
Introduction ........................................................................................................................................................... 6
ITAC 100 roles and main responsibilities ............................................................................................................ 7
How to implement ITAC 100................................................................................................................................. 8
Definitions.............................................................................................................................................................. 8
ITAC 100 naming convention ............................................................................................................................... 9
Main changes performed prior publication ........................................................................................................ 10
ICRF 04: Sales & customer services .................................................................................................................. 12
Control 4.3: Review of user profiles and access to the sales management system .................................................... 13
I04.A01 Access review to Customer master data ........................................................................................................................... 14
I04.A02 Access review to cash receipts ......................................................................................................................................... 15
I04.A03 Access review to create or maintain deliveries ................................................................................................................ 16
I04.A04 Access review to create or maintain credit memos .......................................................................................................... 17
I04.A05 Access review to create or maintain invoices................................................................................................................... 18

Control 4.6: Check on creating and editing prices ...................................................................................................... 19


I04.A06 Access review to maintain prices ..................................................................................................................................... 20
I04.C01 Use of article categories ................................................................................................................................................... 21

Control 4.7: Approving Discount and special terms of sales ...................................................................................... 22


I04.C02 Manual pricing in sales order ........................................................................................................................................... 22

Control 4.9: Approving a new client ............................................................................................................................. 23


I04.R01 Payment terms are set up in accounting and sales management systems ......................................................................... 24
I04.C03 Credit Limits areas are correctly set-up ............................................................................................................................ 25

Control 4.18: Approving creations/modifications in the customers master file ........................................................ 26


I04.C04 Key information for customer master data ....................................................................................................................... 27
I04.R02 Review customer master data changes ............................................................................................................................. 28

Control 4.19: Checking account closures/deactivations .............................................................................................. 29


I04.T01 Blocking customer process ............................................................................................................................................... 29

Control 4.20: Annual review of credit limits ................................................................................................................ 30


I04.R03 Review of missing & changed credit limit ....................................................................................................................... 31
I04.R04 Credit limits early warning ............................................................................................................................................... 32

Control 4.21: Confirming a client’s credit balance upon placing an order ............................................................... 33
I04.C05 Block sales orders when credit limit is exceeded ............................................................................................................. 34
I04.A07 Access review to unblock sales document ....................................................................................................................... 35

Control 4.22: Reviewing customer orders .................................................................................................................... 36


I04.C06 Key information is required in sales orders ...................................................................................................................... 36

Control 4.27: Accepting returns .................................................................................................................................... 37


I04.C07 Sales credit notes are automatically transferred to accounting ......................................................................................... 38
I04.C08 Returns and credit memos relate to valid sales orders or billing documents and they are properly documented. ........... 39

Control 4.32: Managing invoices for deliveries and stock outgoings ......................................................................... 40
I04.C09 Sales billing are automatically transferred to accounting ................................................................................................. 41
I04.C10 Coherence between Sales order, delivery and invoice ..................................................................................................... 42

Control 4.34: Monitoring zero balance invoices .......................................................................................................... 43


I04.T02 Define specific process for free goods .............................................................................................................................. 44
I04.R05 Review free goods ............................................................................................................................................................ 45

Control 4.35: Monitoring credit notes .......................................................................................................................... 46


I04.C11 Validation of credit memos before they are issued .......................................................................................................... 47
I04.A08 Access review to release credit memos ............................................................................................................................ 48

SG ITAC100 Manual 2
Control 4.37: Revenue recognition ................................................................................................................................ 49
I04.T03 Billing due list is cleared before end of the accounting period ......................................................................................... 50
I04.C12 Procedure of account allocation to sales billing documents ............................................................................................. 51
I04.T04 Reconciliation between sales management system and general ledger ............................................................................ 52

ITAC in Risks & Controls Matrix (ICRF 04) .............................................................................................................. 53


ICRF 05: Stock & Logistics ................................................................................................................................ 54
Control 5.2: Organization of storage ............................................................................................................................ 55
I05.C01 Physical storage areas must be recorded in the stock management system ..................................................................... 56
I05.T01 Stock quantities must be calculated in the stock management system ............................................................................. 57

Control 5.4: Review of user profiles and access to the stock management system ................................................... 58
I05.A01 Access review to inventory movements ........................................................................................................................... 58

Control 5.6: Storage of sensitive articles....................................................................................................................... 60


I05.C02 Sensitive articles (value, risk of theft, hazardous) are identified ...................................................................................... 61
I05.A02 Access review to sensitive material inventory movements .............................................................................................. 62

Control 5.7: Creating/editing/deleting entries from the stock master file ................................................................. 63
I05.A03 Access review to material master data ............................................................................................................................. 64
I05.R01 Review modifications of material master data ................................................................................................................. 65

Control 5.8: Annual review of the structure of the article master file ....................................................................... 66
I05.R02 Review of article master file ............................................................................................................................................ 66

Control 5.11: Monitoring supplies ................................................................................................................................ 67


I05.T02 Purchase orders not delivered on time are identified by the Inventory Management System .......................................... 67

Control 5.13: Management of discrepancies in delivery ............................................................................................. 68


I05.C03 Any discrepancy in delivery relies on a level of tolerance ............................................................................................... 68

Control 5.19: Reconciliation between the finance module and the stock management module .............................. 69
I05.C04 Stock movements generate automatic posting in accounting system .............................................................................. 69

Control 5.20: Approving the parameters for stock levels management .................................................................... 70
I05.T03 Acceptable level of stock is configured ............................................................................................................................ 71
I05.R03 Review of replenishment strategy .................................................................................................................................... 72

Control 5.22: Monitoring off-site stock and goods on consignment ........................................................................... 73


I05.T04 Off site and consignment stocks are managed by inventory management system ........................................................... 73

Control 5.23: Approving stock adjustments following a stock counting ................................................................... 74


I05.C05 Define tolerance limits for inventory difference postings ................................................................................................ 75
I05.R04 Stock adjustments review ................................................................................................................................................. 76

Control 5.26: Review of anomalies ................................................................................................................................ 77


I05.C06 Configure inventory management system to forbid negative quantity in stock ............................................................... 77

Control 5.27: Reconciliation between the stock in accounting, the stock management system and the physical stock ................................................................................................................................................................................. 78
I05.R05 Report of stock values ...................................................................................................................................................... 78

Control 5.30: Approving the scrapping and destruction of stock .............................................................................. 79


I05.A04 Access review to register scrapped stocks ....................................................................................................................... 80
I05.R06 Review scrapping and destructions .................................................................................................................................. 81

ITAC in Risks & Controls Matrix (ICRF 5) ................................................................................................................ 82


ICRF 06: Purchasing .......................................................................................................................................... 83
Control 6.6: Review of purchaser profiles and access permissions to the purchase management system ............. 84
I06.A01 Access review to maintain supplier master data............................................................................................................... 85
I06.A02 Access review to approve supplier creation/ modification/ deletion ................................................................................ 86

I06.A03 Access review to create supplier agreement or contract................................................................................................... 87

Control 6.7: Review of profiles, other than purchasers with access permission to the purchase management system ............................................................................................................................................................................... 88
I06.A04 Access review to create purchase orders .......................................................................................................................... 89
I06.A05 Access review to approve purchase orders ....................................................................................................................... 90
I06.A06 Access review to process goods receipts .......................................................................................................................... 91
I06.A07 Access review to perform service receipts ....................................................................................................................... 92
I06.A08 Access review to record supplier invoices ....................................................................................................................... 93

Control 6.17: Approving the creation/modification/deletion of supplier accounts ................................................... 94


I06.T01 Maintain alternative payee ................................................................................................................................................ 95
I06.C01 Key information is required for supplier master data ....................................................................................................... 96
I06.R01 Review supplier master data changes ............................................................................................................................... 97

Control 6.18: Closing the accounts of delisted suppliers ............................................................................................. 98


I06.T02 Blocking supplier process ................................................................................................................................................. 98

Control 6.19: Approval of new/modified supplier tariffs and purchasing terms ...................................................... 99
I06.R02 Supplier's tariffs and purchasing terms are reviewed ....................................................................................................... 99

Control 6.22: Reliability of purchase orders .............................................................................................................. 100


I06.C02 Key information is required in purchase orders ............................................................................................................. 101
I06.C03 Key information is required in scheduling agreement / contracts .................................................................................. 102
I06.C04 Purchase price is defined for supplier/material .............................................................................................................. 103

Control 6.23: Approving purchase orders .................................................................................................................. 104


I06.C05 Purchase orders need approval ....................................................................................................................................... 104

Control 6.24: Monitoring non-received orders .......................................................................................................... 105


I06.T03 Follow up of open purchase orders (on delay) ............................................................................................................... 105

Control 6.27: Recording of supplier invoices ............................................................................................................. 106


I06.C06 Set duplicate invoice criteria .......................................................................................................................................... 106

Control 6.30: Handling variances between the invoice and the order ..................................................................... 107
I06.C07 Definition of tolerances limits between invoices and orders .......................................................................................... 107

Control 6.33: Monitoring prepaid invoices received and not invoiced .................................................................... 108
I06.C08 GRNI are automatically posted ...................................................................................................................................... 109
I06.T04 Monitor unmatched invoices and receptions .................................................................................................................. 110

ITAC in Risks & Controls Matrix (ICRF 06) ............................................................................................................ 111


ICRF 15: Financing & treasury ....................................................................................................................... 112
Control 15.4: Bank account inventory ........................................................................................................................ 113
I15.C01 Bank accounts are identified as such in accounting system ........................................................................................... 114
I15.R01 List of bank accounts is reviewed .................................................................................................................................. 115

Control 15.6: Review of users profiles and access to the cash management system ............................................... 116
I15.A01 Access review to payment preparation ........................................................................................................................... 117
I15.A02 Access review to payment execution ............................................................................................................................. 118

Control 15.21: Validation of the proposition to pay .................................................................................................. 119


I15.C02 Definition of tolerances limits between incoming/outgoing payments and invoices .................................................... 120
I15.C03 Define sensitive fields for dual control before incoming/outgoing payment release...................................................... 121

Control 15.35: Verifying the valuation of foreign currency accounts ...................................................................... 122
I15.C04 Foreign Exchange reevaluations are automatically posted by the system during the closing process ........................... 122

ITAC in Risks & Controls Matrix (ICRF 15) ............................................................................................................ 123


ICRF 16: Accounting & fixed assets ................................................................................................................ 124

Control 16.2: Management of users profiles and access permissions to the modules of the accounting system .. 125
I06.A01 Access review to maintain supplier master data............................................................................................................. 125

Control 16.6: Formalization of the Chart of accounts and of the rules for allocation ........................................... 126
I16.C01 Each business transaction posted in accounting system should have a booking scheme ............................................... 126

Control 16.7: General ledger/SIF correspondence table ........................................................................................... 127


I16.C02 System is configured to map local accounts to SIF ........................................................................................................ 128
I16.R01 Review SIF accounts G/L accounts mapping ................................................................................................................. 129

Control 16.8: Review of open accounts ....................................................................................................................... 130


I16.T01 Block unused accounts ................................................................................................................................................... 130

Control 16.9: Modification of the Chart of accounts ................................................................................................. 131


I16.R02 Changes made to the chart of accounts are reviewed ..................................................................................................... 131

Control 16.10: Review of the access rights for modification of the Chart of accounts ........................................... 132
I16.A02 Access review to maintain chart of accounts ................................................................................................................. 132

Control 16.11: Traceability of entries ......................................................................................................................... 134


I16.C03 Ensure the number ranges of documents is correct ........................................................................................................ 135
I16.R03 Review manual entries made on automatic journals ...................................................................................................... 136
I16.C04 Modification of automatic posting is restricted .............................................................................................................. 137
I16.C05 Reversal posting of all logistic transaction must be defined into accounting system .................................................... 138

Control 16.15: Review of manual entries .................................................................................................................... 139


I16.C06 Restrict manual entries on accounts only impacted by automatic postings. .................................................................. 140
I16.C07 Define specific document type for non-standard manual entries.................................................................................... 141
I16.R04 Non-standard manual entries are reviewed .................................................................................................................... 142

Control 16.20: Control of the general ledger balances/sub-ledger balances ........................................................... 143
I16.R05 AP and AR reconciled to GL.......................................................................................................................................... 144
I16.R06 Control of the general ledger balances/sub-ledger balances ........................................................................................... 145

Control 16.22: Intercompany reconciliation .............................................................................................................. 146


I16.C08 Set Saint-Gobain as intercompany group in accounting system ..................................................................................... 147
I16.C09 Intercompany process in the same accounting system ................................................................................................... 148
I16.T02 Identify trading partners ................................................................................................................................................. 149
I16.R07 Intercompany reconciliation ........................................................................................................................................... 150

Control 16.26: Procedure for period end accounting ................................................................................................ 151


I16.C10 Fiscal Year Variant Posting periods ............................................................................................................................... 152
I16.C11 Posting period configuration .......................................................................................................................................... 153

ITAC in Risks & Controls Matrix (ICRF 16) ............................................................................................................ 154

Introduction
The Internal Control Reference Framework (ICRF) is a guide for implementing internal control in the Group.

It describes internal control general principles, highlights the way Internal Control is to be implemented in the
subsidiaries of the Saint-Gobain Group, explains the controls and describes the monitoring process of the
Internal Control system. The ICRF is structured by process. All 17 processes cover the main operations run at
all Group levels.

At the core of the information systems, Enterprise Resource Planning (ERP) applications support the
operations of business activities, especially in Sales, Stocks, Purchasing and Accounting. Among the controls
described in the ICRF for these 4 processes, some can be automated or semi-automated as IT
Automated Controls (ITAC).

To that end, the enclosed document ITAC 100 is a support tool for implementing the hundred
minimum IT Automated Controls in an ERP environment, and in particular in SAP for the modules SD, MM and FI,
which support the Sales, Stocks, Purchasing and Accounting processes. These controls could/should be extended
locally by other ITACs in order to improve ICRF automation compliance.

Therefore, the distribution of the ITAC 100 across the ICRF Controls is as follows:

               ICRF Controls   Selected ICRF Controls   itac
Sales                43                  14               29
Stocks               35                  14               20
Purchasing           36                  11               22
Accounting*          41                  15               29
Total               155                  54              100

*4 ICRF and 7 itacs controls on Treasury process

ITAC 100 roles and main responsibilities
Main ITAC 100 actors are:

- IT Application competency centers (CC): Any team in charge of the design, implementation and
maintenance of the application. The CC are mainly responsible for customizing the system and supporting the
business. They are also responsible for customizing reports, transactions, etc.
- Business (Functional Departments): As described in the ICRF, Functional departments are responsible
for the internal control system in place. Functional departments will be able to use ITAC 100 to
improve the effectiveness and efficiency of Internal Control.
- Group:
o DSI Security Group: In charge of publishing and updating this framework in alignment with the
Internal Control Department. The Security department will mainly support the IT Application
competency centers and follow up on ITAC 100 implementation.
o Internal Control Department: In charge of the design of the Group’s internal control system
and of coordinating its deployment. It will mainly support the Functional Departments.

Itac main responsibilities are the following:

- IT (Application competency centers):
o (A) Access review: Define roles considering each sensitive action, provide reports
o (C) Customizing: Configures the ERP according to business needs
o (R) Report: Provide reports according to business organization and needs
o (T) Transaction: Deliver integrated solution
- Business (Functional Departments):
o (A) Access review: Review and validate user access
o (C) Customizing: Define Business Processes and Organization
o (R) Report: Review and use report to comply with ICRF controls
o (T) Transaction: Execute transactions to comply with ICRF controls
- Group: Design of the Group’s internal control system (ICRF) and frameworks (ITAC100)

How to implement ITAC 100
The implementation of ITAC 100 is a project involving the IT function (Competency Centers) and Business
functions (Sales, Purchasing, Stock & Logistics, Accounting).
There are two major contexts of implementation:
1. When implementing a new Information System or performing a major upgrade
2. After the system has been implemented

1 – Implementing a new Information System or a major upgrade of the system

In this context, ITAC 100 should be used at the different phases of the project:
1. Specification: include the ITAC 100 requirements in the functional and technical specifications
(Business requirements and organization, access restriction, master data management, reports,
transactions).
2. General and detailed Design
3. Implementation, acceptance tests and roll out: ITAC 100 shall be tested

2 – ITAC 100 Implementation in an existing Information System

In this context, 3 phases have to be considered:


1. Prepare a Gap Analysis of the existing ITAC against the ITAC 100 described in this document in order to
document the implementation and to identify the areas for improvement.
2. Consider budget and planning issues to implement the corrections (development, workload,
organization change).
3. Run the improvement plan that has been validated in phase 2.

Definitions
ICRF: Internal Control Reference Framework
Control Description and Risk: Description of the activity of control and the related risk described in the ICRF
ITAC: Information Technology Automated Control
ITAC objective: Internal control objective addressed by ITAC.
ITAC description: description of how to implement and to use the ITAC. It generally describes the
responsibility of the Business (functional requirements), the responsibility of the Competency Center
(technical implementation), and the use of the ITAC depending on the ITAC category (see infra.).
ITAC 100 technical implementation: Step by step process to implement the ITAC in an SAP environment.
Itac: ITAC described in this framework.

ITAC 100 Category

(A) Access review: Report of users with granted access to specific transactions and
authorization objects related to critical business process.

(C) Customizing: Configuration of SAP designed in SPRO (master data structure, workflow,
threshold…).

(R) Report: Standard or customized reports.

(T) Transaction: Built-in function to process the data (master data management, automatic
process).

The distribution of the ITAC 100 by category is as follows:

| | itac | (A) Access review | (C) Customizing | (R) Report | (T) Transaction |
|---|---|---|---|---|---|
| Sales | 29 | 8 | 12 | 5 | 4 |
| Stocks | 20 | 4 | 6 | 6 | 4 |
| Purchasing | 22 | 8 | 8 | 2 | 4 |
| Accounting | 29 | 4 | 15 | 8 | 2 |
| | 100 | 24 | 41 | 21 | 14 |

ITAC 100 naming convention


ITAC 100 naming convention used in this referential is IPP.CNN where:

- I is ITAC,
- PP is process number according to ICRF,
- C is control category letter, see ITAC 100 category above,
- NN is incremental number.

Main changes performed prior publication
The following table tracks the changes compared with the previous version, where:

- Changed: Indicates whether the itac has changed in any way. The change can be identified in the
columns “New”, “Deleted” and “Type of Change”.
- New: Indicates whether the control is new compared with the previous version.
- Deleted - Reason of deletion: Indicates whether the control has been deleted compared with the previous
version, and the reason.
- Type of change:
o Information update: Changes to any itac section that could impact the itac
implementation but not the control objective.
o Typology of control: Changes where the itac has changed category (A, C, T or R).
o ICRF covered: Changes where the itac covers another ICRF control. The column shows the ICRF
control previously covered.
- # control: Change of itac control number. (It is not taken into account for the “Changed” column.)

Versus v1 (Pilot)

The columns Information, Typology of control, ICRF controlled and # control are grouped under "Type of change". The first row gives the count per column.

| itac | Itac Description | Changed | New | Deleted? Reason of deletion | Information | Typology of control | ICRF controlled | # control |
|---|---|---|---|---|---|---|---|---|
| | | 50 | 8 | 3 | 38 | 1 | 6 | 26 |
| I04.A01 | Access Review to customer master data | Yes | | | x | | | - |
| I04.A02 | Access Review to Cash Receipts | Yes | | | x | | | - |
| I04.A03 | Access Review to create or maintain deliveries | Yes | | | x | | | - |
| I04.A04 | Access Review to create or maintain credit memos | Yes | | | x | | | - |
| I04.A05 | Access Review to create or maintain invoices | Yes | | | x | | | - |
| I04.A06 | Access Review to maintain prices | Yes | | | x | | | - |
| I04.C01 | Use of articles categories | No | | | | | | - |
| I04.C02 | Manual pricing in Sales Order | No | | | | | | - |
| I04.R01 | Payment terms are set up in accounting and sales management systems | Yes | | | x | X | 4.18 | I04.T01 |
| I04.C03 | Credit limits areas are correctly set up | Yes | | | | | 4.20 | I04.C04 |
| I04.C04 | Key information for customer master data | Yes | | | x | | | I04.C03 |
| I04.R02 | Review customer master data changes | No | | | | | | I04.R01 |
| I04.T01 | Blocking customer process | Yes | | | x | | | I04.T02 |
| I04.R03 | Review of missing and changed credit limit | Yes | | | x | | | I04.R02 |
| I04.R04 | Credit limits Early warning | Yes | x | | | | | New |
| I04.C05 | Block sales orders when credit limit is exceeded | No | | | | | | - |
| I04.A07 | Access review to unblock sales document | Yes | | | x | | | - |
| I04.C06 | Key information is required in sales orders | Yes | x | | | | | New |
| I04.C07 | Sales credit note are automatically transferred to accounting | No | | | | | | I04.C06 |
| I04.C08 | Returns and credit memos relate to valid sales orders or billing documents | Yes | | | x | | | I04.C07 |
| I04.C09 | Sales billing are automatically transferred to accounting | No | | | | | | I04.C08 |
| I04.C10 | Coherence between sales order, delivery and invoice | No | | | | | | I04.C09 |
| I04.T02 | Define specific process for free goods | No | | | | | | I04.T03 |
| I04.R05 | Review free goods | Yes | | | x | | | I04.R03 |
| I04.C11 | Validation of credit memos before they are issued | No | | | | | | I04.C10 |
| I04.A08 | Access review to release credit memos | Yes | | | x | | | - |
| I04.T03 | Billing due list cleared before end of the accounting period | No | | | | | | I04.T04 |
| I04.C12 | Account determination procedure allocation to sales billing documents | No | | | | | | I04.C11 |
| xI04.C12x | Reconcile account receivable | Yes | | Covered in control I04.C03 | | | | Deleted |
| I04.T04 | Reconciliation between sales management system and general ledger | Yes | x | | | | | New |
| I05.C01 | Physical storage areas must be recorded in the stock management system | No | | | | | | - |
| I05.T01 | Stock quantities must be calculated in the stock management system | No | | | | | | - |
| I05.A01 | Access review to inventory movements | Yes | | | x | | | - |
| I05.C02 | Sensitive articles (value, risk of theft, hazardous) are identified | No | | | | | | - |
| I05.A02 | Access review to sensitive material inventory movements | Yes | | | x | | | - |
| I05.A03 | Access review to material master data | Yes | | | x | | | - |
| I05.R01 | Review modifications of material master data | No | | | | | | - |
| I05.R02 | Review of article master file | No | | | | | | - |
| I05.T02 | Purchase orders not delivered on time are identified by the inventory management system | No | | | | | | - |
| I05.C03 | Any discrepancy in delivery relies on a level of tolerance | No | | | | | | - |
| I05.C04 | Stock movements generate automatic posting in accounting system | No | | | | | | - |
| I05.T03 | Acceptable level of stock is configured | No | | | | | | - |
| I05.R03 | Review of replenishment strategy | Yes | | | x | | | - |
| I05.T04 | Off-site and consignment stocks are managed by inventory management system | No | | | | | | - |
| I05.C05 | Define tolerance limits for inventory difference postings | Yes | x | | | | | New |
| I05.R04 | Stock adjustments review | No | | | | | | - |
| I05.C06 | Configure inventory management system to forbid negative quantity in stock | Yes | | | x | | 5.20 | I05.C05 |
| I05.R05 | Report of stock values | No | | | | | | - |
| I05.A04 | Access review to register scrapped stocks | Yes | | | x | | | - |
| I05.R06 | Review scrapping and destructions | No | | | | | | - |
| I06.A01 | Access review to maintain supplier master data | Yes | | | x | | | - |
| I06.A02 | Access review to approve supplier creation/modification/deletion | Yes | | | x | | | - |
| I06.A03 | Access review to create supplier agreement or contract | Yes | | | x | | | - |
| I06.A04 | Access review to create purchase orders | Yes | | | x | | | - |
| I06.A05 | Access review to approve purchase orders | Yes | | | x | | | - |
| I06.A06 | Access review to process good receipts | Yes | | | x | | | - |
| I06.A07 | Access review to perform service receipts | Yes | | | x | | | - |
| I06.A08 | Access review to record supplier invoices | Yes | | | x | | | - |
| I06.T01 | Maintain alternative payee | No | | | | | | - |
| I06.C01 | Key information is required for supplier master data | Yes | | | x | | | - |
| I06.R01 | Review supplier master data changes | No | | | | | | - |
| I06.T02 | Blocking supplier process | Yes | | | x | | | - |
| I06.R02 | Supplier's tariffs and purchasing terms are reviewed | Yes | | | x | | | - |
| I06.C02 | Key information is required in purchase orders | No | | | | | | - |
| I06.C03 | Key information is required in scheduling agreements/contracts | Yes | x | | | | | New |
| I06.C04 | Purchase price is defined for supplier/material | No | | | | | | I06.C03 |
| I06.C05 | Purchase orders need approval | No | | | | | | I06.C04 |
| I06.T03 | Follow up of open purchase orders | No | | | | | | - |
| xI06.C05x | Supplier invoices are blocked for payment when recorded | Yes | | Risk covered with other controls | | | | Deleted |
| I06.C06 | Set duplicate invoice criteria | No | | | | | | - |
| I06.C07 | Define acceptable variance between invoices and reception | Yes | | | x | | | - |
| I06.C08 | GRNI are automatically posted | No | | | | | | - |
| I06.T04 | Monitor unmatched invoices and receptions | No | | | | | | - |
| I15.C01 | Bank accounts are identified as such in accounting system | No | | | | | | - |
| I15.R01 | List of bank accounts is reviewed | No | | | | | | - |
| I15.A01 | Access review to payment preparation | Yes | | | x | | 6.7 | I06.A09 |
| I15.A02 | Access review to payment execution | Yes | | | x | | 6.7 | I06.A10 |
| I15.C02 | Definition of tolerances limits between incoming/outgoing payments and invoices | Yes | | | x | | 4.39 | I04.C13 |
| I15.C03 | Define sensitive fields for dual control before incoming/outgoing payment release | Yes | x | | | | | New |
| I15.C04 | Foreign Exchange reevaluations are automatically posted by the system during the closing process | No | | | | | | I15.C02 |
| I16.A01 | Access review to closing/open accounting period parameters | Yes | x | | | | | New |
| xI16.R01x | Chart of accounts is reviewed | Yes | | Risk covered by controls I16.T01, I16.R02 | | | | Deleted |
| I16.C01 | Each business transaction posted in accounting system should have a booking scheme | No | | | | | | - |
| I16.C02 | System is configured to map local accounts to SIF | No | | | | | | - |
| I16.R01 | Review SIF accounts G/L accounts mapping | No | | | | | | I16.R02 |
| xI16.R03x | Review open accounts | Yes | | Risk covered by controls I16.T01, I16.R02 | | | | Deleted |
| I16.T01 | Block unused accounts | No | | | | | | - |
| I16.R02 | Changes made to the chart of accounts are reviewed | Yes | | | x | | | - |
| I16.A02 | Access review to maintain chart of accounts | Yes | | | x | | | - |
| I16.C03 | Ensure the number ranges of documents is correct | No | | | | | | - |
| I16.R03 | Review manual entries on automatic journalised process | No | | | | | | I16.R05 |
| I16.C04 | Modification of automatic posting is restricted | No | | | | | | - |
| I16.C05 | Reversal posting of all logistic transaction must be defined into accounting system | No | | | | | | - |
| I16.C06 | Restrict manual entries on accounts only impacted by automatic postings | No | | | | | | - |
| I16.C07 | Define specific document type for non-standard manual entries | No | | | | | | - |
| I16.R04 | Non-standard manual entries are reviewed | No | | | | | | I16.R06 |
| I16.R05 | AP and AR reconciled to GL | No | | | | | | I16.R07 |
| I16.R06 | Control of the general ledger balances/sub-ledger balances | No | | | | | | I16.R08 |
| I16.C08 | Set Saint-Gobain as intercompany group in accounting system | No | | | | | | - |
| I16.C09 | Intercompany process in the same accounting system | No | | | | | | - |
| I16.T02 | Identify trading partners | No | | | | | | - |
| I16.R07 | Intercompany reconciliation | No | | | | | | I16.R09 |
| I16.C10 | Fiscal Year Variant Posting periods | Yes | x | | | | | New |
| I16.C11 | Posting period configuration | Yes | x | | | | | New |

ICRF 04: Sales & customer services

Control 4.3: Review of user profiles and access to the sales management system

ICRF

Control Description:
Access permissions to the sales management system and the modules of the accounting system shall be in accordance with the
allocation of functions and responsibilities.
Access permissions to perform sensitive transactions (creating, editing, deleting information from client files etc.) shall only be
given to users who require it.
The relevant IT department shall be informed of any changes (changes of position, departures, transfers etc.) by the department
managers.
The Sales Department and the Finance Department shall, no less than once a year, perform a review of all user profiles and
access permissions to the sales management system and the modules of the accounting system.

Risks:
Risk 4.5 - Theft, misuse of assets, laundering and collusion
Risk 4.6 - Differences between the order, the delivery and the invoice

APPLICATION CONTROLS

I04.A01 Access review to Customer master data

I04.A02 Access review to cash receipts

I04.A03 Access review to create or maintain deliveries

I04.A04 Access review to create or maintain credit memos

I04.A05 Access review to create or maintain invoices

I04.A01 Access review to Customer master data

SAP Module: FI, SD
Technical category: Access review

Control 4.3: Review of user profiles and access to the sales management system
Risk addressed by ITAC: R4.5

ITAC objective: Review user list to detect userid that should not be granted access to customer master data.

ITAC description: Competency Centers provide the appropriate reports according to the Business requirement and organization. Sales and Finance Departments use the reports to perform the review, no less than once a year.

ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).

ITAC 100 technical implementation

Competency centers must provide to the business a report variant (using a batch at least once per year for example) to identify those users with the ability to create or maintain customer information.

Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance -> Information System -> User -> and generate a variant for Critical Authorizations with:

1) the following transactions:
- XD01 Create customer (general view)
- XD02 Modify customer (general view)
- VD01 Create customer (Sales view)
- VD02 Modify customer (Sales view)
- FD01 Create customer (Finance view)
- FD02 Modify customer (Finance view)
- FD08 Confirm customer individually
- Custom Transactions (Z*) if applicable

2) at least the following authorization objects:
- F_KNA1_BUK, attribute ACTVT, values 01 or 02 or C8.
- F_KNA1_BED, attribute ACTVT, values 01 or 02 or C8.

3) the appropriate Organizational data for each company in the scope of the Competency Center (if applicable).

Finance and/or Sales Departments must review the report in order to ensure the user list is appropriate. If needed, users can also run the report with the appropriate variant for further revisions.

Competency Center must ensure that there is at least a role with the ability to use this report and that the role has been assigned to the users selected by the business.

I04.A02 Access review to cash receipts

SAP Module: FI
Technical category: Access review

Control 4.3: Review of user profiles and access to the sales management system
Risk addressed by ITAC: R4.5

ITAC objective: Review user list to detect userid that should not be granted access to cash receipts.

ITAC description: Competency Centers provide the appropriate reports according to the Business requirements and organization. Finance and/or Sales Departments use the reports to perform the review, no less than once a year.

ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).

ITAC 100 technical implementation

Competency centers must provide to the business a report variant (using a batch at least once per year for example) to identify those users with the ability to create or maintain cash receipts.

Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance -> Information System -> User -> and generate a variant for Critical Authorizations with:

1) the following transactions:
- F-04 Post with Clearing
- F-06 Post Incoming Payments
- F-26 Incoming Payments Fast Entry
- F-28 Post Incoming Payments
- F-29 Post Customer Down Payment
- F-30 Post with Clearing
- F-36 Bill of Exchange Payment
- F-39 Clear Customer Down Payment
- F-52 G/L: Acct Bal.Interest Calculation
- FBA2 Post Customer Down Payment
- FBZ1 Post Incoming Payments
- FBZ3 Incoming Payments Fast Entry
- Custom Transactions (Z*) if applicable

2) at least the following authorization objects:
- F_BKPF_BUK, attribute ACTVT, values 01 or 02.
- F_BKPF_BLA, attribute ACTVT, values 01.
- F_BKPF_KOA, attributes ACTVT, value 01 and KOART, values D, S or K.

3) the appropriate Organizational data for each company in the scope of the Competency Center (if applicable).

Finance and/or Sales Departments must review the report in order to ensure the user list is appropriate. If needed, users can also run the report with the appropriate variant for further revisions.

Competency Center must ensure that there is at least a role with the ability to use this report and that the role has been assigned to the users selected by the business.

I04.A03 Access review to create or maintain deliveries

SAP Module: SD
Technical category: Access review

Control 4.3: Review of user profiles and access to the sales management system
Risks addressed by ITAC: R4.5 and R4.6

ITAC objective: Review user list to detect userid that should not be granted access to create or maintain deliveries.

ITAC description: Competency Centers provide the appropriate reports according to the Business requirements and organization. Finance and/or Sales Departments use the reports to perform the review, no less than once a year.

ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).

ITAC 100 technical implementation

Competency centers must provide to the business a report variant (using a batch at least once per year for example) to identify those users with the ability to create or maintain deliveries.

Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance -> Information System -> User -> and generate a variant for Critical Authorizations with:

1) the following transactions:
- VL01, Create Delivery,
- VL01N Create Outbound Delivery with Order Reference,
- VL10(*) Mass Delivery creation
- VL02, VL02N Change Outbound Delivery,
- VL08 Confirmation of Picking Request,
- VL01NO Create Outbound Delivery without order reference,
- VLSP Subsequent Outbound - Delivery split.
- Custom Transactions (Z*) if applicable

2) at least the following authorization objects:
- V_LIKP_VST, attribute ACTVT, values 01, 02, or 04.

3) the appropriate Organizational data for each company in the scope of the Competency Center (if applicable).

Finance and/or Sales Departments must review the report in order to ensure the user list is appropriate. If needed, users can also run the report with the appropriate variant for further revisions.

Competency Center must ensure that there is at least a role with the ability to use this report and that the role has been assigned to the users selected by the business.

I04.A04 Access review to create or maintain credit memos

SAP Module: FI, SD
Technical category: Access review

Control 4.3: Review of user profiles and access to the sales management system
Risk addressed by ITAC: R4.5

ITAC objective: Review user list to detect userid that should not be granted access to create or maintain credit memos.

ITAC description: Competency Centers provide the appropriate reports according to the Business requirements and organization. Finance and Sales Departments use the reports to perform the review, no less than once a year.

ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).

ITAC 100 technical implementation

Competency centers must provide to the business a report variant (using a batch at least once per year for example) to identify those users with the ability to create or maintain credit memos.

Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance -> Information System -> User -> and generate a variant for Critical Authorizations with:

1) the following transactions:
- F-27 Enter Customer Credit Memo - Header Data,
- F-67 Park Document: Document Header,
- FB75 Enter Customer Credit Memos,
- FV75 Park Customer Credit Memo,
- FB08 Reverse Document Header Data,
- F.80 Mass Reversal of Documents.
- Custom Transactions (Z*) if applicable

2) at least the following authorization objects:
- F_BKPF_BUK, attribute ACTVT, values 01 or 77.
- F_BKPF_GSB, attribute ACTVT, values 01 or 77.
- F_BKPF_KOA, attributes ACTVT, values 01 or 77, and KOART, value D.

3) the appropriate Organizational data for each company in the scope of the Competency Center (if applicable).

Finance and/or Sales Departments must review the report in order to ensure the user list is appropriate. If needed, users can also run the report with the appropriate variant for further revisions.

Competency Center must ensure that there is at least a role with the ability to use this report and that the role has been assigned to the users selected by the business.

I04.A05 Access review to create or maintain invoices

SAP Module: SD
Technical category: Access review

Control 4.3: Review of user profiles and access to the sales management system
Risks addressed by ITAC: R4.5 and R4.6

ITAC objective: Review user list to detect userid that should not be granted access to create or maintain invoices.

ITAC description: Competency Centers provide the appropriate reports according to the Business requirements and organization. Sales Departments use the reports to perform the review, no less than once a year.

ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).

ITAC 100 technical implementation

Competency centers must provide to the business a report variant (using a batch at least once per year for example) to identify those users with the ability to create or maintain invoices.

Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance -> Information System -> User -> and generate a variant for Critical Authorizations with:

1) the following transactions:
- VF01 Create Billing Document,
- VF02 Change Billing Document,
- VF04 Maintain Billing Due List,
- VF11 Cancel Billing Document.
- Custom Transactions (Z*) if applicable

2) at least the following authorization objects:
- V_VBRK_FKA, attribute ACTVT, values 01 or 02, FKART by invoice type (to be customized locally)
- V_VBRK_VKO, attribute ACTVT, values 01 or 02

3) the appropriate Organizational data for each company in the scope of the Competency Center (if applicable).

Sales Departments must review the report in order to ensure the user list is appropriate. If needed, users can also run the report with the appropriate variant for further revisions.

Competency Center must ensure that there is at least a role with the ability to use this report and that the role has been assigned to the users selected by the business.

Control 4.6: Check on creating and editing prices

ICRF

Control Description:
Access permission to update prices in the information systems is limited to authorized people.
Any creation or modification of details shall be checked by a person who does not have price-editing access in order to identify
any incorrect or unauthorized changes (using a computer print-out for example).

Risks:
Risk 4.3 - Offers, contracts, contract amendments or orders that do not comply with the company’s commercial policy
Risk 4.5 - Theft, misuse of assets, laundering and collusion

APPLICATION CONTROLS

I04.A06 Access review to maintain prices

I04.C01 Use of article categories

I04.A06 Access review to maintain prices

SAP Module: SD
Technical category: Access review

Control 4.6: Check on creating and editing prices
Risks addressed by ITAC: R4.3 and R4.5

ITAC objective: Review user list to detect userid that should not be granted access to maintain prices.

ITAC description: Competency center provides reports appropriate to business and organization and Sales department reviews users with granted access to price change at least once a year.

ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).

ITAC 100 technical implementation

Competency centers must provide to the business a report variant (using a batch at least once per year for example) to identify those users with the ability to maintain and create pricing schemes.

Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance -> Information System -> User -> and generate a variant for Critical Authorizations with:

1) the following transactions:
- VK11 Create condition
- VK12 Change condition
- VKP5 Create / Change sales price condition
- VKP6 Change pricing document
- VK31 Create conditions
- VK34 Create conditions with reference
- VK32 Change conditions
- VA41 Create contract
- VA42 Change Contract
- Custom Transactions (Z*) if applicable

2) at least the following authorization objects:
- V_KONH_VKO, attribute ACTVT, value 01 or 02 (for VK*)
- V_KONH_VKS, attribute ACTVT, value 01 or 02 (for VK*)
- V_VBAK_AAT, attribute ACTVT, value 01 or 02 (for VA*)
- V_VBAK_VKO, attribute ACTVT, value 01 or 02 (for VA*)

3) the appropriate Organizational data for each company in the scope of the Competency Center (if applicable).

Sales Departments must review the report in order to ensure the user list is appropriate. If needed, users can also run the report with the appropriate variant for further revisions.

Competency Center must ensure that there is at least a role with the ability to use this report and that the role has been assigned to the users selected by the business.
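
The access-review variants for I04.A01 to I04.A06 all select users the same way: transaction access combined with an authorization object holding a listed activity. The Python sketch below is an added example (not part of the ITAC 100 manual and not SAP code) that applies the I04.A01 and I04.A04 lists to a constructed authorization export. The export layout, the use of S_TCODE/TCD rows for transaction access, the reading of the rule as "any listed transaction plus any listed object", and all user and authorization names are assumptions.

```python
from collections import defaultdict
from typing import NamedTuple


class Grant(NamedTuple):
    """One field value of one authorization held by a user (assumed export row)."""
    user: str
    obj: str    # authorization object, e.g. F_KNA1_BUK (S_TCODE = transaction start)
    auth: str   # authorization instance; field values only combine within one instance
    field: str  # e.g. ACTVT, KOART, TCD
    low: str    # single value, prefix pattern ending in '*', or lower bound of a range
    high: str   # upper bound of a range, '' otherwise


# Transactions and authorization objects as listed in the manual for each itac.
RULES = {
    "I04.A01": {
        "tcodes": ["XD01", "XD02", "VD01", "VD02", "FD01", "FD02", "FD08"],
        "objects": {
            "F_KNA1_BUK": {"ACTVT": ["01", "02", "C8"]},
            "F_KNA1_BED": {"ACTVT": ["01", "02", "C8"]},
        },
    },
    "I04.A04": {
        "tcodes": ["F-27", "F-67", "FB75", "FV75", "FB08", "F.80"],
        "objects": {
            "F_BKPF_BUK": {"ACTVT": ["01", "77"]},
            "F_BKPF_GSB": {"ACTVT": ["01", "77"]},
            "F_BKPF_KOA": {"ACTVT": ["01", "77"], "KOART": ["D"]},
        },
    },
}

# Constructed sample export (users and authorization names are made up).
SAMPLE = [
    Grant("ALICE", "S_TCODE", "T1", "TCD", "XD02", ""),
    Grant("ALICE", "F_KNA1_BUK", "A1", "ACTVT", "02", ""),
    Grant("BOB", "S_TCODE", "T2", "TCD", "*", ""),            # may start any transaction
    Grant("BOB", "F_KNA1_BUK", "A2", "ACTVT", "03", ""),      # display only
    Grant("CAROL", "S_TCODE", "T3", "TCD", "F-20", "F-30"),   # range includes F-27
    Grant("CAROL", "F_BKPF_KOA", "K1", "ACTVT", "01", ""),    # create, but KOART S
    Grant("CAROL", "F_BKPF_KOA", "K1", "KOART", "S", ""),
    Grant("CAROL", "F_BKPF_KOA", "K2", "ACTVT", "03", ""),    # KOART D, but display
    Grant("CAROL", "F_BKPF_KOA", "K2", "KOART", "D", ""),
    Grant("DAVE", "S_TCODE", "T4", "TCD", "FB*", ""),         # prefix pattern
    Grant("DAVE", "F_BKPF_KOA", "K3", "ACTVT", "*", ""),
    Grant("DAVE", "F_BKPF_KOA", "K3", "KOART", "D", ""),
]


def covers(low: str, high: str, wanted: str) -> bool:
    """True when a granted value (single, prefix pattern or range) includes `wanted`."""
    if high:
        return low <= wanted <= high       # ranges compare as strings
    if low.endswith("*"):
        return wanted.startswith(low[:-1])
    return low == wanted


def review(rule: dict, grants: list) -> dict:
    """Return {user: {"tcodes": [...], "objects": [...]}} for users matching the rule."""
    tcodes = defaultdict(set)
    instances = defaultdict(lambda: defaultdict(list))
    for g in grants:
        if g.obj == "S_TCODE" and g.field == "TCD":
            tcodes[g.user].update(t for t in rule["tcodes"] if covers(g.low, g.high, t))
        elif g.obj in rule["objects"]:
            instances[(g.user, g.obj, g.auth)][g.field].append((g.low, g.high))

    objects = defaultdict(set)
    for (user, obj, _auth), fields in instances.items():
        # Every required field must be satisfied inside the same authorization
        # instance; merging values across instances would wrongly flag CAROL.
        needed = rule["objects"][obj]
        if all(any(covers(lo, hi, v) for lo, hi in fields.get(f, []) for v in values)
               for f, values in needed.items()):
            objects[user].add(obj)

    return {u: {"tcodes": sorted(tcodes[u]), "objects": sorted(objects[u])}
            for u in sorted(tcodes) if tcodes[u] and objects.get(u)}


if __name__ == "__main__":
    for itac, rule in RULES.items():
        print(itac, review(rule, SAMPLE))
```

BOB and CAROL are not reported: BOB holds only display activity on the object, and CAROL's create activity and account type D sit in different authorizations.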

I04.C01 Use of article categories

SAP Module: SD
Technical category: Customizing

Control 4.6: Check on creating and editing prices
Risks addressed by ITAC: R4.3 and R4.5

ITAC objective: Structure the article master data files by category.

ITAC description: Competency center activates pricing depending on Item Categories for sales order. Item Categories must be defined with the Business.

ITAC 100 Transactions
VOV7 (SPRO -> IMG -> SAP Customizing Implementation Guide -> Sales and Distribution -> Sales -> Sales Documents -> Sales Document Item -> Define Item Categories)
VOV4 - Item Category Assignment Overview

ITAC 100 technical implementation

Define category for item with catalog pricing.

Execute transaction VOV7 - Maintain Item Categories: Overview.
Double click on the Item Category (Column: ItCa) for relevant categories.
In the "Business Data" section, set "Billing Relevance" and "Pricing" fields.

Note: Those fields should not be left empty. However, in some cases, such as free-of-charge items and text, item categories may not be relevant for pricing. As a consequence, those exceptions should be justified.

Control 4.7: Approving Discount and special terms of sales

ICRF

Control Description:
The granting of discounts, preferential rates or special terms of sale must be systematically approved by a suitable level of
management, in accordance with the delegation of powers.
A system shall be put in place to track cases in which such special terms have been granted.

Risks:
Risk 4.3 - Offers, contracts, contract amendments or orders that do not comply with the company’s commercial policy
Risk 4.5 - Theft, misuse of assets, laundering and collusion

APPLICATION CONTROL

I04.C02 Manual pricing in sales order

SAP Module: SD
Technical category: Customizing

Control 4.7: Approving discounts and special terms of sale
Risks addressed by ITAC: R4.3 and R4.5

ITAC objective: Define tolerance based on the standard prices for manual pricing or do not allow manual pricing in sales order.

ITAC description: Competence Center defines the customizing based on the Business requirements: pricing tolerance limits regarding manual modifications that can be performed in sales order.

ITAC 100 Transactions
V/06 (SPRO)

ITAC 100 technical implementation

Set pricing procedures so that entries are automatic or cannot be made manually.

Execute V/06: Maintain Condition Types (Customers).

For authorized pricing procedures, set the "Manual Entries" in the "Changes which can be made" section to either:
- B (automatic entry has priority) but pricing tolerance limits are set; this setting means that where a condition record exists for a particular condition type, that condition record cannot be manually overridden. However, where no condition record exists, a manual entry is allowed. To control the extent of this manual entry, tolerance limits must be set.
- Or D (not possible to process manually).

If necessary, check that the system message is set to blocking.

Control 4.9: Approving a new client

ICRF

Control Description:
Every new client shall be assessed before an account is opened and any orders are processed in their name. In particular,
the assessment shall confirm/assess the following points:
- The legal existence of the client,
- The financial stability of the client,
- The sales prospects,
- The client’s reputation in the light of his practice.
Credit limits must be set up for all clients, with the help of the Finance Department. Whenever a potential recovery risk is
identified for a new client, strict payment terms (deposit, full payment in advance for example) may be applied.

Risks:
Risk 4.4 - Receivables not being collected
Risk 4.5 - Theft, misuse of assets, laundering and collusion

APPLICATION CONTROLS

I04.R01 Payment terms are set up in accounting and sales management systems

I04.C03 Credit Limits areas are correctly set-up

I04.R01 Payment terms are set up in accounting and sales management systems

SAP Module: SD, FI
Technical category: Transaction

Control 4.9: Approving a new client. Credit limits must be set up for all clients.
Risks addressed by ITAC: R4.4

ITAC objective: Payment terms should be replicated from sales management system to accounting system to avoid any discrepancy between the different documents (proposal, delivery and bill with finance documents/reports as aging).

ITAC description: Sales management system and accounting system replicate payment terms in customer master data. If both modules SD and FI are implemented, payment method and payment terms defined in customer master data are used by accounting system for aging report.

ITAC 100 technical implementation

Competency center should customize a report to identify different payment terms between the sales and the finance module.

This can be done comparing payment methods from V_T042ZL and T052 tables, and payment terms from KNB1 and KNVV tables.

Competency Center must ensure that there is at least a role with the ability to use this report and that the role has been assigned to the users selected by the business.

ITAC 100 Transactions
Customized report.
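
The comparison described for I04.R01, as an added example that is not part of the ITAC 100 manual: a Python check that joins constructed KNVV (sales area) and KNB1 (company code) rows and reports customers whose payment terms differ, are blank, or are not defined in T052. The column names (KUNNR, BUKRS, VKORG, VTWEG, SPART, ZTERM), the sales-organization-to-company-code mapping and all sample values are assumptions about the export.

```python
# Constructed sample data; the dictionaries stand in for table exports.
T052_TERMS = {"0001", "Z030", "Z060"}          # payment terms keys defined in T052

KNB1 = [  # customer master, company code (FI) view
    {"KUNNR": "100001", "BUKRS": "FR01", "ZTERM": "Z030"},
    {"KUNNR": "100002", "BUKRS": "FR01", "ZTERM": "Z030"},
    {"KUNNR": "100003", "BUKRS": "FR01", "ZTERM": ""},
    {"KUNNR": "100005", "BUKRS": "DE01", "ZTERM": "Z999"},
]

KNVV = [  # customer master, sales area (SD) view
    {"KUNNR": "100001", "VKORG": "FR10", "VTWEG": "10", "SPART": "00", "ZTERM": "Z030"},
    {"KUNNR": "100002", "VKORG": "FR10", "VTWEG": "10", "SPART": "00", "ZTERM": "Z060"},
    {"KUNNR": "100003", "VKORG": "FR10", "VTWEG": "10", "SPART": "00", "ZTERM": "Z030"},
    {"KUNNR": "100004", "VKORG": "DE10", "VTWEG": "10", "SPART": "00", "ZTERM": "0001"},
    {"KUNNR": "100005", "VKORG": "DE10", "VTWEG": "10", "SPART": "00", "ZTERM": "Z999"},
]

# Assumption: each sales organization belongs to exactly one company code.
SALES_ORG_TO_COMPANY = {"FR10": "FR01", "DE10": "DE01"}


def compare_payment_terms(knb1, knvv, org_to_company, defined_terms):
    """Return findings as (kind, customer, company code, sales area, FI term, SD term).

    kind is one of:
      NO_FI_VIEW      sales area exists but the customer has no company code view
      BLANK_TERM      payment terms missing on either side
      MISMATCH        both sides filled but different
      UNDEFINED_TERM  both sides agree on a key that is not defined in T052
    """
    fi_terms = {(r["KUNNR"], r["BUKRS"]): r["ZTERM"].strip() for r in knb1}
    findings = []
    for row in knvv:
        area = "/".join((row["VKORG"], row["VTWEG"], row["SPART"]))
        sd_term = row["ZTERM"].strip()
        company = org_to_company.get(row["VKORG"])
        fi_term = fi_terms.get((row["KUNNR"], company))
        if fi_term is None:
            kind = "NO_FI_VIEW"
        elif not sd_term or not fi_term:
            kind = "BLANK_TERM"
        elif sd_term != fi_term:
            kind = "MISMATCH"
        elif sd_term not in defined_terms:
            kind = "UNDEFINED_TERM"
        else:
            continue  # consistent and defined: nothing to report
        findings.append((kind, row["KUNNR"], company, area, fi_term, sd_term))
    return findings


if __name__ == "__main__":
    for finding in compare_payment_terms(KNB1, KNVV, SALES_ORG_TO_COMPANY, T052_TERMS):
        print(finding)
```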

I04.C03 Credit Limits areas are correctly set-up

SAP Module: SD
Technical category: Customizing

Control 4.9: Approving a new client. Credit limits must be set up for all clients.
Risks addressed by ITAC: R4.4 and R4.5

ITAC objective: New customers must be created with a credit block, requiring credit management to approve a credit limit before processing can continue.

ITAC description: Competency Center must implement the Credit limit customizing based on Business Requirement (Risk category, Business organization…).

ITAC 100 Transactions
OB45: SPRO:IMG > SAP Customizing Implementation Guide > Enterprise Structure > Definition > Financial Accounting > Define Credit Control Area

ITAC 100 technical implementation

Using OB45: SPRO > IMG > SAP Customizing Implementation Guide > Enterprise Structure > Definition > Financial Accounting > Define Credit Control Area: for each credit control area, implement the following configuration.

1) Set "Data for updating SD": Update variant must be either "00012" or "00018".

2) Include in "Default data for automatically creating new customers" appropriate data for each field:
- Risk category
- Credit limit
- Credit representative group

Control 4.18: Approving creations/modifications in the customers master file

ICRF

Control Description:
Any creation/editing/deletion of a client account or client details must be correctly documented, justified and authorised.
The request form for the creation/modification of a client account and all documents sent by the client must be stored and
archived in a specific file.
At least once a month, the Sales Department shall review any sensitive details (payment terms for example) that have been
added or changed in the customer master file in order to ensure that there have been no unauthorised creations/changes.

Risks:
Risk 4.4 - Receivables not being collected
Risk 4.5 - Theft, misuse of assets, laundering and collusion

APPLICATION CONTROLS

I04.C04 Key information for customer master data

I04.R02 Review customer master data changes

I04.C04 Key information for customer master data

SAP Module: SD
Technical category: Customizing

Control 4.18: Approving creations/modifications in the customer master file
Risks addressed by ITAC: R4.4

ITAC objective: A customer cannot be created without critical information.

ITAC description: Competence Center implements the mandatory fields based on the Business Requirement (name, address, VAT, payment terms…)

ITAC 100 Transactions
OBD2: SPRO -> IMG -> SAP Customizing Implementation Guide -> Financial Accounting (New) -> Accounts Receivable and Accounts Payable -> Customer Accounts -> Master Data -> Preparations for Creating Customer Master Data -> Define Account Groups for each customer account group utilized

ITAC 100 technical implementation

The mandatory fields in SAP enforce that the required customer information is configured by customer account group.

SPRO -> IMG -> SAP Customizing Implementation Guide -> Financial Accounting (New) -> Accounts Receivable and Accounts Payable -> Customer Accounts -> Master Data -> Preparations for Creating Customer Master Data -> Define Account Groups with Screen Layout (Customers)

- Name,
- Address,
- Local registration number (for example SIREN in France)
- Payment term
- Reconciliation account
- Incoterms
- Group / Non Group

I04.R02 Review customer master data changes

SAP Module: SD
Technical category: Report

Control 4.18: Approving creations/modifications in the customer master file
Risks addressed by ITAC: R4.4 and R4.5

ITAC objective: Customers sensitive master data changes are reviewed to detect any errors.

ITAC description: The Competency Center shall customize the report in order to match the Business Requirements and the organization in place. At least once a month, the Sales Department shall review any sensitive details (payment terms for example) that have been added or changed in the customer master file. Additionally, the Competency Center should assign to the requested users the ability to run this report.

ITAC 100 Transactions
S_ALR_87012182 - Display Changes to Customers

ITAC 100 technical implementation
Competency center must provide to the business a report of customer changes (monthly batch, for example) using the standard report S_ALR_87012182. Limit the output by:
- Restricting the "Changed On" field from the last review.
- Enter the company code
- Enter the sales area data (sales organizations, distribution channel, division)

In order to simplify the analysis, fields to be analyzed can be identified to filter the output:
1. Define a "field group for customer master records"
OB31 / "New entry"
2. Assign fields to the field group
OB30 to assign
3. Limit the search of customer changes via S_ALR_87012182 by applying the "field group" criteria

Competency Center must ensure that at least there is a role with the ability to use this report and that the role has been assigned to the users selected by the business.

Control 4.19: Checking account closures/deactivations

ICRF

Control Description:
The Commercial Department shall ensure that all legitimate decisions to close or deactivate a client account are entered into the
sales management system.

Risks:
Risk 4.4 - Receivables not being collected
Risk 4.5 - Theft, misuse of assets, laundering and collusion

APPLICATION CONTROL

I04.T01 Blocking customer process

SAP Module: SD, FI
Technical category: Master data

Control 4.19: Checking account closures/deactivations
Risks addressed by ITAC: R4.4 and R4.5

ITAC objective: Avoid sales to a customer that the Business has decided to ban.

ITAC description: As soon as the Business takes the decision, the customer should be blocked in the System by using the standard function.

ITAC 100 Transactions
XD05 - Block Customer
XD06 – Flag for deletion

ITAC 100 technical implementation
Use XD05 to block customers. This transaction will block logistic (creation of new sales orders for the customer) and accounting processes at once.
Execute transaction XD06 - Flag for deletion on appropriate customers.
Note: Flag for deletion alone (without blocking the customer) will not prevent the creation of new sales orders for the customer.

Competency Center must ensure that there is at least a role with the ability to use these transactions and that the role has been assigned to the users selected by the business.

Control 4.20: Annual review of credit limits

ICRF

Control Description:
Every client shall be given a credit limit.
At least once a year, the Finance Department and the Sales Department shall review and update client credit limits based on
activity, financial information and their commercial relationship.

Risks:
Risk 4.1 - Failure to respect legal obligations regarding commercial matters
Risk 4.4 - Receivables not being collected
Risk 4.5 - Theft, misuse of assets, laundering and collusion

APPLICATION CONTROLS

I04.R03 Review of missing & changed credit limit

I04.R04 Credit Limits early warning

I04.R03 Review of missing & changed credit limit

SAP Module: FI
Technical category: Report

Control 4.20: Annual review of credit limits
Risks addressed by ITAC: R4.1, R4.4 and R4.5

ITAC objective: Credit limits of customers are reviewed and updated to minimize the risk of dispute.

ITAC description: At least once a year, the Finance Department and the Sales Department shall review and update client credit limits based on activity, financial information and their commercial relationship. In addition, they should ensure that all customers have credit limit assigned.

ITAC 100 Transactions
F.31 Credit Management Overview
FDK43 Credit Management master data list
F.32 Clear customer account
S_ALR_87012215 Display changes to credit management

ITAC 100 technical implementation
Competency center must provide to the business a report of customers without credit limit information. Standard transactions could be used:
- Execute report showing the entire customer credit limit data using F.31 or FDK43.
- Use standard report to review missing credit limits and terms.
- Execute transaction F.32-> Listing of customers with missing credit data.

Limitation: Customers flagged for deletion will be shown in this report.

Competency center must provide to the business a report of credit master changes using S_ALR_87012215 (Display changes to credit management).

Competency Center must ensure that at least there is a role with the ability to use these transactions and reports. In addition the role must be assigned to the users selected by the business.

I04.R04 Credit limits early warning

SAP Module: FI
Technical category: Report

Control 4.20: Finance and Sales Departments shall review and update client credit limit based on activity, financial information and their other commercial relationship.
Risk addressed by ITAC: R4.1, R4.4 and R4.5

ITAC objective: Identify customers that are close to reaching or have already reached their credit limit.

ITAC description: Competency Center must provide the business the report to identify those clients close to reaching their credit limit based on the SAP standard program. Finance and/or Sales department should review this report frequently and perform the appropriate actions if needed.

ITAC 100 Transactions
FCV3 Credit Management (Early warning list)

ITAC 100 technical implementation
Use transaction FCV3 to monitor the customer’s credit situation.

Finance and/or Sales department should review this report frequently and perform the appropriate actions if needed.

Competency Center must ensure that there is at least a role with the ability to use this transaction and the role has been assigned to the users selected by the business.

Control 4.21: Confirming a client’s credit balance upon placing an order

ICRF

Control Description:
An order shall be blocked if it means that the credit limits would be exceeded.
An order can be unblocked by a suitable level of management, if the special payment terms (account, cash payment etc.) defined
to limit the risk of non-collection, are met.

Risks:
Risk 4.4 - Receivables not being collected

APPLICATION CONTROLS

I04.C05 Block sales orders when credit limit is exceeded

I04.A07 Access review to unblock sales document

I04.C05 Block sales orders when credit limit is exceeded

SAP Module: SD
Technical category: Customizing

Control 4.21: Confirming a client’s credit balance upon placing an order
Risk addressed by ITAC: R4.4

ITAC objective: To avoid sales to customers that have exceeded their credit limit

ITAC description: Competency Center must activate the control on the appropriate sales order document types required by the Business. The unblocking process must be defined with the Business.

ITAC 100 Transactions
VOV8 (SPRO -> IMG -> SAP Customizing Implementation Guide -> Sales and Distribution -> Sales -> Sales Documents -> Sales Document Header -> Define Sales Document Types)

ITAC 100 technical implementation
Configure sales document types to check credit limits.
Execute VOV8 Maintain Sales Document Type.
Double click on the document type under column SaTy.
In the "General Control" section, populate the "Check Credit Limit" field.

I04.A07 Access review to unblock sales document

SAP Module: SD
Technical category: Access review

Control 4.21: Confirming a client’s credit balance upon placing an order
Risk addressed by ITAC: R4.4

ITAC objective: Review user list to detect userid that should not be granted access to unblock sales documents.

ITAC description: Competency Center must provide the report that lists the users with the ability to unblock sales orders.
The report can be split according to the Business organization.
Sales and/or Finance department shall review at least once a year this report.

ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).

ITAC 100 technical implementation
Competency centers must provide to the business a report variant (using a batch at least once per year for example) to identify those users with the ability to unblock sales orders.
Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance -> Information System -> User -> and generate a variant for Critical Authorizations with:

1) the following transactions:
- VKM1 - Blocked SD document or
- VKM4 - Blocked SD document
- Custom Transactions (Z*) if applicable

2) at least the following authorization objects:
- V_KNKK_FRE, attribute ACTVT, value 23
- V_VBUK_FRE, attribute ACTVT, value 23

3) the appropriate Organizational data for each company in the scope of the Competency Center (if applicable).

Finance and/or Sales Departments must review the report in order to ensure the user list is appropriate. If needed, users can also run the report with the appropriate variant for further revisions.

Competency Center must ensure that there is at least a role with the ability to use this report and that the role has been assigned to the users selected by the business.

Control 4.22: Reviewing customer orders

ICRF

Control Description:
Every customer order must be correctly documented (purchase order, contract, amendment).
Any customer orders that are placed over the telephone must be confirmed to the client in writing (article, price, amount,
address etc).
Any large customer orders (amount and duration to be defined by the entity) must be systematically reviewed and signed by a
suitable level of management, before being processed and confirmed to the client in writing.

Risk:
Risk 4.3 - Offers, contracts, contract amendments or orders that do not comply with the company’s commercial policy
Risk 4.4 - Receivables not being collected

APPLICATION CONTROL

I04.C06 Key information is required in sales orders

SAP Module: SD, FI
Technical category: Customizing

Control 4.22: Reviewing customer orders
Risk addressed by ITAC: R4.3

ITAC objective: Every customer order must be correctly documented (purchase order, contract, amendment).

ITAC description: Competency Center must activate the control on the appropriate sales order document types required by the Business. The system should prevent the creation of duplicate customer orders.

ITAC 100 Transactions
VOV8: SPRO > Sales & Distribution > Sales > Sales Document > Sales Document header > Define Sales document Types

ITAC 100 technical implementation
Configure sales order document type to check the Customer Purchase Order during the order creation before release.
Execute VOV8 - Maintain Sales Document Type; double click on the document type selected.
In the "General Control" section, activate the “Enter PO number” field to ensure that the customer PO number is mandatory when creating a sales order. Also activate the field “Check purchase order number” to avoid duplicates.

Control 4.27: Accepting returns

ICRF

Control Description:
The quantities and article codes for any returned goods must be checked and then entered into the stock management system.
Any return of goods must be documented and approved by the adequate level of management.
Accounting must be informed of all accepted returns as soon as possible, so that credit notes can be issued.

Risks:
Risk 4.2 - Loss of clients
Risk 4.5 - Theft, misuse of assets, laundering and collusion
Risk 4.8 - Missing or incorrect accounting entries

APPLICATION CONTROLS

I04.C07 Sales credit notes are automatically transferred to accounting

I04.C08 Returns and credit memos relate to valid sales orders or billing
documents and they are properly documented

I04.C07 Sales credit notes are automatically transferred to accounting

SAP Module: SD, FI
Technical category: Customizing

Control 4.27: Accepting returns
Risks addressed by ITAC: R4.2 and R4.8

ITAC objective: Accounting must be informed of all accepted returns as soon as possible, so that credit notes can be issued.

ITAC description: Competence center must implement the customizing based on the Business Requirements and organization.

ITAC 100 Transactions
VOFA (SPRO -> IMG -> SAP Customizing Implementation Guide -> Sales and Distribution -> Billing -> Billing Documents -> Define Billing Types).

ITAC 100 technical implementation
Execute VOFA - Define Billing Types.
On the pop-up window, double click on "Define Billing Types."
Double click on RE (Credit for Returns) and any other customized document types. In the "General control" section, uncheck the "Posting Block" field to ensure that SD credit note documents are automatically transferred to accounting.

I04.C08 Returns and credit memos relate to valid sales orders or billing documents and they are properly documented.

SAP Module: SD
Technical category: Customizing

Control 4.27: Accepting returns
Risks addressed by ITAC: R4.2, R2.5 and R4.8

ITAC objective: Return and credit memos relate to valid sales orders or billing documents to avoid any dispute with customers and they indicate the reason of the return/credit.

ITAC description: Competence center must implement the customizing based on the Business Requirements and organization.

ITAC 100 Transactions
VOV8 (SPRO > Sales and Distribution > Sales > Sales Documents > Sales Documents Header > Define Sales Document Types)
OVA2 (SPRO -> SAP Customizing Implementation Guide -> Logistics Execution -> Shipping -> Basic Shipping Functions -> Incompletion Control for Deliveries -> Define Incompleteness Procedures)

ITAC 100 technical implementation
Configure return and credit memo document types to contain reference to sale order or billing document by using transaction VOV8 - Define Sales Document Types.
Populate the "Reference Mandatory" field with one of the following values:
- C: With reference to a sales order
- M: With reference to a billing document

Execute transaction OVA2 - Define Incompleteness Procedures.
- Set "Order Reason" to mandatory field.
- Define "Order Reason" as a mandatory field in line with credit memo incompletion procedures. Complete if necessary the reasons of credit memo according to business cases.

Control 4.32: Managing invoices for deliveries and stock outgoings

ICRF

Control Description:
The entity has put in place a procedure in order to ensure that:
• All despatches are invoiced,
• All invoices are issued in accordance with the contractual terms and conditions,
• All invoices have a corresponding delivery note (and related documents) and customer order.
The monitoring of non-invoiced deliveries and invoices issued before delivery is formalised by the Accounting Department
according to a formalised procedure.

Risks:
Risk 4.1 - Failure to respect legal obligations regarding commercial matters
Risk 4.5 - Theft, misuse of assets, laundering and collusion
Risk 4.6 - Differences between the order, the delivery and the invoice

APPLICATION CONTROLS

I04.C09 Sales billing are automatically transferred to accounting

I04.C10 Coherence between Sales order, delivery and invoice

I04.C09 Sales billing are automatically transferred to accounting

SAP Module: SD, FI
Technical category: Customizing

Control 4.32: Managing invoices for deliveries and stock outgoings
Risks addressed by ITAC: R4.1, R4.5 and R4.6

ITAC objective: Billing automatically generates a journal entry in the Accounting module.

ITAC description: Competency center customizes sales management system and accounting system to post journal entry whenever an invoice is issued.

ITAC 100 Transactions
VOFA: SPRO -> IMG -> SAP Customizing Implementation Guide -> Sales and Distribution -> Billing -> Billing Documents -> Define Billing Types.

ITAC 100 technical implementation
Execute VOFA - Define Billing Types.
On the pop-up window, double click on "Define Billing Types."
Double click on F1, F2 (Invoice), IV (Intercompany Billing) and any other customized document types. In the "General control" section, uncheck the "Posting Block" field to ensure that SD billing documents are automatically transferred to accounting.

I04.C10 Coherence between Sales order, delivery and invoice

SAP Module: SD
Technical category: Customizing

Control 4.32: Managing invoices for deliveries and stock outgoings
Risks addressed by ITAC: R4.1, R4.5 and R4.6

ITAC objective: Delivery note and invoice inherit from sales order information to avoid any discrepancy between the different legal documents.

ITAC description: Competency center should customize delivery note and invoice to inherit from sales order information according to Commercial and Financial department requirements.

ITAC 100 Transactions
VTFA (SPRO > Sales and Distribution > Billing > Billing Documents > Copying control: Sales document to billing document)
VTFL (SPRO > Sales and Distribution > Billing > Billing Documents > Maintain Copying Control For Billing Documents > Copying control: Delivery document to billing document)

ITAC 100 technical implementation
Configure the copying requirements to billing documents using VTFL and VTFA.
Set copy rule to include at least:
- Customer
- Item
- Unit Price (except for delivery note)
- Delivery Address
- Sales order reference
- Quantity

Control 4.34: Monitoring zero balance invoices

ICRF

Control Description:
All outflows of goods/finished products at the destination of third party shall be recorded in an invoice.
A report of stock outgoings that are invoiced at zero is reviewed at least once a month by the suitable level of management in
order to detect any incomplete or incorrect entries.

Risks:
Risk 4.5 - Theft, misuse of assets, laundering and collusion
Risk 4.6 - Differences between the order, the delivery and the invoice

APPLICATION CONTROLS

I04.T02 Define specific process for free goods

I04.R05 Review free goods

I04.T02 Define specific process for free goods

SAP Module: SD
Technical category: Transaction

Control 4.34: Monitoring zero balance invoices
Risks addressed by ITAC: R4.5 and R4.6

ITAC objective: Zero balance invoices should be easily identified

ITAC description: Management defined procedures using specific processing for free goods. Sales department should define specific rules for free goods and Competency center should customize Sales management system for this type of transaction.

ITAC 100 Transactions
VBN1 - Create free goods conditions

ITAC 100 technical implementation
Define free goods rules using SAP functionality “Free Goods” with transaction VBN1 - Create Free Good Determination Record.

Competency Center must ensure that there is at least a role with the ability to use this transaction and that the role has been assigned to the users selected by the business.

Confer to I04.C01 if free “item category” is used.

I04.R05 Review free goods

SAP Module: SD
Technical category: Report

Control 4.34: Monitoring zero balance invoices
Risks addressed by ITAC: R4.5 and R4.6

ITAC objective: Review free goods usage to detect if there is no mistake or misuse.

ITAC description: Competency Center shall customize the report according to the Business requirements and organization. Once a month, the report is reviewed by the suitable management to determine items and conditions that are allowed for the free goods process.

ITAC 100 Transactions
FBL5N: Accounting > Financial Accounting > Accounts Receivable > Account > Display/Change Line Items

ITAC 100 technical implementation
Use FBL5N to identify invoices or line item invoiced at zero.
FBL5N: Accounting > Financial Accounting > Accounts Receivable > Account > Display/Change Line Items

If free “Item Category” (confer to I04.C01) article is used, the report VA05 can be used. Results must be filtered using the free item category.

Competency Center must ensure that there is at least a role with the ability to use these transactions and that the role has been assigned to the users selected by the business

Control 4.35: Monitoring credit notes

ICRF

Control Description:
A report of all credit notes issued shall be revised on a monthly basis by the Finance Department in order
- To ensure that all the notes issued have been recorded and that all the notes recorded have been authorised,
- To detect eventual mistakes.

Risk:
Risk 4.5 - Theft, misuse of assets, laundering and collusion

APPLICATION CONTROLS

I04.C11 Validation of credit memos before they are issued

I04.A08 Access review to release credit memos

I04.C11 Validation of credit memos before they are issued

SAP Module: SD
Technical category: Customizing

Control 4.35: Monitoring credit notes
Risk addressed by ITAC: R4.5

ITAC objective: Credit memo requests are automatically blocked.

ITAC description: Credit memo requests are automatically blocked and require Finance Department to release for further processing.
Competency Center implements the customizing and defines the credit memo process with the Business organization (unblocking process).

ITAC 100 Transactions
VOV8: SPRO > Sales & Distribution > Sales > Sales Document > Sales Document header > Define Sales document Types

ITAC 100 technical implementation
Configure credit memo request document type to be checked before release.
Use VOV8 - Define Sales Document Types.
For every credit memo document type existing, double click on the document type and scroll down to the billing section.
Enter the value "08" (Check Credit Memo), or the appropriate customized one, in the Billing block field in the billing section.

I04.A08 Access review to release credit memos

SAP Module: SD
Technical category: Access review

Control 4.35: Monitoring credit notes
Risk addressed by ITAC: R4.5

ITAC objective: Review user list to detect userid that should not be granted access to release credit memos.

ITAC description: Competency Centers provide the appropriate reports according to the Business requirements and organization. Finance and Sales Departments use the reports to perform the review, no less than once a year.

ITAC 100 Transactions
S_BCE_68001400 - Users According to Complex Criteria

ITAC 100 technical implementation
Competency centers must provide to the business a report variant (using a batch at least once per year for example) to identify those users with the ability to create or maintain credit memos:

Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance -> Information System -> User -> and generate a variant for Critical Authorizations with:

1) the following transactions:
- V.23 Release credit memo to billing
- Custom Transactions (Z*) if applicable

2) at least the following authorization objects:
- V_VBAK_AAT, attributes ACTVT, values 43 or 02 and AUART with Credit Memos types.

3) the appropriate Organizational data for each company in the scope of the Competency Center (if applicable).

Finance and/or Sales Departments must review the report in order to ensure the user list is appropriate. If needed, users can also run the report with the appropriate variant for further revisions.

Competency Center must ensure that there is at least a role with the ability to use this report and that the role has been assigned to the users selected by the business.
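
The selection logic behind the I04.A07 and I04.A08 access reviews, re-implemented offline as an added example (it is not part of the manual and is not SAP's report code). The CSV layout, the user names and the order types ZCR1/ZOR1 are constructed assumptions; organizational data (criterion 3), custom Z* transactions and value ranges are not modelled.

```python
import csv
import io
from collections import defaultdict
from fnmatch import fnmatchcase

# Placeholder credit memo order type: the manual leaves the AUART values
# to each company ("AUART with Credit Memos types").
CREDIT_MEMO_TYPES = {"ZCR1"}

# Criteria transcribed from I04.A07 and I04.A08. Any one transaction is
# enough; every listed object is required (assumption: the manual says
# "at least the following authorization objects").
CRITERIA = {
    "I04.A07 unblock sales documents": {
        "tcodes": {"VKM1", "VKM4"},
        "objects": {
            "V_KNKK_FRE": {"ACTVT": {"23"}},
            "V_VBUK_FRE": {"ACTVT": {"23"}},
        },
    },
    "I04.A08 release credit memos": {
        "tcodes": {"V.23"},
        "objects": {
            "V_VBAK_AAT": {"ACTVT": {"43", "02"}, "AUART": CREDIT_MEMO_TYPES},
        },
    },
}

# Constructed sample export (hypothetical layout): one row per field value
# of one authorization instance. The right to start a transaction is the
# S_TCODE object with field TCD.
SAMPLE_EXPORT = """\
user,object,auth,field,value
ALICE,S_TCODE,T1,TCD,VKM1
ALICE,V_KNKK_FRE,K1,ACTVT,23
ALICE,V_VBUK_FRE,B1,ACTVT,23
BOB,S_TCODE,T1,TCD,VKM*
BOB,V_KNKK_FRE,K1,ACTVT,*
BOB,V_VBUK_FRE,B1,ACTVT,*
CAROL,S_TCODE,T1,TCD,VKM1
CAROL,V_KNKK_FRE,K1,ACTVT,03
CAROL,V_VBUK_FRE,B1,ACTVT,23
DAVE,S_TCODE,T1,TCD,V.23
DAVE,V_VBAK_AAT,A1,ACTVT,02
DAVE,V_VBAK_AAT,A1,AUART,ZCR1
ERIN,S_TCODE,T1,TCD,V.23
ERIN,V_VBAK_AAT,A1,ACTVT,03
ERIN,V_VBAK_AAT,A1,AUART,ZCR1
ERIN,V_VBAK_AAT,A2,ACTVT,02
ERIN,V_VBAK_AAT,A2,AUART,ZOR1
"""


def load(export_text):
    """Return {user: {object: {auth: {field: {values}}}}}."""
    users = defaultdict(
        lambda: defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    )
    for row in csv.DictReader(io.StringIO(export_text)):
        users[row["user"]][row["object"]][row["auth"]][row["field"]].add(row["value"])
    return users


def covers(granted, wanted):
    """True if any granted value (which may contain '*') covers a wanted value."""
    return any(fnmatchcase(w, g) for g in granted for w in wanted)


def holds(auths_of_object, field_reqs):
    """All required fields must be satisfied inside ONE authorization instance.

    Merging values across instances would over-report: display (03) on credit
    memo types plus change (02) on other order types is not change on credit memos.
    """
    return any(
        all(covers(fields.get(f, ()), vals) for f, vals in field_reqs.items())
        for fields in auths_of_object.values()
    )


def review(export_text, criteria=CRITERIA):
    """Return {criterion name: sorted list of users meeting it}."""
    users = load(export_text)
    findings = {}
    for name, crit in criteria.items():
        hits = []
        for user, objs in users.items():
            can_start = holds(objs.get("S_TCODE", {}), {"TCD": crit["tcodes"]})
            has_objects = all(
                holds(objs.get(obj, {}), reqs)
                for obj, reqs in crit["objects"].items()
            )
            if can_start and has_objects:
                hits.append(user)
        findings[name] = sorted(hits)
    return findings


if __name__ == "__main__":
    for criterion, flagged in review(SAMPLE_EXPORT).items():
        print(criterion, "->", ", ".join(flagged) or "nobody")
```

BOB is listed only because of wildcard values, and ERIN is not listed because no single V_VBAK_AAT authorization combines a change or release activity with a credit memo type; both cases are worth checking by hand when the report output is reviewed.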

Control 4.37: Revenue recognition

ICRF

Control Description:
The turnover must be recorded in accordance with the Group rules, and respect the separation of accounting periods.
The Accounting Department shall reconcile the recorded turnover with the information from the sales management system.
It shall ensure that the turnover has been correctly broken down (Group, non-Group, sundry income).

Risk:
Risk 4.8 - Missing or incorrect accounting entries

APPLICATION CONTROLS

I04.T03 Billing due list is cleared before end of the accounting period

I04.C12 Procedure of account allocation to sales billing documents

I04.T04 Reconciliation between sales management system and general ledger

I04.T03 Billing due list is cleared before end of the accounting period

SAP Module: SD, FI
Technical category: Transaction

Control 4.37: Revenue recognition
Risk addressed by ITAC: R4.8

ITAC objective: All deliveries should result in the recognition of revenue or a receivable in the appropriate period

ITAC description: Invoices should be created for all completed deliveries before the end of the period

ITAC 100 Transactions
VF04 - Maintain Billing Due List

ITAC 100 technical implementation
Use VF04 - Maintain Billing Due List at least once a month after the end of the month so deliveries are issued before closing the accounting period.

Competency Center must ensure that there is at least a role with the ability to use this transaction and that the role has been assigned to the users selected by the business.

I04.C12 Procedure of account allocation to sales billing documents

SAP Module: SD, FI
Technical category: Customizing

Control 4.37: Revenue recognition
Risk addressed by ITAC: R4.8

ITAC objective: All invoices and credit notes generate accounting revenue.

ITAC description: Finance department defines rules for recording revenue and Competency center customizes Accounting system to record revenue based on invoices and credit notes issued by sales management system.

ITAC 100 Transactions
OV33 (SPRO Sales and Distribution > Basic Functions > Account Assignment/Costing > Revenue Account Determination > Define And Assign Account Determination Procedures > Define Account Determination Procedure)

ITAC 100 technical implementation
For each billing document type (e.g. services invoice, export invoices...), assign to an Account Determination Procedure or rationalize the fact that accounting is not impacted (ex: pro-forma).

Execute transaction OV33 - Define And Assign Account Determination Procedures.
Double click on "Assign Account Determination Procedure."
Assign billing document types to an account determination procedure: for each billing document type (Column BillT), an account determination procedure should be assigned.

If exceptions are requested for business purposes (ex: pro-forma), maintain rationalization of billing document type not being assigned to Assign Account Determination Procedures.

I04.T04 Reconciliation between sales management system and general ledger

SAP Module: SD, FI
Technical category: Customizing

Control 4.37: Revenue recognition
Risk addressed by ITAC: R4.8

ITAC objective: All invoice and credit notes generate accounting revenue/negative revenue.

ITAC description: Finance department must ensure that there are no billing documents blocked in the sales module and not transferred to accounting.

ITAC 100 Transactions
VFX3 - Release billing document for accounting

ITAC 100 technical implementation
Use VFX3 - Release billing document for accounting at least once a month before the end of the month to ensure that all billing documents are transferred to accounting.

Competency Center must ensure that there is at least a role with the ability to use this transaction and that the role has been assigned to the users selected by the business.

ITAC in Risks & Controls Matrix (ICRF 04)

SAP Mod. ITAC 100 ICRF Risk addressed


ICRF itac
SD FI Category R4.1 R4.2 R4.3 R4.4 R4.5 R4.6 R4.8
4.3 I04.A01 X X A X
4.3 I04.A02 X A X
4.3 I04.A03 X A X X
4.3 I04.A04 X A X
4.3 I04.A05 X A X X
4.6 I04.A06 X A X X
4.6 I04.C01 X C X X
4.7 I04.C02 X C X X
4.9 I04.R01 X R X
4.9 I04.C03 X C X X
4.18 I04.C04 X C X
4.18 I04.R02 X R X X
4.19 I04.T01 X T X X
4.20 I04.R03 X R X X X
4.20 I04.R04 X R X X X
4.21 I04.C05 X C X
4.21 I04.A07 X A X
4.22 I04.C06 X X C X
4.27 I04.C07 X X C X X
4.27 I04.C08 X C X X X
4.32 I04.C09 X X C X X X
4.32 I04.C10 X C X X X
4.34 I04.T02 X X T X X
4.34 I04.R05 X R X X
4.35 I04.C11 X C X
4.35 I04.A08 X A X
4.37 I04.T03 X T X
4.37 I04.C12 X X C X
4.37 I04.T04 X X T X
4 2 4 11 20 4 5

ICRF 05: Stock & Logistics

Control 5.2: Organization of storage

ICRF

Control description:
The way in which storage areas are to be organized is specified in a procedure that reiterates the following points:
• The reception, delivery and storage areas must be kept separate. If this is not possible, compensatory controls must be put in
place.
• All storage areas must be recorded in the stock management system.
• The exact physical location of a reference in stock must be known.
• The following stock categories must be identified and listed (physically and/or in the system):
- Products/goods of insufficient quality,
- Obsolete stock,
- Reserved orders.
- Bills on hold sales.
• The following stock must be identified and stored in a special area:
- Articles received, which are not in accordance with the order and that need to be returned to the supplier or collected by the
carrier,
- Client returns,
- Stock on consignment,
- Hazardous products.

Risks:
Risk 5.1 - Incorrect knowledge of the quantities in the stock
Risk 5.2 - Stock shortfalls
Risk 5.3 - Surplus stock and excess of reserved stock
Risk 5.4 - Obsolete stock incorrectly identified and controlled
Risk 5.5 - Acceptance of non-compliant stock
Risk 5.6 - Stock theft

APPLICATION CONTROLS

I05.C01 Physical storage areas must be recorded in the stock management system

I05.T01 Stock quantities must be calculated in the stock management system

I05.C01 Physical storage areas must be recorded in the stock management system

SAP Module: MM
Technical category: Customizing

Control 5.2: Organization of storage
Risks addressed by ITAC: R5.1, R5.2, R5.3, R5.4, R5.5 and R5.6

ITAC objective: Define storage locations in the inventory management system for at least delivery, reception, returns, consignment, subcontractor and storage areas.

ITAC description: Each physical stock location is reflected in the system with a corresponding system location code.
The physical zoning (Delivery, reception, returns, storage area, consignment and subcontractors) is referenced to the zoning of the inventory management system.
The Stock Manager shall express the requirements in terms of zoning and detailed description of each zone (use of storage bin for instance).

ITAC 100 Transactions
SPRO IMG > Enterprise Structure > Definition > Material Management > Maintain storage location.

ITAC 100 technical implementation
Use SPRO to define storage location in the IMG and assign it to a plant:
SPRO IMG > Enterprise Structure > Definition > Material Management > Maintain storage location.
At least, warehouses, delivery area and reception area are defined.

If WM SAP module is used, storage bin should be described.

I05.T01 Stock quantities must be calculated in the stock management
system

SAP Module: MM, SD
Technical category: Transaction

Control 5.2: Organization of storage
Risks addressed by ITAC: R5.1, R5.2, R5.3, R5.4, R5.5 and R5.6

ITAC objective: Identify missing quantities, products or goods of insufficient quality, obsolete stock, reserved orders, and bill on hold sales.

ITAC description: In order to monitor the stock quantities, the stock manager shall use the appropriate transactions in the system. The quantities must be calculated in the stock management system.

ITAC 100 Transactions
CO06 - Back order processing, CO09 - Availability Overview, MB52 - Stock Overview, MB54 – Vendor Consignment Stock, MD04 - Stock requirement list, MMBE - Stock Overview (article by article), MB58 - Customer consignment stock

ITAC 100 technical implementation
Generate report of inventory by Material / Plant / Storage by using transactions:
- MB52 - Stock Overview
- MB54 - Vendor Consignment stock
- MD04 - Stock requirement list
- MMBE - Stock Overview (article by article)
- MB58 - Customer consignment stock
- MC46 - Slow moving items
- MC50 - Dead stock

These reports detail:
- Inventory quantity
- Quantity blocked
- Quantity reserved for quality control
- Quantity ordered
- Quantity reserved to address sales orders.

Use CO09 and CO06 to check available to promise stock (ATP quantities).

These reports may be replaced by specific reports or Business Intelligence solution.

Control 5.4: Review of user profiles and access to the stock management system

ICRF

Control description:
Access permissions to the stock management system and to the accounting system must comply with the rules for segregation
of duties, as described in Control 5.3.
At least once a year, the Stock Manager shall review all user profiles and access permissions to the stock management system
and shall inform the IT Department of any changes required (departures, transfers etc.).

Risks:
Risk 5.6 - Stock theft
Risk 5.8 - Stock incorrectly valued due to poor identification of net realisable value

APPLICATION CONTROL

I05.A01 Access review to inventory movements

SAP Module: MM, SD
Technical category: Access review

Control 5.4: Review of user profiles and access to the stock management system
Risks addressed by ITAC: R5.6 and R5.8

ITAC objective: Review user list to detect userid that should not be granted access to inventory movements.

ITAC description: The Competency Center shall provide the reports according to the Business Organization.
Stock Manager and finance manager shall review the list of the users with the help of the report and request the necessary changes.

ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).

ITAC 100 technical implementation
Competency centers must provide to the business a report variant (using a batch at least once per year for example) to identify those users with the ability to post goods movements (receipt, issue, transfer posting).

Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance -> Information System -> User -> and generate a variant for Critical Authorizations with:

1) the following transactions:
- MIGO, MB1A, MB1B, MB1C: Goods movements
- CO11N: Production confirmation
- MFBF: Production booking
- VL01, VL01N, VL02, VL02N: Outbound Delivery
- MI07, MI10: Post Inventory Differences
- Custom Transactions (Z*) if applicable

2) at least the following authorization objects
- B_USERSTAT, attribute ACTVT, value 01
- M_MSEG_BMB, attribute ACTVT, value 01
- M_MSEG_BWA, attribute ACTVT, value 01
- M_MSEG_BWE, attribute ACTVT, value 01
- M_MSEG_BWF, attribute ACTVT, value 01
- M_MSEG_LGO, attribute ACTVT, value 01
- M_MSEG_WMB, attribute ACTVT, value 01
- M_MSEG_WWA, attribute ACTVT, value 01
- M_MSEG_WWE, attribute ACTVT, value 01

3) the appropriate Organizational data for each company in the scope of the Competency Center (if applicable).

Finance and/or Stock Manager must review the report in order to ensure the user list is appropriate. If needed, users can also run the report with the appropriate variant for further revisions.

Competency Center must ensure that there is at least a role with the ability to use this report and that the role has been assigned to the users selected by the business.

Control 5.6: Storage of sensitive articles

ICRF

Control description:
Sensitive articles (value, risk of theft, hazardous) shall be identified and stored appropriately.
A list of sensitive stock articles is kept up to date. Access must be restricted to authorised people. The quantities of these stocks
shall be controlled every month.
The Site Manager shall ensure that all products are stored in accordance with the Group’s EHS policies. Access permissions to the
stock management system and to the accounting system must comply with the rules for segregation of duties, as described in
Control 5.3.
At least once a year, the Stock Manager shall review all user profiles and access permissions to the stock management system
and shall inform the IT Department of any changes required (departures, transfers etc.).

Risks:
Risk 5.1 - Incorrect knowledge of the quantities in the stock
Risk 5.5 - Acceptance of non-compliant stock
Risk 5.6 - Stock theft

APPLICATION CONTROLS

I05.C02 Sensitive articles (value, risk of theft, hazardous) are identified

I05.A02 Access review to sensitive material inventory movements

I05.C02 Sensitive articles (value, risk of theft, hazardous) are
identified

SAP Module: MM
Technical category: Customizing

Control 5.6: Storage of sensitive articles
Risks addressed by ITAC: R5.1, R5.5 and R5.6

ITAC objectives: Sensitive articles are correctly identified in the system in order to restrict the access to the movements to authorized people only.

ITAC description: Competency Center shall configure the system (Material Type) according to the Business needs.
The business shall list the sensitive articles and describe the way to manage them.

ITAC 100 Transactions
OMS2 : SPRO > Logistics general > Material Master > Basic Settings > Material Types > Define Attributes of Material Types

ITAC 100 technical implementation
Define specific material type for sensitive material including value item, risk of theft or hazardous count using OMS2 Maintain Material Type.
Assign sensitive material to these categories.

Another solution, for hazardous materials, is to use the EHS-relevant “second view” in the article master file for each article.

I05.A02 Access review to sensitive material inventory movements

SAP Module: MM
Technical category: Access review

Control 5.6: Storage of sensitive articles
Risks addressed by ITAC: R5.1, R5.5 and R5.6

ITAC objective: Review user list to detect userid that should not be granted access to sensitive material inventory movements

ITAC description: Competency Center shall provide the reports according to the Business requirements and organization.
Stock Managers and finance manager use the report to make the review of the users with granted access to sensitive material inventory movement.

ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).

ITAC 100 technical implementation
Competency centers must provide to the business a report variant (using a batch at least once per year for example) to identify those users with the ability to process goods receipts for sensitive material.

Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance -> Information System -> User -> and generate a variant for Critical Authorizations with:

1) the following transactions:
- MIGO: Goods Movement
- Custom Transactions (Z*) if applicable

2) at least the following authorization objects:
- M_MATE_MAT field BEGRU with sensitive material type
- M_MATE_MAT field BEGRU with sensitive material type
- M_MATE_WRG field BEGRU with sensitive material type

3) the appropriate Organizational data for each company in the scope of the Competency Center (if applicable).

Finance and/or Stock Manager must review the report in order to ensure the user list is appropriate. If needed, users can also run the report with the appropriate variant for further revisions.

Competency Center must ensure that there is at least a role with the ability to use this report and that the role has been assigned to the users selected by the business.

Control 5.7: Creating/editing/deleting entries from the stock master file

ICRF

Control description:
Access permissions to create/edit/delete any entries from the stock master file must be restricted to authorised people. The
process for creating/editing/deleting entries from the stock master file must be documented and approved.
The stock manager shall carry out, at least once a year, a review of all users and access permissions to the article master file, and
inform the IT Department of any changes required (departures, transfers etc.)
An independent person shall conduct a monthly review of any critical modifications (the Marketing Manager for example).

Risks:
Risk 5.1 - Incorrect knowledge of the quantities in the stock
Risk 5.2 - Stock shortfalls
Risk 5.3 - Surplus stock and excess of reserved stock
Risk 5.4 - Obsolete stock incorrectly identified and controlled
Risk 5.6 - Stock theft
Risk 5.8 - Stock incorrectly valued due to poor identification of net realisable value

APPLICATION CONTROLS

I05.A03 Access review to material master data

I05.R01 Review modifications of material master data

I05.A03 Access review to material master data

SAP Module: MM
Technical category: Access review

Control 5.7: Creating/editing/deleting entries from the stock master file
Risks addressed by ITAC: R5.1, R5.2, R5.3, R5.4, R5.6 and R5.8

ITAC objective: Review user list to detect userid that should not be granted access to material master data.

ITAC description: Competency Center shall provide the stock manager with reports listing users with granted access to create or change material master data.
Stock Manager reviews the report at least once a year and communicates corrections to be made by the Competency Center.

ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).

ITAC 100 technical implementation
Competency centers must provide to the business a report variant (using a batch at least once per year for example) to identify those users with the ability to manage material master data.

Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance -> Information System -> User -> and generate a variant for Critical Authorizations with:

1) the following transactions:
- MM01 – Material Creation
- MM02 – Material Change
- MM70, MM71 – Material deletion
- MR21 - Material Master Price Change
- Custom Transactions (Z*) if applicable

Retail-specific transactions :
- MM41 – Create article
- MM42 – Change article
- MM46 – Article mass maintenance
- WSE1 – Flag article for deletion
- Custom Transactions (Z*) if applicable

2) at least the following authorization objects:
- F_BKPF_BUK attribute ACTVT, value 02 (MR21)
- M_MATE_BUK attribute ACTVT, value 01, 02 (MM*)
- M_MATE_STA attribute ACTVT, value 01, 02 (MM*)
- M_MATE_VKO attribute ACTVT, value 01, 02 (MM*)
- M_MATE_WGR attribute ACTVT, value ACT 01, 02 (MM*)
- M_MATE_WRK attribute ACTVT, value 01, 02 (MM*)
- W_WAKH_EKO attribute ACTVT, value 01 (WSE1)

3) the appropriate Organizational data for each company in the scope of the Competency Center (if applicable).

Stock Manager must review the report in order to ensure the user list is appropriate. If needed, users can also run the report with the appropriate variant for further revisions.

Competency Center must ensure that there is at least a role with the ability to use this report and that the role has been assigned to the users selected by the business.
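
The selection behind the I05.A01 and I05.A03 access reviews can be rehearsed offline on an exported authorization list. The Python below is an added example, not part of the ITAC 100 manual or of SAP. The export layout (USER;OBJECT;FIELD;VALUE), the sample users, and the rule that a user is reported only when holding both a listed transaction (through S_TCODE) and a listed authorization object are assumptions.

```python
"""Offline access review over a constructed authorization export (added example)."""

# Transactions and authorization objects transcribed from the I05.A01 and
# I05.A03 lists in this manual. Custom transactions are site-specific:
# append a pattern such as "Z*" to "tcodes" where applicable.
VARIANTS = {
    "I05.A01": {
        "tcodes": ["MIGO", "MB1A", "MB1B", "MB1C", "CO11N", "MFBF",
                   "VL01", "VL01N", "VL02", "VL02N", "MI07", "MI10"],
        "objects": {name: {"01"} for name in (
            "B_USERSTAT", "M_MSEG_BMB", "M_MSEG_BWA", "M_MSEG_BWE",
            "M_MSEG_BWF", "M_MSEG_LGO", "M_MSEG_WMB", "M_MSEG_WWA",
            "M_MSEG_WWE")},
    },
    "I05.A03": {
        "tcodes": ["MM01", "MM02", "MM70", "MM71", "MR21",
                   "MM41", "MM42", "MM46", "WSE1"],
        "objects": {
            "F_BKPF_BUK": {"02"},
            "M_MATE_BUK": {"01", "02"}, "M_MATE_STA": {"01", "02"},
            "M_MATE_VKO": {"01", "02"}, "M_MATE_WGR": {"01", "02"},
            "M_MATE_WRK": {"01", "02"}, "W_WAKH_EKO": {"01"},
        },
    },
}

# Constructed sample data. The USER;OBJECT;FIELD;VALUE layout is an assumption,
# not the output format of report S_BCE_68002111.
SAMPLE_EXPORT = """\
ALICE;S_TCODE;TCD;MIGO
ALICE;M_MSEG_BWE;ACTVT;01
BOB;S_TCODE;TCD;MB52
BOB;M_MSEG_BWE;ACTVT;03
CAROL;S_TCODE;TCD;M*
CAROL;M_MSEG_BWA;ACTVT;*
DAVE;S_TCODE;TCD;MM02
DAVE;M_MATE_WRK;ACTVT;02
ERIN;S_TCODE;TCD;MIGO
"""


def parse_export(text):
    """Return {user: [(object, field, value), ...]} from the export text."""
    grants = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = [part.strip().upper() for part in line.split(";")]
        if len(parts) != 4 or not all(parts):
            raise ValueError(f"line {number}: expected USER;OBJECT;FIELD;VALUE")
        user, obj, field, value = parts
        grants.setdefault(user, []).append((obj, field, value))
    return grants


def covers(held, wanted):
    """True if a held value (literal or PREFIX*) overlaps a wanted value."""
    held_wild, wanted_wild = held.endswith("*"), wanted.endswith("*")
    held_prefix, wanted_prefix = held.rstrip("*"), wanted.rstrip("*")
    if held_wild and wanted_wild:
        return (held_prefix.startswith(wanted_prefix)
                or wanted_prefix.startswith(held_prefix))
    if held_wild:
        return wanted_prefix.startswith(held_prefix)
    if wanted_wild:
        return held_prefix.startswith(wanted_prefix)
    return held == wanted


def review(variant, grants):
    """List users holding a listed transaction AND a listed object/activity."""
    findings = {}
    for user, rows in grants.items():
        held_tcodes = [v for o, f, v in rows if o == "S_TCODE" and f == "TCD"]
        tcodes = [t for t in variant["tcodes"]
                  if any(covers(held, t) for held in held_tcodes)]
        objects = sorted({
            o for o, f, v in rows
            if f == "ACTVT" and o in variant["objects"]
            and any(covers(v, activity) for activity in variant["objects"][o])
        })
        if tcodes and objects:
            findings[user] = {"tcodes": tcodes, "objects": objects}
    return findings


if __name__ == "__main__":
    grants = parse_export(SAMPLE_EXPORT)
    for control, variant in VARIANTS.items():
        for user, hit in sorted(review(variant, grants).items()):
            print(control, user, ",".join(hit["tcodes"]), ",".join(hit["objects"]))
```

Wildcard grants such as M* or ACTVT * are expanded against the list, so broadly authorized users appear in the review; value ranges and organizational-level fields are not modelled.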

I05.R01 Review modifications of material master data

SAP Module: MM
Technical category: Report

Control 5.7: Creating/editing/deleting entries from the stock master file
Risks addressed by ITAC: R5.1, R5.2, R5.3, R5.4, R5.6 and R5.8

ITAC objective: Generate report to display critical material master data changes.

ITAC description: Competency center shall provide the reports based on the Business requirements. Depending on the number of monthly modifications in material master data, Business and IT shall find what critical information the report will provide.
As per ICRF, an independent person shall conduct a monthly review of any critical modifications.

ITAC 100 Transactions
MM04 Display change documents (standard)
MM44 Display change documents (retail variant)

ITAC 100 technical implementation
Competency center must provide to the business a report of material changes. MM44 for retail variant of SAP or MM04 for other variants could be used. The report must include all fields that make articles unique (selected by the business).
Limitation: these transactions are by material. Specific report or Business Intelligence solution should be used as an alternative.
Competency Center must ensure that there is at least a role with the ability to use these transactions and that the role has been assigned to the users selected by the business.

Control 5.8: Annual review of the structure of the article master file

ICRF

Control description:
The structure of the article master file is reviewed annually in order to ensure that the number of references is appropriate and
that all generic codes are cleared.

Risks:
Risk 5.1 - Incorrect knowledge of the quantities in the stock
Risk 5.2 - Stock shortfalls
Risk 5.3 - Surplus stock and excess of reserved stock

APPLICATION CONTROL

I05.R02 Review of article master file

SAP Module: MM
Technical category: Report

Control 5.8: Annual review of the structure of the article master file
Risks addressed by ITAC: R5.1, R5.2 and R5.3

ITAC objectives: Extract the structure of article master file to review the references and to clear generic codes

ITAC description: Competency Center shall provide the reports based on the Business Requirements and organization. At least two reports shall be defined:
1 – The list of articles that have the same description to identify duplicate material references.
2 – The list of Generic codes to clear them and to create the necessary references that are not generic.

ITAC 100 Transactions
MM60 - List material
MB52 - List warehouse stock

ITAC 100 technical implementation
Competency center must provide to the business a report to verify the article master file. This report should help the business to identify generic articles, duplicates, etc.
1 – Generate a report using MM60 to list material. Depending on the number of references, it should be better to import the MM60 results in BI for further analysis.
2 - Generate a report using MM60 with a selection of potential generic material type.

When WM module is implemented, MB52 can also be used.

Competency Center must ensure that there is at least a role with the ability to use these transactions and that the role has been assigned to the users selected by the business.

Control 5.11: Monitoring supplies

ICRF

Control description:
The entity has set up a system to identify any orders that are not delivered on the expected date (early or late).
This monitoring system can in particular be supported by a delivery schedule that sets out the suppliers’ delivery dates and the
expected quantities.

Risks:
Risk 5.2 - Stock shortfalls
Risk 5.3 - Surplus stock and excess of reserved stock

APPLICATION CONTROL

I05.T02 Purchase orders not delivered on time are identified by the Inventory Management System

SAP Module: MM
Technical category: Transaction

Control 5.11: Monitoring supplies
Risks addressed by ITAC: R5.2 and R5.3

ITAC objective: identify orders not delivered on time extracted from Inventory Management System

ITAC description: Competency Center shall provide or customize the reports based on the Business requirements and organization. Thus, Business can monitor the delivery dates and the expected quantities.

ITAC 100 Transactions
ME2W - Purchase Orders for Supplying Plant
ME2M - Purchase Orders by Material
ME2C - Purchase Orders by Material Group
ME2L - Purchase Orders by Vendor
ME2N - Purchase Orders by PO Number

ITAC 100 technical implementation
Transactions ME2W, ME2M, ME2C, ME2L or ME2N are available to display all overdue orders (open orders, delivery date in the past).
Competency Center must ensure that there is at least a role with the ability to use these transactions and that the role has been assigned to the users selected by the business.

Control 5.13: Management of discrepancies in delivery

ICRF

Control description:
All received goods must be recorded with an associated order number.
Any discrepancies in delivery must be approved by the Stock Manager before being accepted.
Deliveries received without a purchase order must remain an exception and be signed off by an authorised person. They shall be
regularly checked by a person independent from the stock management.

Risks:
Risk 5.2 - Stock shortfalls
Risk 5.3 - Surplus stock and excess of reserved stock
Risk 5.5 - Acceptance of non-compliant stock
Risk 5.6 - Stock theft

APPLICATION CONTROL

I05.C03 Any discrepancy in delivery relies on a level of tolerance

SAP Module: MM
Technical category: Customizing

Control 5.13: Management of discrepancies in delivery
Risks addressed by ITAC: R5.2, R5.3, R5.5 and R5.6

ITAC objective: The System validates the quantity captured as received against the quantity ordered and rejects the transaction if the quantity received exceeds or is less than the quantity ordered

ITAC description: The Competency Center shall customize the system with regards to the Business Requirements (tolerance in quantity) and organization (exception to be authorized by appropriate level of management).

ITAC 100 Transactions
OMC0 : SPRO > IMG > Materials Management > Inventory Management and Physical Inventory > Goods Receipt > Set Tolerance Limit

ITAC 100 technical implementation
Use OMC0 to define and configure in the system the tolerance limits for gaps between quantities received and ordered.
Define the user groups and tolerance limits including the price and quantity variance (percentage or quantity, upper or lower). Thresholds are the following ones:
- B2 Identify acceptable (with warning) limits
- B1 Identify unacceptable limits
Configure in SAP the tolerance limits regarding previous task.
- Within transaction OMC0 define thresholds B2 & B1

Control 5.19: Reconciliation between the finance module and the stock
management module

ICRF

Control description:
Any physical movements of stock must as soon as possible lead to an accounting entry.
At least once a month, the Accounting Department shall reconcile the stock management system (or the stock management
module) and the accounting system (or the finance module) in order to validate any recorded changes in stock.
The identified errors shall be investigated and resolved timely.

Risk:
Risk 5.1 - Incorrect knowledge of the quantities in the stock

APPLICATION CONTROL

I05.C04 Stock movements generate automatic posting in accounting system

SAP Module: MM, FI
Technical category: Customizing

Control 5.19: Reconciliation between the finance module and the stock management module
Risk addressed by ITAC: R5.1

ITAC objective: Stock movements are appropriately and timely recorded in the accounting system

ITAC description: Competency Center shall customize the system according to the Stock and Finance Department requirements and organization.
The postings in accounting system shall be automatic.

ITAC 100 Transactions
OBYC: SPRO - IMG - Materials Management - Valuation and Account Assignment - Account Determination - Account Determination Without Wizard - Configure Automatic Posting

ITAC 100 technical implementation
Using OBYC, define accounts for every movement generating a posting in accounting.

Control 5.20: Approving the parameters for stock levels management

ICRF

Control description:
The entity has put in place a system to optimise stock levels and to steer supplies in order to avoid any shortfalls and to limit
surplus stock and obsolescence.
The parameters for this system (minimums, maximums, back-up stock, re-supplying levels etc.) must be reviewed and approved
by the Stock/Logistics Manager at least once a year.
Any changes to the parameters must be authorised by the Logistics Manager.

Risks:
Risk 5.2 - Stock shortfalls
Risk 5.3 - Surplus stock and excess of reserved stock
Risk 5.4 - Obsolete stock incorrectly identified and controlled

APPLICATION CONTROLS

I05.T03 Acceptable level of stock is configured

I05.R03 Review of replenishment strategy

I05.T03 Acceptable level of stock is configured

SAP Module: MM
Technical category: Transaction

Control 5.20: Approving the parameters for stock levels management
Risks addressed by ITAC: R5.2, R5.3 and R5.4

ITAC objective: Stock replenishment levels are set to optimize stock level.

ITAC description: Stock manager defines appropriate safety or minimum stock level, maximum stock level, back-up stock level, re-supplying level and lot size to optimize stock level.

ITAC 100 Transactions
MM02 Change Storage view of a material
MM42 – Change Material (retail variant)

ITAC 100 technical implementation
Use MM02 Change Material, select MRP Views
Define:
- safety stock level,
- maximum stock,
- back-up stock,
- re-supplying levels and lot size
For retail variant of SAP, transaction used should be MM42.

Competency Center must ensure that there is at least a role with the ability to use these transactions and that the role has been assigned to the users selected by the business.

I05.R03 Review of replenishment strategy

SAP Module: MM
Technical category: Report

Control 5.20: Approving the parameters for stock levels management
Risks addressed by ITAC: R5.2, R5.3 and R5.4

ITAC objective: material replenishment parameters are reviewed

ITAC description: MRP data report must be reviewed at least once a year.
The requirements for this report (minimums, maximums, backup stock, re-supplying levels etc.) shall be expressed by the Stock Manager.

ITAC 100 Transactions
SE16 - Data browser
Table MARC Material at plant level

ITAC 100 technical implementation
Management of parameters for stock levels definition is included in MRP functionality and is available in table MARC (defined at plant level).
Competency center should provide the MRP information from table MARC at least every year:
- safety stock level,
- maximum stock,
- back-up stock,
- re-supplying levels and lot size.

Another solution could be that the competency center customizes a report providing the necessary information to the business.

If applicable, Competency Center must ensure that there is at least a role with the ability to use the transaction and that the role has been assigned to the users selected by the business.

Control 5.22: Monitoring off-site stock and goods on consignment

ICRF

Control description:
There is a procedure for recording and managing off-site stock and stock on consignment.
This procedure in particular contains:
• The use of independent tracking reports in order to identify stock quantities and values,
• The frequency of stock counting for goods on consignment (at least once a year),
• The methods for reconciling the results obtained, and for investigating and solving any differences that are identified.

Risks:
Risk 5.1 - Incorrect knowledge of the quantities in the stock
Risk 5.4 - Obsolete stock incorrectly identified and controlled
Risk 5.6 - Stock theft

APPLICATION CONTROL

I05.T04 Off site and consignment stocks are managed by inventory management system

SAP Module: MM
Technical category: Transaction

Control 5.22: Monitoring off-site stock and goods on consignment
Risks addressed by ITAC: R5.1, R5.4 and R5.6

ITAC objective: Stock managed on site but not owned by the entity (e.g. consignment stock) or off-site stock managed by the system (e.g. stock located at subcontractors) are identified by inventory management system and properly managed for accounting purpose.

ITAC description: Competency center implements specific processes for managing Consignment and subcontractor into inventory management system. Stock department uses these specific processes to manage this stock.

ITAC 100 Transactions
MBLB for Subcontractor located stock
MB54 for Vendor Consignment stock
MB58 for Customer Consignment stock

ITAC 100 technical implementation
Use standard SAP transactions to review subcontractor and consignment stock:
- MBLB for Subcontractor located stock
- MB54 for Vendor Consignment stock
- MB58 for Customer Consignment stock
- MB5T Stock in transit

Competency Center must ensure that there is at least a role with the ability to use these transactions and that the role has been assigned to the users selected by the business.

Control 5.23: Approving stock adjustments following a stock counting

ICRF

Control description:
The Stock Manager shall justify, document and keep track of any significant inventory differences.
The Finance Department shall authorise and approve any adjustments (globally, by product family, or by article).
Accounting entries shall be documented and kept track of.

Risks:
Risk 5.1 - Incorrect knowledge of the quantities in the stock
Risk 5.6 - Stock theft
Risk 5.8 - Stock incorrectly valued due to poor identification of net realisable value

APPLICATION CONTROLS

I05.C05 Define tolerance limits for inventory difference postings

I05.R04 Stock adjustments review

I05.C05 Define tolerance limits for inventory difference postings

SAP Module: MM
Technical category: Customizing

Control 5.23: Approving stock adjustments following a stock counting
Risks addressed by ITAC: R5.1, R5.6 and R5.8

ITAC objective: Significant inventory differences are posted by relevant management.

ITAC description: Competency Center should define tolerance limits by amount by total and/or by item.

ITAC 100 Transactions
OMJ2: SPRO > IMG > Materials Management > Inventory Management & Physical Inventory > Physical Inventory > Define Tolerances for physical inventory differences.

ITAC 100 technical implementation
Set the tolerance: define tolerance groups for posting differences by level of management.
OMJ2: SPRO > IMG > Materials Management > Inventory Management & Physical Inventory > Physical Inventory > Define Tolerances for physical inventory differences
Then assign users to the tolerance groups.

I05.R04 Stock adjustments review

SAP Module: MM
Technical category: Report

Control 5.23: Approving stock adjustments following a stock counting
Risks addressed by ITAC: R5.1, R5.6 and R5.8

ITAC objective: Review of stock adjustments

ITAC description: Competency Center shall provide and/or customize the reports based on the Business requirements and organization.
Stock and Finance Department shall review the report after the stock adjustments entered in the system based on the physical stock counting.

ITAC 100 Transactions
MI20 Physical inventory list
MB51 Material document list.

ITAC 100 technical implementation
Generate report of physical inventory adjustment using either MI20 – Physical Inventory list or MB51 with movement types used for inventory discrepancy.
Competency Center must ensure that there is at least a role with the ability to use these transactions and that the role has been assigned to the users selected by the business.

Warning: MB51 could give access to MI07. Do not give those transactions in the same role.

Control 5.26: Review of anomalies

ICRF

Control description:
Any quantities without a value, any values without a quantity, and any negative values or quantities must be investigated,
monitored or corrected at least once a month.

Risks:
Risk 5.1 - Incorrect knowledge of the quantities in the stock
Risk 5.2 - Stock shortfalls
Risk 5.3 - Surplus stock and an excess of reserved stock
Risk 5.4 - Obsolete stock incorrectly identified and controlled
Risk 5.6 - Stock theft
Risk 5.8 - Stock incorrectly valued due to poor identification of net realisable value

APPLICATION CONTROL

I05.C06 Configure inventory management system to forbid negative quantity in stock

SAP Module: MM
Technical category: Customizing

Control 5.26: Review of anomalies
Risk addressed by ITAC: R5.1, R5.2

ITAC objective: Negative quantity for inventory is forbidden

ITAC description: Competency Center shall customize the system according to the Business Requirements.

ITAC 100 Transactions
OMJ1: SPRO > Material Management > Inventory management and physical inventory > Goods issues / transfers postings > Allow negative stocks

ITAC 100 technical implementation
Set negative quantity value as forbidden in SPRO at storage location level.
Use OMJ1: SPRO > Material Management > Inventory management and physical inventory > Goods issues / transfers postings > Allow negative stocks.
If negative stock must be allowed in business process, at least once a month, a review must be performed to investigate, monitor and correct the situation.

Control 5.27: Reconciliation between the stock in accounting, the stock
management system and the physical stock

ICRF

Control description:
The Accounting Department shall justify the stock accounts on a monthly basis, reconciling:
• The accounting system (or the finance module),
• The stock management system (or the stock module),
• The results of the stock counting, when available.
The identified differences must be investigated and resolved within the month.

Risks:
Risk 5.1 - Incorrect knowledge of the quantities in the stock
Risk 5.8 - Stock incorrectly valued due to poor identification of net realisable value

APPLICATION CONTROL

I05.R05 Report of stock values

SAP Module: MM
Technical category: Report

Control 5.27: Reconciliation between the stock in accounting, the stock management system and the physical stock
Risks addressed by ITAC: R5.1 and R5.8

ITAC objective: Report the stock balance between the finance and the stock system(s)

ITAC description: Competency center provides a report for stock quantities and valuation in stock management system according to business needs. Finance department reconciles this report with inventory valuation in balance sheet at least once a month.

ITAC 100 Transactions
MB5L - List of Stock Values: Balances
MCBA - Plant analysis

ITAC 100 technical implementation
In order to reconcile MM and FI on stock, extract the report which shows stock balances as per FI and MM via transaction MB5L or appropriate specific report.

Competency center should run a batch of this report and save a copy of the results for potential future analysis (for instance MCBA plant analysis in standard).
The creation of the report should be part of month end activity.

Competency Center must ensure that there is at least a role with the ability to use this transaction and that the role has been assigned to the users selected by the business.
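
The monthly checks required by Control 5.26 (anomalies) and Control 5.27 (reconciliation with accounting) can be run on extracted data as follows. This Python is an added example, not part of the ITAC 100 manual and not the output of MB5L; the CSV column names, the gl_account column linking each stock line to a stock account, and all sample figures are constructed assumptions.

```python
"""Monthly stock checks for Controls 5.26 and 5.27 on constructed data (added example)."""
import csv
import io
from decimal import Decimal

# Constructed stock extract. Column names, and the gl_account column that ties
# each line to a stock account, are assumptions rather than an SAP report layout.
STOCK_CSV = """\
material,plant,sloc,quantity,value,gl_account
M-100,1000,0001,10,250.00,300000
M-200,1000,0001,5,0.00,300000
M-300,1000,0002,0,75.50,300000
M-400,2000,0001,-3,-42.00,310000
M-500,2000,0001,8,160.00,310000
"""

# Constructed balances of the stock accounts in the accounting system.
FI_BALANCES = {
    "300000": Decimal("325.50"),
    "310000": Decimal("160.00"),
    "320000": Decimal("12.00"),
}


def load_stock(text):
    """Parse the extract, converting quantity and value to Decimal."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["quantity"] = Decimal(row["quantity"])
        row["value"] = Decimal(row["value"])
        rows.append(row)
    return rows


def find_anomalies(rows):
    """Return (material, anomaly) pairs for the cases listed in Control 5.26."""
    found = []
    for row in rows:
        quantity, value = row["quantity"], row["value"]
        if quantity != 0 and value == 0:
            found.append((row["material"], "quantity without value"))
        if quantity == 0 and value != 0:
            found.append((row["material"], "value without quantity"))
        if quantity < 0:
            found.append((row["material"], "negative quantity"))
        if value < 0:
            found.append((row["material"], "negative value"))
    return found


def reconcile(rows, fi_balances):
    """Return {account: stock value minus accounting balance} where they differ."""
    stock_totals = {}
    for row in rows:
        account = row["gl_account"]
        stock_totals[account] = stock_totals.get(account, Decimal("0")) + row["value"]
    differences = {}
    # Accounts present on only one side are compared against zero.
    for account in sorted(set(stock_totals) | set(fi_balances)):
        gap = (stock_totals.get(account, Decimal("0"))
               - fi_balances.get(account, Decimal("0")))
        if gap != 0:
            differences[account] = gap
    return differences


if __name__ == "__main__":
    stock = load_stock(STOCK_CSV)
    for material, anomaly in find_anomalies(stock):
        print("anomaly", material, anomaly)
    for account, gap in reconcile(stock, FI_BALANCES).items():
        print("difference", account, gap)
```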

Control 5.30: Approving the scrapping and destruction of stock

ICRF

Control description:
Any scrappings or destructions of stock must be performed in accordance with local legislation.
The Stock Manager shall systematically review and approve the list of the articles to be scrapped, using the procedure approved
by the Finance Department.
The Accounting Department shall reconcile:
• The scrapping report, the list of articles to be scrapped and the stock variation recorded in the stock management system,
• The amount of stock destroyed and written off, in accordance with Group rules.

Risks:
Risk 5.1 - Incorrect knowledge of the quantities in the stock
Risk 5.4 - Obsolete stock incorrectly identified and controlled
Risk 5.6 - Stock theft
Risk 5.8 - Stock incorrectly valued due to poor identification of net realisable value

APPLICATION CONTROLS

I05.A04 Access review to register scrapped stocks

I05.R06 Review scrapping and destructions

I05.A04 Access review to register scrapped stocks

SAP Module: MM
Technical category: Access review

Control 5.30: Approving the scrapping and destruction of stock
Risks addressed by ITAC: R5.1, R5.4, R5.6 and R5.8

ITAC objective: Review user list to detect userid that should not be granted access to scrap or
destruct stocks.

ITAC description: Competency Center shall provide and/or customize the reports based on the
Business requirements and organization.
Stock and Finance Department shall review the list of users.

ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).

ITAC 100 technical implementation

Competency centers must provide to the business a report variant (using a batch at least once per
year for example) to identify those users with the ability to post goods for scrapping.

Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance ->
Information System -> User -> and generate a variant for Critical Authorizations with:

1) the following transactions:
- MIGO Goods Movement
- MIGO_GI: Goods Issue
- MB1A: Goods Issue
- Custom Transactions (Z*) if applicable

2) at least the following authorization objects: cf. I05.A01 and change movement types:
- M_MSEG_BWA, attributes ACTVT, value 01 and BWART values 551-556 (and custom scrapping movement
  types if applicable)

3) the appropriate Organizational data for each company in the scope of the Competency Center (if
applicable).

Finance and/or Stock Manager must review the report in order to ensure the user list is
appropriate. If needed, users can also run the report with the appropriate variant for further
revisions.

Competency Center must ensure that there is at least a role with the ability to use this report
and that the role has been assigned to the users selected by the business.

I05.R06 Review scrapping and destructions

SAP Module: MM
Technical category: Report

Control 5.30: Approving the scrapping and destruction of stock
Risks addressed by ITAC: R5.1, R5.4, R5.6 and R5.8

ITAC objective: Review the list of articles scrapped and/or destroyed

ITAC description: Competency Center shall provide and/or customize the reports based on the
Business requirements and organization.
Stock Manager uses the report to review the list of articles scrapped or destroyed.

ITAC 100 Transactions
MB51 - Material Doc. List

ITAC 100 technical implementation

Use MB51 and movement types 551 to 556 (and custom scrapping movement types if applicable) to
report about scrapping and destructions. In addition, the reason and assignment should be used.

Competency Center must ensure that there is at least a role with the ability to use this report
and that the role has been assigned to the users selected by the business.

ITAC in Risks & Controls Matrix (ICRF 5)

SAP Mod. ITAC 100 ICRF Risk addressed


ICRF itac
SD FI MM Category R5.1 R5.2 R5.3 R5.4 R5.5 R5.6 R5.8
5.2 I05.C01 X C X X X X X X
5.2 I05.T01 X X T X X X X X X
5.4 I05.A01 X X A X X
5.6 I05.C02 X C X X X
5.6 I05.A02 X A X X X
5.7 I05.A03 X A X X X X X X
5.7 I05.R01 X R X X X X X X
5.8 I05.R02 X R X X X
5.11 I05.T02 X T X X
5.13 I05.C03 X C X X X X
5.19 I05.C04 X X C X
5.20 I05.T03 X T X X X
5.20 I05.R03 X R X X X
5.22 I05.T04 X T X X X
5.23 I05.C05 X C X X X
5.23 I05.R04 X R X X X
5.26 I05.C06 X C X X
5.27 I05.R05 X R X X
5.30 I05.A04 X A X X X X
5.30 I05.R06 X R X X X X
15 10 9 9 5 13 8

ICRF 06: Purchasing

Control 6.6: Review of purchaser profiles and access permissions to the purchase
management system

ICRF

Control Description:
Purchasers' access to the purchase management system and to the accounting system (accounts payable) must comply with
segregation of duties (see control 5).
Using the control tools provided by the IT Department, the Purchasing Department shall each year review and validate user
profiles within the Purchasing Department.

Risks:
Risk 6.1 - Theft or misuse of assets
Risk 6.12 - Acceptance and payment of goods and services that do not comply with the order, or were not ordered nor received
Risk 6.13 - Poor valuation and recording of supplier invoices

APPLICATION CONTROLS

I06.A01 Access review to maintain supplier master data

I06.A02 Access review to approve supplier creation/modification/deletion

I06.A03 Access review to create supplier agreement or contract

I06.A01 Access review to maintain supplier master data

SAP Module: MM
Technical category: Access Review

Control 6.6: Review of purchaser profiles and access permissions to the purchase management system
Risks addressed by ITAC: R6.1, R6.12 and R6.13

ITAC objective: Review user list to detect userid that should not be granted access to maintain
supplier master data.

ITAC description: Competency Centers provide reports according to the Business requirements and
organization. Purchasing and Accounting departments use the reports to perform the review, no less
than once a year.

ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).

ITAC 100 technical implementation

Competency centers must provide to the business a report variant (using a batch at least once per
year for example) to identify those users with the ability to maintain vendor master data.

Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance ->
Information System -> User -> and generate a variant for Critical Authorizations with:

1) the following transactions:
- XK01 Create vendor (create all views)
- XK02 Change vendor (change all views)
- XK06 Mark vendor for deletion
- FK01 Create vendor (create accounting views)
- FK02 Change vendor (change accounting views)
- MK01 Create vendor (Purchase views)
- MK02 Change vendor (Purchase views)
- Custom Transactions (Z*) if applicable

2) at least the following authorization objects:
- F_LFA1_APP, attribute ACTVT, values 01, 02 or 06
- F_LFA1_BEK, attribute ACTVT, values 01, 02 or 06
- F_LFA1_BUK, attribute ACTVT, values 01, 02 or 06.

3) the appropriate Organizational data for each company in the scope of the Competency Center (if
applicable).

Purchasing and/or Accounting must review the report in order to ensure the user list is
appropriate. If needed, users can also run the report with the appropriate variant for further
revisions.

Competency Center must ensure that there is at least a role with the ability to use this report
and that the role has been assigned to the users selected by the business.

I06.A02 Access review to approve supplier creation/modification/deletion

SAP Module: MM
Technical category: Access review

Control 6.6: Review of purchaser profiles and access permissions to the purchase management system
Risks addressed by ITAC: R6.1, R6.12 and R6.13

ITAC objective: Review user list to detect userid that should not be granted access to approve
supplier creation/modification/deletion.

ITAC description: Competency Centers provide reports according to the Business requirements and
organization. Accounting Department uses the reports to perform the review, no less than once a
year.

ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).

ITAC 100 technical implementation

Competency centers must provide to the business a report variant (using a batch at least once per
year for example) to identify those users with the ability to approve
creation/modification/deletion of suppliers.

Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance ->
Information System -> User -> and generate a variant for Critical Authorizations with:

1) the following transactions:
- FK08 vendor individual confirmation
- FK09 vendor collective confirmation
- Custom Transactions (Z*) if applicable

2) at least the following authorization objects:
- F_LFA1_APP, attribute ACTVT, value 08
- F_LFA1_BEK, attribute ACTVT, value 08
- F_LFA1_BUK, attribute ACTVT, value 08
- F_LFA1_GEN, attribute ACTVT, value 08
- F_LFA1_GRP, attribute ACTVT, value 08

3) the appropriate Organizational data for each company in the scope of the Competency Center (if
applicable).

Accounting department must review the report in order to ensure the user list is appropriate. If
needed, users can also run the report with the appropriate variant for further revisions.

Competency Center must ensure that there is at least a role with the ability to use this report
and that the role has been assigned to the users selected by the business.

I06.A03 Access review to create supplier agreement or contract

SAP Module: MM
Technical category: Access Review

Control 6.6: Review of purchaser profiles and access permissions to the purchase management system
Risks addressed by ITAC: R6.1, R6.12 and R6.13

ITAC objective: Review user list to detect userid that should not be granted access to create
supplier agreement or contract.

ITAC description: Competency Centers provide reports according to the Business requirements and
organization. Purchasing department uses the reports to perform the review, no less than once a
year.

ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).

ITAC 100 technical implementation

Competency centers must provide to the business a report variant (using a batch at least once per
year for example) to identify those users with the ability to create agreement or contract.

Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance ->
Information System -> User -> and generate a variant for Critical Authorizations with:

1) the following transactions:
- ME31, ME31K Create a contract
- ME31L Create Scheduling Agreement.
- ME32, ME32N, Change Outline Agreement
- ME32K change contract
- ME32L change Scheduling Agreement.
- Custom Transactions (Z*) if applicable

2) at least the following authorization objects:
- M_RAHM_BSA attribute ACTVT, values 01 or 02
- M_RAHM_EKG attribute ACTVT, values 01 or 02
- M_RAHM_EKO attribute ACTVT, values 01 or 02
- M_RAHM_WRK attribute ACTVT, values 01 or 02

3) the appropriate Organizational data for each company in the scope of the Competency Center (if
applicable).

Purchasing department must review the report in order to ensure the user list is appropriate. If
needed, users can also run the report with the appropriate variant for further revisions.

Competency Center must ensure that there is at least a role with the ability to use this report
and that the role has been assigned to the users selected by the business.

Control 6.7: Review of profiles, other than purchasers with
access permission to the purchase management system

ICRF

Control Description:
Access to the purchase management system and to the accounting system (accounts payable) must comply with segregation of
duties (see control 5).
Using the control tools provided by the IT Department, the Functional Departments shall check user profiles within their
department. It shall be done on an annual basis and in collaboration with the Purchasing Department.

Risks:
Risk 6.1 - Theft or misuse of assets
Risk 6.12 - Acceptance and payment of goods and services that do not comply with the order, or were not ordered nor received
Risk 6.13 - Poor valuation and recording of supplier invoices

APPLICATION CONTROLS

I06.A04 Access review to create purchase orders

I06.A05 Access review to approve purchase orders

I06.A06 Access review to process goods receipts

I06.A07 Access review to perform service receipts

I06.A08 Access review to record supplier invoices

I06.A04 Access review to create purchase orders

SAP Module: MM
Technical category: Access review

Control 6.7: Review of profiles, other than purchasers with access permission to the purchase
management system
Risks addressed by ITAC: R6.1 and R6.12

ITAC objective: Review user list to detect userid that should not be granted.

ITAC description: Competency Centers provide reports according to the Business requirements and
organization. Purchasing departments and functional departments use the reports to perform the
review, no less than once a year.

ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).

ITAC 100 technical implementation

Generate a report of users with the ability to create, change or maintain purchase orders.

Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance ->
Information System -> User -> and generate a variant for Critical Authorizations with:

1) the following transactions:
- ME21, ME21N Create Purchase Order
- ME22, ME22N Change Purchase Order
- ME24 Maintain Purchase Order
- ME25 Create PO with Source Determination
- MEMASSPO Mass Maintenance: Purchase Order
- ME59, ME59N, Automatic Generation of POs.
- Custom Transactions (Z*) if applicable

2) at least the following authorization objects:
- M_BEST_BSA attribute ACTVT, values 01 or 02
- M_BEST_EKG attribute ACTVT, values 01 or 02
- M_BEST_EKO attribute ACTVT, values 01 or 02
- M_BEST_WRK attribute ACTVT, values 01 or 02

3) the appropriate Organizational data for each company in the scope of the Competency Center (if
applicable).

I06.A05 Access review to approve purchase orders

SAP Module: MM
Technical category: Access review

Control 6.7: Review of profiles, other than purchasers with access permission to the purchase
management system
Risks addressed by ITAC: R6.1 and R6.12

ITAC objective: Review user list to detect userid that should not be granted access to release
purchase orders.

ITAC description: Competency Centers provide reports according to the Business requirements and
organization. Purchasing department uses the reports to perform the review, no less than once a
year.

ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).

ITAC 100 technical implementation

Competency centers must provide to the business a report variant (using a batch at least once per
year for example) to identify those users with the ability to release purchase orders.

Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance ->
Information System -> User -> and generate a variant for Critical Authorizations with:

1) the following transactions:
- ME28 Collective release for purchase orders
- ME29N Individual release for purchase order
- MEW5 Collective Release of Purchase Orders
- ME35K Release (Approve) Purchasing documents
- Custom Transactions (Z*) if applicable

2) at least the following authorization objects:
- M_BEST_BSA attribute ACTVT, value 02
- M_BEST_EKG attribute ACTVT, value 02
- M_BEST_EKO attribute ACTVT, value 02
- M_BEST_WRK attribute ACTVT, value 02
- M_EINK_FRG attributes FRGCO, value * and FRGGR value *

3) the appropriate Organizational data for each company in the scope of the Competency Center (if
applicable).

Purchasing department must review the report in order to ensure the user list is appropriate. If
needed, users can also run the report with the appropriate variant for further revisions.

Competency Center must ensure that there is at least a role with the ability to use this report
and that the role has been assigned to the users selected by the business.

I06.A06 Access review to process goods receipts

SAP Module: MM
Technical category: Access review

Control 6.7: Review of profiles, other than purchasers with access permission to the purchase
management system
Risks addressed by ITAC: R6.1, R6.12 and R6.13

ITAC objective: Review user list to detect userid that should not be granted access to process
goods receipts.

ITAC description: Competency Centers provide reports according to the Business requirements and
organization. Purchase or functional departments use the reports to perform the review, no less
than once a year.

ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).

ITAC 100 technical implementation

Competency centers must provide to the business a report variant (using a batch at least once per
year for example) to identify those users with the ability to process goods receipts.

Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance ->
Information System -> User -> and generate a variant for Critical Authorizations with:

1) the following transactions:
- MIGO, MIGO_GR, MIGO_GO: Goods Receipt
- MB01, MB0A, MB31: Goods Receipt for Order
- Custom Transactions (Z*) if applicable

2) at least the following authorization objects: cf. I05.A01 and change movement type:
- M_MSEG_BWA, attributes ACTVT, value 01 and:
  - For Goods receipt of Purchase Orders: BWART values 101-106 and custom movement types if
    applicable.
  - For other Goods Receipts: BWART values 451-452 & 501-506 & 511-532 & 561-566 & 581-582 &
    Custom movement types if applicable.

3) the appropriate Organizational data for each company in the scope of the Competency Center (if
applicable).

Purchasing and/or functional departments must review the report in order to ensure the user list
is appropriate. If needed, users can also run the report with the appropriate variant for further
revisions.

Competency Center must ensure that there is at least a role with the ability to use this report
and that the role has been assigned to the users selected by the business.

I06.A07 Access review to perform service receipts

SAP Module: MM
Technical category: Access review

Control 6.7: Review of profiles, other than purchasers with access permission to the purchase
management system
Risks addressed by ITAC: R6.1, R6.12 and R6.13

ITAC objective: Review user list to detect userid that should not be granted access to perform
service receipts.

ITAC description: Competency Centers provide reports according to the Business requirements and
organization. Purchase or functional departments use the reports to perform the review, no less
than once a year.

ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).

ITAC 100 technical implementation

Competency centers must provide to the business a report variant (using a batch at least once per
year for example) to identify those users with the ability to perform service receipts.

Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance ->
Information System -> User -> and generate a variant for Critical Authorizations with:

1) the following transactions:
- ML81 Service Entry Sheet
- ML85 SES release strategy
- Custom Transactions (Z*) if applicable

2) at least the following authorization objects:
- M_BEST_BSA attribute ACTVT, value 02
- M_BEST_EKG attribute ACTVT, value 02
- M_BEST_EKO attribute ACTVT, value 02
- M_BEST_WRK attribute ACTVT, value 02

3) the appropriate Organizational data for each company in the scope of the Competency Center (if
applicable).

Purchasing and/or functional departments must review the report in order to ensure the user list
is appropriate. If needed, users can also run the report with the appropriate variant for further
revisions.

Competency Center must ensure that there is at least a role with the ability to use this report
and that the role has been assigned to the users selected by the business.

I06.A08 Access review to record supplier invoices

SAP Module: MM, FI
Technical category: Access review

Control 6.7: Review of profiles, other than purchasers with access permission to the purchase
management system
Risks addressed by ITAC: R6.1, R6.12 and R6.13

ITAC objective: Review user list to detect userid that should not be granted access to record
supplier invoices.

ITAC description: Competency Centers provide reports according to the Business requirements and
organization. Accounting department uses the reports to perform the review, no less than once a
year.

ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).

ITAC 100 technical implementation

Competency centers must provide to the business a report variant (using a batch at least once per
year for example) to identify those users with the ability to create invoices.

Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance ->
Information System -> User -> and generate a variant for Critical Authorizations with:

1) the following transactions:
- MIR6 Post Held MIRO Invoices
- MIR7 Park invoice
- MIRA Fast Invoice Entry,
- MIRO Enter Incoming Invoice,
- MR08 Cancel Invoice Document,
- MR44 Post Parked Document,
- MRHR Enter Invoice,
- MRRL Evaluated Receipt Settlement,
- MRRS Evaluated Receipt Settlement,
- MRBR For blocked invoices.
- Custom Transactions (Z*) if applicable

2) at least the following authorization objects:
- F_BKPF_BLA attribute ACTVT, value 01
- F_BKPF_BUK attribute ACTVT, value 01
- F_BKPF_KOA attributes ACTVT, value 01 and KOART value K

3) the appropriate Organizational data for each company in the scope of the Competency Center (if
applicable).

Accounting department must review the report in order to ensure the user list is appropriate. If
needed, users can also run the report with the appropriate variant for further revisions.

Competency Center must ensure that there is at least a role with the ability to use this report
and that the role has been assigned to the users selected by the business.
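
The access reviews I06.A01 to I06.A08 each pair a transaction list with authorization objects, so the resulting user lists can be cross-checked offline from an exported authorization list. The following Python code is an added example, not part of the ITAC 100 manual or of SAP. Its assumptions: the export layout, the rule that a user is listed only when holding one of the transactions and every listed object, the omission of custom Z* transactions, and the SOD_PAIRS conflict pairs (the manual defers segregation of duties to "control 5").

```python
"""Offline evaluation of ITAC 100 access-review rules (added example).

Rule contents are transcribed from I06.A01, A02, A04, A05 and A08. The input
layout, the "all listed objects" matching rule and SOD_PAIRS are assumptions.
"""
from fnmatch import fnmatchcase

ANY = None  # the manual's "value *": any value held in the field qualifies
M_BEST = ("M_BEST_BSA", "M_BEST_EKG", "M_BEST_EKO", "M_BEST_WRK")

def _objs(names, **fields):
    """Same field requirements for several authorization objects."""
    return {name: dict(fields) for name in names}

ITAC_RULES = {
    "I06.A01": {"tcodes": ("XK01", "XK02", "XK06", "FK01", "FK02", "MK01", "MK02"),
                "objects": _objs(("F_LFA1_APP", "F_LFA1_BEK", "F_LFA1_BUK"),
                                 ACTVT={"01", "02", "06"})},
    "I06.A02": {"tcodes": ("FK08", "FK09"),
                "objects": _objs(("F_LFA1_APP", "F_LFA1_BEK", "F_LFA1_BUK",
                                  "F_LFA1_GEN", "F_LFA1_GRP"), ACTVT={"08"})},
    "I06.A04": {"tcodes": ("ME21", "ME21N", "ME22", "ME22N", "ME24", "ME25",
                           "MEMASSPO", "ME59", "ME59N"),
                "objects": _objs(M_BEST, ACTVT={"01", "02"})},
    "I06.A05": {"tcodes": ("ME28", "ME29N", "MEW5", "ME35K"),
                "objects": {**_objs(M_BEST, ACTVT={"02"}),
                            "M_EINK_FRG": {"FRGCO": ANY, "FRGGR": ANY}}},
    "I06.A08": {"tcodes": ("MIR6", "MIR7", "MIRA", "MIRO", "MR08", "MR44",
                           "MRHR", "MRRL", "MRRS", "MRBR"),
                "objects": {"F_BKPF_BLA": {"ACTVT": {"01"}},
                            "F_BKPF_BUK": {"ACTVT": {"01"}},
                            "F_BKPF_KOA": {"ACTVT": {"01"}, "KOART": {"K"}}}},
}

# Constructed export: user -> list of (object, {field: held values}).
# S_TCODE/TCD is the standard object that controls starting a transaction.
SAMPLE_AUTHS = {
    "ALICE": [("S_TCODE", {"TCD": {"XK01", "XK02", "MIRO"}}),
              ("F_LFA1_APP", {"ACTVT": {"01", "02"}}),
              ("F_LFA1_BEK", {"ACTVT": {"*"}}),
              ("F_LFA1_BUK", {"ACTVT": {"02", "03"}}),
              ("F_BKPF_BLA", {"ACTVT": {"01"}}),
              ("F_BKPF_BUK", {"ACTVT": {"01"}}),
              ("F_BKPF_KOA", {"ACTVT": {"01"}, "KOART": {"K"}})],
    "BOB": [("S_TCODE", {"TCD": {"ME2*", "XK03"}}),
            *[(o, {"ACTVT": {"01", "02"}}) for o in M_BEST],
            ("M_EINK_FRG", {"FRGCO": {"01"}, "FRGGR": {"P1"}})],
    # CAROL holds ACTVT 01 and KOART K, but never in the same authorization.
    "CAROL": [("S_TCODE", {"TCD": {"MIRO"}}),
              ("F_BKPF_BLA", {"ACTVT": {"01"}}),
              ("F_BKPF_BUK", {"ACTVT": {"01"}}),
              ("F_BKPF_KOA", {"ACTVT": {"03"}, "KOART": {"K"}}),
              ("F_BKPF_KOA", {"ACTVT": {"01"}, "KOART": {"D"}})],
}

def _field_ok(held, wanted):
    """True when the held values satisfy one field requirement."""
    if not held:
        return False
    return wanted is ANY or "*" in held or bool(held & wanted)

def _holds(auths, obj, fields):
    """All fields must match inside ONE authorization of the object."""
    return any(o == obj and all(_field_ok(f.get(k, set()), w) for k, w in fields.items())
               for o, f in auths)

def _startable(auths, tcodes):
    """Rule transactions the user can start; held TCD values may end in '*'."""
    held = set().union(*(f.get("TCD", set()) for o, f in auths if o == "S_TCODE"))
    return [t for t in tcodes if any(fnmatchcase(t, p) for p in held)]

def review(user_auths, rules=ITAC_RULES):
    """Return {ITAC id: sorted users to put in front of the reviewer}."""
    listed = {itac: [] for itac in rules}
    for user in sorted(user_auths):
        auths = user_auths[user]
        for itac, rule in rules.items():
            if _startable(auths, rule["tcodes"]) and all(
                    _holds(auths, o, f) for o, f in rule["objects"].items()):
                listed[itac].append(user)
    return listed

# Assumed conflict pairs for illustration; the manual defers SoD to "control 5".
SOD_PAIRS = (("I06.A04", "I06.A05"), ("I06.A01", "I06.A08"))

def sod_conflicts(listed, pairs=SOD_PAIRS):
    """Users who appear on both lists of a conflicting pair."""
    return {pair: sorted(set(listed[pair[0]]) & set(listed[pair[1]])) for pair in pairs}

if __name__ == "__main__":
    lists = review(SAMPLE_AUTHS)
    for itac, users in lists.items():
        print(itac, users)
    print(sod_conflicts(lists))
```

CAROL is deliberately left off the I06.A08 list: the field values of F_BKPF_KOA only count when they sit in the same authorization, which a per-object tally would miss.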

Control 6.17: Approving the creation/modification/deletion of supplier accounts

ICRF

Control Description:
The Accounting Department may only create/modify/delete a supplier account if it has received prior official permission from
the Purchasing Department. This permission shall be set forth in a creation/modification/deletion application form that contains
proof and documentation confirming approval has been given.
Only original bank details (IBAN) will be accepted. They must correspond to accounts in the name of the legal entity and located
in the registered country of the supplier.
Any additions or sensitive changes (IBAN, payment terms, delivery address etc.) must undergo an independent monthly review
(by a person who does not have access permission to create/edit such details), in order to ensure that no unauthorized
creations/modifications/deletions have taken place.

Risks:
Risk 6.1 - Theft or misuse of assets
Risk 6.4 - Damage to the Group’s image due to illegal practices and irresponsible behaviour of suppliers

APPLICATION CONTROLS

I06.T01 Maintain alternative payee

I06.C01 Key information is required for supplier master data

I06.R01 Review supplier master data changes

I06.T01 Maintain alternative payee

SAP Module: MM
Technical category: Transaction

Control 6.17: Approving the creation/modification/deletion of supplier accounts
Risks addressed by ITAC: R6.1 and R6.4

ITAC objective: If payments are made to third parties (factor), alternative payee should follow
the supplier creation/modification/deletion process.

ITAC description: Payments created for third parties (alternative payee) must be managed by
purchasing and accounting departments with the same process as payments created internally
(including master data restriction access).

ITAC 100 Transactions
XK02 Change vendor (change all views)
FK02 Change vendor (change accounting views)

ITAC 100 technical implementation

Alternative payee should be recorded in the vendor data. To assign an alternative payee to a
vendor, use specific fields in vendor master data using either:
XK02 Change vendor (change all views)
FK02 Change vendor (change accounting views)

Therefore, standard payment process will be proposed directly to alternative payee.

Competency Center must ensure that there is at least a role with the ability to use these
transactions and that the role has been assigned to the users selected by the business.

I06.C01 Key information is required for supplier master data

SAP Module: MM
Technical category: Customizing

Control 6.17: Approving the creation/modification/deletion of supplier accounts
Risks addressed by ITAC: R6.1 and R6.4

ITAC objective: Ensure that all key information is captured in suppliers master data

ITAC description: Mandatory fields for suppliers’ master data are set by Competency center
according to Business requirements and supplier account group.

ITAC 100 Transactions
SPRO transaction -> SAP Reference IMG -> Financial Accounting New -> Accounts Receivable and
Accounts Payable -> Vendor Accounts -> Master Data -> Preparations for Creating Master Data ->
Define Account Groups with Screen Layout to go to the function “Vendor”

ITAC 100 technical implementation

The mandatory fields in SAP enforce that the required vendor information is configured by
supplier account group.

SPRO transaction -> SAP Reference IMG -> Financial Accounting New -> Accounts Receivable and
Accounts Payable -> Vendor Accounts -> Master Data -> Preparations for Creating Master Data ->
Define Account Groups with Screen Layout to go to the function “Vendor”

- Vendors name,
- Registration number (for France SIREN)
- Tax reference number (e.g. VAT number)
- IBAN (including account owner),
- Payment terms,
- Payment method
- Check double invoice
- Reconciliation account
- GR based invoice verification
- Currency
- Tolerance Group (On invoice verification) -> refer to control I06.C07 for further information.

I06.R01 Review supplier master data changes

SAP Module: MM
Technical category: Report

Control 6.17: Approving the creation/modification/deletion of supplier accounts
Risks addressed by ITAC: R6.1 and R6.4

ITAC objective: Review significant supplier master data changes.

ITAC description: Competency Centers provide reports according to the Business requirements
(defining sensitive information such as IBAN, payment terms, payment method…) and organization.
Finance Department uses the reports to perform independent review, no less than once a month.

ITAC 100 Transactions
S_ALR_87012089 - Display Changes to Vendors

ITAC 100 technical implementation

Execute report S_ALR_87012089, which displays changes to vendors in a report format. The report
can be set up in order to add a new field group to display any other vendor changes.

Limitation: this report doesn’t show if there are changes in bank data (but it will track
creation and deletion)

Competency Center must ensure that there is at least a role with the ability to use this report
and that the role has been assigned to the users selected by the business.
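
The monthly independent review required by Control 6.17 and I06.R01 can be prepared from an export of the change report. The following Python code is an added example, not part of the ITAC 100 manual or of SAP. Its assumptions: the row layout, the field labels, the register of approved application forms, and the list of fields the export covers are all hypothetical stand-ins for a customised export based on S_ALR_87012089.

```python
"""Monthly independent review of vendor master changes (added example).

Row layout, field labels and the approval register are assumptions; they
stand in for a customised export based on S_ALR_87012089.
"""
from datetime import date

# Sensitive items named by Control 6.17 and I06.R01 (labels are hypothetical).
SENSITIVE = {"IBAN", "PAYMENT_TERMS", "PAYMENT_METHOD", "DELIVERY_ADDRESS"}

# Constructed rows: (change date, vendor, field, old value, new value, user).
CHANGES = [
    (date(2024, 3, 4), "V1001", "DELIVERY_ADDRESS", "Plant A", "Plant B", "ALICE"),
    (date(2024, 3, 12), "V1002", "PAYMENT_TERMS", "0001", "0004", "ALICE"),
    (date(2024, 3, 20), "V1003", "NAME", "Acme", "Acme SA", "FRANK"),
    (date(2024, 4, 2), "V1001", "PAYMENT_METHOD", "T", "C", "DAVE"),
]
# Constructed register of approved application forms: (vendor, field).
APPROVED = {("V1002", "PAYMENT_TERMS")}
# Fields this constructed export can show; bank data is absent, matching the
# limitation stated for the standard report.
COVERED = {"NAME", "PAYMENT_TERMS", "PAYMENT_METHOD", "DELIVERY_ADDRESS"}


def monthly_review(changes, year, month, reviewer, maintainers,
                   approved=APPROVED, covered=COVERED):
    """Return the findings for one calendar month.

    maintainers: users on the I06.A01 access-review list (able to create or
    edit vendor master data).
    """
    in_month = [c for c in changes if (c[0].year, c[0].month) == (year, month)]
    return {
        # Control 6.17: the reviewer must not be able to create/edit the data.
        "reviewer_independent": reviewer not in maintainers,
        # Sensitive changes with no approved application form on file.
        "unapproved": [(v, f, u) for _, v, f, _, _, u in in_month
                       if f in SENSITIVE and (v, f) not in approved],
        # Users who changed vendor data but are missing from the access list.
        "unlisted_changers": sorted({c[5] for c in in_month} - set(maintainers)),
        # Sensitive fields this export cannot evidence (needs another source).
        "not_covered": sorted(SENSITIVE - set(covered)),
    }


if __name__ == "__main__":
    for key, value in monthly_review(CHANGES, 2024, 3, "ERIN", {"ALICE", "DAVE"}).items():
        print(key, value)
```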

Control 6.18: Closing the accounts of delisted suppliers

ICRF

Control Description:
Purchasers must officially and systematically notify the Accounting Manager of any delisted supplier so that the corresponding
supplier account can be closed.
Confirmation of the closure shall be sent to the purchaser.

Risks:
Risk 6.1 - Theft or misuse of assets
Risk 6.4 - Damage to the Group’s image due to illegal practices and irresponsible behaviour of suppliers

APPLICATION CONTROL

I06.T02 Blocking supplier process

SAP Module: MM
Technical category: Transaction

Control 6.18: Closing the accounts of delisted suppliers
Risks addressed by ITAC: R6.1 and R6.4

ITAC objective: Block supplier in accounting system when removed from purchase system

ITAC description: When a supplier is delisted by the Purchase department, it should be blocked in
the accounting system too. Purchasing and accounting systems should communicate to block supplier
(to avoid that any transaction can be performed with the vendor) and then flag them for deletion
accordingly.

ITAC 100 Transactions
XK05 Block/Unblock vendor (centrally)
XK06 Set deletion indicator (centrally)

ITAC 100 technical implementation

Use XK05 to block vendors. This transaction will block logistic (creation of new purchase orders
for the vendor) and accounting processes at once.

Use XK06 Flag for deletion vendor, in order to flag all the delisted vendors.

Note: Flag for deletion alone (without blocking the vendor) will not prevent the creation of new
sales order to the vendor.

Competency Center must ensure that there is at least a role with the ability to use these
transactions and that the role has been assigned to the users selected by the business.

Control 6.19: Approval of new/modified supplier tariffs and purchasing terms

ICRF

Control Description:
If a supplier’s tariffs or other purchasing terms are recorded in the purchasing management system, a report tracking all
additions/modifications to these tariffs and purchasing terms shall be reviewed, at least once each month, by the purchaser’s
line manager (independent control).

Risks:
Risk 6.1 - Theft or misuse of assets
Risk 6.11 - Faults in the purchase order process
Risk 6.12 - Acceptance and payment of goods and services that do not comply with the order, or were not ordered nor received

APPLICATION CONTROL

I06.R02 Supplier's tariffs and purchasing terms are reviewed

SAP Module: MM
Technical category: Report

Control 6.19: Approval of new/modified supplier tariffs and purchasing terms
Risks addressed by ITAC: R6.1, R6.11 and R6.12

ITAC objective: Supplier’s tariffs or other purchasing terms are reviewed each month

ITAC description:
A report tracking all suppliers’ additions / modifications is extracted from the system.
Competency center should customize this report according to business and organization needs.
Purchaser’s line managers review these reports on a monthly basis.

ITAC 100 Transactions
ME14 Changes to Purchasing Info Record (by PIR, not a report)
ME1P Order Price history

ITAC 100 technical implementation

If Purchasing Info Record is used:
The standard report that records all supplier’s tariffs addition and modifications is transaction
ME14, which tracks all price changes in Purchase Info Record.
A report must be created based on ME14 depending on local needs.

If contracts are used:
Competency center should customize a report to identify changes to purchasing prices in contracts.

The standard report that records all supplier’s tariffs used in purchase orders is ME1P. A
variant with the dates should be used in order to limit the information by month.

For Purchasing terms:
Competency center should customize a report to identify changes to other purchasing terms (as
payment terms, payment method, incoterms…) in the vendor master.

Competency Center must ensure that there is at least a role with the ability to use these
transactions and that the role has been assigned to the users selected by the business.

Control 6.22: Reliability of purchase orders

ICRF

Control Description:
All orders that are issued must contain all the necessary details for proper processing:
• Sequential and unique order number,
• Supplier name,
• Required quantities and references,
• Applicable tariffs, discounts and purchasing terms,
• Deadline and method for delivery/providing the service,
• Payment terms.
All open orders must specify a closing date.

Risks:
Risk 6.1 - Theft or misuse of assets
Risk 6.9 - Failure to respect contractual obligations with suppliers
Risk 6.10 - Poor management of returns and litigation with suppliers and service providers
Risk 6.11 - Faults in the purchase order process
Risk 6.12 - Acceptance and payment of goods and services that do not comply with the order, or were not ordered nor received

APPLICATION CONTROLS

I06.C02 Key information is required in purchase orders

I06.C03 Key information is required in scheduling agreement / contracts

I06.C04 Purchase price is defined for supplier/material



I06.C02 Key information is required in purchase orders

SAP Module: MM
Technical category: Customizing

Control 6.22: Reliability of purchase orders
Risks addressed by ITAC: R6.1, R6.9, R6.10, R6.11 and R6.12

ITAC objective: Ensure that all key information is captured in purchase orders

ITAC description: Mandatory fields in purchase order are set by Competency center according to Business requirements.

ITAC 100 Transactions
SPRO > Materials Management > Purchasing > Purchase Order > Define screen layout at document level

ITAC 100 technical implementation

Go to SPRO > Materials Management > Purchasing > Purchase Order > Define screen layout at document level

Set the following fields as “required”:
- Company Code
- Currency
- Purchasing Organization
- Document Date/Period
- Material (Number and Quantity)
- Vendor
- Delivery Date
- Price
- Payment terms
- Incoterms



I06.C03 Key information is required in scheduling agreement / contracts

SAP Module: MM
Technical category: Customizing

Control 6.22: Reliability of purchase orders
Risks addressed by ITAC: R6.1, R6.9, R6.10, R6.11 and R6.12

ITAC objective: Ensure that all key information is captured in scheduling agreement / contracts

ITAC description: Mandatory fields in scheduling agreement / contracts are set by Competency center according to Business requirements.

ITAC 100 Transactions
SPRO > Materials Management > Purchasing > Contract > Define screen layout at document level

ITAC 100 technical implementation

SPRO > Materials Management > Purchasing > Contract > Define screen layout at document level select GR/IR control:

Set the following fields as “required”:
- Company Code
- Currency
- Purchasing Organization
- Document Date/Period
- Material (Number and Quantity)
- Vendor
- Delivery Date
- Price
- Payment terms
- Incoterms
- Validity end date



I06.C04 Purchase price is defined for supplier/material

SAP Module: MM
Technical category: Customizing

Control 6.22: Reliability of purchase orders
Risks addressed by ITAC: R6.1, R6.9, R6.10, R6.11 and R6.12

ITAC objective: Purchase price is defined for supplier/material and cannot be changed on purchase order

ITAC description: Purchasing department defines all cases where prices should be set by calculation schemes. Competency center configures the purchasing system not to allow price changes on purchase orders for these categories.

ITAC 100 Transactions
M/08: SPRO > Logistic > Purchasing > Conditions > Define price determination process > Define calculation schema

ITAC 100 technical implementation

Execute M/08 – Define calculation schema. For all the relevant price calculation schemes, select them in Procedure, then open the Control window: the price calculation schema must contain, as the first condition type (position 1), an item that refers to the price included in the material master data, maintained centrally.

Then, in M/06, select the condition types available in position 1 as defined above and, for all of them, set the "Changes which can be made" - "Manual entries" parameter to value D (Not possible to process manually).



Control 6.23: Approving purchase orders

ICRF

Control Description:
All orders must be approved.
Purchase orders may only be issued by authorized people, and they must be approved in accordance with the official delegation
of powers and authorized signatory list.
Any alteration to an existing order must be formalized. Depending on the new amount, an additional purchase requisition must
be issued.
Any request for a change in the payment deadline must be approved by the Finance Department.

Risks:
Risk 6.1 - Theft or misuse of assets
Risk 6.3 - Purchases not made through the Purchasing Department
Risk 6.9 - Failure to respect contractual obligations with suppliers
Risk 6.12 - Acceptance and payment of goods and services that do not comply with the order, or were not ordered nor received

APPLICATION CONTROL

I06.C05 Purchase orders need approval

SAP Module: MM
Technical category: Customizing

Control 6.23: Approving purchase orders
Risks addressed by ITAC: R6.1, R6.3, R6.9 and R6.12

ITAC objective: Purchase orders are validated according to delegation of powers and signatures implemented in purchasing system.

ITAC description: Purchase and functional departments provide Competency center with a table of delegation of power or signature (scope and amounts). Competency centers implement it in purchase orders release strategy.

As per Control 6.2, the delegated powers table, signed by General Management is transmitted to Competency Center which checks the implementation in the system.

ITAC 100 Transactions
SPRO > Material Management > Purchasing > Purchase Order -> Release Procedure for Purchase Orders -> Define Release Procedure for Purchase Orders.
CL02 Classes
CT04 Characteristics

ITAC 100 technical implementation

Release groups, codes, indicators, strategies and possible workflows configured in the system for the PO release.
Execute SPRO - Define Release Procedure for Purchase Orders.
Enter the Release Groups Menu.
Implement consistent release group and for each group Release Object and Classes/characteristics (using transactions CL02 and CT04) with the company policy.



Control 6.24: Monitoring non-received orders

ICRF

Control Description:
The people in charge of purchasing must review all purchase orders recorded in the system, for the categories they are
responsible for and on a relevant basis to be defined (daily, weekly, monthly etc.), in order to identify and explain any order that
has not been received within the agreed deadline and to “clean up” any unjustified open orders.
At least once a quarter, the Purchasing Department shall ensure that this review has been performed correctly.

Risks:
Risk 6.1 - Theft or misuse of assets
Risk 6.7 - Poor organisation of the purchasing process and lack of coordination with the other departments
Risk 6.12 - Acceptance and payment of goods and services that do not comply with the order, or were not ordered nor received
Risk 6.13 - Poor valuation and recording of supplier invoices

APPLICATION CONTROL

I06.T03 Follow up of open purchase orders (on delay)

SAP Module: MM
Technical category: Transaction

Control 6.24: Monitoring non-received orders
Risks addressed by ITAC: R6.1, R6.7, R6.12 and R6.13

ITAC objective: Open purchasing orders are timely monitored.

ITAC description: According to purchasing organization defined by Purchasing Department, Competency Center provides in purchasing system a view of open orders relevant to each purchaser’s scope. The people in charge of purchasing monitor open orders on a regular basis and at least quarterly, this review is formalized.

ITAC 100 Transactions
ME2N Purchase Order by supplying plant
ME80FN Purchase order analysis

ITAC 100 technical implementation

For quarterly review, use the transaction ME2N or ME80FN in order to retrieve all the information related to PO pending to receive:
1 - After setting all the parameters, obtain the List of report
2 - In the menu bar (including fields sort, find...) click on Change View, select -Del, then Execute
3 - As a result, the report will display the Scheduled Qty tab and Qty delivered: open GR are displayed as "Qty delivered" equal to 0.

Competency Center must ensure that there is at least a role with the ability to use these transactions and that the role has been assigned to the users selected by the business.



Control 6.27: Recording of supplier invoices

ICRF

Control Description:
Before their transfer to the operational department for validation (ok to pay), all supplier invoices shall be systematically
received by the Accounting Department and recorded into accounting with a block for payment.
A stamp “posted” must be put on the original invoice as soon as it is posted into accounting.

Risks:
Risk 6.12 - Acceptance and payment of goods and services that do not comply with the order, or were not ordered nor received
Risk 6.13 - Poor valuation and recording of supplier invoices

APPLICATION CONTROL

I06.C06 Set duplicate invoice criteria

SAP Module: MM / FI
Technical category: Customizing

Control 6.27: Recording of supplier invoices
Risks addressed by ITAC: R6.12 and R6.13

ITAC objective: Prevent incoming invoices being accidentally entered and paid more than once.

ITAC description: Accounting department define criteria to identify duplicated recording of invoices. Competency centers implement these criteria in the system as warning or rejection.

ITAC 100 Transactions
SPRO: SAP Customizing Implementation Guide > Materials Management > Logistics Invoice Verification > Incoming Invoice > Set Check for Duplicate Invoices
OMRM - IV Customer - Specific Messages

ITAC 100 technical implementation

Configure the check for duplicate invoices.
SPRO transaction > SAP Reference IMG: SAP Customizing Implementation Guide > Materials Management > Logistics Invoice Verification > Incoming Invoice > Set Check for Duplicate Invoices

Set whether rejection or warning should be used depending on criteria used. Use OMRM for invoice modification messages.

Area M8 (invoice verification / valuation), message 108 & 462: variable Online and Batch must be set to E (rejected) or W (warning).
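The effect of the duplicate criteria and of the E/W setting described in I06.C06, replayed offline on a constructed invoice listing as an added example (not code from the manual or from SAP). The field names, the split between always-compared and switchable criteria, and the `fuzzy_reference` normalisation are assumptions of this example.

```python
from decimal import Decimal

# Constructed sample of an invoice listing, in entry order (not real data).
# Field names are assumptions for this example, not SAP field names.
INVOICES = [
    {"doc": "5100000001", "company_code": "1000", "vendor": "V100", "currency": "EUR",
     "gross": "1200.00", "reference": "INV-4471", "invoice_date": "2024-03-01"},
    {"doc": "5100000002", "company_code": "1000", "vendor": "V100", "currency": "EUR",
     "gross": "1200.00", "reference": "INV-4471", "invoice_date": "2024-03-01"},  # exact re-entry
    {"doc": "5100000003", "company_code": "1000", "vendor": "V100", "currency": "EUR",
     "gross": "1200.00", "reference": "inv 4471", "invoice_date": "2024-03-01"},  # reference retyped
    {"doc": "5100000004", "company_code": "2000", "vendor": "V100", "currency": "EUR",
     "gross": "1200.00", "reference": "INV-4471", "invoice_date": "2024-03-01"},  # other company code
    {"doc": "5100000005", "company_code": "1000", "vendor": "V200", "currency": "EUR",
     "gross": "310.50", "reference": "A-17", "invoice_date": "2024-03-04"},       # unrelated
]

# Assumption: vendor, currency and gross amount always take part in the match;
# the three criteria below are the ones that can be switched on or off.
ALWAYS = ("vendor", "currency", "gross")
OPTIONAL = ("company_code", "reference", "invoice_date")


def normalise_reference(ref):
    """Upper-case and drop punctuation and spaces so 'inv 4471' equals 'INV-4471'."""
    return "".join(ch for ch in ref.upper() if ch.isalnum())


def match_key(inv, criteria, fuzzy_reference):
    """Build the tuple two invoices must share to count as duplicates."""
    key = []
    for field in ALWAYS + tuple(criteria):
        value = inv[field]
        if field == "gross":
            value = Decimal(value)  # 1200.0 and 1200.00 compare equal
        elif field == "reference" and fuzzy_reference:
            value = normalise_reference(value)
        key.append(value)
    return tuple(key)


def screen(invoices, severity="E", criteria=OPTIONAL, fuzzy_reference=False):
    """Replay invoice entry in order.

    severity "E" rejects a duplicate (it is never posted); "W" posts it and
    only records the warning. Returns (posted_docs, flagged), where flagged
    is a list of (duplicate_doc, original_doc) pairs.
    """
    if severity not in ("E", "W"):
        raise ValueError("severity must be 'E' or 'W'")
    unknown = set(criteria) - set(OPTIONAL)
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    first_seen = {}  # match key -> first document entered with it
    posted, flagged = [], []
    for inv in invoices:
        key = match_key(inv, criteria, fuzzy_reference)
        if key in first_seen:
            flagged.append((inv["doc"], first_seen[key]))
            if severity == "E":
                continue  # rejected at entry
        else:
            first_seen[key] = inv["doc"]
        posted.append(inv["doc"])
    return posted, flagged


if __name__ == "__main__":
    scenarios = [
        ("all criteria, E", dict(severity="E")),
        ("all criteria, W", dict(severity="W")),
        ("reference criterion off, E", dict(severity="E", criteria=("company_code", "invoice_date"))),
        ("normalised reference, E", dict(severity="E", fuzzy_reference=True)),
    ]
    for label, kwargs in scenarios:
        posted, flagged = screen(INVOICES, **kwargs)
        print(f"{label}: posted={posted} flagged={flagged}")
```

Each criterion that is switched on narrows the match, so the retyped reference is caught only when the reference criterion is off or the reference is normalised. With W the duplicate is still posted, so the warning list needs a detective follow-up.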



Control 6.30: Handling variances between the invoice and the order

ICRF

Control Description:
The entity has put in place a procedure, approved by the Financial Director, defining:
• The acceptable levels of variance between the invoice and the original order for the price and the quantity.
• The people authorized to accept the variances.

Risks:
Risk 6.10 - Poor management of returns and litigation with suppliers and service providers
Risk 6.11 - Faults in the purchase order process
Risk 6.12 - Acceptance and payment of goods and services that do not comply with the order, or were not ordered nor received

APPLICATION CONTROL

I06.C07 Definition of tolerances limits between invoices and orders

SAP Module: MM / FI
Technical category: Customizing

Control 6.30: Handling variances between the invoice and the order
Risks addressed by ITAC: R6.10, R6.11 and R6.12

ITAC objective: Invoices are validated according to purchase order price and good receipt quantity with acceptable variance.

ITAC description: Purchase department define acceptable tolerance between invoice amount and the product of purchase order unit price and good receipt quantity. They also define users who can validate invoices within these variances. Competency center implement these rules into purchasing system.

ITAC 100 Transactions
OMR6: SPRO transaction > SAP Reference IMG: SAP Customizing Implementation Guide > Materials Management > Logistics Invoice Verification > Invoice Block > Set Tolerance Limits
OMRX: SPRO: Materials management > logistic invoice verification > Incoming invoice > Configure Vendor-Specific Tolerances

ITAC 100 technical implementation

1: Set the tolerances between the system invoice and vendor invoice (at company level) using OMR6.

OMR6: SPRO transaction > SAP Reference IMG: SAP Customizing Implementation Guide > Materials Management > Logistics Invoice Verification > Invoice Block > Set Tolerance Limits

Set at least the following tolerance limits:
- PP: Price variance - Upper and lower limits
- DQ: Exceed amount: quantity variance (upper and lower limits) - Important tolerance,

2: Set the tolerance by vendor: define tolerance groups for each company code.

OMRX: SPRO: Materials management > logistic invoice verification > Incoming invoice > Configure Vendor-Specific Tolerances

Then assign these tolerance groups to each vendor in the vendor master data.



Control 6.33: Monitoring prepaid invoices received and not invoiced

ICRF

Control Description:
Any delivery received and not invoiced shall be recorded as GRNI (Goods Received Not Invoiced).
The entity shall put in place a tool or an organization allowing monthly identification, listing, valuation and recording of prepaid
invoices and of goods and services received and not invoiced.
Accounting must perform a monthly review of items received and not invoiced with the Purchasing Department.

Risk:
Risk 6.13 - Poor valuation and recording of supplier invoices

APPLICATION CONTROLS

I06.C08 GRNI are automatically posted

I06.T04 Monitor unmatched invoices and receptions



I06.C08 GRNI are automatically posted

SAP Module: MM / FI
Technical category: Customizing

Control 6.33: Monitoring prepaid invoices and goods and services received and not invoiced
Risk addressed by ITAC: R6.13

ITAC objective: Post automatically Goods received not invoiced in accounting.

ITAC description: Any delivery received and not invoiced shall be automatically recorded as GRNI (Goods Received Not Invoiced).

ITAC 100 Transactions
OBYC: SAP menu: Tools -> Customizing -> IMG -> Execute Project; SAP Reference IMG: SAP Customizing Implementation Guide -> Material Management -> Logistic Invoice Verification -> Configure Automatic Posting.
FS00: Edit G/L account centrally

ITAC 100 technical implementation

OBYC: SAP menu: Tools -> Customizing -> IMG -> Execute Project; SAP Reference IMG: SAP Customizing Implementation Guide -> Material Management -> Logistic Invoice Verification -> Configure Automatic Posting

Execute the transaction code OBYC. Click on the "Account Assignment" button. For the materials management postings group, double click on the GR/IR (transaction key WRX) clearing account and select the company’s chart of accounts. Set the account assignment.

In FI with FS00 transaction, set these accounts to be "Post Automatically Only"



I06.T04 Monitor unmatched invoices and receptions

SAP Module: MM / FI
Technical category: Transaction

Control 6.33: Monitoring prepaid invoices and goods and services received and not invoiced
Risk addressed by ITAC: R6.13

ITAC objective: Goods received not invoiced are monitored.

ITAC description: Goods received not invoiced (GRNI) accounts are monitored. Competency center should provide a view presenting unmatched invoices and unmatched receptions for accounting to clear them. Accounting department should rationalize the amount of GRNI account at least once a month.

ITAC 100 Transactions
MR11 – Clear GR/IR accounts

ITAC 100 technical implementation

Use MR11 with appropriate settings according to accountant scope to match and review Receptions not invoiced against Invoices not received.

Competency Center must ensure that there is at least a role with the ability to use this transaction and that the role has been assigned to the users selected by the business.



ITAC in Risks & Controls Matrix (ICRF 06)

SAP Mod. ITAC 100 ICRF Risk addressed


ICRF itac
FI MM Category R6.1 R6.2 R6.3 R6.4 R6.7 R6.9 R6.10 R6.11 R6.12 R6.13
6.6 I06.A01 X A X X X
6.6 I06.A02 X A X X X
6.6 I06.A03 X A X X X
6.7 I06.A04 X A X X
6.7 I06.A05 X A X X
6.7 I06.A06 X A X X X
6.7 I06.A07 X A X X X
6.7 I06.A08 X X A X X X
6.17 I06.T01 X T X X
6.17 I06.C01 X C X X
6.17 I06.R01 X R X X
6.18 I06.T02 X T X X
6.19 I06.R02 X R X X X
6.22 I06.C02 X C X X X X X
6.22 I06.C03 X C X X X X X
6.22 I06.C04 X C X X X X X
6.23 I06.C05 X C X X X X
6.24 I06.T03 X T X X X X
6.27 I06.C06 X C X X
6.30 I06.C07 X C X X X
6.33 I06.C08 X C X
6.33 I06.T04 X T X
18 0 1 4 1 4 4 5 17 11



ICRF 15: Financing & treasury



Control 15.4: Bank account inventory

ICRF

Control description:
On a yearly basis, the Finance Department shall perform an inventory of the bank accounts in order to make sure that:
• All bank accounts have been clearly identified and recorded in the accounting,
• The number of accounts is consistent with needs,
• The signatures known for using the accounts are always up to date,
• Only banks that have been approved by the delegation/Treasury and Financing Department (DTF) are used.

Risks:
Risk 15.1 - Theft or embezzlement of funds
Risk 15.3 - Unjustified or unauthorized granting and taking out of loans
Risk 15.4 - Undertakings towards third parties of which the Group is not aware
Risk 15.5 - Unmanaged hedging transactions leading to fluctuating results

APPLICATION CONTROLS

I15.C01 Bank accounts are identified as such in accounting system

I15.R01 List of bank accounts is reviewed



I15.C01 Bank accounts are identified as such in accounting system

SAP Module: FI
Technical category: Customizing

Control 15.4: Bank account inventory
Risks addressed by ITAC: R15.1, R15.3, R15.4 and R15.5

ITAC objective: The Bank accounts are set in the accounting system to avoid any payment error or cash problem.

ITAC description: SSC Finance, Entities, Treasury department (Delegation) should put in place a procedure to validate the Bank accounts. Then, SSC Finance Department provides the list of appropriate and authorized bank accounts. Competency center define all these bank accounts and no more into the accounting system.

ITAC 100 Transactions
FI12 (SPRO > IMG > Execute Project; SAP Reference IMG: SAP Customizing Implementation Guide > Financial Accounting > Bank Accounting > Define House Banks)
FS00 Edit G/L Account centrally

ITAC 100 technical implementation

Set house bank accounts for each paying company code using FI12. Within SAP, “house banks” are associated to each paying company code to represent the bank accounts that can be used for payments. House banks are selected from the bank directory within SAP.

After creating a house bank for a company code a bank account is defined that associates the bank account number to a GL account number. The bank account currency and the GL account currency must match.

In addition, using FS00, the house bank must be indicated for the GL account.



I15.R01 List of bank accounts is reviewed

SAP Module: FI
Technical category: Report

Control 15.4: Bank account inventory
Risks addressed by ITAC: R15.1, R15.3, R15.4 and R15.5

ITAC objective: List of bank accounts according to chart of account and to accounting system customization are reviewed to avoid any discrepancy.

ITAC description: Competency center provides bank accounts inventory according to accounting system. SSC Finance compares it to authorized and used bank accounts (independent list maintained outside the system).

ITAC 100 Transactions
FI12 - Bank Accounts
S_ALR_87012328 - G/L account list

ITAC 100 technical implementation

Generate report of bank accounts inventory using:
FI12 - Bank Accounts
All bank accounts according to chart of accounts as displayed with S_ALR_87012328.

Competency Center must ensure that there is at least a role with the ability to use these report/transactions and that the role has been assigned to the users selected by the business.



Control 15.6: Review of users profiles and access to the cash management
system

ICRF

Control description:
Access to the cash management system, to the modules of electronic banking and to the modules of the accounting system shall
comply with the segregation of duties described in control 5.
The relevant IT support team shall be informed of any changes (changes in the delegation of authorities, departures, transfers
etc.). At least once a year, the Financial Director shall perform a review of all user profiles and access permissions to the cash
management system, the modules of electronic banking and the modules of the accounting system.

Risks:
Risk 15.1 - Theft or embezzlement of funds
Risk 15.6 - Erroneous or unjustified payments

APPLICATION CONTROLS

I15.A01 Access review to payment preparation

I15.A02 Access review to payment execution



I15.A01 Access review to payment preparation

SAP Module: FI
Technical category: Access review

Control 15.6: At least once a year, the Financial Director shall perform a review of all user profiles and access permissions to the cash management system, the modules of electronic banking and the modules of the accounting system
Risks addressed by ITAC: R15.1, R15.6

ITAC objective: Review user list to detect userid that should not be granted access to payment preparation.

ITAC description: The Accounting Department (SSC) should identify the people that are authorized to prepare payments. Competency center provides the report to review the users with granted access to prepare the payment.
The Accounting Department reviews the users no less than once a year.

ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).

ITAC 100 technical implementation

Competency centers must provide to the business a report variant (using a batch at least once per year for example) to identify those users with the ability to prepare payment of vendors.

Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance -> Information System -> User ->) and generate a variant for Critical Authorizations with:

1) the following transactions:
- F110 Parameters for Automatic Payment,
- Custom Transactions (Z*) if applicable

2) at least the following authorization objects:
- F_REGU_BUK with attribute FBTCH, ACTVT, values 02, 11 or 12

3) the appropriate Organizational data for each company in the scope of the Competency Center (if applicable).

The Accounting Department (SSC) must review the report in order to ensure the user list is appropriate. If needed, users can also run the report with the appropriate variant for further revisions.

Competency Center must ensure that there is at least a role with the ability to use this report and that the role has been assigned to the users selected by the business.



I15.A02 Access review to payment execution

SAP Module: FI
Technical category: Access review

Control 15.6: At least once a year, the Financial Director shall perform a review of all user profiles and access permissions to the cash management system, the modules of electronic banking and the modules of the accounting system
Risks addressed by ITAC: R15.1, R15.6

ITAC objective: Review user list to detect userid that should not be granted access to payment execution.

ITAC description: The Accounting Department should identify the people that are authorized to execute payment. Competency center provides the report to review the users with granted access to execute the payment.
The Accounting Department uses the report to review the users no less than once a year.

ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).

ITAC 100 technical implementation

Competency centers must provide to the business a report variant (using a batch at least once per year for example) to identify those users with the ability to execute payment of vendors.

Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance -> Information System -> User ->) and generate a variant for Critical Authorizations with:

1) the following transactions:
- F110 Parameters for Automatic Payment,
- Custom Transactions (Z*) if applicable

2) at least the following authorization objects:
- F_REGU_BUK attribute FBTCH ACTVT, value 21

3) the appropriate Organizational data for each company in the scope of the Competency Center (if applicable).

The Accounting Department (SSC) must review the report in order to ensure the user list is appropriate. If needed, users can also run the report with the appropriate variant for further revisions.

Competency Center must ensure that there is at least a role with the ability to use this report and that the role has been assigned to the users selected by the business.



Control 15.21: Validation of the proposition to pay

ICRF

Control Description:
The preparation of payments is limited to transactions that have been authorised by an “ok to pay”.
The accounting Department ensures that all elements which have been proposed for payment have been confirmed as “ok to
pay” before being transferred to the signatories.
As soon as the payment form has been signed it should not be possible to modify it.

Risks:
Risk 15.1 - Theft or embezzlement of funds
Risk 15.6 - Erroneous or unjustified payments

APPLICATION CONTROLS

I15.C02 Definition of tolerances limits between incoming/outgoing payments and invoices

I15.C03 Define sensitive fields for dual control before incoming/outgoing payment release



I15.C02 Definition of tolerances limits between incoming/outgoing payments and invoices

SAP Module: FI
Technical category: Customizing

Control 15.21: The preparation of payments is limited to transactions that have been authorised by an “ok to pay”.
Risk addressed by ITAC: R15.1 and R15.6

ITAC objective: Payments are affected to appropriate invoices

ITAC description: Competency Center shall customize the system to define the upper and lower tolerance limit regarding discrepancy between invoices and payments with regard to the Finance Requirement.

ITAC 100 Transactions
OBA3: SPRO: SPRO>IMG > Financial Accounting (New) > AR & AP > Business Transaction > Incoming payments > Manual Incoming payments > Define tolerances (customers)
OBA4: SPRO: IMG > Financial Accounting (New) > AR & AP > Business Transaction > Incoming payments > Manual Incoming payments > Define tolerances groups for employees
OB57 (SPRO>IMG >Execute Project; then click 'SAP Reference IMG' button > Financial Accounting (New) > General Ledger Accounting (New) > Business Transaction > Open Item Clearing > Clearing Differences > Assign users to tolerance groups)

ITAC 100 technical implementation

1: Set the tolerance by customer: define tolerance groups for each company code.

OBA3: SPRO: IMG > Financial Accounting (New) > AR & AP > Business Transaction > Incoming payments > Manual Incoming payments > Define tolerances (customers)

Then assign these tolerance groups to each customer in the customer master data.

2: Define tolerance limits groups for employees between payments receipts and Invoices to clear invoices using transaction OBA4: SPRO: IMG > Financial Accounting (New) > AR & AP > Business Transaction > Incoming payments > Manual Incoming payments > Define tolerances groups for employees

Execute OB57 - Assign users to tolerance groups
- Permitted payment differences for both revenue and expense transactions



I15.C03 Define sensitive fields for dual control before incoming/outgoing payment release

SAP Module: FI
Technical category: Customizing

Control 15.21: The preparation of payments is limited to transactions that have been authorised by an “ok to pay”.
Risk addressed by ITAC: R15.1 and R15.6

ITAC objective: The accounting Department ensures that all elements which have been proposed for payment have been confirmed as “ok to pay” before being transferred to the signatories.

ITAC description: The accounting department must define those sensitive fields in the customer/vendor master that must be controlled if they are changed before proceeding to the payment.
The competency center must set up those fields in order to block the payment run if at least one of those fields is changed.

ITAC 100 Transactions
SPRO: SPRO>IMG > Financial Accounting (New) > AR & AP > Vendor Accounts > Master data > Preparation for creating vendor master data > Define sensitive fields for dual control (vendors).
SPRO: SPRO>IMG > Financial Accounting (New) > AR & AP > Customer Accounts > Master data > Preparation for creating customer master data > Define sensitive fields for dual control (customer).

ITAC 100 technical implementation

Define the fields for dual control in the customer/vendor master. The corresponding customer/vendor is blocked for payment run if the entry is changed.

The block is removed when a second person with authorization checks the change and confirms or rejects it.

SPRO: SPRO>IMG > Financial Accounting (New) > AR & AP > Vendor Accounts > Master data > Preparation for creating vendor master data > Define sensitive fields for dual control (vendors).

SPRO: SPRO>IMG > Financial Accounting (New) > AR & AP > Customer Accounts > Master data > Preparation for creating customer master data > Define sensitive fields for dual control (customer).



Control 15.35: Verifying the valuation of foreign currency accounts

ICRF

Control description:
Each month the Accounting Manager shall check that the foreign currency accounts have been valued in the SIF report in
accordance with the Group’s policy.

Risk:
Risk 15.7 - Incorrect assessment and/or recording

APPLICATION CONTROL

I15.C04 Foreign Exchange reevaluations are automatically posted by the system during the closing process

SAP Module: FI
Technical category: Customizing

Control 15.35: Verifying the valuation of foreign currency accounts
Risk addressed by ITAC: R15.7

ITAC objective: Foreign Exchange reevaluations are automatically posted by the system during the closing process.

ITAC description: Competency center configure accounting system to compute and post a proper foreign exchange currency valuation method.

ITAC 100 Transactions
OB59: SPRO: Financial Accounting > General Ledger Accounting > Businesstransactions > Closing > Valuating > Foreign Currency Valuation > Define Valuation Methods. - Foreign currency valuation method
OB66 - Post translations
OBA1 - FI configuration for forex automatic postings

ITAC 100 technical implementation

Foreign currency valuation methods must be set up via OB59

Ensure the post translation indicator has been switched on: Use transaction OB66 to ensure it is activated.
Note: The post translation indicator is set to take previous revaluations of foreign currency transactions into account during clearing of the transactions.

Define the automatic account determination for forex gains and losses via OBA1: Exchange rate in foreign currencies balances (and others)



ITAC in Risks & Controls Matrix (ICRF 15)

Columns R15.1 to R15.7: ICRF risk addressed. A dash marks an empty cell.

ICRF   ITAC     SAP Mod. FI  ITAC 100 Category  R15.1  R15.3  R15.4  R15.5  R15.6  R15.7
15.4   I15.C01  X            C                  X      X      X      X      -      -
15.4   I15.R01  X            R                  X      X      X      X      -      -
15.6   I15.A01  X            A                  X      -      -      -      X      -
15.6   I15.A02  X            A                  X      -      -      -      X      -
15.21  I15.C02  X            C                  X      -      -      -      X      -
15.21  I15.C03  X            C                  X      -      -      -      X      -
15.35  I15.C04  X            C                  -      -      -      -      -      X
Total                                           6      2      2      2      4      1



ICRF 16: Accounting & fixed assets



Control 16.2: Management of users profiles and access permissions to the
modules of the accounting system

ICRF

Control description:
Access permissions to the modules of the accounting system are consistent with the segregation of duties.
Access permissions to the Accounting Department’s sensitive transactions (recording cash flow movements, write-offs of assets
and manual general entries) are restricted to relevant users and respect the rules for the segregation of duties.
The Financial Manager reviews regularly and at least once a year, all user profiles and access permissions to the modules of the
accounting system and shall inform the IT Department of any update requirements (departure, transfers etc.).

Risks:
Risk 16.2 - Misappropriation of assets and fraud
Risk 16.5 - Interim financial statements purposefully or unknowingly incorrect
Risk 16.6 – Intragroup irregularities
Risk 16.8 - Tax adjustments due to tax returns calculations based on inaccurate and incomplete accounting data

APPLICATION CONTROL

I06.A01 Access review to maintain supplier master data

SAP Module: FI
Technical category: Access review

Control 16.2: Access permissions to the Accounting Department’s sensitive transactions
Risk addressed by ITAC: R16.2, R16.5, R16.6 & R16.8

ITAC objective: Review user list to detect userid that should not be granted access to close/open accounting period parameters.

ITAC description: Competency Centers provide the appropriate reports according to the Business requirement and organization. Finance Department uses the reports to perform the review, no less than once a year.

ITAC 100 technical implementation
Competency centers must provide to the business a report variant (using a batch at least once per year for example) to identify those users with the ability to open/close accounting period parameters.

Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance -> Information System -> User) and generate a variant for Critical Authorizations with:

1) the following transactions:
- OB52: Posting periods configuration
- OBBP: Posting periods variants
- Custom Transactions (Z*) if applicable

2) at least the following authorization objects:
- S_TABU_DIS, attribute ACTVT 01 or 02
- Custom authorization objects used

3) the appropriate Organizational data for each company in the scope of the Competency Center (if applicable).

The Accounting Department (SSC) must review the report in order to ensure the user list is appropriate. If needed, users can also run the report with the appropriate variant for further revisions.

Competency Center must ensure that there is at least a role with the ability to use this report and that the role has been assigned to the users selected by the business.

ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).


Control 16.6: Formalization of the Chart of accounts and of the rules for
allocation

ICRF

Control description:
There is a formal Chart of accounts that is available to all accountants. It specifies, in particular:
• The content of the accounts and clearly defined rules about their functioning,
• Documentation about the complex accounting entries including automatic entries or entries from integrated systems.
Once a year, the Accounting Manager verifies that the Chart of accounts and the rules for allocation are updated and that they
allow him/her to comply with regulatory requirements (both local and Group, if applicable).

Risks:
Risk 16.2 - Misappropriation of assets and fraud
Risk 16.3 - Incorrect Group accounts
Risk 16.4 - Failure to meet commitments to issue financial reporting information
Risk 16.5 - Interim financial statements purposefully or unknowingly incorrect
Risk 16.8 - Tax adjustments due to tax returns calculations based on inaccurate and incomplete accounting data

APPLICATION CONTROL

I16.C01 Each business transaction posted in accounting system should have a booking scheme

SAP Module: FI
Technical category: Customizing

Control 16.6: Formalization of the Chart of accounts and of the rules for allocation
Risks addressed by ITAC: R16.3, R16.4, R16.5 and R16.8

ITAC objective: Define rules for allocation for automated posting.

ITAC description: SSC Finance provides potential updates regarding chart of accounts and rules for allocation. Competency Center implements the booking schemes into the accounting information system.

ITAC 100 technical implementation
Ensure that the right chart of accounts has been assigned to the company via OBY6.

Execute OB41 - Check Posting Key.
Assign each business transaction a corresponding debit and credit posting key.

ITAC 100 Transactions
OB41: SPRO > IMG > Execute Project; SAP Reference IMG > Financial Accounting (New) > Consolidation Preparation (New) > Profit Center: Preparations for Consolidation > Check Posting Key
OBY6 - Global settings at company code level


Control 16.7: General ledger/SIF correspondence table

ICRF

Control description:
A correspondence table between the general ledger accounts and the SIF columns is kept updated.

The Financial Manager shall ensure that all elements needed to prepare the SIF are included in the correspondence table, and
in particular all accounts that operate a Group/non-Group distinction (in particular the accounts for invoices or credit notes to
issue, invoices or credit notes to be received).
At least once a year, the Accounting Manager checks that all the changes to the SIF accounts or to the general ledger accounts
have been correctly recorded and dealt with.

Risks:
Risk 16.1 - Incorrect decisions
Risk 16.3 - Incorrect Group accounts
Risk 16.4 - Failure to meet commitments to issue financial reporting information
Risk 16.5 - Interim financial statements purposefully or unknowingly incorrect

APPLICATION CONTROLS

I16.C02 System is configured to map local accounts to SIF

I16.R01 Review SIF accounts G/L accounts mapping


I16.C02 System is configured to map local accounts to SIF

SAP Module: FI
Technical category: Customizing

Control 16.7: General ledger/SIF correspondence table
Risks addressed by ITAC: R16.1, R16.3, R16.4 and R16.5

ITAC objective: Map local chart of accounts to general ledger SIF in order to automatize the basic figures of the SIF reporting.

ITAC description: SSC Finance and/or Business finance department (depending on who is doing the SIF) provides correspondence table between local chart of accounts and SIF. Competency center sets this mapping into accounting system.

ITAC 100 technical implementation
Set Financial Statement Version Structure configuration by assigning GL Accounts to the Financial Statement Items.

Execute OB58 - Define Financial Statement Versions.
Assign GL Accounts to Financial Statement items.

ITAC 100 Transactions
OB58: SPRO > IMG > Execute Project > Financial Accounting (New) > General Ledger Accounting (New) > Periodic Processing > Document > Define Financial Statement Versions


I16.R01 Review SIF accounts G/L accounts mapping

SAP Module: FI
Technical category: Report

Control 16.7: General ledger/SIF correspondence table
Risks addressed by ITAC: R16.1, R16.3, R16.4 and R16.5

ITAC objective: Review mapping of General ledger to SIF to avoid any discrepancy and to adapt the mapping on the local accounts changes.

ITAC description: Competency Center shall customize a report of SIF and chart of accounts mapping. At least once a year, the SSC Finance and/or Business finance Department use these reports to review the SIF and chart of account mapping.

ITAC 100 technical implementation
Generate report of financial statement using S_ALR_87012284 - Financial Statement.

Report S_ALR_87012284 analyzes the G/L structure (per company) and indicates which accounts are not mapped. SIF ledger must not display any unmapped accounts.

Competency Center must ensure that there is at least a role with the ability to use these reports and that the role has been assigned to the users selected by the business.

ITAC 100 Transactions
S_ALR_87012284 - Financial Statement


Control 16.8: Review of open accounts

ICRF

Control description:
The Finance Department shall perform an annual review of all open accounts and of their description in order to deactivate any
unnecessary or redundant accounts.

The Finance Department ensures that all inactive accounts cannot be used.

Risks:
Risk 16.2 - Misappropriation of assets and fraud
Risk 16.6 - Intragroup irregularities

APPLICATION CONTROL

I16.T01 Block unused accounts

SAP Module: FI
Technical category: Transaction

Control 16.8: Review of open accounts
Risks addressed by ITAC: R16.2 and R16.6

ITAC objective: Unnecessary and redundant accounts are deactivated in order to maintain the system clean.

ITAC description: After review of open accounts, SSC finance requests Competency Center to deactivate any unnecessary or redundant accounts.

ITAC 100 technical implementation
For all the G/L unused accounts identified, use FS05 Block master record to block them.

After the blocking, the Finance department shall extract the up-to-date version of the G/L master record using FSP0 and approve it.

Competency Center must ensure that there is at least a role with the ability to use these transactions and that the role has been assigned to the users selected by the business.

ITAC 100 Transactions
FS05 - Block master records
FSP0 - G/L account master record


Control 16.9: Modification of the Chart of accounts

ICRF

Control description:
Any creation or modification of the Chart of accounts shall be formally requested and approved by the Financial Manager.
Each request contains the accounting line reference, the corresponding SIF code as well as the journal entry model.
An annual review of the accounting Chart shall be performed.

Risks:
Risk 16.2 - Misappropriation of assets and fraud
Risk 16.3 - Incorrect Group accounts
Risk 16.5 - Interim financial statements purposefully or unknowingly incorrect
Risk 16.6 - Intragroup irregularities
Risk 16.7 - Off-balance-sheet commitments not identified

APPLICATION CONTROL

I16.R02 Changes made to the chart of accounts are reviewed

SAP Module: FI
Technical category: Report

Control 16.9: Modification of the Chart of accounts
Risks addressed by ITAC: R16.2, R16.3, R16.5, R16.6 and R16.7

ITAC objective: Changes made to chart of accounts are reviewed to detect any change that has not been approved.

ITAC description: Competency center provides appropriate report to review changes made in chart of accounts. At least once a year Financial department reviews these changes.

ITAC 100 technical implementation
Generate a report of the current chart of account using:
- S_ALR_87012328

Generate report of changes made since last review using:
- FSP4 - G/L Account Changes in Chart/Accts

These reports can be batched using program RFSABL00: changes to G/L account master data during the accounting period. This program can be executed via report transactions: S_ALR_87009845, S_ALR_87009846, S_ALR_87012307, S_ALR_87012308, S_ALR_87100997

Competency Center must ensure that there is at least a role with the ability to use these reports and that the role has been assigned to the users selected by the business.

ITAC 100 Transactions
S_ALR_87012328 G/L Account List
FSP4 – G/L accounts changes in chart/accts
S_ALR_87009845
S_ALR_87009846
S_ALR_87012307
S_ALR_8701230
S_ALR_87100997


Control 16.10: Review of the access rights for modification of the Chart of
accounts

ICRF

Control description:
Access permissions to the master files of the Chart of accounts are restricted to authorized persons.

The Financial Manager performs an annual review of access rights for creation, modification or deletion of accounts in the Chart
of accounts.

Risks:
Risk 16.2 - Misappropriation of assets and fraud
Risk 16.3 - Incorrect Group accounts
Risk 16.5 - Interim financial statements purposefully or unknowingly incorrect

APPLICATION CONTROL

I16.A02 Access review to maintain chart of accounts

SAP Module: FI
Technical category: Access review

Control 16.10: Review of the access rights for modification of the Chart of accounts
Risks addressed by ITAC: R16.2, R16.3 and R16.5

ITAC objective: Review user list to detect userid that should not be granted access to maintain charts of accounts.

ITAC description: Competency center provides reports according to business organization listing users with granted access to maintain chart of accounts. SSC Finance manager reviews it and asks for appropriate changes.

ITAC 100 technical implementation
Competency centers must provide to the business a report variant (using a batch at least once per year for example) to identify those users with the ability to maintain chart of accounts.

Use standard report S_BCE_68002111 (SAP Menu: Tools -> Administration -> User Maintenance -> Information System -> User) and generate a variant for Critical Authorizations with:

1) the following transactions:
- FS00 - Edit G/L accounts centrally
- FS02 - Change Master Record
- FS03 - Display Master Record
- FSP0 - G/L acct master record in chrt/accts
- FSS0 - G/L account master record in CO code
- FSM2 - Change Sample Account
- OB_GLACC11 - G/L acct record: Mass maintenance 01
- OB_GLACC12 - G/L acct record: Mass maintenance 02
- OB_GLACC13 - G/L acct record: Mass maintenance 03
- Custom Transactions (Z*) if applicable

2) at least the following authorization objects:
- F_SKA1_BES
- F_SKA1_BES (company level)
Activities to be monitored and that must be restricted are 01 (creation) and 02 (modification).

3) the appropriate Organizational data for each company in the scope of the Competency Center (if applicable).

Finance manager must review the report in order to ensure the user list is appropriate. If needed, users can also run the report with the appropriate variant for further revisions.

Competency Center must ensure that there is at least a role with the ability to use this report and that the role has been assigned to the users selected by the business.

ITAC 100 Transactions
S_BCE_68002111 report – with critical authorizations (New version).
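The selection logic behind the Critical Authorizations variants of Control 16.2 and Control 16.10, as an added example (not part of the manual, and not SAP's own report logic): it flags users who hold both a listed transaction and activity 01 or 02 on the listed authorization object. The export layout, the user names and the ZFI_PERIOD transaction are constructed for illustration.

```python
from collections import defaultdict

# Rules transcribed from the two access-review controls above.
RULES = {
    "open/close posting periods": {
        "tcodes": ["OB52", "OBBP"],
        "object": "S_TABU_DIS",
        "activities": ["01", "02"],
    },
    "maintain chart of accounts": {
        "tcodes": ["FS00", "FS02", "FS03", "FSP0", "FSS0", "FSM2",
                   "OB_GLACC11", "OB_GLACC12", "OB_GLACC13"],
        "object": "F_SKA1_BES",
        "activities": ["01", "02"],
    },
}

# Constructed sample export, one row per authorization value:
# (user, authorization object, field, value from, value to).
SAMPLE_EXPORT = [
    ("ALICE", "S_TCODE", "TCD", "OB52", ""),
    ("ALICE", "S_TABU_DIS", "ACTVT", "02", ""),
    ("BOB", "S_TCODE", "TCD", "FS*", ""),
    ("BOB", "F_SKA1_BES", "ACTVT", "03", ""),        # display only
    ("CAROL", "S_TCODE", "TCD", "FS00", "FS03"),     # value range
    ("CAROL", "F_SKA1_BES", "ACTVT", "*", ""),       # full wildcard
    ("DAVE", "S_TABU_DIS", "ACTVT", "01", ""),       # object without a transaction
    ("ERIN", "S_TCODE", "TCD", "ZFI_PERIOD", ""),    # hypothetical custom transaction
    ("ERIN", "S_TABU_DIS", "ACTVT", "02", ""),
]


def value_covers(low, high, wanted):
    """True if an authorization value (single, range or pattern) covers `wanted`."""
    if low == "*":
        return True
    if high:
        return low <= wanted <= high
    if low.endswith("*"):
        return wanted.startswith(low[:-1])
    return low == wanted


def covered(values, wanted_list):
    """Return the items of `wanted_list` covered by at least one granted value."""
    return [w for w in wanted_list
            if any(value_covers(low, high, w) for low, high in values)]


def review(rows, rules=RULES, custom_tcodes=None):
    """List users holding a critical transaction together with activity 01/02.

    Assumption: only S_TCODE and the ACTVT field are evaluated. Other fields
    of the object (authorization group, organizational values) are ignored,
    so the list can over-report and each finding still needs the manual review.
    """
    grants = defaultdict(lambda: defaultdict(list))
    for user, obj, field, low, high in rows:
        grants[user][(obj, field)].append((low.strip().upper(), high.strip().upper()))

    findings = []
    for user in sorted(grants):
        for name, rule in rules.items():
            tcodes = rule["tcodes"] + (custom_tcodes or {}).get(name, [])
            hit_tcodes = covered(grants[user][("S_TCODE", "TCD")], tcodes)
            hit_acts = covered(grants[user][(rule["object"], "ACTVT")], rule["activities"])
            if hit_tcodes and hit_acts:
                findings.append({"user": user, "rule": name,
                                 "tcodes": hit_tcodes, "activities": hit_acts})
    return findings


if __name__ == "__main__":
    custom = {"open/close posting periods": ["ZFI_PERIOD"]}
    for finding in review(SAMPLE_EXPORT, custom_tcodes=custom):
        print(finding)
```

Custom Z* transactions are only caught when they are passed in explicitly, which is why the variant has to be maintained whenever a new custom transaction touches posting periods or G/L master data.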


Control 16.11: Traceability of entries

ICRF

Control description:
All entries must be recorded in journals that are identified and numbered sequentially. Each entry must be justified and
documented.
The entity has set up a procedure ensuring the traceability of the entry of accounting documents (sequential numbering of the
accounting documents, journal code, date of entry, person who has made the journal entry, archiving).

The Accounting Manager regularly checks that all journals are used correctly.

Risks:
Risk 16.2 - Misappropriation of assets and fraud
Risk 16.8 - Tax adjustments due to tax returns calculations based on inaccurate and incomplete accounting data

APPLICATION CONTROLS

I16.C03 Ensure the number ranges of documents is correct

I16.R03 Review manual entries made on automatic journals

I16.C04 Automatic posting changes are restricted

I16.C05 Reversal posting of all logistic transaction should be defined into accounting system


I16.C03 Ensure the number ranges of documents is correct

SAP Module: FI
Technical category: Customization

Control 16.11: Traceability of entries
Risks addressed by ITAC: R16.2 and R16.8

ITAC objective: Sufficient number ranges are set for all document types to avoid any problem on the system when the number limit is exceeded.

ITAC description: Competency center sets document numbering with sufficient range and configures the accounting system to monitor it automatically according to SSC Finance needs.

ITAC 100 technical implementation
Set up number ranges for all document types in use, following recommendations from Finance department with sufficient document range and automatic monitoring.

Using FBN1 - Define document ranges, set up sufficient number range for significant document types in use.

ITAC 100 Transactions
FBN1: SPRO > Financial accounting > Financial accounting global settings > Document > Document number ranges > Define document number ranges


I16.R03 Review manual entries made on automatic journals

SAP Module: FI
Technical category: Report

Control 16.11: Traceability of entries
Risks addressed by ITAC: R16.2 and R16.8

ITAC objective: Review modification on automatic journals to detect anomalies in manual corrections: especially, manual asset depreciation, manual assignment of logistic transaction and document types used for manual journal entries.

ITAC description: SSC Finances reviews manual correction of automatic posting including depreciation, or manual assignment of automatic posting.

ITAC 100 technical implementation
Generate report of manual entries or corrections:
S_ALR_87012015 Manual Depreciation
S_ALR_87012329 Account Assignment Manual
S_ALR_87012330 Account Assignment Manual

Competency Center must ensure that there is at least a role with the ability to use these reports and that the role has been assigned to the users selected by the business.

ITAC 100 Transactions
S_ALR_87012329 Account Assignment Manual
S_ALR_87012330 Account Assignment Manual
S_ALR_87012015 Manual Depreciation


I16.C04 Modification of automatic posting is restricted

SAP Module: FI
Technical category: Customization

Control 16.11: Traceability of entries
Risks addressed by ITAC: R16.2 and R16.8

ITAC objective: To forbid any modification on automatic posting in order to ensure the integrity of the journal entries.

ITAC description: In accordance with SSC Finance, Competency center restricts possible changes on journal entries in the accounting system.

ITAC 100 technical implementation
Execute OB32 - Document Change Rules - Line Item.
Switch off the field indicator "field can be changed" in order to block changes of FI journal entries generated by automatic posting.

When the business requires changes, keep the standard conditions defined by SAP for changing these fields in OB32:
a) Posting period not closed
b) Line item not cleared
c) Customer debit or vendor credit
d) No invoice-related credit memo
e) No credit memo from down payment

Use FS00 to switch off the field indicator "field can be changed" in order to block changes of FI journal entries generated by automatic posting.

ITAC 100 Transactions
OB32: SAP Menu -> Tools -> Customizing -> IMG -> Execute Project (then click the 'SAP Reference IMG' button) -> Financial Accounting (New) -> Financial Accounting Global Settings (New) -> Document -> Rules for Changing Documents -> Document Change Rules - Line Item
FS00


I16.C05 Reversal posting of all logistic transaction must be defined
into accounting system

SAP Module: FI
Technical category: Customization

Control 16.11: Traceability of entries
Risks addressed by ITAC: R16.2 and R16.8

ITAC objective: Reversal posting (modification of documents) of all logistic transaction should be correctly defined into accounting system.

ITAC description: Finance department provides accounting rules for all reversal logistic transaction and Competency center implements them into the system.

ITAC 100 technical implementation
Define the reversal document type, using OBA7 - Define Document Type for Entry View, for all document types coming from the logistical system in field "Reversal Document type", or leave it blank when a reversal logistic transaction exists.

The blank value in the "reversal document type" field indicates that the document type and reversal document type are the same.

ITAC 100 Transactions
OBA7: SAP Menu path: IMG > Financial Accounting (New) > Financial Accounting Global Settings (New) > Document > Document Types > Define Document Type for Entry View Types > Define Document Type for Entry View


Control 16.15: Review of manual entries

ICRF

Control description:
All manual entries shall be supported by documentary evidence.

The Accounting Manager ensures that all manual entries are appropriately justified and documented.
The Financial Manager reviews each non-standard manual entry, as well as those that have a significant impact on the accounts.

Risks:
Risk 16.2 - Misappropriation of assets and fraud
Risk 16.5 - Interim financial statements purposefully or unknowingly incorrect

APPLICATION CONTROLS

I16.C06 Restrict manual entries on accounts only impacted by automatic postings

I16.C07 Define specific document type for non-standard manual entries

I16.R04 Non-standard manual entries are reviewed


I16.C06 Restrict manual entries on accounts only impacted by
automatic postings.

SAP Module: FI
Technical category: Customization

Control 16.15: Review of manual entries
Risks addressed by ITAC: R16.2 and R16.5

ITAC objective: To avoid manual entries on accounts that should be only updated by automatic postings.

ITAC description: SSC Finance defines the list of accounts that should not be impacted by manual entries and Competency center restricts manual journal entries on these accounts in accounting system.

ITAC 100 technical implementation
Set accounts that are not supposed to be impacted manually to "Automatic posting only" using FS00 - Manage account centrally. These accounts are typically part of:
- reconciliation accounts
- integration points accounts
- cash,
- payroll,
- depreciation of assets,
- currency differences,
- sales,
- purchases,
- stock.

Specific accounts can be used for month end manual adjustment.

ITAC 100 Transactions
FS00: SPRO – Manage accounts centrally


I16.C07 Define specific document type for non-standard manual
entries

SAP Module: FI
Technical category: Customization

Control 16.15: Review of manual entries
Risks addressed by ITAC: R16.2 and R16.5

ITAC objective: Non-standard manual entries are easily identified for further control by reports.

ITAC description: SSC Finance defines procedure to use specific document type for non-standard entries. The Competency center creates this document type into the system.

ITAC 100 technical implementation
In SAP document types are used for journal.

Set specific document type for manual journal entries under review of SSC Finance using OBA7 - Define document type.

Standard document type for manual entries like SA or AB should only be used for day-to-day, processed operations.

ITAC 100 Transactions
OBA7: SAP Menu path: IMG > Financial Accounting (New) > Financial Accounting Global Settings (New) > Document > Document Types > Define Document Type for Entry View


I16.R04 Non-standard manual entries are reviewed

SAP Module: FI
Technical category: Report

Control 16.15: Review of manual entries
Risks addressed by ITAC: R16.2 and R16.5

ITAC objective: Non-standard manual entries are reviewed by Financial Manager to check that there is no anomaly.

ITAC description: A report of non-standard manual journal entries entered in the GL is periodically extracted from the system and reviewed. Competency center provides report based on non-standard entries journal. This journal is reviewed by Financial Manager.

ITAC 100 technical implementation
Generate a report containing all non-standard manual entries generated via S_ALR_87012289 - Compact Document Journal report with specific document type defined for non-standard manual entries.

Alternative report can be created based on journal entries (table BSEG and BKPF).

Competency Center must ensure that there is at least a role with the ability to use these reports and that the role has been assigned to the users selected by the business.

ITAC 100 Transactions
S_ALR_87012289 - Compact Document Journal report
Table BSEG and BKPF for alternative report.
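One way to build the alternative report from BKPF and BSEG, as an added example that is not part of the manual: it runs over a constructed SQLite copy of a few header and line-item fields. The document type ZN for non-standard entries, the 100,000 threshold for significant standard manual entries and all sample documents are assumptions.

```python
import sqlite3

NON_STANDARD_TYPE = "ZN"              # assumption: type created via OBA7 for non-standard entries
STANDARD_MANUAL_TYPES = ("SA", "AB")  # standard manual types named in I16.C07
SIGNIFICANT_AMOUNT = 100000.0         # assumption: review threshold in local currency

# Constructed sample documents: (BUKRS, BELNR, GJAHR, BLART, BUDAT, USNAM, lines),
# with lines as (SHKZG, HKONT, DMBTR); SHKZG 'S' = debit, 'H' = credit.
SAMPLE_DOCS = [
    ("1000", "0100000001", 2024, "SA", "2024-03-05", "JDOE",
     [("S", "600100", 500.0), ("H", "400100", 500.0)]),
    ("1000", "0100000002", 2024, "ZN", "2024-03-28", "MROE",
     [("S", "610200", 12000.0), ("H", "230000", 12000.0)]),
    ("1000", "0100000003", 2024, "AB", "2024-03-30", "JDOE",
     [("S", "620300", 150000.0), ("S", "620400", 100000.0), ("H", "230000", 250000.0)]),
    ("1000", "5100000004", 2024, "RE", "2024-03-30", "BATCH01",   # automatic posting
     [("S", "300000", 900000.0), ("H", "160000", 900000.0)]),
    ("1000", "0100000005", 2024, "ZN", "2024-04-02", "MROE",      # outside the period
     [("S", "610200", 800.0), ("H", "230000", 800.0)]),
]

REVIEW_QUERY = """
SELECT BELNR, BLART, BUDAT, USNAM, debit_total,
       CASE WHEN BLART = :ns THEN 'non-standard document type'
            ELSE 'significant standard manual entry' END AS reason
FROM (
    SELECT h.BUKRS, h.BELNR, h.GJAHR, h.BLART, h.BUDAT, h.USNAM,
           SUM(CASE WHEN i.SHKZG = 'S' THEN i.DMBTR ELSE 0 END) AS debit_total
    FROM BKPF h
    JOIN BSEG i ON i.BUKRS = h.BUKRS AND i.BELNR = h.BELNR AND i.GJAHR = h.GJAHR
    WHERE h.BUKRS = :bukrs AND h.BUDAT BETWEEN :date_from AND :date_to
    GROUP BY h.BUKRS, h.BELNR, h.GJAHR
)
WHERE BLART = :ns OR (BLART IN (:m1, :m2) AND debit_total >= :limit)
ORDER BY BELNR
"""


def build_db(docs):
    """Load the sample documents into in-memory tables modelled on BKPF/BSEG."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE BKPF (BUKRS TEXT, BELNR TEXT, GJAHR INTEGER, BLART TEXT,
                           BUDAT TEXT, USNAM TEXT,
                           PRIMARY KEY (BUKRS, BELNR, GJAHR));
        CREATE TABLE BSEG (BUKRS TEXT, BELNR TEXT, GJAHR INTEGER, BUZEI INTEGER,
                           SHKZG TEXT, HKONT TEXT, DMBTR REAL);
    """)
    for bukrs, belnr, gjahr, blart, budat, usnam, lines in docs:
        db.execute("INSERT INTO BKPF VALUES (?,?,?,?,?,?)",
                   (bukrs, belnr, gjahr, blart, budat, usnam))
        for buzei, (shkzg, hkont, dmbtr) in enumerate(lines, start=1):
            db.execute("INSERT INTO BSEG VALUES (?,?,?,?,?,?,?)",
                       (bukrs, belnr, gjahr, buzei, shkzg, hkont, dmbtr))
    return db


def entries_to_review(db, bukrs, date_from, date_to):
    """Return the documents the Financial Manager has to review for the period."""
    params = {
        "ns": NON_STANDARD_TYPE,
        "m1": STANDARD_MANUAL_TYPES[0],
        "m2": STANDARD_MANUAL_TYPES[1],
        "limit": SIGNIFICANT_AMOUNT,
        "bukrs": bukrs,
        "date_from": date_from,
        "date_to": date_to,
    }
    return db.execute(REVIEW_QUERY, params).fetchall()


if __name__ == "__main__":
    database = build_db(SAMPLE_DOCS)
    for row in entries_to_review(database, "1000", "2024-03-01", "2024-03-31"):
        print(row)
```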


Control 16.20: Control of the general ledger balances/sub-ledger balances

ICRF

Control description:
The data from the sub-ledger accounting or other management systems shall be reconciled each month with the general
accounting (balance, total debits, total credits). Any differences that are identified must be explained and corrected.

Risks:
Risk 16.2 - Misappropriation of assets and fraud
Risk 16.3 - Incorrect Group accounts
Risk 16.5 - Interim financial statements purposefully or unknowingly incorrect
Risk 16.6 - Intragroup irregularities
Risk 16.8 - Tax adjustments due to tax returns calculations based on inaccurate and incomplete accounting data

APPLICATION CONTROLS

I16.R05 AP and AR reconciled to GL

I16.R06 Control of the general ledger balances/sub-ledger balances


I16.R05 AP and AR reconciled to GL

SAP Module: FI, SD, MM
Technical category: Report

Control 16.20: Control of the general ledger balances/sub-ledger balances
Risks addressed by ITAC: R16.2, R16.3, R16.5, R16.6 and R16.8

ITAC objective: Accounting system matches sales and purchase systems

ITAC description: Competency center provides reports to reconcile sub-ledger and general ledger accounts and detects processing failures/errors. The account receivables and payables shall be reconciled at least once a month by SSC Finance.

ITAC 100 technical implementation
Generate balances from SD and MM modules to reconcile them with GL balances using:
FD10N - Displaying balances from SD
FK10N - Displaying Balances from MM
FS10N - Displaying Balances from FI

Competency Center must ensure that there is at least a role with the ability to use these reports and that the role has been assigned to the users selected by the business.

ITAC 100 Transactions
FD10N - Displaying balances from SD
FK10N - Displaying Balances from MM
FS10N - Displaying Balances from FI


I16.R06 Control of the general ledger balances/sub-ledger balances

SAP Module: FI
Technical category: Report

Control 16.20: Control of the general ledger balances/sub-ledger balances
Risks addressed by ITAC: R16.2, R16.3, R16.5, R16.6 and R16.8

ITAC objective: All AR and AP items are posted in GL, and credit and debit balances (creditor customers and debtor suppliers) are correctly classified.

ITAC description: Generate report of reconciliation between general ledger and account payable and receivable sub ledgers including affectation of debit and credit accounts. General ledger and AR and AP sub ledgers should be reconciled by Financial department at least once a month.

ITAC 100 technical implementation
Review the reconciliation with F-03

This transaction executes the program SAPF070 which performs a consistency check and a reconciliation of transaction figures within a time period for:
- debits and credits on the customer, vendor and general ledger accounts,
- against the debit and credit balances of the documents posted.

Review can be formalized using:
S_ALR_87012086 - reconciliation accounts assigned to vendors
S_ALR_87012178 - reconciliation accounts assigned to customers via

Competency Center must ensure that there is at least a role with the ability to use these report/transactions and that the role has been assigned to the users selected by the business.

ITAC 100 Transactions
F-03 - Clear Open Items
S_ALR_87012086 - reconciliation accounts assigned to vendors
S_ALR_87012178 - reconciliation accounts assigned to customers via


Control 16.22: Intercompany reconciliation

ICRF

Control description:
Intercompany invoices shall be accounted or provided for as soon as the goods are received and the services are performed. Any
occurring disputes shall be corrected once they have been accounted for and terms of payment shall be strictly respected.
Rebates on invoices and partial payments are strictly prohibited.
Electronic invoicing for intercompany flows is to be used in priority.

Each month the entity shall confirm all intercompany payables and receivables with its partners (clients, suppliers, invoices and
credit notes to be received, accrued interests, foreign currency accounts etc.). The details of the accounts shall be sent within
the specified deadlines.

The Accounting Manager ensures that any discrepancies for the month in progress are cleared by no later than the following
month.

Risks:
Risk 16.3 - Incorrect Group accounts
Risk 16.5 - Interim financial statements purposefully or unknowingly incorrect
Risk 16.6 - Intragroup irregularities

APPLICATION CONTROLS

I16.C08 Set Saint-Gobain as intercompany group in accounting system

I16.C09 Intercompany process in the same accounting system

I16.T02 Identify trading partners

I16.R07 Intercompany reconciliation


I16.C08 Set Saint-Gobain as intercompany group in accounting system

SAP Module: FI, SD
Technical category: Customizing

Control 16.22: Intercompany reconciliation
Risks addressed by ITAC: R16.3, R16.5 and R16.6

ITAC objective: Saint-Gobain group is defined in accounting system to ensure the intercompany reconciliation process.

ITAC description: Competency center defines the Saint-Gobain group as trading partners in accounting system. Specific rules for intercompany are defined (such as specific GL accounts).

ITAC 100 technical implementation
All Saint-Gobain group companies must be customized in SAP with their SIF code using transaction OX15.

Set automatic postings for clearing, specific GL accounts, document types used for internal and external invoices types.

ITAC 100 Transactions
OX15: SPRO > Enterprise structure > Definition > Financial Accounting > Define Company (list of trading partners)


I16.C09 Intercompany process in the same accounting system

SAP Module: SD, FI
Technical category: Customizing

Control 16.22: Intercompany reconciliation
Risks addressed by ITAC: R16.3, R16.5 and R16.6

ITAC objective: A specific process for trading partners managed by the same accounting system allows easier reconciliation.

ITAC description: Trading partners and associated intercompany flow are identified in sales management system and accounting system.

ITAC 100 technical implementation
When trading partners are implemented into the same SAP client, configure specific document types for intercompany billing.

Execute OVV8 - Define Order Types for Intercompany Billing.
Configure Sale order document types for which intercompany billing is possible for the intercompany movements.
Set billing type to "IV" for intercompany billing.

Each sales order document type must have a respective document type used for intercompany billing including
- Purchase Order
- Credit Memo
- Debit Memo
- Returns

ITAC 100 Transactions
OVV8: SPRO: Sales and Distribution > Billing > Intercompany Billing > Define Order Types for Intercompany Billing


I16.T02 Identify trading partners

SAP Module: FI, SD
Technical category: Transaction

Control 16.22: Intercompany reconciliation
Risks addressed by ITAC: R16.3, R16.5 and R16.6

ITAC objective: Identify all Saint-Gobain subsidiaries as trading partner in accounting system at the time of the creation.

ITAC description: During creation of customer and supplier, Business identifies trading partners and uses the specific transaction in the system.

ITAC 100 technical implementation
Identify Saint-Gobain entity as trading partner via transaction XD02 - Modify customer (sheet Control Data, field Trading Partner) or XK02 – Change Vendors.

Competency Center must ensure that there is at least a role with the ability to use these transactions and that the role has been assigned to the users selected by the business.

ITAC 100 Transactions
XD02 - Modify customer
XK02 – Change vendor


I16.R07 Intercompany reconciliation

SAP Module: FI
Technical category: Report

Control 16.22: Intercompany reconciliation
Risks addressed by ITAC: R16.3, R16.5 and R16.6

ITAC objective: Reconcile intercompany operation before group elimination.

ITAC description: Trading partners balances are generated by the accounting system. General ledger and AR and AP sub ledgers should be reconciled at least once a month by financial department.

ITAC 100 technical implementation
For customer trading partners, execute report S_ALR_87012172 - Customer balances.
Select dynamic selection.
In Customer master, select [Trading Partners] <> [empty].

For vendor trading partners, execute report S_ALR_87012082 – Vendor Balance with the same selection.

Competency Center must ensure that there is at least a role with the ability to use these reports and that the role has been assigned to the users selected by the business.

ITAC 100 Transactions
S_ALR_87012172 - Customer balances
S_ALR_87012082 – Vendor Balance


Control 16.26: Procedure for period end accounting

ICRF

Control description:
The procedure for accounting closing and for preparing financial information is formalised, validated by the Financial Manager and
distributed. It specifies, in particular:
- A schedule of transactions to carry out,
- The allocation of responsibilities for performing, supervising and checking each transaction (by account or by category),
- A check list of tasks and entries to book, in particular for non recurring movements,
- A list of elements used to ensure that the cut-off is respected.

The Financial Manager regularly verifies the respect of the closing procedure.

Risks:
R 16.2 – Misappropriation of assets and fraud
R 16.4 - Failure to meet commitments to issue financial reporting information
R 16.6 - Intragroup irregularities
R 16.7 - Off-balance-sheet commitments not identified or granted without authorisations.

APPLICATION CONTROLS

I16.C10 Fiscal Year Variant Posting periods

I16.C11 Posting period configuration



I16.C10 Fiscal Year Variant Posting periods

SAP Module: FI
Technical category: Customizing

Control 16.26: Procedure for period end accounting
Risks addressed by ITAC: R16.2, R16.6 and R16.7

ITAC objective: Fiscal Year Variant Posting periods are configured to reflect the closing calendar of the client.

ITAC description: Fiscal year variant has been created and assigned to the company code to ensure a timely closing process in the system.

ITAC 100 technical implementation

Define a fiscal year variant via the OB29 transaction, then assign the variant to the company code via the transaction OB37.

ITAC 100 Transactions


OB37 – Assign company code to fiscal year variant
OB29 – Fiscal year variants



I16.C11 Posting period configuration

SAP Module: FI
Technical category: Customizing

Control 16.26: Procedure for period end accounting
Risks addressed by ITAC: R16.2, R16.6 and R16.7

ITAC objective: Accounting period configuration is defined to support the business during the closing process.

ITAC description: Accounting periods for user posting are accurately defined to ensure accounting closing process by module or group of accounts.

ITAC 100 technical implementation

Assign the posting period variant to the company code via the transaction OBBP.
Create a posting period variant and specify open accounting periods via the transaction OB52.

ITAC 100 Transactions


OBBP – Assign company code to a posting period variant
OB52 – Posting periods



ITAC in Risks & Controls Matrix (ICRF 16)

ICRF  ITAC  SAP Mod. (SD FI)  ITAC 100 Category  ICRF Risk addressed (R16.1 R16.2 R16.3 R16.4 R16.5 R16.6 R16.7 R16.8)
16.2 I16.A01 X A X X X X
16.6 I16.C01 X C X X X X
16.7 I16.C02 X C X X X X
16.7 I16.R01 X R X X X X
16.8 I16.T01 X T X X
16.9 I16.R02 X R X X X X X
16.10 I16.A02 X A X X X
16.11 I16.C03 X C X X
16.11 I16.R03 X R X X
16.11 I16.C04 X C X X
16.11 I16.C05 X C X X
16.15 I16.C06 X C X X
16.15 I16.C07 X C X X
16.15 I16.R04 X R X X
16.20 I16.R05 X R X X X X X
16.20 I16.R06 X R X X X X X
16.22 I16.C08 X X C X X X
16.22 I16.C09 X X C X X X
16.22 I16.T02 X X T X X X
16.22 I16.R07 X R X X X
16.26 I16.C10 X C X X X
16.26 I16.C11 X C X X X
2 15 11 3 15 11 3 8
