#
SAPAuthorization
#
SAPCompliance
This guide will walk you through the process of creating an SAP QuickViewer Report (SAP standard transaction SQVI) to identify Segregation of Duties (SoD) conflicts on the document level.
So the analysis is not on the level of user authorization (CAN DO), but actually will detect documents that were created violating a SoD rule, with an associated business risk (DID DO).
This blog post is therefore further detailing our previous blog (<-link to other blog about the webinar) and our recent webinar on ACCESS VIOLATION MANAGEMENT: MITIGATING CONTROLS FOR RISKS IN SAP GRC.
This is a useful tool for SAP authorization consultants, internal auditors, and even business users, to detect and mitigate business risks associated with a lack of segregation of duties.
This analysis is a simple and quick analysis, but it can have false negative results, i.e. some cases are not covered by this approach:
The tables used in this example store the user name of the user who created the document and vendor. Later changes are recorded in change documents and not considered in this simple analysis.
See also the remarks in our webinar, and we will follow up on this issue in one of our next blogs.
Here we are looking at the case where a user both created a vendor and created a purchase order (PO). The risks is that a user creates a bogus vendor and with the PO requests unauthorized goods that the company will pay.
The conflict detection will be based on two SAP tables: LFA1 (Vendor Master) and EKKO (PO Header).
Prerequisites
Our White Paper explains how using robust controls and automation, organizations can better manage fraud risks, comply with regulations, improve operational efficiency, and save substantial costs.
After defining the join between the LFA1 (Vendor Master) and EKKO (Purchase Order Header) tables, the next step is to select which fields will appear in your query output. Here's a step-by-step breakdown:
Selection criteria allow users to narrow down the data they want to view by applying filters. For example, a user may want to see records for a specific date range or check records created by a specific user.
With these additional details, your query will be more flexible and usable by a variety of users with different requirements for SoD conflict analysis.
remQ – Business Inspector for SAP Software offers Business Transaction Monitoring and auditing software with built-in expert know-how.
Troubleshooting
By following this guide, you will be able to create a custom SQVI query to detect SoD conflicts where a user has both created a vendor and a purchase order. This query can be further customized to suit specific reporting or compliance needs.
The same approach works for other potential SoD violations.
The analysis performed here is limited to the users who created the vendor/document, not taking into account changes that might occur later.
In many real-life fraud scenarios, this is a reasonable assumption. One could even argue, that if another user makes changes to the (bogus?) vendor after it was created, then a 4-eyes principle is effectively established because another user had a chance to review the vendor.
So while being incomplete, it is effective in many cases, and very easy to implement.
Note the SQVI query created can be executed at any later time, so a periodical review is easy and can help address and reduce risks from a lack of segregation of duties.
Jens verfügt über mehr als 20 Jahre Erfahrung in den Bereichen SAP-Sicherheit, Compliance und interne Kontrollen. Er ist ein ehemaliger Wirtschaftsprüfer, immer neugierig, bereit zu lernen und Wissen zu teilen. Bei VOQUZ Labs ist Jens für die Risiko- und Compliance-Produkte verantwortlich. Es macht ihm Spaß, mit Kunden zu interagieren und schnelle und einfache Wege zu finden, um Produkte zu verbessern und den Kunden einen Mehrwert zu bieten. Pragmatisch und kundenorientiert? Dann Jens :)
Hast Du Fragen oder möchtest Du etwas hinzufügen? Hinterlasse uns bitte eine Nachricht! Deine Nachricht wird per E-Mail an uns übermittelt und nicht veröffentlicht.