Row layout (reconstructed from the flattened matrix):
Risk ID | Risk Level
Description of Risk
Function 1: Tc and function name
Function 2: Tc and function name
Function 3: Tc and function name (only where the risk needs a third function)

A001 | High
Description of Risk: Unauthorized maintenance of planning model and version may adversely impact the production planning data stored in APO. This transaction should be limited to selected demand planning super users or managers.
Function 1: AO02 APO Maintain Model
Function 2: AO01 APO Supply & Demand Planning

A002 | High
Description of Risk: Unauthorized deletion of an active planning version may adversely impact the production planning data stored in APO. This transaction should be limited to selected demand planning super users or managers.
Function 1: AO03 APO Model & Version Management
Function 2: AO01 APO Supply & Demand Planning

A003 | High
Description of Risk: Unauthorized maintenance of planning model and version may adversely impact the production planning data stored in APO. This transaction should be limited to selected demand planning super users or managers.
Function 1: AO04 APO active version)
Function 2: AO01 APO Supply & Demand Planning

A008 | High
Description of Risk: Access to maintain macros/rules should be controlled via the change management process. Unsupported or incorrect adjustments made to the macros/rules may result in inaccurate production planning and production scheduling.
Function 1: AO09 APO Define Advanced Macros
Function 2: AO01 APO Supply & Demand Planning

B002 | High
Description of Risk: A developer could modify an existing program in production, perform traces on the program and configure the production environment to limit monitoring of the program run by increasing alarm thresholds and eliminating audit trails through external OS comma
Function 1: BS02 Basis Development
Function 2: BS06 Configuration

B004 | High
Description of Risk: A developer could create or modify a program in production and force the transport of these changes after the fact to conceal irregular development practices. This also enables reverting to the program's original version without any trace of the changes made in production.
Function 1: BS02 Basis Development
Function 2: BS12 Transport Administration

B006 | High
Description of Risk: A developer could modify program components (menus, screen layout, messages, queries) and configure the production environment to limit monitoring of the program runs using the modified program components by increasing alarm thresholds and eliminating audit trail
Function 1: BS04 Basis Utilities
Function 2: BS06 Configuration

B008 | High
Description of Risk: A developer could modify program components (menus, screen layout, messages, queries) and force the transport of these changes after the fact to conceal irregular development practices. This also enables reverting to the program components origin
Function 1: BS04 Basis Utilities
Function 2: BS12 Transport Administration

B009 | High
Description of Risk: An individual could modify data in tables or modify valid configuration values and set up the production environment to run transactions and programs using the inappropriately modified data. This could affect data integrity, system performance, and proper
Function 1: BS03 Basis Table Maintenance
Function 2: BS11 System Administration

B010 | High
Description of Risk: An individual could modify data in tables or change valid configuration and replicate these changes to other clients. This is particularly sensitive if client administration transactions come with client-independent authorization allowing the developer to
Function 1: BS03 Basis Table Maintenance
Function 2: BS05 Client Administration

B011 | High
Description of Risk: An individual could inappropriately modify roles and assignments and reflect this change in the production's mirror copy, eliminating the chance to revert to the appropriate setup.
Function 1: BS10 Security Administration
Function 2: BS05 Client Administration

B012 | High
Description of Risk: A security administrator could make inappropriate changes to unauthorized security roles, transport them, and assign them to a fictitious user for execution.
Function 1: BS10 Security Administration
Function 2: BS12 Transport Administration

B017 | High
Description of Risk: Can create transports, add objects to the transport, and move the transport: can put unauthorized object changes into production, bypassing the change control process.
Function 1: BS07 Create Transport
Function 2: BS09 Perform Transport

B018 | High
Description of Risk: Can reset the number ranges (1) and delete the log/audit trail (2).
Function 1: BS08 Maintain Number Ranges
Function 2: BS11 System Administration

B019 | High
Description of Risk: One person controlling both the access in the profile/role and the user IDs increases the risk of inappropriate access.
Function 1: BS13 Maintain User Master
Function 2: BS14 Maintain Profiles / Roles

D003 | High
Description of Risk: A user could create a fictitious business partner and initiate fraudulent sales orders for that partner. Master data such as business partners should not be maintained by the same users who process transactions using that master data.
Function 1: CR03 Maintain Business Partner
Function 2: CR04 Process CRM Sales Order

D004 | High
Description of Risk: A user could create a fictitious sales order to cover up an unauthorized shipment.
Function 1: CR04 Process CRM Sales Order
Function 2: SD02 Delivery Processing

D005 | High
Description of Risk: Inappropriately create or change sales documents and generate the corresponding billing document in CRM.
Function 1: CR04 Process CRM Sales Order
Function 2: CR07 CRM Billing

D006 | High
Description of Risk: Inappropriately create or change sales documents and generate the corresponding billing document in R3.
Function 1: CR04 Process CRM Sales Order
Function 2: AR05 Maintain Billing Documents

D007 | High
Description of Risk: Enter fictitious service orders for personal use and accept the services through service acceptance. The user could prompt fraudulent payments. In addition, spare parts could be fraudulently issued from inventory as a result of the confirmation.
Function 1: CR05 Service Order Processing
Function 2: CR06 Service Confirmation

D008 | High
Description of Risk: A user can create a fictitious business partner and then process billing in CRM for that partner.
Function 1: CR07 CRM Billing
Function 2: CR03 Maintain Business Partner

D009 | High
Description of Risk: A user can create a fictitious business partner and then process billing in R3 for that partner.
Function 1: AR05 Maintain Billing Documents
Function 2: CR03 Maintain Business Partner

D010 | High
Description of Risk: Inappropriately accept or confirm a service order and generate a corresponding billing document in CRM for the order.
Function 1: CR06 Service Confirmation
Function 2: CR07 CRM Billing

D011 | High
Description of Risk: Inappropriately accept or confirm a service order and generate a corresponding billing document in R3 for the order.
Function 1: CR06 Service Confirmation
Function 2: AR05 Maintain Billing Documents

D013 | High
Description of Risk: A user could create a fictitious credit memo and run billing due in CRM to prompt a payment to a customer. The customer could provide a kickback to the internal user.
Function 1: CR08 Process Credit Memo
Function 2: CR07 CRM Billing

D014 | High
Description of Risk: A user could create a fictitious credit memo and run billing due in R3 to prompt a payment to a customer. The customer could provide a kickback to the internal user.
Function 1: CR08 Process Credit Memo
Function 2: AR05 Maintain Billing Documents

D015 | High
Description of Risk: Pricing conditions could be manipulated to provide inappropriate discounts or incentives to customers, which would be realized in an incorrect invoice.
Function 1: AR07 Process Customer Invoices
Function 2: CR09 Maintain Conditions

D016 | High
Description of Risk: A user could enter a sales order in CRM and lower prices via conditions for fraudulent gain.
Function 1: CR04 Process CRM Sales Order
Function 2: CR09 Maintain Conditions

D017 | High
Description of Risk: Commission or incentives may be paid based on the number of qualified leads. Inappropriately qualified leads could result in fraudulent commission payments.
Function 1: CR02 Maintain Opportunity
Function 2: PY04 Process Payroll

D018 | High
Description of Risk: Commission or incentives may be paid based on the number of service orders. Fraudulent orders could be entered to achieve higher sales for commissions.
Function 1: CR05 Service Order Processing
Function 2: PY04 Process Payroll

D019 | High
Description of Risk: Commission or incentives may be paid based on the number of sales orders. Fraudulent orders could be entered to achieve higher sales reporting for commissions.
Function 1: CR04 Process CRM Sales Order
Function 2: PY04 Process Payroll

E001 | High
Description of Risk: Maintain a fictitious vendor and enter an invoice to be included in the automatic payment run.
Function 1: SR01 EBP / SRM Vendor Master
Function 2: SR03 EBP / SRM Invoicing

E002 | High
Description of Risk: Purchase unauthorized items and prompt the payment by invoicing.
Function 1: SR02 EBP / SRM Purchasing
Function 2: SR03 EBP / SRM Invoicing

E003 | High
Description of Risk: Enter fictitious orders for personal use and accept the goods or services through goods receipt or service acceptance.
Function 1: SR02 EBP / SRM Purchasing
Function 2: SR04 EBP / SRM Goods Receipt/Service Acceptance

E004 | High
Description of Risk: Enter fictitious invoices and accept goods or services via goods receipt or service acceptance.
Function 1: SR03 EBP / SRM Invoicing
Function 2: SR04 EBP / SRM Goods Receipt/Service Acceptance

E005 | High
Description of Risk: Maintain a fictitious vendor and initiate purchases to that vendor.
Function 1: SR01 EBP / SRM Vendor Master
Function 2: SR02 EBP / SRM Purchasing

E010 | High
Description of Risk: A user can hide differences between bank payments and posted AP records.
Function 1: FI03 Bank Reconciliation
Function 2: SR03 EBP / SRM Invoicing

E011 | High
Description of Risk: Accept goods via SRM goods receipts and perform a WM physical inventory adjustment afterwards.
Function 1: SR06 EBP / SRM Goods Receipt/Service Acceptance
Function 2: MM08 Clear Differences - WM
Function 3: MM07 Enter Counts - WM

E012 | High
Description of Risk: Accept goods via SRM goods receipts and perform an IM physical inventory adjustment afterwards.
Function 1: SR06 EBP / SRM Goods Receipt/Service Acceptance
Function 2: MM01 Clear Differences - Inventory Management
Function 3: MM02 Enter Counts - IM

E013 | High
Description of Risk: Accept goods via SRM goods receipts and perform an IM physical inventory adjustment afterwards using powerful IM transactions.
Function 1: SR06 EBP / SRM Goods Receipt/Service Acceptance
Function 2: MM03 Enter Counts & Clear Diff IM

E014 | High
Description of Risk: Enter fictitious orders for personal use and access the goods or services through goods receipt.
Function 1: SR02 EBP / SRM Purchasing
Function 2: MM05 Goods Receipts to PO

E015 | High
Description of Risk: Enter fictitious orders for personal use and access the goods or services through service acceptance.
Function 1: SR02 EBP / SRM Purchasing
Function 2: PR08 Service Acceptance

E019 | High
Description of Risk: Approve the purchase of unauthorized goods and hide the misuse of inventory by not fully receiving the order in R3.
Function 1: SR07 EBP / SRM PO Approval
Function 2: MM05 Goods Receipts to PO

E020 | High
Description of Risk: Where release strategies are utilized, the same user should not maintain the purchase order and release or approve it.
Function 1: SR02 EBP / SRM Purchasing
Function 2: SR07 EBP / SRM PO Approval

E021 | High
Description of Risk: Create a fictitious vendor or change existing vendor master data and approve purchases to this vendor.
Function 1: SR01 EBP / SRM Vendor Master
Function 2: SR07 EBP / SRM PO Approval

E022 | High
Description of Risk: Enter fictitious orders for personal use and manipulate the organizational structure to bypass approvals.
Function 1: SR02 EBP / SRM Purchasing
Function 2: SR09 EBP / SRM Maintain Org Structure

E023 | High
Description of Risk: Create or maintain a fictitious vendor and manipulate the organizational structure to bypass approvals or secondary checks.
Function 1: SR01 EBP / SRM Vendor Master
Function 2: SR09 EBP / SRM Maintain Org Structure

E024 | High
Description of Risk: Initiate purchases by selecting goods to be included in a shopping cart, then approve the purchase.
Function 1: SR08 EBP / SRM Maintain Shopping Cart
Function 2: SR07 EBP / SRM PO Approval

F005 | High
Description of Risk: Create a non bona-fide bank account and create a check from it.
Function 1: FI04 Maintain Bank Master Data
Function 2: AP01 AP Payments

F006 | High
Description of Risk: Pay an invoice and hide it in an asset that would be depreciated over time.
Function 1: FA01 Maintain Asset Document
Function 2: AP02 Process Vendor Invoices

F007 | High
Description of Risk: Create an invoice through ERS goods receipt and hide it in an asset that would be depreciated over time.
Function 1: FA01 Maintain Asset Document
Function 2: MM05 Goods Receipts to PO

F008 | High
Description of Risk: Allows differences between cash deposited and cash collections posted to be covered up.
Function 1: AR02 Cash Application
Function 2: FI03 Bank Reconciliation

F013 | High
Description of Risk: Create the asset and manipulate the receipt of the associated asset.
Function 1: FA02 Maintain Asset Master
Function 2: MM05 Goods Receipts to PO

F014 | High
Description of Risk: Post overhead expenses to the project and settle the project without going through the settlement approval process.
Function 1: PS02 Process Overhead Postings
Function 2: PS03 Settle Projects

F015 | High
Description of Risk: Use a fictitious project to allocate overages of an actual project, and settle the project without going through the settlement approval process.
Function 1: PS01 Maintain Projects and WBS Elements
Function 2: PS03 Settle Projects

F016 | High
Description of Risk: Manipulate the work breakdown structure elements (profit centers, business areas, cost centers, plants) and post overhead expenses to the project.
Function 1: PS01 Maintain Projects and WBS Elements
Function 2: PS02 Process Overhead Postings

F017 | High
Description of Risk: Maintain a non bona-fide bank account and divert incoming payments to it.
Function 1: FI04 Maintain Bank Master Data
Function 2: AR02 Cash Application

F025 | High
Description of Risk: Create a non bona-fide bank account and create manual checks from it.
Function 1: FI04 Maintain Bank Master Data
Function 2: AP04 Manual Check Processing

F027 | High
Description of Risk: Users can create a fictitious trade and fraudulently confirm or exercise the trade.
Function 1: FI08 Create / Change Treasury Item
Function 2: FI09 Confirm a Treasury Trade

G001 to G014 | High (all fourteen rows share the same description and Function 1)
Description of Risk: AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output.
Function 1: EC01 Maintain Hierarchies
Function 2 per risk:
G001: AP01 AP Payments
G002: AP02 Process Vendor Invoices
G003: AP04 Manual Check Processing
G004: AR02 Cash Application
G005: AR07 Process Customer Invoices
G006: CC03 Maintain Cost Centers
G007: FA01 Maintain Asset Document
G008: FA02 Maintain Asset Master
G009: FI01 Revenue Reposting
G010: GL01 Post Journal Entry
G011: GL02 Maintain GL Master Data
G012: GL03 Post Journal Entry (misc Tax/Currency)
G013: PR01 Vendor Master Maintenance
G014: SD01 Maintain Customer Master Data

H001 | High
Description of Risk: Modify payroll master data and then process payroll. Potential for fraudulent activity.
Function 1: HR03 Maintain Employee (PA) Master Data - 0008 - 0009 (
Function 2: PY04 Process Payroll

H002 | High
Description of Risk: Change employee HR benefits then process payroll without authorization. Potential for fraudulent activity.
Function 1: HR01 HR Benefits
Function 2: PY04 Process Payroll

H003 | High
Description of Risk: Changing master data and creating the remittance could result in fraudulent payments.
Function 1: PY07 3rd Party Remittance
Function 2: HR02 HR Vendor Data

H004 | High
Description of Risk: Change payroll master data and enter time data applied to incorrect settings.
Function 1: HR04 Maintain Time Data
Function 2: PY01 Approve Time

H005 | High
Description of Risk: Modify time data and process payroll, resulting in fraudulent payments.
Function 1: HR04 Maintain Time Data
Function 2: PY04 Process Payroll

H006 | High
Description of Risk: Change configuration of payroll then process payroll, resulting in fraudulent payments.
Function 1: PY02 Maintain Payroll Configuration
Function 2: PY04 Process Payroll

H007 | High
Description of Risk: Change configuration of payroll then modify payroll master data, resulting in fraudulent payments.
Function 1: HR03 Maintain Employee (PA) Master Data - 0008 - 0009 (
Function 2: PY02 Maintain Payroll Configuration

H008 | High
Description of Risk: Change payroll master data and modify PD structure.
Function 1: HR05 Modify PD Structure
Function 2: HR03 Maintain Employee (PA) Master Data - 0008 - 0009 (

H009 | High
Description of Risk: Enter false time data and perform payroll maintenance.
Function 1: HR04 Maintain Time Data
Function 2: PY03 Payroll Maintenance

H010 | High
Description of Risk: Change payroll and process payroll without proper authorization.
Function 1: PY03 Payroll Maintenance
Function 2: PY04 Process Payroll

H011 | High
Description of Risk: Change payroll configuration and perform maintenance on payroll settings.
Function 1: PY02 Maintain Payroll Configuration
Function 2: PY03 Payroll Maintenance

H012 | High
Description of Risk: Modify payroll configuration and enter false time data.
Function 1: HR04 Maintain Time Data
Function 2: PY02 Maintain Payroll Configuration

H013 | High
Description of Risk: Enter false time data and maintain PD structure.
Function 1: HR04 Maintain Time Data
Function 2: HR05 Modify PD Structure

H014 | High
Description of Risk: Users may enter false time data and process payroll, resulting in fraudulent payments.
Function 1: HR03 Maintain Employee (PA) Master Data - 0008 - 0009 (
Function 2: HR04 Maintain Time Data

H015 | High
Description of Risk: Users may maintain employee master data, including pay rates, and delete the payroll result.
Function 1: HR03 Maintain Employee (PA) Master Data - 0008 - 0009 (
Function 2: PY03 Payroll Maintenance

H016 | High
Description of Risk: Users may enter false time data and perform work schedule evaluations.
Function 1: PY06 Payroll Schemas
Function 2: HR04 Maintain Time Data

M006 | High
Description of Risk: Accept goods via goods receipts and perform a WM physical inventory adjustment afterwards.
Function 1: MM04 Goods Movements
Function 2: MM08 Clear Differences - WM
Function 3: MM07 Enter Counts - WM

M011 | High
Description of Risk: Accept goods via goods receipts and perform an IM physical inventory adjustment afterwards.
Function 1: MM04 Goods Movements
Function 2: MM01 Clear Differences - Inventory Management
Function 3: MM02 Enter Counts - IM

M012 | High
Description of Risk: Accept goods via goods receipts and perform an IM physical inventory adjustment afterwards.
Function 1: MM04 Goods Movements
Function 2: MM03 Enter Counts & Clear Diff IM

P001 | High
Description of Risk: Maintain a fictitious vendor and enter a vendor invoice for automatic payment.
Function 1: PR01 Vendor Master Maintenance
Function 2: AP02 Process Vendor Invoices

P002 | High
Description of Risk: Maintain a fictitious vendor and create a payment to that vendor.
Function 1: AP01 AP Payments
Function 2: PR01 Vendor Master Maintenance

P003 | High
Description of Risk: Enter fictitious vendor invoices and then render payment to the vendor.
Function 1: AP02 Process Vendor Invoices
Function 2: AP01 AP Payments

P004 | High
Description of Risk: Purchase unauthorized items and initiate payment by invoicing.
Function 1: PR02 Maintain Purchase Order
Function 2: AP02 Process Vendor Invoices

P005 | High
Description of Risk: Enter fictitious purchase orders for personal use and accept the goods through goods receipt.
Function 1: PR02 Maintain Purchase Order
Function 2: MM05 Goods Receipts to PO

P006 | High
Description of Risk: Enter fictitious vendor invoices and accept the goods via goods receipt.
Function 1: AP02 Process Vendor Invoices
Function 2: MM05 Goods Receipts to PO

P007 | High
Description of Risk: Enter a fictitious purchase order and enter the covering payment.
Function 1: PR02 Maintain Purchase Order
Function 2: AP01 AP Payments

P008 | High
Description of Risk: Create a fictitious vendor and initiate purchases to that vendor.
Function 1: PR01 Vendor Master Maintenance
Function 2: PR02 Maintain Purchase Order

P011 | High
Description of Risk: Inappropriately procure an item and manipulate the IM physical inventory counts to hide it.
Function 1: PR02 Maintain Purchase Order
Function 2: MM03 Enter Counts & Clear Diff IM

P014 | High
Description of Risk: Can hide differences between bank payments and posted AP records.
Function 1: FI03 Bank Reconciliation
Function 2: AP02 Process Vendor Invoices

P016 | High
Description of Risk: Receive or accept services and enter the covering payments.
Function 1: PR08 Service Acceptance
Function 2: AP01 AP Payments

P019 | High
Description of Risk: Approve the purchase of unauthorized goods and hide the misuse of inventory by not fully receiving the order.
Function 1: PR04 PO Approval
Function 2: MM05 Goods Receipts to PO

P020 | High
Description of Risk: Commit the company to fraudulent purchase contracts and initiate payment for unauthorized goods and services.
Function 1: PR04 PO Approval
Function 2: AP01 AP Payments

P021 | High
Description of Risk: Release a non bona-fide purchase order and initiate payment for the order by entering invoices.
Function 1: PR04 PO Approval
Function 2: AP02 Process Vendor Invoices

P022 | High
Description of Risk: Release a non bona-fide purchase order and keep the action undetected by manipulating the IM physical inventory counts.
Function 1: PR04 PO Approval
Function 2: MM01 Clear Differences - Inventory Management
Function 3: MM02 Enter Counts - IM

P023 | High
Description of Risk: Create a fictitious vendor or change existing vendor master data and approve purchases to this vendor.
Function 1: PR04 PO Approval
Function 2: PR01 Vendor Master Maintenance

P026 | High
Description of Risk: Enter fictitious purchasing agreements and then render payment.
Function 1: AP01 AP Payments
Function 2: PR05 Purchasing Agreements

P027 | High
Description of Risk: Risk of entry of fictitious purchasing agreements and the entry of a fictitious vendor or modification of an existing vendor, especially account data.
Function 1: PR01 Vendor Master Maintenance
Function 2: PR05 Purchasing Agreements

P028 | High
Description of Risk: Modify purchasing agreements and then receive goods for fraudulent purposes.
Function 1: PR05 Purchasing Agreements
Function 2: MM05 Goods Receipts to PO

P029 | High
Description of Risk: Enter unauthorized items to a purchasing agreement and create an invoice to obtain those items for personal use.
Function 1: AP02 Process Vendor Invoices
Function 2: PR05 Purchasing Agreements

P030 | High
Description of Risk: Risk of modifying service master data (to add a service that is normally not ordered by the company) and the entry of covering payments.
Function 1: AP01 AP Payments
Function 2: PR03 Service Master Maintenance

P038 | High
Description of Risk: Risk of the same person entering unauthorized payments and reconciling them with the bank.
Function 1: AP01 AP Payments
Function 2: FI03 Bank Reconciliation

P045 | High
Description of Risk: Inappropriately procure an item and manipulate the IM physical inventory counts to hide it.
Function 1: PR02 Maintain Purchase Order
Function 2: MM01 Clear Differences - Inventory Management
Function 3: MM02 Enter Counts - IM

P046 | High
Description of Risk: Inappropriately procure an item and manipulate the WM physical inventory counts to hide it.
Function 1: PR02 Maintain Purchase Order
Function 2: MM08 Clear Differences - WM
Function 3: MM07 Enter Counts - WM

P047 | High
Description of Risk: Release a non bona-fide purchase order and keep the action undetected by manipulating the IM physical inventory counts.
Function 1: PR04 PO Approval
Function 2: MM03 Enter Counts & Clear Diff IM

P048 | High
Description of Risk: Release a non bona-fide purchase order and keep the action undetected by manipulating the WM physical inventory counts.
Function 1: PR04 PO Approval
Function 2: MM08 Clear Differences - WM
Function 3: MM07 Enter Counts - WM

P051 | High
Description of Risk: Maintain a fictitious vendor and create a payment to that vendor.
Function 1: AP04 Manual Check Processing
Function 2: PR01 Vendor Master Maintenance

P052 | High
Description of Risk: Enter fictitious vendor invoices and then render payment to the vendor.
Function 1: AP02 Process Vendor Invoices
Function 2: AP04 Manual Check Processing

P053 | High
Description of Risk: Enter a fictitious purchase order and enter the covering payment.
Function 1: PR02 Maintain Purchase Order
Function 2: AP04 Manual Check Processing

P054 | High
Description of Risk: Receive or accept services and manually enter the covering check payments.
Function 1: PR08 Service Acceptance
Function 2: AP04 Manual Check Processing

P055 | High
Description of Risk: Commit the company to fraudulent purchases and initiate manual check payments for unauthorized goods and services.
Function 1: PR04 PO Approval
Function 2: AP04 Manual Check Processing

P056 | High
Description of Risk: Enter fictitious purchasing agreements and then render manual checks for payment.
Function 1: AP04 Manual Check Processing
Function 2: PR05 Purchasing Agreements

P057 | High
Description of Risk: Risk of modifying service master data (to add a service that is normally not ordered by the company) and the entry of covering payments.
Function 1: AP04 Manual Check Processing
Function 2: PR03 Service Master Maintenance

P058 | High
Description of Risk: Risk of the same person entering unauthorized manual payments and reconciling them with the bank.
Function 1: AP04 Manual Check Processing
Function 2: FI03 Bank Reconciliation

P059 | High
Description of Risk: Where release strategies are utilized, the same user should not maintain the purchase order and release or approve it.
Function 1: PR02 Maintain Purchase Order
Function 2: PR04 PO Approval

S001 | High
Description of Risk: Enter or modify sales documents and approve customer credit limits.
Function 1: AR04 Credit Management
Function 2: SD05 Sales Order Processing

S002 | High
Description of Risk: Create sales documents and immediately clear the customer's obligation.
Function 1: SD05 Sales Order Processing
Function 2: AR03 Clear Customer Balance

S003 | High
Description of Risk: Create a fictitious customer and initiate a fraudulent sales document.
Function 1: SD05 Sales Order Processing
Function 2: SD01 Maintain Customer Master Data

S004 | High
Description of Risk: Make an unauthorized change to the master record (payment terms, tolerance level) in favor of the customer and enter an inappropriate invoice.
Function 1: SD01 Maintain Customer Master Data
Function 2: AR07 Process Customer Invoices

S005 | High
Description of Risk: Inappropriately create or change rebate agreements and manage a customer's master record in favor of the customer. Could also change a customer's master record to direct payment to an inappropriate location.
Function 1: SD01 Maintain Customer Master Data
Function 2: SD03 Sales Rebates

S006 | High
Description of Risk: Potentially clear a customer's balance and then create or make the same change to the billing document for the same customer, clearing them of their obligation.
Function 1: AR03 Clear Customer Balance
Function 2: AR05 Maintain Billing Documents

S007 | High
Description of Risk: Inappropriately create or change sales documents and generate a corresponding billing document for them.
Function 1: SD05 Sales Order Processing
Function 2: AR05 Maintain Billing Documents

S008 | High
Description of Risk: Manipulate the customer's credit limit and assign generous rebates to execute a marginal customer's order.
Function 1: AR04 Credit Management
Function 2: SD03 Sales Rebates

S010 | High
Description of Risk: Create a billing document for a customer and inappropriately post a payment from the same customer to conceal nonpayment.
Function 1: AR02 Cash Application
Function 2: AR05 Maintain Billing Documents

S011 | High
Description of Risk: Create a fictitious customer and initiate payment to the unauthorized customer.
Function 1: SD01 Maintain Customer Master Data
Function 2: AR01 AR Payments

S012 | High
Description of Risk: Initiate an unauthorized payment to the customer by entering fictitious credit memos.
Function 1: AR06 Process Customer Credit Memos
Function 2: AR01 AR Payments

S013 | High
Description of Risk: Change the accounts receivable records to cover differences with customer statements.
Function 1: AR02 Cash Application
Function 2: SD04 Sales Document Release

S014 | High
Description of Risk: Cover up an unauthorized shipment by creating fictitious sales documents.
Function 1: SD05 Sales Order Processing
Function 2: SD02 Delivery Processing

S015 | High
Description of Risk: Sales price modifications for sales invoicing.
Function 1: AR07 Process Customer Invoices
Function 2: SD06 Sales Pricing Condition

S016 | High
Description of Risk: Enter sales documents and lower prices for fraudulent gain.
Function 1: SD05 Sales Order Processing
Function 2: SD06 Sales Pricing Condition

S017 | High
Description of Risk: Perform the credit approval function and modify cash received for fraudulent purposes.
Function 1: AR04 Credit Management
Function 2: AR02 Cash Application

S018 | High
Description of Risk: Enter fictitious sales rebates and then render fictitious payments.
Function 1: AR02 Cash Application
Function 2: SD03 Sales Rebates

S019 | High
Description of Risk: Risk of the same person entering changes to the customer master file and modifying the cash received for the customer.
Function 1: AR02 Cash Application
Function 2: SD01 Maintain Customer Master Data

S022 | High
Description of Risk: Risk of the same person modifying and entering sales invoices and approving credit limits.
Function 1: AR07 Process Customer Invoices
Function 2: AR04 Credit Management

S023 | High
Description of Risk: Risk of sales price modifications for sales invoicing.
Function 1: AR05 Maintain Billing Documents
Function 2: SD06 Sales Pricing Condition

S024 | High
Description of Risk: Maintain a customer master record and post a fraudulent payment against it.
Function 1: SD01 Maintain Customer Master Data
Function 2: AR03 Clear Customer Balance

S025 | High
Description of Risk: A user can create a fictitious customer and then issue invoices to the customer.
Function 1: SD01 Maintain Customer Master Data
Function 2: AR05 Maintain Billing Documents

S026 | High
Description of Risk: A user can create/change an invoice and enter/change payments against the invoice.
Function 1: AR02 Cash Application
Function 2: AR07 Process Customer Invoices

S027 | High
Description of Risk: A user can create a fictitious or incorrect delivery and enter payments against it, potentially misappropriating goods.
Function 1: SD02 Delivery Processing
Function 2: AR02 Cash Application

S028 | High
Description of Risk: A user is able to create a fraudulent sales contract to include additional goods and enter an incorrect customer invoice to hide the deception.
Function 1: SD05 Sales Order Processing
Function 2: AR07 Process Customer Invoices

S029 | High
Description of Risk: Create a credit memo, then clear the customer to prompt a payment.
Function 1: AR03 Clear Customer Balance
Function 2: AR06 Process Customer Credit Memos