Arvind Dang

Assessing risks in the F&A function at the configuration table, master data table, document, and field levels





The objectives of risk assessment and what can be at risk were covered in my previous article and are not repeated here.

This article highlights risk assessment vis-à-vis the following.

 

·       1. Configuration table level

·       2. Field choice level of configuration tables

·       3. Master data tables level

·       4. Field level of master data tables

·       5. Documents level

·       6. Field level of documents

·       7. Activities (including unethical) that can affect business adversely

 

Six (6) templates have been proposed for risk assessment, one for each of the following.

·      1. Conducting Risk Assessment at the “Configuration Table level”

·      2. Conducting Risk Assessment at the “Field Choice level of Configuration Tables”

·      3. Conducting Risk Assessment at the “Master data Tables level”

·      4. Conducting Risk Assessment at the “field level” of Master data Tables

·      5. Conducting Risk Assessment at the “Documents” level

·      6. Conducting Risk Assessment at the “field level” of Documents

You can also refer to my video on the subject at the link below



1. Conducting Risk Assessment at the “Configuration Table level”

a) What are configuration tables

Configuration tables are primarily used in ERP environments in business functions. These tables store data representing different information types that functional users may require frequently. Developing configuration tables in each function lays the foundation for the various aspects of that function, as relevant.

In the context of the F&A function, a few of the important configuration tables are as below.

·       Company codes

·       Document Types

·       Chart of account

·       Customer/vendor account groups

·       Tax codes

·       Payment methods

and many more.

These must be accessed before initiating a business transaction relevant to the function.

In short, configuration tables support the functionalities of the modules for which they have been designed. Each configuration table carries fields. Therefore, risk assessment should be carried out at both the configuration table level and the field level.

The configuration tables are designed at the initial stage of implementing ERP, based on joint discussions among the competent persons in the relevant function (in this case, a CFT, i.e. cross-functional team, of F&A and ERP/IT specialists), as these form the backbone of a robust ERP system.

b) Five (5) activities for assessing risks at the Configuration Table level

The following five key activities are proposed to be performed. These are usually identical for all functions in any industry and should be carried out by a team drawn from various sub-functions within F&A, together with any invitee from other functions such as Legal & Secretarial or any other function.

1. Identifying parameters that can influence “Configuration Table level” Risks

Identify a list of essential aspects (with inputs from the IT/ERP team or Internal Audit) that can influence the likely risks arising from access at the configuration table level:

·      Likely adverse impact on the cycle time/throughput time of the process execution for which the configuration table is relevant

·      Business process in the F&A function (while using the specifically identified configuration table) not getting executed completely, or getting executed inaccurately

2. Designing Risk assessment template at the Configuration table level

3. Software Programming of Risk Assessment template for configuration table for workflow and navigation

4. Populating Configuration table level risks in the template

5. Effecting changes in the above.

More details are available in my books, available on Amazon.


c) Template 1: For classifying risks at the Configuration table level (illustrations for 5 configuration tables)

Header: Function: Corporate F&A; Function Code: xxxx; Risk assessment Date: xxxxxx

Risk assessment is based on the likely adverse impact of incorrect selection of a configuration table:

1. Cycle time/throughput time of the business process/activity in which the configuration table is used

2. Business process does not get executed completely or is executed incorrectly

| Description of the configuration table | Code assigned (e.g. in SAP-ERP) | Risk classification | Remarks, if any |
|---|---|---|---|
| Company codes | T003 | High | |
| Chart of account | T004 | High | |
| Customer/vendor account groups | T005 | High | |
| Tax codes | T007S | High | |
| Payment methods | T078k | High | |
| and so on | to populate | to classify | |
| S-O-D related details/description | Created by | Edited by | Approved by |
| Subfunction/team | CFT to populate | CFT to populate | CFT to populate |
| User's level | CFT to populate | CFT to populate | CFT to populate |
| User's position | CFT to populate | CFT to populate | CFT to populate |
| Dates | CFT to populate | CFT to populate | CFT to populate |

Notes:

·      1. The configuration tables must be accessed by a person specifically empowered in F&A or in any other function.

·      2. CFT can directly replicate this process for risk assessment for all the configuration tables.

·      3. S-O-D (segregation of duties) must be ensured by clearly specifying i) Created by, ii) Edited by and iii) Approved by, as shown in the last four (4) rows in the above table. CFT can also add columns such as “Reviewed by” and “Viewed by” to this template.

·      4. The risk classification captured above by the author is only for understanding, and the CFO can amend risks as appropriate at his/her complete discretion.

·      5. This template would become part of the Risk control manual.

·      6. Coding schemes provide a structured and standardized approach to categorizing and managing various elements within a business system that the business must evolve. Often, these are driven by the ERP system implemented.

·      7. The populated templates/risk manuals must have restricted circulation.
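One way to program the checks on a populated Template 1 (an added example, not code from the author's books or from any SAP product): it flags unclassified risks, unpopulated or conflicting S-O-D roles, overdue reviews, and in-scope tables missing from the template. The table codes are those listed in Template 1; the user IDs, dates, the 365-day review interval, the rule that the approver must differ from the creator and the editor, and all function and field names are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import date

VALID_RISK = {"High", "Medium", "Low"}


@dataclass
class TemplateRow:
    description: str
    code: str           # configuration table code as listed in Template 1
    risk: str           # expected: High / Medium / Low
    created_by: str     # S-O-D roles (user IDs below are constructed)
    edited_by: str
    approved_by: str
    assessed_on: date


def check_template(rows, in_scope_codes, today, max_age_days=365):
    """Return sorted (table code, finding) pairs for a populated template.

    max_age_days is an assumed review interval; the article only asks for
    periodic review without naming a period.
    """
    findings, seen = [], set()
    for r in rows:
        seen.add(r.code)
        if r.risk not in VALID_RISK:
            findings.append((r.code, "risk not classified as High/Medium/Low"))
        roles = {"created_by": r.created_by.strip().lower(),
                 "edited_by": r.edited_by.strip().lower(),
                 "approved_by": r.approved_by.strip().lower()}
        for name, user in roles.items():
            if not user:
                findings.append((r.code, f"{name} not populated"))
        approver = roles["approved_by"]
        # Assumed S-O-D rule: the approver may not be the creator or editor.
        if approver and approver in (roles["created_by"], roles["edited_by"]):
            findings.append(
                (r.code, "S-O-D conflict: approver also created or edited"))
        if (today - r.assessed_on).days > max_age_days:
            findings.append((r.code, "review overdue"))
    # Completeness: every in-scope configuration table must have a row.
    for code in set(in_scope_codes) - seen:
        findings.append((code, "in-scope table missing from template"))
    return sorted(findings)


# Constructed sample data; only the table names and codes come from Template 1.
TODAY = date(2024, 6, 1)
IN_SCOPE_CODES = ["T003", "T004", "T005", "T007S", "T078k"]
SAMPLE_ROWS = [
    TemplateRow("Company codes", "T003", "High",
                "u.maker1", "u.maker2", "u.checker1", date(2024, 1, 10)),
    TemplateRow("Chart of account", "T004", "High",
                "u.maker1", "u.maker1", "U.Maker1", date(2024, 1, 10)),
    TemplateRow("Customer/vendor account groups", "T005", "",
                "u.maker2", "u.maker2", "", date(2024, 1, 10)),
    TemplateRow("Tax codes", "T007S", "High",
                "u.maker1", "u.maker2", "u.checker1", date(2022, 6, 1)),
]

if __name__ == "__main__":
    for code, finding in check_template(SAMPLE_ROWS, IN_SCOPE_CODES, TODAY):
        print(f"{code}: {finding}")
```

The same function can be reused for Templates 2 to 6 by passing their rows and codes, since all six templates carry the same S-O-D roles.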

2. Conducting Risk Assessment at the “Field Choice level of Configuration Tables.”

a) What are fields

·      Fields refer to the individual data elements within a database table. These fields store specific information about a particular record in the table.

·      Fields in the context of SAP-ERP can be of various data types, including

  • Character strings, e.g. Vendor name/customer name

  • Numbers e.g., Invoice number

  • Dates, e.g. Date of invoice or date of material received document or due date for payment

  • Currency values, e.g. Net sale value or Inventory value

·      Fields of different types are used in Configuration tables, master  data tables & documents

·      Fields store information about a specific business object and determine how it is displayed and processed within the system as per the examples given above

·      Fields can be further customized and configured to meet the specific needs of a business, including the definition of data elements, data domains, and tables.

·      A few examples of fields in the FI (F&A) function in SAP ERP are given below for the user’s understanding. (All SAP-related information is from the public domain.)

  1. Vendor account group =KTOKD

  2. Document type =BLART

  3. A/c Determination =KTOPL

  4. Tax classification =TKOKD

  5. Currency type =WAERS

  6. Company code =BUKARS

  7. Tax Code  =MWSKZ

  8. Document posting Key =BSCHL

  9. Fiscal year variant =GJAHR

  10. Bank key  =BANKS

  11. And so on

b) Five (5) activities for assessing risks at the “Field Choice level of Configuration Tables”

1. Identifying aspects that can influence the classification of “Field choice level” risks w.r.t. each configuration table

Once configuration tables have been identified, each HOD/functional team, in consultation with the risk management or Internal Audit team, identifies a list of essential risk aspects that can facilitate the classification of “Field choice level” risks as High, Medium or Low.

Some of the aspects, in the context of F&A, are as below:

·      Whether the field choice pertains to business areas that can impact

  • Sales revenue and/or

  • Costs and/or

  • Statutory conformance and/or

  • Quality of work/service rendered and/or

  • Accuracy of financial reporting and/or

  • Efficiency & effectiveness

2. Designing risk assessment template at “Field choice level” vis-à-vis each configuration table

3. Software programming of risk template for “Field choice level” and navigation

4. Populating “Field choice level” risks vis-à-vis each configuration table

5. Effecting changes in the above

Template 2: For classifying risks at the Field choice level of Configuration tables (illustrations: 12 field choices in 1 configuration table)

Header: Function = F&A; Code = xxxx

Configuration table name = Company code data; Code = T003; Risk at Configuration table level = High; Field Code = BLART; Field Name = Document type

| Field choice | Field choice code | Impact of incorrect field choice | Risk assessed |
|---|---|---|---|
| Vendor Invoice-AP | KA | Inaccuracy of financial accounting & reporting | High |
| Vendor Invoice-AP (Credit notes by vendor for discount/rejection) | KR | do | High |
| Vendor payment | KZ | Cash outflow | High |
| Customer invoice-AR | RE | Inaccuracy of financial accounting & reporting | High |
| Customer payment | RV | Cash inflow | High |
| Customer credit note | RG | Inaccuracy of financial accounting & reporting | High |
| General Journal Entry | SA | do | High |
| Bank transfer | TR | Cash inflow/outflow | High |
| Purchase order | BS | Material costs, consumption, cash pay-out | High |
| Goods receipt | WE | Material accounting, Liabilities | High |
| Assets requisition | AB | Inaccuracy of Asset accounting & reporting | High |
| Assets retirement | RA | do | High |
| and so on | | | |
| S-O-D related details/description | Created by | Edited by | Approved by |
| Subfunction/team | CFT to populate | CFT to populate | CFT to populate |
| User's level | do | do | do |
| User's position | do | do | do |
| Date | do | do | do |

Notes

1. The Field choices in configuration tables must be accessed by a person specifically empowered in F&A or in any other function.

2. CFT can directly replicate this process for risk assessment for all the field choices in configuration tables. 

3. The other 5 (five) points are identical to those in the notes in the earlier Template.

 

Users can find more examples in my book below.

 

·  1. Configuration table name = Company code data, Field name = Currency type, Field choices = 4 (four), i.e. USD, INR, GBP, Euro & so on

·  2. Configuration table name = Chart of accounts, Field name = A/C determination, Field choices = 5 (five), i.e. Cash, A/C receivable, A/C payable, sale invoice, cost of goods sold & so on

·  3. Configuration table name = A/C Group for customer or vendor, Field name = Tax classification, Field choices = 4 (four), i.e. Goods & Service tax, value-added tax, service tax, standards tax & so on

·  4. Configuration table name = A/C Group for customer or vendor, Field name = Vendor account group, Field choices = 5 (five), i.e. Raw material supplier, service provider, finished goods supplier, equipment supplier, sub-contractor & so on

And so many more configuration tables, fields and field choices.


3. Conducting Risk Assessment at the “Master data Tables level”


a) What are master data tables

Master data tables are primarily used in the ERP environments in business functions.

These tables contain the core data of a particular business entity or object. These tables store the most critical information about an object, such as customer data, vendor data, material data, etc., used for various transactions in business processes and reports.

Examples of Master data tables used by the F&A function in ERP-SAP are as below, along with codes and illustrations for a few important pieces of information:

 

·  1. G/L Account Master; Code = SKA1. Information contained = GL account number, account description, account group, account type, and so on

·  2. G/L Account Master-Company code data; Code = SKB1. Information contained = Company code, reconciliation account assignment, account currency, and so on

·  3. Asset Master Record; Code = ANLA. Information contained = Asset description, asset class, asset number, net book value, capitalization date, fiscal year, cost centre, and so on

·  4. Customer Master; Code = KNA1. Information contained = Customer name, address, payment terms, and so on

·  5. Vendor Master; Code = LFA1. Information contained = Vendor name, address, payment terms, and so on

·  6. Material Master; Code = MARA. Information contained = Material number, material description, UM, material type, material group

F&A functions, with support from IT/ERP, facilitate the development of master data tables in the initial stages of implementing ERP solutions.

Maintaining the integrity and accuracy of Master data tables is essential for the smooth functioning of a business.

Risk assessment is carried out to assess the likely implications of using a master data table and the consequent adverse implications of its incorrect usage.

Risk assessment is based on specific/identified likely adverse consequences of incorrect accessing of the Master data table vis-à-vis aspects listed below.

·      Sales revenue

·      costs

·      financial reporting

·      Statutory conformance

·      Quality of work output

·      Efficiency/effectiveness

b) Five (5) activities for assessing risks at the “Master data table level”

1. Identifying parameters that can influence “Master data Table level” risks

Once the master data table requirements have been conceptualized, the HOD/functional team identifies the consequences of incorrectly accessing and using the specific/identified master data tables, as mentioned above.

2. Designing Risk assessment template at the Master data table level

3. Software Programming of Risk Assessment template for Master Data Table and navigation

4. Populating Master Data table level risks in the template

5. Effecting changes in the above

Template 3: For classifying risks at the Master data table level (illustrations: 6 master data tables)

Header: Function: Corporate F&A; Function Code: xxxx; Risk assessment Date: xxxxxx

Risk assessment is based on the likely adverse impact, such as below:

·      Financial reporting of Revenue, Costs, Assets, Inventories, etc.

·      P&L and BS accuracy

·      Statutory conformance

·      Adverse impact on cost

| Description of master data table | Code assigned (e.g. in SAP-ERP) | Risk classification | Remarks |
|---|---|---|---|
| G/L Account Master | SKA1 | High | |
| G/L Account Master-Company code data | SKB1 | High | |
| Asset Master Record | ANLA | High | |
| Customer Master | KNA1 | High | |
| Vendor Master | LFA1 | High | |
| Material Master | MARA | High | |
| S-O-D related details/description | Created by | Edited by | Approved by |
| Subfunction/team | CFT to populate | CFT to populate | CFT to populate |
| User's level | do | do | do |
| User's position | do | do | do |
| Date | do | do | do |

Notes

1. The master data tables must be accessed by a person specifically empowered in F&A or in any other function.

2. CFT can directly replicate this process for risk assessment for all the master data tables.

3. The other 5 (five) points are identical to those in the notes in the earlier Template    


4. Conducting Risk Assessment at the “field level” of Master data Tables

a) Five (5) activities for assessing risks at the “field level” of Master data Tables

The following five key activities are proposed to be performed. These are usually identical for all functions in any industry.

1. Form a team to identify parameters that can influence “Field level” risks in each master data table and carry out such risk assessments.

The risk assessment team, in consultation with the Internal Audit team, identifies a list of essential aspects that can influence the classification of “Field level” risks as High, Medium or Low, based on the following.

i)              Field ingredients/information carried by the field

ii)             Fields accessed without authorization or amended

2. Designing risk assessment template at Field level vis-à-vis each Master data table

3. Software programming of risk template for Field level and navigation/workflow

4. Populating “Field level” risks vis-à-vis all fields in each Master data table

5. Effecting changes in the above

The adverse impacts (triggered by incorrect field ingredients or unauthorised access & use of fields in the “Master data table”) can be on:

·      Sales revenue and/or

·      Material costs and/or

·      Cash inflow or outflow and/or

·      Accounting in financial books and/or

·      Financial reporting and/or

·      Statutory conformance and/or

·      Efficiency & effectiveness

Template 4: For classifying risks at the Field level of Master Data tables in F&A (illustrations: 10 fields in 6 master data tables, High-Risk master data tables)

| Master data table name | Master data table code | Field name | Field code | Impact of incorrect “field ingredients” or unauthorised access & use of fields | Risk assessed as | Remarks |
|---|---|---|---|---|---|---|
| G/L Account Master Record | SKA1 | Account number | SAKNR | Incorrect accounting or inaccurate financial reporting | High | |
| do | do | Chart of account | SAKTO | do | High | |
| G/L Account Master Record | SKB1 | Company code | BUKRS | do | High | |
| General Data in Customer Master | KNA1 | Customer number | KUNNR | Incorrect accounting in financial books & reconciliation issues | High | |
| Vendor Master Record - General Section | LFA1 | Vendor code | LIFNR | do | High | |
| do | do | Account blocked | SPERR | Material cost/cash outflow | High | |
| Asset Master Record Segment | ANLA | Asset description | BEZEI | Efficiency & effectiveness | High | |
| do | do | Capitalization date | AKTIV | Incorrect accounting or inaccurate financial reporting | High | |
| Material Master | MARA | Material description | MAKTX | Efficiency & effectiveness | High | |
| do | do | Unit of measurement | MEINS | Material costs | High | |
| S-O-D related details/description | Created by | Edited by | Approved by | Can be viewed by | Can be viewed by | |
| Subfunction/team | CFT to populate | CFT to populate | CFT to populate | CFT to populate | CFT to populate | |
| User's level | do | do | do | do | do | |
| User's position | do | do | do | do | do | |
| Date | do | do | do | do | do | |

 

Notes

1. The fields in master data tables must be accessed by a person specifically empowered in F&A or in any other function.

2. CFT can directly replicate this process for risk assessment for all fields in the master data tables. 

3. The other 5 (five) points are identical to those in the notes in the earlier Template    

 

There are many more illustrations in my book (covering 60 fields), and F&A users can add many more master data tables and fields

 

5. Conducting Risk Assessment at the “Documents” level

There are several types of documents in the F&A function, as per the few examples below, and more can be added.

  • Purchase vouchers

  • Sales vouchers

  • Journal vouchers

  • Debit  notes

  • Credit notes

and so on.

·      In ERP-SAP environments, the types of documents are identified by a “Document type” (code BLART).

·      A few such documents in SAP are listed below by “Document type”:

 

  1. Vendor Invoice-(AP)=KA, 

  2. Vendor Invoice-(AP)-Credit notes by vendor  rejection etc=KR,

  3. Vendor payment=KZ

  4. Customer invoice-(AR)=RE,

  5. Customer payment=RV,

  6. Customer credit note=RG

  7. General Journal Entry=SA,

  8. Bank transfer =TR, 

  9. Purchase order =BS,

  10. Goods receipt=WE

  11. Assets acquisition=AB,

  12. Assets retirement=RA

·      All such documents are stored in SAP in a table called BKPF (the accounting document header), for which access must be restricted.

·      In non-ERP environments also, all documents that have financial implications must have restricted access (on a need-to-know basis), based on risk assessment.

·      In the context of documents generated in ERP-SAP, risk assessment is proposed at:

  1. Document level

  2. Field level, as per need

a) Five (5) activities for assessing risks at the level of Financial Documents in F&A are as below

1. Identifying parameters that can influence “Document-level” risks

2. Designing risk assessment template at the “Document level”

3. Software programming of risk assessment template for “Document level” and navigation

4. Populating “Document-level” risks in the template

5. Effecting changes in the above

 

b) Template 5: For classifying risks at the Document level (illustration: 4 F&A documents)

Header: Function: Corporate F&A; Function Code: xxxx; Risk assessment Date: xxxxxx

Risk impact: Parameters that are likely to suffer adverse impact attributed to unauthorised access of “documents” are as under:

·      Revenue or

·      Costs or

·      Assets or

·      Liabilities or

·      Compromise on confidentiality of information

·      And so on

| Description of document | Document type | Risk classification | Remarks/source document |
|---|---|---|---|
| Payment voucher-PV | KZ | High | Vendor invoice & purchase orders |
| Sales voucher-SV | RV | High | Co-invoice on channel partner/customer & sales order |
| Consumption voucher for back-flushing-JV | SA | High | Production order and Bill of material |
| Inventory valuation voucher-JV | SA | High | Inventory verification |
| S-O-D related details/description | Created by | Edited by | Approved by |
| Subfunction/team | CFT to populate | CFT to populate | CFT to populate |
| User's level | CFT to populate | CFT to populate | CFT to populate |
| User's position | CFT to populate | CFT to populate | CFT to populate |
| Dates | CFT to populate | CFT to populate | CFT to populate |
| and so on | | | |

Notes

1. The documents must be accessed by a person specifically empowered in F&A or in any other function.

2. CFT can directly replicate this process for risk assessment for all types of documents. 

3. The other 5 (five) points are identical to those in the notes in the earlier Template    

 

6. Conducting Risk Assessment at the “Field Level” of the Documents

 

a) Five (5) activities for assessing risks at the “Field Level” of the Documents

The following five key activities are proposed to be performed. These are usually identical for all functions in any industry.

1. Form a team to identify parameters that can influence “Field level” risks in each document and carry out such risk assessments.

The risk assessment team, in consultation with the Internal Audit team, identifies a list of essential aspects that can influence the classification of “Field level” risks as High, Medium or Low, based on the following.

i)              Field ingredients/information carried by the field

ii)             Fields accessed without authorization or amended

2. Designing risk assessment template at Field level vis-à-vis each document

3. Software programming of risk template for Field level and navigation/workflow

4. Populating “Field level” risks vis-à-vis all fields in each document

5. Effecting changes in the above

The adverse impacts (triggered by incorrect field ingredients or unauthorised access & use of fields in the “Documents”) can be on:

·      Sales revenue and/or

·      Material costs and/or

·      Cash inflow or outflow and/or

·      Accounting in financial books and/or

·      Financial reporting and/or

·      Statutory conformance

 

 

Template 6: For classifying risks at the “Field level” of documents (illustration: 10 fields in 4 documents)

Function = F&A; Code = xxxx; Document name = Payment voucher-PV; Document Type = KZ; Risk at Field level = High

| Document name | Document type and code | Field description | Field code | Impact of incorrect “field ingredients” or unauthorised access & use of fields | Risk assessed |
|---|---|---|---|---|---|
| Payment voucher-PV | Vendor payment (KZ) | Total amount | Total_Amount | Incorrect material costs | High |
| do | do | Quantity received | Qunatity_Received | Inaccurate payment outflow/material costs | High |
| Sales voucher-SV | Customer payment (RV) | Total amount | Total_Amount | Incorrect sales revenue | High |
| do | do | Quantity sold | Qunatity_Sold | Incorrect sales revenue | High |
| do | do | Unit price | Unit_Price | Inaccurate payment inflow/revenue | High |
| Inventory valuation voucher-JV or GJ | General Journal Entry (SA) | Material code | Material_Code | Inaccurate material accounting | Medium |
| do | do | Quantity adjusted | Quantity _Adjusted | Inaccurate material valuation | Medium |
| Cost of goods sold-JV or GJ | Inventory valuation voucher-(SA) | COGS Account | COGS _Account | Incorrect financial reporting | Medium |
| do | do | Raw Material Cost | Raw Material Cost | Inaccurate material cost | High |
| S-O-D related details/description | Created by | Edited by | Approved by | Can be viewed by | Remarks |
| Subfunction/team | CFT to populate | CFT to populate | CFT to populate | CFT to populate | |
| User's level | do | do | do | do | |
| User's position | do | do | do | do | |
| Date | do | do | do | do | |
| and so on | | | | | |



Notes

1. The Field codes in documents must be accessed by a person specifically empowered in F&A or in any other function.

2. CFT can directly replicate this process for risk assessment for all the field choices in configuration tables. 

3. The other 5 (five) points are identical to those in the notes in the earlier Template    

 

 

In my book, there are illustrations for 39 fields of documents and F&A professionals can add more documents and fields

 

7. Activities (including unethical) that can affect business adversely

 

·      Inappropriate composition and levels /positions of the team members assessing risks at various levels as below.

 

·       1 Configuration Table level

·       2 Field Choice Level of Configuration Tables.

·       3 Master data Tables level

·       4 Field levels of master data tables

·       5 Documents  level

·       6 Field level of documents

 

·      Inappropriate software development and workflow of risk templates make risk capturing cumbersome and inefficient.

·      Inaccurate classification of Risk (High, Medium, or Low) by team members vis a vis impact

·      Non-periodic/non-timely review of previously populated risk template to incorporate the effect of any “changes in the design of fields” that might have happened affecting risk classification

·      Non-comprehensive/incomplete capturing of all applicable configuration tables, master data table, documents, and fields therein, as applicable
