#
SAPAuthorization
#
SAPCompliance
This guide will walk you through the process of creating an SAP QuickViewer Report (SAP standard transaction SQVI) to identify Segregation of Duties (SoD) conflicts on the document level.
So the analysis is not on the level of user authorization (CAN DO), but actually will detect documents that were created violating a SoD rule, with an associated business risk (DID DO).
This blog post is therefore further detailing our previous blog (<-link to other blog about the webinar) and our recent webinar on ACCESS VIOLATION MANAGEMENT: MITIGATING CONTROLS FOR RISKS IN SAP GRC.
This is a useful tool for SAP authorization consultants, internal auditors, and even business users, to detect and mitigate business risks associated with a lack of segregation of duties.
This analysis is a simple and quick analysis, but it can have false negative results, i.e. some cases are not covered by this approach:
The tables used in this example store the user name of the user who created the document and vendor. Later changes are recorded in change documents and not considered in this simple analysis.
See also the remarks in our webinar, and we will follow up on this issue in one of our next blogs.
Here we are looking at the case where a user both created a vendor and created a purchase order (PO). The risks is that a user creates a bogus vendor and with the PO requests unauthorized goods that the company will pay.
The conflict detection will be based on two SAP tables: LFA1 (Vendor Master) and EKKO (PO Header).
Prerequisites
Our White Paper explains how using robust controls and automation, organizations can better manage fraud risks, comply with regulations, improve operational efficiency, and save substantial costs.
After defining the join between the LFA1 (Vendor Master) and EKKO (Purchase Order Header) tables, the next step is to select which fields will appear in your query output. Here's a step-by-step breakdown:
Selection criteria allow users to narrow down the data they want to view by applying filters. For example, a user may want to see records for a specific date range or check records created by a specific user.
With these additional details, your query will be more flexible and usable by a variety of users with different requirements for SoD conflict analysis.
Organizations are increasingly exposed to compliance requirements. Adopting innovative ways to assess and manage risk and enhance performance is critical. That’s where data analytics and continuous monitoring are helping to simplify and improve the internal control system, increase operational efficiencies, reduce costs, and detect fraud and errors earlier. Internal controls become a way for organizations to create value.
Troubleshooting
By following this guide, you will be able to create a custom SQVI query to detect SoD conflicts where a user has both created a vendor and a purchase order. This query can be further customized to suit specific reporting or compliance needs.
The same approach works for other potential SoD violations.
The analysis performed here is limited to the users who created the vendor/document, not taking into account changes that might occur later.
In many real-life fraud scenarios, this is a reasonable assumption. One could even argue, that if another user makes changes to the (bogus?) vendor after it was created, then a 4-eyes principle is effectively established because another user had a chance to review the vendor.
So while being incomplete, it is effective in many cases, and very easy to implement.
Note the SQVI query created can be executed at any later time, so a periodical review is easy and can help address and reduce risks from a lack of segregation of duties.
Jens has 20+ years of experience in SAP security, compliance and internal controls. He is an ex-auditor, always curious, willing to learn and to share knowledge. At VOQUZ Labs Jens is responsible for our risk and compliance products. He enjoys interacting with customers and finding quick and simple ways to improve our products to deliver value to customers. Pragmatic and customer-focused? Then Jens :)
Do you have any questions or something to add? Just leave us a message, please! Your message will be delivered by e-mail to us and will not be published.