In the company we have a workflow tool where users raise a request to create/change vendor master data, approved by line manager, sent to the payment team to validate the bank details and key in the bank details in the tool, and finally changes automatically made into SAP system.
In this case, would a control in place to review if the changes made are accurate, still needed?
(We had this monitoring in place before the tool was implemented as they are manually updated into SAP)
Hi Virginia, Thanks for the great question. I personally think there are a few things to unpick here. There is clearly a preventative control here, whereby creation or changes to a vendor need to go through a process which involves good segregation of duties (from what you have described). Depending on your risk tolerance, and assuming these preventative controls are working, I would say there is no need to have a control to ensure the changes are accurate. If you did have this control, you are effectively putting in place both a preventative and detective control, which, unless there are massive issues with the end to end process, seems slightly unnecessary. What you can do however, is build this into a monthly higher level control. See here about Finance Key Controls: https://www.myauditspot.com/post/finance-key-controls. Keen to know which approach you decide to take. Thanks!