Risk ID Risk Level A001 High A002 High A003 High A008 High B002 High B004 High B006 High B008 High B009 High B010 High B011 High B012 High B017 High
B018 High B019 High D003 High D004 High D005 High D006 High D007 High D008 High D009 High D010 High D011 High D013 High D014 High D015 High D016 High D017 High D018 High D019 High E001 High E002 High E003 High
E004 High E005 High E010 High E011 High E012 High E013 High E014 High E015 High E019 High E020 High E021 High E022 High E023 High E024 High F005 High F006 High F007 High F008 High F013 High F014 High F015 High F016 High F017 High F025 High F027 High
G001 High G002 High G003 High G004 High G005 High G006 High G007 High G008 High G009 High G010 High G011 High G012 High G013 High G014 High
H001 High H002 High H003 High H004 High H005 High H006 High H007 High H008 High H009 High H010 High H011 High H012 High H013 High H014 High H015 High H016 High M006 High M011 High M012 High P001 High P002 High P003 High P004 High P005 High P006 High P007 High P008 High
P011 High P014 High P016 High P019 High P020 High P021 High P022 High P023 High P026 High P027 High P028 High P029 High P030 High P038 High P045 High P046 High P047 High P048 High P051 High P052 High P053 High P054 High P055 High P056 High P057 High
P058 High P059 High S001 High S002 High S003 High S004 High S005 High S006 High S007 High S008 High S010 High S011 High S012 High S013 High S014 High S015 High S016 High S017 High S018 High S019 High S022 High S023 High S024 High S025 High S026 High S027 High
S028 High
Description of Risk Tc AO02 AO03 AO04 AO09 BS02 BS02 BS04 BS04 BS03 BS03 BS10 BS10 BS07 Unauthorized maintenance of planning model and version may adversely impact
the production planning data stored in APO. This transaction should be limited to selected demand planning super user or manager.
Unauthorized deletion of active planning version may adversely impact the production planning data stored in APO. This transaction should be limited to selected demand planning super user or manager.
Unauthorized maintenance of planning model and version may adversely impact the production planning data stored in APO. This transaction should be limited to selected demand planning super user or manager.
Access to maintain macros/rules should be controlled via change management process. Unsupported or incorrect adjustments are made to the macros/rules may result in inaccurate production planning and production scheduling.
A developer could modify an existing program in production, perform traces to the program and configure the production environment to limit monitoring of the program run by increasing alarm thresholds and eliminating audit trails through external OS comma
A developer could create or modify a program in production and force the transport of these changes after the fact to conceal irregular development practices. This also enables the reverting back to the program's original version without any trace of the changes made in production.
A developer could modify program components (menus, screen layout, messages, queries) and configure the production environment to limit monitoring of the program runs using the modified program components by increasing alarm thresholds and eliminating audit trail
A developer could modify program components (menus, screen layout, messages, queries) and force the transport of these changes after the fact to conceal irregular development practices. This also enables the reverting back to the program components origin
An individual could modify data in tables or modify valid configuration values and setup the production environment to run transactions and programs using the inappropriately modified data. This could affect data integrity, system performance, and proper
An individual could modify data in tables or change valid configuration and replicate these changes to other clients. This is particularly sensitive if client administration transactions come with client-independent authorization allowing the developer to
An individual could inappropriately modify roles and assignments and reflect this change to the production's mirror copy eliminating the chance to revert to the appropriate setup.
A security administrator could make inappropriate changes to unauthorized security roles, transport them, and assign them to a fictitious user for execution. Can create transports, add objects to the transport, and move the transport: Can put unauthorized object changes into production, bypassing the Change Control process.
Can reset the number ranges (1) and delete your log/audit trail (2). BS08 BS13 CR03
A user could create a fictitious sales order to cover up an unauthorized shipment. CR04 CR04 CR04 CR05 CR07 AR05 CR06 CR06 CR08 CR08 AR07 CR04 CR02 CR05 CR04 SR01 Purchase unauthorized items and prompt the payment by invoicing SR02 SR02 One person controlling both the access in the profile/role and the user Ids
increases the risk of inappropriate access
A user could create a fictitious business partner and initiate fraudulent sales orders for that partner. Master data such as business partners should not be maintained by the same users who process transactions using that master data.
Inappropriately create or change sales documents and generate the corresponding billing document in CRM.
Inappropriately create or change sales documents and generate the corresponding billing document in R3.
Enter fictitious service orders for personal use and accept the services through service acceptance. The user could prompt fraudulent payments. In addition spare parts could be fraudulently issued from inventory as a result of the confirmation.
User can create a fictitious business partner and then process billing in CRM for that partner.
User can create a fictitious business partner and then process billing in R3 for that partner.
Inappropriately accept or confirm a service order and generate a corresponding billing document in CRM for the order.
Inappropriately accept or confirm a service order and generate a corresponding billing document in R3 for the order.
User could create a fictitious credit memo and run billing due in CRM to prompt a payment to a customer. The customer could provide a kickback to the internal user.
User could create a fictitious credit memo and run billing due in R3 to prompt a payment to a customer. The customer could provide a kickback to the internal user.
Pricing conditions could be manipulated to provide inappropriate discounts or incentives to customers which will be realized in an incorrect invoice.
A user could enter a sales order in CRM and lower prices via conditions for fraudulent gain
Commission or Incentives may be paid based on the number of qualified leads. Inappropriately qualified leads could result in fraudulent commission payments. Commission or Incentives may be paid based on the number of service orders. Fraudulent orders could be entered to achieve higher sales for commissions. Commission or Incentives may be paid based on the number of sales orders. Fraudulent orders could be entered to achieve higher sales reporting for commissions.
Maintain a fictitious vendor and enter an invoice to be included in the automatic payment run
Enter fictitious orders for personal use and accept the goods or services through goods receipt or service acceptance
SR03
Maintain a fictitious vendor and initiate purchases to that vendor. SR01 A user can hide differences between bank payments and posted AP records. FI03
SR06 SR06 SR06 SR02 SR02 SR07 SR02 SR01 SR02 SR01 SR08 Create a non bona-fide bank account and create a check from it. FI04 Pay an invoice and hide it in an asset that would be depreciated over time. FA01
FA01 AR02 Create the asset and manipulate the receipt of the associated asset. FA02
PS02 PS01
PS01
Maintain a non bona-fide bank account and divert incoming payments to it. FI04 Create a non bona-fide bank account and create manual checks from it FI04 Users can create a fictitious trade and fraudulently confirm or exercise the trade FI08 Enter fictitious invoices and accept goods or services via goods receipt or service
acceptance
Accept goods via SRM goods receipts and perform a WM physical inventory adjustment afterwards.
Accept goods via SRM goods receipts and perform IM physical inventory adjustment afterwards.
Accept goods via SRM goods receipts and perform IM physical inventory adjustment afterwards using powerful IM transactions
Enter fictitious orders for personal use and access the goods or services through goods receipt
Enter fictitious orders for personal use and access the goods or services through service acceptance
Approve the purchase of unauthorized goods and hide the misuse of inventory by not fully receiving the order in R3
Where release strategies are utilized, the same user should not maintain the purchase order and release or approve it.
Create a fictitious vendor or change existing vendor master data and approve purchases to this vendor
Enter fictitious orders for personal use and manipulate the organizational structure to bypass approvals
Create or maintain fictitious vendor and manipulate the organizational structure to bypass approvals or secondary checks
Initiate purchases to selecting goods to be included in a shopping cart then approving the purchase
Create an invoice through ERS goods receipt and hide it in an asset that would be depreciated over time.
Allows differences between cash deposited and cash collections posted to be covered up
Post overhead expenses to the project and settle the project without going through the settlement approval process.
Use a fictitious project to allocate overages of an actual project, and settle the project without going through the settlement approval process.
Manipulate the work breakdown structure elements (profit centers, business areas, cost centers, plants) and post overhead expenses to the project
EC01 EC01 EC01 EC01 EC01 EC01 EC01 EC01 EC01 EC01 EC01 EC01 EC01 EC01 AP/AR/GL master data creation and posting functions in conjunction with
payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output
AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output
AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output
AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output
AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output
AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output
AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output
AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output
AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output
AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output
AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output
AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output
AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output
AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output
HR03
HR01 PY07 Change payroll master data and enter time data applied to incorrect settings. HR04 Modify time data and process payroll resulting in fraudulent payments HR04 PY02 HR03
Change payroll master data and modify PD Structure HR05
Enter false time data and perform payroll maintenance. HR04 Change payroll and process payroll without proper authorization. PY03 Change payroll configuration and perform maintenance on payroll settings. PY02 Modify payroll configuration and enter false time data. HR04
Enter false time data and maintain PD structure HR04
HR03
HR03
Users may enter false time data and perform work schedule evaluations PY06 MM04 MM04 MM04 Maintain a fictitious vendor and enter a Vendor invoice for automatic payment PR01 Maintain a fictitious vendor and create a payment to that vendor AP01 Enter fictitious vendor invoices and then render payment to the vendor AP02 Purchase unauthorized items and initiate payment by invoicing PR02 PR02 Enter fictitious vendor invoices and accept the goods via goods receipt AP02 Enter a fictitious purchase order and enter the covering payment PR02 Create a fictitious vendor and initiate purchases to that vendor PR01 Modify payroll master data and then process payroll. Potential for fraudulent
activity.
Change employee HR Benefits then process payroll without authorization. Potential for fraudulent activity.
Change to master data and creating the remittance could result in fraudulent payments.
Change configuration of payroll then process payroll resulting in fraudulent payments
Change configuration of payroll then modify payroll master data resulting in fraudulent payments
Users may enter false time data and process payroll resulting in fraudulent payments.
Users may maintain employee master data including pay rates and delete the payroll result
Accept goods via goods receipts and perform a WM physical inventory adjustment afterwards.
Accept goods via goods receipts and perform an IM physical inventory adjustment afterwards.
Accept goods via goods receipts and perform an IM physical inventory adjustment afterwards.
Enter fictitious purchase orders for personal use and accept the goods through goods receipt
PR02 Can hide differences between bank payments & posted AP records FI03 Receive or accept services and enter the covering payments PR08
PR04 PR04 PR04 PR04
PR04 Enter fictitious purchasing agreements and then render payment AP01 PR01
Modify purchasing agreements and then receive goods for fraudulent purposes. PR05 AP02 AP01 AP01 PR02 PR02 PR04 PR04
Maintain a fictitious vendor and create a payment to that vendor AP04 Enter fictitious vendor invoices and then render payment to the vendor AP02 Enter a fictitious purchase order and enter the covering payment PR02 Receive or accept services and manually enter the covering check payments PR08 PR04
AP04 AP04 Inappropriately procure an item and manipulating the IM physical inventory
counts to hide.
Approve the purchase of unauthorized goods and hide the misuse of inventory by not fully receiving the order
Commit the company to fraudulent purchase contracts and initiate payment for unauthorized goods and services.
Release a non bona-fide purchase order and initiate payment for the order by entering invoices
Release a non bona-fide purchase order and the action remain undetected by manipulating the IM physical inventory counts
Create a fictitious vendor or change existing vendor master data and approve purchases to this vendor
Risk of entry of fictitious Purchasing Agreements and the entry of fictitious Vendor or modification of existing Vendor especially account data.
Enter unauthorized items to a purchasing agreement and create an invoice to obtain those items for personal use
Risk of modifying service master data (to add a service that is normally not ordered by the company) and the entry of covering payments
Risk of entering unauthorized payments and reconcile with the bank through the same person.
Inappropriately procure an item and manipulating the IM physical inventory counts to hide.
Inappropriately procure an item and manipulating the WM physical inventory counts to hide.
Release a non bona-fide purchase order and the action remain undetected by manipulating the IM physical inventory counts
Release a non bona-fide purchase order and the action remain undetected by manipulating the WM physical inventory counts
Commit the company to fraudulent purchases and initiate manual check payments for unauthorized goods and services.
Enter fictitious purchasing agreements and then render manual checks for payment
Risk of modifying service master data (to add a service that is normally not ordered by the company) and the entry of covering payments
AP04 PR02 Enter or modify sales documents and approve customer credit limits AR04 Create sales documents and immediately clear customer's obligation SD05 Create a fictitious customer and initiate fraudulent sales document SD05 SD01 SD01 AR03 SD05 AR04 AR02
Create a fictitious customer and initiate payment to the unauthorized customer. SD01 AR06 AR02 Cover up unauthorized shipment by creating a fictitious sales documents SD05
Sales price modifications for sales invoicing. AR07
Enter sales documents and lower prices for fraudulent gain SD05 AR04 Enter a fictitious sales rebates and then render fictitious payments. AR02 AR02
AR07 Risk of Sales Price modifications for Sales invoicing. AR05 Maintain a customer master record and post a fraudulent payment against it SD01 User can create a fictitious customer and then issue invoices to the customer. SD01 AR02 SD02 Risk of entering unauthorized manual payments and reconcile with the bank
through the same person.
Where release strategies are utilized, the same user should not maintain the purchase order and release or approve it.
Make an unauthorized change to the master record (payment terms, tolerance level) in favor of the customer and enter an inappropriate invoice.
Inappropriately create or change rebate agreements and manage a customer's master record in the favor of the customer. Could also change a customer's master record to direct payment to an inappropriate location.
Potentially clear a customer's balance before and create or make the same change to the billing document for the same customer, clearing them of their obligation.
Inappropriately create or change a sales documents and generate a corresponding billing document for it.
Manipulate the user's credit limit and assign generous rebates to execute a marginal customer's order.
Create a billing document for a customer and inappropriately post a payment from the same customer to conceal non-payment.
Initiate an unauthorized payment to the customer by entering fictitious credit memos.
Change the accounts receivable records to cover differences with customer statements.
Perform credit approval function and modify cash received for fraudulent purposes.
Risk of the same person entering changes to the Customer Master file and modifying the Cash Received for the customer.
Risk of modifying and entering Sales Invoices and approving Credit Limits by the same person.
User can create/change an invoice and enter/change payments against the invoice.
User can create fictitious/incorrect delivery and enter payments against these, potentially misappropriating goods.
SD05
Create a credit memo then clear the customer to prompt a payment. AR03 User able to create a fraudulent sales contract to include additional goods and
Function 1 Tc Function 2 Tc
APO Maintain Model AO01 APO Supply & Demand Planning
APO Model & Version Management AO01 APO Supply & Demand Planning
APO active version) AO01 APO Supply & Demand Planning
APO Define Advanced Macros AO01 APO Supply & Demand Planning
Basis Development BS06 Configuration
Basis Development BS12 Transport Administration
Basis Utilities BS06 Configuration
Basis Utilities BS12 Transport Administration
Basis Table Maintenance BS11 System Administration
Basis Table Maintenance BS05 Client Administration
Security Administration BS05 Client Administration
Security Administration BS12 Transport Administration
Maintain Number Ranges BS11 System Administration Maintain User Master BS14 Maintain Profiles / Roles Maintain Business Partner CR04 Process CRM Sales Order
Process CRM Sales Order SD02 Delivery Processing Process CRM Sales Order CR07 CRM Billing
Process CRM Sales Order AR05 Maintain Billing Documents Service Order Processing CR06 Service Confirmation
CRM Billing CR03 Maintain Business Partner
Maintain Billing Documents CR03 Maintain Business Partner
Service Confirmation CR07 CRM Billing
Service Confirmation AR05 Maintain Billing Documents
Process Credit Memo CR07 CRM Billing
Process Credit Memo AR05 Maintain Billing Documents
Process Customer Invoices CR09 Maintain Conditions
Process CRM Sales Order CR09 Maintain Conditions Maintain Opportunity PY04 Process Payroll
Service Order Processing PY04 Process Payroll
Process CRM Sales Order PY04 Process Payroll
EBP / SRM Vendor Master SR03 EBP / SRM Invoicing EBP / SRM Purchasing SR03 EBP / SRM Invoicing
EBP / SRM Purchasing SR04 EBP / SRM Goods Receipt/Service Acceptance
EBP / SRM Invoicing SR04
EBP / SRM Vendor Master SR02 EBP / SRM Purchasing Bank Reconciliation SR03 EBP / SRM Invoicing
MM07 Enter Counts - WM MM08
MM02 Enter Counts - IM MM01
MM03 Enter Counts & Clear Diff - IM
EBP / SRM Purchasing MM05 Goods Receipts to PO EBP / SRM Purchasing PR08 Service Acceptance EBP / SRM PO Approval MM05 Goods Receipts to PO EBP / SRM Purchasing SR07 EBP / SRM PO Approval EBP / SRM Vendor Master SR07 EBP / SRM PO Approval
EBP / SRM Purchasing SR09 EBP / SRM Maintain Org Structure EBP / SRM Vendor Master SR09 EBP / SRM Maintain Org Structure
EBP / SRM Maintain Shopping Cart SR07 EBP / SRM PO Approval Maintain Bank Master Data AP01 AP Payments
Maintain Asset Document AP02 Process Vendor Invoices Maintain Asset Document MM05 Goods Receipts to PO
Cash Application FI03 Bank Reconciliation
Maintain Asset Master MM05 Goods Receipts to PO Process Overhead Postings PS03 Settle Projects
PS03 Settle Projects
PS02 Process Overhead Postings
Maintain Bank Master Data AR02 Cash Application
Maintain Bank Master Data AP04 Manual Check Processing Create / Change Treasury Item FI09 Confirm a Treasury Trade
EBP / SRM Goods Receipt/Service Acceptance
EBP / SRM Goods Receipt/Service Acceptance
EBP / SRM Goods Receipt/Service Acceptance
EBP / SRM Goods Receipt/Service Acceptance
Maintain Projects and WBS Elements
Maintain Projects and WBS Elements
Maintain Hierarchies AP01 AP Payments
Maintain Hierarchies AP02 Process Vendor Invoices
Maintain Hierarchies AP04 Manual Check Processing
Maintain Hierarchies AR02 Cash Application
Maintain Hierarchies AR07 Process Customer Invoices
Maintain Hierarchies CC03 Maintain Cost Centers
Maintain Hierarchies FA01 Maintain Asset Document
Maintain Hierarchies FA02 Maintain Asset Master
Maintain Hierarchies FI01 Revenue Reposting
Maintain Hierarchies GL01 Post Journal Entry
Maintain Hierarchies GL02 Maintain GL Master Data
Maintain Hierarchies GL03
Maintain Hierarchies PR01 Vendor Master Maintenance
Maintain Hierarchies SD01 Maintain Customer Master Data Post Journal Entry (misc Tax/Currency)
PY04 Process Payroll
HR Benefits PY04 Process Payroll
3rd Party Remittance HR02 HR Vendor Data
Maintain Time Data PY01 Approve Time
Maintain Time Data PY04 Process Payroll
Maintain Payroll Configuration PY04 Process Payroll
PY02 Maintain Payroll Configuration
Modify PD Structure HR03
Maintain Time Data PY03 Payroll Maintenance Payroll Maintenance PY04 Process Payroll Maintain Payroll Configuration PY03 Payroll Maintenance
Maintain Time Data PY02 Maintain Payroll Configuration Maintain Time Data HR05 Modify PD Structure
HR04 Maintain Time Data
PY03 Payroll Maintenance
Payroll Schemas HR04 Maintain Time Data
Goods Movements MM07 Enter Counts - WM MM08
Goods Movements MM02 Enter Counts - IM MM01
Goods Movements MM03 Enter Counts & Clear Diff - IM Vendor Master Maintenance AP02 Process Vendor Invoices
AP Payments PR01 Vendor Master Maintenance
Process Vendor Invoices AP01 AP Payments
Maintain Purchase Order AP02 Process Vendor Invoices Maintain Purchase Order MM05 Goods Receipts to PO Process Vendor Invoices MM05 Goods Receipts to PO Maintain Purchase Order AP01 AP Payments
Vendor Master Maintenance PR02 Maintain Purchase Order Maintain Employee (PA) Master
Data - 0008 - 0009 (
Maintain Employee (PA) Master Data - 0008 - 0009 (
Maintain Employee (PA) Master Data - 0008 - 0009 (
Maintain Employee (PA) Master Data - 0008 - 0009 (
Maintain Employee (PA) Master Data - 0008 - 0009 (
Maintain Purchase Order MM03 Enter Counts & Clear Diff - IM Bank Reconciliation AP02 Process Vendor Invoices
Service Acceptance AP01 AP Payments
PO Approval MM05 Goods Receipts to PO
PO Approval AP01 AP Payments
PO Approval AP02 Process Vendor Invoices
PO Approval MM02 Enter Counts - IM MM01
PO Approval PR01 Vendor Master Maintenance
AP Payments PR05 Purchasing Agreements
Vendor Master Maintenance PR05 Purchasing Agreements
Purchasing Agreements MM05 Goods Receipts to PO Process Vendor Invoices PR05 Purchasing Agreements
AP Payments PR03 Service Master Maintenance
AP Payments FI03 Bank Reconciliation
Maintain Purchase Order MM02 Enter Counts - IM MM01
Maintain Purchase Order MM07 Enter Counts - WM MM08
PO Approval MM03 Enter Counts & Clear Diff - IM
PO Approval MM07 Enter Counts - WM MM08
Manual Check Processing PR01 Vendor Master Maintenance Process Vendor Invoices AP04 Manual Check Processing Maintain Purchase Order AP04 Manual Check Processing Service Acceptance AP04 Manual Check Processing
PO Approval AP04 Manual Check Processing
Manual Check Processing PR05 Purchasing Agreements Manual Check Processing PR03 Service Master Maintenance
Manual Check Processing FI03 Bank Reconciliation Maintain Purchase Order PR04 PO Approval
Credit Management SD05 Sales Order Processing Sales Order Processing AR03 Clear Customer Balance Sales Order Processing SD01 Maintain Customer Master Data Maintain Customer Master Data AR07 Process Customer Invoices
Maintain Customer Master Data SD03 Sales Rebates
Clear Customer Balance AR05 Maintain Billing Documents
Sales Order Processing AR05 Maintain Billing Documents
Credit Management SD03 Sales Rebates
Cash Application AR05 Maintain Billing Documents
Maintain Customer Master Data AR01 AR Payments Process Customer Credit Memos AR01 AR Payments
Cash Application SD04 Sales Document Release
Sales Order Processing SD02 Delivery Processing Process Customer Invoices SD06 Sales Pricing Condition Sales Order Processing SD06 Sales Pricing Condition
Credit Management AR02 Cash Application
Cash Application SD03 Sales Rebates
Cash Application SD01 Maintain Customer Master Data
Process Customer Invoices AR04 Credit Management Maintain Billing Documents SD06 Sales Pricing Condition Maintain Customer Master Data AR03 Clear Customer Balance Maintain Customer Master Data AR05 Maintain Billing Documents Cash Application AR07 Process Customer Invoices Delivery Processing AR02 Cash Application
Sales Order Processing AR07 Process Customer Invoices
Clear Differences - WM
Clear Differences - Inventory Management
Clear Differences - WM
Clear Differences - Inventory Management
Clear Differences - WM
Clear Differences - WM
Clear Differences - Inventory Management
Clear Differences - Inventory Management
