Former Member

Meaning of SOD......

Hi All,

What is meant by SOD in SAP Security? Please explain in detail...

Thank You.

Regards,

Swapna.D.

6 Answers

  • Former Member
    Dec 18, 2007 at 08:50 PM

    Hi,

    _SOD_ means Segregation of Duties. During implementation of security, functional consultants will meet the BPOs (business process owners) and core users, and they will segregate the duties. As per their responsibility they will prepare a role matrix (report). As per the report, authorizations are given and roles are prepared. This is called SOD.

  • Former Member
    Dec 18, 2007 at 09:07 PM

    Here is the "free" definition of SoD: http://en.wikipedia.org/wiki/Segregation_of_duties

    In SAP security, it could for example be the separation of Authorization Development from User Administration,

    and / or

    Not giving User Administrators access to administrate the user groups of their own IDs.

    and / or

    Restricting the authorizations for objects S_USER_VAL and S_USER_TCD to certain values for the Authorization Developers of business roles.

    Cheers,

    Julius

  • Former Member
    Dec 19, 2007 at 07:06 AM

    Segregation of Duties:

    Duties within the department or function should be separated so that one person does not perform processing from the beginning to the end of a process. Duties that should be segregated include:

    • Authorization

    • Custody of the assets

    • Recording transactions

    If an adequate segregation of duties does not exist, the following could occur:

    • Misappropriation of assets

    • Misstated financial statements

    • Inaccurate financial documentation (i.e., errors or irregularities)

    • Improper use of funds or modification of data could go undetected

    SOD matrix will be defined and it defines who would be having which access. It will define the risk involved in providing access to certain t-codes together.

    This would help us audit the security level and avoid security concerns. There are certain tools like Virsa and Approva which help us in maintaining the SODs.

    For more clarity, please follow this link

    http://findarticles.com/p/articles/mi_m4153/is_5_60/ai_110222003

    Regards,

    Imran

  • Former Member
    Dec 21, 2007 at 10:29 AM

    Please refer to the links below:

    http://www.sapsecurityonline.com/sox_sod/sox_sod.htm

    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/f02855c9-2091-2a10-8682-af41abe087ba

    Sarbanes Oxley is a US law passed in 2002 to strengthen Corporate Governance and restore investor confidence. The Sarbanes Oxley Act was sponsored by US Senator Paul Sarbanes and US Representative Michael Oxley. The Sarbanes-Oxley (or more popularly Sarbanes Oxley) law was passed in response to a number of major corporate and accounting scandals involving prominent companies in the United States. These scandals resulted in a loss of public trust in accounting and reporting practices. Sarbanes Oxley legislation is wide ranging and establishes new or enhanced standards for all US public company boards, management, and public accounting firms.

    The passing into law of the Sarbanes-Oxley Act of 2002 regulates how financial data must be handled and protected in all publicly held corporations.

    SOD stands for segregation of duties. Basically you need to understand what SOD is. If you want to know a little bit of information, go to the standard SAP roles, copy them to Z or Y roles, and check out each role and its transactions to get an initial idea.

    Regarding SAP Authorization, you will find the details in the following links.

    http://help.sap.com/saphelp_nw04s/helpdata/en/52/671285439b11d1896f0000e8322d00/content.htm

    http://help.sap.com/saphelp_47x200/helpdata/en/52/671126439b11d1896f0000e8322d00/frameset.htm

    This is a very small bit of information to share to start. There is a very long way to go to understand each business area.

    I hope it will help you.

  • Former Member
    Dec 21, 2007 at 10:33 AM

  • Former Member
    Jan 06, 2008 at 09:32 AM

    SOD: Segregation of Duties.

    I will try to explain this in layman's terms. A single user should not have all authorizations combining which there can be a possible fraud. For example, a user cannot have authorization to create an expense report and then authorization to approve the same. If this is the case he will create expense reports and then approve them, which will lead to financial loss.

    So he should either be the creator or the approver.

    • Former Member

      >

      > which will lead to financial loss.

      No. SOD analysis and implementing mitigating controls leads to (an initial) financial loss.

      >

      > create expense reports and then approve them

      This increases the operational risk of fraud as the probability of errors or misuse going undetected increases, unless mitigated (after-the-fact controls).

      Whether a fraud, if approved by an authorized person (delegation of company authority) and correctly posted in accounting (debit expense & credit accounts payable) is in fact a financial reporting risk, can be debated.
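
An added example, not part of the original thread: a minimal SoD matrix check of the kind the answers above describe (role development vs. user administration, creating vs. approving an expense report, risky t-codes held together). The rule set, role names, user names and the ZEXP_* transaction codes are constructed for illustration; the check also shows a conflict that only appears when two individually clean roles are assigned to the same user.

```python
# Constructed SoD rule set: each function is a duty, expressed as the
# transaction codes that perform it. ZEXP_* are hypothetical custom t-codes.
FUNCTIONS = {
    "role_development": {"PFCG"},
    "user_administration": {"SU01"},
    "vendor_maintenance": {"FK01"},
    "vendor_payment": {"F110"},
    "expense_create": {"ZEXP_CREATE"},
    "expense_approve": {"ZEXP_APPROVE"},
}
# A risk is a pair of functions that one user must not hold together.
RISKS = {
    "R01": ("role_development", "user_administration"),
    "R02": ("vendor_maintenance", "vendor_payment"),
    "R03": ("expense_create", "expense_approve"),
}
# Constructed role design and user assignments (stand-in for a system extract).
ROLE_TCODES = {
    "Z_SEC_ROLE_DEV": {"PFCG", "SUIM"},
    "Z_SEC_USER_ADM": {"SU01", "SUIM"},
    "Z_AP_CLERK": {"FK01", "FB60"},
    "Z_AP_PAYMENTS": {"F110"},
    "Z_EXP_ALL": {"ZEXP_CREATE", "ZEXP_APPROVE"},
}
USER_ROLES = {
    "ALICE": ["Z_SEC_ROLE_DEV"],
    "BOB": ["Z_AP_CLERK", "Z_AP_PAYMENTS"],
    "CAROL": ["Z_EXP_ALL"],
    "DAVE": ["Z_SEC_USER_ADM", "Z_AP_CLERK"],
}

def roles_granting(roles, tcodes):
    """Roles in `roles` that contain at least one of `tcodes`."""
    return sorted(r for r in roles if ROLE_TCODES.get(r, set()) & tcodes)

def sod_violations(user_roles=USER_ROLES):
    """Return {user: [(risk_id, roles_for_side_a, roles_for_side_b), ...]}."""
    report = {}
    for user, roles in user_roles.items():
        for risk_id, (fa, fb) in sorted(RISKS.items()):
            a = roles_granting(roles, FUNCTIONS[fa])
            b = roles_granting(roles, FUNCTIONS[fb])
            if a and b:  # the user can perform both sides of the risk
                report.setdefault(user, []).append((risk_id, a, b))
    return report

def conflicting_roles():
    """Roles that violate a risk on their own, before any user gets them."""
    return sorted(r for r in ROLE_TCODES if sod_violations({r: [r]}))
```

BOB is flagged only because of the combination of two roles, while CAROL's conflict sits inside a single role and is caught at role-design time by `conflicting_roles()`.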