AVM Mitigation Control Reference Guide v1.0
Greenlight Technologies, Inc. Page 2 of 69
COPYRIGHT INFORMATION
COPYRIGHT NOTICES
2004-2016 Greenlight Technologies, Inc. All Rights Reserved. The information in this document is provided for informational purposes only, is subject to change without notice, and should not be construed as a commitment by Greenlight Technologies, Inc. Greenlight Technologies, Inc. assumes no responsibility or liability for any errors or inaccuracies that may appear in this book. Except as permitted by license, no part of this document may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means – electronic, mechanical, recording, or otherwise – without the prior written permission of Greenlight Technologies, Inc. Printed in the U.S.A. CAUTION This document contains proprietary, confidential information that is the exclusive property of Greenlight Technologies, Inc. If you do not have a valid contract with Greenlight Technologies for the use of this document, or have not signed a non-disclosure agreement with Greenlight Technologies, then you received this document in an unauthorized manner and are not legally entitled to possess or read it. Use, duplication, and disclosure are subject to restrictions stated in your contract with Greenlight Technologies, Inc. Use, duplication, and disclosure by the Government are subject to restrictions for commercial software and shall be deemed to be Restricted Rights software under Federal Law.
DOCUMENT REVISION HISTORY
| Sr. No | Date | Version | Comments |
|---|---|---|---|
| 1 | 11/17/2016 | 1.0 | Document is updated for v1.0 release. |
TABLE OF CONTENTS
1 ABOUT THIS GUIDE
1.1 DOCUMENT PURPOSE
1.2 DOCUMENT CONVENTIONS
1.3 TARGET AUDIENCE
1.4 CONTACT GREENLIGHT
2 AUTOMATED CONTROL OVERVIEW
2.1 DEFINITIONS
3 RISKS
3.1 RISK-F001
3.2 RISK-F013
3.3 RISK-F028
3.4 RISK-M013
3.5 RISK-M014
3.6 RISK-P001
3.7 RISK-P004
3.8 RISK-P005
3.9 RISK-P006
3.10 RISK-P008
3.11 RISK-P011
3.12 RISK-P013
3.13 RISK-P018
3.14 RISK-P027
3.15 RISK-P028
3.16 RISK-P029
3.17 RISK-P032
3.18 RISK-P035
3.19 RISK-P040
3.20 RISK-P045
3.21 RISK-P049
3.22 RISK-S001
3.23 RISK-S003
3.24 RISK-S004
3.25 RISK-S005
3.26 RISK-S007
3.27 RISK-S008
3.28 RISK-S020
3.29 RISK-S021
3.30 RISK-S022
3.31 RISK-S025
3.32 RISK-S028
1 ABOUT THIS GUIDE
This document provides information about risk mitigation controls.
1.1 DOCUMENT PURPOSE
This document provides detailed information about risks along with the functions, joining conditions, execution sequences and the input parameter details.
1.2 DOCUMENT CONVENTIONS
The document conventions are as follows:
1. Bold Book Antiqua - to designate names of icons, buttons and menus.
2. Italic Book Antiqua - to designate hyperlinks and cross-references.
1.3 TARGET AUDIENCE
The target audience for this manual is the AVM LaserFocus team, who can schedule jobs for mitigation controls.
1.4 CONTACT GREENLIGHT
For any questions or queries contact:
Email: [email protected]
Web: www.greenlightcorp.com
2 AUTOMATED CONTROL OVERVIEW
SAP Access Violation Management by Greenlight (AVM) is an automated control solution that retrieves data from SAP ECC and correlates two or more transactions to identify actual SOD events by user. This exception reporting includes 100% transaction monitoring of ECC and fulfills the SOD mitigation control requirement.
2.1 DEFINITIONS
The list of prerequisites is as follows:
1. Linkages or Joining – identifies the fields which must be common and have matching data across the functions in the SOD before an exception is reported.
2. Execution Sequence – identifies which function module is executed first and whose output is used when the second function module is executed.
   a. Sequence is critical:
      i. To ensure the data is efficiently and correctly fetched from the ECC tables.
      ii. To understand when validating controls, so the person testing knows which transaction must be performed in the control execution period.
3 RISKS
This chapter provides detailed information about the risks.
3.1 RISK-F001
Risk ID: F001
Risk Description: Create a fictitious GL account and generate journal activity or hide activity via posting entries.

Execution Sequence and Functions:
I. GL01 - Post Journal Entry
II. GL02 - Maintain GL Master Data

Linkage or Joining:
GL01 -> USNAM (User ID) = GL02 -> USNAM (User ID)
GL01 -> BUKRS (Company Code) = GL02 -> BUKRS (Company Code)
GL01 -> HKONT (GL Code) = GL02 -> HKONT (GL Code)

Control Input Parameter

| Field Description | Condition | Remark |
|---|---|---|
| User Id | Mandatory | |
| Date | Mandatory | |
| Company Code | Mandatory | |
| Fiscal Year | Optional | |
| Journal Entry Document Type | Optional | Document types used for journal entries other than AB, JE, SA and SB are given as input in this field. |
| Journal Entry Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for post journal entry transaction creation are given as input in this field. |
| GL Master Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining the GL Master are given as input in this field. |
| GL Master Prior Month | Optional | This field is important if you schedule the control to run at a certain frequency. The value is the number of previous months to search for master data changes. If you give the value 4, the program checks master data changed in the last four months, calculating dates from the execution date. If you do not give a value, the default is 3 months. |
| GL Master Date | Optional | This field is important for immediate execution of the control, without scheduling, on previous data. Give the from date and to date for which changes in master data are to be checked. If you do not give a value, the default is 3 months. |
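The F001 joining conditions and the GL Master Prior Month default can be worked through in Python as an added example (it is not Greenlight's code): GL01 postings are fetched first, then GL02 master-data changes are matched on USNAM, BUKRS and HKONT inside the lookback window. The Event record, the function names, the sample users and document numbers, and the reading of Date as a from/to range for journal postings are assumptions made for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Event:
    function: str  # "GL01" (post journal entry) or "GL02" (maintain GL master)
    usnam: str     # User ID
    bukrs: str     # Company Code
    hkont: str     # GL Code
    on: date       # posting date (GL01) or change date (GL02)
    ref: str       # constructed document / change reference


def months_back(d, n):
    """Return the date n calendar months before d, clamping the day to month end."""
    year, month0 = divmod(d.year * 12 + (d.month - 1) - n, 12)
    month = month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def run_f001(events, users, date_from, date_to, company_code,
             execution_date, gl_master_prior_month=None):
    """Report users who both posted to and maintained the same GL account."""
    # Default lookback of 3 months, as stated for GL Master Prior Month.
    lookback = 3 if gl_master_prior_month is None else gl_master_prior_month
    window_start = months_back(execution_date, lookback)

    # Step I: GL01 postings restricted by the mandatory inputs.
    postings = [e for e in events
                if e.function == "GL01" and e.usnam in users
                and e.bukrs == company_code and date_from <= e.on <= date_to]

    # Step II: GL02 changes, fetched only for join keys produced by step I.
    wanted = {(p.usnam, p.bukrs, p.hkont) for p in postings}
    changes = {}
    for e in events:
        key = (e.usnam, e.bukrs, e.hkont)
        if (e.function == "GL02" and key in wanted
                and window_start <= e.on <= execution_date):
            changes.setdefault(key, []).append(e)

    # An exception needs all three linkage fields to match.
    return [(p.usnam, p.bukrs, p.hkont, p.ref, c.ref)
            for p in postings
            for c in changes.get((p.usnam, p.bukrs, p.hkont), [])]


# Constructed sample data (not taken from any real system).
SAMPLE_EVENTS = [
    Event("GL02", "JDOE", "1000", "0000199999", date(2016, 9, 20), "C-1"),
    Event("GL01", "JDOE", "1000", "0000199999", date(2016, 11, 10), "100000001"),
    # Different users on the same account: duties are separated, no exception.
    Event("GL02", "BLEE", "1000", "0000400000", date(2016, 11, 1), "C-2"),
    Event("GL01", "ASMITH", "1000", "0000400000", date(2016, 11, 11), "100000002"),
    # Same user and account, but the master change is in another company code.
    Event("GL02", "JDOE", "2000", "0000113100", date(2016, 10, 5), "C-3"),
    Event("GL01", "JDOE", "1000", "0000113100", date(2016, 11, 12), "100000003"),
    # Master change older than the default 3 months, inside a 6-month window.
    Event("GL02", "KPATEL", "1000", "0000120000", date(2016, 6, 30), "C-4"),
    Event("GL01", "KPATEL", "1000", "0000120000", date(2016, 11, 14), "100000004"),
]
SAMPLE_USERS = {"JDOE", "ASMITH", "KPATEL"}


def sample_run(prior_month=None):
    """Run the control over the constructed data with execution date 2016-11-17."""
    return run_f001(SAMPLE_EVENTS, SAMPLE_USERS, date(2016, 11, 1),
                    date(2016, 11, 17), "1000", date(2016, 11, 17), prior_month)


if __name__ == "__main__":
    for row in sample_run():
        print(row)
```

The KPATEL pair shows why the lookback matters when validating the control: a master-data change made before the window opens is never joined, however recent the posting is.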
3.2 RISK-F013
Risk ID: F013
Risk Description: Create the asset and manipulate the receipt of the associated asset.

Execution Sequence and Functions:
I. MM05 - Goods Receipts to PO
II. FA02 - Maintain Asset Master

Linkage or Joining:
MM05 -> USNAM (User ID) = FA02 -> USNAM (User ID)
MM05 -> ANLN1 (Main Asset No.) = FA02 -> ANLN1 (Main Asset No.)
MM05 -> ANLN2 (Sub Asset No.) = FA02 -> ANLN2 (Sub Asset No.)

Control Input Parameter

| Field Description | Condition | Remark |
|---|---|---|
| User Id | Mandatory | |
| Date | Mandatory | |
| Company Code | Optional | |
| Purchase Organization | Optional | |
| Plant | Optional | |
| Goods Receipt Movement Type | Optional | Movement types used for goods receipt other than 101, 102, 103, 104, 105 and 106 are given as input in this field. |
| Goods Receipt Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for Goods Receipt for PO transaction creation are given as input in this field. |
| Fixed Asset Master Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining the Fixed Asset Master are given as input in this field. |
| Fixed Asset Master Prior Month | Optional | This field is important if you schedule the control to run at a certain frequency. The value is the number of previous months to search for master data changes. If you give the value 4, the program checks master data changed in the last four months, calculating dates from the execution date. If you do not give a value, the default is 3 months. |
| Fixed Asset Master Date | Optional | This field is important for immediate execution of the control, without scheduling, on previous data. Give the from date and to date for which changes in master data are to be checked. If you do not give a value, the default is 3 months. |
3.3 RISK-F028
Risk ID: F028
Risk Description: Adjust the subsidiary balance using the vendor invoice entry and then cover it up using journal entries.

Execution Sequence and Functions:
I. GL01 - Post Journal Entry
II. AP02 - Process Vendor Invoices

Linkage or Joining:
GL01 -> USNAM (User ID) = AP02 -> USNAM (User ID)
GL01 -> BUKRS (Company Code) = AP02 -> BUKRS (Company Code)
GL01 -> HKONT (GL Code) = AP02 -> SAKNR (GL Code)

Control Input Parameter

| Field Description | Condition | Remark |
|---|---|---|
| User Id | Mandatory | |
| Date | Mandatory | |
| Company Code | Mandatory | |
| Fiscal Year | Optional | |
| Journal Entry Document Type | Optional | Document types used for journal entries other than AB, JE, SA and SB are given as input in this field. |
| Journal Entry Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for post journal entry transaction creation are given as input in this field. |
| Vendor Invoice Document Type | Optional | Document types used for vendor invoice entry other than KA, KG, KN, KR, KZ, NB, RE, RF, RK, RN, RV and VI are given as input in this field. |
| Vendor Invoice Prior Months | Mandatory | The value is the number of previous months to search for vendor invoices created. If you give the value 4, the program checks for vendor invoices created in the last four months, calculating dates from the execution date. |
| Vendor Invoice Posting Key | Optional | Posting keys for vendor invoice other than 21, 22, 31 and 32 are given as input in this field. |
| Vendor Invoice Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for vendor invoice creation are given as input in this field. |
3.4 RISK-M013
Risk ID: M013
Risk Description: Hide IM inventory adjustments via ledger entries

Execution Sequence and Functions:
I. MM03 - Enter Counts & Clear Diff - IM
II. GL01 - Post Journal Entry

Linkage or Joining:
MM03 -> USNAM (User ID) = GL01 -> USNAM (User ID)
MM03 -> SAKNR (GL Code) = GL01 -> HKONT (GL Code)

Control Input Parameter

| Field Description | Condition | Remark |
|---|---|---|
| User Id | Mandatory | |
| Date | Mandatory | |
| Plant | Optional | |
| Storage Location | Optional | |
| Fiscal Year | Optional | |
| Inventory Transaction Event Type | Optional | Event types used for inventory transactions other than ID, IB, IN and IZ are given as input in this field. |
| Inventory Posting Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for inventory posting transaction creation are given as input in this field. |
| Journal Entry Document Type | Optional | Document types used for journal entries other than AB, JE, SA and SB are given as input in this field. |
| Journal Entry Company Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for journal posting transaction creation are given as input in this field. |
| Journal Entry Prior Months | Mandatory | The value is the number of previous months to search for journal entries created. If you give the value 4, the program checks for journal entries created in the last four months, calculating dates from the execution date. |
| Journal Entry Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for post journal entry transaction creation are given as input in this field. |
3.5 RISK-M014
Risk ID: M014
Risk Description: Hide IM inventory adjustments via ledger entries

Execution Sequence and Functions:
I. MM01 - Clear Differences - IM
II. MM02 - Enter Counts - IM
II. GL01 - Post Journal Entry

Linkage or Joining (MM01 and MM02):
MM01 -> USNAM (User ID) = MM02 -> USNAM (User ID)
MM01 -> WERKS (Plant) = MM02 -> WERKS (Plant)
MM01 -> LGORT (Storage Loc.) = MM02 -> LGORT (Storage Loc.)
MM01 -> IBLNR (Inventory Doc No.) = MM02 -> IBLNR (Inventory Doc No.)
MM01 -> GJAHR (Fiscal Year) = MM02 -> GJAHR (Fiscal Year)
MM01 -> MATNR (Material Code) = MM02 -> MATNR (Material Code)

Linkage or Joining (MM01 and GL01):
MM01 -> USNAM (User ID) = GL01 -> USNAM (User ID)
MM01 -> SAKNR (GL Code) = GL01 -> HKONT (GL Code)

Control Input Parameter

| Field Description | Condition | Remark |
|---|---|---|
| User Id | Mandatory | |
| Date | Mandatory | |
| Plant | Optional | |
| Storage Location | Optional | |
| Fiscal Year | Optional | |
| Inventory Posting Event Type | Optional | Event types used for inventory transactions other than ID, IB, IN and IZ are given as input in this field. |
| Inventory Posting Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for inventory posting transactions are given as input in this field. |
| Journal Entry Document Type | Optional | Document types used for journal entries other than AB, JE, SA and SB are given as input in this field. |
| Journal Entry Company Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for journal posting transactions are given as input in this field. |
| Journal Entry Prior Months | Mandatory | The value is the number of previous months to search for journal entries created. If you give the value 4, the program checks for journal entries created in the last four months, calculating dates from the execution date. |
| Journal Entry Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for post journal entry transaction creation are given as input in this field. |
3.6 RISK-P001
Risk ID: P001
Risk Description: Maintain a fictitious vendor and enter a vendor invoice for automatic payment

Execution Sequence and Functions:
I. AP02 - Process Vendor Invoices
II. PR01 - Vendor Master Maintenance

Linkage or Joining:
AP02 -> USNAM (User ID) = PR01 -> USNAM (User ID)
AP02 -> BUKRS (Company Code) = PR01 -> BUKRS (Company Code)
AP02 -> LIFNR (Vendor Code) = PR01 -> LIFNR (Vendor Code)

Control Input Parameter

| Field Description | Condition | Remark |
|---|---|---|
| User Id | Mandatory | |
| Date | Mandatory | |
| Company Code | Mandatory | |
| Fiscal Year | Optional | |
| Vendor Invoice Document Type | Optional | Document types used for vendor invoice entry other than KA, KG, KN, KR, KZ, NB, RE, RF, RK, RN, RV and VI are given as input in this field. |
| Vendor Invoice Posting Key | Optional | Posting keys for vendor invoice other than 21, 22, 31 and 32 are given as input in this field. |
| Vendor Invoice Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for vendor invoice transaction creation are given as input in this field. |
| Vendor Master Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining the Vendor Master are given as input in this field. |
| Vendor Master Prior Month | Optional | This field is important if you schedule the control to run at a certain frequency. The value is the number of previous months to search for master data changes. If you give the value 4, the program checks master data changed in the last four months, calculating dates from the execution date. If you do not give a value, the default is 3 months. |
| Vendor Master Date | Optional | This field is important for immediate execution of the control, without scheduling, on previous data. Give the from date and to date for which changes in master data are to be checked. If you do not give a value, the default is 3 months. |
3.7 RISK-P004
Risk ID: P004
Risk Description: Purchase unauthorized items and initiate payment by invoicing

Execution Sequence and Functions:
I. AP02 - Process Vendor Invoices
II. PR02 - Maintain Purchase Order

Linkage or Joining:
AP02 -> USNAM (User ID) = PR02 -> USNAM (User ID)
AP02 -> BUKRS (Company Code) = PR02 -> BUKRS (Company Code)
AP02 -> LIFNR (Vendor Code) = PR02 -> LIFNR (Vendor Code)
AP02 -> EBELN (Purchase Order No.) = PR02 -> EBELN (Purchase Order No.)

Control Input Parameter

| Field Description | Condition | Remark |
|---|---|---|
| User Id | Mandatory | |
| Date | Mandatory | |
| Company Code | Mandatory | |
| Fiscal Year | Optional | |
| Vendor Invoice Document Type | Optional | Document types used for vendor invoice entry other than KA, KG, KN, KR, KZ, NB, RE, RF, RK, RN, RV and VI are given as input in this field. |
| Vendor Invoice Posting Key | Optional | Posting keys for vendor invoice posting other than 21, 22, 31 and 32 are given as input in this field. |
| Vendor Invoice Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for vendor invoice creation are given as input in this field. |
| Purchase Order Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining Purchase Orders are given as input in this field. |
| Purchase Order Prior Month | Optional | This field is important if you schedule the control to run at a certain frequency. The value is the number of previous months to search for Purchase Order data changes. If you give the value 4, the program checks Purchase Order data changed in the last four months, calculating dates from the execution date. If you do not give a value, the default is 3 months. |
| Purchase Order Date | Optional | This field is important for immediate execution of the control, without scheduling, on previous data. Give the from date and to date for which changes in Purchase Order data are to be checked. If you do not give a value, the default is 3 months. |
3.8 RISK-P005
Risk ID: P005
Risk Description: Enter fictitious purchase orders for personal use and accept the goods through goods receipt

Execution Sequence and Functions:
I. MM05 - Goods Receipts to PO
II. PR02 - Maintain Purchase Order

Linkage or Joining:
MM05 -> USNAM (User ID) = PR02 -> USNAM (User ID)
MM05 -> LIFNR (Vendor Code) = PR02 -> LIFNR (Vendor Code)
MM05 -> EBELN (Purchase Order No.) = PR02 -> EBELN (Purchase Order No.)
MM05 -> EBELP (PO Item No.) = PR02 -> EBELP (PO Item No.)

Control Input Parameter

| Field Description | Condition | Remark |
|---|---|---|
| User Id | Mandatory | |
| Date | Mandatory | |
| Company Code | Optional | |
| Purchase Organization | Optional | |
| Goods Receipt Movement Type | Optional | Movement types used for goods receipt other than 101, 102, 103, 104, 105 and 106 are given as input in this field. |
| Goods Receipt Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for Goods Receipt for PO transaction creation are given as input in this field. |
| Purchase Order Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining Purchase Orders are given as input in this field. |
| Purchase Order Prior Month | Optional | This field is important if you schedule the control to run at a certain frequency. The value is the number of previous months to search for Purchase Order data changes. If you give the value 4, the program checks Purchase Order data changed in the last four months, calculating dates from the execution date. If you do not give a value, the default is 3 months. |
| Purchase Order Date | Optional | This field is important for immediate execution of the control, without scheduling, on previous data. Give the from date and to date for which changes in Purchase Order data are to be checked. If you do not give a value, the default is 3 months. |
3.9 RISK-P006
Risk ID: P006
Risk Description: Enter fictitious vendor invoices and accept the goods via goods receipt.

Execution Sequence and Functions:
I. AP02 - Process Vendor Invoices
II. MM05 - Goods Receipts to PO

Linkage or Joining:
AP02 -> USNAM (User ID) = MM05 -> USNAM (User ID)
AP02 -> BUKRS (Company Code) = MM05 -> BUKRS (Company Code)
AP02 -> LIFNR (Vendor Code) = MM05 -> LIFNR (Vendor Code)
AP02 -> MBLNR (Material Doc No.) = MM05 -> MBLNR (Material Doc No.)
AP02 -> GJAHR1 (Material Doc Year) = MM05 -> MJAHR (Material Doc Year)

Control Input Parameter

| Field Description | Condition | Remark |
|---|---|---|
| User Id | Mandatory | |
| Date | Mandatory | |
| Company Code | Mandatory | |
| Fiscal Year | Optional | |
| Vendor Invoice Document Type | Optional | Document types used for vendor invoice entry other than KA, KG, KN, KR, KZ, NB, RE, RF, RK, RN, RV and VI are given as input in this field. |
| Vendor Invoice Posting Key | Optional | Posting keys for vendor invoice posting other than 21, 22, 31 and 32 are given as input in this field. |
| Vendor Invoice Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for vendor invoice processing transaction creation are given as input in this field. |
| Goods Receipt Movement Type | Optional | Movement types used for goods receipt other than 101, 102, 103, 104, 105 and 106 are given as input in this field. |
| Goods Receipt Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for Goods Receipt to PO transaction creation are given as input in this field. |
3.10 RISK-P008
Risk ID: P008
Risk Description: Create a fictitious vendor and initiate purchases to that vendor

Execution Sequence and Functions:
I. PR02 - Maintain Purchase Order
II. PR01 - Vendor Master Maintenance

Linkage or Joining:
PR02 -> USNAM (User ID) = PR01 -> USNAM (User ID)
PR02 -> EKORG (Pur. Org.) = PR01 -> EKORG (Pur. Org.)
PR02 -> LIFNR (Vendor Code) = PR01 -> LIFNR (Vendor Code)

Control Input Parameter

| Field Description | Condition | Remark |
|---|---|---|
| User Id | Mandatory | |
| Date | Mandatory | |
| Purchasing Organization | Optional | |
| Purchase Order Doc Type | Optional | |
| Purchase Order Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining Purchase Orders are given as input in this field. |
| Vendor Master Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining the Vendor Master are given as input in this field. |
| Vendor Master Prior Month | Optional | This field is important if you schedule the control to run at a certain frequency. The value is the number of previous months to search for master data changes. If you give the value 4, the program checks master data changed in the last four months, calculating dates from the execution date. If you do not give a value, the default is 3 months. |
| Vendor Master Date | Optional | This field is important for immediate execution of the control, without scheduling, on previous data. Give the from date and to date for which changes in master data are to be checked. If you do not give a value, the default is 3 months. |
3.11 RISK-P011
Risk ID: P011
Risk Description: Inappropriately procure an item and manipulate the IM physical inventory counts to hide it.

Execution Sequence and Functions:
I. MM03 - Enter Counts & Clear Diff - IM
II. PR02 - Maintain Purchase Order

Linkage or Joining:
MM03 -> USNAM (User ID) = PR02 -> USNAM (User ID)
MM03 -> WERKS (Plant) = PR02 -> WERKS (Plant)
MM03 -> MATNR (Material Code) = PR02 -> MATNR (Material Code)

Control Input Parameter

| Field Description | Condition | Remark |
|---|---|---|
| User Id | Mandatory | |
| Date | Mandatory | |
| Plant | Optional | |
| Storage Location | Optional | |
| Fiscal Year | Optional | |
| Inventory Posting Event Type | Optional | Event types used for inventory transactions other than ID, IB, IN and IZ are given as input in this field. |
| Inventory Posting Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for inventory posting transactions are given as input in this field. |
| Purchase Order Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining Purchase Orders are given as input in this field. |
| Purchase Order Prior Month | Optional | This field is important if you schedule the control to run at a certain frequency. The value is the number of previous months to search for Purchase Order data changes. If you give the value 4, the program checks Purchase Order data changed in the last four months, calculating dates from the execution date. If you do not give a value, the default is 3 months. |
| Purchase Order Date | Optional | This field is important for immediate execution of the control, without scheduling, on previous data. Give the from date and to date for which changes in Purchase Order data are to be checked. If you do not give a value, the default is 3 months. |
3.12 RISK-P013
Risk ID
Risk Description Execution Sequence
Functions Linkage or Joining
P013
Add items to the material master or service master file and create fraudulent purchase orders for those items.
I PR02 - Maintain Purchase Order
PR02 -> USNAM (User ID) = MM06 -> USNAM (User ID) PR02 -> WERKS (Plant) = MM06 -> WERKS (Plant) PR02 -> MATNR (Material Code) = MM06 -> MATNR (Material Code)
II
MM06 - Maintain Material Master Data.
Control Input Parameter
Field Description | Condition | Remark
User Id | Mandatory
Date | Mandatory
Purchasing Organization | Optional
Purchase Order Doc Type | Optional
Purchase Order Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining Purchase Orders are entered in this field.
Material Master Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining the Material Master are entered in this field.
Material Master Prior Month | Optional | Important when the control is scheduled to run at a set frequency. The value sets how many previous months are searched for master data changes. For example, with a value of 4 the program checks master data changed in the last four months, counted back from the execution date. If no value is given, the default is 3 months.
Material Master Date | Optional | Important when the control is executed immediately, without scheduling, against previous data. Enter the from date and to date for which master data changes are to be checked. If no value is given, the default is 3 months.
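The P013 linkage and its lookback parameters, sketched in Python as an added example; this is not Greenlight's AVM code. The record layout (dicts with DATE and REF fields), the treatment of the mandatory Date as a from/to range, and the precedence of the Material Master Date range over Prior Month are assumptions, and all sample records are constructed.

```python
import calendar
from datetime import date

# Linkage keys listed for P013: PR02 -> field = MM06 -> field.
LINK_KEYS = ("USNAM", "WERKS", "MATNR")
DEFAULT_PRIOR_MONTHS = 3  # the guide's default when no value is given


def months_back(day, months):
    """Date `months` calendar months before `day`; the day is clamped to month end."""
    total = day.year * 12 + (day.month - 1) - months
    year, month0 = divmod(total, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(day.day, last_day))


def master_window(execution_date, prior_months=None, date_range=None):
    """Resolve the Material Master lookback from the two optional parameters.

    Assumption: an explicit from/to range takes precedence over Prior Month.
    """
    if date_range is not None:
        start, end = date_range
        if start > end:
            raise ValueError("from date is later than to date")
        return start, end
    months = DEFAULT_PRIOR_MONTHS if prior_months is None else prior_months
    if months < 1:
        raise ValueError("prior months must be a positive number")
    return months_back(execution_date, months), execution_date


def link_key(event):
    """Tuple used to join a PR02 record to an MM06 record."""
    return tuple(str(event[k]).strip().upper() for k in LINK_KEYS)


def find_conflicts(po_events, mm_events, user_ids, po_range, execution_date,
                   prior_months=None, mm_date_range=None):
    """Return sorted (PO ref, master-change ref) pairs where one user did both."""
    if not user_ids or po_range is None:
        raise ValueError("User Id and Date are mandatory")
    users = {u.strip().upper() for u in user_ids}
    po_from, po_to = po_range
    mm_from, mm_to = master_window(execution_date, prior_months, mm_date_range)

    # Index in-window master data changes by linkage key for a single-pass join.
    changes = {}
    for mm in mm_events:
        if mm_from <= mm["DATE"] <= mm_to:
            changes.setdefault(link_key(mm), []).append(mm)

    hits = []
    for po in po_events:
        if po["USNAM"].strip().upper() not in users:
            continue
        if not po_from <= po["DATE"] <= po_to:
            continue
        for mm in changes.get(link_key(po), []):
            hits.append((po["REF"], mm["REF"]))
    return sorted(hits)


def event(usnam, werks, matnr, day, ref):
    """Build one record; DATE and REF are assumed field names."""
    return {"USNAM": usnam, "WERKS": werks, "MATNR": matnr, "DATE": day, "REF": ref}


# Constructed sample records (not real data).
EXECUTION_DATE = date(2016, 11, 17)
PO_RANGE = (date(2016, 11, 1), date(2016, 11, 17))
USERS = ["JDOE", "ASMITH"]
PO_EVENTS = [
    event("JDOE", "1000", "MAT-001", date(2016, 11, 10), "PO-1"),
    event("JDOE", "1000", "MAT-002", date(2016, 11, 11), "PO-2"),
    event("ASMITH", "1000", "MAT-003", date(2016, 11, 12), "PO-3"),
    event("JDOE", "2000", "MAT-001", date(2016, 11, 14), "PO-4"),  # other plant
]
MM_EVENTS = [
    event("JDOE", "1000", "MAT-001", date(2016, 9, 15), "MC-1"),
    event("JDOE", "1000", "MAT-002", date(2016, 7, 20), "MC-2"),   # older than 3 months
    event("BJONES", "1000", "MAT-003", date(2016, 10, 1), "MC-3"),  # different user
]

if __name__ == "__main__":
    for months in (None, 4):
        hits = find_conflicts(PO_EVENTS, MM_EVENTS, USERS, PO_RANGE,
                              EXECUTION_DATE, prior_months=months)
        print("prior months:", months or DEFAULT_PRIOR_MONTHS, "->", hits)
```

With the default window only PO-1 pairs with a master data change by the same user; widening Prior Month to 4 also surfaces PO-2, which shows how the lookback value changes what the control reports.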
3.13 RISK-P018
Risk ID: P018
Risk Description: Add an item to the material master or service master file and then fraudulently add those items to purchasing agreements.
Execution Sequence / Functions:
I PR05 - Purchasing Agreements
II MM06 - Maintain Material Master Data
Linkage or Joining:
PR05 -> USNAM (User ID) = MM06 -> USNAM (User ID)
PR05 -> WERKS (Plant) = MM06 -> WERKS (Plant)
PR05 -> MATNR (Material Code) = MM06 -> MATNR (Material Code)
Control Input Parameter
Field Description | Condition | Remark
User Id | Mandatory
Date | Mandatory
Purchasing Organization | Optional
Purchase Agreement Doc Type | Optional
Purchase Agreement Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining Purchase Agreements are entered in this field.
Material Master Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining the Material Master are entered in this field.
Material Master Prior Month | Optional | Important when the control is scheduled to run at a set frequency. The value sets how many previous months are searched for master data changes. For example, with a value of 4 the program checks master data changed in the last four months, counted back from the execution date. If no value is given, the default is 3 months.
Material Master Date | Optional | Important when the control is executed immediately, without scheduling, against previous data. Enter the from date and to date for which master data changes are to be checked. If no value is given, the default is 3 months.
3.14 RISK-P027
Risk ID: P027
Risk Description: Risk of entry of fictitious Purchasing Agreements and the entry of a fictitious Vendor or modification of an existing Vendor, especially account data.
Execution Sequence / Functions:
I PR05 - Purchasing Agreements
II PR01 - Vendor Master Maintenance
Linkage or Joining:
PR05 -> USNAM (User ID) = PR01 -> USNAM (User ID)
PR05 -> EKORG (Pur. Org.) = PR01 -> EKORG (Pur. Org.)
PR05 -> LIFNR (Vendor Code) = PR01 -> LIFNR (Vendor Code)
Control Input Parameter
Field Description | Condition | Remark
User Id | Mandatory
Date | Mandatory
Purchasing Organization | Optional
Purchase Agreement Doc Type | Optional
Purchase Agreement Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining Purchase Agreements are entered in this field.
Vendor Master Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining the Vendor Master are entered in this field.
Vendor Master Prior Month | Optional | Important when the control is scheduled to run at a set frequency. The value sets how many previous months are searched for master data changes. For example, with a value of 4 the program checks master data changed in the last four months, counted back from the execution date. If no value is given, the default is 3 months.
Vendor Master Date | Optional | Important when the control is executed immediately, without scheduling, against previous data. Enter the from date and to date for which master data changes are to be checked. If no value is given, the default is 3 months.
3.15 RISK-P028
Risk ID: P028
Risk Description: Modify purchasing agreements and then receive goods for fraudulent purposes.
Execution Sequence / Functions:
I MM05 - Goods Receipts to PO
II PR05 - Purchasing Agreements
Linkage or Joining:
MM05 -> USNAM (User ID) = PR05 -> USNAM (User ID)
MM05 -> LIFNR (Vendor Code) = PR05 -> LIFNR (Vendor Code)
MM05 -> EBELN (Purchase Order No.) = PR05 -> EBELN (Purchase Order No.)
MM05 -> MATNR (Material Code) = PR05 -> MATNR (Material Code)
Control Input Parameter
Field Description | Condition | Remark
User Id | Mandatory
Date | Mandatory
Company Code | Optional
Purchase Organization | Optional
Goods Receipt Movement Type | Optional | Movement types used for Goods Receipt other than 101, 102, 103, 104, 105, and 106 are entered in this field.
Goods Receipt Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for creating Goods Receipt to PO transactions are entered in this field.
Purchase Agreement Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining Purchase Agreements are entered in this field.
Purchase Agreement Prior Month | Optional | Important when the control is scheduled to run at a set frequency. The value sets how many previous months are searched for Purchase Agreement data changes. For example, with a value of 4 the program checks Purchase Agreement data changed in the last four months, counted back from the execution date. If no value is given, the default is 3 months.
Purchase Agreement Date | Optional | Important when the control is executed immediately, without scheduling, against previous data. Enter the from date and to date for which Purchase Agreement data changes are to be checked. If no value is given, the default is 3 months.
3.16 RISK-P029
Risk ID: P029
Risk Description: Enter unauthorized items to a purchasing agreement and create an invoice to obtain those items for personal use
Execution Sequence / Functions:
I AP02 - Process Vendor Invoices
II PR05 - Purchasing Agreements
Linkage or Joining:
AP02 -> USNAM (User ID) = PR05 -> USNAM (User ID)
AP02 -> BUKRS (Company Code) = PR05 -> BUKRS (Company Code)
AP02 -> LIFNR (Vendor Code) = PR05 -> LIFNR (Vendor Code)
AP02 -> EBELN (Purchase Order No.) = PR05 -> EBELN (Purchase Order No.)
Control Input Parameter
Field Description | Condition | Remark
User Id | Mandatory
Date | Mandatory
Company Code | Mandatory
Fiscal Year | Optional
Vendor Invoice Document Type | Optional | Document types used for Vendor Invoice entry other than KA, KG, KN, KR, KZ, NB, RE, RF, RK, RN, RV and VI are entered in this field.
Vendor Invoice Posting Key | Optional | Posting keys for vendor invoice posting other than 21, 22, 31 and 32 are entered in this field.
Vendor Invoice Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for vendor invoice creation are entered in this field.
Purchase Agreement Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining Purchase Agreements are entered in this field.
Purchase Agreement Prior Month | Optional | Important when the control is scheduled to run at a set frequency. The value sets how many previous months are searched for Purchase Agreement data changes. For example, with a value of 4 the program checks Purchase Agreement data changed in the last four months, counted back from the execution date. If no value is given, the default is 3 months.
Purchase Agreement Date | Optional | Important when the control is executed immediately, without scheduling, against previous data. Enter the from date and to date for which Purchase Agreement data changes are to be checked. If no value is given, the default is 3 months.
3.17 RISK-P032
Risk ID: P032
Risk Description: Risk of entering or maintaining a purchasing agreement and authorizing the related requisition through its release.
Execution Sequence / Functions:
I PR05 - Purchasing Agreements
II PR06 - Release Requisitions
Linkage or Joining:
PR05 -> USNAM (User ID) = PR06 -> USNAM (User ID)
PR05 -> BANFN (Pur. Requisition No.) = PR06 -> BANFN (Pur. Requisition No.)
PR05 -> MATNR (Material Code) = PR06 -> MATNR (Material Code)
Control Input Parameter
Field Description | Condition | Remark
User Id | Mandatory
Date | Mandatory
Purchasing Organization | Optional
Purchase Agreement Doc Type | Optional
Purchase Agreement Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining Purchase Agreements are entered in this field.
Release Purchase Requisition Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining Purchase Requisitions are entered in this field.
Release Purchase Requisition Prior Month | Optional | Important when the control is scheduled to run at a set frequency. The value sets how many previous months are searched for Purchase Requisition data changes. For example, with a value of 4 the program checks Purchase Requisition data changed in the last four months, counted back from the execution date. If no value is given, the default is 3 months.
Release Purchase Requisition Date | Optional | Important when the control is executed immediately, without scheduling, against previous data. Enter the from date and to date for which Release Purchase Requisition data changes are to be checked. If no value is given, the default is 3 months.
3.18 RISK-P035
Risk ID: P035
Risk Description: Risk of the same person entering a Purchasing Agreement for materials and then adjusting the IM inventory for those materials.
Execution Sequence / Functions:
I MM03 - Enter Counts & Clear Diff - IM
II PR05 - Purchasing Agreements
Linkage or Joining:
MM03 -> USNAM (User ID) = PR05 -> USNAM (User ID)
MM03 -> WERKS (Plant) = PR05 -> WERKS (Plant)
MM03 -> MATNR (Material Code) = PR05 -> MATNR (Material Code)
Control Input Parameter
Field Description | Condition | Remark
User Id | Mandatory
Date | Mandatory
Plant | Optional
Storage Location | Optional
Fiscal Year | Optional
Inventory Posting Event Type | Optional | Event types used for Inventory transactions other than ID, IB, IN and IZ are entered in this field.
Inventory Posting Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for inventory posting transactions are entered in this field.
Purchase Agreement Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining Purchase Agreements are entered in this field.
Purchase Agreement Prior Month | Optional | Important when the control is scheduled to run at a set frequency. The value sets how many previous months are searched for Purchase Agreement data changes. For example, with a value of 4 the program checks Purchase Agreement data changed in the last four months, counted back from the execution date. If no value is given, the default is 3 months.
Purchase Agreement Date | Optional | Important when the control is executed immediately, without scheduling, against previous data. Enter the from date and to date for which Purchase Agreement data changes are to be checked. If no value is given, the default is 3 months.
3.19 RISK-P040
Risk ID: P040
Risk Description: Risk of the same person releasing a requisition and generating the accompanying purchase order.
Execution Sequence / Functions:
I PR02 - Maintain Purchase Order
II PR06 - Release Requisitions
Linkage or Joining:
PR02 -> USNAM (User ID) = PR06 -> USNAM (User ID)
PR02 -> BANFN (Pur. Requisition No.) = PR06 -> BANFN (Pur. Requisition No.)
PR02 -> MATNR (Material Code) = PR06 -> MATNR (Material Code)
Control Input Parameter
Field Description | Condition | Remark
User Id | Mandatory
Date | Mandatory
Purchasing Organization | Optional
Purchase Order Doc Type | Optional
Purchase Order Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining Purchase Orders are entered in this field.
Release Purchase Requisition Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining Purchase Requisitions are entered in this field.
Release Purchase Requisition Prior Month | Optional | Important when the control is scheduled to run at a set frequency. The value sets how many previous months are searched for Purchase Requisition data changes. For example, with a value of 4 the program checks Purchase Requisition data changed in the last four months, counted back from the execution date. If no value is given, the default is 3 months.
Release Purchase Requisition Date | Optional | Important when the control is executed immediately, without scheduling, against previous data. Enter the from date and to date for which Release Purchase Requisition data changes are to be checked. If no value is given, the default is 3 months.
3.20 RISK-P045
Risk ID: P045
Risk Description: Inappropriately procure an item and manipulate the IM physical inventory counts to hide it.
Execution Sequence / Functions:
I MM01 - Clear Differences - IM
II MM02 - Enter Counts - IM
II PR02 - Maintain Purchase Order
Linkage or Joining:
MM01 -> USNAM (User ID) = MM02 -> USNAM (User ID)
MM01 -> WERKS (Plant) = MM02 -> WERKS (Plant)
MM01 -> LGORT (Storage Loc.) = MM02 -> LGORT (Storage Loc.)
MM01 -> IBLNR (Inventory Doc No.) = MM02 -> IBLNR (Inventory Doc No.)
MM01 -> GJAHR (Fiscal Year) = MM02 -> GJAHR (Fiscal Year)
MM01 -> MATNR (Material Code) = MM02 -> MATNR (Material Code)
MM01 -> USNAM (User ID) = PR02 -> USNAM (User ID)
MM01 -> WERKS (Plant) = PR02 -> WERKS (Plant)
MM01 -> MATNR (Material Code) = PR02 -> MATNR (Material Code)
Control Input Parameter
Field Description | Condition | Remark
User Id | Mandatory
Date | Mandatory
Plant | Optional
Storage Location | Optional
Fiscal Year | Optional
Inventory Posting Event Type | Optional | Event types used for Inventory transactions other than ID, IB, IN and IZ are entered in this field.
Inventory Posting Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for inventory posting transactions are entered in this field.
Purchase Order Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining Purchase Orders are entered in this field.
Purchase Order Prior Month | Optional | Important when the control is scheduled to run at a set frequency. The value sets how many previous months are searched for Purchase Order data changes. For example, with a value of 4 the program checks Purchase Order data changed in the last four months, counted back from the execution date. If no value is given, the default is 3 months.
Purchase Order Date | Optional | Important when the control is executed immediately, without scheduling, against previous data. Enter the from date and to date for which Purchase Order data changes are to be checked. If no value is given, the default is 3 months.
3.21 RISK-P049
Risk ID: P049
Risk Description: Risk of the same person entering a Purchasing Agreement for materials and then adjusting the IM inventory for those materials.
Execution Sequence / Functions:
I MM01 - Clear Differences - IM
II MM02 - Enter Counts - IM
II PR05 - Purchasing Agreements
Linkage or Joining:
MM01 -> USNAM (User ID) = MM02 -> USNAM (User ID)
MM01 -> WERKS (Plant) = MM02 -> WERKS (Plant)
MM01 -> LGORT (Storage Loc.) = MM02 -> LGORT (Storage Loc.)
MM01 -> IBLNR (Inventory Doc No.) = MM02 -> IBLNR (Inventory Doc No.)
MM01 -> GJAHR (Fiscal Year) = MM02 -> GJAHR (Fiscal Year)
MM01 -> MATNR (Material Code) = MM02 -> MATNR (Material Code)
MM01 -> USNAM (User ID) = PR05 -> USNAM (User ID)
MM01 -> WERKS (Plant) = PR05 -> WERKS (Plant)
MM01 -> MATNR (Material Code) = PR05 -> MATNR (Material Code)
Control Input Parameter
Field Description | Condition | Remark
User Id | Mandatory
Date | Mandatory
Plant | Optional
Storage Location | Optional
Fiscal Year | Optional
Inventory Posting Event Type | Optional | Event types used for Inventory transactions other than ID, IB, IN and IZ are entered in this field.
Inventory Posting Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for inventory posting transactions are entered in this field.
Purchase Agreement Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining Purchase Agreements are entered in this field.
Purchase Agreement Prior Month | Optional | Important when the control is scheduled to run at a set frequency. The value sets how many previous months are searched for Purchase Agreement data changes. For example, with a value of 4 the program checks Purchase Agreement data changed in the last four months, counted back from the execution date. If no value is given, the default is 3 months.
Purchase Agreement Date | Optional | Important when the control is executed immediately, without scheduling, against previous data. Enter the from date and to date for which Purchase Agreement data changes are to be checked. If no value is given, the default is 3 months.
3.22 RISK-S001
Risk ID: S001
Risk Description: Enter or modify sales documents and approve customer credit limits
Execution Sequence / Functions:
I SD05 - Sales Order Processing
II AR04 - Credit Management
Linkage or Joining:
SD05 -> USNAM (User ID) = AR04 -> USNAM (User ID)
SD05 -> KUNNR (Customer Code) = AR04 -> KUNNR (Customer Code)
Control Input Parameter
Field Description | Condition | Remark
User Id | Mandatory
Date | Mandatory
Sales Organization | Optional
Distribution Channel | Optional
Division | Optional
Company Code | Optional
Sales Order Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for Sales Order maintenance are entered in this field.
Credit Management Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining Credit Management are entered in this field.
Credit Management Prior Month | Optional | Important when the control is scheduled to run at a set frequency. The value sets how many previous months are searched for Credit Management data changes. For example, with a value of 4 the program checks Credit Management data changed in the last four months, counted back from the execution date. If no value is given, the default is 3 months.
Credit Management Date | Optional | Important when the control is executed immediately, without scheduling, against previous data. Enter the from date and to date for which Credit Management data changes are to be checked. If no value is given, the default is 3 months.
3.23 RISK-S003
Risk ID: S003
Risk Description: Create a fictitious customer and initiate a fraudulent sales document
Execution Sequence / Functions:
I SD05 - Sales Order Processing
II SD01 - Maintain Customer Master Data
Linkage or Joining:
SD05 -> USNAM (User ID) = SD01 -> USNAM (User ID)
SD05 -> VKORG (Sales Organization) = SD01 -> VKORG (Sales Organization)
SD05 -> VTWEG (Distribution Channel) = SD01 -> VTWEG (Distribution Channel)
SD05 -> SPART (Division) = SD01 -> SPART (Division)
SD05 -> KUNNR (Customer Code) = SD01 -> KUNNR (Customer Code)
Control Input Parameter
Field Description | Condition | Remark
User Id | Mandatory
Date | Mandatory
Sales Organization | Optional
Distribution Channel | Optional
Division | Optional
Company Code | Optional
Sales Order Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for Sales Order maintenance are entered in this field.
Customer Master Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining the Customer Master are entered in this field.
Customer Master Prior Month | Optional | Important when the control is scheduled to run at a set frequency. The value sets how many previous months are searched for master data changes. For example, with a value of 4 the program checks master data changed in the last four months, counted back from the execution date. If no value is given, the default is 3 months.
Customer Master Date | Optional | Important when the control is executed immediately, without scheduling, against previous data. Enter the from date and to date for which master data changes are to be checked. If no value is given, the default is 3 months.
3.24 RISK-S004
Risk ID: S004
Risk Description: Make an unauthorized change to the master record (payment terms, tolerance level) in favor of the customer and enter an inappropriate invoice.
Execution Sequence / Functions:
I AR07 - Process Customer Invoices
II SD01 - Maintain Customer Master Data
Linkage or Joining:
AR07 -> USNAM (User ID) = SD01 -> USNAM (User ID)
AR07 -> BUKRS (Company Code) = SD01 -> BUKRS (Company Code)
AR07 -> KUNNR (Customer Code) = SD01 -> KUNNR (Customer Code)
Control Input Parameter
Field Description | Condition | Remark
User Id | Mandatory
Date | Mandatory
Company Code | Mandatory
Fiscal Year | Optional
Customer Invoice Document Type | Optional | Document types used for Customer Invoice entry other than CI, DE, and DR are entered in this field.
Process Customer Invoice Posting Key | Optional | Posting keys for process customer invoice posting other than 01 and 12 are entered in this field.
Process Customer Invoice Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for creating process customer invoice transactions are entered in this field.
Customer Master Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining the Customer Master are entered in this field.
Customer Master Prior Month | Optional | Important when the control is scheduled to run at a set frequency. The value sets how many previous months are searched for master data changes. For example, with a value of 4 the program checks master data changed in the last four months, counted back from the execution date. If no value is given, the default is 3 months.
Customer Master Date | Optional | Important when the control is executed immediately, without scheduling, against previous data. Enter the from date and to date for which master data changes are to be checked. If no value is given, the default is 3 months.
3.25 RISK-S005
Risk ID: S005
Risk Description: Inappropriately create or change rebate agreements and manage a customer's master record in favor of the customer. Could also change a customer's master record to direct payment to an inappropriate location.
Execution Sequence / Functions:
I SD03 - Sales Rebates
II SD01 - Maintain Customer Master Data
Linkage or Joining:
SD03 -> USNAM (User ID) = SD01 -> USNAM (User ID)
SD03 -> VKORG (Sales Organization) = SD01 -> VKORG (Sales Organization)
SD03 -> VTWEG (Distribution Channel) = SD01 -> VTWEG (Distribution Channel)
SD03 -> SPART (Division) = SD01 -> SPART (Division)
SD03 -> KUNNR (Customer Code) = SD01 -> KUNNR (Customer Code)
Control Input Parameter
Field Description | Condition | Remark
User Id | Mandatory
Date | Mandatory
Sales Organization | Optional
Distribution Channel | Optional
Sales Rebate Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for Sales Rebate maintenance are entered in this field.
Customer Master Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for maintaining the Customer Master are entered in this field.
Customer Master Prior Month | Optional | Important when the control is scheduled to run at a set frequency. The value sets how many previous months are searched for master data changes. For example, with a value of 4 the program checks master data changed in the last four months, counted back from the execution date. If no value is given, the default is 3 months.
Customer Master Date | Optional | Important when the control is executed immediately, without scheduling, against previous data. Enter the from date and to date for which master data changes are to be checked. If no value is given, the default is 3 months.
3.26 RISK-S007
Risk ID: S007
Risk Description: Inappropriately create or change a sales document and generate a corresponding billing document for it.
Execution Sequence / Functions:
I AR05 - Maintain Billing Documents
II SD05 - Sales Order Processing
Linkage or Joining:
AR05 -> USNAM (User ID) = SD05 -> USNAM (User ID)
AR05 -> VKORG (Sales Organization) = SD05 -> VKORG (Sales Organization)
AR05 -> VTWEG (Distribution Channel) = SD05 -> VTWEG (Distribution Channel)
AR05 -> SPART (Division) = SD05 -> SPART (Division)
AR05 -> KUNNR (Customer Code) = SD05 -> KUNNR (Customer Code)
AR05 -> AUBEL (Sales Order Number) = SD05 -> VBELN (Sales Order Number)
AR05 -> AUPOS (Sales Doc Item) = SD05 -> POSNR (Sales Order Item)
Control Input Parameter
Field Description | Condition | Remark
User Id | Mandatory
Date | Mandatory
Sales Organization | Optional
Distribution Channel | Optional
Division | Optional
Sales Order Transaction Code | Optional | Transaction codes that are not in the SAP standard ruleset and are used for Sales Order maintenance are entered in this field.
Sales Order Prior Month | Optional | Important when the control is scheduled to run at a set frequency. The value sets how many previous months are searched for Sales Order data changes. For example, with a value of 4 the program checks Sales Order data changed in the last four months, counted back from the execution date. If no value is given, the default is 3 months.
Sales Order Date | Optional | Important when the control is executed immediately, without scheduling, against previous data. Enter the from date and to date for which Sales Order data changes are to be checked. If no value is given, the default is 3 months.
3.27 RISK-S008
Risk ID: S008
Risk Description: Manipulate the user's credit limit and assign generous rebates to execute a marginal customer's order.
Execution Sequence / Functions:
I SD03 - Sales Rebates
II AR04 - Credit Management
Linkage or Joining:
SD03 -> USNAM (User ID) = AR04 -> USNAM (User ID)
SD03 -> KUNNR (Customer Code) = AR04 -> KUNNR (Customer Code)
Control Input Parameter
| Field Description | Condition | Remark |
|---|---|---|
| User Id | Mandatory | |
| Date | Mandatory | |
| Sales Organization | Optional | |
| Distribution Channel | Optional | |
| Company Code | Optional | |
| Sales Rebate Transaction Code | Optional | Enter transaction codes that are not in the SAP standard Ruleset and are used for Sales Rebate maintenance. |
| Credit Management Transaction Code | Optional | Enter transaction codes that are not in the SAP standard Ruleset and are used for Credit Management maintenance. |
| Credit Management Prior Month | Optional | This field is important when the control is scheduled to run at a set frequency. Its value is the number of previous months searched for Credit Management data changes. For example, with a value of 4 the program checks Credit Management data changed in the last four months, counted back from the execution date. If no value is given, the default is 3 months. |
| Credit Management Date | Optional | This field is important when the control is executed immediately, without scheduling, against previous data. Enter the from date and to date for which changes in Credit Management data are to be checked. If no value is given, the default is 3 months. |
3.28 RISK-S020
Risk ID: S020
Risk Description: Risk of entering and releasing sales documents by the same person
Execution Sequence and Functions:
I SD04 - Sales Document Release
II SD05 - Sales Order Processing
Linkage or Joining:
SD04 -> USNAM (User ID) = SD05 -> USNAM (User ID)
SD04 -> VKORG (Sales Organization) = SD05 -> VKORG (Sales Organization)
SD04 -> VTWEG (Distribution Channel) = SD05 -> VTWEG (Distribution Channel)
SD04 -> SPART (Division) = SD05 -> SPART (Division)
SD04 -> KUNNR (Customer Code) = SD05 -> KUNNR (Customer Code)
SD04 -> VBELN_C (Sales Order Number) = SD05 -> VBELN (Sales Order Number)
Control Input Parameter
| Field Description | Condition | Remark |
|---|---|---|
| User Id | Mandatory | |
| Date | Mandatory | |
| Sales Organization | Optional | |
| Distribution Channel | Optional | |
| Company Code | Optional | |
| Sales Doc Release Transaction Code | Optional | Enter transaction codes that are not in the SAP standard Ruleset and are used for Sales Document Release maintenance. |
| Sales Order Transaction Code | Optional | Enter transaction codes that are not in the SAP standard Ruleset and are used for Sales Order maintenance. |
| Sales Order Prior Month | Optional | This field is important when the control is scheduled to run at a set frequency. Its value is the number of previous months searched for Sales Order data changes. For example, with a value of 4 the program checks Sales Order data changed in the last four months, counted back from the execution date. If no value is given, the default is 3 months. |
| Sales Order Date | Optional | This field is important when the control is executed immediately, without scheduling, against previous data. Enter the from date and to date for which changes in Sales Order data are to be checked. If no value is given, the default is 3 months. |
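The RISK-S020 linkage and the Prior Month window, worked through in Python as an added example (not part of the guide and not Greenlight's code). The `DATE` field name, the sample records, the calendar-month arithmetic, and applying the window only to function II (SD05) records are assumptions.

```python
from datetime import date
import calendar

# RISK-S020 linkage from the table above: (SD04 field, SD05 field).
S020_LINKAGE = [("USNAM", "USNAM"), ("VKORG", "VKORG"), ("VTWEG", "VTWEG"),
                ("SPART", "SPART"), ("KUNNR", "KUNNR"), ("VBELN_C", "VBELN")]
DEFAULT_PRIOR_MONTHS = 3  # default given in the Prior Month remark


def window_start(execution_date, prior_months=None):
    """Start of the lookback window, counted back from the execution date.
    Assumption: calendar months, day clamped to the target month's length."""
    months = DEFAULT_PRIOR_MONTHS if prior_months is None else prior_months
    idx = execution_date.year * 12 + execution_date.month - 1 - months
    year, month0 = divmod(idx, 12)
    day = min(execution_date.day, calendar.monthrange(year, month0 + 1)[1])
    return date(year, month0 + 1, day)


def find_violations(func1, func2, linkage, execution_date, prior_months=None):
    """Pair each function I record with the function II records that match
    on every linkage field and were changed inside the lookback window."""
    start = window_start(execution_date, prior_months)
    index = {}
    for rec in func2:
        if start <= rec["DATE"] <= execution_date:
            key = tuple(rec[right] for _, right in linkage)
            index.setdefault(key, []).append(rec)
    return [(rec, match) for rec in func1
            for match in index.get(tuple(rec[left] for left, _ in linkage), [])]


def _row(user, order, day, order_field):
    """Constructed sample record; DATE is a hypothetical change-date field."""
    return {"USNAM": user, "VKORG": "1000", "VTWEG": "10", "SPART": "00",
            "KUNNR": "C-0001", order_field: order, "DATE": day}


SD04_RELEASES = [_row("JDOE", "4500001", date(2016, 11, 10), "VBELN_C"),
                 _row("ASMITH", "4500002", date(2016, 11, 11), "VBELN_C")]
SD05_ORDERS = [_row("JDOE", "4500001", date(2016, 11, 9), "VBELN"),  # same user
               _row("BLEE", "4500002", date(2016, 11, 9), "VBELN"),  # other user
               _row("JDOE", "4500001", date(2016, 6, 1), "VBELN")]   # older change


def s020_hits(prior_months=None):
    """Run the S020 join over the constructed records as of 2016-11-17."""
    return find_violations(SD04_RELEASES, SD05_ORDERS, S020_LINKAGE,
                           date(2016, 11, 17), prior_months)
```

Passing a different list of field pairs to `find_violations` covers the other risks in this chapter; note that S020 joins `VBELN_C` on the release side to `VBELN` on the order side, so the two key names must be kept separate.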
3.29 RISK-S021
Risk ID: S021
Risk Description: Risk of entering sales documents and giving sales rebates by the same person, effectively granting an indirect price discount.
Execution Sequence and Functions:
I SD03 - Sales Rebates
II SD05 - Sales Order Processing
Linkage or Joining:
SD03 -> USNAM (User ID) = SD05 -> USNAM (User ID)
SD03 -> VKORG (Sales Organization) = SD05 -> VKORG (Sales Organization)
SD03 -> VTWEG (Distribution Channel) = SD05 -> VTWEG (Distribution Channel)
SD03 -> SPART (Division) = SD05 -> SPART (Division)
SD03 -> KUNNR (Customer Code) = SD05 -> KUNNR (Customer Code)
SD03 -> KNUMA (Agreement Number) = SD05 -> KNUMA (Agreement Number)
Control Input Parameter
| Field Description | Condition | Remark |
|---|---|---|
| User Id | Mandatory | |
| Date | Mandatory | |
| Sales Organization | Optional | |
| Distribution Channel | Optional | |
| Sales Rebate Transaction Code | Optional | Enter transaction codes that are not in the SAP standard Ruleset and are used for Sales Rebate maintenance. |
| Sales Order Transaction Code | Optional | Enter transaction codes that are not in the SAP standard Ruleset and are used for Sales Order maintenance. |
| Sales Order Prior Month | Optional | This field is important when the control is scheduled to run at a set frequency. Its value is the number of previous months searched for Sales Order data changes. For example, with a value of 4 the program checks Sales Order data changed in the last four months, counted back from the execution date. If no value is given, the default is 3 months. |
| Sales Order Date | Optional | This field is important when the control is executed immediately, without scheduling, against previous data. Enter the from date and to date for which changes in Sales Order data are to be checked. If no value is given, the default is 3 months. |
3.30 RISK-S022
Risk ID: S022
Risk Description: Risk of modifying and entering Sales Invoices and approving Credit Limits by the same person.
Execution Sequence and Functions:
I AR07 - Process Customer Invoices
II AR04 - Credit Management
Linkage or Joining:
AR07 -> USNAM (User ID) = AR04 -> USNAM (User ID)
AR07 -> KUNNR (Customer Code) = AR04 -> KUNNR (Customer Code)
Control Input Parameter
| Field Description | Condition | Remark |
|---|---|---|
| User Id | Mandatory | |
| Date | Mandatory | |
| Company Code | Mandatory | |
| Fiscal Year | Optional | |
| Customer Invoice Document Type | Optional | Enter document types used for Customer Invoice entry other than CI, DE, and DR. |
| Process Customer Invoice Posting Key | Optional | Enter posting keys used for process customer invoice posting other than 01 and 12. |
| Process Customer Invoice Transaction Code | Optional | Enter transaction codes that are not in the SAP standard Ruleset and are used for process customer invoice transaction creation. |
| Credit Management Transaction Code | Optional | Enter transaction codes that are not in the SAP standard Ruleset and are used for Credit Management maintenance. |
| Credit Management Prior Month | Optional | This field is important when the control is scheduled to run at a set frequency. Its value is the number of previous months searched for Credit Management data changes. For example, with a value of 4 the program checks Credit Management data changed in the last four months, counted back from the execution date. If no value is given, the default is 3 months. |
| Credit Management Date | Optional | This field is important when the control is executed immediately, without scheduling, against previous data. Enter the from date and to date for which changes in Credit Management data are to be checked. If no value is given, the default is 3 months. |
3.31 RISK-S025
Risk ID: S025
Risk Description: User can create a fictitious customer and then issue invoices to the customer.
Execution Sequence and Functions:
I AR05 - Maintain Billing Documents
II SD01 - Maintain Customer Master Data
Linkage or Joining:
AR05 -> USNAM (User ID) = SD01 -> USNAM (User ID)
AR05 -> VKORG (Sales Organization) = SD01 -> VKORG (Sales Organization)
AR05 -> VTWEG (Distribution Channel) = SD01 -> VTWEG (Distribution Channel)
AR05 -> SPART (Division) = SD01 -> SPART (Division)
AR05 -> KUNNR (Customer Code) = SD01 -> KUNNR (Customer Code)
Control Input Parameter
| Field Description | Condition | Remark |
|---|---|---|
| User Id | Mandatory | |
| Date | Mandatory | |
| Sales Organization | Optional | |
| Distribution Channel | Optional | |
| Division | Optional | |
| Customer Master Transaction Code | Optional | Enter transaction codes that are not in the SAP standard Ruleset and are used for Customer Master maintenance. |
| Customer Master Prior Month | Optional | This field is important when the control is scheduled to run at a set frequency. Its value is the number of previous months searched for master data changes. For example, with a value of 4 the program checks master data changed in the last four months, counted back from the execution date. If no value is given, the default is 3 months. |
| Customer Master Date | Optional | This field is important when the control is executed immediately, without scheduling, against previous data. Enter the from date and to date for which changes in master data are to be checked. If no value is given, the default is 3 months. |
3.32 RISK-S028
Risk ID: S028
Risk Description: User able to create a fraudulent sales contract to include additional goods and enter an incorrect customer invoice to hide the deception.
Execution Sequence and Functions:
I AR07 - Process Customer Invoices
II SD05 - Sales Order Processing
Linkage or Joining:
AR07 -> USNAM (User ID) = SD05 -> USNAM (User ID)
AR07 -> BUKRS (Company Code) = SD05 -> BUKRS (Company Code)
AR07 -> KUNNR (Customer Code) = SD05 -> KUNNR (Customer Code)
Control Input Parameter
| Field Description | Condition | Remark |
|---|---|---|
| User Id | Mandatory | |
| Date | Mandatory | |
| Company Code | Mandatory | |
| Fiscal Year | Optional | |
| Customer Invoice Document Type | Optional | Enter document types used for Customer Invoice entry other than CI, DE, and DR. |
| Process Customer Invoice Posting Key | Optional | Enter posting keys used for process customer invoice posting other than 01 and 12. |
| Process Customer Invoice Transaction Code | Optional | Enter transaction codes that are not in the SAP standard Ruleset and are used for process customer invoice transaction creation. |
| Sales Order Transaction Code | Optional | Enter transaction codes that are not in the SAP standard Ruleset and are used for Sales Order maintenance. |
| Sales Order Prior Month | Optional | This field is important when the control is scheduled to run at a set frequency. Its value is the number of previous months searched for Sales Order data changes. For example, with a value of 4 the program checks Sales Order data changed in the last four months, counted back from the execution date. If no value is given, the default is 3 months. |
| Sales Order Date | Optional | This field is important when the control is executed immediately, without scheduling, against previous data. Enter the from date and to date for which changes in Sales Order data are to be checked. If no value is given, the default is 3 months. |