Welcome to Big4Guy.com. Big4Guy is an online resource where I will share with you the latest news, insights, knowledge and some experiences as a Big 4 consultant. We will discuss some of the important issues which organisations are facing today in the areas of information security, and security and controls in SAP R/3, Oracle Applications, J.D. Edwards, PeopleSoft and various other ERPs. You will also find information on the latest compliance regulations such as Sarbanes-Oxley, Basel II and so on. Big4Guy will also attempt to provide valuable resources for individuals interested in examinations such as the CISA, CISM, CISSP, PMP and various other security certifications considered essential for entry into any of the Big 4 accounting, auditing and consulting firms. You are invited to post your comments and viewpoints on the posts here. I sincerely hope this online journal will be useful to everyone from a budding student to a professional in the accounting, auditing, management and consultancy professions.
Access control forms a very important part of the overall control framework in any ERP environment. In SAP R/3, segregation of incompatible functions is a major control point. Assessing whether incompatible functions are assigned to SAP users can be a tedious task, so how does one go about addressing such incompatibility issues? Let me explain using the example of the accounts payable (A/P) process in SAP. Ideally, in A/P, segregation of duties should exist between purchasing, goods receiving, invoice processing and cash disbursement. Below is a seven-step process for analysing segregation of duties (SOD) in SAP A/P.
Step 1 - Document the entire payables process. This would include raising a purchase requisition, releasing the purchase requisition, raising a purchase order (PO), releasing the purchase order, goods receipt, invoice entry and, finally, processing payments.
Step 2 - For each sub-process identified above, identify the relevant transaction code in SAP. This can be done using the standard SAP menus (the transaction code is shown beside each menu entry once "Display technical names" is switched on in the menu settings).
Step 3 - Identify the key control points within the process. In our example, the key control points would be raising a PO, goods receipt, entering an invoice, and creating or changing vendor master records.
Step 4 - Identify whether there are any other incompatible duties. One such incompatible combination is payment processing together with vendor master maintenance: a user who can create a vendor and also pay that vendor can route funds to a fictitious supplier without anyone else being involved.
Step 5 - Identify the transaction codes in SAP which give access to these incompatible functions. In SAP the relevant transaction codes would be: XK01 / XK02 - Create Vendor / Change Vendor, ME21 - Create PO, ME28 - Release PO, MB01 - Goods Receipt for PO, MIRA / MIRO - Invoice Entry. The incompatible combinations relevant for segregation of duties would be:
- XK01 / XK02 and ME28
- ME21 and ME28
- ME28 and MB01
- XK01 / XK02 and MIRA / MIRO
The payment-processing conflict from Step 4 belongs on this list as well: pair XK01 / XK02 with whichever payment transactions are in use (in standard SAP the automatic payment run is F110). Bear in mind that a transaction code is only the first gate; the transaction start check (authorization object S_TCODE) is followed by the application authorization objects checked inside the transaction, so a user who can start ME28 but holds no release code (M_EINK_FRG) cannot actually release a PO, and a purely transaction-code-based analysis will report both false positives and, where a user gets to the same function through a different transaction, false negatives.
Step 6 - Identify the employees within the organisation who have access to such incompatible functions. This can be done using transaction SUIM (the User Information System) or with data analysis tools run over extracts of the role and user tables. If required, the analysis can even be done at the authorization profile level.
Step 7 - Once users with access to incompatible functions are identified, access to such functions should be restricted. This should be done by the Basis or security administrator who is responsible for, and knowledgeable about, role and profile maintenance. Where a conflict cannot be removed, for example in a very small finance team, document a compensating control such as independent review of the payment proposal before the run is released.
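To show what the Step 6 analysis looks like when done with a data analysis tool rather than by clicking through SUIM, here is an added example (not code from the original post) that applies the Step 5 rule set to two constructed table extracts: role-to-transaction assignments in the shape of AGR_TCODES and user-to-role assignments in the shape of AGR_USERS. The role and user names are invented for illustration; the transaction codes and rules are the ones listed above.

```python
"""Find SAP users holding incompatible A/P transaction codes.

Added example: the two CSV strings below are constructed to look like
SE16 extracts of AGR_TCODES (role -> tcode) and AGR_USERS (role -> user).
They are not real system data; role and user names are made up.
"""
import csv
from collections import defaultdict
from io import StringIO

# Incompatible function pairs from Step 5 of the post.  Each side is a set
# so that XK01/XK02 and MIRA/MIRO are treated as one business function.
SOD_RULES = [
    ("vendor master vs. PO release",    {"XK01", "XK02"}, {"ME28"}),
    ("PO create vs. PO release",        {"ME21"},         {"ME28"}),
    ("PO release vs. goods receipt",    {"ME28"},         {"MB01"}),
    ("vendor master vs. invoice entry", {"XK01", "XK02"}, {"MIRA", "MIRO"}),
]

# Constructed sample extract in the shape of AGR_TCODES (role -> tcode).
AGR_TCODES_CSV = """AGR_NAME,TCODE
Z_AP_PURCHASER,ME21
Z_AP_PURCHASER,ME22
Z_AP_APPROVER,ME28
Z_AP_WAREHOUSE,MB01
Z_AP_INVOICE,MIRO
Z_AP_INVOICE,MIRA
Z_AP_VENDOR_MASTER,XK01
Z_AP_VENDOR_MASTER,XK02
Z_AP_DISPLAY,XK03
"""

# Constructed sample extract in the shape of AGR_USERS (role -> user).
AGR_USERS_CSV = """AGR_NAME,UNAME
Z_AP_PURCHASER,JSMITH
Z_AP_APPROVER,JSMITH
Z_AP_WAREHOUSE,AKUMAR
Z_AP_APPROVER,AKUMAR
Z_AP_INVOICE,MLEE
Z_AP_VENDOR_MASTER,MLEE
Z_AP_DISPLAY,PJONES
Z_AP_INVOICE,PJONES
"""


def load_role_tcodes(text):
    """Parse an AGR_TCODES-style extract into {role: {tcode, ...}}."""
    roles = defaultdict(set)
    for row in csv.DictReader(StringIO(text)):
        roles[row["AGR_NAME"].strip()].add(row["TCODE"].strip().upper())
    return roles


def load_user_roles(text):
    """Parse an AGR_USERS-style extract into {user: {role, ...}}."""
    users = defaultdict(set)
    for row in csv.DictReader(StringIO(text)):
        users[row["UNAME"].strip()].add(row["AGR_NAME"].strip())
    return users


def effective_tcodes(user_roles, role_tcodes):
    """Flatten user -> roles -> tcodes.  Roles missing from the tcode
    extract contribute nothing rather than raising an error."""
    return {
        user: set().union(*(role_tcodes.get(role, set()) for role in roles))
        for user, roles in user_roles.items()
    }


def find_conflicts(user_tcodes, rules=SOD_RULES):
    """Return {user: [(rule, tcodes held on side A, tcodes held on side B)]}.

    A rule fires only when the user holds at least one tcode from BOTH
    sides; display-only transactions such as XK03 never match a rule.
    """
    conflicts = {}
    for user in sorted(user_tcodes):
        held = user_tcodes[user]
        hits = []
        for name, side_a, side_b in rules:
            a, b = held & side_a, held & side_b
            if a and b:
                hits.append((name, sorted(a), sorted(b)))
        if hits:
            conflicts[user] = hits
    return conflicts


def run():
    """Load the constructed extracts and return the conflict report."""
    roles = load_role_tcodes(AGR_TCODES_CSV)
    users = load_user_roles(AGR_USERS_CSV)
    return find_conflicts(effective_tcodes(users, roles))


if __name__ == "__main__":
    for user, hits in run().items():
        for name, side_a, side_b in hits:
            print(f"{user}: {name} ({'/'.join(side_a)} with {'/'.join(side_b)})")
```

Three of the four constructed users are reported (JSMITH can create and release a PO, AKUMAR can release a PO and post the goods receipt, MLEE can maintain vendors and enter invoices); PJONES is not, because XK03 is display-only and is not in any rule. Two caveats when running this against a real extract: AGR_TCODES only records the transactions in the role menu, whereas the start check actually uses the S_TCODE values in AGR_1251, which may contain ranges or wildcards that this string comparison would miss; and users assigned through composite roles need AGR_AGRS expanded first. As noted under Step 5, the report is a list of candidates to verify against the application authorization objects, not a final finding.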
Related Posts
SAP R/3 Authorization Basics
SAP R/3 Profile Generator
Securing Customized Transactions in SAP R/3
How to Deactivate SAP* User ID