Platform Specific Controls

SAP

SAP provides Enterprise Resource Planning (ERP) business applications that tightly integrate business processes organization-wide. ERP business applications are the cornerstone of any organization: an organization's most critical business cycles and most sensitive data are usually managed by the ERP, and as such the risk inherent in these applications is critical and must be controlled effectively.

The following SAP related controls are organized by Control Type.

The following are links to more detailed pages:

Data Controls

Showing 2 controls:
Control Title | Control Type | Risk Rating
Monitor accounts with access to PCI relevant data | Data Controls | High
Monitor accounts with access to PHI or PII relevant data | Data Controls | High

Identity Governance

Showing 2 controls:
Control Title | Control Type | Risk Rating
Monitor users locked for more than 6 months and not deleted | Identity Governance | Medium
SAP – Govern Access to Critical Roles | Identity Governance, IT General Controls, Least Privilege | High

Least Privilege

Showing 65 controls:
Control Title | Control Type | Risk Rating
Basis Archiving Actions – Critical Access | Least Privilege, Segregation of Duties | High
Basis Configuration Actions – Critical Access | Least Privilege, Segregation of Duties | High
Basis Critical Actions – Critical Access | Least Privilege, Segregation of Duties | High
Basis Performance Actions – Critical Access | Least Privilege, Segregation of Duties | High
Monitor dialog users with the number of authorization objects | Least Privilege | Medium
Enabler Roles (Organizational access) with transactions | Least Privilege | High
Monitor accounts having access to Sensitive Data Screens (e.g. BOM) critical transactions | Least Privilege | High
Monitor Critical transactions_usage counts | Least Privilege | High
Monitor critical transactions usage, role assignment, and role_user assignment | Least Privilege | High
Monitor Info Providers containing Company Code only as a characteristic | Least Privilege | High
Monitor Info Providers that do not contain any of the characteristics | Least Privilege | Medium
Monitor Info Providers (with queries) containing characteristics (key fields for security) with company code not a part of selection criteria | Least Privilege | High
Monitor Infocubes secured by Profit Center/Company Code | Least Privilege | Medium
Monitor queries Restricted by Company Code and its Usage in the InfoProviders List | Least Privilege | High
Monitor queries restricted by Company Code/Profit Center and their usage | Least Privilege | High
Monitor queries that are not restricted by ProfitCenter/Company Code | Least Privilege | High
Monitor Roles with selected authorization objects (), Fields(), Values() | Least Privilege | Medium
Monitor Roles with Company Code (BUKRS) and Profit Center as wildcards (*) | Least Privilege | High
Monitor roles with manually inserted authorizations to replace or append to suggested standard | Least Privilege | Medium
Monitor roles with manually inserted authorizations to replace or append to suggested standard authorizations | Least Privilege | Medium
Monitor Roles with * (or pseudo wildcards) | Least Privilege | Medium
Monitor Roles with * (or pseudo wildcards) | Least Privilege | Medium
Monitor Roles with * (or pseudo wildcards) that give complete or excessive access | Least Privilege | Medium
Monitor Roles with organizational access such as postings to legal entities | Least Privilege | Medium
Monitor Roles with the number of unused transactions | Least Privilege | Medium
Monitor Roles with their count of unused transactions | Least Privilege | High
Monitor Roles with wildcard (*) value which provides all levels of access for activity (i.e. create/change/delete etc.) | Least Privilege | Medium
Monitor S2P or R2R roles and accounts with usage | Least Privilege | High
Monitor Source to Pay (S2P or R2R) roles with their child roles or transactions | Least Privilege | High
Monitor transactions associated with more than one role | Least Privilege | Medium
Monitor Transactions not used in the last () days | Least Privilege | Medium
Monitor transactions with their security status | Least Privilege | Medium
Monitor unused transactions with their associated Roles | Least Privilege | Medium
Monitor users and user groups that can process asset write-offs | Least Privilege | High
Monitor users and user groups that can create customer master records | Least Privilege | High
Monitor users and user groups that can create material master records | Least Privilege | High
Monitor users and user groups that can create Vendor master records | Least Privilege | High
Monitor users and user groups that can perform security administration activities – Role Maintenance | Least Privilege | High
Monitor users and user groups that can perform security administration activities – user master maintenance | Least Privilege | High
Monitor users and user groups that can post depreciation | Least Privilege | High
Monitor users and user groups that can process payments to vendors | Least Privilege | High
Monitor users and user groups that can process returns/refunds | Least Privilege | High
Monitor users and user groups that can process Sales Orders | Least Privilege | High
Monitor users and user groups that can create asset master records | Least Privilege | High
Monitor users and user groups that perform invoice processing (from Vendors) | Least Privilege | High
Monitor users and user groups with access to significant financial reporting transactions/financial statements | Least Privilege | High
Monitor users by their positions/titles with Process (OTC/STP/FIN etc.) roles assignment | Least Privilege | High
Monitor users executing reports (Business Intelligence (BI)) | Least Privilege | Medium
Monitor users not in selected user group () having access to transactions () with change/update ability | Least Privilege | High
Monitor users and user groups that approve invoices | Least Privilege | High
Monitor users that approve purchase orders | Least Privilege | High
Monitor users that can post journal entries | Least Privilege | High
Monitor users and user groups that create Bank master data | Least Privilege | High
Monitor users and user groups that can perform treasury operations | Least Privilege | High
Monitor users that process purchase orders | Least Privilege | High
Monitor users who are assigned SAP Standard template Roles | Least Privilege | High
Monitor users with access to high risk SOX critical transactions | Least Privilege | High
Monitor users with access to Joint Ventures Data | Least Privilege | High
Monitor users with access to program maintenance and ABAP workbench | Least Privilege | Critical
Monitor users with access to system administration transactions | Least Privilege | Critical
Monitor users with change permissions in critical authorization objects such as S_PROGRAM, S_DEVELOP, S_TABU_DIS, S_TABU_CLI, S_BTCH_JOB, S_BTCH_ADM | Least Privilege | Critical
Monitor users with Company Code (BUKRS) and Profit Center (PRCTR) as wildcards (*) which allows all levels of access | Least Privilege | High
Monitor users with Security Maintenance transactions | Least Privilege | Critical
Review read only roles with write/execute/change access | Least Privilege | High
Usage history for transaction/s () and or user/s () | Least Privilege | High

Password controls

Showing 2 controls:
Control Title | Control Type | Risk Rating
Monitor accounts that cannot change their password | Password controls | Medium
Monitor all accounts for which password never expires | Password controls | Medium

Process controls

Showing 2 controls:
Control Title | Control Type | Risk Rating
Monitor purchase orders with three way match not activated | Process controls | High
Monitor users with ability to open and close posting periods | Process controls | High

Segregation of Duties

Showing 197 controls:
Control Title | Control Type | Risk Rating
Adjust the AR subsidiary balance using AR payments and then conceal with journal entries | Segregation of Duties | Critical
Adjust the AR subsidiary balance using billing documents and then conceal with journal entries | Segregation of Duties | Medium
Adjust the AR subsidiary balance using cash application and then conceal with journal entries | Segregation of Duties | Medium
Adjust the subsidiary balance using the vendor invoice entry and then cover it up using journal entries | Segregation of Duties | Critical
Allocate costs to unauthorized cost centers | Segregation of Duties | Low
Cost Center Maintenance conflicts with Process Revenue Entries | Segregation of Duties | Medium
Cost Center Maintenance conflicts with Process Cost Transfers | Segregation of Duties | Medium
Alter Activity Type conflicts with Cost Allocation | Segregation of Duties | Low
Approve Purchase Order conflicts with Create Material | Segregation of Duties | Medium
Approve Purchase Order conflicts with Payables Payments | Segregation of Duties | High
Approve Purchase Orders conflicts with Payables Invoices | Segregation of Duties | High
Approve Purchase Orders conflicts with Receive Goods and Services | Segregation of Duties | High
Customer Account Maintenance conflicts with Receivables Transactions | Segregation of Duties | High
Archiving conflicts with Client Administration | Segregation of Duties | Medium
Archiving conflicts with Configuration | Segregation of Duties | Medium
Archiving conflicts with System Administration | Segregation of Duties | Medium
Archiving conflicts with Transport Administration | Segregation of Duties | Medium
Basis Development conflicts with Client Administration | Segregation of Duties | Medium
Basis Development conflicts with Configuration | Segregation of Duties | High
Basis Development & System Administration | Segregation of Duties | Critical
Basis Development & Transport Administration | Segregation of Duties | High
Basis Security Actions | Segregation of Duties | High
Basis Table Maintenance & Client Administration | Segregation of Duties | High
Basis Table Maintenance & System Administration | Segregation of Duties | High
Basis Utilities & Client Administration | Segregation of Duties | Medium
Basis Utilities & Configuration | Segregation of Duties | High
Basis Utilities & System Administration | Segregation of Duties | Medium
Basis Utilities & Transport Administration | Segregation of Duties | High
Can hide differences between bank payments & posted AP records | Segregation of Duties | High
Change config of payroll then modify payroll master data | Segregation of Duties | High
Change configuration of payroll then process payroll | Segregation of Duties | High
Change customer master and enter inappropriate invoice | Segregation of Duties | High
Change HR Benefits and process payroll without authorization | Segregation of Duties | High
Change payroll and processing payroll without authorization | Segregation of Duties | High
Change payroll config and maintain payroll settings | Segregation of Duties | High
Change rebate agmt and change master record in cust favor | Segregation of Duties | High
Change the customer master file and modify cash received | Segregation of Duties | High
Changing payroll master data and modifying PD Structure | Segregation of Duties | High
Chg credit limit of marginal cust & manage SOs in its favor | Segregation of Duties | High
Clear balance and change billing doc for same customer | Segregation of Duties | High
Cover up shipment by maintaining a fictitious sales doc | Segregation of Duties | High
Create a credit memo then clear the customer to prompt a payment | Segregation of Duties | High
Create a manual check and perform bank reconciliation | Segregation of Duties | High
Create an invoice via ERS GR & hide via asset depreciation | Segregation of Duties | High
Create billing and inappropriately post payment | Segregation of Duties | High
Create fictitious vendor and initiate payment to the vendor | Segregation of Duties | High
Create fictitious vendor invoice and initiate manual checks for it | Segregation of Duties | High
Create fictitious vendor invoice and initiate payment for it | Segregation of Duties | High
Create or change a PO to contain an invalid service | Segregation of Duties | Medium
Create PO to contain an invalid material | Segregation of Duties | Medium
Create Transport & Perform Transport | Segregation of Duties | High
Cross Application Master Data | Segregation of Duties | High
Customer Credit Information conflicts with Receivables Receipts | Segregation of Duties | High
Enter and approve time which could result in fraudulent payroll amounts | Segregation of Duties | High
Enter false time data and modify payroll configuration | Segregation of Duties | High
Enter fictitious sales rebate and render fictitious payment | Segregation of Duties | High
Enter Purch Agreements & create/modify fictitious Vendor | Segregation of Duties | High
Enter Purchasing Agreement and adjust the inventory | Segregation of Duties | Medium
Enter Purchasing Agreement and adjust the inventory | Segregation of Duties | Medium
Enter Purchasing Agreement and adjust the inventory | Segregation of Duties | Medium
Enter Purchasing Agreements and then render a manual check for payment | Segregation of Duties | High
Enter Purchasing Agreements and the rendering of payment | Segregation of Duties | High
Enter sales documents and give sales rebates | Segregation of Duties | Medium
Enter sales documents and lower prices for fraudulent gain | Segregation of Duties | High
Enter sales invoices and approve credit limits | Segregation of Duties | High
Enter unauth payment and perform bank reconciliation | Segregation of Duties | High
Enter vendor invoices and accept services | Segregation of Duties | Medium
Entering false time data and maintaining PD Structure | Segregation of Duties | High
Finance Archiving | Segregation of Duties | High
Finance Critical Actions | Segregation of Duties | High
Finance Master Data | Segregation of Duties | High
Hide cash deposited and cash collections differences | Segregation of Duties | High
Hide IM inventory adjustments via ledger entries | Segregation of Duties | Medium
Hide inventory by not fully receiving order but invoicing | Segregation of Duties | High
Hide powerful IM inventory adjustments via ledger entries | Segregation of Duties | Medium
Hide WM inventory adjustments via ledger entries | Segregation of Duties | Medium
HR Critical Actions | Segregation of Duties | High
HR Master Data | Segregation of Duties | High
Inc production to reduce cost var due to productivity loss | Segregation of Duties | Low
Increase production to reduce cost variances | Segregation of Duties | Critical
Initiate a payment by creating fictitious credit memos | Segregation of Duties | High
Maintain a fictitious customer and initiate a payment | Segregation of Duties | High
Maintain a fictitious vendor and direct disbursements to it | Segregation of Duties | High
Maintain a fictitious vendor and initiate purchase to vendor | Segregation of Duties | High
Maintain a fictitious vendor and process manual checks to it | Segregation of Duties | High
Maintain a purch agreement and release a related requisition | Segregation of Duties | Medium
Maintain a sales doc and generate a billing doc for it | Segregation of Duties | High
Maintain an asset and manipulate the receipt of the asset | Segregation of Duties | High
Maintain an invoice and enter or change payments against it | Segregation of Duties | High
Maintain asset and capitalize or add costs to master record | Segregation of Duties | Critical
Maintain bank account and create manual checks against it | Segregation of Duties | High
Maintain bank account and divert incoming payments | Segregation of Duties | High
Maintain bank account and post a payment from it | Segregation of Duties | High
Maintain bank account and post a payment from it | Segregation of Duties | High
Maintain customer master records and post fraudulent payments | Segregation of Duties | High
Maintain deliveries and enter payments against them | Segregation of Duties | High
Maintain fictitious customer and initiate orders | Segregation of Duties | High
Maintain fictitious customer and issue invoices to the customer | Segregation of Duties | High
Maintain fictitious GL account & hide activity via currency or tax postings | Segregation of Duties | Medium
Maintain fictitious GL account & hide activity via postings | Segregation of Duties | Medium
Maintain fictitious vendor and approve purchases to vendor | Segregation of Duties | High
Maintain material mstr & add items to purch agmts | Segregation of Duties | Medium
Maintain Number Ranges & System Administration | Segregation of Duties | High
Maintain PO & accept the services through svc acceptance | Segregation of Duties | Medium
Maintain PO and release a previously blocked Invoice | Segregation of Duties | Medium
Maintain purchase orders and release or approve | Segregation of Duties | High
Maintain Purchasing agreement and create Invoices | Segregation of Duties | High
Maintain sales docs and post cust payment inappropriately | Segregation of Duties | Medium
Maintain sales docs and process or enter an incorrect invoice | Segregation of Duties | High
Maintain sales document and immediately clear customer's obligation | Segregation of Duties | High
Maintain schemas for payroll and maintain time data | Segregation of Duties | High
Maintain service or material mstr & add items to purch agmts | Segregation of Duties | Medium
Maintaining roles or profiles and assigning roles to users | Segregation of Duties | High
Maintaining Time Data and performing payroll maintenance | Segregation of Duties | High
Manipulate cc reports to hide inappropriate journal entries | Segregation of Duties | Medium
Manipulate cc reports to hide inappropriate tax or currency entries | Segregation of Duties | Medium
Manipulate credit limit and assign rebates | Segregation of Duties | High
Master data & remittance could result in fraudulent payments | Segregation of Duties | High
Materials Management Archiving | Segregation of Duties | High
Materials Management Critical Actions | Segregation of Duties | High
Modify material master data and create/change a material req | Segregation of Duties | Medium
Modify payroll master data and enter time data | Segregation of Duties | High
Modify payroll master data and perform payroll maintenance | Segregation of Duties | High
Modify payroll master data and then process payroll | Segregation of Duties | High
Modify Purch agmnts and receive goods for fraudulent purpose | Segregation of Duties | High
Modify Purch Agmnts and release a previously blocked Invoice | Segregation of Duties | Medium
Modify Service Master and create a req for the service | Segregation of Duties | Medium
Modify service master and release a req for the service | Segregation of Duties | Medium
Modify service master data and enter a manual check to cover payment | Segregation of Duties | High
Modify service master data and enter covering payment | Segregation of Duties | High
Modify time data and process payroll without authority | Segregation of Duties | High
Move stock to GR to meet delivery schedule | Segregation of Duties | Low
Open closed period & receive or issue goods after month end | Segregation of Duties | Medium
Open closed periods and inappropriately post currency or tax entries | Segregation of Duties | Medium
Open closed periods and inappropriately post entries | Segregation of Duties | Medium
Open closed periods and post manual checks after month end | Segregation of Duties | Medium
Open closed periods and post payments after month end | Segregation of Duties | Medium
Open closed periods previously enter incoming payments | Segregation of Duties | Medium
Pay a vendor invoice and hide it via asset depreciation | Segregation of Duties | High
Perform time evaluations and maintain time data | Segregation of Duties | Medium
Perform time evaluations and modify PD structure | Segregation of Duties | Medium
Perform time evaluations and perform payroll maintenance | Segregation of Duties | Medium
Perform time evaluations and process payroll | Segregation of Duties | Medium
Perform time evaluations and work schedule evaluations | Segregation of Duties | Medium
Plant Maintenance Master Data | Segregation of Duties | High
Post overhead expenses and settle project without approvals | Segregation of Duties | High
Procure an item and adjust via inventory count | Segregation of Duties | High
Procure an item and adjust via inventory count | Segregation of Duties | High
Procure an item and adjust via inventory count | Segregation of Duties | High
Procurement Archiving | Segregation of Duties | High
Procurement Critical Actions | Segregation of Duties | High
Production Order Processing & Confirmation | Segregation of Duties | Low
Production Planning Archiving | Segregation of Duties | High
Project Systems Archiving | Segregation of Duties | High
Project Systems Master Data | Segregation of Duties | High
Purch unauth items and hide by not fully receiving order | Segregation of Duties | High
Purch unauthorized items and enact payment for them | Segregation of Duties | High
Purch unauthorized items and initiate payment by invoicing | Segregation of Duties | High
Purch unauthorized items and pay with manual check | Segregation of Duties | High
Purchase Order Approval conflicts with Adjust Inventory Count | Segregation of Duties | High
Purchase Order Approval conflicts with Enter Goods and Services | Segregation of Duties | Medium
Purchase Order Approval conflicts with Release Invoices | Segregation of Duties | Medium
Purchase Order Approval conflicts with Service Acceptance | Segregation of Duties | Medium
Receive goods for PO and release blocked Invoices | Segregation of Duties | Medium
Receive/issue incorrect amount and adjust via IM stock count | Segregation of Duties | High
Receive/issue incorrect amount and adjust via powerful IM stock count | Segregation of Duties | High
Receive/issue incorrect amount and adjust via WM stock count | Segregation of Duties | High
Receive or accept service and enter covering payments | Segregation of Duties | High
Receive or accept service and enter manual payment to cover | Segregation of Duties | High
Receive services and release blocked invoice to offset receipt | Segregation of Duties | Medium
Release a requisition and generate the accompanying PO | Segregation of Duties | Medium
Release an order and initiate payment | Segregation of Duties | High
Release produced matls to GR stock to meet prod quota | Segregation of Duties | Medium
Remove material by adjusting out via IM physical inv | Segregation of Duties | Medium
Remove material by adjusting out via powerful IM physical inv | Segregation of Duties | Medium
Remove material by adjusting out via WM physical inv | Segregation of Duties | Medium
Requisition an item and create a PO from that req | Segregation of Duties | Medium
Requisition an item and then release a requisition | Segregation of Duties | Medium
Risk of Sales Price modifications for Sales invoicing | Segregation of Duties | High
Risk of sales price modifications for sales invoicing | Segregation of Duties | High
Sales & Distribution Archiving | Segregation of Duties | High
Sales & Distribution Master Data | Segregation of Duties | High
Sales documents entered and released by the same person | Segregation of Duties | Medium
Security Administration & Client Administration | Segregation of Duties | High
Security Administration & Transport Administration | Segregation of Duties | High
Settle expenses from an unauthorized order | Segregation of Duties | Low
The automated controls for invoicing can be circumvented. Invoices are usually blocked due to price or quantity differences. | Segregation of Duties | Medium
Use fictitious project/WBS to allocate overages | Segregation of Duties | High
Use fictitious project/WBS to post overhead expenses | Segregation of Duties | High
Users can create a fictitious trade and fraudulently confirm or exercise the trade | Segregation of Duties | High
Vendor Pricing and A/P payments could result in fraudulent payments being made to the vendor. | Segregation of Duties | Medium
Vendor Pricing and Manual Check Processing could result in fraudulent payments being made to the vendor. | Segregation of Duties | Medium
Vendor Pricing and PO Approval could result in fraudulent payments being made to the vendor. | Segregation of Duties | Medium
Vendor Pricing and Processing Vendor Invoices could result in fraudulent payments being made to the vendor. | Segregation of Duties | Medium
Vendor Pricing and Releasing Blocked Invoices could result in fraudulent payments being made to the vendor. | Segregation of Duties | Medium
Vendor Pricing and Releasing Requisitions could result in fraudulent payments being made to the vendor. | Segregation of Duties | Medium
Vendor Pricing and Requisitioning could result in fraudulent payments being made to the vendor. | Segregation of Duties | Medium