
Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2016 Wellesley Information Services. All rights reserved.

Creating an Integrated Master Data Governance and GRC Roadmap

Jay Gohil, Protiviti

In This Session

• Learn how to plan for and integrate master data governance and GRC initiatives
• Understand and identify ownership of data and alignment with risk owners
• Examine how to use SAP GRC to establish and manage governance around your master data
• Implement controls around key master data elements to ensure compliance with data governance policies
• Determine how to use Access Control rule sets to identify risks across systems, how to provision and approve appropriate access, how to use Process Control CCMs to identify key master data element changes, and how to use Access Violation Management (AVM) to identify and quantify SoD risks

What We’ll Cover

• Comprehending the Basics of Master Data Management
• Taking a Look at the Key Data Elements
• Understanding Ownership of Data and Risk
• Governing Process and Data
• Integrating and Managing Data Standards and Compliance Together
• Examples of How Master Data Governance Affects Your GRC Landscape and How Organizations Can Plan and Integrate GRC to Manage Risks
• Wrap-Up

MDM – An Overview

Think of master data management (MDM) as the home of accurate data concerning everything that is vital to the company.

According to Gartner:
• Master Data Management (MDM) is a technology-enabled discipline in which business and IT work together to ensure the uniformity, accuracy, stewardship, semantic consistency, and accountability of the enterprise’s official shared master data assets
• Master data is the consistent and uniform set of identifiers and extended attributes that describes the core entities of the enterprise, including customers, prospects, citizens, suppliers, sites, hierarchies, and chart of accounts

Source: Gartner Glossary, Master Data Management (MDM) www.gartner.com/it-glossary/master-data-management-mdm

MDM – An Overview (cont.)

Virtually all organizations can benefit from effective master data management, but the magnitude of value varies widely. As illustrated in the Figure, two factors are particularly important when quantifying MDM’s value: the number of types of data and the range of uses for the data.

[Figure: Key Influencers of Master Data Management Value; axes: Volume of Entities and Range of Uses for Entities]

Volume of Entities: The organization’s primary data entities generally are customers, products, employees, and suppliers. As the volume of data in any or all of these grows, the importance and complexity of managing the data increases.

Range of Uses: The more systems, functions, and business units that use customer, product, employee, and supplier data, the more value an MDM solution can have.

Need for Master Data Management

Because it is used by multiple applications, an error in master data can cause errors in all the applications that use it. For example, an incorrect address in the customer master might mean orders, bills, and marketing literature are all sent to the wrong address. Similarly, an incorrect price on an item master can be a marketing disaster.

Master Data Mismanagement Example

A credit-card customer moves from 2847 North 9th St. to 1001 11th St. North.

The customer changed his billing address immediately, but did not receive a bill for several months. One day, the customer received a threatening phone call from the credit-card billing department, asking why the bill has not been paid. The customer verifies that they have the new address, and the billing department verifies that the address on file is 1001 11th St. N. The customer asks for a copy of the bill, to settle the account.

After two more weeks without a bill, the customer calls back and finds the account has been turned over to a collection agency. This time, they find out that even though the address in the file was 1001 11th St. N, the billing address is 101 11th St. N.

After a bunch of phone calls and letters between lawyers, the bill finally gets resolved and the credit-card company has lost a customer for life.

In this case, the master copy of the data was accurate, but another copy of it was flawed. Master data must be both correct and consistent.

Source: Microsoft

Need for Master Data Management (cont.)

Data Fragmentation
• Problem: Master data is fragmented across multiple systems vertically and horizontally.
• MDM: Bring together data from multiple systems and build whole records and data sets using match and merge.

Data Duplication
• Problem: Same master data attributes exist in multiple systems, leading to data divergence (DOB: System A = 6/1/80, System B = 1/6/80).
• MDM: Pick “best” value, based on trust scores.

Data Quality
• Problem: As with all data, master data quality deteriorates over time.
• MDM: Pre-cleanse and standardize data (e.g., gender).

Single Source of Truth
• Problem: Multiple systems have “slices of truth” with inconsistent data quality and standardization.
• MDM: Bring together and present a “single source of truth” for consumption by users and systems.

Bridging the Gap
• Problem: “Vertical” systems don’t bridge well across Members, Providers, Products, Customers, Employees, etc.
• MDM: Provide visibility across multiple data domains (e.g., providers that are also members).

Source(s): Insideanalysis

Key Trends in Master Data Management

Gartner has identified some new trends in the master data management market which are generating increasing interest within the MDM market and are expected to have a significant impact on it over the next few years.

Growing Demand for MDM Software
• It is estimated that 66% of Fortune 1000 organizations have deployed two or more MDM solutions to support their enterprise MDM strategies.
• A number of MDM software vendors market their products as supporting multi-domain MDM capabilities.
• When evaluating software products to meet multi-domain MDM needs, organizations should evaluate each relevant master data domain and validate that the vendor can satisfy the requirements.

Increasing Links Between MDM and Social Networks
• Last year, 15% of organizations added social media data about their customers to the customer master data attributes they manage.
• Social media analytics will provide insight and trends into what the market thinks about a company’s products and services.
• Social network data will integrate with customer data, creating a business need for the MDM systems to provide additional integration capabilities.

Rising Adoption of MDM in the Cloud
• Last year, 10% of packaged MDM implementations were delivered as SaaS in the public cloud.
• On-premise MDM solutions are increasingly being integrated with SaaS applications.
• There are various cloud-sourced data services which provide data quality or data integration as a service and provide valuable support during MDM implementations.
• Few MDM vendors have developed specific cloud-based MDM products that are scalable, elastic, and multitenant.


Master Data Management – Lifecycle

The following table illustrates the differing CRUD cycles for four common master-data subject areas (Customer, Product, Asset, Employee).

Create
• Customer: Customer visit, such as to website or facility; account created
• Product: Product purchased or manufactured; SCM involvement
• Asset: Unit acquired by opening a PO; approval process necessary
• Employee: HR hires, numerous forms, orientation, benefits selection, asset allocations, office assignments

Read
• Customer: Contextualized views based on credentials of viewer
• Product: Periodic inventory catalogues
• Asset: Periodic reporting purposes, figuring depreciation, verification
• Employee: Office access, reviews, insurance claims, immigration

Update
• Customer: Address, discounts, phone number, preferences, credit accounts
• Product: Packaging changes, raw materials changes
• Asset: Transfers, maintenance, accident reports
• Employee: Immigration status, marriage status, level increase, raises, transfers

Destroy
• Customer: Death, bankruptcy, liquidation, do-not-call
• Product: Canceled, replaced, no longer available
• Asset: Obsolete, sold, destroyed, stolen, scrapped
• Employee: Termination, death

Search
• Customer: CRM system, call-center system, contact-management system
• Product: ERP system, orders-processing system
• Asset: GL tracking, asset DB management
• Employee: HR LOB system

Source: Microsoft


Building Blocks of MDM

The MDM Framework is a set of MDM best practices that are organized into seven building blocks of MDM. These building blocks provide high-level focus areas for planning the various stages of an MDM program.

MDM Framework:
• Vision
• Strategy
• Metrics
• Organization Rules
• Information Governance
• Enabling Infrastructure
• Information Lifecycle

Ownership

Risk Owners, Process Owners, Role Owners … Data Stewards, Data Owners?!

How will you create and maintain an MDM governance organization that includes executive sponsorship, policymaking, decision arbitration, and daily operational administration? How will the governance structure enforce its will?

Appoint data stewards in key areas of the business who will be accountable for the production, definition, security, and integrity of master data assets.

Identification of data stewards aligns well with the concept of role ownership within GRC. Naturally, data stewards will be responsible for approving the roles that allow users to create, read, update, and display the data.

Defining Data Owners and Data Stewards

Data Owners

The Data Owners are the decision makers for establishing data quality requirements. Responsibilities include:
• Owning the implementation and ongoing management of data quality improvements
• Establishing data quality requirements (timeliness, accuracy, completeness, accessibility)
• Determining and approving access and re-use of data
• Establishing the backup/recovery/archiving requirements
• Understanding legal/compliance/regulatory issues impacting data
• Setting priorities and sponsoring projects for all work related to the maintenance and processing of the data
• Approving all governance matters impacting the processing of data

Data Stewards

The Data Stewards manage the process to maintain the data for the owner. Responsibilities include:
• Assisting with issue tracking, escalation, and resolution
• Documenting data definitions (Business Glossary)
• Proposing changes and/or improvements to the Data Owner to improve efficiency or resolve issues
• Acting as proxy for the Data Owner on projects, initiatives, and operational functions


People, Process, and Technology

People
• Understand current roles and responsibilities of key stakeholders and how they will change or expand
• Data stewards and data owners may be the same as role owners or risk owners

Process
• MDM initiatives will require changes to IT governance processes
• Propagate those changes into access management/IT governance processes
• Changes to controls (e.g., security, configuration, approvals)

Technology
• Plan for the necessary technical prerequisites
• Alignment of MDM lifecycle with the right tools
• Leverage existing investments or use MDM to implement new functionality

MDM Lifecycle and GRC Integration Points

Alignment of GRC technologies with the MDM lifecycle can be done early.

[Figure: MDM lifecycle stages Search, Create, Read, Update, and Destroy, with the GRC integration points below attached to the relevant stages]

• AC – Access Provisioning
• AC – Risk Analysis – Sensitive Access
• AVM – SoD Quantification of Exceptions
• Process Control CCM – Master Data Changes


Master Data Management Roadmap

A disciplined, effective approach to MDM is typically made up of the following phases: Phase I – Scope and Analyze; Phase II – Recommend and Design; Phase III – Implement; Phase IV – Sustain.

1. Identify Sources of Master Data
2. Identify Data Producers and Consumers
3. Collect and Analyze Meta Data
4. Appoint Data Stewards
5. Create Steering Committee
6. Develop the Master Data Model
7. Choose and Implement a toolset
8. Design the Infrastructure and Test
9. Modify Systems
10. Implement Maintenance Process

Once the source of data has been determined, the producers and consumers have been identified and analyzed, and the appropriate data governance structure has been put in place, the project will move into the modeling and implementation phases, which are described below.

GRC Roadmap – Phased Approach

Align your SAP Access Control roadmap with your data governance roadmap by phase and functionality.

[Figure: Phases and Functionality of GRC, arranged across Quick Wins/Short Term (Phase 1), Enhanced Functionality (Phase 2), and Visionary/Long Term (Phase 3). Functionality shown: Business Role Management; Rule Set Optimization and Reporting; Security Change Management; Super User Management; Emergency Access Management; Access Risk Analysis; SoD; Access Request Management; Automated Provisioning; Automated Controls; Process Control Integration; User Access Review; Automated Reporting; Automated Alerts; CCM; Policy Management. Consider SAP Security Optimization/Remediation Activities.]

• GRC is a journey and constantly evolving
• Allow for flexibility to integrate with other systems
• Plan for adjustments in configuration and functionality
• Use other initiatives to kick start GRC improvements or enhancements


Technical Considerations – Planning for Technical Integration

In one example, the GRC plug-in was included as part of the server build.

For SAP systems (in our example it was SAP MDG), GRC plug-in installation is required:
• Plug-in name: GRCPINW
♦ The plug-in component will be specific to the SAP NetWeaver® version
• Note: Support pack should match GRC system support pack!

For Non-SAP systems:
• Integrate GRC with Greenlight connectors
• Understand feasibility using Greenlight connectors

Cross-System Analysis – The Functions and Risks

SAP recommends that functions are set up using physical systems/connectors and not logical systems.

1. Create a Risk in the GRC front end which contains a conflict between the function groups from the two different systems
2. Load the transactions into function groups by physical system
3. Create the risk as an SoD conflict between the two function groups
4. Generate Rules and Validate Rules via the Access Rule Details screen
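The cross-system rule generation above, as an added Python illustration that is not code from the deck or from SAP GRC: functions are keyed by physical system, the Appendix A risks P008 and P023 are expanded into rules over every system pair, and constructed sample user access (the MDG transaction code and the system names are placeholders) is checked against them.

```python
from collections import defaultdict
from itertools import product

# Function groups keyed by (function id, physical system): the same business
# function on two connectors is two distinct functions. ECC transaction codes
# are standard ones; the MDG one is a constructed placeholder.
FUNCTIONS = {
    ("PR01", "MDG_PRD"): {"MDG_SUPPLIER_MAINT"},    # vendor master maintenance via MDG (placeholder)
    ("PR01", "ECC_PRD"): {"XK01", "XK02", "FK02"},  # vendor master maintenance directly in ECC
    ("PR02", "ECC_PRD"): {"ME21N", "ME22N"},        # maintain purchase order
    ("PR04", "ECC_PRD"): {"ME29N"},                 # PO approval (release)
}

# Risk ids, function pairs and levels taken from Appendix A of the deck.
RISKS = {
    "P008": ("PR01", "PR02", "High"),
    "P023": ("PR01", "PR04", "High"),
}


def generate_rules(functions, risks):
    """Expand each risk into one rule per pair of physical systems on which
    its two functions exist (the 'Generate Rules' step of the slide)."""
    systems_for = defaultdict(list)
    for fid, system in functions:
        systems_for[fid].append(system)
    rules = []
    for risk_id, (f1, f2, level) in risks.items():
        for s1, s2 in product(sorted(systems_for[f1]), sorted(systems_for[f2])):
            rules.append((risk_id, (f1, s1), (f2, s2), level))
    return rules


def functions_held(user_access, functions):
    """user_access: {user: {physical system: {tcodes}}}. A user holds a
    function on a system when they can run any of its transactions there."""
    held = defaultdict(set)
    for user, systems in user_access.items():
        for system, tcodes in systems.items():
            for (fid, fsys), ftcodes in functions.items():
                if fsys == system and tcodes & ftcodes:
                    held[user].add((fid, fsys))
    return held


def analyze(user_access, functions=FUNCTIONS, risks=RISKS):
    """Return sorted (user, risk id, function@system, function@system, level)
    tuples for every rule a user violates across the landscape."""
    rules = generate_rules(functions, risks)
    held = functions_held(user_access, functions)
    hits = []
    for user, funcs in held.items():
        for risk_id, fa, fb, level in rules:
            if fa in funcs and fb in funcs:
                hits.append((user, risk_id, "@".join(fa), "@".join(fb), level))
    return sorted(hits)


# Constructed sample: VENDOR_ADMIN lost ECC vendor maintenance when MDG went
# live but keeps it in MDG and can still create POs in ECC. A rule set that
# looks at each system on its own would not see the P008 conflict.
SAMPLE_ACCESS = {
    "VENDOR_ADMIN": {"MDG_PRD": {"MDG_SUPPLIER_MAINT"}, "ECC_PRD": {"ME21N"}},
    "BUYER":        {"ECC_PRD": {"ME21N", "ME29N"}},
    "MDG_STEWARD":  {"MDG_PRD": {"MDG_SUPPLIER_MAINT"}},
}

if __name__ == "__main__":
    for hit in analyze(SAMPLE_ACCESS):
        print(hit)
```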

SoD Risk Questions and Discussions

Who should be involved in risk discussions?
• Business Process Owners
• Data Stewards
• Functional Team
• Governance Team
• IT Compliance
• Audit
• Security Team

How does master data management affect my SoD risks?
• Review master data-related risks and evaluate creation of new risks
• Understand complexities of new risks and function groups and how to build function groups with sensitive actions and permissions
• Vendor maintenance has been part of SoDs, but is vendor maintenance a new sensitive access risk?

A list of SoD risks related to master data can be found in Appendix A.

Should I disable the existing risks related to master data management?
• Not unless you can restrict the ability for users to manage master data via configuration-based controls. If you’re still relying on security to control maintenance to master data, then you still need to monitor for the risks.

Security Changes and Architecture Considerations

Evaluate current standing access to maintain master data (e.g., vendors, customers, materials, etc.) within ECC.

Consider restricting access to master data maintenance in ECC and leverage the master data management tool going forward.
• Remember: Review master data maintenance access in Firefighter IDs also!

Assign the needed access in the master data management tool (e.g., MDG).

Effects on the Provisioning Process – Role Maintenance

Use the Critical Level or Sensitivity fields to classify roles. Leverage role attributes within Role Maintenance to classify roles further.

Additional values can be configured for Critical Level and Sensitivity from the back end:
• Navigate to Access Control → Role Management → Specify Critical Level
• Navigate to Access Control → Role Management → Define Role Sensitivity

Roles can be updated under Role Management → Role Maintenance.

Effects on the Provisioning – Workflow Changes

Restrict access to request master data roles or utilize workflow to obtain additional approvals for master data access.

Consider creating a separate path in MSMP setup which routes based on the additional role attributes.

Navigate to Access Control → Workflow for Access Control → Maintain MSMP Workflows.

Effects on the Provisioning – Workflow Changes (cont.)

• Update the BRF+ Initiator Rule to check for the role attributes (e.g., critical level, sensitivity, etc.) and route to a specific path for approvals
• Within the Table Settings, you can add additional columns or Condition Items
• Insert the fields (Condition Items) into your decision table
• Attributes from role maintenance can be added here to route to specific MSMP paths

Effects on the Provisioning – Role Restrictions

Additionally, you can prevent a role from being available for provisioning: set the Provisioning Allowed value = No. Roles can be restricted under Role Maintenance → Additional Details → Provisioning.
• As an example, if you’re using another tool for vendor master maintenance, then you would want to restrict users (and approvers) from selecting and requesting master data maintenance roles in ECC
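An added Python illustration (not SAP's BRF+ or MSMP code) of the initiator decision table described on the workflow slides and of the Provisioning Allowed restriction on this slide: it shows the table before and after a Sensitivity condition item is added, with assumed attribute values, path names and role names.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleLine:
    """One role line item on an access request, carrying the role attributes
    maintained in Role Maintenance. Attribute values are assumed."""
    role: str
    critical_level: str               # Critical Level attribute, e.g. HIGH / MEDIUM / LOW
    sensitivity: str                  # Sensitivity attribute, e.g. MASTER_DATA / STANDARD
    system: str
    provisioning_allowed: bool = True  # Role Maintenance > Additional Details > Provisioning


# A decision-table row: three condition items (None = any value) and the
# resulting MSMP path. Rows are checked top to bottom; first match wins.
# Path names are assumed placeholders, not SAP-delivered ids.

# Before: routes on critical level only, so a master data role that is merely
# MEDIUM critical goes down the manager-only path.
TABLE_BEFORE = [
    ("HIGH", None, None, "PATH_RISK_OWNER"),
    (None,   None, None, "PATH_MANAGER_ONLY"),
]

# After: the Sensitivity condition item is inserted, and any MASTER_DATA role
# is routed to a data steward approval path before anything else is checked.
TABLE_AFTER = [
    (None,   "MASTER_DATA", None, "PATH_DATA_STEWARD"),
    ("HIGH", None,          None, "PATH_RISK_OWNER"),
    (None,   None,          None, "PATH_MANAGER_ONLY"),
]


def _matches(line, row):
    actual = (line.critical_level, line.sensitivity, line.system)
    return all(cond is None or cond == value for cond, value in zip(row[:3], actual))


def route_line(line, table):
    """Return the MSMP path for one line item, like a single-hit decision table."""
    for row in table:
        if _matches(line, row):
            return row[3]
    raise ValueError(f"no row matched {line.role}; the table needs a catch-all row")


def route_request(lines, table):
    """Split a request's line items by path and reject roles that are not
    provisionable, so requesters and approvers never see them.
    Returns ({path: [roles]}, [rejected roles])."""
    by_path, rejected = defaultdict(list), []
    for line in lines:
        if not line.provisioning_allowed:
            rejected.append(line.role)
            continue
        by_path[route_line(line, table)].append(line.role)
    return dict(by_path), rejected


# Constructed sample request (role names are made up).
SAMPLE_REQUEST = [
    RoleLine("Z_ECC_VENDOR_MASTER_MAINT", "MEDIUM", "MASTER_DATA", "ECC_PRD"),
    RoleLine("Z_ECC_DISPLAY_REPORTS", "LOW", "STANDARD", "ECC_PRD"),
    RoleLine("Z_ECC_PAYMENT_RUN", "HIGH", "STANDARD", "ECC_PRD"),
    RoleLine("Z_ECC_VENDOR_MASTER_LEGACY", "MEDIUM", "MASTER_DATA", "ECC_PRD",
             provisioning_allowed=False),   # Provisioning Allowed = No
]

if __name__ == "__main__":
    for name, table in (("before", TABLE_BEFORE), ("after", TABLE_AFTER)):
        print(name, route_request(SAMPLE_REQUEST, table))
```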

Monitoring and Extending SoD Quantification with Greenlight Access Violation Management

Greenlight and SAP offer a solution to help quantify the financial impact of SoDs.

The Access Violation Management application monitors SAP and non-SAP systems to identify when a user actually processes an SoD within the system. Exceptions are identified and alerted, and mitigation plans can be documented.

Ensure monitoring capabilities are updated to account for a change in the process and technologies.

Automated Monitoring with Process Controls

“Rule Engine” – Valuable to business users required to perform or test controls, whether for compliance or monitoring business performance

Scenario → PC Functionality (via the Rule Engine):
• Monthly report on vendor changes (Master Data) → Exception report and receive alerts when fields are changed
• Monthly report on manual JE (Transactional Data) → Report of manual JEs over a certain amount
• Confirmation that PRD environment is locked down (Configuration Data) → Configuration change report and receive alerts if configuration changes

Automated Monitoring with Process Controls (cont.)

Monitor the vendor change report and generate an exception alert any time a vendor is updated within ECC and the change did not come from the master data management tool.
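An added Python illustration of that exception check, not code from the deck or from SAP Process Control: constructed vendor change-document lines are tested against the (user, transaction) pair the MDG replication is assumed to run under, and the month's exceptions are rated by whether a payment-relevant field changed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class VendorChange:
    """One vendor master change-document line (modelled loosely on SAP change
    documents for object class KRED). User and transaction names are assumed."""
    vendor: str
    field: str          # changed field name, e.g. BANKN (bank account number)
    changed_by: str
    tcode: str
    changed_on: date


# Only the MDG replication interface may write vendor data into ECC. Its
# technical user and the transaction it is booked under are constructed
# placeholders for whatever the landscape actually uses.
ALLOWED_ORIGINS = {("MDG_RFC_USER", "MDG_REPLICATION")}

# Fields that change who gets paid, where, or on what terms; exceptions on
# these are rated High, everything else Medium.
PAYMENT_RELEVANT_FIELDS = {"BANKN", "BANKL", "ZTERM", "LNRZA", "STRAS"}


def is_exception(change, allowed=ALLOWED_ORIGINS):
    """Exception when the (user, transaction) pair is not the MDG interface:
    this catches direct XK02/FK02 edits and also the technical user being
    driven interactively through a dialog transaction."""
    return (change.changed_by, change.tcode) not in allowed


def rate(change):
    return "High" if change.field in PAYMENT_RELEVANT_FIELDS else "Medium"


def monthly_exceptions(changes, year, month, allowed=ALLOWED_ORIGINS):
    """Exception records for one month, High first, then by date and vendor,
    as the monthly vendor change report would list them."""
    found = [c for c in changes
             if (c.changed_on.year, c.changed_on.month) == (year, month)
             and is_exception(c, allowed)]
    return sorted(found, key=lambda c: (rate(c) != "High", c.changed_on, c.vendor))


# Constructed sample change-document lines.
SAMPLE_CHANGES = [
    VendorChange("V100001", "BANKN", "MDG_RFC_USER", "MDG_REPLICATION", date(2016, 3, 3)),  # replicated: fine
    VendorChange("V100002", "BANKN", "JSMITH", "XK02", date(2016, 3, 10)),                  # direct bank change
    VendorChange("V100003", "TELF1", "JSMITH", "XK02", date(2016, 3, 12)),                  # direct phone change
    VendorChange("V100004", "ZTERM", "FF_ID01", "FK02", date(2016, 2, 28)),                 # via a firefighter ID
    VendorChange("V100005", "STRAS", "MDG_RFC_USER", "XK02", date(2016, 3, 15)),            # technical user misused
]

if __name__ == "__main__":
    for c in monthly_exceptions(SAMPLE_CHANGES, 2016, 3):
        print(rate(c), c.vendor, c.field, c.changed_by, c.tcode, c.changed_on)
```

The firefighter line in February shows why the slide on security changes asks for Firefighter ID access to be reviewed too: it is an exception like any other.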

Example PC Monitoring Controls – P2P and OTC

Business Process – Control Description (each control is classified on the slide as Master Data, Config, or Transactional):
• P2P – P2P duplicate invoice parameter changes
• P2P – Identify vendors that allow alternative payments to be processed
• P2P – Review of payments processed to alternative payees
• P2P – Review changes to alternative payee settings
• P2P – Identify vendors created without name or address details
• O2C – Review changes to credit limits allocated to new customers
• OTC – An exception will be flagged where sales orders have been released from credit limit checking where the amount is greater than a configured amount, where the sales order has been released by a non-authorized user, or where the customer has had a previous bad debt
• OTC – Review customers without an allocated credit limit
• OTC – High one-time customer sales items

Example PC Monitoring Controls – GL, Assets, Inventory, Payroll

Business Process – Control Description (each control is classified on the slide as Master Data, Config, or Transactional):
• GL – Configure negative postings by company code
• GL – High-value direct entry invoices
• GL – Manual Journal Entries – A manual journal processed above a trigger/threshold dollar amount; a journal processed by a user who is not defined on an approved user listing; or a journal entry processed to an unusual account, such as a reconciliation account
• Assets – Review changes to planned useful life values allocated to asset class records
• Assets – Asset Useful Life Analysis – Useful life is defaulted from the asset class when an asset record is created. Identify inappropriate depreciation postings by identifying exceptions between the default useful life on the asset class and the useful life on each posted asset.
• IT Controls – Restrict ability to change configuration items in the production environment
• IT Controls – Identify changes to security audit logging settings
• Inventory – All delivery document types should reference a sales order to ensure deliveries are not processed without an approved sales order
• Inventory – Inventory clearing tolerances
• Payroll – Employees with same bank account record as vendors


Where to Find More Information

• “High Value Roadmap Planning for SAP Access Control Solutions” (Protiviti, November 2013). http://portal.on24.com/view/channel/index.html?showId=783829&showCode=ProtivitiCHNL&contentId=789736 *
• Aric Quinones, “How to Quantify and Mitigate the Financial Impact of Your ‘Potential’ Segregation of Duties Violations” (GRC 2016 Las Vegas).
• SAP Note 1696581 – Cross System SOD Analysis in AC 10.0. http://service.sap.com/sap/support/notes/1696581 **
• SAP Note 1178372 – Risk Analysis and Remediation – Cross and Logical systems. http://service.sap.com/sap/support/notes/1178372 **
• Luis Bustamante, “AC 10.0 Customizing Workflows for Access Management” (SCN, June 2011). http://scn.sap.com/docs/DOC-1566

* Requires login credentials
** Requires login credentials to the SAP Service Marketplace

Where to Find More Information (cont.)

• Master Data Management
♦ Gartner, “IT Glossary: Master Data Management”. www.gartner.com/it-glossary/master-data-management-mdm
♦ William McKnight, “Exploring All MDM Value Propositions” (Inside Analysis, September 2011). http://insideanalysis.com/2011/09/mdm/
♦ Roger Wolter and Kirk Haselden, “The What, Why, and How of Master Data Management” (Microsoft, November 2006). http://msdn.microsoft.com/en-us/library/bb190163.aspx

7 Key Points to Take Home

• Master data governance projects are transformational and GRC is a small component of these efforts that should not be forgotten
• Data governance initiatives create a transformation around existing IT governance processes and should be planned for
• Identification of ownership is critical for both data governance and GRC initiatives
• Evaluate your rule set to identify any new system-based access risks that arise from the introduction of a new tool
• Adjust the provisioning process to account for new tools, new owners, and new approval paths as outlined in the data governance policies
• Use existing investments in Access Control and Process Control to implement monitoring controls around key master data elements to ensure compliance with data governance policies
• Consider the technical prerequisites and the necessary configuration changes that need to happen to support data governance

Your Turn!

How to contact me:
Jay Gohil
Email: [email protected]

Please remember to complete your session evaluation

Disclaimer

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.

What We’ll Cover

• Comprehending the Basics of Master Data Management
• Taking a Look at the Key Data Elements
• Understanding Ownership of Data and Risk
• Governing Process and Data
• Integrating and Managing Data Standards and Compliance Together
• Examples of How Master Data Governance Affects Your GRC Landscape and How Organizations Can Plan and Integrate GRC to Manage Risks
• Wrap-Up
• Appendix A: Master Data-Related SoD Risks

Appendix A: Master Data-Related SoD Risks

Each entry lists: Business Process, Risk ID, Function 1 Description, Function 2 Description, Risk Description, Risk Detail, and Risk Level.

Order to Cash – S003 (Risk Level: High)
• Function 1: SD01 - Maintain Customer Master Data
• Function 2: SD05 - Sales Order Processing
• Risk Description: Maintain fictitious customer and initiate orders
• Risk Detail: A user could potentially create a sales order against the fictitious account. The goods will then be delivered to the user and be misappropriated. The user could also create a fictitious customer and create sales orders for the customer without authorization. This may result in excess goods being shipped or large amounts of unpaid debt against the fictitious customer.

Order to Cash – S005 (Risk Level: High)
• Function 1: SD01 - Maintain Customer Master Data
• Function 2: SD03 - Sales Rebates
• Risk Description: Change rebate agreement and change master record in the customer’s favor
• Risk Detail: Create a fictitious customer and modify rebates to enable the customer to obtain favorable pricing conditions. This can result in misappropriation of sold goods or the obtainment of goods at a lower than expected price.

Procure to Pay – P008 (Risk Level: High)
• Function 1: PR01 - Vendor Master Maintenance
• Function 2: PR02 - Maintain Purchase Order
• Risk Description: Maintain a fictitious vendor and initiate purchase to vendor
• Risk Detail: Users can create a fictitious purchase order and then manipulate the vendor bank or address details to ensure they are paid a fraudulent amount. A user may be able to create a fictitious/unauthorized purchase order for a fictitious/unauthorized vendor in order to conceal the payment or to provide business to a preferred unauthorized vendor.

Appendix A: Master Data-Related SoD Risks (cont.)

Procure to Pay – P013 (Risk Level: Medium)
• Function 1: MM06 - Maintain Material Master Data
• Function 2: PR02 - Maintain Purchase Order
• Risk Description: Create PO to contain an invalid material
• Risk Detail: User may create or change inventory stock details and create purchase orders based on incorrect information. This may lead to an incorrect recording of liabilities.

Procure to Pay – P018 (Risk Level: Medium)
• Function 1: MM06 - Maintain Material Master Data
• Function 2: PR05 - Purchasing Agreements
• Risk Description: Maintain material master and add items to purchase agreements
• Risk Detail: Add an attractive item to inventory not typically purchased and then process a purchase agreement for the item.

Procure to Pay – P023 (Risk Level: High)
• Function 1: PR01 - Vendor Master Maintenance
• Function 2: PR04 - PO Approval
• Risk Description: Maintain fictitious vendor and approve purchases to vendor
• Risk Detail: Approve a purchase order and alter a vendor bank account, thus processing a fraudulent payment.

Appendix A: Master Data-Related SoD Risks (cont.)

Procure to Pay – P024 (Risk Level: Medium)
• Function 1: MM06 - Maintain Material Master Data
• Function 2: PR04 - PO Approval
• Risk Description: Approve PO that contains an invalid material
• Risk Detail: Hide a fraudulent purchase or order an attractive item not typically purchased through manipulation of the material master.

Procure to Pay – P027 (Risk Level: High)
• Function 1: PR01 - Vendor Master Maintenance
• Function 2: PR05 - Purchasing Agreements
• Risk Description: Enter purchasing agreements and create/modify fictitious vendor
• Risk Detail: A user with the ability to create a ghost vendor or manipulate vendor details could process an unauthorized purchasing agreement resulting in the purchase of unauthorized items.

Procure to Pay – P036 (Risk Level: Medium)
• Function 1: MM06 - Maintain Material Master Data
• Function 2: PR07 - Requisitioning
• Risk Description: Modify material master data and create/change a material requisition
• Risk Detail: Ability to add an item that is not normally purchased by the organization and then release a requisition for the purchase of the item.

Appendix A: Master Data-Related SoD Risks (cont.)

Order to Cash – S004 (Risk Level: High)
• Function 1: AR07 - Process Customer Invoices
• Function 2: SD01 - Maintain Customer Master Data
• Risk Description: Change customer master and enter inappropriate invoice
• Risk Detail: A user could potentially create a fictitious customer account and subsequently process an invoice against the fictitious account. This could be used, for example, to manipulate outstanding receivable figures or to misappropriate cash received.

Order to Cash – S011 (Risk Level: High)
• Function 1: AR01 - AR Payments
• Function 2: SD01 - Maintain Customer Master Data
• Risk Description: Maintain a fictitious customer and initiate a payment
• Risk Detail: A user could alter a customer invoice amount and then manipulate and misappropriate subsequent cash receipts.

Order to Cash – S019 (Risk Level: High)
• Function 1: AR02 - Cash Application
• Function 2: SD01 - Maintain Customer Master Data
• Risk Description: Change the customer master file and modify cash received
• Risk Detail: A user has the ability to misappropriate cash receipts through a variety of mechanisms, including altering terms of payment on the customer’s account.

Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026 Copyright © 2016 Wellesley Information Services. All rights reserved.