Proper protection of vendor master data
Part II of the series: “Automated Audit of the Configuration and Authorizations in SAP MM”
Today’s blog post presents you with three audit procedures for auditing authorizations of vendor master data.
1. Is everything well organized? Auditing organizational structures in SAP MM
2. Proper protection of vendor master data
3. The procedure for checking the approval process for purchase requisitions
4. Are your purchase orders ordered in the best way?
5. Everything under control for critical goods movements
6. How to protect your invoice verification
7. Clear interrelationships when recording the physical inventory
8. Customizing in SAP MM set at the test bench
9. Segregation of duties in “purchase to pay”
10. Good practices in relation to the segregation of duties between “purchase to pay” and “financial accounting”
Separation of SAP master data maintenance in Purchasing and in Financial Accounting
Vendor master data can be maintained in both purchasing and financial accounting. The difference is that no company code-specific data is allowed to be maintained in purchasing and that no purchasing-specific data is allowed to be maintained in financial accounting. Likewise, maintenance of bank details is reserved for financial accounting. In terms of authorizations, this can be mapped by using different transactions (FK*, MK*, XK*).
Four-eyes principle when maintaining sensitive data
When maintaining the vendor master data of a large number of users, there is often a need to implement a four-eyes principle for sensitive fields (such as bank details, for example). After a change is made, a different user has to check and approve the change. Sensitive fields can be defined for this purpose in customizing. If one of these fields is changed, the vendor is automatically locked for payments. The lock must be released by a different user (asymmetrical four-eyes principle). If no four-eyes principle is in place, payment-related vendor master data may be changed, which may result in payments to this vendor being redirected to a different account, for example.
Individual authorization for maintaining sensitive data
In addition to an asymmetrical four-eyes principle, there is also the option of explicitly allowing only specific users to change sensitive fields. Maintenance of these fields is then blocked for all other users that are generally permitted to maintain vendors. These fields must be defined in customizing.
You can download the details about all SAP settings here: