Explaining Master Data

Objectives

After completing this lesson, you will be able to:
  • Describe master data in SAP Process Control
  • Understand master data elements
  • Identify two master data types
  • Understand the central and local master data structure
  • Describe master data flow
  • Describe two methods for loading master data
  • Explain different organizational structures
  • Explain the dependences in organizational hierarchy
  • Explain the authorization concept in SAP Process Control
  • Explain four key roles in SAP Process Control

Master Data in SAP Process Control

Document controls and policies centrally and map them to key regulations, controls, and organizations.

In SAP Process Control, documentation of master data forms the bedrock of efficient operations and compliance management. Master data encompasses essential information such as business process hierarchy, organization structure, regulatory requirements, account classifications, and risk profiles. This documentation serves as a central reference point, providing guidance, ensuring consistency, and facilitating compliance and governance efforts.

Efficiently handling master data is critical for enabling precise risk evaluation, overseeing compliance, and, ultimately, driving the effectiveness of governance, risk, and compliance (GRC) endeavors in an organization.

This ensures that all relevant information is properly documented and is readily available for continuous monitoring, reporting, and well-informed decision-making procedures.

Master Data Elements

The graphic displays a vertical list of six key master data elements. From top to bottom, the master data elements are Organization hierarchy, Business process hierarchy, Regulation hierarchy, Account groups, Control objectives, and Risk Catalog.

Setting up the master data serves as a fundamental step in building the foundation for SAP Process Control.

There are six main master data components:

  1. Organization hierarchy: This is a hierarchical representation of an entity's structure based on the reporting requirements.
  2. Business process hierarchy: SAP Process Control mainly focuses on providing a platform to support evaluation of controls in various aspects based on the regulatory and compliance requirements that the organization has to comply with. To use the functionalities to test the controls, it's important to document all the internal controls of the organization as part of the master data. A business process hierarchy in SAP Process Control comprises the process, subprocess, and control.
  3. Regulation hierarchy: As part of this hierarchy, the organization documents the regulatory and compliance requirements to which it must adhere. This is explained in more detail in the next lesson.
  4. Account groups: Account groups in the master data of SAP Process Control are utilized to manage the accounts included in the organization's trial balance. Each account is assigned to a specific account group, which helps organize and classify accounts based on criteria such as type, function, or risk level. Additionally, account groups facilitate the alignment of financial assertions with each account, ensuring compliance with regulatory requirements and internal control standards.
  5. Control Objectives: Control objectives articulate the specific goals that subprocesses strive to accomplish in mitigating the risks inherent in the overarching process. These objectives guide the establishment of controls within the organization, ensuring that risks are effectively managed within acceptable levels determined by the organization's risk appetite.
  6. Risk Catalog: This shared master data is utilized by both SAP Process Control and SAP Risk Management. However, within SAP Process Control, only the risk templates are used to define the organization's overall risk and control matrix (RCM).

Let's delve into the intricacies of master data types and their flow, exploring how the master data elements can be established within SAP Process Control.

Master Data Types

This graphic shows three rectangles. The top rectangle, Master Data in SAP Process Control, sits above the rectangle on the left, Central Master Data, and the rectangle on the right, Local Master Data. It represents the organizational relationship of the two types of master data in relation to Master Data in SAP Process Control.

Master Data is shared across three Governance, Risk and Compliance (GRC) components: SAP Access Management, SAP Risk Management and SAP Process Control.

SAP Process Control has two types of Master Data:

Central Master Data

Applies to the entire company. Master Data comprises core, foundational data that remains relatively stable and provides essential information about entities, objects, or elements used in business processes:

  • Organization Hierarchy: Define organizational units, such as business units, departments, or divisions. These are essential for structuring control environments.
  • Business Processes: Define the processes within your organization. These processes are subject to controls and risk assessments.
  • Subprocesses: Break down business processes into smaller subprocesses. Each subprocess may have its own set of controls.
  • Controls: Specify the controls that are in place to mitigate risks. These controls can be preventive, detective, or corrective.
  • Roles: Assign control owners responsible for maintaining and monitoring controls.
  • Regulations and Policies: Define regulations, policies, and compliance requirements relevant to your organization. These serve as the basis for control design and assessment.
  • Indirect Entity Level Control Hierarchy: The Indirect Entity-Level control catalog contains controls that are performed at the management level.

Local Master Data

Applies to data within each organization. Transaction data represents the actual business activities and events conducted within an organization. It captures the specific details of individual transactions or operations:

  • Organization-dependent subprocesses.
  • Organization-dependent controls.
  • Organization-dependent policies.
  • Organization-dependent indirect entity-level controls.

The Master Data Framework

The graphic features two separate frameworks: the Subprocess assigned to Organization Unit (Local Structure) and the Central Subprocess Structure. Both frameworks illustrate relationships between elements such as Organization, Process, Subprocess, Risk, Control, Control Objective, and Account Groups.

The Master Data Framework in SAP Process Control distinguishes between central (right) and local (left) structures.

A central structure usually encompasses the whole organization or enterprise level. The objective is to ensure consistency, maintain standards and achieve operational efficiencies. Central structures and processes allow organizations to maintain a holistic, top-down view of the processes and controls, making it possible for upper management to oversee and manage risks and procedures from a centralized viewpoint. Central structures are mainly used in organizations pursuing a harmonized process and control design across all units.

On the other hand, a local structure refers to procedures and controls pertaining to individual departments, units, or divisions within the organization. Local structures allow these organizational units to retain more autonomy and flexibility, which is particularly beneficial when unique processes or risks are associated with that specific unit. This decentralized model allows for tailored controls and risk management strategies.

For example, when a subprocess is assigned at the local level, it becomes a local object and receives a unique identifying number in the system. Customers are given the choice between allowing or not allowing local changes. This choice represents whether the organization prefers centralized (not allowing local changes) or decentralized (allowing local changes) management of compliance.

In a comprehensive SAP Process Control environment, organizations can have a combination of both central and local controls depending on the business processes and their levels of risk and complexity. The Master Data Framework helps to offer a clear view of both centralized and decentralized processes, controls, and associated risks, ensuring effective compliance management.

The Master Data Flow

This graphic shows a flowchart of the nine steps needed to set up organizational governance and control structures within a company or an institution. It starts with Set up Regulations, Set up Organization Hierarchy, Assign Corporate/Organization Roles, Set up Risk Catalog, Set up Control Objectives, Set up Account Groups, Set up Business Processes, Assign Subprocesses to Organizations, and finally ends with Assign Local Subprocess/Local Control Roles.

The process for manually creating Process Control master data typically follows this order:

  • Setting up Regulations - Regulation Group, Regulation, and Regulation Requirement.
  • Setting up Organizations hierarchy.
  • Creating Risk Catalog - Risk Category and Risk Template.
  • Setting up Control Objectives.
  • Creating Account Groups.
  • Assigning Business Processes - Processes, Subprocesses, and Controls.

The master data assignments start after all initial actions have been completed:

  • Assigning corporate and organization roles.
  • Assigning subprocesses to organizations.
  • Assigning local subprocess and local control roles.

It's important to note that indirect entity-level controls may be created at any time and assigned to existing organizations.

The master data flow is explained step by step in the lesson "Creation and Management of Master Data".

Methods for Loading Master Data

As you see on the screen, SAP Process Control creates an Excel file for uploading master data. Once the Excel file is filled with all master data, it can be uploaded into SAP Process Control for processing. This includes information such as control objectives, risks, controls, and other relevant master data.

1) Initial Data Upload by Master Data Upload Generator (MDUG) Template.

The MDUG tool is a standard delivered tool for SAP Process Control. Uploaded data is usable as central master data, not transactional master data.

Advantages:

  • Efficiency in Bulk Operations: Specifically designed for mass data uploads, this approach significantly streamlines the process of importing large volumes of data into the system.
  • Purpose-Built Tool: As a standard tool delivered for Process Control/Risk Management (PC/RM), it is optimized for the initial loading of master data, ensuring a smooth start-up phase.

Disadvantage: Limited Scope: Primarily intended for the initial load of PC/RM master data, it is not designed to support ongoing maintenance, which may necessitate additional tools or methods for long-term data management.

Different Organizational Structures

If you click the Organization tile and choose the Add button, a form opens where you can manually enter the information for the organization. Once you have entered all the required information, you can save the organization entry, and it is added to the SAP Process Control system.

2) Manual Entry and Maintenance in SAP Process Control.

In general, the compliance team initially sets up the master data after installation and configuration of Process Control, including:

  • Organization Hierarchy
  • Assignment of corporate/organization roles
  • Account Group Hierarchy
  • Control Objectives and Risks
  • Central Process Hierarchy

This can be resource intensive for a company.

Advantages: User Experience: Benefiting from a user-friendly and intuitive interface, this method facilitates easy navigation and data input for users.

Disadvantages:

  • Access Control: Data entry permissions are strictly defined by user roles, potentially limiting broader organizational engagement.
  • Resource Demand: It tends to be resource-intensive, requiring significant manual effort and time, which might affect efficiency.

Dependences in Organizational Hierarchy

The image shows two organizational structure diagrams of CRG International, Inc. One structure branches into subsidiaries: CRG International, Inc. Germany and CRG International, Inc. France. The second structure branches into main divisions: Finance and Operations.

There are no restrictions on the structure of the Organization hierarchy.

However, during the initial analysis phase, it's crucial for companies to determine how they will arrange their organization hierarchy, as compliance reporting will be based on this hierarchy.

There are several aspects to consider when arranging an organization hierarchy. Companies must decide on the model that will be used to define hierarchies and involve teams responsible for implementing multiple Governance, Risk and Compliance (GRC) components, such as SAP Access Control and SAP Risk Management, in the setup of the organizations. It's important to determine whether the hierarchy should mirror the company's organizational structure and ensure consistency in defining the hierarchy.

Different structures, such as geographical entities, functional or business units, can be used to create the organization hierarchy. Companies must also determine who is responsible for researching and rectifying control discrepancies for each location within the hierarchy, whether it's applicable business process owners, internal audit, SOX team members, or another group.

Organizational units must report on the mitigation of risks by internal controls to demonstrate the compliance of business processes and subprocesses within a specific organization. Controls are associated with an organization by linking them to subprocesses, allowing for analysis and monitoring at the organization level.

The Organization Hierarchy also includes several important features, such as setting up the hierarchy based on specific company requirements, assigning subprocesses and entity-level controls to one or multiple organizations, and controlling data access based on organization structure and assignment of owners.

Changes can occur within organizations, and these need to be updated in SAP Process Control. The Time Dependency functionality allows you to manage and track changes over time, ensuring that all updates are accurately recorded and reflected in the system.

See the following image and explanation.

The graphic is a flowchart depicting Organization changes in CRG International, Inc. Global over time. It shows two organization structures: one as of 31 December 2022, and the other as of 1 July 2023.

Exploring the graphic:

Time-Dependent Viewing and Tracking: There is a functionality that allows users to view the state of the organizational structure at any given historical point and to track the evolution of that structure over time.

Historical and Future Records: Master data objects can be set up with validity dates that either stretch back into the past before they were technically created in the system or that commence at some point in the future.

Contextual Data Viewing: It is important for users to be aware of the specific date for which they are viewing the master data objects because an object's attributes might differ depending on the time frame selected.

Example

Let's take the example of CRG International Inc., a global company that frequently experiences changes due to mergers, acquisitions, restructuring, and promotions.

Assume that a significant reorganization takes place within CRG International, Inc., reshuffling many roles, merging certain departments, and creating new reporting lines. This change is scheduled to take effect on 1st April.

To handle this change within their SAP Process Control system, CRG would utilize the Time Dependency functionality. On 1st April, the company updates their organizational chart within the system, assigning this date as the Effective Date. This means, from 1st April forward, the new organizational structure is considered valid within the system.

The old organizational structure, which became obsolete as of 1st April, is also assigned an End Date of 31st March. This ensures that the system accurately reflects that the old hierarchy was in place up until the end of March, and the new structure took over from April.

Before all these changes take effect, CRG International Inc. can also employ an approval workflow. This workflow would require each organizational update to be reviewed and approved by responsible personas in the company, such as the internal control manager. This process safeguards against mistaken or unauthorized changes and maintains the accuracy and reliability of the company's master data.

It's important to note: Should any changes occur in Master Data, they generally need to be reviewed and confirmed, with all relevant stakeholders being notified accordingly.

In SAP Process Control, the responsibilities and access levels of every employee are crucial. See the following image and explanation.

The Authorization Concept in SAP Process Control

This graphic is a diagram showing data security between two organizational units within CRG International, Inc.: Org 1 in Germany and Org 2 in France. Each organization is depicted with individual access permissions, emphasizing segregated access and control measures. The diagram highlights security practices in managing access and control within the organizational data structure.

This graphic outlines the access control measures in place for users within SAP Process Control. Each user's access is determined by their specific role, dictating their ability to view or edit master data objects. Users can only manage and run reports for their designated organizational unit and are not able to access or manipulate data belonging to other units. Additionally, users are granted visibility down the hierarchy, allowing them to interact with data objects at their level and below, but not above or outside of their domain.

Reporting is also controlled by the user's level of authorization, ensuring they can only see objects they own and those at lower levels.
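The downward-only visibility rule above, combined with the validity dates from the Time Dependency discussion, as an added Python example. It is an illustrative model, not SAP Process Control code or its API; the unit names, users, year, and the `OPEN_END` marker are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

OPEN_END = date(9999, 12, 31)  # assumed marker for "no end date"


@dataclass(frozen=True)
class OrgLink:
    """One validity period of an org unit's position in the hierarchy."""
    org: str
    parent: Optional[str]
    valid_from: date
    valid_to: date = OPEN_END


# Constructed sample hierarchy. "Sales Berlin" moves from Germany to France:
# the old link ends 31 March, the new one is effective 1 April.
LINKS = [
    OrgLink("CRG Global", None, date(2020, 1, 1)),
    OrgLink("CRG Germany", "CRG Global", date(2020, 1, 1)),
    OrgLink("CRG France", "CRG Global", date(2020, 1, 1)),
    OrgLink("Sales Berlin", "CRG Germany", date(2020, 1, 1), date(2024, 3, 31)),
    OrgLink("Sales Berlin", "CRG France", date(2024, 4, 1)),
]

# Constructed owner assignments: user -> organization they are assigned to.
OWNERS = {"user_de": "CRG Germany", "user_fr": "CRG France"}


def parent_of(org: str, key_date: date) -> Optional[str]:
    """Return the parent of `org` as of `key_date`; raise if not valid then."""
    hits = [l for l in LINKS
            if l.org == org and l.valid_from <= key_date <= l.valid_to]
    if len(hits) != 1:
        # No record (unit not valid on that date) or overlapping records.
        raise LookupError(f"{org}: {len(hits)} valid records on {key_date}")
    return hits[0].parent


def can_access(user: str, target_org: str, key_date: date) -> bool:
    """Allow only the user's own organization and units below it."""
    owned = OWNERS.get(user)
    if owned is None:
        return False  # unknown user: deny by default
    node: Optional[str] = target_org
    seen = set()
    try:
        while node is not None and node not in seen:
            if node == owned:
                return True
            seen.add(node)  # guards against a cyclic hierarchy
            node = parent_of(node, key_date)
    except LookupError:
        return False  # target not valid on the key date: deny
    return False  # reached the root without meeting the user's org


if __name__ == "__main__":
    for day in (date(2024, 3, 31), date(2024, 4, 1)):
        for user in OWNERS:
            print(day, user, can_access(user, "Sales Berlin", day))
```

The same user and the same unit give different answers on 31 March and 1 April, which is why the key date has to be part of every access decision and every report.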

Example

For example, in CRG International Inc., you have distinct departments like Finance, Sales, IT, HR, and others.

Tony is in charge of Sales and, as Sales Manager, has permissions to access, modify, or manage all master data objects related to Sales - this includes sales reports, client data, and sales targets. However, Tony is not granted access to view or edit related data from other departments like the financial reports in Finance or personal records from HR, ensuring data integrity and confidentiality.

Claudia, an HR executive, can access all HR-related data, which includes staff records, payroll details, and attendance, among other things. However, Claudia is restricted from accessing data from departments outside her jurisdiction. She can't view or manipulate sales data or IT infrastructure data. Claudia's ability to generate and view reports is limited to her HR role.

At the top level of CRG International Inc.'s hierarchy, you have the CEO or CTO who might need broader access across the organization. However, to maintain security and control, even they only have limited authority to edit or view master data objects that are necessary for their respective roles.

Jake is an IT support technician. Due to the level of his role within IT, Jake is likely to have access only to IT-related incidents at his specific level and nothing above it. He could view and manage master data objects related to his work, like individual support tickets, but he wouldn't be able to view or edit high-level IT infrastructure data without appropriate clearance.

For efficient operation of SAP Process Control, it's necessary to assign users to specific roles within the process control framework. Refer to the detailed explanation of roles within an internal control framework.

The Four Key Roles in SAP Process Control

The graphic displays a vertical list of four roles related to internal control management. From top to bottom, the roles are: Internal Control Manager, Control Performer, Control Owner, and Control Tester.

Four Predefined Roles in SAP Process Control:

Internal Control Manager: Serves as a critical liaison between management, auditors, and regulatory authorities, driving the organization's efforts to achieve operational excellence, financial integrity, and regulatory compliance.

Control Performer: Plays a critical role in ensuring that control activities are carried out effectively and in compliance with relevant policies and regulations. This individual or role is assigned to perform the necessary activities, such as reviewing and approving control activities, documenting evidence, and taking corrective actions when needed.

Control Owner: Plays a crucial role in the organization's governance and risk management framework, ensuring that appropriate controls are in place to safeguard assets, protect against fraud and errors, and achieve regulatory compliance.

Control Tester: Plays a crucial role in evaluating the effectiveness and reliability of an organization's internal control systems. Their primary responsibility is to assess the design and operating effectiveness of controls to mitigate risks, ensure compliance with regulations, and safeguard the organization's assets.

For more information about Process Control application roles, visit the SAP Help Portal: Process Control Application Roles | SAP Help Portal.
