Allows differences between cash deposited and cash collections posted to be covered up.
MM04 Goods Movements + MM02 Enter Counts – IM + MM04 Clear Differences – IM = Accept goods via goods receipts and perform an IM physical inventory adjustment afterwards.
MM04 Goods Movements + MM03 Enter Counts & Clear Diff - IM = Accept goods via goods receipts and perform an IM physical inventory adjustment afterwards.
PR01 Vendor Master Maintenance + AP02 Process Vendor Invoices = Maintain a fictitious vendor and enter a Vendor invoice for automatic payment.
PR01 Vendor Master Maintenance + PR02 Maintain Purchase Order = Create a fictitious vendor and initiate purchases to that vendor.
PR02 Maintain Purchase Order + MM03 Enter Counts & Clear Diff - IM = Inappropriately procure an item and manipulate the IM physical inventory counts to hide it.
FI03 Bank Reconciliation + AP02 Process Vendor Invoices = Can hide differences between bank payments & posted AP records.
PR04 PO Approval + MM02 Enter Counts - IM + MM04 Clear Differences – IM = Release a non-bona-fide purchase order and keep the action undetected by manipulating the IM physical inventory counts.
PR01 Vendor Master Maintenance + PR05 Purchasing Agreements = Risk of entering fictitious purchasing agreements together with entering a fictitious vendor or modifying an existing vendor, especially its account data.
AP01 AP Payments + FI03 Bank Reconciliation = Risk of the same person entering unauthorized payments and reconciling them with the bank.
PR02 Maintain Purchase Order + MM02 Enter Counts - IM = Inappropriately procure an item and manipulate the IM physical inventory counts to hide it.
PR04 PO Approval + MM03 Enter Counts & Clear Diff - IM = Release a non-bona-fide purchase order and keep the action undetected by manipulating the IM physical inventory counts.
AP04 Manual Check Processing + FI03 Bank Reconciliation = Risk of the same person entering unauthorized manual payments and reconciling them with the bank.
SD01 Maintain Customer Master Data + AR01 AR Payments = Create a fictitious customer and initiate payment to the unauthorized customer.
SD01 Maintain Customer Master Data + AR05 Maintain Billing Documents = User can create a fictitious customer and then issue invoices to the customer.
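The conflict list above is, in effect, a rule table: a user who holds every business function named in a rule triggers it. The following is an added example (not code from the original post or from any SAP tool) that encodes a subset of these rules, including one three-function rule, and runs both a detective check over existing user assignments and a preventive check before a new function is granted. The function codes (PR01, AP02, ...) are the page's own; the user names and assignments are constructed sample data.

```python
# Added example: SOD conflict check built from the rule list above.
# Each rule is the set of SAP business functions that must not be combined in
# one user, plus the page's description of the resulting risk. This is a
# subset of the page's 20 rules; the three-function rule is included as-is.
SOD_RULES = [
    ({"PR01", "AP02"}, "fictitious vendor invoiced for automatic payment"),
    ({"PR01", "PR02"}, "fictitious vendor and purchases initiated to it"),
    ({"AP01", "FI03"}, "unauthorized payments reconciled by the same person"),
    ({"AP04", "FI03"}, "unauthorized manual payments reconciled by the same person"),
    ({"FI03", "AP02"}, "differences between bank payments and posted AP records hidden"),
    ({"SD01", "AR01"}, "fictitious customer paid"),
    ({"SD01", "AR05"}, "fictitious customer invoiced"),
    ({"PR04", "MM02", "MM04"}, "non-bona-fide PO hidden by inventory count adjustment"),
]


def find_conflicts(assignments, rules=SOD_RULES):
    """Detective check: map each user to the rules fully triggered by the
    functions they hold. A rule only fires when ALL its functions are held,
    so a user with PR04 + MM02 but not MM04 is not reported."""
    hits = {}
    for user, functions in assignments.items():
        held = set(functions)
        triggered = [(tuple(sorted(r)), why) for r, why in rules if r <= held]
        if triggered:
            hits[user] = triggered
    return hits


def check_grant(held, new_function, rules=SOD_RULES):
    """Preventive check: rules that would become fully triggered if
    new_function were added to the functions already held."""
    before = set(held)
    after = before | {new_function}
    return [(tuple(sorted(r)), why) for r, why in rules
            if r <= after and not r <= before]


# Constructed sample: user-to-function assignments, e.g. derived from roles.
SAMPLE_ASSIGNMENTS = {
    "jdoe": ["PR01", "AP02", "FI01"],   # vendor master + vendor invoices
    "asmith": ["PR04", "MM02"],         # lacks MM04, so the 3-way rule is not hit
    "bwong": ["AP01", "AP04", "FI03"],  # payments + bank reconciliation, two rules
}

if __name__ == "__main__":
    for user, triggered in find_conflicts(SAMPLE_ASSIGNMENTS).items():
        for funcs, why in triggered:
            print(f"{user}: {' + '.join(funcs)} -> {why}")
    # Would granting MM04 to asmith complete the three-function rule?
    print(check_grant(SAMPLE_ASSIGNMENTS["asmith"], "MM04"))
```

In practice the assignments would come from an export of user-to-role mappings (e.g. via RSUSR008/RSUSR009 or a GRC tool) translated to the business functions used in the rule set.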