The most visited post in my blog covers the 20 most critical conflicts that you may find in SAP auditing, SOX testing and user security controls. After several years of fine-tuning the user conflict matrix and having SAP HANA released, I expand this post by listing the 100 most critical and frequent segregation of duties incompatibilities. This list helps in simplifying the user reviews by internal auditors, functional roles and access security professionals while explaining the risk which may result in operational fraud.
This is the list which you are welcome to get as a MS Excel file,
VA01 Create Sales Order and XD01 Create Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VA01 Create Sales Order and XD02 Change Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
F.80 Mass reversal of documents and F-60 Maintain Table: Posting Periods are incompatible since the user may open accounting periods previously closed and make postings after month end.
VA01 Create Sales Order and VD01 Create Customer (SD) are incompatible since assets may be disposed at less than the true value.
VA01 Create Sales Order and VD02 Change Customer (SD) are incompatible since assets may be disposed at less than the true value.
VA01 Create Sales Order and FD02 Change Customer (FI) are incompatible since assets may be disposed at less than the true value.
VA01 Create Sales Order and FD01 Create Customer (FI) are incompatible since assets may be disposed at less than the true value.
VA02 Change Sales Order and XD01 Create Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VA01 Create sales order and F-30 Post with clearing are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
F.80 Mass reversal of documents and OB52 C FI Maintain Table T001B are incompatible since the user may open accounting periods previously closed and make postings after month end.
VL02N Change outbound delivery and F-22 Enter customer invoice are incompatible since the user may create/change a delivery and create/change an invoice.
XK01 Create Vendor (Centrally) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
XD01 Create customer (centrally) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
VA02 Change Sales Order and XD02 Change Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VA01 Create sales order and VL02N Change outbound delivery are incompatible since the user may create/change sales orders and deliveries to hide the misappropriation of goods.
VF01 Create Billing Document and XD01 Create Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VL01N Create outbound delivery with order ref and F-22 Enter customer invoice are incompatible since the user may create/change a delivery and create/change an invoice.
VA01 Create sales order and F-32 Clear customer are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
XK01 Create Vendor (Centrally) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
XD02 Change customer (centrally) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
MIGO Goods Movement and MM01 Create Material are incompatible since the user could create or change a fictitious receipt and create/change a material document to hide the deception.
Get the latest in corporate governance, risk, and compliance on Twitter
XD01 Create customer (centrally) and VL02N Change outbound delivery are incompatible since the user may create a customer and delivery goods to that customer, thereby misappropriating goods.
XD01 Create customer (centrally) and F-32 Clear customer are incompatible since the user may create a customer and then post payments against the customer.
VA01 Create sales order and VL01N Create outbound delivery with order ref are incompatible since the user may create/change sales orders and deliveries to hide the misappropriation of goods.
VF01 Create Billing Document and XD02 Change Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VA02 Change Sales Order and VD01 Create Customer (SD) are incompatible since assets may be disposed at less than the true value.
FK01 Create Vendor (FI) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
VA02 Change Sales Order and VD02 Change Customer (SD) are incompatible since assets may be disposed at less than the true value.
VA01 Create sales order and F-26 Incoming payments fast entry are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
VA02 Change Sales Order and FD02 Change Customer (FI) are incompatible since assets may be disposed at less than the true value.
XD01 Create customer (centrally) and VL01N Create outbound delivery with order ref are incompatible since the user may create a customer and delivery goods to that customer, thereby misappropriating goods.
XD02 Change customer (centrally) and VL02N Change outbound delivery are incompatible since the user may create a customer and delivery goods to that customer, thereby misappropriating goods.
XK01 Create Vendor (Centrally) and VD01 Create Customer (SD) are incompatible since assets may be sold to non-existent or fraudulent customers.
XD01 Create customer (centrally) and F-29 Post customer down payment are incompatible since the user may have the ability to enter or modify down payments for customers and the user may have the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected. Th.
XD02 Change customer (centrally) and F-32 Clear customer are incompatible since the user may create a customer and then post payments against the customer.
VD01 Create customer (sales) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
FK02 Change Vendor (FI) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
XK01 Create Vendor (Centrally) and VD02 Change Customer (SD) are incompatible since assets may be sold to non-existent or fraudulent customers.
XD01 Create customer (centrally) and F-26 Incoming payments fast entry are incompatible since the user may create a customer and then post payments against the customer.
XK01 Create Vendor (Centrally) and FD02 Change Customer (FI) are incompatible since assets may be sold to non-existent or fraudulent customers.
VD02 Change customer (sales) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
FD02 Change customer (accounting) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
VA02 Change Sales Order and FD01 Create Customer (FI) are incompatible since assets may be disposed at less than the true value.
MK01 Create Vendor (MM) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
FK01 Create Vendor (FI) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
VF01 Create Billing Document and VD01 Create Customer (SD) are incompatible since assets may be disposed at less than the true value.
VA02 Change sales order and F-30 Post with clearing are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
XD02 Change customer (centrally) and VL01N Create outbound delivery with order ref are incompatible since the user may create a customer and delivery goods to that customer, thereby misappropriating goods.
ME21N Access to Create Purchase Order and ABAA Unplanned Depreciation are incompatible since assets may be acquired at an overvalued or undervalued price and then depreciated. Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed.
MK02 Change Vendor (MM) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
VF01 Create Billing Document and VD02 Change Customer (SD) are incompatible since assets may be disposed at less than the true value.
VF01 Create Billing Document and FD02 Change Customer (FI) are incompatible since assets may be disposed at less than the true value.
XD02 Change customer (centrally) and F-29 Post customer down payment are incompatible since the user may have the ability to enter or modify down payments for customers and the user may have the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected.
XK01 Create Vendor (Centrally) and FD01 Create Customer (FI) are incompatible since assets may be sold to non-existent or fraudulent customers.
VA01 Create sales order and F-51 Post with clearing are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
FK02 Change Vendor (FI) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
XK02 Change Vendor (Centrally) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
F.80 Mass reversal of documents and SCMA Schedule Manager: Scheduler are incompatible since the user may open accounting periods previously closed and make postings after month end.
XD02 Change customer (centrally) and F-26 Incoming payments fast entry are incompatible since the user may create a customer and then post payments against the customer.
FD01 Create customer (accounting) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
VD01 Create customer (sales) and VL02N Change outbound delivery are incompatible since the user may create a customer and delivery goods to that customer, thereby misappropriating goods.
VF02 Change Billing Document and XD01 Create Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VD02 Change customer (sales) and VL02N Change outbound delivery are incompatible since the user may create a customer and delivery goods to that customer, thereby misappropriating goods.
MK01 Create Vendor (MM) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
VD01 Create customer (sales) and F-32 Clear customer are incompatible since the user may create a customer and then post payments against the customer.
FD02 Change customer (accounting) and VL02N Change outbound delivery are incompatible since the user may create a customer and delivery goods to that customer, thereby misappropriating goods.
ME21N Access to Create Purchase Order and ABZU Write-up are incompatible since assets may be acquired at an overvalued or undervalued price and then depreciated. Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed.
XD01 Create customer (centrally) and F-51 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
VD02 Change customer (sales) and F-32 Clear customer are incompatible since the user may create a customer and then post payments against the customer.
MK02 Change Vendor (MM) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
VF01 Create Billing Document and FD01 Create Customer (FI) are incompatible since assets may be disposed at less than the true value.
FD02 Change customer (accounting) and F-32 Clear customer are incompatible since the user may create a customer and then post payments against the customer.
VA02 Change sales order and VL02N Change outbound delivery are incompatible since the user may create/change sales orders and deliveries to hid the misappropriation of goods.
FK01 Create Vendor (FI) and VD01 Create Customer (SD) are incompatible since assets may be sold to non-existent or fraudulent customers.
XD01 Create customer (centrally) and F-39 Clear customer down payment are incompatible since the user may have the ability to enter or modify down payments for customers and the user may have the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected. Th.
VA01 Create sales order and FBCJ Cash journal are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
XK02 Change Vendor (Centrally) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
ME21N Access to Create Purchase Order and ABMA Manual Depreciation are incompatible since assets may be acquired at an overvalued or undervalued price and then depreciated. Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed.
VA02 Change sales order and F-32 Clear customer are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
FK01 Create Vendor (FI) and VD02 Change Customer (SD) are incompatible since assets may be sold to non-existent or fraudulent customers.
VD01 Create customer (sales) and VL01N Create outbound delivery with order ref are incompatible since the user may create a customer and delivery goods to that customer, thereby misappropriating goods.
VF02 Change Billing Document and XD02 Change Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VA01 Create sales order and F-52 Post incoming payments are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
FK01 Create Vendor (FI) and FD02 Change Customer (FI) are incompatible since assets may be sold to non-existent or fraudulent customers.
FD01 Create customer (accounting) and VL02N Change outbound delivery are incompatible since the user may create a customer and delivery goods to that customer, thereby misappropriating goods.
VA01 Create sales order and FF/4 Interface for check deposit data entered externally are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
VD02 Change customer (sales) and VL01N Create outbound delivery with order ref are incompatible since the user may create a customer and delivery goods to that customer, thereby misappropriating goods.
VA01 Create sales order and F-04 Post with clearing are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
VD01 Create customer (sales) and F-29 Post customer down payment are incompatible since the user may have the ability to enter or modify down payments for customers and the user may have the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected. Th.
FD02 Change customer (accounting) and VL01N Create outbound delivery with order ref are incompatible since the user may create a customer and delivery goods to that customer, thereby misappropriating goods.
VA01 Create sales order and FB05 Post with clearing are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
VA01 Create sales order and FF/5 Post check deposit data entered externally are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
FK02 Change Vendor (FI) and VD01 Create Customer (SD) are incompatible since assets may be sold to non-existent or fraudulent customers.
VL02N Change outbound delivery and F-30 Post with clearing are incompatible since the user may create fictitious/incorrect delivery and enter payments against these, potentially misappropriating goods.
FD01 Create customer (accounting) and F-32 Clear customer are incompatible since the user may create a customer and then post payments against the customer.
VD01 Create customer (sales) and F-26 Incoming payments fast entry are incompatible since the user may create a customer and then post payments against the customer.
XD01 Create customer (centrally) and FBCJ Cash journal are incompatible since the user may create a customer and then post payments against the customer.
XD02 Change customer (centrally) and F-51 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
VD02 Change customer (sales) and F-29 Post customer down payment are incompatible since the user may have the ability to enter or modify down payments for customers and the user may have the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected.
A risk-based approach to SAP segregation of duties The top 100 most critical segregation of duties conflicts in SAP Segregation of Duties Fraud Risks & Solutions Security SOD Segregation of Duties SOD Conflicts and Role Based Authorization in SAP SAP Segregation of Duties SOX 404 and Risks
Companies are managing risks to seize opportunities since the Mercantilism. However, a company-wide framework to manage risks was developed few years ago. The first integrated framework for enterprise risk management was published by COSO in 2004. Strategic risks addressing the companies´ ability to archive business objectives within the stakeholders´ risk appetite are still immature. In this post, I will give an overview about strategic risk management.
Risk management and governance can be improved by developing strategic risk management processes. These processes encompass the identification, the assessment and the management of top risks in the business strategies. For a given risk tolerance, strategic risk management can assess internal and external events that potentially affect the company strategy to archive business objectives. This field is a concern of the boards, directors and top management. GRC approach should integrate it to allow align all the different business activities to common objectives. Additionally, ERM approach should include prioritization processes to indentify key risks (which are the input for strategic risks).
This area was not properly developed in an integrated manner, or even resourced by companies. Even though, it deserves attention from upper management and other stakeholders (eg. risk rating agencies). There are increasing cases of catastrophic losses because unaligned strategies to risk appetites (eg. managing debts and investments in 2008 crisis, dealing with cost volatility, poor data loss prevention measures, subordinated debt or lack of geographical diversification). In this world of “continuous surprises”, stakeholders´ value is neither protected nor created. Personally, I get the feeling that, in some cases, a specific control issue may get more attention and resources than indentifying an emerging risk to execute a strategy.
There were some current developments to integrate strategies into a holistic approach. Strategic Risk Management can be linked to the ISO 31000:2009 since the top management is responsible to integrate this standard to the decision marking processes (which involves the strategies). Also developed during the last decade, the Return Driven Strategy framework integrates the strategic goals to the risk management goals. Unfortunately, these approaches are not usually carried out to practice by most companies.
In this post, I would like to discuss a recently published patent related to GRC. This patented was filled by Microsoft (US Patent # 2011/0112973 A1). It claims a computer-implemented method for compliance management of regulations for entities. The method comprises operations for receiving a set of control objectives and entities to generate test results.
This patent covers a process hierarchy from business objectives and policies to get compliance reports on test results. In the middle, there is a “compliance master framework” to organize control objectives in regulations and IT terms, along with an “abstraction library” and a “configuration management database CMDB” to map compliance programs to entities. The CMDB concept was previously patented by a related team on 2006 (Anthony Baron et al). Some of the terms in this patent seem to be widely defined, for instance, the “abstraction library may support mapping the detailed reality of the real world into abstract layers" (sic).
Microsoft offers GRC management solutions, which incorporate compliance software and risk management software. These solutions are designed to help organizations comply with current regulations, manage their risk, and facilitate required corporate disclosures. This patent shows Microsoft´s interest in continuing developing these solutions.
The inventor is Ashvinkumar J. Sanghvi. He has been filling patents related to automation of policies and procedures for information technology management since a decade ago. He already claimed 44 patents in the USPTO.
Software patenting has a role in GRC to address the automation of controls and tests, and hopeful, to reduce errors and human intervention.
The IT department is well aware of SOX IT controls. However, this department may also assist in providing information for business cycle testing to comply with SOX. It is important that IT and SAP process owners know that to expect from these audits. Some auditors would not have the access privilege or the knowledge to perform data extractions in SAP. In this case, they need the IT assistance. In this post, I explained that a SOX auditor usually covers in reviewing processes based on SAP.
1- Incompatible SAP Accesses for a Business Process
A SOX auditor would ask for a list of users with access to critical transactions. The definition on critical transactions depends on each company and process. However, most of the critical accesses are related to posting, creating and approving key transactions. Customized transactions (Y and Z) are also reviewed when involving high risk approvals. Manual tasks (eg. signing checks or approving reconciliations) are usually added to this analysis. Please refer to my post listing the most common Segregation of Duties Conflicts in SAP for further details.
2- Inconsistencies in SAP Master Files
A SOX auditor would ask for master files to check inconsistencies. Most of this audit process relates to applying filters in the same table or linking different tables. SOX auditors need to control the standardization of business processes and flows. For instance, SOX auditors would review customer credit limits (RF02L), tolerance keys (T169G), customer/vendor masters (eg. addresses, banks, duplications, payment terms, tax codes), and exchange rates (TCURR).
3- Inconsistencies in SAP Parameters
SOX auditors would ask for some parameters in SAP. Typically, they would need to assure that the 3-way match is set, the posting periods are limited in time, the approval flows are reasonable (parking and approving FI documents), and the approver delegations (FMWF_MDRUL) follow internal guidelines, etc.
4- Inconsistencies in custom interfaces to SAP
SOX auditors would walkthrough and test SAP interfaces with external applications (generally related to eBanking and eBusiness). They would be concerned about data integrity and security.
Get the latest in corporate governance, risk, and compliance on Twitter
There is not any official definition for a key control in SOX. Some guidance about this topic is taken from the PCAOB AS 5.11, but a clear distinction from “key controls” and “non-key controls” is not codified. It is entirely a matter of judgment and there is no commonly accepted definition of a key control. However, being able to distinguish both concepts can save time on documenting and testing controls that are not important. In this post, I described some common characteristics about these categories.
A Key Control has the following characteristics:
It is required to provide reasonable assurance that material errors will be prevented or timely detected
It is the only control that covers a risk of material misstatement (it is indispensable to cover its control objective)
If it fails, it is highly improbable that other control could detect the control absence.
It is a control that covers more than one risk or support a whole process execution
It is usually part of entity-level controls or high-level analytic controls
It need to be tested to provide assurance over financial assertions (as part of the SOX Compliance)
A Non-Key Control has the following characteristics:
It is also referred as sub-process, secondary, activity or operative control
It can fail without affecting a whole process
It is in place to monitor certain information
It have an indirect effect on the risk of material misstatement
Its importance should not be minimized (they are subject to monitoring)
It should not involve significant transactions
It is generally eliminated for testing purposes (as part of control rationalization or streamlining efforts)
Its testing can involve getting the walk-though documentation
It could be evaluated under a Control Self Assessment (CSA) program
Since there is not an official definition, the risk categorization depends on each company, and sometimes in practice, by each business owner. In addition, some people call non-key controls as non-SOX controls. What is your experience about this?
It is clear that Management is not required to test all controls in all the business units for SOX 404 compliance. Only those which affect significant accounts and disclosures in the financial statements or involve significant risks are scoped. However, it is commonly believed that all failed controls have to be remediated at fiscal year end.
Management and business process owners can choose to not remediate failed low-risk exceptions because the improvement plan is not practical or cost effective in the long term. For several companies, the remediation phase is where significant effort and money is spent. This decision should be informed to the auditors to get their feedback.
Some aspects of the unremediated deficiencies should be considered, including the effect on the overall risk matrix if a failed control is compensating others, or whether individual deficiencies are aggregated to produce a greater weakness. In other words, unremediated control deficiencies should not rise to the level of a significant deficiency. Less frequent controls or control on processes (as different from entity level controls) may indicate that the remediation plan could be postponed.
Conversely, general control deficiencies that have been properly communicated to Management and the Audit Committee and remain uncorrected after some reasonable period of time are a strong indicator of a material weakness.
Get the latest in corporate governance, risk, and compliance on Twitter
