TRANSCRIPT
Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2016 Wellesley Information Services. All rights reserved.
Creating an Integrated Master Data Governance and GRC Roadmap
Jay Gohil Protiviti
1
In This Session
• Learn how to plan for and integrate master data governance and GRC initiatives
• Understand and identify ownership of data and alignment with risk owners
• Examine how to use SAP GRC to establish and manage governance around your
master data
• Implement controls around key master data elements to ensure compliance with data
governance policies
• Determine how to use Access Control rule sets to identify risks across systems, how to
provision and approve appropriate access, how to use Process Control CCMs to identify
key master data element changes, and how to use Access Violation Management (AVM)
to identify and quantify SoD risks
2
What We’ll Cover
• Comprehending the Basics of Master Data Management
• Taking a Look at the Key Data Elements
• Understanding Ownership of Data and Risk
• Governing Process and Data
• Integrating and Managing Data Standards and Compliance Together
• Examples of How Master Data Governance Affects Your GRC Landscape and How
Organizations Can Plan and Integrate GRC to Manage Risks
• Wrap-Up
3
MDM – An Overview
Think of master data management (MDM) as the home of accurate data concerning everything that is vital to the company.
According to Gartner
• Master Data Management (MDM) is a technology-enabled discipline in
which business and IT work together to ensure the uniformity, accuracy,
stewardship, semantic consistency, and accountability of the enterprise’s
official shared master data assets
• Master data is the consistent and uniform set of identifiers and extended
attributes that describes the core entities of the enterprise, including
customers, prospects, citizens, suppliers, sites, hierarchies, and chart of
accounts
Source: Gartner Glossary, Master Data Management (MDM) www.gartner.com/it-glossary/master-data-management-mdm
4
MDM – An Overview (cont.)
Virtually all organizations can benefit from effective master data management, but the magnitude of value varies
widely. As illustrated in the Figure, two factors are particularly important when quantifying MDM’s value: the number
of types of data and the range of uses for the data.
[Figure: Key Influencers of Master Data Management Value. A grid plotting Volume of Entities against Range of Uses for Entities.]
Volume of Entities
The organization’s primary data entities generally are customers,
products, employees, and suppliers. As the volume of data in any
or all of these grows, the importance and complexity of managing
the data increases.
Range of Uses
The more systems, functions, and business units that use
customer, product, employee, and supplier data, the more value an
MDM solution can have.
5
Need for Master Data Management
Because it is used by multiple applications, an error in master data can cause errors in all the applications that use
it. For example, an incorrect address in the customer master might mean orders, bills, and marketing literature are
all sent to the wrong address. Similarly, an incorrect price on an item master can be a marketing disaster.
Master Data Mismanagement Example
A credit-card customer moves from 2847 North 9th St. to 1001 11th St. North.
The customer changed his billing address immediately, but did not receive a bill for several months. One day,
the customer received a threatening phone call from the credit-card billing department, asking why the bill had
not been paid. The customer verifies that they have the new address, and the billing department verifies that the
address on file is 1001 11th St. N. The customer asks for a copy of the bill, to settle the account.
After two more weeks without a bill, the customer calls back and finds the account has been turned over to a
collection agency. This time, they find out that even though the address in the file was 1001 11th St. N, the
billing address is 101 11th St. N.
After a bunch of phone calls and letters between lawyers, the bill finally gets resolved and the credit-card
company has lost a customer for life.
In this case, the master copy of the data was accurate, but another copy of it was flawed.
Master data must be both correct and consistent.
Source: Microsoft
6
Need for Master Data Management (cont.)
Data Fragmentation
Problem: Master data is fragmented across multiple systems vertically and horizontally.
MDM: Bring together data from multiple systems and build whole records and data sets using match and merge.
Data Duplication
Problem: The same master data attributes exist in multiple systems, leading to data divergence (DOB: System A = 6/1/80, System B = 1/6/80).
MDM: Pick the “best” value, based on trust scores.
Data Quality
Problem: As with all data, master data quality deteriorates over time.
MDM: Pre-cleanse and standardize data (e.g., gender).
Single Source of Truth
Problem: Multiple systems have “slices of truth” with inconsistent data quality and standardization.
MDM: Bring together and present a “single source of truth” for consumption by users and systems.
Bridging the Gap
Problem: “Vertical” systems don’t bridge well across Members, Providers, Products, Customers, Employees, etc.
MDM: Provide visibility across multiple data domains (e.g., providers that are also members).
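The match-and-merge, trust-score and standardization ideas in the Data Fragmentation, Data Duplication and Data Quality rows above, shown in working code. This is an added example, not code from the presentation or from any MDM product; the source systems (SYS_A, SYS_B, SYS_C), their date formats, the trust scores and the sample records are all constructed assumptions. It shows why the DOB divergence in the slide (6/1/80 vs 1/6/80) is resolved by standardization before any trust score is consulted, and how a genuine disagreement (the e-mail address) is decided by trust and logged as a conflict.

```python
"""Match-and-merge of fragmented master records with trust-score survivorship.

Added illustration of the "Data Fragmentation", "Data Duplication" and "Data
Quality" rows; not code from the presentation or from any MDM product. The
source systems, trust scores, date formats and records are constructed.
"""
from datetime import datetime

# Constructed assumption: each source system writes dates in one known format.
# System A is month/day/year and System B is day/month/year, which is how
# "6/1/80" and "1/6/80" can be the same birthday rather than a real conflict.
DATE_FORMATS = {"SYS_A": "%m/%d/%y", "SYS_B": "%d/%m/%y", "SYS_C": "%Y-%m-%d"}

# Constructed trust scores per system and attribute; the highest score wins a
# conflict. Attributes with no score (e.g. tax_id) fall back to the first value.
TRUST = {
    "SYS_A": {"dob": 0.9, "email": 0.4, "gender": 0.6},
    "SYS_B": {"dob": 0.5, "email": 0.9, "gender": 0.6},
    "SYS_C": {"dob": 0.7, "email": 0.6, "gender": 0.8},
}

# Constructed sample: the same person as seen by three systems.
RECORDS = [
    ("SYS_A", {"tax_id": "123-45-6789", "dob": "6/1/80", "email": "J.Doe@Example.com", "gender": "female"}),
    ("SYS_B", {"tax_id": "123456789", "dob": "1/6/80", "email": "jane.doe@example.com", "gender": "F"}),
    ("SYS_C", {"tax_id": "123 45 6789", "dob": "1980-06-01", "email": "", "gender": "f"}),
]

GENDER_CODES = {"m": "M", "male": "M", "f": "F", "female": "F"}


def normalize(system, raw):
    """Pre-cleanse and standardize one record so values from different systems compare equal."""
    rec = dict(raw)
    if rec.get("dob"):
        rec["dob"] = datetime.strptime(rec["dob"], DATE_FORMATS[system]).date()
    if rec.get("gender"):
        g = rec["gender"].strip().lower()
        rec["gender"] = GENDER_CODES.get(g, g.upper())
    if rec.get("email"):
        rec["email"] = rec["email"].strip().lower()
    if rec.get("tax_id"):
        rec["tax_id"] = rec["tax_id"].replace("-", "").replace(" ", "")
    return rec


def merge(records):
    """Match records on the normalized tax_id and build one golden record per match group.

    Each attribute of the golden record is the non-empty value from the most
    trusted system; `_sources` records where each value came from and
    `_conflicts` lists attributes on which the systems genuinely disagreed
    after normalization (a pure format difference is therefore not reported).
    """
    groups = {}
    for system, raw in records:
        rec = normalize(system, raw)
        groups.setdefault(rec["tax_id"], []).append((system, rec))

    golden = {}
    for key, members in groups.items():
        attrs = sorted({attr for _, rec in members for attr in rec})
        out = {"_sources": {}, "_conflicts": []}
        for attr in attrs:
            candidates = [
                (TRUST.get(system, {}).get(attr, 0.0), system, rec[attr])
                for system, rec in members
                if rec.get(attr) not in (None, "")
            ]
            if not candidates:
                continue
            _score, system, value = max(candidates, key=lambda c: c[0])
            out[attr] = value
            out["_sources"][attr] = system
            if len({str(c[2]) for c in candidates}) > 1:
                out["_conflicts"].append(attr)
        golden[key] = out
    return golden


def golden_records():
    """Run the merge over the constructed sample."""
    return merge(RECORDS)


if __name__ == "__main__":
    for key, rec in golden_records().items():
        print(key, rec)
```

The `_sources` map is what makes the golden record auditable: a data steward can see which system supplied each surviving value and revisit the trust scores when a conflict keeps resolving the wrong way.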
Source(s): Insideanalysis
7
Key Trends in Master Data Management
Gartner has identified several new trends in the master data management market that are generating increasing
interest and are expected to have a significant impact on the market over the next few years.
Growing Demand for MDM Software
• It is estimated that 66% of Fortune 1000 organizations have deployed two or more MDM solutions to support their
enterprise MDM strategies.
• A number of MDM software vendors market their products as supporting multi-domain MDM capabilities.
• When evaluating software products to meet multi-domain MDM needs, organizations should evaluate each relevant
master data domain and validate that the vendor can satisfy the requirements.
Increasing Links Between MDM and Social Networks
• Last year, 15% of organizations added social media data about their customers to the customer master data
attributes they manage.
• Social media analytics will provide insight into trends in what the market thinks about a company’s products and
services.
• Social network data will integrate with customer data, creating a business need for MDM systems to provide
additional integration capabilities.
Rising Adoption of MDM in the Cloud
• Last year, 10% of packaged MDM implementations were delivered as SaaS in the public cloud.
• On-premise MDM solutions are increasingly being integrated with SaaS applications.
• Various cloud-sourced data services provide data quality or data integration as a service and offer valuable
support during MDM implementations.
• Few MDM vendors have developed specific cloud-based MDM products that are scalable, elastic, and multitenant.
8
Master Data Management – Lifecycle
The following table illustrates the differing CRUD cycles for four common master-data subject areas (Customer,
Product, Asset, Employee):
Create
• Customer: Customer visit, such as to website or facility; account created
• Product: Product purchased or manufactured; SCM involvement
• Asset: Unit acquired by opening a PO; approval process necessary
• Employee: HR hires, numerous forms, orientation, benefits selection, asset allocations, office assignments
Read
• Customer: Contextualized views based on credentials of viewer
• Product: Periodic inventory catalogues
• Asset: Periodic reporting purposes, figuring depreciation, verification
• Employee: Office access, reviews, insurance claims, immigration
Update
• Customer: Address, discounts, phone number, preferences, credit accounts
• Product: Packaging changes, raw materials changes
• Asset: Transfers, maintenance, accident reports
• Employee: Immigration status, marriage status, level increase, raises, transfers
Destroy
• Customer: Death, bankruptcy, liquidation, do-not-call
• Product: Canceled, replaced, no longer available
• Asset: Obsolete, sold, destroyed, stolen, scrapped
• Employee: Termination, death
Search
• Customer: CRM system, call-center system, contact-management system
• Product: ERP system, orders-processing system
• Asset: GL tracking, asset DB management
• Employee: HR LOB system
Source: Microsoft
10
Building Blocks of MDM
MDM Framework
Vision
Strategy
Metrics
Organization Rules
Information Governance
Enabling Infrastructure
Information Lifecycle
The MDM Framework is a set of MDM best practices that are organized into seven building blocks of MDM. These
building blocks provide high-level focus areas for planning the various stages of an MDM program.
12
Ownership
Risk Owners, Process Owners, Role Owners … Data Stewards, Data Owners?!
How will you create and maintain an MDM governance organization that includes executive sponsorship,
policymaking, decision arbitration, and daily operational administration?
How will the governance structure enforce its will?
Appoint data stewards in key areas of the business who will be accountable for the production, definition,
security, and integrity of master data assets.
Identification of data stewards aligns well with the concept of role ownership within GRC.
Naturally, data stewards will be responsible for approving the roles that allow users to create, read, update,
and display the data.
13
Defining Data Owners and Data Stewards
Role Responsibility
Data Owners
The Data Owners are the decision makers for establishing data quality requirements. Responsibilities
include:
• Owning the implementation and ongoing management of data quality improvements
• Establishing data quality requirements (timeliness, accuracy, completeness, accessibility)
• Determining and approving access and re-use of data
• Establishing the backup/recovery/archiving requirements
• Understanding legal/compliance/regulatory issues impacting data
• Setting priorities and sponsoring projects for all work related to the maintenance and processing of
the data
• Approving all governance matters impacting the processing of data
Data Stewards
The Data Stewards manage the process to maintain the data for the owner. Responsibilities include:
• Assisting with issue tracking, escalation, and resolution
• Documenting data definitions (Business Glossary)
• Proposing changes and/or improvements to the Data Owner to improve efficiency or resolve issues
• Acting as proxy for Data Owner on projects, initiatives, and operational functions
14
People, Process, and Technology
People
• Understand current roles and responsibilities of key stakeholders and how they will change or expand
• Data stewards and data owners may be the same as role owners or risk owners
Process
• MDM initiatives will require changes to IT governance processes
• Propagate those changes into access management/IT governance processes
• Changes to controls (e.g., security, configuration, approvals)
Technology
• Plan for the necessary technical prerequisites
• Alignment of MDM lifecycle with the right tools
• Leverage existing investments or use MDM to implement new functionality
16
MDM Lifecycle and GRC Integration Points
Alignment of GRC technologies with the MDM lifecycle can be done early. The lifecycle stages shown are Search,
Create, Read, Update, and Destroy, with the following GRC integration points attached to them:
• AC – Access Provisioning
• AC – Risk Analysis – Sensitive Access
• AVM – SoD Quantification of Exceptions
• Process Control CCM – Master Data Changes
17
Master Data Management Roadmap
A disciplined, effective approach to MDM is typically made up of the following phases: Phase I – Scope and Analyze,
Phase II – Recommend and Design, Phase III – Implement, and Phase IV – Sustain.
1. Identify Sources of Master Data
2. Identify Data Producers and Consumers
3. Collect and Analyze Meta Data
4. Appoint Data Stewards
5. Create Steering Committee
6. Develop the Master Data Model
7. Choose and Implement a Toolset
8. Design the Infrastructure and Test
9. Modify Systems
10. Implement Maintenance Process
Once the sources of master data have been determined, the producers and consumers have been identified and
analyzed, and the appropriate data governance structure has been put in place, the project moves into the
modeling and implementation phases (steps 6 through 10 above).
19
GRC Roadmap – Phased Approach
Align your SAP Access Control roadmap with your data governance roadmap by phase and functionality.
[Figure: roadmap grid placing GRC functionality across three phases: Quick Wins/Short Term (Phase 1), Enhanced
Functionality (Phase 2), Visionary/Long Term (Phase 3). Functionality shown: Business Role Management; Rule Set
Optimization and Reporting; Security Change Management; Super User Management; Emergency Access Management;
Access Risk Analysis (SoD); Access Request Management; Automated Provisioning; Automated Controls; Process
Control Integration; User Access Review; Automated Reporting; Automated Alerts; CCM; Policy Mgmnt.]
Consider SAP Security Optimization/Remediation Activities
Phases and Functionality of GRC
• GRC is a journey and constantly evolving
• Allow for flexibility to integrate with other systems
• Plan for adjustments in configuration and functionality
• Use other initiatives to kick start GRC improvements or enhancements
20
Technical Considerations – Planning for Technical Integration
In one example, the GRC plug-in was included as part of the server build
For SAP systems (in our example it was SAP MDG):
GRC plug-in installation is required
• Plug-in name: GRCPINW
♦ The plug-in component will be specific to the SAP NetWeaver® version
• Note: Support pack should match GRC system support pack!
For Non-SAP systems
• Integrate GRC with Greenlight connectors
• Understand feasibility using Greenlight connectors
22
Cross-System Analysis – The Functions and Risks
SAP recommends that functions are set up using physical systems/connectors and not logical systems.
Goal: create a Risk in the GRC front end which contains a conflict between the function groups from the two
different systems.
1. Create a Risk in the GRC front end which contains a conflict between the function groups from the two different
systems
2. Load the transactions into function groups by physical system
3. Create the risk as an SoD conflict between the two function groups
4. Generate Rules and Validate Rules via the Access Rule Details screen
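The cross-system analysis the steps above set up, as an added example in plain Python rather than SAP Access Control itself. The function IDs (SD01, SD05, PR01, PR02) and risk IDs (S003, P008) are the ones listed in Appendix A of this deck; the connector names (ECC_PRD, MDG_PRD), the transaction codes placed in each function, the MDG change-request action names and the user assignments are constructed for illustration. The point it demonstrates is the one SAP's recommendation rests on: because each function is keyed by the physical connector it is loaded for, the analysis can tell that a user holds customer maintenance in MDG and sales order processing in ECC, and can report the violation as cross-system.

```python
"""Cross-system SoD risk analysis with functions keyed by physical system.

Added example, not the presentation's or SAP's code. Function IDs and risk IDs
follow Appendix A of the deck; connectors, transaction codes per function and
user assignments are constructed.
"""
from itertools import product

# Constructed: actions that make up each function on each physical connector.
# Keying by connector (not by a logical system grouping) is what lets the
# analysis say a risk is held across ECC and MDG rather than within one box.
FUNCTIONS = {
    ("SD01", "ECC_PRD"): {"XD01", "XD02"},          # maintain customer master in ECC
    ("SD01", "MDG_PRD"): {"MDGC_CUSTOMER_CR"},      # constructed MDG customer change-request action
    ("SD05", "ECC_PRD"): {"VA01", "VA02"},          # sales order processing
    ("PR01", "ECC_PRD"): {"XK01", "XK02"},          # vendor master maintenance in ECC
    ("PR01", "MDG_PRD"): {"MDGS_SUPPLIER_CR"},      # constructed MDG supplier change-request action
    ("PR02", "ECC_PRD"): {"ME21N", "ME22N"},        # maintain purchase order
}

# Risk = SoD conflict between two function groups: (function 1, function 2, level).
RISKS = {
    "S003": ("SD01", "SD05", "High"),   # maintain fictitious customer and initiate orders
    "P008": ("PR01", "PR02", "High"),   # maintain fictitious vendor and initiate purchase to vendor
}

# Constructed: actions each user can execute on each connector, as a role or
# authorization extract would yield them.
ASSIGNMENTS = {
    "ECC_PRD": {"jsmith": {"VA01", "VA02"}, "apatel": {"XK01", "ME21N"}, "mwong": {"XD01"}},
    "MDG_PRD": {"jsmith": {"MDGC_CUSTOMER_CR"}, "mwong": set()},
}


def functions_held(user):
    """Return {function_id: set(connectors)} for every function the user can execute.

    A function is held on a connector when the user has at least one of its
    actions there, mirroring action-level risk analysis.
    """
    held = {}
    for (func, connector), actions in FUNCTIONS.items():
        if actions & ASSIGNMENTS.get(connector, {}).get(user, set()):
            held.setdefault(func, set()).add(connector)
    return held


def analyze(users):
    """List SoD violations, one per (user, risk, connector pair), flagging cross-system ones."""
    violations = []
    for user in users:
        held = functions_held(user)
        for risk_id, (f1, f2, level) in RISKS.items():
            if f1 not in held or f2 not in held:
                continue
            for c1, c2 in sorted(product(held[f1], held[f2])):
                violations.append({
                    "user": user, "risk": risk_id, "level": level,
                    "function_1": (f1, c1), "function_2": (f2, c2),
                    "cross_system": c1 != c2,
                })
    return violations


def all_users():
    """Every user seen on any connector."""
    return sorted({u for users in ASSIGNMENTS.values() for u in users})


if __name__ == "__main__":
    for v in analyze(all_users()):
        kind = "cross-system" if v["cross_system"] else "single-system"
        print(f'{v["user"]}: {v["risk"]} ({v["level"]}, {kind}) {v["function_1"]} vs {v["function_2"]}')
```

Had the two connectors been collapsed into one logical system, `functions_held` would still report both functions for jsmith, but the `cross_system` flag would be lost and the rule set could not distinguish a conflict that spans the new MDG tool from one entirely inside ECC.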
23
SoD Risk Questions and Discussions
Who should be involved in risk
discussions?
• Business Process Owners
• Data Stewards
• Functional Team
• Governance Team
• IT Compliance
• Audit
• Security Team
A list of SoD risks related to master data can be found in Appendix A
How does master data management affect my SoD risks?
• Review master data-related risks and evaluate the creation of new risks
• Understand the complexities of new risks and function groups, and how to build function groups with sensitive
actions and permissions
• Vendor maintenance has been part of SoDs, but is vendor maintenance a new sensitive access risk?
Should I disable the existing risks related to master data management?
• Not unless you can restrict the ability for users to manage master data via configuration-based controls. If
you’re still relying on security to control maintenance to master data, then you still need to monitor for the
risks.
24
Security Changes and Architecture Considerations
Evaluate current standing access to maintain master data (e.g.,
vendors, customers, materials, etc.) within ECC
Consider restricting access to master data maintenance in ECC and leveraging the master data management tool
going forward
• Remember: Review master data maintenance access in Firefighter
IDs also!
Assign the needed access in the master data management tool
(e.g., MDG)
25
Effects on the Provisioning Process – Role Maintenance
Use the Critical Level or Sensitivity fields to classify roles
Leverage role attributes within Role Maintenance to classify roles further
Additional values can be configured for Critical Level and Sensitivity from the back end
• Navigate to Access Control → Role Management → Specify Critical Level
• Navigate to Access Control → Role Management → Define Role Sensitivity
Roles can be updated under Role Management → Role Maintenance
26
Effects on the Provisioning – Workflow Changes
Restrict access to request master data roles
or utilize workflow to obtain additional
approvals for master data access
Consider creating a separate path in MSMP
setup which routes based on the additional
role attributes
Navigate to Access Control → Workflow for Access Control → Maintain MSMP Workflows
27
Effects on the Provisioning – Workflow Changes (cont.)
Attributes from role maintenance can be added here to route to specific MSMP paths
Within the Table Settings, you can add additional columns or Condition Items
Update the BRF+ Initiator Rule to check for the role attributes (e.g., critical level, sensitivity, etc.) and
route to a specific path for approvals
Insert the fields (Condition Items) into your decision table
28
Effects on the Provisioning – Role Restrictions
Set Provisioning Allowed value = No
Roles can be restricted under Role Maintenance → Additional Details → Provisioning
Additionally, you can prevent a role from being available for provisioning
• As an example, if you’re using another tool for vendor master maintenance, then you would want to restrict
users (and approvers) from selecting and requesting master data maintenance roles in ECC
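The two provisioning changes described on the preceding slides (an initiator rule that routes by role attributes, and roles marked Provisioning Allowed = No) expressed as a small Python model. This is an added example of the design, not SAP's BRF+ or MSMP code; the role names, attribute values, path names and decision-table rows are constructed. It keeps the semantics a BRF+ decision table gives you: rows are evaluated top-down, the first match wins, and a default row guarantees every line item gets a path. Roles that the data governance policy has moved to the MDM tool are rejected before routing, so neither the requester nor an approver can select them.

```python
"""Routing an access request by role attributes, with Provisioning Allowed = No enforced.

Added illustration of the approach on the workflow and role restriction slides;
not SAP's BRF+ or MSMP code. Role names, attribute values, path names and the
decision-table rows are constructed.
"""

# Constructed role master with the attributes the slides suggest maintaining in
# Role Maintenance (critical level, sensitivity, provisioning allowed).
ROLES = {
    "Z_SD_CUSTOMER_MASTER_ECC": {"critical_level": "High", "sensitivity": "Master Data", "provisioning_allowed": False},
    "Z_MDG_CUSTOMER_STEWARD": {"critical_level": "High", "sensitivity": "Master Data", "provisioning_allowed": True},
    "Z_SD_ORDER_DISPLAY": {"critical_level": "Low", "sensitivity": "Standard", "provisioning_allowed": True},
    "Z_FI_GL_DISPLAY": {"critical_level": "Medium", "sensitivity": "Standard", "provisioning_allowed": True},
}

# Constructed decision table in the shape of a BRF+ initiator rule: condition
# columns (critical_level, sensitivity), then the result (MSMP path). Rows are
# evaluated top-down, first match wins, None matches any value, and the last
# row is the default so every line item gets a path.
DECISION_TABLE = [
    (("High", "Master Data"), "MASTER_DATA_STEWARD_PATH"),
    ((None, "Master Data"), "MASTER_DATA_STEWARD_PATH"),
    (("High", None), "MANAGER_AND_ROLE_OWNER_PATH"),
    ((None, None), "MANAGER_APPROVAL_PATH"),
]


def route_role(attrs):
    """Pick the MSMP path for one role's attributes using the decision table."""
    for (level, sensitivity), path in DECISION_TABLE:
        level_ok = level is None or level == attrs["critical_level"]
        sensitivity_ok = sensitivity is None or sensitivity == attrs["sensitivity"]
        if level_ok and sensitivity_ok:
            return path
    raise ValueError("decision table has no default row")


def process_request(requested_roles, roles=ROLES):
    """Split a request into MSMP paths per line item.

    Roles flagged Provisioning Allowed = No are rejected before routing, so a
    requester (or approver) cannot obtain the ECC master data maintenance roles
    that the data governance policy has moved to the MDM tool.
    """
    result = {"rejected": [], "paths": {}}
    for role in requested_roles:
        attrs = roles.get(role)
        if attrs is None:
            result["rejected"].append((role, "unknown role"))
        elif not attrs["provisioning_allowed"]:
            result["rejected"].append((role, "provisioning not allowed; request the MDM tool role instead"))
        else:
            result["paths"].setdefault(route_role(attrs), []).append(role)
    return result


if __name__ == "__main__":
    print(process_request(list(ROLES)))
```

Ordering the decision table from most to least specific matters: if the default `(None, None)` row came first, every request would take the manager-only path and the steward approval the slides call for would never be triggered.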
29
Monitoring and Extending SoD Quantification with Greenlight Access Violation Management
Greenlight and SAP offer a solution to help quantify the financial impact of SoDs
The Access Violation Management application monitors SAP and non-SAP systems to identify when a
user actually processes an SoD within the system
Exceptions are identified and alerted and mitigation plans can be documented
Ensure monitoring capabilities are updated to account for a change in the process and technologies
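What "a user actually processes an SoD" looks like when computed from an execution log, as an added example in Python; it is not code from the presentation, SAP or Greenlight. Risk IDs P008 and P023 and their function pairs come from Appendix A of this deck; the log rows, connector names, amounts and the mitigation control ID are constructed. Where the cross-system analysis earlier in the deck reports who could combine two functions, this reports who did, against the same vendor, and sizes the exception by the documents on the transactional side so that a mitigation plan can be documented against a number.

```python
"""Quantifying SoD exceptions from executed actions, in the style of Access Violation Management.

Added example, not the presentation's, SAP's or Greenlight's code. Risk IDs and
function pairs follow Appendix A of the deck; the log, connectors, amounts and
mitigation IDs are constructed.
"""

# Function 1 actions (vendor master maintenance in ECC or via MDG) and
# function 2 actions (the transaction that realizes the risk) per risk.
RISK_ACTIONS = {
    "P008": ({"XK01", "XK02", "MDGS_SUPPLIER_CR"}, {"ME21N", "ME22N"}),  # maintain vendor + maintain PO
    "P023": ({"XK01", "XK02", "MDGS_SUPPLIER_CR"}, {"ME29N"}),           # maintain vendor + approve PO
}

# Constructed: documented mitigation plans keyed by (risk, user).
MITIGATIONS = {("P008", "apatel"): "MC-0042"}

# Constructed execution log: one row per executed action, linked to the vendor
# it touched, with the document amount where the action posts a document.
LOG = [
    {"ts": "2016-03-01T09:12", "system": "ECC_PRD", "user": "apatel", "action": "XK02", "vendor": "V100045", "amount": 0.0},
    {"ts": "2016-03-01T09:40", "system": "ECC_PRD", "user": "apatel", "action": "ME21N", "vendor": "V100045", "amount": 48200.0},
    {"ts": "2016-03-02T14:05", "system": "ECC_PRD", "user": "apatel", "action": "ME21N", "vendor": "V100045", "amount": 12750.0},
    {"ts": "2016-03-02T15:30", "system": "ECC_PRD", "user": "bkim", "action": "ME21N", "vendor": "V100045", "amount": 9000.0},
    {"ts": "2016-03-03T10:00", "system": "ECC_PRD", "user": "apatel", "action": "ME21N", "vendor": "V200310", "amount": 5000.0},
    {"ts": "2016-03-04T11:20", "system": "MDG_PRD", "user": "cruiz", "action": "MDGS_SUPPLIER_CR", "vendor": "V300777", "amount": 0.0},
    {"ts": "2016-03-04T16:45", "system": "ECC_PRD", "user": "cruiz", "action": "ME29N", "vendor": "V300777", "amount": 31000.0},
]


def quantify(log, risk_actions=RISK_ACTIONS, mitigations=MITIGATIONS):
    """Return actual SoD exceptions: the same user executed an action from both
    functions of a risk against the same vendor. Exposure is the total amount of
    the function 2 documents, which is what a reviewer would size the exception by.
    """
    by_key = {}
    for row in log:
        by_key.setdefault((row["user"], row["vendor"]), []).append(row)

    exceptions = []
    for risk_id, (f1_actions, f2_actions) in risk_actions.items():
        for (user, vendor), rows in sorted(by_key.items()):
            f1 = [r for r in rows if r["action"] in f1_actions]
            f2 = [r for r in rows if r["action"] in f2_actions]
            if not f1 or not f2:
                continue
            exceptions.append({
                "risk": risk_id, "user": user, "vendor": vendor,
                "documents": len(f2),
                "exposure": sum(r["amount"] for r in f2),
                "systems": {r["system"] for r in f1 + f2},
                # True when the master data change preceded the first document
                "master_change_first": min(r["ts"] for r in f1) <= min(r["ts"] for r in f2),
                "mitigation": mitigations.get((risk_id, user)),
            })
    return exceptions


def total_exposure(exceptions, include_mitigated=True):
    """Sum exposure, optionally excluding exceptions that already have a mitigation plan."""
    return sum(e["exposure"] for e in exceptions if include_mitigated or e["mitigation"] is None)


if __name__ == "__main__":
    found = quantify(LOG)
    for e in found:
        print(e)
    print("unmitigated exposure:", total_exposure(found, include_mitigated=False))
```

Note that bkim's purchase order to V100045 does not become an exception: the vendor master change was made by a different user, so the two functions were not combined by one person. Only the user who both changed the vendor and raised or approved the document is reported.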
30
Automated Monitoring with Process Controls
“Rule Engine” – Valuable to business users required to perform or test controls, whether for
compliance or monitoring business performance
Scenario → PC Functionality (Rule Engine):
• Monthly report on vendor changes (Master Data) → Exception report and receive alerts when fields are changed
• Monthly report on manual JE (Transactional Data) → Report of manual JEs over a certain amount
• Confirmation that PRD environment is locked down (Configuration Data) → Configuration change report and
receive alerts if configuration changes
31
Automated Monitoring with Process Controls (cont.)
Monitor the vendor change report and generate an exception alert any time a vendor is
updated within ECC and the change did not come from the master data management tool
32
Example PC Monitoring Controls – P2P and OTC
Business Process – Control Description (each control is classified as Master Data, Config, or Transactional)
P2P – P2P duplicate invoice parameter changes
P2P – Identify vendors that allow alternative payments to be processed
P2P – Review of payments processed to alternative payees
P2P – Review changes to alternative payee settings
P2P – Identify vendors created without name or address details
O2C – Review changes to credit limits allocated to new customers
OTC – An exception will be flagged where sales orders have been released from credit limit checking where the
amount is greater than a configured amount, where the sales order has been released by a non-authorized user,
or where the customer has had a previous bad debt
OTC – Review customers without an allocated credit limit
OTC – High one-time customer sales items
33
Example PC Monitoring Controls – GL, Assets, Inventory, Payroll
Business Process – Control Description (each control is classified as Master Data, Config, or Transactional)
GL – Configure negative postings by company code
GL – High-value direct entry invoices
GL – Manual Journal Entries: a manual journal processed above a trigger/threshold dollar amount; a journal
processed by a user who is not defined on an approved user listing; or a journal entry processed to an unusual
account, such as a reconciliation account
Assets – Review changes to planned useful life values allocated to asset class records
Assets – Asset Useful Life Analysis: useful life is defaulted from the asset class when an asset record is
created. Identify inappropriate depreciation postings by identifying exceptions between the default useful life
on the asset class and the useful life on each posted asset.
IT Controls – Restrict ability to change configuration items in the production environment
IT Controls – Identify changes to security audit logging settings
Inventory – All delivery document types should reference a sales order to ensure deliveries are not processed
without an approved sales order
Inventory – Inventory clearing tolerances
Payroll – Employees with same bank account record as vendors
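Three of the monitoring rules above run over sample data, as an added example that is not the presentation's or SAP Process Control's code. It covers the vendor change rule from the earlier slide (alert when a vendor is updated in ECC and the change did not come from the master data management tool), the P2P control "Identify vendors created without name or address details", and the Payroll control "Employees with same bank account record as vendors". The assumption that MDG-originated changes arrive in ECC under one technical interface user (MDG_RFC_PRD), the change documents, vendor and employee records, user IDs and control IDs are all constructed; the IBANs are public example values.

```python
"""Three continuous-control-monitoring rules over constructed sample data.

Added example, not the presentation's or SAP Process Control's code. Systems,
user IDs, records and control IDs are constructed.
"""

# Constructed assumption: MDG-originated changes reach ECC through this
# technical interface user, so any other user changing vendor master fields in
# ECC made a change that bypassed the governance tool.
MDM_REPLICATION_USERS = {"MDG_RFC_PRD"}

VENDOR_CHANGES = [  # constructed vendor master change documents from ECC
    {"vendor": "V100045", "field": "bank_account", "changed_by": "MDG_RFC_PRD", "ts": "2016-03-01T08:00"},
    {"vendor": "V100045", "field": "bank_account", "changed_by": "apatel", "ts": "2016-03-01T09:12"},
    {"vendor": "V200310", "field": "alternative_payee", "changed_by": "apatel", "ts": "2016-03-02T10:30"},
    {"vendor": "V300777", "field": "name", "changed_by": "MDG_RFC_PRD", "ts": "2016-03-03T07:45"},
]

VENDORS = [  # constructed vendor master records (IBANs are public example values)
    {"vendor": "V100045", "name": "Acme Supplies", "street": "1 Main St", "city": "Springfield",
     "bank_account": "DE89 3704 0044 0532 0130 00"},
    {"vendor": "V200310", "name": "", "street": "", "city": "", "bank_account": "GB29NWBK60161331926819"},
    {"vendor": "V300777", "name": "Globex Ltd", "street": "", "city": "", "bank_account": "FR1420041010050500013M02606"},
]

EMPLOYEES = [  # constructed payroll bank details
    {"employee": "E00123", "bank_account": "gb29 nwbk 6016 1331 9268 19"},
    {"employee": "E00456", "bank_account": "NL91ABNA0417164300"},
]

ADDRESS_FIELDS = ("name", "street", "city")


def normalize_account(account):
    """Compare bank accounts without spacing or case differences."""
    return account.replace(" ", "").upper()


def vendor_changes_outside_mdm(changes, allowed_users=MDM_REPLICATION_USERS):
    """Rule 1: an exception for every vendor change not made through the MDM interface user."""
    return [
        {"control": "CCM-VEND-01", "vendor": c["vendor"], "field": c["field"],
         "changed_by": c["changed_by"], "ts": c["ts"]}
        for c in changes if c["changed_by"] not in allowed_users
    ]


def vendors_missing_name_or_address(vendors):
    """Rule 2: vendors whose name, street or city is blank."""
    def blank(value):
        return not (value or "").strip()

    return [
        {"control": "CCM-VEND-02", "vendor": v["vendor"],
         "missing": [f for f in ADDRESS_FIELDS if blank(v.get(f))]}
        for v in vendors if any(blank(v.get(f)) for f in ADDRESS_FIELDS)
    ]


def employees_sharing_vendor_bank_account(employees, vendors):
    """Rule 3: an employee bank account that also appears on a vendor record."""
    vendors_by_account = {}
    for v in vendors:
        vendors_by_account.setdefault(normalize_account(v["bank_account"]), []).append(v["vendor"])
    return [
        {"control": "CCM-PAY-01", "employee": e["employee"], "vendor": vendor}
        for e in employees
        for vendor in vendors_by_account.get(normalize_account(e["bank_account"]), [])
    ]


def run_controls():
    """Run all rules over the constructed data; each non-empty list would raise an alert."""
    return {
        "vendor_change_outside_mdm": vendor_changes_outside_mdm(VENDOR_CHANGES),
        "vendor_missing_name_or_address": vendors_missing_name_or_address(VENDORS),
        "employee_vendor_bank_match": employees_sharing_vendor_bank_account(EMPLOYEES, VENDORS),
    }


if __name__ == "__main__":
    for control, exceptions in run_controls().items():
        print(f"{control}: {len(exceptions)} exception(s)")
        for ex in exceptions:
            print("  ", ex)
```

The bank account comparison normalizes spacing and case before matching; without that step the payroll record for E00123 would not match the vendor it shares an account with, which is exactly the kind of formatting gap a fraudulent duplicate would exploit.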
34
Where to Find More Information
• “High Value Roadmap Planning for SAP Access Control Solutions” (Protiviti, November 2013).
http://portal.on24.com/view/channel/index.html?showId=783829&showCode=ProtivitiCHNL&contentId=789736 *
• Aric Quinones, “How to Quantify and Mitigate the Financial Impact of Your ‘Potential’ Segregation
of Duties Violations” (GRC 2016 Las Vegas).
• SAP Note 1696581 – Cross System SOD Analysis in AC 10.0
http://service.sap.com/sap/support/notes/1696581 **
• SAP Note 1178372 – Risk Analysis and Remediation – Cross and Logical systems
http://service.sap.com/sap/support/notes/1178372 **
• Luis Bustamante, “AC 10.0 Customizing Workflows for Access Management” (SCN, June 2011).
http://scn.sap.com/docs/DOC-1566
* Requires login credentials
** Requires login credentials to the SAP Service Marketplace
36
Where to Find More Information (cont.)
• Master Data Management
Gartner, “IT Glossary: Master Data Management”
www.gartner.com/it-glossary/master-data-management-mdm
William McKnight, “Exploring All MDM Value Propositions” (Inside Analysis,
September 2011).
http://insideanalysis.com/2011/09/mdm/
Roger Wolter and Kirk Haselden, “The What, Why, and How of Master Data
Management” (Microsoft, November 2006).
http://msdn.microsoft.com/en-us/library/bb190163.aspx
37
7 Key Points to Take Home
• Master data governance projects are transformational and GRC is a small component of these efforts that
should not be forgotten
• Data governance initiatives create a transformation around existing IT governance processes and should be
planned for
• Identification of ownership is critical for both data governance and GRC initiatives
• Evaluate your rule set to identify any new system-based access risks that arise from introduction of a
new tool
• Adjust the provisioning process to account for new tools, new owners, and new approval paths as outlined
in the data governance policies
• Use existing investments in Access Control and Process Control to implement monitoring controls around
key master data elements to ensure compliance with data governance policies
• Consider the technical prerequisites and the necessary configuration changes that need to happen to
support data governance
38
Your Turn!
How to contact me:
Jay Gohil
Email: [email protected]
Please remember to complete your session evaluation
39
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.
Disclaimer
40
What We’ll Cover
• Comprehending the Basics of Master Data Management
• Taking a Look at the Key Data Elements
• Understanding Ownership of Data and Risk
• Governing Process and Data
• Integrating and Managing Data Standards and Compliance Together
• Examples of How Master Data Governance Affects Your GRC Landscape and How
Organizations Can Plan and Integrate GRC to Manage Risks
• Wrap-Up
• Appendix A: Master Data-Related SoD Risks
41
Appendix A: Master Data-Related SoD Risks
Business Process: Order to Cash | Risk ID: S003 | Risk Level: High
Function 1: SD01 - Maintain Customer Master Data
Function 2: SD05 - Sales Order Processing
Risk Description: Maintain fictitious customer and initiate orders
Risk Detail: A user could potentially create a sales order against the fictitious account. The goods will then be
delivered to the user and be misappropriated. The user could also create a fictitious customer and create sales
orders for the customer without authorization. This may result in excess goods being shipped or large amounts of
unpaid debt against the fictitious customer.

Business Process: Order to Cash | Risk ID: S005 | Risk Level: High
Function 1: SD01 - Maintain Customer Master Data
Function 2: SD03 - Sales Rebates
Risk Description: Change rebate agmt and change master record in cust favor
Risk Detail: Create a fictitious customer and modify rebates to enable the customer to obtain favorable pricing
conditions. This can result in misappropriation of sold goods or the obtainment of goods at a lower than expected
price.

Business Process: Procure to Pay | Risk ID: P008 | Risk Level: High
Function 1: PR01 - Vendor Master Maintenance
Function 2: PR02 - Maintain Purchase Order
Risk Description: Maintain a fictitious vendor and initiate purchase to vendor
Risk Detail: Users can create a fictitious purchase order and then manipulate the vendor bank or address details
to ensure they are paid a fraudulent amount. A user may be able to create a fictitious/unauthorized purchase
order for a fictitious/unauthorized vendor in order to conceal the payment or to provide business to a preferred
unauthorized vendor.
42
Appendix A: Master Data-Related SoD Risks (cont.)
Business Process: Procure to Pay | Risk ID: P013 | Risk Level: Medium
Function 1: MM06 - Maintain Material Master Data
Function 2: PR02 - Maintain Purchase Order
Risk Description: Create PO to contain an invalid material
Risk Detail: User may create or change inventory stock details and create purchase orders based on incorrect
information. This may lead to an incorrect recording of liabilities.

Business Process: Procure to Pay | Risk ID: P018 | Risk Level: Medium
Function 1: MM06 - Maintain Material Master Data
Function 2: PR05 - Purchasing Agreements
Risk Description: Maintain material master and add items to purchase agreements
Risk Detail: Add an attractive item to inventory not typically purchased and then process a purchase agreement
for the item.

Business Process: Procure to Pay | Risk ID: P023 | Risk Level: High
Function 1: PR01 - Vendor Master Maintenance
Function 2: PR04 - PO Approval
Risk Description: Maintain fictitious vendor and approve purchases to vendor
Risk Detail: Approve a purchase order and alter a vendor bank account thus processing a fraudulent payment.
43
Appendix A: Master Data-Related SoD Risks (cont.)
Business Process: Procure to Pay | Risk ID: P024 | Risk Level: Medium
Function 1: MM06 - Maintain Material Master Data
Function 2: PR04 - PO Approval
Risk Description: Approve PO that contains an invalid material
Risk Detail: Hide a fraudulent purchase or order an attractive item not typically purchased through manipulation
of the material master.

Business Process: Procure to Pay | Risk ID: P027 | Risk Level: High
Function 1: PR01 - Vendor Master Maintenance
Function 2: PR05 - Purchasing Agreements
Risk Description: Enter Purch Agreements and create/modify fictitious Vendor
Risk Detail: A user with the ability to create a ghost vendor or manipulate vendor details could process an
unauthorized purchasing agreement resulting in the purchase of unauthorized items.

Business Process: Procure to Pay | Risk ID: P036 | Risk Level: Medium
Function 1: MM06 - Maintain Material Master Data
Function 2: PR07 - Requisitioning
Risk Description: Modify material master data and create/change a material req
Risk Detail: Ability to add an item that is not normally purchased by the organization and then release a
requisition for the purchase of the item.
44
Appendix A: Master Data-Related SoD Risks (cont.)
Business Process: Order to Cash | Risk ID: S004 | Risk Level: High
Function 1: AR07 - Process Customer Invoices
Function 2: SD01 - Maintain Customer Master Data
Risk Description: Change customer master and enter inappropriate invoice
Risk Detail: A user could potentially create a fictitious customer account and subsequently process an invoice
against the fictitious account. This could be used for example to manipulate outstanding receivable figures or to
misappropriate cash received.

Business Process: Order to Cash | Risk ID: S011 | Risk Level: High
Function 1: AR01 - AR Payments
Function 2: SD01 - Maintain Customer Master Data
Risk Description: Maintain a fictitious customer and initiate a payment
Risk Detail: A user could alter a customer invoice amount and then manipulate and misappropriate subsequent cash
receipts.

Business Process: Order to Cash | Risk ID: S019 | Risk Level: High
Function 1: AR02 - Cash Application
Function 2: SD01 - Maintain Customer Master Data
Risk Description: Change the customer master file and modify cash received
Risk Detail: A user has the ability to misappropriate cash receipts through a variety of mechanisms including
altering terms of payment on the customer’s account.