Modern SAP systems, although robust, can be vulnerable to internal threats. A classic example is internal fraud, which organizations remain wary of even today. A survey conducted by KPMG in 2010 shows that a vast majority of the 200 CEOs questioned consider internal fraud one of the most important risks for their organizations. A detailed study by the Association of Certified Fraud Examiners (ACFE) spanning the years 2006-2010 noted an average of 7% annual losses due to internal fraud. In terms of lost revenue: in 2010 alone, the average loss for a single incident amounted to a whopping $1.7 million.
SAP systems handle data storage and operations such as procurement, stock resource management, human resources management, financial reporting, and more, along with related data mining. Local or external attackers are intent on manipulating these SAP systems. The acquired data can eventually be used to manipulate the resources of any business or organization, through actions like:
- Changing financial transaction limitations;
- Manipulating payment details with subsequent fraudulent details;
- Temporarily masking bank details of vendors or contractors (mask information for a period of time);
- Modifying transaction information that facilitates payment procedures;
- Manipulating goods in stock;
- Signoff or substitution of actual data;
- Manipulating human resources;
- Modifying payroll data, creating ghost employees, etc.
These manipulations are possible especially if SAP systems lack multi-level functional security control.