SAP logical separation risks and controls working session


Discussion Document
November 4, 2015

Discussion agenda

Introductions, confirm problem statement and objectives: 15 minutes
Level set on progress to-date: 15 minutes
Discuss enterprise risk framework: 10 minutes
Level set on SAP security architecture: 10 minutes
Lessons learned from other spins and carve-outs: 30 minutes
Co-develop solution framework and options: 30 minutes
Co-develop roadmap: 10 minutes

Background and objectives

Background

After careful consideration of timeline, risks, resources and other factors, the Air Products team has decided to deploy logical separation through security to segregate the SAP ECC system and ancillary systems to achieve Day One of the MT spin.
The IT team has encountered certain technical constraints to fully secure the environment that, if not addressed, may result in material weaknesses in the controls environment.

Problem Statement

Develop a solution, in a cost effective manner and commensurate with the risk, to demonstrate that only people who are authorized to write did write, for both the MT and IG businesses.

Working Session Objectives

Develop framework for analyzing solutions
Develop options, both technical and non-technical
Develop roadmap to solving the issues

Role Testing Progress to Date

AP Testing Approach

1. Create MT Security roles with NLE changes (Plant/CoCode, etc.)
2. Role Category Owner (or designee) performs testing
3. Identify/document Gaps discovered during testing
4. Review documented gaps - approve as is or recommend remediation path
5. Remediate identified Issues
6. Repeat starting at Step 2

Test Results

Role                    Tested   Results
Accounting              80       37 pass, 43 fail or warning
QM Technician           105      56 pass, 49 fail or warning
Buyer/Sourcing          79       55 pass, 24 fail or warning
Customer Service Rep    52       34 pass, 18 fail or warning

Enterprise risk management: Risk areas

Risk area: IT logical access post-separation

Risk examples*:
  Unauthorized access to data that may result in destruction of data, improper changes to data, including the recording of unauthorized or non-existent transactions, or inaccurate recording of transactions
  The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties (SoD issue)
  Unauthorized changes to data in master files or systems/programs
Potential mitigating actions (High Level):
  Review of SAP separation strategy
  Prioritize and risk rank security roles based on access (i.e. Treasury vs. Customer Service)
  Identify compensating controls and/or continuous monitoring to ensure MT resources are not accessing AP systems and data
Impact if not mitigated:
  Significant deficiencies or Material weaknesses on Sep/2016 SOX review
  Fraud/error
  Operational issues
Impacted organization: Air Products

*Risk as cited in AU-C 315 & PCAOB AS 12

Risk area: Internal Controls over Financial Reporting (ICFR)

Risk examples:
  Inaccurate Financial Reporting due to nonexistent/immature internal controls framework including those supporting ITGCs (applicable to Materials Technology)
Potential mitigating actions (High Level):
  Implement an ICFR Separation Readiness Program for the new company including system readiness
  Review TSA provisions around controls performed by AP for MT and subsequent audit provisions (key for IT and finance controls)
Impact if not mitigated:
  ICFR framework is not ready for day 1
  Misstatement leading to violation of debt covenants
  New company is not SOX compliant on Sep/2017
Impacted organization: Materials Technology

Note: Other separation risk areas could be identified through a targeted risk assessment exercise.

Security in SAP: Standard vs Custom

Both standard and custom transaction security is based on what is in the source code
Even SAP standard is not consistent in using source code to secure data
  Most commonly used transactions have robust security
  Some less commonly used transactions have gaps

Standard transactions:
  Organizational levels are used in most transactions
  Some standard transactions lack organizational security
Custom transactions:
  Some may be copied over from standard transactions and may inherit security objects
  Others that are completely custom may not have any objects
  Security authorizations depend on the coders and what was used
  Security objects may not be easy to find, depending on layers of source code

SAP Authorization Concept Environment

[Diagram: levels of the authorization concept, with the slide's examples]
Person
Position: Project accountant for Materials Technologies
Composite role: Project Accountant
Single role: Maintain project systems; Journal entry posting; Settle projects; Display accounting
Transaction: Create work breakdown structure; Post journal entry; Reverse journal entry; Post project settlement; Display accounting document
Organizational value: Company code; Plant; Cost center; Controlling area; Profit center
Activity: Create; Change; Display; Delete; Reverse

Technical security authorization concept

Transaction: Display accounting document (FB03)
Object: Accounting Document: Authorization for Company Codes (F_BKPF_BUK)

Field                   Value
Company code (BUKRS)    US10
Activity (ACTVT)        Display (03)
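
A simplified model of the evaluation described on the last two slides, added here as an example (it is not from the original deck and is not SAP's own code): a role passes only if one authorization instance satisfies every field the transaction's code checks, so a transaction whose code checks no org-level field cannot be separated by role values. FB03, F_BKPF_BUK, BUKRS, ACTVT 03 and US10 come from the slide; company code MT10, the custom transaction ZFI_DOC_LIST and both roles are constructed for illustration.

```python
"""Simplified model of role evaluation against the checks in a transaction's code.
Added example: not SAP code, not from the deck."""
from dataclasses import dataclass
from typing import Optional

WILDCARD = "*"


@dataclass(frozen=True)
class Check:
    """One authorization check performed by a transaction's source code."""
    obj: str                  # authorization object, e.g. F_BKPF_BUK
    activity: str             # ACTVT value requested, e.g. "03" = Display
    org_field: Optional[str]  # org-level field tested; None if the code tests none


# What each transaction's code checks. The FB03 entry is from the slide;
# ZFI_DOC_LIST is a hypothetical fully custom transaction with no object in its code.
TRANSACTIONS = {
    "FB03": [Check("F_BKPF_BUK", "03", "BUKRS")],
    "ZFI_DOC_LIST": [],
}


@dataclass
class Role:
    name: str
    tcodes: set   # transactions the role may start
    auths: list   # [(object, {field: set_of_values}), ...]


def _allows(granted, wanted):
    return WILDCARD in granted or wanted in granted


def _satisfies(obj, fields, chk, org_value):
    """All fields of ONE authorization instance must match the check."""
    if obj != chk.obj or not _allows(fields.get("ACTVT", set()), chk.activity):
        return False
    if chk.org_field is None:
        return True
    return _allows(fields.get(chk.org_field, set()), org_value)


def can_run(role, tcode, org_value):
    """True if the role can run tcode against data belonging to org_value."""
    if not _allows(role.tcodes, tcode):
        return False
    for chk in TRANSACTIONS[tcode]:
        if not any(_satisfies(o, f, chk, org_value) for o, f in role.auths):
            return False
    return True  # also reached when the code performs no check at all


def separation_gaps(role, foreign_org_values):
    """List (tcode, org value, reason) where the role reaches another entity's data."""
    gaps = []
    for tcode in sorted(TRANSACTIONS):
        org_checked = any(c.org_field for c in TRANSACTIONS[tcode])
        for value in sorted(foreign_org_values):
            if can_run(role, tcode, value):
                reason = ("role grants foreign org value" if org_checked
                          else "code has no org-level check")
                gaps.append((tcode, value, reason))
    return gaps


# Constructed roles: one restricted to the (constructed) SpinCo company code MT10,
# one with the wildcard "open access" profile described in the case studies.
MT_ROLE = Role("MT display accounting", {"FB03", "ZFI_DOC_LIST"},
               [("F_BKPF_BUK", {"BUKRS": {"MT10"}, "ACTVT": {"03"}})])
OPEN_ROLE = Role("legacy open access", {"FB03"},
                 [("F_BKPF_BUK", {"BUKRS": {WILDCARD}, "ACTVT": {"03"}})])

if __name__ == "__main__":
    for role in (MT_ROLE, OPEN_ROLE):
        print(role.name, separation_gaps(role, {"US10"}))
```

The two reasons map to different remediation paths in the deck: a foreign or wildcard org value is fixed by redesigning the profile, while a missing org-level check needs a code change, a compensating control or removal of the transaction.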

Testing results breakdown analysis

[Chart: already tested transactions, split by whether SAP standard authorization control by org level is available. One panel is titled "Out of the 17 transactions", the other "Out of the 100 transactions".]
Out of the 100 transactions:
  With SAP standard authorization control by org level: 46
  Without SAP standard authorization control by org level: 13
  To be Confirmed: 41

Our experiences

Divestiture or Spin: $17bn multinational electricity and gas utility company separation of a state-owned utility subsidiary to another publicly listed utility company
Complexities:
  Single instance of SAP ECC in North America with 10,000 users. Profiles had open access without limitations by company code
  Separation of data and access was a key part of the carve-out
Sample scope:
  Leveraged standard SAP organizational security settings where possible
  Assisted in extensive testing to identify gaps in standard security and through custom transactions
  Removed transactions that could not be secured properly and were not essential for the business
  Changed coding when transactions were not secure but had high business impact

Divestiture or Spin: Automotive supplier carved-out from a Fortune 100 diversified industrial company
Complexities:
  Single instance of SAP had open access without limitations by organization structures (company codes, profit centers, plants, etc.)
  Very short window to closing the transaction
  Users spread across North America and Europe
Sample scope:
  Assisted client in obtaining NewCo requirements on SAP transactions and reports
  Assisted in designing and testing new profiles for NewCo
  Advised on aligning security setup to Day One operating model

Divestiture or Spin: Consumer packaged goods company underwent a series of divestitures
Complexities:
  Single global instance of SAP ECC. Profiles setup with open access
  Security needed to be locked down in order for logical separation to happen
  Ability for divested entities to view RemainCo financials and conduct purchasing on behalf of RemainCo
Sample scope:
  Advised on aligning security setup to Day One operating model
  Assisted in designing new profiles for NewCos
  Assisted in internal audit reviews
  Assisted in identifying reports that provided RemainCo financials
  Mitigated ability for divested entities to conduct purchasing on behalf of RemainCo

Potential solution options

Over 60% of standard SAP transactions offer org level as authorization criteria

[Chart: breakdown of transactions by solution option. Labels and annotations:]
  Over 60% support standard SAP authorization controls using organization levels
  Basis
  Not used by MT, covered through IT TSA
  Limited access by MT, covered through Business TSA; manual process needed
  Out of scope for this discussion
  May need customized technical solutioning or workarounds

Source: EY project experience and SAP data

Risk impact of security roles vs usage frequency: Examples for discussion

Mapping of roles by risk impact and frequency

[Chart: Frequency, from Low (rating 1) to High (rating 5), plotted against Risk Impact, from Low (rating 1) to High (rating 5)]
Sample role / transactions from AP testing log plotted on the chart:
  Enter Time Sheet
  Display PM Orders
  Change Batch Info.
  Display Material Master
  Change Customer Contact Person
  Process Sales Orders
  Post Entries in General Ledger
  Change Customer Delivery
  Change PM Orders
  Stock Overview
  Display Proc. Contract
  Profit Center Reporting
  Exclude material

Potential approach to address key risks

[Matrix: Risk ranking (Low to High) against Operational importance (Low to High)]
Quadrant labels:
  Retire or find process alternative / compensating control
  Custom solutions or TSA
  Minimal effort needed
  Monitoring

Potential custom solutions
  Design new profiles
  Compensating control
  Technical solutions (User exits, include Auth. Object into code)
  TSA

Solution framework for discussion

Define objectives
  Procedures:
    Define enterprise risks and overall security separation objectives
    Define type of access required by MT and acceptable to AP
  Tools:
    EY Security Assessment Workbench (see appendix)

Evaluate risks and impact
  Procedures:
    Inventory and classify all transactions by risk and impact
    Assess output of IT testing against transaction risk classification and overall objectives
    Align with Day One operating model (role changes, process changes and TSA needs)
  Tools:
    Custom tcode analysis tool (see appendix)
    SAP GRC
    Day One operating model and detailed process and product flows

Identify solutions
  Procedures:
    Options to be evaluated for critical transactions:
    1. Stay the path and absorb risks
    2. Redesign new profiles
    3. Leverage compensating controls
    4. Deploy technical solutions (e.g., user exit)
    5. Additional TSA services or legal means (NDA)
  Tools:
    Task-based role model (see appendix)
    Position-role mapping accelerator database

Implement solutions
  Procedures:
    Leverage existing IT, Internal Audit and Spin PMO procedures to develop, test, train and deploy
    Implement and test compensating controls, including security access to manage audit and ICFR risk
  Tools:
    Spin milestones
    EY Global Audit Methodology

Appendix A: EY Practitioner Bios


MICHAEL PORTER
Partner
Risk Transformation
Phone: +1 317 681 7223
E-mail: michael.porter@ey.com

Professional Experience Summary


Michael Porter is a Partner in the Advisory Services practice of Ernst & Young LLP. Michael has over 23 years of experience which includes providing IT risk, controls and
technology consulting services to large global Fortune 500 companies. His experience includes leading security and control design projects for global SAP
implementations, leading the implementation of SAP GRC v10, as well as leading multiple AICPA SOC reporting engagements, financial auditing, IT auditing (including IT
General Controls), and data analysis. He has served as the Midwest Region Third Party Reporting Practice Leader as well as Indiana's IT Risk and Assurance (ITRA)
Leader. Michael also has extensive experience in addressing business process and IT controls, SAP security role design, system implementation testing, risk assessments
and Sarbanes-Oxley controls and security.

Engagement Experience

Extensive experience in leading internal controls design and implementation of SAP controls and security for large companies including life sciences and global Fortune
100 companies. Primary responsibilities included providing security and internal control expertise with a focus on automating internal controls during business
transformations.

Led the SAP internal controls, GRC and security team for a major US water utility. The implementation included designing automated SAP controls, segregation of
duties controls as well as implementing SAP GRC Access Controls and Process Controls.

Leading team implementing GRC 10.1 at global company integrating Access Controls and Process Controls as well as leading the global design of controls to increase
the percentage of automated controls to help the company lower the total cost of compliance.

Extensive experience in performing service organization reporting engagements (formerly SAS 70s) as well as serving as Engagement Partner and Pre-Issuance
Quality review Partner on multiple SAS 70s covering various industries including utilities, manufacturing and financial services.

Served as the Midwest Region's Third Party Reporting Practice Leader. Responsibilities include leading the largest Third Party Reporting business within E&Y North
America, providing training and quality oversight for engagements and for helping companies determine the appropriate Third Party Reporting solution to meet their
needs. Experience includes SAS 70/SOC 1 reports, AT 101 custom criteria reports and Agreed-Upon Procedures Reports.

Serves as the ITRA Practice Leader for the state of Indiana. Responsibilities include providing quality client service for global companies and other priority accounts,
managing the day to day operations of the E&Y Indiana ITRA practice including sales growth and recruiting as well as providing IT risk management leadership in the
marketplace.

Experience in leading third party reporting classroom training as well as in teaching ERP internal controls classes to large companies and in the Ernst & Young National
Education Center.

Extensive experience performing pre and post implementation reviews for companies implementing ERP systems to identify risks and mitigating ERP controls.
Experience in various ERP packages but specializing in SAP including implementing SAP GRC Access Control and Process Control v10.

Experience in leading the security testing activities for a global SAP implementation. Activities included developing a security testing plan and managing a team to
execute the plan to test the effectiveness of the security design.

BRIAN ZIEGLER
Senior Manager
Risk Transformation SAP Security
Phone: +1 773 726 4729
E-mail: brian.ziegler@ey.com

Professional Experience Summary


Brian Ziegler is a Senior Manager of the Risk Transformation practice of Ernst & Young LLP. Brian is considered by the industry to be a Subject Matter Resource in SAP
Security with fifteen years of SAP experience and a strong knowledge of project management, as well as a firm foundation in operations, access controls, and process
controls.

Project Management

Liaised with two site accounting managers in major automotive manufacturing plants to resolve accounting and month end close processes

Served as project manager for multifunctional SAP support model, helping with HR, SD, FI/CO, ETM, PS and MM resources with responsibility for over $2 million in
annualized billings

Served for three years as on-site functional Sales and Distribution liaison

SAP Security Experience & GRC Access Controls Experience

Assisted client with managed service transaction spin by performing logical separation of security roles, reviewing risk and assisting on appropriateness of transaction
service agreement, non-disclosure agreement and overall security design

Co-led with client HR security role remediation deployment

Provided thought leadership around SAP role design leading practices

Acted as functional lead of two SAP security role redesign projects

Worked on eight full system life cycle implementations

Developed functional design documents, technical design documents, led off-shore and on-shore teams of initial and full life cycle implementations

Developed scalable security models that could be leveraged for cross functional implementations and designed for sustainability

Managed productions support defects and role design changes for large scale (20,000 users) implementation

Strong experience in a variety of functions, including Finance, Supply Chain, Human Resources, and Business Planning and Consolidations

Evaluated sensitive and critical access issues around critical HR activities

Helped with cross-functional issues involving security and functional issues

Evaluated SoD rule sets for false positives and false negatives, tailoring the rule set to appropriately identify and remediate or mitigate appropriate risks

Assisted custom transaction review procedures and added custom transactions to rule sets

Developed training materials for a large community (1000+) of end users in GRC 10.0 User Access Management

EDWARD CAMPBELL
Senior Manager
Risk - Internal Audit
Phone: +1 610 613 8081
E-mail: ed.campbell@ey.com

Professional Experience Summary


Ed Campbell is a Senior Manager in the Advisory Services practice of EY. Ed has over twelve years' experience in helping clients build success and execute against their
goals, while managing risks across their business. Ed has diverse skillsets in risk management across business processes and technologies, as well as, across risk
categories including operational, financial, strategic and compliance risk. Ed has led technology and enterprise wide risk assessments, Cybersecurity program
assessments, and is well versed in the use of data analytics to inform business and risk intelligence. Ed is responsible for overseeing large multi-national internal and
external audit engagements and is experienced on Internal Controls over Financial Reporting (ICFR) requirements. Ed also has extensive experience in project
management methods, Service Organization Control Reporting engagements, IT governance, and data governance.

Engagement experience
For two multi-billion dollar Chemicals/Industrial Products companies Ed led Internal Audit transformation activities by advising on changes to IA vision, people model,
delivery model and IA enabling technologies. He was responsible for developing and defining short term and long term internal audit plans, performing company-wide risk
assessments and special projects. Ed has broad Internal Audit experiences in teaming with Subject Matter Resources to execute diverse risk based reviews including
Sustainability Assurance, Anti-bribery/Anti-Corruption, Data Quality Assessments, IT security assessments, Attack and Penetration, Social Engineering, Cloud Computing,
multi-stage system development lifecycle reviews.
Ed has led and performed Internal and External Audit support during pre/post transaction events for large national and multi-national companies. As part of the external
audit team Ed has led technology and control reviews supporting retro-active financial statement carve-out audits, as well as, data analytics in support of SEC filings. Ed
has also performed in this role, reviews of acquisition company controls for the purposes of ICFR readiness. On multiple Internal Audit clients Ed has performed security,
data, and other system reviews, as well as, business process controls and project governance audits for company spin-offs and separation (future SEC registrant)
transactions.
Ed is a leader in our Financial Audit IT Integration (FAIT) competency. Ed has deep experiences in supporting our External Financial Audit teams' work around technology
risk and our ICFR opinion. Ed has supported the development of our FAIT transformation program and methodology. He is a quality leader supporting our Internal Quality
programs, including our PCAOB inspection process. Ed has also led teams through risk and control identification, process flow documentation, and understanding the flow
of information in business processes as an internal controls specialist (internal project). As part of the financial audit process, Ed has conducted hundreds of reviews of
internal controls for compliance under Section 404 of the Sarbanes-Oxley Act. Federal Government projects also include performing audits using the FISCAM
methodology.
Ed has experience in the planning, execution and implementation of data analytics program, as well as, data governance and data quality assessments. For a fortune 500
global consumer products company, Ed developed a framework for the application of data analytics in the internal audit process. For a utilities company in the water and
wastewater industry, managed a data quality assessment across six key business processes as part of a company-wide Business Transformation.
Performed independent verification and third-party reporting procedures through Service Organization Reporting reviews for a patient Bill Review and Case Management
Service Company, as well as state level Medicaid processors. Responsibilities include evaluating the design of and testing the operational effectiveness of transaction
processing, application specific controls, access (physical and logical) controls, and program change controls.

SONNY ORIGITANO
Senior Manager
Transaction Advisory Services IT spins and divestitures
Phone: +1 312 879 2852
E-mail: sonny.origitano@ey.com

Professional Experience Summary


Sonny is part of the Operational Transaction Services (OTS) practice focused on due diligence, integration and separation from an IT perspective. He has more than 20
years' experience identifying and delivering business value through the effective use of technology. During his career, he has worked with a number of strategic and private
equity clients to conduct strategic information system planning, software selection, business process optimization, program management, application development and
implementation initiatives across several industries. Implementations included e-business, enterprise resource planning (ERP), customer relationship management (CRM),
web portal, custom developed applications, and data warehousing and mining solutions.
Sonny has extensive experience in pre-close and post-close integration and separation strategy and execution including; one-time cost identification; stand-alone financial
and operating models and synergy identification. He has experience in several industries including consumer packaged goods (CPG), manufacturing, distribution, retail,
mining and transportation and logistics. Previously, Sonny served as a Director with KPMG in their Transaction & Restructuring practice focused on identifying financial
and business implications based on the impact of technology as well as integrating and separating companies. He also previously served as Vice President of Advisory
Services focused on aligning information technology with business initiatives and headed up the Program Management Office (PMO) for The Bradford Exchange.
He has been a contributing editor for the Merger & Acquisition Journal for leading practices titled "Don't Overlook IT When Calculating the Value-Creation Potential of a
Deal", a contributor for the Forrester report "A CIO's Guide To Merger And Acquisition Planning" as well as spoken at conferences including the Executive Technology Club
and Midwest Regional Users Group on topics including business and technology alignment as well as IT governance for value creation.

Engagement experience
Led the IT workstream through a $14.2 billion dollar global transaction separating a business unit in the life sciences industry including TSA development and costing and
separation strategy and planning for day 1 operations.
Supported Fortune 200 CPG organization through multiple separations of business units, including strategy and execution in preparation for Day One. Developed one-time cost estimates, TSAs and work plans to support Day One. Worked closely with IT and Internal Audit to identify and resolve security issues during the TSA period on
SAP.
Assisted the Enterprise Shared Service organization consisting of Marketing, Finance, IT and HR in Life Sciences through the separation of their global joint venture
platform. Supported the development of TSAs, the day 1 operating model and transition planning to the buyer.
Supported Fortune 200 Global Resource organization through the divestiture of their Diamond Mine asset including TSA development and separation strategy for day 1
operations. Collaborated with resources globally to identify and implement solutions in support of the transaction.
Assisted Private Equity acquisition of design and retail footwear carveout from Fortune 500 CPG company including development of financial model for one time expense
and run rate operations as a stand alone organization as well as operational issues for TSA consideration.
Assisted Fortune 500 CPG company through the carve-out and separation of a business unit. Led the IT and marketing workstream through cost identification, TSA
development, operational preparation and execution of the pre-Day One projects. Assisted the seller in identifying and recovering more than $3M in TSA and pre-Day One
cost efforts.

Appendix B: EY project experiences

Day 1 ERP highlights from past transactions

Description of SpinCo               Duration      Number of Countries   SpinCo Revenue
Nutritional products                              59                    $3-4B
Professional Wound Care Business    6-9 Months    34                    $1-2B
Performance Chemicals               15 Months     50+                   $5-6B
Animal health business                            70                    $4-5B
Pharmaceutical business             6 Months      100+                  $2B

Other columns: SpinCo Day 1 ERP (Logically Separate; Clone (w/ data); Clone (w/o data); New) and Day 1 Support Model (TSA; SpinCo owned)

Selected companies had relatively minor to moderate systems isolation issues.

Notes

Creation of new entities and logically separated within RemainCo ERP system for Day 1
Provided 18 month TSA for SpinCo to implement new ERP system
Creation of new entities and logically separated within RemainCo ERP system for Day 1
Provided 18 month TSA for SpinCo to implement new ERP system
Copy of RemainCo ERP instance with data cleansing / conversion prior to Day 1
Provided TSA support to SpinCo
Build/Config 9mth, 6mth data migration/test
IT application support primarily outsourced
Multiple ERP platforms globally
Logically separated within SAP ERP platforms; cloned other financial platforms with data conversion prior to Day 1
Mix of logical separation and new ERP implementation
New ERP was implemented pre Day 1 for some regions and others had IT TSA until the implementation was finalized
Two ERP systems with dedicated teams

$17B Utility company with tight regulations divest part of the business

Background

A $17B multinational electricity and gas utility company wanted to carve out a part of the business. EY's intimate knowledge of the client's controls environment and compliance requirements, supplemented by deep relationships, led into further assisting with a state-owned utility separation project. At the beginning of this project another vendor was selected to provide recommendations.
After two months with little progress, the client opted to choose EY instead and gave six months to complete the project.
The state gave the utility company a very short separation timeline.

Approach

Helped the utility design SAP security roles in Finance, Supply Chain, and Human Resources using a logical separation
Assisted in standing up an appropriate level of security to separate financial and employee security data while adhering to contractual terms of the logical separation

Results

Met the State's mandate of standing up a logical separation on the spin date
Secured separation of employee and financial data, protecting confidence in finance, human resources, and supply chain
Provided roles and user profiles for over 2000 users using both SAP and identity management profiles for the new entity until they could be moved to a separate SAP instance

Fortune 100 diversified industrial company carve out a product line

Background

A Fortune 100 diversified industrial company wanted to carve out one of its loss-making product lines. The company had a single instance of SAP with open access without limitations by organization structures (company codes, profit centers, plants, etc.). The deal had the following complexities:
  Very short window for closing the transaction
  Users were spread across North America and Europe
  No prior experience of divestitures in the IT organization

Approach

Proposed logical separation of the NewCo in SAP with the following changes in security / access of NewCo users:
  Identified transactions, reports and roles used by the users in NewCo on a regular basis
  Assisted client teams in designing and testing new profiles for users which limited access to just the NewCo data
  Worked with SSC teams to create a process to run reports or transactions where access could not be modified

Results

Operation separation was completed in nine months (security separation took 4-5 months) with the deal being closed on time
Users did not experience much change in their daily operations as they could use existing reports and transactions
Parent company was able to restrict the access of its data by NewCo users on Day one
New process to run reports and transactions with SSC facilitated in overcoming any issues with the new profiles

Leading consumer goods company carve out a single business unit

Background

The consumer goods company was divesting a business unit running on a single global instance of SAP. The buyer was an Oracle environment with different Oracle configurations supporting their business.
The goal for SAP security on day 1 was to allow the consumer goods company to continue to operate the business as usual, while allowing the divested entity to operate under the TSA. Additionally, the consumer goods company wanted to secure data from access by the divested entity.

Approach

Internal Audit and the PMO partnered to assist in identifying the impact to existing controls as a result of the divestiture across Finance, Information Technology, Human Resources and Purchasing
It was determined that new user IDs were not required for the divested employees as SAP User Groups were leveraged. New security roles were built as needed and roles and reports were modified to remove access to non-divested data

Results

Internal Audit drafted a risk profile with 51 identified risks and confirmed that management had defined mitigating actions for each risk.
As a result, Information Technology created a non-disclosure agreement for the buyer who will have access to certain applications and specifically one role that allows display of invoices across company codes

Appendix C: Tools and enablers

Security Assessment Workbench

The diagnostics tool provides deep role design analytics through interactive dashboards to identify unnecessary SoD risks and the related root cause based on the analysis of roles, user assignments and tcode execution data.

[Dashboard screenshot: Task based roles]

Custom Transaction Code Analyzer

The ABAP Discover Tool analyzes custom transactions for appropriate authorization objects and detects programs with missing security objects

Task Based Role Model

EY's task based role model accelerator is the foundation for a flexible security model by defining security around actions and process steps that users perform within business processes, resulting in a role structure that can be understood by the user community.
This model is designed for rapid deployment using roles that do not have SoD conflicts and can be readily mapped to positions.

Task Catalog   Task                                       Transaction Code   Transaction Description
Purchasing     Create and Change Purchase Orders          ME21               Create Purchase Order
Purchasing     Create and Change Purchase Orders          ME21N              Create Purchase Order
Purchasing     Create and Change Purchase Orders          ME22               Change Purchase Order
Purchasing     Create and Change Purchase Orders          ME22N              Change Purchase Order
Purchasing     Create and Change Purchase Orders          ME24               Maintain Purchase Order Supplement
Purchasing     Create and Change Purchase Requisitions    ME51               Create Purchase Requisition
Purchasing     Create and Change Purchase Requisitions    ME51N              Create Purchase Requisition
Purchasing     Create and Change Purchase Requisitions    ME52               Change Purchase Requisition
Purchasing     Create and Change Purchase Requisitions    ME52N              Change Purchase Requisition
Purchasing     Create/Change Purchase Contracts           ME31               Create Contract
Purchasing     Create/Change Purchase Contracts           ME31K              Create Contract
Purchasing     Create/Change Purchase Contracts           ME32               Change Contract
Purchasing     Create/Change Purchase Contracts           ME32K              Change Contract
Appendix C: Backup pages


Our understanding of modules used by AP and MT

Module used by AP/MT                                                   Most common org security
Finance (FI): mostly GL, some AP and AR, Fixed assets, Treasury        Company code
Controlling (CO)                                                       Controlling area, profit center, plant
Sales and distribution: sales and billing (SD-SLS, SD-BIL)             Sales organization, plant
Sales and distribution/logistics execution: shipping (LE-SHP)          Shipping point
Credit and risk management (SD-BF-CM)                                  Credit control area
Materials management-Purchasing (MM-PUR)                               Purchasing organization
Materials management-Inventory management (MM-IM)                      Plant
Production planning (PP)                                               Plant
Project systems (PS)                                                   Plant
Plant maintenance (PM)                                                 Maintenance plant, planning plant
Quality management (QM)                                                Plant
Human resources (if used for a mini-master)                            Personnel organization
Warehouse management (WM)                                              Warehouse number
