Master Data And Data Controls
An organization discovers that the same customer exists in its CRM, billing, and shipping systems under three different names with three different addresses. This is best described as a:
Master data quality problem - duplicate and inconsistent records across systems indicate a lack of master data governance and a single authoritative source.
Data encryption failure exposing customer data to unauthorized modification.
User access control problem requiring additional access restrictions.
System integration failure caused by API connectivity issues.
Explanation
Duplicate customer records with inconsistent data across systems are a master data quality problem - the classic symptom of inadequate MDM governance. Answer A is correct. API failures (B), access controls (C), and encryption (D) are unrelated to the described data consistency issue.
Which of the following controls most directly prevents unauthorized additions to the vendor master file in an accounts payable system?
Requiring vendors to sign a confidentiality agreement before being added.
Encrypting all vendor records in the vendor master file.
Requiring that all new vendor additions be approved by an authorized manager who is independent of the accounts payable processing function, with supporting documentation.
Running monthly reports of all active vendors for management review.
Explanation
An authorization control requiring independent management approval for new vendor additions directly prevents unauthorized vendor creation - a key preventive control against fictitious vendor fraud. Answer C is correct. Encryption (A) protects confidentiality. Monthly reports (B) are detective controls. Confidentiality agreements (D) are legal controls, not data entry controls.
A company finds that its customer master file contains records for 800 customers who have had no transactions in the past three years. The most appropriate action is:
Review inactive records against retention policies and applicable regulatory requirements, archiving or inactivating records as appropriate while maintaining required records for the mandated period.
Encrypt the inactive records to protect them from unauthorized access.
Move all inactive records to a separate, unauthorized-access database.
Delete all inactive customer records immediately to clean up the database.
Explanation
Inactive master data should be managed through a formal review process - some records may need to be retained for regulatory or legal purposes while others can be archived or inactivated. Answer D is correct. Immediate deletion (A) may violate retention requirements. Encryption (B) doesn't address inactivity. Unauthorized database access (C) is not a data management control.
Which of the following is the most effective control for detecting unauthorized changes to the vendor master file?
Encrypting all vendor records to prevent unauthorized modifications.
Restricting access to vendor master data to read-only for all employees.
An automated report comparing all vendor master file changes to approved change requests, with unexplained changes escalated to management for investigation.
Requiring all vendors to confirm their information annually by mail.
Explanation
Comparing master file changes to approved change requests is a detective control that identifies unauthorized modifications - directly linking changes to authorization evidence. Answer A is correct. Encryption (B) prevents reading, not modification by authorized users. Vendor confirmation (C) is a separate reconciliation process. Read-only access (D) prevents all changes including legitimate ones.
A company's employee master data record is updated when an employee changes departments. Controls require the HR system to automatically update the payroll and access management systems. An auditor finds that access management was not updated in 12 of 50 sampled department changes. This finding indicates:
The access management system does not support automated updates.
The HR system has insufficient capacity to process all employee changes.
A minor documentation issue that can be resolved with a memo from the HR department.
An interface or automated provisioning control failure - the HR-to-access management integration did not consistently update access rights when employees changed departments.
Explanation
A 24% failure rate in automated access updates represents a significant interface control failure - employees who changed departments may have retained inappropriate access to their former systems. Answer C is correct. Capacity issues (A) would affect all updates. System support (B) would produce 100% failures, not 24%. The financial and security implications are not minor (D).
An organization implements a data stewardship program for its customer master data. A data steward's primary responsibility for master data is to:
Monitor and enforce data quality standards, resolve duplicate and inconsistent records, and serve as the accountable party for the accuracy and integrity of customer master data.
Back up the customer database on a daily basis.
Encrypt all customer records to comply with data privacy regulations.
Restrict access to customer data to the sales department only.
Explanation
A data steward is the operational accountability role for master data quality - monitoring quality metrics, resolving issues, enforcing standards, and ensuring the data remains accurate and fit for use. Answer C is correct. Encryption (A), backup (B), and access restriction (D) are IT operations and security functions, not data stewardship roles.
An organization's payroll system maintains an employee master file with salary and bank account information. An auditor reviews controls over this file and finds that payroll staff can modify bank account numbers without any secondary approval. The primary fraud risk is:
Employees will have difficulty receiving their pay if accounts are changed incorrectly.
Payroll staff may change bank accounts for legitimate employees who lost access to their accounts.
Payroll staff could redirect payroll funds to personal accounts by changing bank account numbers for other employees, a form of payroll diversion fraud.
Bank account changes will cause payroll processing to run slower.
Explanation
Unrestricted bank account modification in payroll is a direct fraud risk - payroll staff can redirect employee pay to accounts they control. This is one of the most common payroll fraud schemes. Answer D is correct. Legitimate reasons (A) do not eliminate the fraud risk. Processing speed (B) and payment receipt (C) are operational concerns, not the primary fraud risk.
A company's price master data contains approved pricing for 50,000 products. An auditor finds that 127 products have negative prices in the master file. This represents:
A minor finding since only 0.25% of products are affected.
A system configuration setting allowing price promotions.
Normal pricing variations within acceptable business rules.
A data quality control failure - negative prices are likely data entry errors or unauthorized modifications that could result in customers being paid to purchase products, causing revenue and financial reporting errors.
Explanation
Negative prices in a product master file are a significant data quality error - they could result in credit invoices being generated instead of sales invoices, directly affecting revenue. Answer A is correct. Price promotions use discount structures, not negative prices (B). Negative prices are not normal (C). The financial impact of 127 products could be material (D).
Which of the following represents the primary risk of maintaining outdated or inaccurate customer master data?
Customer service staff will have difficulty navigating the customer database.
Marketing campaigns will be less effective due to outdated customer preferences.
Billing errors, shipments to wrong addresses, incorrect tax calculations, and inaccurate accounts receivable records could result from using stale customer data in transactions.
The customer management system will require additional storage capacity.
Explanation
Inaccurate customer master data cascades through all downstream processes - billing, shipping, AR, tax calculations - because transactions reference master data at the time of processing. Answer C is correct. Storage capacity (A) and navigation difficulty (B) are operational concerns. Marketing effectiveness (D) is a business concern but not the primary data integrity risk.
An organization's ERP system is configured to prevent the same bank account number from being assigned to more than one vendor. This system control is best described as:
An access control restricting which users can update vendor bank accounts.
An output control that generates alerts about suspicious vendor payments.
An input/master data validation control that prevents duplicate bank account numbers in the vendor master file - directly blocking a common fictitious vendor fraud technique.
A processing control that validates bank account numbers after payments are made.
Explanation
A uniqueness constraint on bank account numbers in the vendor master file is a preventive input control - blocking at the data entry stage the creation of multiple vendor records pointing to the same bank account. Answer D is correct. Processing controls (A) and output controls (B) operate after entry. Access controls (C) restrict users, not data values.