SOD and Risks

Former Member

I was going through the SOD listed at http://www.sapsecurityonline.com/sox_sod/sod_matrix.htm and I was wondering why the following are in conflicts:

Conflicts by business process

1) AP Invoice Verification and AP Payment Runs/ Clearing

2) Customer Master and Sales Order

3) Delivery Goods Issue and Cash Receipts/ AR Credit Memos

4) Delivery Goods Issue and Customer Master

5) Delivery Goods Issue and Sales Order

6) Purchase Order and Vendor

7) Purchase Order and AP Invoice Verification

8) Purchase Order and AP Payment Runs/ Clearing

9) Purchase Order and Receiving

10) Receiving and Inventory Adjustments

11) Sales Order and Cash Receipts/ AR Credit Memos

12) Vendor and AP Invoice Verification

13) Vendor and AP Payment Runs/ Clearing

I would like to understand the risks involved in the above conflicts and what the risk levels are for each one.

Thanks in advance!

Bliss

3 REPLIES

jurjen_heeck
Active Contributor

I think you'd best talk to some functional people about this. I think I can see some danger in the process combinations you mention but the real risk depends on your company's processes and control measures.

For instance:

People who can edit customer masters and sales orders could easily set the customer delivery address to a fake one (their own, for instance), create a sales order and set the address back to the original. If the changes on delivery addresses are monitored/logged this is not such a big risk.

The same goes for a lot of items in your list. Basically you do not want transactional data and customer/vendor master data to be maintained by the same person, just to avoid them changing master data, creating orders, accepting invoices and releasing payment runs, after which they can change back the master data.


Just a side note from me about possible compensating controls for this example: for vendor and customer master data maintenance, SAP also has so-called "sensitive fields" which can be defined for the master records. This requires another user with the same access to release the changes made. So the person can complete the entire process, or it would look like they can from the perspective of analyzing their authorizations, but they cannot complete it on their own from the perspective of the system customizing settings.

Just a thought.

Julius
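Worked example, added here by the editor and not code from the thread, from SAP or from ComplianceCalibrator: a small Python model of what the two replies above describe. It loads the thirteen conflicting pairs from the question into a matrix, finds the conflicts inside one user's set of business functions (the union over their roles), lets the organisation re-rate or drop a pair, and then marks a conflict as mitigated when one side is master data under dual control (Julius's "sensitive fields") or under change logging (Jurjen's monitored delivery addresses). The L/M/H ratings, the user's function set, the `SodMatrix`/`assess`/`release` names and the sample change record are all assumptions for illustration; the thread gives the pairs but no ratings, and whether a mitigation is acceptable is a business decision the code only records.

```python
"""Segregation-of-duties check over a business-function conflict matrix.

Editor's example; not SAP or ComplianceCalibrator code. Function labels are the
thread's, ratings and sample data are assumptions.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

# The thirteen conflicting pairs listed in the question. Order within a pair
# does not matter, so pairs are stored as frozensets.
CONFLICT_PAIRS = [
    ("AP Invoice Verification", "AP Payment Runs/Clearing"),
    ("Customer Master", "Sales Order"),
    ("Delivery Goods Issue", "Cash Receipts/AR Credit Memos"),
    ("Delivery Goods Issue", "Customer Master"),
    ("Delivery Goods Issue", "Sales Order"),
    ("Purchase Order", "Vendor"),
    ("Purchase Order", "AP Invoice Verification"),
    ("Purchase Order", "AP Payment Runs/Clearing"),
    ("Purchase Order", "Receiving"),
    ("Receiving", "Inventory Adjustments"),
    ("Sales Order", "Cash Receipts/AR Credit Memos"),
    ("Vendor", "AP Invoice Verification"),
    ("Vendor", "AP Payment Runs/Clearing"),
]


class SodMatrix:
    """Conflict matrix keyed by unordered function pair, carrying an L/M/H rating."""

    def __init__(self, pairs, default_level="M"):
        # Every pair starts at a placeholder rating (assumption). The organisation
        # re-rates or removes pairs to match its own audit requirements.
        self.levels = {frozenset(p): default_level for p in pairs}

    def set_level(self, a, b, level):
        if level not in ("L", "M", "H"):
            raise ValueError("level must be L, M or H")
        self.levels[frozenset((a, b))] = level

    def remove(self, a, b):
        self.levels.pop(frozenset((a, b)), None)

    def conflicts(self, functions):
        """Return [(function_a, function_b, level)] for every conflicting pair
        found inside one user's set of functions."""
        found = []
        for a, b in combinations(sorted(functions), 2):
            key = frozenset((a, b))
            if key in self.levels:
                found.append((a, b, self.levels[key]))
        return found


def assess(matrix, functions, dual_control=frozenset(), monitored=frozenset()):
    """Classify each conflict as open or mitigated.

    A conflict counts as mitigated when one side is master data whose sensitive
    fields need release by a second user (dual control), or whose changes are
    logged and reviewed. The residual risk still has to be accepted by the business.
    """
    rows = []
    for a, b, level in matrix.conflicts(functions):
        if {a, b} & set(dual_control):
            status = "mitigated: dual control"
        elif {a, b} & set(monitored):
            status = "mitigated: change logging"
        else:
            status = "open"
        rows.append((a, b, level, status))
    return rows


@dataclass
class SensitiveChange:
    """A master-data change that is held until a different user releases it."""
    requester: str
    record: str
    field_name: str
    new_value: str
    released_by: Optional[str] = None


def can_release(change, approver):
    """Four-eyes rule: the requester may never release their own change."""
    return approver != change.requester


def release(change, approver):
    if not can_release(change, approver):
        raise PermissionError("requester cannot release their own change")
    change.released_by = approver
    return change


if __name__ == "__main__":
    matrix = SodMatrix(CONFLICT_PAIRS)
    # Hypothetical user: order entry plus customer-master maintenance (constructed).
    user = {"Customer Master", "Sales Order", "Delivery Goods Issue"}
    for row in assess(matrix, user, dual_control={"Customer Master"}):
        print(row)
    change = SensitiveChange("alice", "constructed customer record", "delivery address", "new street")
    print(release(change, "bob"))
```

Run as written it reports the three conflicts inside that user's functions, two of them mitigated by dual control on Customer Master and the Delivery Goods Issue / Sales Order pair still open, and then shows a second user releasing the held change. The point of modelling the controls separately from the matrix is the one Julius makes: an authorization-only analysis sees the full process in one person's hands, so the compensating control has to be recorded somewhere the analysis can consult.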

chris_hall2
Participant

If you read the portion right above the conflicts by business process (i.e. the MM SOD Matrix), this provides further information.

These are purely guidelines and are not set in stone. Depending on business or audit requirements you can modify them any way you like. We installed ComplianceCalibrator about a year ago now and have worked with external audit companies to ensure we are set up to comply with various audits (i.e. SOx). We did a lot of rejigging, moving stuff from L to M or H to M, or removing the SOD altogether from our matrix.