SEGREGATION OF DUTIES for SAP



SEGREGATION-OF-DUTIES

In today's modern, technology-driven world, segregation-of-duties (SoD) is enforced through business applications and ERPs, but highlighting breakdowns in these controls is difficult. Conflicts caused by poor or missing controls, such as the segregation of authorisation and approval, may go undetected, leading to potential abuse. ACL's SoD for SAP solution ensures that user authorisations are properly compartmentalised and provides assurance that the controls are working correctly. Notifications are built into the ACL platform to ensure that any exceptions are given the amount of attention they deserve and that their resolutions are correctly managed.

ARA ACCESS RISK ANALYZER

PROCURE-TO-PAY Matrix

Functions on the matrix axes: Create/Maintain a vendor; Make payments; Procure an item; Create/Maintain a purchase order; Approve purchase order; Update inventory material master data; Receipt the goods/services; Maintain posting periods; Manual check processing; Post journal entries; Releasing the requisition; Recording fixed asset acquisitions; Process an invoice for automatic payment; Posted AP records; Create/modify purchases to a vendor; Maintain inventory counts; Release/approve a purchase order; Change vendor banking details; Perform physical inventory adjustments; Enter an invoice for payment; Perform bank reconciliation; Create a purchase requisition; Create bank account; Approve changes to vendor master data.

Key: number = conflict quantity

PROCURE-TO-PAY

#  Description  ID
1  Create/Maintain a fictitious vendor and process an invoice for automatic payment  P2P-P-R001
2  A user can hide differences between bank payments and posted AP records  P2P-P-R002
3  Create/Maintain a fictitious vendor and initiate purchases to that vendor  P2P-P-R003
4  Inappropriately procure an item and manipulate the physical inventory counts to hide  P2P-P-R004
5  Create/Maintain a fictitious vendor and approve purchases to this vendor  P2P-P-R005
6  A user can create/maintain a fraudulent purchase order and release or approve it  P2P-P-R006
7  User can update material master data to add inventory items and procure these goods (create/modify PO)  P2P-P-R007
8  Create or maintain a fraudulent purchase order and receipt the goods or services  P2P-P-R008
9  Change vendor master data banking details and make fraudulent payments to vendor  P2P-P-R
10  Accept goods via goods receipts and perform a physical inventory adjustment afterwards  P2P-P-R
11  Accept goods via goods receipts and enter an invoice for payment of these goods  P2P-P-R
12  User can process unauthorized payments and conceal these payments in performing the bank reconciliation  P2P-P-R
13  Create or maintain a fraudulent purchase order and process invoice  P2P-P-R
14  Create purchase requisition and create/maintain a fictitious vendor  P2P-P-R
15  Post vendor invoices to closed accounting periods, by being able to maintain posting periods and process vendor invoices  P2P-P-R
16  Process vendor invoice and manual check processing, resulting in misappropriation of funds  P2P-P-R
17  Process vendor invoice and record automatic AP payments, resulting in misappropriation of funds  P2P-P-R
18  Post journal entry and process vendor invoice, thereby concealing fraudulent transactions  P2P-P-R
19  Record AP payments and post journal entry, thereby concealing fraudulent payments made  P2P-P-R
20  Generating unauthorised purchases by creating purchase requisition and releasing the requisition  P2P-P-R
21  Creating fictitious assets, by recording fixed asset acquisitions and processing vendor invoice  P2P-P-R
22  Create purchase requisition and create purchase order, resulting in unauthorised purchases  P2P-P-R
23  Create purchase requisition and approve purchase order, resulting in unauthorised purchases  P2P-P-R
24  Create/maintain a vendor and create a bank account, resulting in misappropriation of funds  P2P-P-R
25  Create a bank account and process AP payments, resulting in misappropriation of funds  P2P-P-R
26  Create/maintain a fictitious vendor and approve changes made to the vendor master data  P2P-P-R
27  Creating fictitious assets, by recording fixed asset acquisitions and processing goods receipt  P2P-P-R027

ORDER-TO-CASH Matrix

Functions on the matrix axes: Create/maintain a customer; Adjust selling prices; Adjust credit limits; Delivery of goods; Create/maintain customer payment terms; Create a bank account; Clear the customer; Approve invoice; Post journal entry; Perform bank reconciliation; Release sales orders; Create a billing document; Issue invoices to customer; Initiate payments to customer; Create sales orders; Allocate cash receipts; Create/change a credit note; Manage cash deposits; Approve changes to customer master data.

Key: number = conflict quantity

ORDER-TO-CASH

#  Description  ID
1  User can create/maintain a fictitious customer and then issue invoices to the customer  O2C-P-R001
2  Create a fictitious customer and initiate payment to the unauthorized customer  O2C-P-R002
3  Selling prices can be manipulated and then invoices issued to customers  O2C-P-R003
4  Create an invoice to a customer and adjust credit limits  O2C-P-R004
5  Create/maintain a fictitious customer and create an unauthorized sales order for the customer  O2C-P-R005
6  Create a fictitious customer and assign/adjust credit limits to the customer  O2C-P-R006
7  Create/modify customer details and allocate cash received to the customer, resulting in misappropriation of receipts  O2C-P-R007
8  Create sales order and delivery of goods to hide the misappropriation of goods  O2C-P-R008
9  Create/maintain a customer's payment terms and process unauthorized sales orders to the customer  O2C-P-R
10  Create/change a credit note and delivery of goods to hide misappropriation of goods  O2C-P-R
11  User can create a customer and process credit notes to the customer  O2C-P-R
12  User has access to create a bank account and manage cash deposits to hide misappropriation of funds  O2C-P-R
13  Create a credit memo then clear the customer to prompt a payment  O2C-P-R
14  Create/maintain a fictitious customer and approve changes to the customer master  O2C-P-R
15  Process a fraudulent invoice and approve customer invoice  O2C-P-R
16  Record AR receipts and post journal entry, concealing misappropriation of receipts  O2C-P-R
17  Record AR receipts and perform bank reconciliation, concealing misappropriation of receipts  O2C-P-R
18  Create a fictitious sales order and release sales order document for processing  O2C-P-R
19  Create a billing document for a customer and post payments to that customer to conceal misappropriation of cash  O2C-P-R
20  Create a billing document for a customer and post journal entries  O2C-P-R020

HIRE-TO-RETIRE Matrix

Functions on the matrix axes: Process payroll; Approve leave request; Approve time; Approve creation of employee; Enter/Maintain time data; Create an employee; Create leave request; Approve changes to employee master; Update employee benefits.

Key: number = conflict quantity

HIRE-TO-RETIRE

#  Description  ID
1  Create or maintain a ghost employee and process payroll  H2R-P-R001
2  Create leave request and approve the leave request  H2R-P-R002
3  Approve changes to employee master data and process payroll  H2R-P-R003
4  Update employee benefits and process payroll  H2R-P-R004
5  Maintain time data and process payroll  H2R-P-R005
6  Enter/maintain time data and approve time  H2R-P-R006
7  Create/maintain an employee and approve creation thereof  H2R-P-R007
8  Create/maintain an employee and maintain time data  H2R-P-R008
9  Create/maintain an employee and approve time  H2R-P-R009

GENERAL LEDGER Matrix

Functions on the matrix axes: Post to general ledger; Postings after month end; Approve postings of journal; Reverse journal; Create a general ledger account; Open previously closed accounting periods; Create a general journal.

Key: number = conflict quantity

GENERAL LEDGER

#  Description  ID
1  Create a general ledger account and post to the general ledger  GL-P-R001
2  User can open accounting periods previously closed and make postings after month end  GL-P-R002
3  Create a general journal and approve the posting of the journal  GL-P-R003
4  Create a general journal and reverse the general journal  GL-P-R004
5  Create a general ledger account and approve posting of journals  GL-P-R005
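The access-risk check behind the matrices above, written out as an added example (not ACL's product code): each risk is a pair of business functions that must not meet in one user's authorisations, and a finding reports which role grants each side so the reviewer knows what to revoke. The risk IDs and function names come from the matrices; the transaction codes mapped to each function, the roles and the users are assumptions constructed for the example.

```python
"""Access risk analysis in the style of the ARA conflict matrices above.
Added example, not ACL's product code. Risk IDs and business-function names
come from the brochure; the function-to-transaction mapping, the roles and
the users are constructed for illustration."""

# Conflict rules: risk ID -> the two business functions that must not meet.
RISK_RULES = {
    "P2P-P-R001": ("Create/Maintain a vendor", "Process an invoice for automatic payment"),
    "P2P-P-R005": ("Create/Maintain a vendor", "Release/approve a purchase order"),
    "P2P-P-R006": ("Create/Maintain a purchase order", "Release/approve a purchase order"),
    "GL-P-R001": ("Create a general ledger account", "Post to general ledger"),
}

# Business function -> SAP transactions that grant it (assumed mapping; a real
# ruleset would also check authorization objects and activity values).
FUNCTION_TCODES = {
    "Create/Maintain a vendor": {"XK01", "XK02"},
    "Process an invoice for automatic payment": {"FB60", "MIRO"},
    "Create/Maintain a purchase order": {"ME21N", "ME22N"},
    "Release/approve a purchase order": {"ME28", "ME29N"},
    "Create a general ledger account": {"FS00"},
    "Post to general ledger": {"FB50", "FB01"},
}

# Constructed role and user assignments (what an authorization extract gives).
ROLE_TCODES = {
    "Z_AP_CLERK": {"FB60", "MIRO", "FK03"},
    "Z_VENDOR_MASTER": {"XK01", "XK02", "XK03"},
    "Z_BUYER": {"ME21N", "ME22N", "ME23N"},
    "Z_PO_APPROVER": {"ME28", "ME29N"},
    "Z_GL_ACCOUNTANT": {"FS00", "FB50"},  # one role that is toxic on its own
}
USER_ROLES = {
    "JSMITH": {"Z_AP_CLERK", "Z_VENDOR_MASTER"},
    "AKHAN": {"Z_BUYER"},
    "LNG": {"Z_BUYER", "Z_PO_APPROVER"},
    "MROSSI": {"Z_GL_ACCOUNTANT"},
}

def user_functions(user):
    """Business functions the user can perform through any assigned role."""
    tcodes = set().union(*(ROLE_TCODES[r] for r in USER_ROLES.get(user, ())))
    return {f for f, codes in FUNCTION_TCODES.items() if tcodes & codes}

def analyze_user(user):
    """Risk IDs the user violates, with the roles granting each side of the
    conflict, so the remediator can see which assignment to revoke."""
    funcs = user_functions(user)
    findings = {}
    for risk_id, (a, b) in RISK_RULES.items():
        if a in funcs and b in funcs:
            findings[risk_id] = {
                side: sorted(r for r in USER_ROLES[user]
                             if ROLE_TCODES[r] & FUNCTION_TCODES[side])
                for side in (a, b)}
    return findings

def analyze_all():
    """Every user with at least one finding."""
    return {u: analyze_user(u) for u in USER_ROLES if analyze_user(u)}
```

The MROSSI finding shows why role-level review matters: a single role can carry both sides of a conflict, so checking only for risky role combinations would miss it.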

Module 2 TAD TRANSACTION ACTIVITY DETECTION

User Creates A Vendor And An Invoice For This Vendor

There should be segregation of duties between the person creating a vendor and the person creating invoices to that vendor, as this ensures the integrity of the vendor master data is maintained. The user could potentially create and ultimately pay fraudulent or fictitious vendors.

Identifies where a user creates a vendor and an invoice for this vendor. Extracts accounts payable and vendor data and analyzes processed activities to identify where the same user has created a vendor and also created an invoice for this same vendor.

Output Results Fields: Activity Description, Activity Indicator, User ID, User Full Name, Vendor ID, Document Number, Document Type, Date, Document Currency, Amount in Document Currency, Amount in Reporting Currency, Report Currency, Company Name, Company Code, Vendor Name

Summary outputs: Summary of exceptions where a user creates a vendor and an invoice for that vendor; Count of exceptions where a user created a vendor and an invoice for that vendor

Analytic ID: SD_ANALYTIC_01_SDCS501

User Creates A Customer And An Invoice For This Customer

Maintaining customer master data should be segregated from customer-related transactions, such as customer invoicing. This will ensure valid and accurate customer invoices are issued. A user who is able to create customers should not be able to create a customer invoice for that same customer, as the details on the invoice could be amended to those of the employee to ensure payment into their own account.

Identifies where a user creates a customer and an invoice for this customer. Extracts accounts receivable data and customer data, and analyzes processed activities to identify where the same user has created the customer and also created an invoice for the same customer.

Output Results Fields: Activity Description, Activity Indicator, Customer Number, Customer Name, User ID, User Full Name, Date, Document Number, Document Type, Amount in Document Currency, Document Currency, Amount in Reporting Currency, Report Currency, Company Name, Company Code

Summary outputs: Heat map of amount exceptions of users who create a customer and an invoice; Total amount of exceptions by user and customer name

Analytic ID: SD_ANALYTIC_02_SDCS503

User Creates A Purchase Order And Receipts The Goods Or Services

The person ordering goods should not be receiving the goods. Adequate segregation will allow for proper review and approval of transactions as well as preventing possible fraudulent/incorrect orders. A user who is able to create purchase orders and receipt those goods or services exposes a risk that a user could be ordering such goods or services for their own benefit and without much oversight.

Identifies where a user creates a purchase order and receipts the goods or services. Extracts purchase order and goods receipt data, and analyzes processed activities to identify where the same user has created the purchase order and also receipted the goods or services on that purchase order.

Output Results Fields: Activity Description, Activity Indicator, User ID, User Full Name, Vendor ID, Vendor Name, Date, Document Number, Document Line Number, Line Description, Material Number, Amount in Document Currency, Document Currency, Amount in Reporting Currency, Report Currency, Company Code, Company Name

Summary outputs: Heat map of total value by material and user; Total value of exceptions by material and user; Pie chart of total value of exceptions by material

Analytic ID: SD_ANALYTIC_03_SDCS504

User Creates A Credit Memo For A Customer And Creates A Refund For The Customer

An employee should not be able to request a customer credit and process the refund. This eliminates review and approval of credit notes and creates the opportunity for incorrect/fraudulent credit notes. A user who is able to create a credit memo should not also be able to create or force a refund to the customer, as this gives the user the ability to pay customers or themselves, which may not seem material at first but could mount and also cause reputational risk.

Identifies where a user creates a credit memo for a customer and creates a refund for the customer. Extracts accounts receivable data and analyzes processed activities to identify where the same user has created a credit memo and also created a refund for the same customer.

Output Results Fields: Activity Description, Activity Indicator, Customer Number, Customer Name, User ID, User Full Name, Date, Document Number, Document Type, Amount in Document Currency, Amount in Reporting Currency, Report Currency, Company Code, Company Name, Document Currency

Summary outputs: Heat map of total value exceptions by customer and user name; Total value of exceptions by user name and activity

Analytic ID: SD_ANALYTIC_04_SDCS506

User Creates And Approves The Purchase Order

Creation and approval of purchase orders should be segregated to ensure accuracy and validity of the purchase order. The user could commit the entity to unplanned and unknown purchases that would otherwise not be approved and would need to be fulfilled.

Identifies where a user creates and approves the purchase order. Extracts purchase order data and analyzes processed activities to identify where the same user has created the purchase order and also approved the same purchase order.

Output Results Fields: Activity Description, Activity Indicator, User ID, User Full Name, Vendor ID, Vendor Name, Document Number, Amount in Document Currency, Document Line Number, Document Currency, Line Description, Material Number, Date, Amount in Reporting Currency, Report Currency, Company Code, Company Name

Summary outputs: Heat map of total value exceptions by user and vendor; Total value of exceptions by user and activity description

Analytic ID: SD_ANALYTIC_05_SDCS510

User Creates General Ledger Account And Posts Journal Entry

The responsibility for creating general ledger accounts should be separated from posting journals to an associated general ledger account. This is to ensure the accuracy and validity of general ledger accounts as well as of any journal posted. A user could be using newly created general ledger accounts to post one side of journals intended to overstate sales, create liabilities, affect bank balances, conceal reconciling items, or affect a wide range of other transactions.

Identifies where a user creates a general ledger account and posts a journal entry. Extracts general ledger data and analyzes processed activities to identify where the same user has created a new general ledger account and also posted journal entries to that general ledger account.

Output Results Fields: Activity Description, Activity Indicator, GL Account Number, GL Account Description, User ID, User Full Name, Vendor ID, Vendor Name, Document Number, Date, Amount in Document Currency, Document Currency, Amount in Reporting Currency, Report Currency, Company Code, Company Name

Summary outputs: Pie chart of total value of exceptions by GL account; Count of exceptions where a user creates a general ledger account and posts an entry

Analytic ID: SD_ANALYTIC_06_SDCS511

User Amends Vendor Bank Account Number And Pays Vendor

Maintaining vendor master data should be segregated from vendor-related transactions, such as vendor payments. This will support valid and accurate vendor payments. A user who is able to pay vendors and amend a vendor's bank account number could direct payments to incorrect or their own bank accounts.

Identifies where a user amends the vendor bank account number and pays the vendor. Extracts accounts payable and vendor data, and analyzes processed activities to identify where the same user has amended a vendor's bank account number and also paid the same vendor.

Output Results Fields: Activity Description, Activity Indicator, User ID, User Full Name, Vendor ID, Document Number, Document Type, Date, Amount in Document Currency, Vendor Name, Document Currency, Amount in Reporting Currency, Report Currency, Company Name, Company Code

Summary outputs: Total value of exceptions by user; Count of exceptions where a user amends a vendor bank account and pays the vendor

Analytic ID: SD_ANALYTIC_07_SDCS502

User Pays Vendor And Performs Bank Reconciliation

Any person allowed to perform payments should not be able to perform the bank reconciliation. This would eliminate proper review and create the opportunity to perform incorrect/invalid payments. The bank reconciliation may also be manipulated to hide errors or fraudulent activity. A user who is able to pay vendors should not be able to perform the bank reconciliation function, where one can further hide a fraudulent payment or process the transaction as reconciled.

Identifies where a user pays vendors and performs bank reconciliation. Extracts accounts payable and bank reconciliation data and analyzes processed activities to identify where the same user has paid a vendor and also performed the bank reconciliation.

Output Results Fields: Activity Description, Activity Indicator, User ID, User Full Name, Vendor ID, Document Number, Document Type, Date, Amount in Document Currency, Vendor Name, Document Currency, Amount in Reporting Currency, Report Currency, Company Code, Company Name

Summary outputs: Heat map of total value exceptions by user name and activity description; Total value of exceptions by user

Analytic ID: SD_ANALYTIC_08_SDCS507

User Adjusts Selling Prices And Creates Customer Invoices

The person who creates customer invoices should not be allowed to amend sales prices. This would eliminate proper review and approval of price changes and could result in invalid/incorrect invoicing. A user who is able to adjust selling prices should not be able to create a customer invoice with those items, because the user could be offering customers unapproved or loss-making prices that ultimately affect the profitability and reputation of the entity.

Identifies where a user adjusts selling prices and creates customer invoices. Extracts accounts receivable data and sales data and analyzes processed activities to identify where the same user has adjusted the selling price and also created an invoice for a customer for those sales items.

Output Results Fields: Activity Description, Activity Indicator, Customer Number, Customer Name, User ID, User Full Name, Date, Document Number, Document Type, Amount in Document Currency, Document Currency, Amount in Reporting Currency, Report Currency, Company Code, Company Name

Summary outputs: Heat map of total value exceptions by customer and user name; Pie chart of total value of exceptions by user name; Total value of exceptions by customer and user name

Analytic ID: SD_ANALYTIC_09_SDCS505

User Receives Goods And Adjusts The Inventory Levels

Any form of change to inventory levels should be segregated from issuing goods received notes, i.e. receiving of goods. Proper segregation will allow for better review of inventory transactions and provide assurance regarding the accuracy and validity of inventory transactions and the associated inventory levels. A user who is able to receive goods and adjust the inventory levels could misuse this ability to misappropriate goods without detection.

Identifies where a user receives goods and adjusts the inventory levels. Extracts inventory data and analyzes processed activities to identify where the same user has received goods and also adjusted inventory levels.

Output Results Fields: Activity Description, Activity Indicator, User ID, User Full Name, Vendor ID, Vendor Name, Document Number, Document Line Number, Line Description, Material Number, Date, Amount in Document Currency, Document Currency, Amount in Reporting Currency, Report Currency, Company Name, Company Code

Summary outputs: Pie chart of total value exceptions by goods description; Total value of exceptions by user name and activity description

Analytic ID: SD_ANALYTIC_10_SDCS508

User Receives Goods And Writes Off Inventory

Any form of change to inventory levels should be segregated from issuing goods received notes, i.e. receiving of goods. Proper segregation will allow for better review of inventory transactions and provide assurance regarding the accuracy and validity of inventory transactions and the associated inventory levels. A user who is able to receive goods and also write off inventory could misuse this ability to misappropriate goods without detection.

Identifies where a user receives goods and writes off inventory. Extracts inventory data and analyzes processed activities to identify where the same user has received goods and also written off inventory.

Output Results Fields: Activity Description, Activity Indicator, User ID, User Full Name, Vendor ID, Vendor Name, Document Number, Document Line Number, Line Description, Material Number, Date, Amount in Document Currency, Document Currency, Amount in Reporting Currency, Report Currency, Company Code, Company Name

Summary outputs: Total value of exceptions by material description; Total value of exceptions by user and activity description

Analytic ID: SD_ANALYTIC_11_SDCS509

User Receipts Goods Or Services And Creates Invoice

Adequate segregation of duties is required between the person receipting goods or services and the person responsible for capturing the supplier invoice. This is to ensure accuracy and validity in the recording of goods and services received. A user who is able to receipt goods or services and also create the invoice for these goods and services poses a risk that the user could receipt the goods and services for personal use and thereafter create the invoice, which ordinarily would have had some level of external review because accounts payable would vet the invoice before capturing it.

Identifies where a user receipts goods or services and creates the invoice. Extracts goods receipt data and accounts payable data and analyzes processed activities to identify where the same user has receipted goods or services and also created the invoices for these goods or services.

Output Results Fields: Activity Description, Activity Indicator, User ID, User Full Name, Vendor ID, Vendor Name, PO Invoice Ref Number, Document Number, Document Type, Amount in Document Currency, Amount in Reporting Currency, Report Currency, Company Code, Document Currency, Company Name

Summary outputs: Total value of exceptions by user and activity description; Heat map of total value exceptions by user and vendor

Analytic ID: SD_ANALYTIC_12_SDCS512
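Every analytic in this module runs the same correlation: the same user performed activity A and activity B against the same vendor (or customer), and each activity B document becomes an exception row carrying the output fields above. The following added example (not ACL's code) implements that step once and parameterises it for analytics 01 (create vendor, create invoice) and 07 (amend vendor bank account, pay vendor); the Event layout, activity codes, users, vendors and documents are constructed samples, and "Activity Indicator" is assumed to carry the analytic ID.

```python
"""Transaction activity detection over extracted SAP activity records, in the
style of the analytics above. Added example, not ACL's product code; the
activity codes, user IDs, vendors and documents are constructed samples."""
from collections import defaultdict
from typing import NamedTuple

class Event(NamedTuple):
    user: str         # SAP user ID from the change log / document header
    activity: str     # what the user did (constructed activity codes)
    vendor_id: str
    doc_number: str
    doc_type: str
    date: str         # ISO format, so string comparison orders correctly
    amount: float     # in reporting currency; 0 for master-data changes

# Constructed extract of vendor-master changes, invoices and payments.
EVENTS = [
    Event("JSMITH", "CREATE_VENDOR", "V1001", "", "", "2023-03-01", 0.0),
    Event("JSMITH", "CREATE_INVOICE", "V1001", "5100001234", "KR", "2023-03-04", 1200.0),
    Event("AKHAN", "CREATE_INVOICE", "V1001", "5100001235", "KR", "2023-03-05", 300.0),
    Event("AKHAN", "CREATE_VENDOR", "V1002", "", "", "2023-03-06", 0.0),
    Event("JSMITH", "CREATE_INVOICE", "V1002", "5100001236", "KR", "2023-03-07", 800.0),
    Event("MROSSI", "PAY_VENDOR", "V1003", "2000000778", "ZP", "2023-03-08", 500.0),
    Event("MROSSI", "CHANGE_VENDOR_BANK", "V1003", "", "", "2023-03-10", 0.0),
    Event("MROSSI", "PAY_VENDOR", "V1003", "2000000777", "ZP", "2023-03-12", 9500.0),
]

def find_same_user_exceptions(events, activity_a, activity_b, analytic_id):
    """One exception per activity_b document posted by a user who had already
    performed activity_a on the same vendor. Requiring A on or before B keeps
    payments made before a bank-account change out of the result."""
    first_a = {}  # (user, vendor) -> earliest date of activity_a
    for e in events:
        if e.activity == activity_a:
            key = (e.user, e.vendor_id)
            first_a[key] = min(first_a.get(key, e.date), e.date)
    exceptions = []
    for e in events:
        a_date = first_a.get((e.user, e.vendor_id))
        if e.activity != activity_b or a_date is None or a_date > e.date:
            continue
        exceptions.append({
            "Activity Indicator": analytic_id,
            "Activity Description": f"{activity_a} then {activity_b}",
            "User ID": e.user, "Vendor ID": e.vendor_id,
            "Document Number": e.doc_number, "Document Type": e.doc_type,
            "Date": e.date, "Amount in Reporting Currency": e.amount,
        })
    return exceptions

def summarize_by_user(exceptions):
    """Count and total value of exceptions per user (the summary outputs)."""
    totals = defaultdict(lambda: {"count": 0, "total_value": 0.0})
    for x in exceptions:
        totals[x["User ID"]]["count"] += 1
        totals[x["User ID"]]["total_value"] += x["Amount in Reporting Currency"]
    return dict(totals)

def run_vendor_analytics(events=EVENTS):
    """Analytics 01 and 07 above as two parameterisations of the same check."""
    specs = {"SD_ANALYTIC_01_SDCS501": ("CREATE_VENDOR", "CREATE_INVOICE"),
             "SD_ANALYTIC_07_SDCS502": ("CHANGE_VENDOR_BANK", "PAY_VENDOR")}
    return {aid: find_same_user_exceptions(events, a, b, aid)
            for aid, (a, b) in specs.items()}
```

The other vendor-keyed analytics (08, 10, 11, 12) are the same function with different activity codes; the invoice AKHAN posted to a vendor JSMITH created is correctly not flagged, since the conflict is within one user, not across users.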