on 05-22-2013 11:56 AM
Hello,
In standard SAP GRC matrix there is risk with ID - S024, with following description:
| Risk ID | Risk Level | Description of Risk | Tc | Function 1 | Tc | Function 2 |
|---|---|---|---|---|---|---|
| S024 | High | Maintain a customer master record and post a fraudulent payment against it | SD01 | Maintain Customer Master Data | AR03 | Clear Customer Balance |
I'm not sure that I understand where the risk is exactly.
Could you please suggest whether it's really possible to post a fraudulent payment using the AR03 function? And if "yes" - how to do that?
For me it seems that it's possible only to clear the balance.
AR03 contains 5 transactions:
F-32
F-39
FB1D
FBA3
FOAPPROC02
Thank you in advance!
I suggest you simulate this scenario on the ECC system and see if it is possible in any way. Check the permission level definitions of the risk also. I know there are cases of some transactions being able to call the change function from display due to the underlying permissions, but most good role designs would negate this issue.
As with most risks defined in the SAP delivered BC sets / text files, not all the risks are applicable to all businesses. If the risk makes no sense and is not going to be realised within the business, I would suggest turning it off with a justification comment added to the risk description field in the GRC system.
Sorry for not being of precise help, but just providing my common sense answer.
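An added example (not from the thread or from SAP's ruleset) showing how an SoD risk such as S024 is evaluated at transaction level, and how a risk can be switched off with a justification as suggested above. AR03's transactions are the five listed in the question; the SD01 transaction codes are an assumption, since the thread does not list them. The user assignments are constructed sample data.

```python
from dataclasses import dataclass

# Function ID -> transaction codes. AR03 is taken from the question.
# SD01 membership is ASSUMED for this example; check your own ruleset.
FUNCTIONS = {
    "SD01": {"XD01", "XD02", "FD01", "FD02"},   # assumed customer-master tcodes
    "AR03": {"F-32", "F-39", "FB1D", "FBA3", "FOAPPROC02"},
}

@dataclass
class Risk:
    risk_id: str
    level: str
    description: str
    functions: list          # the risk fires only if ALL functions are held
    enabled: bool = True
    justification: str = ""  # filled in when a risk is switched off

RISKS = [Risk("S024", "High",
              "Maintain a customer master record and post a fraudulent payment against it",
              ["SD01", "AR03"])]

def find_conflicts(user_tcodes, risks=RISKS, functions=FUNCTIONS):
    """Return {risk_id: {function: [matching tcodes]}} for every enabled risk
    where the user holds at least one tcode of each of the risk's functions."""
    held = set(user_tcodes)
    hits = {}
    for r in risks:
        if not r.enabled:
            continue
        matched = {f: sorted(held & functions[f]) for f in r.functions}
        if all(matched.values()):          # every function has at least one hit
            hits[r.risk_id] = matched
    return hits

def disable_risk(risk, justification):
    """Switch a risk off, recording why (mirrors the advice in the reply)."""
    if not justification.strip():
        raise ValueError("a justification is required to disable a risk")
    risk.enabled, risk.justification = False, justification
    return risk

# Constructed sample assignments, not real users
USERS = {
    "ar_clerk": {"F-32", "FB1D"},            # AR03 only: no conflict
    "md_clerk": {"XD01"},                    # SD01 only: no conflict
    "combined": {"XD01", "FBA3"},            # both functions: S024 fires
}

if __name__ == "__main__":
    for user, tcodes in USERS.items():
        print(user, find_conflicts(tcodes) or "no SoD conflict")
```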