- As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
- As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
- Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
- How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
Comments
Sean Patrick Walsh says
2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
I think the IT personnel should understand basic finance and accounting principles. More importantly, I think IT personnel should be properly trained to understand the areas of finance and accounting where fraud is most likely to occur. By training the IT personnel to properly identify where fraud is likely to occur when it comes to money, those personnel are an added “set of eyes” on process functions that are handled with and by technology. Being trained, they are more likely to develop a control and risk awareness mentality and they can leverage their expertise in a system or process handled by their software/hardware, and make recommendations on where, when, and how fraud can take place in a business function or process. If those personnel do not understand basic accounting and finance tenets, they can develop and implement a process function that easily allows fraud to take place.
Brou Marie Joelle Alexandra Adje says
Good point Sean. If the IT personnel know enough about Finance and accounting it will be easier for them to catch “red flags” when testing software, for example. But should companies hire IT people with already a basic understanding of accounting and finance or should they spend time training them? I mean should finance and accounting knowledge be mandatory for IT personnel?
Sean Patrick Walsh says
That’s a good question, and like just about any good question I suppose “it depends.” It may come down to how fast the business needs those IT personnel up to speed with the knowledge needed to know where to place controls. A business that needs those personnel immediately might market the job positions with that requirement. Whereas, a business that has some personnel currently, or is training some, might not need the personnel they’re going to hire already knowledgeable since the need isn’t as pressing due to time. Also, the business might be wise to create an annual/semi-annual training topic for its IT personnel to continue to reinforce finance and accounting principles.
Said Ouedraogo says
Brou,
I think it is better to hire IT people with a basic understanding of accounting and finance because training is costly and time consuming. Businesses want to be productive. Why would they waste time and money in training if they can hire someone with the qualifications they are looking for?
Sean Patrick Walsh says
A business may actually prefer to train personnel over hiring personnel already trained for one simple reason; to avoid bad habits. By training its personnel itself, a business can assure that its personnel are being trained to do something properly, or at least how the business wants something done, and prevent the personnel from developing bad habits in the areas it wants them well versed in. It’s a lot easier to train somebody to do something correctly the first time than to try and instill correction after the fact.
Seunghyun (Daniel) Min says
Sean, I agree with your point. I also think it would be more effective to train someone than to hire already trained personnel. When people are trained in a certain way, they then tend to do it in the way they were trained in the first place. It would take time and cost to train them; however, the bright side is that they will be trained to perform in the right manner.
Those pre-trained personnel sometimes cause an issue because they want to continue doing what they have been doing because they are so used to it. And they are reluctant to be changed.
Mansi Paun says
Great post and discussion, Sean. I too agree with your point about preferring to train personnel rather than look for someone with a specific combination of accounting and IT skills. As you pointed out, it’s easier and more reliable to train a person as per the job requirements. In addition, it is also quite difficult to find practitioners with combination skills and experience. Such an employee would be difficult to come by, costly and require significantly more time and effort. Instead, training and grooming employees as per business needs would be a better option.
Fred Zajac says
I believe it depends on the new hire position.
If it is a low level, they don’t need too much business knowledge because they will learn this from attending meetings and watching how the managers interact with business leaders.
If it is higher level positions, I believe it is expected that the IT person have a solid overview of business, what the company does, the systems in place and why they are in place, and the presentation skills to show the future of IT.
This is purely situational.
Yulun Song says
Sean, great post. You pointed out the fraud perspective of finance/accounting people. It is true that most frauds happen on the finance or accounting side because people care more about money. I think our program is the one good program to recommend us to have business background and then learn IT concepts and other related knowledge. I think that is really similar for the reason that businesses require IT people to have accounting or finance basic knowledge.
Deepali Kochhar says
Rightly pointed out, Sean. I believe that it depends on the kind of business an IT Personnel is handling. If we take an example where an IT person needs to audit the FICO Module of ERP, in this case the personnel should have basic to medium level of understanding of finance so that he can check the transaction records and determine necessary controls. Whereas if a personnel is working on some business such as an IT application which doesn’t have financial domain, in that case it is not necessary for an IT personnel to have knowledge in finance.
Priya Prasad Pataskar says
I believe that personnel in IT must definitely have knowledge in accounting and finance. As Sean pointed out, to understand what can go wrong in a system, first we have to understand the system and business is. ERP is so well integrated with business processes and the controls are the driving factor for a well managed ERP, a person handling ERP must be comfortable to work with jargon in accounting. I think accounting and finance training, so that companies can hire an IT expertise. More than the basic accounting and finance knowledge, I think the personnel must be well versed with business, domain knowledge and workflow of the company.
Sean Patrick Walsh says
3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
Taxes might be handled differently. The US has a sales tax, but it isn’t applicable in every state, nor with every customer. When I was in the US Navy and had to make a government purchase from a local vendor the purchase was a tax-free purchase. Many other countries have many different types of taxes, and they can be calculated very differently. Controls may have to be implemented to have separate personnel who enter tax information and calculations in an ERP manually.
The billing/invoice process may be different internationally when compared to domestic policy in the US. Domestic policy allows the issue of an invoice at each individual purchase made, or at the end of a billing cycle (i.e. cellphone, electricity, water, etc.). Nations outside the US may have specific regulations in place regarding billing and invoice issue. A country may have a policy that no charge can be placed until an actual transfer of goods/services occurs, so the ERP system would have to implement a control to make sure the invoice is not issued until the order is fulfilled completely.
Deepali Kochhar says
In addition to your points I would like to add one more point. An international company would require a control to manage currency difference which is not required for a domestic US company.
Also an international company would need a control to manage the time zone for each of the countries where they have their operations.
Joshua Tarlow says
Definitely agree that currency and time zones are important areas to implement controls. Without proper controls for currency, the wrong amount can be linked to the wrong country’s currency, which would corrupt the data and accounting/financial applications. Can either increase or decrease the value depending on the currencies in question. Also, some countries may have currency that is more volatile than others such as emerging markets where it would be necessary to update the exchange rates frequently. The time zones are also crucial because it can allow inaccurate shipment dates to be entered, or show inventory that is not available.
Said Ouedraogo says
Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
Accounting and financial reports differ from one country to another. When doing business domestically the company must implement controls that will comply with GAAP and SEC rules. However, when doing business at an international level, the company must follow the accounting rule of the host country. For example, some countries have a VAT (value added tax) which is a tax on the amount by which the value of an article has been increased at each stage of its production or distribution. In this specific case the company would have to implement controls to avoid frauds.
Sean Patrick Walsh says
Said,
I totally forgot about GAAP until I read your post. If a company was doing business in Canada, Brazil, or the EU for example, it would have to use IFRS standards instead. That difference could definitely create another step for a business when consolidating accounting report information quarterly and yearly in either the domestic location, whether GAAP or IFRS is the standard, and the foreign locations if they are the opposite standard. Each standard might have different areas where fraud can occur, and may need different types of controls to mitigate the opportunity for fraud.
Paul Linkchorst says
Hi Said and Sean,
At first when I read that the difference between GAAP and IFRS could cause differences in internal controls, I was a little skeptical. However, you are right in that the accounting standards call for some different processes which require a whole new set of controls. As you stated, one of those steps includes the consolidation process. After doing some research, it turns out that quite a few processes require differences in internal controls such as Tax, Legal, R&D, Treasury, and marketing/sales. If you wanted to read a little more in the differences I linked the article I found below.
Article: https://na.theiia.org/iiarf/Public%20Documents/International%20Financial%20Reporting%20Standards%20IFRS%20What%20Internal%20Auditors%20Need%20to%20Know.pdf
Said Ouedraogo says
As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn?
I think IT personnel should have a certain understanding of finance and accounting. In fact, the IT personnel should have the minimum knowledge of accounting rules. Even though numbers don’t lie, it is easy to play with them and commit fraud. The IT personnel should be able to identify accounting discrepancies. In fact, having a finance/accounting background plus his/her IT skills will allow him/her to see irregularities in the system.
Brou Marie Joelle Alexandra Adje says
Food for thought:
IT personnel interact with business representatives including the accounting and finance department to determine the technologies required to align with the needs of the business. Hence, a clear understanding of how business users build, access, share and use data helps the IT department to design and implement solutions that can enable the business to operate effectively and efficiently. In that sense, do you think that IT personnel should actually be familiar (to some extent) with every main business function (marketing & sales, human resources, accounting, finance) within the company?
Sean Patrick Walsh says
You bring up a good question. I think IT personnel should know some basic and important principles about the business area they are assisting within, but I think more in depth knowledge would probably be with a business analyst or project manager. The BA/PMP’s purpose is to fully understand the business needs for a function or process when it comes to leveraging IT to make it more efficient or possible to my understanding. So I think those personnel would be the type that would have the more granular knowledge in any particular business function or process. What do you think?
Said Ouedraogo says
Sean,
You are right, but I think the IT personnel should have a deep understanding of the business function they are assisting. Understanding the business function will allow them to present more specific solutions.
Priya Prasad Pataskar says
I agree with your points in this entire discussion. The domain and business knowledge is necessary for systematic execution of IT functions in ERP. This knowledge can only be obtained by experiencing the business processes thoroughly. More than training, knowledge transfer sessions, shadowing a senior will be more helpful to get accustomed to the business.
Said Ouedraogo says
Brou,
I think the IT personnel should be familiar with every main business function. As you said, the “IT department [use data] to design and implement solutions that can enable the business to operate effectively and efficiently”. How would the IT personnel be able to design and implement solutions if he/she is not familiar with the business function he/she is designing the solution for?
Fangzhou Hou says
I agree with you Said, and it’s good that you mentioned the potential fraud. Indeed, IT personnel already have technical skill in programming or developing the information systems. However, if they don’t have basic understanding of function concepts of finance and accounting, they may never know what those exact numbers mean. In that way, the users of the system are able to fix or enter incorrect data. Since the IT personnel lack the functional knowledge of finance and accounting, they may not find out what’s going wrong, and not be able to stop the potential fraud.
Magaly Perez says
1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
If I were responsible for the Finance/Accounting controls for the company I worked for, I would manage the risk coming from the non-financial functions jobs by tightening our Finance/Accounting controls. I would make sure the controls that I had in place were properly secure in the realm of our duties. I would make sure that no other non-financial functions were able to access our Material Master Information Data or any data that was not already provided to them already based on their departments function. If non-financial functions needed any information in regards to the P2P or the OTC process they would need to go through my Department to get the data needed and from there we would properly distribute the data information if needed and document the information that was given and to whom it was given to. I wouldn’t be able to directly implement controls to the non-financial function job sectors, but I indeed would be able to make sure our controls are safely in place to protect the integrity, confidentiality and accessibility within our department by securing our environment but as well as our customers general data.
Not only that, I’m a firm believer of providing education throughout the whole department. I would have suggested classes or informative discussions or work with management within each department and explain the risk that each department has on other departments. With today’s ever increasing knowledge of technology each department as well as IT needs to be familiar with the associated risk involved throughout the processes of the business realm.
Paul Linkchorst says
Hi Laly,
I would consider myself a firm believer of cross training employees throughout an organization as well. My reason for believing this is that the more an organization’s employees understand the different processes of the business, the better they can work and collaborate with other members of the business. With that being said, I do think there are checks and balances. Should we train a salesperson in detail how to receive and enter payments into the system? I would say no. However, should a salesperson understand who is responsible for receiving payments and possibly understand how the data flows? I would say yes to that. What do you think? Could there be some risk for too much cross training?
Magaly Perez says
Paul,
Yes, I believe cross-training is okay for certain functions but definitely not all. I think employees should know and understand the grand scheme of these in regards to the business as a whole and everyone’s functions. The more educated they are about the processes understanding I think it would allow for a seamless flow of business.
To answer your question, yes there can definitely be some risk involved with too much cross-training. A key factor to consider is allowing any single employee too much access to information. Segregation of duties is an important facet; there are reasons that security access of different levels is given on a need to know basis depending on job description, so it is very important to judiciously select which employees will be chosen to cross train for specific jobs. For example, you don’t want someone gathering sales figures learning how to do accounting and depositing tasks because that opens up room for fraud.
Magaly Perez says
2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
As stated in my response to question 1, I think learning is key and detrimental to a company’s growth and maintains stake within the market. I think finance and accounting knowledge should be at a basic understanding knowledge in retrospect to the environment they are working for, i.e. IT personnel. The IT personnel supporting a business’s application should indeed have a general understanding/concept of what is the process and function of that application they are supporting in regards to the business function itself. The general basis behind my response is if the IT personnel does not have the foundation of finance/accounting while supporting an application they might not fully understand what realm of the application should not be intersecting or the severity of the database’s integrity and confidentiality. If they have this basic understanding they will not only be able to strengthen the system’s application but also be able to tailor their support/maintenance to certain facets that might need more than others. Overall, by providing the general understanding, in terms of working knowledge to the IT personnel would allow them to execute their job more efficiently as well as produce a sufficient/efficient support to the application process for the users.
Binu Anna Eapen says
4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
I think it is necessary for people responsible for general IT controls related to Network, workstation, Server and database security to know about how the ERP system functions. I guess the basic idea of the workflow and the processes, risk associated and controls that need to be applied to each business function can help them design the audit controls better.
Additionally, an ERP like SAP includes environment security components like network security, workstation security, OS and database security. SAP provides security to network defining who can access the applications or the servers. It also offers recommendations for network topologies, which include the SAP Web Dispatcher and SAProuter to protect the local network. The use of an SAP Web Dispatcher can conceal the host name and the ports of the application server. SAP Security team will have to closely work with the IT team to develop and control security measures for the organization.
Ming Hu says
Nice post, Binu. Simply speaking, if they don’t know how the ERP system works, how could they conduct control? Only fully realizing how ERP system works can general IT controllers execute effective control, that is only realizing what to control can you decide how to control. For example, like you said “security”, going through the whole ERP system and each of its business process, you may gain an overview of associated risks, then you can move forward to determine how to control these risks.
Wenlin Zhou says
As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
Financial management is a crucial aspect of any thriving business. Profit maximization, or stockholder wealth maximization, are two real concerns for any organization – and they depend on solid financial decisions. To make good decisions, management needs good information. And that information comes from the accounting system.
From the accounting system come the financial statements. These statements contain important information about the organization’s operating results. This information is important for effective management, and financial control. As a manager, or any other person with financial responsibility, you have to be able to interpret this information yourself.
Businesses record their performance in standard formats called financial statements. The most common of these are: Balance Sheet (also known as a Statement of Financial Position, or a Statement of Financial Condition); Income Statement (Statement of Profit and Loss, Statement of Earnings, Statement of Operations); Cash Flow Statement.
Fangzhou Hou says
Exactly, I agree with you that management needs information to help them make good decisions. With the help of information systems and databases, separate information now is gathered and meaningful, which allows decision makers to better understand the business. Developing these information systems and databases requires IT personnel to have basic understanding in the finance and accounting.
Joshua Tarlow says
Definitely agree. That basic knowledge not only helps them deliver relevant information, but also to know what management is looking for without being given specific items each time. It can allow IT workers to be more efficient and proactive, and not only reactive to senior management.
Yu Ming Keung says
I have never thought that accounting knowledge can help them make better decisions. I definitely agree. IT personnel who have basic knowledge can also have a better communication with the finance department and it would help the other employees to better understand the IT system.
Wenlin Zhou says
How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
Network Security Task Force consulted with IT security professionals on campus about concerns with the current state of security in ERP systems. From these conversations, it was clear that security issues generally fell into one of two areas:
- It has become extremely difficult to understand how to securely configure an ERP system and the myriad of products purchased to integrate with it—products like report generators, data warehouses, learning management systems, imaging systems, portals, and others.
- The overhead of managing access and authorization roles—for both the ERP and third-party software integrated with the ERP—is huge. Institutions said they had backed off from using role-based security because the overhead of managing it was just too high. For example, rather than setting up fine-grained role access so that only biology faculty can see the records of biology majors, an institution might set up one role called “faculty” and allow all faculty to see the records of all students, thus increasing the opportunity for data misuse and violations of data privacy.
Resource: http://er.educause.edu/articles/2007/11/a-security-checklist-for-erp-implementations
Abhay V Kshirsagar says
Wenlin,
Great post. I would like to add a point about “integration” of different systems. There was a time when organizations were adopting different systems to increase their digital quotient. Now, the trend is to integrate different systems as a whole to increase efficiency in organizations.
Data redundancy reduced, and organizations ended up saving a lot of time. Since it integrated almost all the systems, it also increased different risks. Meaning, for instance, if there is a text field in a CRM system that is used by your customers to fill forms, if cyber-security control to process forms is absent that is a vulnerability, which doesn’t just expose the CRM, but also the other systems that are integrated with it. There are endless possibilities of attacks on such big systems. So, I think this is why it is important for people who design Network and workstation controls to also understand not just how an ERP system works but also how they are integrated with other systems.
Binu Anna Eapen says
2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
An IT personnel who is supporting business application should have a general understanding of finance and accounting concepts. Though in real time I don’t think it is necessary to support business applications but it helps him understand the vulnerabilities that exist in the program and develop means to correct it. If he/she doesn’t know what to protect from, it is difficult to formulate security controls for the application. Having a knowledge on the threats that each process may face gives the IT personnel enough leverage in supporting and protecting the application from data theft or fraud.
Mansi Paun says
Well put, Binu – although an IT personnel supporting Business application might not be using or be required to use Finance or Accounting knowledge, it would help him/her to better understand or even identify the vulnerabilities in the process and formulate the steps to mitigate them. On the other hand, not having finance or accounting knowledge could be equivalent to having a blind spot – the staff might miss obvious failures and acts of fraud even if it were right in front of them.
Brou Marie Joelle Alexandra Adje says
2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
The same way accounting and finance people need to have basic computer skills, the same way IT personnel need to have basic knowledge in the two fields. In fact, accounting/finance and technology job skills can go hand in hand. The use of a number of finance-specific software programs is increasing nowadays. In order to develop or implement proper business applications to respond to the need of the accounting and finance department, IT personnel need to know the basics of finance and accounting including reading financial statements, and making sense of different accounting accounts. For instance, if a company wants to make their accounting process easy by utilizing a computer program or other system that will perform payroll and other functions, IT personnel need to be able to know the different accounting processes in order to create efficient system, including accounting software that would make it easier to compile financial data.
Yu Ming Keung says
Hi Alex,
Nice post, I like that you mentioned the fact that accounting/finance and technology skills should go hand in hand. IT personnel have to fully understand the specific accounting/finance software, but if they don’t have general knowledge or don’t know how to read the accounting process and document, how can they be able to support the other function in regards to the alignment of business objectives with the IT functions?
Brou Marie Joelle Alexandra Adje says
1. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
Before entering into an international supply agreement, companies should ensure that they are aware of all international regulations that might affect the purchase, including export compliance in the foreign market and import controls in the domestic market.
In fact, international companies need to have some form of foreign exchange control, which means that exporters must provide proof that they will be paid by the importer before they will be permitted to export valuable products.
Domestically, import controls safeguard U.S. importers from the imposition of monetary fines and penalties.
Wenlin Zhou says
Exactly, I agree with you. Companies operating in emerging markets face heightened corruption risks, increased oversight, and the need to comply with an increasing number of anti-corruption laws. International companies should focus on the compliance control; different countries have different regulations.
Joshua Tarlow says
Think one of the larger risks for a US based company that operates internationally is the Foreign Corrupt Practices Act (FCPA). It is broadly worded which makes controls harder to define. Especially for emerging markets, as noted above, face systemic corruption. In fact, it may be considered the cost of doing business in a particular country to bribe, which would violate FCPA. Strong controls would be essential in this example to avoid regulatory issues.
Yulun Song says
1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
If I were responsible for finance or accounting controls for my company, I would manage the risks coming from these non-financial function jobs by building more secure finance or accounting controls. First, I would build a secure finance or accounting department control to ensure that the controls are fully functional for this department and make its environment secure. Second, I would build an access control for finance or accounting people and non-finance or accounting people. Finance or accounting people have limited access based on their positions and duties, and I would not authorize access (including physical and digital) for non-finance or accounting people. Third, I would recommend to our CIO that we need to train people at least twice a year to increase IT security awareness, so that not only finance/accounting is under control, but all others will benefit.
Deepali Kochhar says
Great points, Yulun. To add to your point, I would also manage the logs and keep timely track of those logs. This will help in tracking the incidents and the activity log of who entered the transactions into the accounting record and when. This will thus help in easy tracking and mitigation of any wrong occurrence.
Priya Prasad Pataskar says
Many non-financial functions have the capacity to direct the smooth functioning of the business. As a member of the finance team I would ensure that the investment in procurement of raw materials is appropriate. As part of the accounting team I would also ensure the correct credit check is done before the order is approved, so that the order will be placed correctly and there will be minimum concerns with collections and return of goods.
Yulun Song says
Great point! I think the logon tracks are really helpful for business control!
Binu Anna Eapen says
I agree with you, Yulun. Proper segregation of duties, defined access controls and educating the employees are great controls to avoid risks from non-financial business functions.
Properly assigning duties and giving access on a need basis can mitigate most of the risks.
And if an access is given for particular account, proper termination of those accounts or removal of access should be done once the activity is over or if that employee is terminated or has left the project.
Yulun Song says
2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
IT personnel supporting business applications should know and learn basic accounting or finance knowledge, for example, the basic balance sheet, income statement and cash flow statement, which items are assets, liabilities, or equity, plus which ones are debits or credits. These basic terms are really important for all persons within an organization because people see them frequently. IT people should know these basics because they will increase the efficiency of work supporting business applications.
Brou Marie Joelle Alexandra Adje says
Yulun, I am actually tempted to say the opposite. When I think about it, usually job descriptions for auditors or accountants require knowledge of IT, but rare are the cases when I came across a job description for an IT position requiring finance or accounting knowledge.
Wenlin Zhou says
Alexandra, I do not agree with you. Traditional accounting will be combined with IT technology; this is a developing industry. In the future, accounting or finance employees should know IT.
Yulun Song says
Alex! It is true that in job descriptions, it is rare to see that IT people need accounting knowledge, and for CS development people, it becomes impossible to let them read accounting balance sheets during their work. However, for us, IT auditors within business school, it becomes a requirement for IT-related jobs.
Said Ouedraogo says
In fact, it depends on the IT position. For an IT Auditor, I would say that it’s mandatory to have a financial background. One role of the IT Auditor is to find how people can use IT to commit financial frauds. How would he/she be able to do that if he/she has no financial background?
Wen Ting Lu says
Great points! It totally depends on what IT position you are applying for. An IT auditor needs basic accounting knowledge, such as being able to analyze financial statements and knowing the debit and credit side for the general entries, and, in addition, being able to identify the financial risks when looking at financial reports, etc. It could be difficult for someone who doesn’t have any accounting or finance background to work in an IT auditor position. On the other hand, for an IT programmer, whether he or she has an accounting or finance background is not that big of a concern.
Abhay V Kshirsagar says
Alexandra,
You do raise a good point here. However, I believe that although job descriptions for a Systems Analyst position may not say that you are required to know about basic financial accounting, there is a good chance that the employee will have to learn some basic concepts in the future.
For example, I was working as a Technology Analyst and my job description never mentioned anything about accounting nor finance. My company used NetSuite ERP system, where I was assigned a project to gather requirements from the logistics and accounting function. I ended up reading a lot about accounting in order to understand the work flow, which helped me a lot while work flow designing.
So, in retrospect, I do think that if I had the basic financial accounting knowledge, it would have saved me a lot of time.
Brou Marie Joelle Alexandra Adje says
4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
IT is driving business growth and it is now part of corporations. One of the main goals of ERP is to facilitate the flow of information so business decisions can be data-driven. ERP software suites are built to collect and organize data from various levels of an organization to provide management with insight into key performance indicators in real time. SAP is the most commonly used ERP software and people responsible for general I/T controls need to know how it works.
Wenlin Zhou says
Absolutely, I agree with you. SAP is a commonly used type of ERP system, which collects and organizes data to provide information to managers to make decisions. General I/T controls should protect SAP system integrity, availability and confidentiality.
Seunghyun (Daniel) Min says
Alex,
Nice post. You are absolutely right about the ERP system helping management oversee its organization from an operating perspective. That is, the ERP system is the key to running their business effectively and efficiently. To that end, the personnel who are responsible for I/T controls should have a good sense of how the ERP system works within their organizations in order to protect their important data/information assets.
Mansi Paun says
Rightly said, Brou. In addition to the points you made, IT personnel also need basic ERP understanding for performing their own roles well. Knowing the risk-prone areas could help IT personnel manage the system better from a security controls perspective. It could also help in Disaster recovery planning as the personnel would be able to point out what data is critical and needs to be recovered in case of a major incident.
Seunghyun (Daniel) Min says
Q2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
I think it is imperative for IT personnel to be aware of the financial/account related terms and concepts, especially if the personnel are supporting business applications. As I am learning more about the SAP ERP system, I really wish that I had more finance and accounting knowledge in my background. Using the ERP software is not only knowing how to use the software, but utilizing the software to process/manage/maximize the business operations. In order to do so, besides knowing the technology, understanding the concepts of how the business is operated in terms of finance/accounting would be crucial, specifically when working with A/R, A/P, Payments, etc.
Yulun Song says
Good post, Daniel. It looks like IT people do not need to know about accounting or finance; however, when we started studying the SAP system, we did need to have the ability to read accounting or finance terms to finish our job (homework). It is really necessary for IT people.
Joshua Tarlow says
Absolutely, not understanding accounting terms can prevent an employee from properly using the SAP system. As noted above, our homework cannot be completed without a basic understanding of accounting. For a full time employee using SAP, it is all the more important.
Seunghyun (Daniel) Min says
Joshua- I heard the term that Accounting is a business language. I can’t agree more with that being said. Accounting is the very basic elements of the business operations. Paying for goods and receiving money for selling products are simple transactions; however, they are what Accounting is all about. Having said that, when I use SAP in class to complete our assignment, personally, I think about Accounting more than how this ERP system works.
Paul Linkchorst says
I’ll add my two cents into the conversation. You are right Dan that accounting can be seen as the language of business. If one were to think of it, any action a business takes should be reflected somewhere on the financial statements. Even if an employee is just thinking about what is best for the business, that will be added to the financial statements through a payroll expense. Therefore, by understanding accounting, you can understand how each action, resource, or debt ultimately turns into a piece on the financial statements. Since SAP is ultimately a way that consolidates the actions, resources, and debts into one IT system, it is beneficial for anyone who comes in contact with SAP (even IT personnel) to understand some basic accounting principles. One could even argue that programmers and information security professionals could benefit by understanding basic accounting knowledge. However, I think it is more important for professionals who work more with SAP that will benefit more by understanding this subject.
Vu Do says
Good point, Daniel. The financial/account terms are very important to learn since they must understand what exactly A/P and A/R are and how it is not related. It is very important when transferring or getting information to know what you are reading. Many of the databases contain these financial terms, so understanding them is crucial to know what you are doing or looking for specifically. Like Yulun mentioned, when using the SAP system, we came across these terms and we must understand what they mean in order to know what to look for.
Fangzhou Hou says
Question 1: As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
If I’m responsible for Finance/Accounting controls for my company, the first thing I would do is identify the risks coming from the non-Financial function jobs. For example, within the P2P process, the shipping process carries the risk of damage to or loss of the packages. Moreover, both the P2P and OTC processes carry the potential risk that the system may be cyber attacked. To mitigate the risks, effective controls are necessary.
Before implementing specific controls, I will evaluate the damage and frequency of the risks and identify which types of risks they are, and which types of controls can mitigate the risks. Furthermore, from finance and accounting’s perspective, balancing the cost and benefit of the controls is very important. If the company is a new start-up, maybe transferring the risks to a third party, such as by purchasing insurance, is an alternative choice for the decision maker. But if it’s a major public company with valuable information assets, high-level perspective controls like firewalls and antivirus software are necessary.
Vu Do says
Agreed, Fangzhou, it is very important to evaluate the potential risks that can occur first before implementing controls to mitigate them. You have to calculate the severity of the risk and check the frequency of the risk. That way you can measure the importance of what to protect and where to put specific measures in place to prevent that type of risk from happening. You have to make sure that the risks coming from the non-Financial function jobs do not have any effect on anything that can affect the financial data. If so, there must be measures in place to stop it in its tracks so that the data does not get infected.
Fangzhou Hou says
Question 2: As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
Generally, IT personnel already have technical skills in cyber areas, but for supporting business applications, they should also learn the basic concepts of finance and accounting so that they can have a basic understanding of business. As IT personnel, they might not need to learn overly specific knowledge of finance and accounting, but they do need to understand some general ideas.
More importantly, business is about maximizing the benefit of shareholders and maintaining the profitability of the company. To achieve this purpose, upper management needs to make good decisions based on the gathered information. Therefore, it’s very important that IT personnel supporting business applications have an understanding of finance and accounting, because this can better help them develop the IT system to support the managers’ decision making.
Fred Zajac says
Fangzhou,
Great point about knowledge of business will help them develop IT systems to support the decision making. It might be difficult to see all of the time but the business decision makers are responsible for increasing the value of the company. This is achieved by generating more revenue or reducing the expenses.
If the IT personnel know this, it will be easier to explain how the IT project will accomplish reducing expenses, generating revenue, or both.
Deepali Kochhar says
Q2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
Business processes within an ERP system demand a fair knowledge of Finance. For this reason, IT personnel supporting business applications such as ERP and handling processes such as Procurement and Order to cash should have a good understanding of finance. Such processes involve handling balance sheets, general ledger and so on. The success of such business applications depends on the domain knowledge of the person working on them.
But in case if there is an internal business application such as to manage and support the website of the organization, the IT personnel will not require much knowledge in Finance.
Priya Prasad Pataskar says
I agree with you, Deepali. What background knowledge is required depends on the business process the person is handling. Every business will have its own processes and tools; application and transfer of knowledge will be easy if the basics are clear.
Ex. It will be easy for a recently hired project manager to handle FICO if he was performing the same duties in his earlier organization. But the difficult part is to understand the processes of the new company. Transactions will be the same but processes might vary.
Paul Linkchorst says
Hi Priya,
Your comment made me realize another reason why IT personnel should understand accounting/finance processes and why accounting/finance personnel should understand IT. That reason is career advancement. I think for new staff and new employees to an organization, they should focus on specializing in their area and becoming competent in their field first. However, as those personnel advance in their career it becomes more important to sometimes see the “big” picture and being able to understand accounting as an IT personnel or IT as an accounting personnel will help in that sense. I also think it is easier when you have spent quite a number of years with an organization to understand how the different processes and departments work together. I think what makes understanding different parts of a business more attractive is the ability to communicate to different functions in “their language” which is a key skill to have in a management position.
Magaly Perez says
4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
I believe that it is very important for the people whose responsibility is to generate the general I/T controls to know how ERP systems work. I think they should at least have that basic understanding and foundation of the ERP functions as a whole. By understanding the flow of the process along with integrated applications that collect, store, manage, and interpret data from product planning, manufacturing, service delivery, marketing and sales, and inventory management, they would be able to understand the risk associated with the process, as well as see what controls need to be applied within each business function as they are integrated differently within the application software itself. While creating these controls and understanding the functionality of the software they can cater the controls specific to each realm’s network to make sure certain controls are in place to prevent access vice versa (i.e. encryption, VPNs, malware screens, etc.).
Said Ouedraogo says
Magaly,
You’re absolutely right. As they are the ones generating all the controls, they need to understand how the ERP system works. It is just common sense. You can’t protect a system if you don’t know how it works.
Binu Anna Eapen says
I think if the question is only related to general IT controls related to Network, database or workstation then there is no need for IT personnel to understand ERP and its processes. Obviously knowledge about anything only adds value to the person and gives him a better understanding and a different viewpoint in finding solutions to existing problems. If the IT controls we are talking about are directly related to the ERP processes and functions, like the system used for maintaining the ERP application, the database etc., then the IT personnel need to know where the risks lie and ways to protect against them.
Magaly Perez says
Thanks for the input, Binu. However, I mean that across the entirety of the functions of ERP the IT personnel should know the flows and facets of ERPs so they are able to set up and secure networks, databases, and workstations in accordance with departments; without the in-depth knowledge, how are they able to understand what controls to implement and what functions of the process have the most risk associated? Overall, in the grander scheme of things I think the people responsible for general I/T controls should know ERP’s functions.
Magaly Perez says
Exactly, Said!
I know if I were a business owner I would want to know that the general concepts and understandings of the ERP system are known so the people implementing those I/T controls know how to secure it or the risk associated with those functions as well as ways to mitigate potential threats.
Vu Do says
Good reasoning Magaly, agreed they need to have basic understanding and foundation of the ERP functions. They must know the process and understand the flow of how the transaction goes from the beginning to end. Like you said, by having this understanding they are able to understand the risk associated with the process. By having that understanding, they then are able to put controls in place to mitigate the risk to keep the process flowing smoothly.
Priya Prasad Pataskar says
3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
The controls will definitely vary based on the company’s geographical extent.
1. Time zone – The time zone that the multinational firm will have to consider will be country specific. Thus the order to cash process will consider the time zone based delivery of orders and contacting the customers for collection. Payment and delivery dates will have to consider the time difference. The controls for shipping, warehousing and returns will vary as multinational firms will have orders crossing borders.
2. Government and Taxes – The billing, invoice generation and calculation will be handled differently. Unlike financial management in companies that operate domestically, a multinational company has to deal with country-specific government regulations, tariffs and taxes. The government and cultural policies will also direct the payment process. Ex. A country may not have a cash on delivery option.
3. Exchange Rate Risk – In a multinational firm the cash flows will be denominated in different currencies, and will be affected by the exchange rates that differ based on the prevailing inflation rate in the foreign countries where they operate.
4. Compliance requirements – The standards and compliance requirements may vary country wise.
Binu Anna Eapen says
Nice post Priya. Great point about the different currencies in different countries. The exchange rates vary daily and poses a great deal of understanding to have controls around it.
The government laws are different, and cultural differences and the import/export policies all need to be considered, so it becomes important to understand the business environment in these geographical locations and have good controls to protect the organization from risks.
Seunghyun (Daniel) Min says
Great post, Priya. Time zone reminded me of one of the SAP assignment questions. We had to control the time zone within the US since the business dealt with domestic customers. As you mentioned above, time zone controls will vary based on the geographical extent. If you wanted to do your business in Asia, you would need to add their calendar into your ERP system so that the delivery days wouldn’t conflict with Asian-specific holidays.
Wen Ting Lu says
You are right, Daniel. It’s very important to take the calendar key into consideration. Also, for the system to have a control like this helps the company to monitor and track the transactions. As a customer I would like to have my order shipped to me on time. Especially when doing business with another country, the company must check holidays in that country to avoid delays in shipment due to holidays.
Ming Hu says
Nice point, Priya. Compliance requirements should be carefully taken into consideration. For example, you have to comply with the laws of the foreign countries in which the company is operating, know about the different methods of calculating taxes from country to country, consider export/import restrictions and deal with the customs of different countries. Any violations may bring about horrible results.
Joshua Tarlow says
As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
An IT professional should at least have a basic understanding of business applications in addition to the IT specific to their job. Information systems are there to support the business functions, so it is important to understand what the functions and processes are. While technical knowledge is crucial, a lack of understanding about the business functions can severely hinder an IT professional’s effectiveness. Business knowledge can enable an IT professional to know where to look for fraud, understand the information system configuration and controls, and troubleshoot issues. If fraud is suspected, then a basic understanding of accounting, finance and the business operations is crucial to know where to look and what to look for. For example, how to reconcile accounts to see if they match, what accounting terms mean or even why specific controls are needed. An IT professional should be able to understand financial statements and accounting entries at a high level, otherwise the data in the ERP may not make sense.
Deepali Kochhar says
Nice post Joshua. If we talk about applying controls and troubleshooting the issues, it is good to have a basic understanding of accounting so as to select and apply the most appropriate controls.
It is always said that an IT auditor should first understand the organizational culture in order to facilitate a successful audit. Understanding the applications such as SAP being used by organization to manage their financial data is a part of understanding their culture. So if the auditor will have the basic understanding of finance and accounting it will be easy for him to understand the audit requirement and perform a successful audit. In this way it is important for an IT professional working on a business which is linked to finance and accounting to have a basic understanding of the domain.
Mansi Paun says
1. Having seen the P2P and O2C processes and their areas susceptible to failure and risks, it is evident that the success of the ERP system greatly depends on users performing different tasks throughout the process. It is possible that non-financial personnel involved with the ERP systems post to accounting records entries which could be incorrect for a variety of reasons. If I were responsible for Finance / Accounting controls, I would ensure that the following controls are put in place to ensure minimal instances of incorrect accounting information being posted:
• Involving Senior management and line management of non-financial employees and getting their buy-in so that they would implement the necessary steps to minimize incorrect accounting. In cases of failure, management would be required to revert with the action plan to rectify the issue and prevent future misses
• Effective communication with the non-financial employees
• Awareness and informative trainings imparted to inculcate an attitude of alertness towards the accuracy of information being entered
• Posters being displayed as reminders to enter accurate data
• Ensure that each instance of inaccurate data is recorded and have a 3 strike rule in place so if an employee has entered incorrect information more than twice, he or she is required to take a refresher training. Also, root cause analysis could be done to identify if there are any gaps in the trainings which the employee had taken earlier.
Paul Linkchorst says
1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
As a person responsible for Finance/Accounting controls for a company, I would recognize that controls revolving around non-financial function jobs are just as important as those controls involved in the accounting process. As we have discussed before, segregation of duties is one of the controls usually implemented around the finance/accounting processes. One could argue that in today’s world with technology doing almost all of the recording and reporting of financials, segregation of duties is created by access management from the non-financial function teams. Therefore, there is a risk that these duties are not properly segregated. One way to manage the risk is to perform some type of monthly or quarterly user access review by each department in the Finance/Accounting process. IT can provide a report to the department heads which identifies who has access to what in respect to each department, and that department head reviews and makes any corrections if necessary. If changes are to be made, the IT department makes those access changes as per the department head review. While this is not a preventive control, this will detect any users who might not be appropriate for certain access and help the finance/accounting teams verify that segregation of duties is kept.
Yu Ming Keung says
Hi Paul,
Great post. However, I don’t know how realistic it is to perform the user access review by each department in a real-case scenario. If the access to the finance/accounting process is well restricted only to the finance/accounting department, I would rather implement two-factor authentication for the ERP finance/accounting functions to make sure only the specific personnel have login access to the function. I consider it a preventive control.
Paul Linkchorst says
2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
I think it is important for IT personnel to have the skill or knowledge to understand finance and accounting. While it is not entirely their responsibility, IT’s function is to support the business objectives and the more that IT personnel understand about the business processes, the better off they can support those objectives. Going off of my Question 1 answer, IT plays a big role in segregation of duties. While a finance or accounting process member might know that a person creating an invoice shouldn’t be the one to receive it, a member of IT might not. I suggested that a monthly/quarterly user access review could be implemented to review the users who have access to that department’s functions. This would be considered a corrective control since it detects any wrong users and goes about correcting it. However, if IT had knowledge of accounting/finance functions and which to properly segregate, I would consider it a preventative measure because IT can identify users who possibly shouldn’t have access to a system and possibly double check with a supervisor to make sure access is appropriate. I think overall, if IT personnel have more business knowledge, it makes them more well-rounded and able to understand better the business functions that they are supporting.
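The periodic user access review and the invoice segregation-of-duties check described in the two answers above, together with the removal of access for departed employees raised earlier in the thread, sketched as an added example that is not part of the original posts. The role names, conflict pairs and sample users are constructed assumptions and do not come from any real ERP system.

```python
"""Per-department user access review for ERP finance functions (illustrative)."""
from collections import defaultdict

# Assumed conflict pairs: no single user should hold both roles of a pair.
# The role names are hypothetical labels, not real ERP authorization objects.
SOD_CONFLICTS = [
    ("CREATE_INVOICE", "RECEIVE_INVOICE"),
    ("CREATE_VENDOR", "POST_PAYMENT"),
]

# Constructed sample export: (user, department, role, employment_status)
ASSIGNMENTS = [
    ("asmith", "Accounts Payable", "CREATE_INVOICE", "active"),
    ("asmith", "Accounts Payable", "RECEIVE_INVOICE", "active"),
    ("bjones", "Accounts Payable", "POST_PAYMENT", "active"),
    ("clee", "Purchasing", "CREATE_VENDOR", "terminated"),
    ("dkim", "Purchasing", "CREATE_VENDOR", "active"),
    ("dkim", "Accounts Payable", "POST_PAYMENT", "active"),
]


def build_review(assignments, conflicts=SOD_CONFLICTS):
    """Return {department: [(user, finding, detail), ...]} for department heads.

    Roles are pooled per user across all departments first, so a conflict
    that spans two departments is still detected and is reported to both.
    """
    roles = defaultdict(set)   # user -> every role held, in any department
    depts = defaultdict(set)   # user -> departments whose functions they reach
    terminated = set()
    for user, dept, role, state in assignments:
        roles[user].add(role)
        depts[user].add(dept)
        if state != "active":
            terminated.add(user)

    report = defaultdict(list)
    for user in sorted(roles):
        findings = []
        if user in terminated:
            # Access that outlived the employment or the project.
            held = ", ".join(sorted(roles[user]))
            findings.append(("TERMINATED_WITH_ACCESS", held))
        for first, second in conflicts:
            if first in roles[user] and second in roles[user]:
                findings.append(("SOD_CONFLICT", f"{first} + {second}"))
        for dept in sorted(depts[user]):
            for kind, detail in findings:
                report[dept].append((user, kind, detail))
    return dict(report)


def render(report):
    """Format the review as plain text, one section per department head."""
    lines = []
    for dept in sorted(report):
        lines.append(f"== {dept} ==")
        for user, kind, detail in report[dept]:
            lines.append(f"  {user:<8} {kind:<24} {detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_review(ASSIGNMENTS)))
```

Pooling roles per user before checking is what surfaces the cross-department case (the constructed user `dkim`), which a review run separately inside each department would miss.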
Paul Linkchorst says
3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
First off, the quantity and effectiveness of controls depends on the type of regulations put in place on certain companies. I know in the United States, the SEC requires that publicly traded companies must have their financial statements audited and the controls around those financial statements must be audited as well. Therefore, even in the United States you might see large publicly traded companies have more controls in place for the financial and accounting processes than a large private company. So from a high level view, I think there would be a difference in the number and quality of controls depending on the regulations of international companies. With that being said, the one major control difference would be the way taxes are recorded and paid. Depending on the country, sales tax could or could not be a regulation, which means that some companies would need to include in their business processes a step to charge sales tax to the customer if sales tax is implemented. For those countries that do not have sales taxes, then no control needs to be implemented that has a customer pay.
Fred Zajac says
Paul,
Great point about the regulations. You will see many companies exceed the regulation standard to market the upgrade in standards.
As a shareholder, you always want to hear how you were able to reduce costs by any legal means, even utilizing international laws to your advantage. However, as a customer, you always want to hear about how the product you are using is under the controls implemented by the United States.
Paul Linkchorst says
4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
I think that knowing about ERP systems is a very good skill to have as a person responsible for general IT controls, however, I do not feel that they need to be an expert in the area. IT General Controls consist of controls that affect all of the components within an IT environment, from the hardware to the software to the data. The most common IT General Controls (ITGCs) are access management controls, program change management controls, and lastly system and data backup controls. Since ERPs play a big role in transferring and recording information from all areas of the IT environment, it is beneficial that the individual has a solid knowledge of the system and how they can go about controlling it. However, since ITGCs are controls in place that protect the entire IT environment, it is not crucial that the person responsible understand the nuances of the ERP. The one specific thing they should know is the entry and end point of the data to and from databases. This allows them to understand how the data flows in and out of the ERP system, which arguably from an accounting and finance perspective is the most important aspect.
Deepali Kochhar says
4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
It is important for people responsible for general I/T Controls to know about how ERP systems work so that:
a. They can manage the user login information
b. To manage the access rights for the users of the ERP system
c. Log management and analysis of the ERP System
d. Plan BCP/DR to ensure the availability of the ERP system
e. Manage upgrades to the ERP system
f. Validating user identity prior to granting access to system resources or data
One specific thing they should know is how the security of the data which is being entered and stored in the database is maintained. They should ensure strong cryptography of the data so as to keep it in an encrypted form because the success of such tools depends on how well the data is managed.
Mansi Paun says
I agree with you completely, Deepali. In addition, the people responsible for general IT controls for an ERP system should know how the system works so that they are aware of the data on the system, its criticality and how their work can affect the outcome and availability of the information in the ERP system.
Annamarie Filippone says
Q1. As we’ve seen in the P2P and OTC processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance/Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
If I am responsible for Finance/Accounting controls, the best way I can manage risks from areas outside of my job function is to be sure the controls I have put into place are strong. For example, establishing a defined segregation of duties for different parts of the processes can reduce the opportunity for fraud. In addition, ensuring that financial/accounting information is not available to those who do not need access to it, reduces the risk of data misuse or manipulation.
Annamarie Filippone says
Q2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain.
I believe that IT personnel should have knowledge of basic financial/accounting principles, at least. The more knowledge an individual has regarding standard finance and accounting practices, the easier it can be for them to notice anomalies that could be a sign of mistakes or fraudulent activities. In addition, having the knowledge of both finance/accounting and IT can enable personnel to develop the most effective controls.
Annamarie Filippone says
Q3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1-2 specific examples.
One risk that a company would face if operating internationally, versus purely domestic, is that of culture. For example, we discussed earlier in the semester the importance of marking holidays and understanding how they can affect business. Every country a business operates in has its own set of holidays and days of observance. An international company must be sure that these different holidays are all in the system, so it can be sure that it knows if there will be delays in completing a process.
Said Ouedraogo says
Annamarie,
You are absolutely right, culture can be seen as a risk when doing business internationally. I would like to add to your holiday example something similar. Some countries have different business days than the US; their business days go from Sunday to Thursday. In this specific case, it is important to implement controls in the system to avoid any kind of delay.
Annamarie Filippone says
Q4. How important is it for people responsible for general IT controls (e.g. network, workstation, Server and database security) to know about how the ERP system works? What is one specific thing they should know?
People responsible for general IT controls should have working knowledge of how the ERP system works, since there are some areas of it that can fall under their job function, including upgrade/patch management, BCP/DR, and security configurations. General IT personnel should understand how the ERP system fits into the company’s IT environment and what other applications in that environment it is integrated with.
Fred Zajac says
Annamarie,
I like how you mention other applications in the environment it is integrated with. I would also add other devices the ERP system supports.
In today’s BYOD (Bring Your Own Device), some ERP systems provide apps for iOS and Android devices. The IT department should know how these are integrated with the environment as well.
Ming Hu says
As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain.
As IT personnel who are using ERP systems to support business processes, it’s necessary to gain knowledge about where risks exist, and where fraud likely happens in each business process when it comes to finance and accounting, especially the process within their province. By knowing that, they can help control those risks and prevent potential fraud from IT perspective. Basic knowledge about data flow and its finance or accounting implication is also important for IT personnel to correctly implement application controls, for example, field check, reasonableness check, limit check, to control the accuracy and quality of data in finance and accounting process. Besides, different jobs put different demands, for example, checking the accuracy of the account determination requires a good basic understanding of accounting and knowledge of the relevant chart of accounts, while calculating taxes asks for comprehending related policies and methods of calculation.
Ming Hu says
As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
If I were responsible for Finance / Accounting controls, Segregation of Duties (SoD) is an integral part to cope with the risks coming from non-financial function jobs. Through reasonable Segregation of Duties, each position has a job description to clear its province. Accordingly, for those non-financial personnel who are involved with ERP systems to perform finance or accounting related processes, Finance / Accounting department could empower them necessary financial knowledge by targeted training, workshop, etc.; making sure those personnel are well-trained is important as well. Besides, once those non-financial personnel come to involve with finance or accounting related business processes, they should be adequately informed of the vulnerabilities they represent to the Finance or Accounting department, so as to raise their awareness of security to mitigate risks that may come from them.
Yu Ming Keung says
Hi Ming,
Good point with the targeted training and workshop, it is very important for those personnel of other non-finance function department to understand the company policy and standard.
Fred Zajac says
As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
The accounting records are the assertions made by the company to the owners of the company. The numbers used to make these assertions are generated based on the values of the company assets, minus the liabilities, which represents the owners value.
To protect the integrity of the accounting records from fraud outside of the finance / accounting department, I would look at the assets involving outside departments and develop dual level authentication for each transaction.
Example:
Cash & Payments – Never let anyone, not even owners receive or disburse cash / payments. All payments made or received will go through the finance department.
Accounts Receivable / Payable – All orders / suppliers will be approved by Finance Department
Inventory, equipment, and other tangibles – Will double check counts to verify value
Owners’ Equity – Owners will not have access to any part of the business records. A separate account will be created for dividend payments and profit sharing.
Binu Anna Eapen says
Nice post Fred. I like the way you have given the controls for each issue.
Having an approval process will mitigate the risks caused by single handling of a process. And verifying the inventory values helps in reducing risks of double entry, incompleteness, wrong entries etc.
Tiesha Christian says
Fred Zajac – This is a good method. I like how you explained all of the components of the method you think will be best. This seems like a good practice to help mitigate risk.
Fred Zajac says
As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
It is important for IT personnel to know and understand supporting business applications to remain valuable to the company. It may be horrible to think about but many companies will place a value on the employee. Understanding the business and how business applications function will enable the IT personnel to explain how IT is aligned with the business.
That being said, I certainly wouldn’t want the IT staff to know bank accounts or other sensitive proprietary finance and accounting information. But, as long as the proper controls are implemented, a knowledgeable IT staff will only increase the value of the organization.
Fred Zajac says
Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
1. The currency exchange would impact a purely domestic US company vs. an international company. The value of foreign money impacts the financial statements. Holding assets valued in multiple currencies will affect the balance sheet differently than a purely domestic US company
2. The tax rate would impact the balance sheet differently compared to a purely domestic US company. The government of the international company holds precedence. You have seen many companies merge / acquire companies in other countries to benefit from better corporate tax rates.
Fred Zajac says
How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
The people responsible for general IT controls should know how the ERP system works, but shouldn’t have change / modify access to any other business department. Many questions about functionality will be directed to a company’s help desk. The people fielding these tickets should have a general knowledge of the ERP system. An example would be how to print from the ERP system or how to change account information. However, they shouldn’t be changing a user’s account information or modifying material records.
One important thing they should know about the ERP system is the patches and updates provided by the software provider. They should be aware of all updates and provide a safe and secure network environment. They should be up to date on current threats that target the ERP system and make sure the preventative measures are in place.
Abhay V Kshirsagar says
I like that you pointed out about assessing system security with respect to sensitive customer data and segregation of duties. I think SAP has a very sophisticated automated access control and enforced governance to minimize access risk and prevent the events like you mentioned in the posts from happening.
And, to add to your Patch management example, I think the SAP support package does recommend that no user other than the System Administrator should be logged on; and of course no background tasks are running as well.
Yu Ming Keung says
3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
Accounting standard: GAAP vs. IRS
In the United States, the federal securities laws require all US publicly held companies to file reports with the SEC to submit financial statements that are accurate, truthful and complete and prepared according to a set of accounting standards called Generally Accepted Accounting Principles (GAAP). International companies also have to follow different accounting rules and reporting standards based in different countries such as IRS.
Taxes:
Sales tax in the US is a regulation so domestic companies have to include sales tax in their sales, billing and invoice generated. Multinational companies operating in different countries would have to follow different regulations in different countries and may or may not have to include sales tax.
Vu Do says
2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
IT personnel should have a clear understanding of finance and accounting since everything is adapting to online databases, everything is stored online. IT personnel must know what accounting records should not be easy to change to prevent fraud from being committed by inside users. They must put security measures in place to prevent things like that from happening. The balance sheet and general ledger should be the main things to know and understand since it affects the whole company. Any changes or discrepancy should be known and the IT personnel must be aware of that. They must be able to have logs of any changes being done so that they can track the person down who made the changes to see if they are able to. Therefore IT personnel supporting the business application must know what is being entered into the databases to understand if there is fraud being committed.
Yu Ming Keung says
1. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
I believe the IT personnel supporting business applications should have general understanding of finance and accounting in the process of the business function. Even though it is not their entire / assigned responsibilities, basic accounting / finance knowledge allows them to better serve and support the business objectives from the IT function perspective. It is very important for them to have that knowledge and if they don’t, how would they be able to detect any problems with the IT system / applications. Companies who want their IT personnel to have that specific knowledge to support the business objectives, they should provide training courses to teach them the basic knowledge.
Jaspreet K. Badesha says
This is very well stated Yu. Knowledge of the accounting system is crucial in serving the users of the application and is also crucial in detecting fraud in that function. I also agree that training should be provided to IT personnel so they know how that specific company does tasks and what can be prevented / or what risks or gaps there are in the controls process.
Yu Ming Keung says
1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
If I were responsible for Finance / accounting controls for my company, the first control that came to my mind is performing reconciliation of the accounting record more frequently to audit the non-financial business functions with ERP system transactions. That is a detective control which can detect some significant errors and fraud. Second, I would have to make sure that the access to our finance / accounting function in the ERP system is only strictly granted to my department and no other non-financial department is able to access our functions. It would be a risk of confidentiality for us if they had the access to perform our functions in the ERP system. If they needed any information in regards to the procure to pay and order to cash process, they may be granted with temporary access to limited view the data.
Abhay V Kshirsagar says
As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
In some cases, IT personnel who support business applications also customize system functionalities according to the need of business processes. In that case, the IT staff who is responsible for the customization will need accounting or finance knowledge to ensure that the business workflow is properly understood to develop a well-designed system. For e.g. Development of Accounting Information Systems (AIS) has five steps: Planning, Analysis, Design, Implementation and Support. Out of these, analysis, design and support require IT personnel to have basic knowledge of accounting to ensure that AIS objectives are met by implementing a robust AIS system and also being able to provide support; the capability to provide system support will certainly be not limited to the IT skills, but also the accounting skills of the IT personnel.
A moderate level of accounting knowledge possessed by the IT personnel can also be a preventative control; an extra layer of protection if in case some of the requirements gathered during requirement analysis phase were missing.
Jaspreet K. Badesha says
I really like the fact that you mentioned it as a preventative control.
Abhay V Kshirsagar says
Thanks! It just struck me at the end 🙂
Jaspreet K. Badesha says
2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
IT personnel need to have some basic accounting experience if they are supporting a firm that has account functions and systems. If they do have it from their education or previous experience the company should provide basic training and then show them key areas in the functions in which fraud is more likely to occur. This way, if the employees are trained through the program within the company and know where the faults may lie or why things are done a certain way. If they do not have on the job or previous experience in those functions it is very likely they will not be able to detect fraud in those applications.
Jaspreet K. Badesha says
1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
I would manage these risks by putting in place strong controls such as segregation of duties. In which accounting information is only available to the accounting department and people who require it as a necessity to complete their jobs or make decisions. Financial records or accounting information would not be available to non-accounting/financial functions so it can minimize risk of that exposing the company finances. Along with segregation of duties for functions within the non-accounting side would also be quarterly or bi-quarterly audits and checks on the controls to ensure they are doing their jobs and if additional measures need to be taken.
Abhay V Kshirsagar says
Great Post, Jaspreet.
I like that you brought the point of Segregation of Duties (SoD). Cash is every organization’s favorite asset and thus it becomes imperative to put a big lock on the cash account to ensure its safety. Locks like Authorization (cash not going out of the organization without permission) and Record Keeping (what is going on in the cash account), custody (assigning someone responsibility to handle the cash), reconciliation. I think all the above four functions should be handled by four different people with a wall in between them, and as you correctly mentioned, quarterly or bi-quarterly audits by non-accounting personnel should be planned to ensure this wall is intact.
As long as other risks coming from non-Financial function jobs, I feel that there are certain risks that are not in the scope of someone who is designing the Financial/Accounting controls. For instance, in Order-to-cash process, if the item is shipped to a wrong address, that’s out of your scope being from a Finance department. But, there are also cases like where customer not paying bills on time, you can have an effective credit management control to ensure that the particular customer is flagged the next time he/she places an order.
Tiesha Christian says
Jaspreet – Great post. I agree with having strong controls in place to mitigate certain risk. Segregation of duties should always occur in these types of settings. Putting an emphasis on the controls is definitely a plus.
Jaspreet K. Badesha says
4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
It is very important for individuals who are responsible for the general IT controls to know how the ERP system works. 1 specific thing is where vital information is obtained/entered so they know that the security on that portion of the server for that application needs to be very tight so no one can access that information.
Jaspreet K. Badesha says
3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
A US company would strictly focus on following controls that are put in place for US companies such as SOX and only have to account for taxes through the IRS as well as follow guidelines that are only dealing with domestic companies.
An International company would have to deal with more controls that are put in place by other countries or international trade laws (different taxes and rate exchanges as well as accounting practices).
Abhay V Kshirsagar says
Correct,
And to add another example to your list, US and other countries like, Australia, don’t follow the same accounting standards when they produce their financial reports;
US uses GAAP system and Australia uses AASB. This is something even the domestic companies need to keep in mind if they are planning to set up a branch in Australia.
Wen Ting Lu says
2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
I think IT personnel supporting business applications should know basic accounting and finance concepts. Accounting is the language of business; being able to analyze financial statements is important. Just like our assignments, without any accountant background it would be difficult for us to get the debit and credit on the general entries correct.
Wen Ting Lu says
3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
In US, we follow GAAP as the accounting standard, while IFRS is the accounting standard used in over 110 countries around the world. GAAP is considered a more “rules based” system of accounting, while IFRS is more “principles based.”
Government regulation and tax rate also vary by country. For example, in China, there are no sales tax and property tax. It’s very important to have a basic understanding of that foreign country’s culture and its way of doing business.
In addition, for international company exchange rate can also be hard to take control because it fluctuates.
Wen Ting Lu says
1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
I would implement preventive control to make sure that all the employees in my department are well trained on how to secure our information assets. In addition, I would make sure that only the employees in our accounting/finance department have the access to the accounting/finance functions of the ERP system. Segregation of duty is extremely important; we need to make sure that accounting personnel is not the same one who is performing the sales. Secondly, I will make sure that detective controls are taking place, such as reconciling the financial statements to make sure information is correctly entered.
Tiesha Christian says
As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
IT personnel should be somewhat knowledgeable of accounting and finance terminology, since the functions often have the potential to work together. Having a baseline understanding definitely helps the relationship run a lot smoother. The same thing goes for Accounting/Finance personnel, who should have a good understanding of the IT world.
Jianhui Chen says
Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples
I think the currency exchange rate and tax regulation mattered.
In terms of currencies the currency exchange rate fluctuated timely. Changes in exchange rates between firms’ domestic currencies and the US dollar may influence the measurement of non-US firms’ market values at two points in time. To investigate whether such changes might confound the measurement of changes in market values, we calculate a firm’s market value of equity using a constant exchange rate;
In terms of tax, firms domiciled in countries where in 1993 there were relatively few accounting measurement choice restrictions (e.g., Switzerland) were able to implement IAS without violating their domestic-GAAPs. Alternatively, some domestic-GAAPs were quite similar to IAS. Thus, Canadian firms were able to meet the requirements of their domestic-GAAP and IAS by choosing measurement methods that satisfied both sets of standards. Some countries (e.g., France) permitted a firm to use domestic-GAAP in the parent company’s financial statements and IAS in its consolidated statements. Finally, in other countries, accounting standards and tax laws were highly aligned (e.g., Finland, Sweden), and firms typically used footnote reconciliations to meet IAS measurement requirements.
source: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.198.3081&rep=rep1&type=pdf
Jianhui Chen says
4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
The general I/T people is important to know about how the ERP system works to implement the effective controls to ensure the credentials, integrity, and availability of the ERP system. As the development of hack technique, the related people should know the latest knowledge about the hack technique to prevent ERP from attacking.
Wen Ting Lu says
You are right that it’s important to know how ERP system works; if general I/T people don’t know how the ERP system works, then it’s a challenge for them to implement controls to protect the system and resolve issues.
Paul M. Dooley says
2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
At a very minimum, the IT personnel supporting these systems should have general knowledge of the processes as a whole. Without these fundamental skills, trying to find areas more likely to have threats of fraudulent activity would be substantially more difficult. Obviously, the more intimate knowledge of finance and accounting the more effective the personnel would be in identifying fraudulent activity and either stopping it before it happens or putting in controls to prevent it in the future. Ultimately, like all business decisions, I think it would be challenging to find personnel with expertise in these areas as well as have the necessary IT knowledge to be masters at both. Like all business decisions, you have to weigh the pros and cons of each and find a good balance.
Paul M. Dooley says
Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
2 control types that would differ from a domestic only business to an international business would be taxes and legal. As we all know, in the US alone tax measures have to be accounted for on a state to state basis as do legal requirements. For tax and legal purposes you would need to adhere to the host country that the specific transaction would apply to.
Paul M. Dooley says
As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
Segregation of Duties would be the number 1 rule I would apply in these highly sensitive departments. In addition to SOD controls I would also follow the principle of least amount of privilege necessary to complete their job function. It is critical to keep certain key processes like issuing POs and processing payments to separate individuals to mitigate the opportunity for fraud in these groups.
Paul M. Dooley says
How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
People responsible for general IT controls should have an intimate knowledge of how the ERP system works and what additional applications that it is integrated with. In order to be effective in implementing controls and identifying risks in the existing security posture they should be aware of what internal controls are built in and active in the SAP system to give an accurate risk assessment and to know where to direct limited resources.