The 100 most critical and common segregation of duties conflicts in SAP
The most visited post in my blog covers the 20 most critical conflicts that you may find in SAP auditing, SOX testing and user security controls. After several years of fine-tuning the user conflict matrix, and now that SAP HANA has been released, I am expanding that post by listing the 100 most critical and frequent segregation of duties incompatibilities. This list simplifies user access reviews by internal auditors, functional role owners and access security professionals, while explaining the risk behind each conflict, which may result in operational fraud.
This is the list, which you are welcome to get as an MS Excel file:
VA01 Create Sales Order and XD01 Create Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VA01 Create Sales Order and XD02 Change Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
F.80 Mass reversal of documents and F-60 Maintain Table: Posting Periods are incompatible since the user may open accounting periods previously closed and make postings after month end.
VA01 Create Sales Order and VD01 Create Customer (SD) are incompatible since assets may be disposed at less than the true value.
VA01 Create Sales Order and VD02 Change Customer (SD) are incompatible since assets may be disposed at less than the true value.
VA01 Create Sales Order and FD02 Change Customer (FI) are incompatible since assets may be disposed at less than the true value.
VA01 Create Sales Order and FD01 Create Customer (FI) are incompatible since assets may be disposed at less than the true value.
VA02 Change Sales Order and XD01 Create Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VA01 Create sales order and F-30 Post with clearing are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
F.80 Mass reversal of documents and OB52 C FI Maintain Table T001B are incompatible since the user may open accounting periods previously closed and make postings after month end.
VL02N Change outbound delivery and F-22 Enter customer invoice are incompatible since the user may create/change a delivery and create/change an invoice.
XK01 Create Vendor (Centrally) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
XD01 Create customer (centrally) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
VA02 Change Sales Order and XD02 Change Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VA01 Create sales order and VL02N Change outbound delivery are incompatible since the user may create/change sales orders and deliveries to hide the misappropriation of goods.
VF01 Create Billing Document and XD01 Create Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VL01N Create outbound delivery with order ref and F-22 Enter customer invoice are incompatible since the user may create/change a delivery and create/change an invoice.
VA01 Create sales order and F-32 Clear customer are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
XK01 Create Vendor (Centrally) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
XD02 Change customer (centrally) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
MIGO Goods Movement and MM01 Create Material are incompatible since the user could create or change a fictitious receipt and create/change a material document to hide the deception.
XD01 Create customer (centrally) and VL02N Change outbound delivery are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.
XD01 Create customer (centrally) and F-32 Clear customer are incompatible since the user may create a customer and then post payments against the customer.
VA01 Create sales order and VL01N Create outbound delivery with order ref are incompatible since the user may create/change sales orders and deliveries to hide the misappropriation of goods.
VF01 Create Billing Document and XD02 Change Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VA02 Change Sales Order and VD01 Create Customer (SD) are incompatible since assets may be disposed at less than the true value.
FK01 Create Vendor (FI) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
VA02 Change Sales Order and VD02 Change Customer (SD) are incompatible since assets may be disposed at less than the true value.
VA01 Create sales order and F-26 Incoming payments fast entry are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
VA02 Change Sales Order and FD02 Change Customer (FI) are incompatible since assets may be disposed at less than the true value.
XD01 Create customer (centrally) and VL01N Create outbound delivery with order ref are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.
XD02 Change customer (centrally) and VL02N Change outbound delivery are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.
XK01 Create Vendor (Centrally) and VD01 Create Customer (SD) are incompatible since assets may be sold to non-existent or fraudulent customers.
XD01 Create customer (centrally) and F-29 Post customer down payment are incompatible since the ability to enter or modify down payments for customers and the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected.
XD02 Change customer (centrally) and F-32 Clear customer are incompatible since the user may create a customer and then post payments against the customer.
VD01 Create customer (sales) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
FK02 Change Vendor (FI) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
XK01 Create Vendor (Centrally) and VD02 Change Customer (SD) are incompatible since assets may be sold to non-existent or fraudulent customers.
XD01 Create customer (centrally) and F-26 Incoming payments fast entry are incompatible since the user may create a customer and then post payments against the customer.
XK01 Create Vendor (Centrally) and FD02 Change Customer (FI) are incompatible since assets may be sold to non-existent or fraudulent customers.
VD02 Change customer (sales) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
FD02 Change customer (accounting) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
VA02 Change Sales Order and FD01 Create Customer (FI) are incompatible since assets may be disposed at less than the true value.
MK01 Create Vendor (MM) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
FK01 Create Vendor (FI) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
VF01 Create Billing Document and VD01 Create Customer (SD) are incompatible since assets may be disposed at less than the true value.
VA02 Change sales order and F-30 Post with clearing are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
XD02 Change customer (centrally) and VL01N Create outbound delivery with order ref are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.
ME21N Access to Create Purchase Order and ABAA Unplanned Depreciation are incompatible since assets may be acquired at an overvalued or undervalued price and then depreciated. Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed.
MK02 Change Vendor (MM) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
VF01 Create Billing Document and VD02 Change Customer (SD) are incompatible since assets may be disposed at less than the true value.
VF01 Create Billing Document and FD02 Change Customer (FI) are incompatible since assets may be disposed at less than the true value.
XD02 Change customer (centrally) and F-29 Post customer down payment are incompatible since the ability to enter or modify down payments for customers and the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected.
XK01 Create Vendor (Centrally) and FD01 Create Customer (FI) are incompatible since assets may be sold to non-existent or fraudulent customers.
VA01 Create sales order and F-51 Post with clearing are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
FK02 Change Vendor (FI) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
XK02 Change Vendor (Centrally) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
F.80 Mass reversal of documents and SCMA Schedule Manager: Scheduler are incompatible since the user may open accounting periods previously closed and make postings after month end.
XD02 Change customer (centrally) and F-26 Incoming payments fast entry are incompatible since the user may create a customer and then post payments against the customer.
FD01 Create customer (accounting) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
VD01 Create customer (sales) and VL02N Change outbound delivery are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.
VF02 Change Billing Document and XD01 Create Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VD02 Change customer (sales) and VL02N Change outbound delivery are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.
MK01 Create Vendor (MM) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
VD01 Create customer (sales) and F-32 Clear customer are incompatible since the user may create a customer and then post payments against the customer.
FD02 Change customer (accounting) and VL02N Change outbound delivery are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.
ME21N Access to Create Purchase Order and ABZU Write-up are incompatible since assets may be acquired at an overvalued or undervalued price and then depreciated. Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed.
XD01 Create customer (centrally) and F-51 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
VD02 Change customer (sales) and F-32 Clear customer are incompatible since the user may create a customer and then post payments against the customer.
MK02 Change Vendor (MM) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
VF01 Create Billing Document and FD01 Create Customer (FI) are incompatible since assets may be disposed at less than the true value.
FD02 Change customer (accounting) and F-32 Clear customer are incompatible since the user may create a customer and then post payments against the customer.
VA02 Change sales order and VL02N Change outbound delivery are incompatible since the user may create/change sales orders and deliveries to hide the misappropriation of goods.
FK01 Create Vendor (FI) and VD01 Create Customer (SD) are incompatible since assets may be sold to non-existent or fraudulent customers.
XD01 Create customer (centrally) and F-39 Clear customer down payment are incompatible since the ability to enter or modify down payments for customers and the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected.
VA01 Create sales order and FBCJ Cash journal are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
XK02 Change Vendor (Centrally) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
ME21N Access to Create Purchase Order and ABMA Manual Depreciation are incompatible since assets may be acquired at an overvalued or undervalued price and then depreciated. Unplanned depreciation, manual depreciation, and asset value write-ups are processed incorrectly or without authority to proceed.
VA02 Change sales order and F-32 Clear customer are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
FK01 Create Vendor (FI) and VD02 Change Customer (SD) are incompatible since assets may be sold to non-existent or fraudulent customers.
VD01 Create customer (sales) and VL01N Create outbound delivery with order ref are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.
VF02 Change Billing Document and XD02 Change Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VA01 Create sales order and F-52 Post incoming payments are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
FK01 Create Vendor (FI) and FD02 Change Customer (FI) are incompatible since assets may be sold to non-existent or fraudulent customers.
FD01 Create customer (accounting) and VL02N Change outbound delivery are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.
VA01 Create sales order and FF/4 Interface for check deposit data entered externally are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
VD02 Change customer (sales) and VL01N Create outbound delivery with order ref are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.
VA01 Create sales order and F-04 Post with clearing are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
VD01 Create customer (sales) and F-29 Post customer down payment are incompatible since the ability to enter or modify down payments for customers and the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected.
FD02 Change customer (accounting) and VL01N Create outbound delivery with order ref are incompatible since the user may create a customer and deliver goods to that customer, thereby misappropriating goods.
VA01 Create sales order and FB05 Post with clearing are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
VA01 Create sales order and FF/5 Post check deposit data entered externally are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
FK02 Change Vendor (FI) and VD01 Create Customer (SD) are incompatible since assets may be sold to non-existent or fraudulent customers.
VL02N Change outbound delivery and F-30 Post with clearing are incompatible since the user may create fictitious/incorrect delivery and enter payments against these, potentially misappropriating goods.
FD01 Create customer (accounting) and F-32 Clear customer are incompatible since the user may create a customer and then post payments against the customer.
VD01 Create customer (sales) and F-26 Incoming payments fast entry are incompatible since the user may create a customer and then post payments against the customer.
XD01 Create customer (centrally) and FBCJ Cash journal are incompatible since the user may create a customer and then post payments against the customer.
XD02 Change customer (centrally) and F-51 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
VD02 Change customer (sales) and F-29 Post customer down payment are incompatible since the ability to enter or modify down payments for customers and the ability to create or modify customer account information should be segregated. If the same person can process both items, unauthorized changes could be made and possibly not detected.