Reply from GRCQuest on Jul 28 at 6:42 AM

Not sure if we are on the same page. Let me try to elaborate and hopefully be less confusing.

A subsidiary ledger is a detail ledger containing all the detail invoices, credits, payments, etc. of the customers or vendors. Having access to the subsidiary ledger allows one to apply payments to the invoices, clear offsetting debits and credits, write off uncollectable items, etc. In the case of SAP, all activities in the subsidiary ledger are automatically echoed in the general ledger. This means any unjustified or malicious act in the subsidiary ledger will eventually show up in the control ledger (i.e. the G/L). Good business practice dictates that a different person review and analyze the G/L and investigate any abnormalities. So you can imagine the risk if this person happens to be the same one who created the malicious activities in the subsidiary ledger in the first place.

Obviously, the risk does not exist if the person only has access to account type D (Customer) or K (Vendor) but not S (G/L). Sure, the user can still hide his misdeeds if he can find another user with access to account type S to manipulate the G/L to hide what he did, but then this becomes collusion .... something that requires more than authorization objects to detect.

Peter Lee
---------------Original Message---------------
From: James Johnson
Sent: Sunday, July 27, 2014 8:47 PM
Subject: Locking down FB01 and associated tcodes

Thanks for your reply. I understand your first half and got some help with your second half. So my new-found understanding is that a subsidiary ledger is linked to a customer / vendor etc. and config either fixes subsidiary ledger(s) to customers / vendors or allows more flexibility. If flexibility is allowed then the scenario you describe can happen, which explains SAP's view on this. However, our subsidiary ledger assignment is fixed in config - so no manipulation (without opening up the client) is possible. Access to the subsidiary ledger can only come via a Customer / Vendor, so therefore controls around those can be used as per my previous testing. Am I on the right page?
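The segregation-of-duties rule Peter Lee describes (subsidiary-ledger access on account types D or K must not be combined with G/L access on account type S for the same user) can be checked mechanically over an authorization extract. The script below is an added example written for this page, not code posted by either participant. It assumes the account-type restriction is carried in the KOART field of the authorization object F_BKPF_KOA and that you have an extract shaped like a join of role assignments (AGR_USERS) and role authorization values (AGR_1251: object, field, LOW, HIGH); the extract embedded in the script is constructed for illustration. Two practitioner details the thread does not spell out are handled: the SAP wildcard `*` grants every account type, and a LOW/HIGH pair grants the whole range between the bounds, so a legacy value range like D to S silently includes S.

```python
"""
Segregation-of-duties check: flag users who hold both subsidiary-ledger
(D/K) and G/L (S) account-type authorizations.

Added example for this thread; not code from the original posters.
Assumptions: the account type is restricted via field KOART of
authorization object F_BKPF_KOA, and the extract format below mirrors a
join of AGR_USERS with AGR_1251 (USER, ROLE, OBJECT, FIELD, LOW, HIGH).
Activity (ACTVT) is deliberately not evaluated here; a production check
would also confirm the user can post (ACTVT 01) rather than only display.
"""
from collections import defaultdict

SUBLEDGER_TYPES = {"D", "K"}            # D = customer, K = vendor
GL_TYPE = "S"                           # S = G/L account (control ledger)
ALL_TYPES = {"A", "D", "K", "M", "S"}   # SAP account types: asset, customer,
                                        # vendor, material, G/L

# Constructed sample extract (pipe-separated). HIGH is empty for single
# values; '*' means the full value range of the field.
EXTRACT = """\
USER|ROLE|OBJECT|FIELD|LOW|HIGH
jjohnson|Z_AR_CLERK|F_BKPF_KOA|KOART|D|
jjohnson|Z_AR_CLERK|F_BKPF_KOA|KOART|K|
jjohnson|Z_AR_CLERK|F_BKPF_KOA|ACTVT|01|
plee|Z_GL_ACCOUNTANT|F_BKPF_KOA|KOART|S|
asmith|Z_AP_CLERK|F_BKPF_KOA|KOART|K|
asmith|Z_GL_REVIEW|F_BKPF_KOA|KOART|S|
superuser|Z_ALL_POSTING|F_BKPF_KOA|KOART|*|
rangeuser|Z_LEGACY|F_BKPF_KOA|KOART|D|S
"""


def expand(low, high):
    """Turn one LOW/HIGH authorization value pair into concrete account types."""
    if low == "*":
        return set(ALL_TYPES)
    if not high:
        return {low} & ALL_TYPES
    # SAP ranges are inclusive and compared as character strings.
    return {t for t in ALL_TYPES if low <= t <= high}


def parse_extract(text):
    """Map each user to the account types granted via F_BKPF_KOA/KOART."""
    granted = defaultdict(set)     # user -> account types
    roles = defaultdict(set)       # user -> roles that contributed
    lines = text.strip().splitlines()
    header = lines[0].split("|")
    for line in lines[1:]:
        rec = dict(zip(header, line.split("|")))
        if rec["OBJECT"] != "F_BKPF_KOA" or rec["FIELD"] != "KOART":
            continue   # other fields (e.g. ACTVT) are out of scope here
        granted[rec["USER"]] |= expand(rec["LOW"], rec["HIGH"])
        roles[rec["USER"]].add(rec["ROLE"])
    return granted, roles


def sod_conflicts(text):
    """Return {user: details} for every user holding D/K together with S."""
    granted, roles = parse_extract(text)
    findings = {}
    for user, types in granted.items():
        sub = types & SUBLEDGER_TYPES
        if sub and GL_TYPE in types:
            findings[user] = {
                "subledger": sorted(sub),
                "gl": GL_TYPE,
                "roles": sorted(roles[user]),
            }
    return findings


if __name__ == "__main__":
    for user, info in sorted(sod_conflicts(EXTRACT).items()):
        print(f"{user}: {info['subledger']} + {info['gl']} via {info['roles']}")
```

Run against the constructed extract, jjohnson (D and K only) and plee (S only) are clean, while asmith (K via one role, S via another), superuser (wildcard) and rangeuser (range D to S) are reported. This only finds conflicts within a single user ID; as Peter Lee notes, collusion between two appropriately restricted users is outside what authorization data can reveal.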