The objectives of risk assessment, and what can be at risk, were covered in my previous article and are not repeated here.
This article highlights risk assessment vis-à-vis the following:
· 1 Configuration Table level
· 2 Field Choice Level of Configuration Tables.
· 3 Master data Tables level
· 4 Field levels of master data tables
· 5 Documents level
· 6 Field level of documents
· 7 Activities (including unethical ones) that can affect the business adversely.
Six (6) templates have been proposed for risk assessment at the levels above:
· 1. Conducting Risk Assessment at the “Configuration Table level”
· 2. Conducting Risk Assessment at the “Field Choice level of Configuration Tables.”
· 3. Conducting Risk Assessment at the “Master data Tables level”
· 4. Conducting Risk Assessment at the “Field level” of Master data Tables
· 5. Conducting Risk Assessment at the “Documents” level
· 6. Conducting Risk Assessment at the “Field level” of Documents
1. Conducting Risk Assessment at the “Configuration Table level”
a) What are configuration tables
Configuration tables are primarily used in ERP environments in business functions. These tables store data representing different information types that functional users may require frequently. Developing configuration tables in each function lays the foundation for the various aspects of that function, as relevant.
In the context of the F&A function, a few of the important configuration tables are listed below.
· Company codes
· Document Types
· Chart of account
· Customer/vendor account groups
· Tax codes
· Payment methods
And many more.
These must be accessed before initiating a business transaction relevant to the function.
In short, configuration tables support the functionalities of the modules for which they have been designed. Each configuration table carries fields. Therefore, risk assessment should be carried out at both the configuration table level and the field level.
The configuration tables are developed/designed at the initial stage of implementing ERP, based on joint discussions among the competent persons in the relevant function (in this case, a CFT, i.e. a cross-functional team of F&A and ERP/IT specialists), as these form the backbone of a robust ERP system.
b) Five (5) activities for assessing risk at the Configuration Table level
The following five key activities are proposed. These are usually identical for all functions in any industry and should be carried out by a team drawn from various sub-functions within F&A, plus any invitee from other functions, such as Legal & Secretarial or any other function.
1. Identifying parameters that can influence “Configuration Table level” risks
Identify a list of essential aspects (with inputs from the IT/ERP team or Internal Audit) that can influence the risks likely to arise from accessing the configuration table, such as:
· Likely adverse impact on the cycle time/throughput time of the process for which the configuration table is relevant
· The business process in the F&A function (while using the specifically identified configuration table) not being executed completely, or being executed inaccurately
2. Designing the risk assessment template at the Configuration Table level
3. Software programming of the risk assessment template for configuration tables, including workflow and navigation
4. Populating Configuration Table level risks in the template
5. Effecting changes in the above.
c) Template 1 - For classifying risks at the Configuration Table level
(Illustrations for 5 configuration tables)
Header
Function: Corporate F&A; Function Code: xxxx; Risk assessment Date: xxxxxx
Risk assessment is based on the likely adverse impact of incorrect selection of a configuration table:
1. Cycle time/throughput time of the business process/activity in which the configuration table is used
2. Business process does not get executed completely or is executed incorrectly
Footer
Description of the configuration table | Code assigned (e.g. in SAP-ERP) | Risk classification | Remarks, if any |
Company codes | T003 | High | |
Chart of account | T004 | High | |
Customer/vendor account groups | T005 | High | |
Tax codes | T007S | High | |
Payment methods | T078k | High | |
and so on | to populate | to classify | |
S-O-D related Details/ Description | Created by | edited by | approved by |
Subfunction/team | CFT to populate | CFT to populate | CFT to populate |
user's level | CFT to populate | CFT to populate | CFT to populate |
user's position | CFT to populate | CFT to populate | CFT to populate |
Dates | CFT to populate | CFT to populate | CFT to populate |
Notes:
· 1. The configuration tables must be accessed by a person specifically empowered in F&A or in any other function.
· 2. CFT can directly replicate this process for risk assessment for all the configuration tables.
· 3. S-O-D (segregation of duties) must be ensured by clearly specifying i) created by, ii) edited by, iii) approved by, as shown in the last four (4) rows of the above table. CFT can also add columns such as “reviewed by” and “viewed by” to this template.
· 4. The risk classification captured above by the author is only for understanding, and the CFO can amend risks as appropriate at his/her complete discretion.
· 5. This template would become part of the Risk control manual.
· 6. Coding schemes provide a structured and standardized approach to categorizing and managing various elements within a business system that the business must evolve. Often, these are driven by the ERP system implemented.
· 7. The populated templates/risk manuals must have restricted circulation.
2. Conducting Risk Assessment at the “Field Choice level of Configuration Tables.”
a) What are fields
· Fields refer to the individual data elements within a database table. These fields store specific information about a particular record in the table.
· Fields in the context of SAP-ERP can be of various data types, including
Character strings, e.g. Vendor name/customer name
Numbers e.g., Invoice number
Dates, e.g. Date of invoice or date of material received document or due date for payment
Currency values, e.g. Net sale value or Inventory value
· Fields of different types are used in Configuration tables, master data tables & documents
· Fields store information about a specific business object and determine how it is displayed and processed within the system as per the examples given above
· Fields can be further customized and configured to meet the specific needs of a business, including the definition of data elements, data domains, and tables.
· A few examples of fields in the FI (F&A) function in SAP ERP are given below for the user’s understanding. (All SAP-related information is from the public domain.)
Vendor account group = KTOKD
Document type = BLART
A/c Determination = KTOPL
Tax classification = TKOKD
Currency type = WAERS
Company code = BUKRS
Tax Code = MWSKZ
Document posting Key = BSCHL
Fiscal year variant = GJAHR
Bank key = BANKS
And so on
b) Five (5) activities for assessing risk at the “Field Choice level” of Configuration Tables
1. Identifying aspects that can influence the classification of “Field choice level” risks w.r.t. each configuration table
Once configuration tables have been identified, each HOD/functional team, in consultation with the risk management or Internal Audit team, identifies a list of essential risk aspects that can facilitate the classification of “Field choice level” risks as High, Medium or Low.
Some of the aspects, in the context of F&A, are as below:
· Whether the field choice pertains to business areas that can impact
Sales revenue and/or
Costs and/or
Statutory conformance and/or
Quality of work/service rendered and/or
Accuracy of financial reporting and/or
Efficiency & effectiveness
2. Designing the risk assessment template at the “Field choice level” vis-à-vis each configuration table
3. Software programming of the risk template for the “Field choice level”, including navigation
4. Populating “Field choice level” risks vis-à-vis each configuration table
5. Effecting changes in the above
Template 2 - For classifying risks at the Field choice level of Configuration tables
(Illustrations: 12 field choices in 1 configuration table)
Function = F&A; Code = xxxx
Header
Configuration table name = Company code data; Code = T003
Risk at Configuration table level = High; Field Code = BLART; Field Name = Document type
Footer
Field choice | Field choice code | Impact of incorrect Field choice | Risk assessed |
Vendor Invoice-AP | KA | Inaccuracy of financial accounting & reporting | High |
Vendor Invoice-AP (Credit notes by vendor for discount/rejection ) | KR | do | High |
Vendor payment | KZ | Cash outflow | High |
Customer invoice-AR | RE | Inaccuracy of financial accounting & reporting | High |
Customer payment | RV | Cash inflow | High |
Customer credit note | RG | Inaccuracy of financial accounting & reporting | High |
General Journal Entry | SA | do | High |
Bank transfer | TR | Cash inflow/outflow | High |
Purchase order | BS | Material costs, consumption, cash pay-out | High |
Goods receipt | WE | Material accounting, Liabilities | High |
Assets requisition | AB | Inaccuracy of Asset accounting & reporting | High |
Assets retirement | RA | do | High |
and so on | | | |
S-O-D related Details/ Description | created by | edited by | approved by |
Subfunction/team | CFT to populate | CFT to populate | CFT to populate |
user's level | do | do | do |
user's position | do | do | do |
Date | do | do | do |
Notes
1. The Field choices in configuration tables must be accessed by a person specifically empowered in F&A or in any other function.
2. CFT can directly replicate this process for risk assessment for all the field choices in configuration tables.
3. The other 5 (five) points are identical to those in the notes in the earlier Template.
Users can find more examples in my book; a few are listed below.
· 1. Configuration table name = Company code data; Field name = Currency type
Field choices = 4 (four), i.e. USD, INR, GBP, Euro & so on
· 2. Configuration table name = Chart of accounts; Field name = A/C determination
Field choices = 5 (five), i.e. Cash, A/C receivable, A/C payable, sale invoice, cost of goods sold & so on
· 3. Configuration table name = A/C Group for customer or vendor; Field name = Tax classification
Field choices = 4 (four), i.e. Goods & Service tax, value-added tax, service tax, standards tax & so on
· 4. Configuration table name = A/C Group for customer or vendor; Field name = Vendor account group
Field choices = 5 (five), i.e. Raw material supplier, service provider, finished goods supplier, equipment supplier, sub-contractor & so on
And so on for many more configuration tables, fields and field choices
3. Conducting Risk Assessment at the “Master data Tables level”
a) What are master data tables
Master data tables are primarily used in the ERP environments in business functions.
These tables contain the core data of a particular business entity or object. These tables store the most critical information about an object, such as customer data, vendor data, material data, etc., used for various transactions in business processes and reports.
Examples of master data tables used by the F&A function in ERP-SAP are given below, along with their codes and a few important pieces of information they contain:
· 1. G/L Account Master; Code = SKA1
Information contained = G/L account number, account description, account group, account type and so on
· 2. G/L Account Master - Company code data; Code = SKB1
Information contained = Company code, reconciliation account assignment, account currency and so on
· 3. Asset Master Record; Code = ANLA
Information contained = Asset description, asset class, asset number, net book value, capitalization date, fiscal year, cost centre and so on
· 4. Customer Master; Code = KNA1
Information contained = Customer name, address, payment terms and so on
· 5. Vendor Master; Code = LFA1
Information contained = Vendor name, address, payment terms and so on
· 6. Material Master; Code = MARA
Information contained = Material number, material description, UM, material type, material group
F&A functions, with support from IT/ERP, facilitate the development of master data tables in the initial stages of implementing ERP solutions.
Maintaining the integrity and accuracy of master data tables is essential for the smooth functioning of a business.
Risk assessment is carried out to assess the likely implications of using a master data table and the adverse consequences of using it incorrectly.
Risk assessment is based on the specific/identified likely adverse consequences of incorrectly accessing the master data table vis-à-vis the aspects listed below.
· Sales revenue
· costs
· financial reporting
· Statutory conformance
· Quality of work output
· Efficiency/effectiveness
b) Five (5) activities for assessing risk at the “Master data table level”
1. Identifying parameters that can influence “Master data Table level” risks
Once the master data table requirements have been conceptualized, the HOD/functional team identifies the consequences of incorrectly accessing and using the specific/identified master data tables, as mentioned above.
2. Designing the risk assessment template at the Master data table level
3. Software programming of the risk assessment template for master data tables, including navigation
4. Populating Master data table level risks in the template
5. Effecting changes in the above
Template 3 - For classifying risks at the Master data table level (Illustrations: 6 master data tables)
Header
Function: Corporate F&A; Function Code: xxxx; Risk assessment Date: xxxxxx
Risk assessment is based on the likely adverse impact, such as below:
· Financial reporting of Revenue, Costs, Assets, Inventories, etc
· P&L and BS accuracy
· Statutory conformance
· Adverse impact on cost
Footer
Description of Master data table | Code assigned (e.g. in SAP-ERP) | Risk classification | Remarks |
G/L Account Master | SKA1 | High | |
G/L Account Master - Company code data | SKB1 | High | |
Asset Master Record | ANLA | High | |
Customer Master | KNA1 | High | |
Vendor Master | LFA1 | High | |
Material Master | MARA | High | |
S-O-D related Details/ Description | Created by | Edited by | Approved by |
Subfunction/team | CFT to populate | CFT to populate | CFT to populate |
User’s Level | do | do | do |
User’s position | do | do | do |
date | do | do | do |
Notes
1. The master data tables must be accessed by a person specifically empowered in F&A or in any other function.
2. CFT can directly replicate this process for risk assessment for all the master data tables.
3. The other 5 (five) points are identical to those in the notes in the earlier Template
4. Conducting Risk Assessment at the “Field level” of Master data Tables
a) Five (5) activities for assessing risk at the “Field level” of Master data Tables
The following five key activities are proposed. These are usually identical for all functions in any industry.
1. Form a team to identify parameters that can influence “Field level” risks in each master data table, and carry out such risk assessments.
The risk assessment team, in consultation with the Internal Audit team, identifies a list of essential aspects that can influence the classification of “Field level” risks as High, Medium or Low, based on the following:
i) Field ingredients/information carried by the field
ii) Fields accessed or amended without authorisation
2. Designing the risk assessment template at Field level vis-à-vis each master data table
3. Software programming of the risk template for Field level, including navigation/workflow
4. Populating “Field level” risks vis-à-vis all fields in each master data table
5. Effecting changes in the above
The adverse impacts (triggered by incorrect field ingredients or unauthorised access to and use of fields in the master data table) can be on:
· Sales revenue and/or
· Material costs and/or
· Cash inflow or outflow and/or
· Accounting in financial books and/or
· Financial reporting and/or
· Statutory conformance and/or
· Efficiency & effectiveness
Template 4 - For classifying risks at the Field level of Master Data tables in F&A
(Illustrations: 10 fields in 6 master data tables; high-risk master data tables)
Master data table name | Master data table code | Field name | Field code | Impact of incorrect “field ingredients” or unauthorised access & use of fields | Risk assessed as | Remarks |
G/L Account Master Record | SKA1 | Account number | SAKNR | Incorrect Accounting or Inaccurate financial reporting | High | |
do | do | Chart of account | SAKTO | do | High | |
G/L Account Master Record | SKB1 | Company code | BUKRS | do | High | |
General Data in Customer Master | KNA1 | Customer number | KUNNR | Incorrect accounting in financial books & Reconciliation issues | High | |
Vendor Master Record - General Section | LFA1 | Vendor code | LIFNR | do | High | |
do | do | Account blocked | SPERR | Material cost/cash outflow | High | |
Asset Master Record Segment | ANLA | Asset description | BEZEI | Efficiency & effectiveness | High | |
do | do | Capitalization date | AKTIV | Incorrect Accounting or Inaccurate financial reporting | High | |
Material Master | MARA | Material description | MAKTX | Efficiency & effectiveness | High | |
do | do | Unit of measurement | MEINS | Material costs | High | |
S-O-D related Details/ Description | created by | edited by | approved by | Can be viewed by | Can be viewed by |
Subfunction/team | CFT To populate | CFT To populate | CFT To populate | CFT To populate | CFT To populate |
user's level | do | do | do | do | do |
user's position | do | do | do | do | do |
date | do | do | do | do | do |
Notes
1. The fields in master data tables must be accessed by a person specifically empowered in F&A or in any other function.
2. CFT can directly replicate this process for risk assessment for all fields in the master data tables.
3. The other 5 (five) points are identical to those in the notes in the earlier Template
There are many more illustrations in my book (covering 60 fields), and F&A users can add many more master data tables and fields.
5. Conducting Risk Assessment at the “Documents” level
There are several types of documents in the F&A function, as per the few examples below, and more can be added:
Purchase vouchers
Sales vouchers
Journal vouchers
Debit notes
Credit notes
and so on.
· In ERP-SAP environments, the types of documents are identified by a “Document type” (field code BLART).
· A few such document types in SAP are listed below:
Vendor Invoice (AP) = KA
Vendor Invoice (AP) - Credit notes by vendor for rejection etc. = KR
Vendor payment = KZ
Customer invoice (AR) = RE
Customer payment = RV
Customer credit note = RG
General Journal Entry = SA
Bank transfer = TR
Purchase order = BS
Goods receipt = WE
Assets acquisition = AB
Assets retirement = RA
· All such documents are stored in SAP in a table called BKPF (the accounting document header), access to which must be restricted.
· In non-ERP environments too, all documents that have financial implications must have restricted access (on a need-to-know basis), based on risk assessment.
· In the context of documents generated in ERP-SAP, risk assessment is proposed at
Document level
Field level, as per need
a) Five (5) activities for assessing risk for financial documents in F&A are as below
1. Identifying parameters that can influence “Document-level” risks
2. Designing the risk assessment template at the “Document level”
3. Software programming of the risk assessment template for “Document-level”, including navigation
4. Populating “Document-level” risks in the template
5. Effecting changes in the above
b) Template 5 - For classifying risks at the Document level (Illustration: 4 F&A documents)
Header
Function: Corporate F&A; Function Code: xxxx; Risk assessment Date: xxxxxx
Risk impact: parameters that are likely to be adversely impacted by unauthorised access to “documents” are as under:
· Revenue or
· Costs or
· Assets or
· Liabilities or
· Compromise on confidentiality of information
· And so on
Footer
Description of Document | Document Type | risk classification | Remarks/source document |
Payment voucher -PV | KZ | High | vendor invoice & purchase orders |
Sales voucher-SV | RV | High | Co-invoice on channel partner/customer & sales order |
Consumption voucher for back-flushing-JV | SA | High | Production order and Bill of material |
inventory valuation voucher-JV | SA | High | Inventory verification |
S-O-D related Details/ Description | created by | edited by | Approved by |
Subfunction/team | CFT To populate | CFT To populate | CFT To populate |
user's level | CFT To populate | CFT To populate | CFT To populate |
user's position | CFT To populate | CFT To populate | CFT To populate |
dates | CFT To populate | CFT To populate | CFT To populate |
and so on |
Notes
1. The documents must be accessed by a person specifically empowered in F&A or in any other function.
2. CFT can directly replicate this process for risk assessment for all types of documents.
3. The other 5 (five) points are identical to those in the notes in the earlier Template
6. Conducting Risk Assessment at the “Field Level” of the Documents
a) Five (5) activities for assessing risk at the “Field Level” of the Documents
The following five key activities are proposed. These are usually identical for all functions in any industry.
1. Form a team to identify parameters that can influence “Field level” risks in each document, and carry out such risk assessments.
The risk assessment team, in consultation with the Internal Audit team, identifies a list of essential aspects that can influence the classification of “Field level” risks as High, Medium or Low, based on the following:
i) Field ingredients/information carried by the field
ii) Fields accessed or amended without authorisation
2. Designing the risk assessment template at Field level vis-à-vis each document
3. Software programming of the risk template for Field level, including navigation/workflow
4. Populating “Field level” risks vis-à-vis all fields in each document
5. Effecting changes in the above
The adverse impacts (triggered by incorrect field ingredients or unauthorised access to and use of fields in the documents) can be on:
· Sales revenue and/or
· Material costs and/or
· Cash inflow or outflow and/or
· Accounting in financial books and/or
· Financial reporting and/or
· Statutory conformance
Template 6 - For classifying risks at the “Field level” of documents (Illustration: 10 fields in 4 documents)
Function = F&A; Code = xxxx; Document name = Payment voucher-PV; Document Type = KZ; Risk at Field level = High
Document name | Document type and code | Field description | Field code | Impact of incorrect “field ingredients” or unauthorised access & use of fields | Risk assessed |
Payment voucher-PV | Vendor payment (KZ) | Total amount | Total_Amount | Incorrect Material costs | High |
do | do | Quantity received | Quantity_Received | Inaccurate Payment outflow/Material costs | High |
Sales voucher-SV | Customer payment (RV) | Total amount | Total_Amount | Incorrect Sales revenue | High |
do | do | Quantity sold | Quantity_Sold | Incorrect Sales revenue | High |
do | do | Unit price | Unit_Price | Inaccurate Payment inflow/Revenue | High |
Inventory valuation voucher-JV or GJ | General Journal Entry (SA) | Material code | Material_Code | Inaccurate material accounting | Medium |
do | do | Quantity adjusted | Quantity_Adjusted | Inaccurate material valuation | Medium |
Cost of goods sold-JV or GJ | inventory valuation voucher-(SA) | COGS Account | COGS_Account | Incorrect Financial reporting | Medium |
do | do | Raw Material Cost | Raw Material Cost | Inaccurate material cost | High |
S-O-D related Details/ Description | created by | Edited by | Approved by | Can be viewed by | Remarks |
Subfunction/team | CFT To populate | CFT To populate | CFT To populate | CFT To populate | Remarks |
user's level | do | do | do | do | |
user's position | do | do | do | do | |
Date | do | do | do | do | |
and so on |
Notes
1. The Field codes in documents must be accessed by a person specifically empowered in F&A or in any other function.
2. CFT can directly replicate this process for risk assessment for all the field choices in configuration tables.
3. The other 5 (five) points are identical to those in the notes in the earlier Template
In my book, there are illustrations for 39 fields of documents, and F&A professionals can add more documents and fields.
7. Activities (including unethical ones) that can affect the business adversely
· Inappropriate composition and levels/positions of the team members assessing risks at the various levels below.
· 1 Configuration Table level
· 2 Field Choice Level of Configuration Tables.
· 3 Master data Tables level
· 4 Field levels of master data tables
· 5 Documents level
· 6 Field level of documents
· Inappropriate software development and workflow of risk templates, making risk capturing cumbersome and inefficient.
· Inaccurate classification of risk (High, Medium or Low) by team members vis-à-vis impact
· Non-periodic/non-timely review of previously populated risk templates to incorporate the effect of any “changes in the design of fields” that may have affected risk classification
· Non-comprehensive/incomplete capturing of all applicable configuration tables, master data tables, documents and the fields therein, as applicable
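The checks below are an added example, not taken from the article or the author's books: a small Python routine that runs over a populated master data table register (Template 3 layout) and flags the failure modes listed above, namely unpopulated or overlapping S-O-D roles, classifications outside High/Medium/Low, overdue reviews and tables missing from the register. The row layout, user names, one-year review interval and the rule that the approver must differ from the creator and the editor are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

VALID_RISK = {"High", "Medium", "Low"}
# Assumed review interval: the article asks for periodic review but gives no figure.
MAX_REVIEW_AGE_DAYS = 365


@dataclass
class TemplateRow:
    """One populated row of a table-level risk template (hypothetical layout)."""
    table_code: str      # code assigned to the table, e.g. SKA1
    description: str
    risk: str            # High / Medium / Low
    created_by: str      # S-O-D roles from the template footer rows
    edited_by: str
    approved_by: str
    reviewed_on: date    # date of the last risk review


def check_register(rows, inventory, today):
    """Return a sorted list of (table_code, finding) tuples."""
    findings = []
    seen = set()
    for r in rows:
        seen.add(r.table_code)
        # Classification must be one of the three levels used in the templates.
        if r.risk not in VALID_RISK:
            findings.append((r.table_code, "invalid risk classification"))
        # S-O-D: all three roles filled in, and (assumed rule) the approver
        # is neither the creator nor the editor of the same row.
        if not (r.created_by and r.edited_by and r.approved_by):
            findings.append((r.table_code, "S-O-D roles not populated"))
        elif r.approved_by in (r.created_by, r.edited_by):
            findings.append((r.table_code, "approver also created or edited the row"))
        # Non-timely review of a previously populated template.
        if (today - r.reviewed_on).days > MAX_REVIEW_AGE_DAYS:
            findings.append((r.table_code, "review overdue"))
    # Incomplete capture: tables in scope that never reached the register.
    for code in sorted(set(inventory) - seen):
        findings.append((code, "table missing from register"))
    return sorted(findings)


# Constructed sample data: table codes are those of Template 3, everything else is invented.
INVENTORY = ["SKA1", "SKB1", "ANLA", "KNA1", "LFA1", "MARA"]
TODAY = date(2024, 6, 1)
SAMPLE_ROWS = [
    TemplateRow("SKA1", "G/L Account Master", "High",
                "user_a", "user_b", "user_c", date(2024, 1, 10)),
    TemplateRow("SKB1", "G/L Account Master - Company code data", "High",
                "user_a", "user_a", "user_a", date(2024, 1, 10)),
    TemplateRow("ANLA", "Asset Master Record", "Critical",
                "user_a", "user_b", "user_c", date(2024, 1, 10)),
    TemplateRow("KNA1", "Customer Master", "High",
                "user_a", "user_b", "", date(2024, 1, 10)),
    TemplateRow("LFA1", "Vendor Master", "High",
                "user_a", "user_b", "user_c", date(2022, 6, 1)),
]

if __name__ == "__main__":
    for code, finding in check_register(SAMPLE_ROWS, INVENTORY, TODAY):
        print(f"{code}: {finding}")
```

The same routine can be pointed at the other five templates by keying each row on the field or document code instead of the table code.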