
Auditing Controls in ERP Systems

ERP Systems

Edward N Beaver

Week 9: Security: User Management, Segregation of Duties (SOD) Wrap-up

November 1, 2016 by Edward N Beaver

Continuing great job on the discussions – I enjoy your thoughtfulness and depth in answering.  I trust the questions help you explore and understand topics being discussed in a given week.
You raised most of the important points but let me summarize my view.

Q1: What is segregation of duties (SOD) and why is it a commonly used control?  – We discussed this topic in class.  Great examples of IT roles that should be segregated (e.g. development from DBA, development from security administration, development from moving code to production, developers kept out of the production system, development from audit).  We’ll discuss controls related to development more thoroughly in future classes.

Q2: Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component?  You nailed the core issue – ERP systems are large and complex.  Therefore the security is also large and complex – especially when there are complex requirements (many people needing broad access).

Q3: What are the key competencies of the person responsible for security?  I like the terms you chose.  Specifically:
  • Skepticism and curiosity
  • Functional knowledge – critical to effectively make decisions
  • Decision making – to which I would add good judgement
  • Data analytics – I call this basic smarts.  Security is highly complex and requires strong cognitive skills.

Q4: Companies are dynamic entities. Best practices for managing system users and their security access?   You provided many great ideas including:  password policies and procedures, documenting change (more on this in a couple of weeks), periodic user access reviews, least privilege access, proper management approvals, etc.  Bottom line is that security, although sometimes viewed as a backroom IT task, requires strong processes to be done well.
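The IT role conflicts listed under Q1 and the periodic user access review under Q4 can both be turned into a mechanical check that an auditor or security administrator runs against a user/role export. The following is an added example, not code from the course or from SAP; the role names, the conflict pairs (taken from the Q1 examples), and the user and HR records are constructed for illustration.

```python
"""Added example: a minimal SOD conflict check plus user access review.

Roles, conflict rules, accounts and HR records below are constructed for
the example; they are not from a real system.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

# Conflict matrix: each frozenset is a pair of roles one person must not hold
# at the same time. The pairs follow the IT examples in the wrap-up:
# development segregated from DBA, security administration, transporting
# code to production, production system access, and audit.
SOD_RULES = {
    frozenset({"DEVELOPER", "DBA"}),
    frozenset({"DEVELOPER", "SECURITY_ADMIN"}),
    frozenset({"DEVELOPER", "TRANSPORT_ADMIN"}),  # moves code to production
    frozenset({"DEVELOPER", "PROD_ACCESS"}),
    frozenset({"DEVELOPER", "AUDITOR"}),
}


@dataclass(frozen=True)
class Account:
    user_id: str
    roles: FrozenSet[str]          # roles assigned in the system
    last_login: Optional[date]     # None = never logged in


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    employed: bool                 # False once HR has processed a termination


def sod_conflicts(account, rules=SOD_RULES):
    """Return the conflicting role pairs a single account holds, sorted."""
    return sorted(tuple(sorted(pair)) for pair in rules if pair <= account.roles)


def access_review(accounts, hr_records, today, dormant_days=90):
    """Findings a periodic user access review should raise.

    SOD     - account holds two roles the conflict matrix forbids together.
    LEAVER  - account is still active but HR shows the person has left.
    ORPHAN  - account has no HR record at all (nobody to approve it).
    DORMANT - no login within dormant_days (least-privilege clean-up candidate).
    """
    hr = {rec.user_id: rec for rec in hr_records}
    findings = []
    for acct in accounts:
        for pair in sod_conflicts(acct):
            findings.append((acct.user_id, "SOD", f"{pair[0]} + {pair[1]}"))
        rec = hr.get(acct.user_id)
        if rec is None:
            findings.append((acct.user_id, "ORPHAN", "no HR record"))
        elif not rec.employed:
            findings.append((acct.user_id, "LEAVER", "terminated but active"))
        if acct.last_login is None or (today - acct.last_login).days > dormant_days:
            findings.append((acct.user_id, "DORMANT", f"no login in {dormant_days} days"))
    return findings


# Constructed sample data for the review run.
TODAY = date(2016, 11, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", frozenset({"DEVELOPER", "TRANSPORT_ADMIN"}), date(2016, 10, 28)),
    Account("bob", frozenset({"DBA"}), date(2016, 10, 30)),
    Account("carol", frozenset({"AUDITOR"}), date(2016, 6, 1)),
    Account("dave", frozenset({"SECURITY_ADMIN"}), date(2016, 10, 31)),
    Account("svc_batch", frozenset({"PROD_ACCESS"}), None),
]
SAMPLE_HR = [
    HrRecord("alice", True),
    HrRecord("bob", True),
    HrRecord("carol", False),   # carol left; her account was never removed
    HrRecord("dave", True),
]

if __name__ == "__main__":
    for user_id, kind, detail in access_review(SAMPLE_ACCOUNTS, SAMPLE_HR, TODAY):
        print(f"{user_id:10} {kind:8} {detail}")
```

The check works at the role-name level to keep it short; in SAP the equivalent analysis is normally run with a rule set defined at the transaction or authorization-object level, since two differently named roles can grant the same conflicting transactions. The HR join is what turns the review into a joiner/mover/leaver control rather than a pure SOD report.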


Week 9: Questions

October 25, 2016 by Edward N Beaver 134 Comments

  1. What is segregation of duties and why is it a commonly used control?  Give an example of two (e.g. IT) roles that should be segregated.
  2. Security in an ERP system (e.g. SAP) is complex.  What is the most fuzzy, difficult to understand component?  Explain
  3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful?  Why?
  4. All companies are dynamic entities with employees and others using systems coming and going all the time.  What best practices have you experienced or would you recommend for managing system users and their related security access?

Week 8: Security 2, Finance 2 Wrap-up

October 25, 2016 by Edward N Beaver

Continuing great job on the discussions. Keep up the good work.   My summary view is:

Q1: Do businesses rely too much on security administrators vs. security of the entire network?  Most of you highlighted the network as being the highest risk.  I tend to agree with you – as in today’s computer environments, the network gets you in the door.  Nevertheless, it’s important to manage all areas of security and make sure even the administrators are using state of the art practices and techniques.   Risks are everywhere.

Q2: Why only have one posting period open at a time? As you pointed out, this is mainly to prevent errant postings in the wrong month.  It also supports the discipline of making sure when events occur in the real or physical world, the corresponding transaction(s) occur in the ERP system.

Q3: What’s the most important finance / accounting control? …authorization control? Some good discussion on this question.  I would have preferred that you use my list to prioritize, but most of you didn’t have that list due to my late posting of the video.  My experience is that documented policies & procedures, with strong reconciliation and auditing that they are followed, are critical.  Focus as usual on the high value and high risk items.

Q4: Have you experienced difficult, cumbersome, … security problems?  Thanks for sharing some great stories of your real experiences.  Most of you highlighted password headaches.  Regardless, it’s important to understand the end results of what users are actually doing (law of unintended consequences).  If you lock down the process so tightly that everyone writes the password down on their screen, in the end you have poor security.  In the end, a balance is necessary – is the complexity worth the headache?  However, who gets to set the balance is usually someone at the top of the organization.
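The posting-period control discussed under Q2 is simple to state but worth seeing as code, because the value of the control is in what it rejects. The following is an added example, not code from the course or from SAP; the ledger class, the period representation and the sample documents are constructed for illustration, and the example enforces exactly the simplified rule from the wrap-up (one open period at a time) rather than the fuller period-interval configuration a real ERP offers.

```python
"""Added example: a ledger that accepts postings only into the single open
period, and rolls periods forward so two are never open at once.

The class, period representation and sample documents are constructed for
the example; they are not from a real system.
"""
from datetime import date


class PeriodLockedError(Exception):
    """Raised when a document's posting date falls outside the open period."""


class Ledger:
    def __init__(self, open_period):
        self.open_period = open_period   # (year, month) that accepts postings
        self.closed = set()              # periods that can no longer be posted to
        self.journal = []                # (doc_id, posting_date, amount)

    def post(self, doc_id, posting_date, amount):
        """Post a document; the posting date decides the period, and only the
        one open period is accepted. Back-dating into a closed month and
        accidental future-dating both fail here, which is the point."""
        period = (posting_date.year, posting_date.month)
        if period != self.open_period:
            raise PeriodLockedError(
                f"{doc_id}: {posting_date} is period {period}, open period is {self.open_period}"
            )
        self.journal.append((doc_id, posting_date, amount))
        return period

    def roll_period(self):
        """Close the current period and open the next one in a single step,
        so there is never a moment with two periods open (or none)."""
        year, month = self.open_period
        self.closed.add(self.open_period)
        self.open_period = (year + 1, 1) if month == 12 else (year, month + 1)
        return self.open_period

    def balance(self, period):
        """Sum of all postings that landed in the given period."""
        return sum(a for _, d, a in self.journal if (d.year, d.month) == period)


def try_post(ledger, doc_id, posting_date, amount):
    """Convenience wrapper: True if the posting was accepted, False if rejected."""
    try:
        ledger.post(doc_id, posting_date, amount)
        return True
    except PeriodLockedError:
        return False


def demo():
    """Constructed month-end scenario; returns the ids of rejected documents."""
    ledger = Ledger((2016, 10))
    rejected = []
    docs = [
        ("D1", date(2016, 10, 5), 1200.00),    # normal October posting
        ("D2", date(2016, 9, 30), 450.00),     # back-dated into closed September
        ("D3", date(2016, 11, 2), 80.00),      # typed the wrong month, November
    ]
    for doc_id, posting_date, amount in docs:
        if not try_post(ledger, doc_id, posting_date, amount):
            rejected.append(doc_id)
    ledger.roll_period()                       # October closed, November open
    if not try_post(ledger, "D4", date(2016, 10, 31), 99.00):   # late October entry
        rejected.append("D4")
    try_post(ledger, "D5", date(2016, 11, 1), 300.00)           # fine now
    return rejected


if __name__ == "__main__":
    print("rejected:", demo())
```

The rejected documents in the demo are exactly the errant postings the control exists to catch: one landing in a month already reported on, one typed with next month's date. A real system adds a separate, authorized path for the late entry (D4) rather than silently reopening the period, which is why the reopening decision is a control point of its own.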

Beaver – Real World Control Fail Presentation Example

October 24, 2016 by Edward N Beaver 1 Comment

Information  – link to web page or use ‘Add Media’ to store in this link

Week 8: Questions

October 18, 2016 by Edward N Beaver 133 Comments

  1. Do you believe businesses rely too much on administrators to configure the security protocols in programs like SAP, rather than looking for security in the entire network?  Explain
  2. What is the relevance of only being able to have one posting period open at a time for real time postings?  What does this prevent from happening?
  3. Consider the list of financial and accounting controls.  Rank them.  Which do you believe is the most important, and which the least?  Why?
  4. You’ve used various computer systems in your lifetime, career.  System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc.  Have you seen these problems in your experience?   Explain

Week 7: IT vs. SAP Controls, Security 1, Finance 1 Wrap-up

October 18, 2016 by Edward N Beaver

Continuing great job on the discussions – I appreciate the growth you’ve shown in the quality and substance of the comments. Keep up the good work.   You raised most of the important points but let me summarize my view.

Q1: How does Finance / Accounting manage non-finance people’s tasks that impact them?  Some good comments about cross-training, controls and other ideas.  After working as a non-finance person in processes that impacted financial results significantly, I firmly believe that every person performing a process task needs to know the basic impact of their efforts.  The impact knowledge needs to include at minimum the dimensions of finance / accounting as well as business results.

Q2: How much Finance / Accounting should I/T people know?  If you’re an I/T professional whose job involves applications with any financial content (e.g. ERP systems), I recommend you learn what you can.  As a few of you pointed out – Finance is the language of business and business knowledge is critical to I/T success.  It doesn’t mean you have to have an accounting or financial degree, but I encourage I/T folks to be inquisitive and learn what you can.  I particularly like the comment from one of the posts: ‘How would IT personnel be able to design and implement solutions if he/she is not familiar with the business function he/she is designing the solution for?’

Q3: Financial controls, domestic vs. international companies: just like other processes – differences in language and currency are the critical differences.  The financial and tax practices of other countries vary considerably and related controls are necessary.  However, that doesn’t mean any less focus on the basic application and process controls.

Q4: Should I/T professionals supporting general I/T (e.g. workstations, network, etc.) have knowledge of ERP?  There is no reason all IT folks need to know the details of ERP systems.  However, they do need to know the basics of what the systems do, their importance, and how the IT work being performed supports the goals of the ERP systems.

In general, always ask questions and be inquisitive about the work you’re doing, especially along the dimensions of a) finance / accounting and b) the ultimate business / outcomes of the organization you’re working in / with.

Exercise 3 (Journal Entries) Due October 27

October 17, 2016 by Edward N Beaver

Reminder:  Exercise 3 – Journal Entries is due (via e-mail) on Thursday October 27  at 11:59 pm.

Week 6 Wrap-up: Invoicing & Collections Controls

October 11, 2016 by Edward N Beaver

(My apologies for being late in updating this post – grading, etc. has been my focus). Continuing great job on the discussions. Keep up the good work.   You raised most of the important points but let me summarize my view.

Q1: If you were an outside organization, where would you attack the OTC process? – You suggested several innovative ways to attack the process.  In the end a decision like this would depend on your motives and what your capabilities were vs. known vulnerabilities.

Q2: Who should care more about collections – Sales or Finance?  Many of you pointed out that the sales function often has a conflict of interest in dealing with collections because of their customer focus and loyalty.  Therefore, I believe collections needs to be ‘owned’ by a finance related function.  However, an overzealous and callous collections process can erode customer satisfaction considerably.  There needs to be a cooperative relationship between the finance ‘owner’ of collections and the business and sales organizations to assure appropriate collections policies are in place and to work cooperatively with customers who don’t pay well – there needs to be a united message to the customer.

Q3: Controls, domestic vs. international:  You pointed out many of the differences in your discussion.  My experience is that currency, import/export regulations, customs authorities and different shipping modes drive the major differences, and depending on a company’s business, appropriate control differences are also needed.

Q4: Order to Cash (OTC) Process – what keeps you up at night: This depends in part on the nature of the business you’re working with.  Regardless – I recommend keeping focus on the value, $$ related segments of the process (e.g. pricing, invoicing, cash collections).

Always when working with the OTC process, make sure you understand the nature and structure of the business.  The OTC process must relate more than other processes to this nature and structure.

Week 7 Questions

October 11, 2016 by Edward N Beaver 136 Comments

  1. As we’ve seen in the P2P and OTC processes, many different, often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company, how would you manage the risks coming from these non-financial function jobs?
  2. As we continue to learn about business processes and ERP systems we often discuss finance or accounting related terms and concepts.  How much finance and accounting knowledge should IT personnel supporting business applications know and learn?  Explain
  3. Controls are important to financial and accounting processes.  What would be different in the controls of a purely domestic US company vs. an international company?  Give 1 – 2 specific examples.
  4. How important is it for people responsible for general I/T controls (e.g. network, workstation, server and database security) to know how the ERP system works?  What is one (1) specific thing they should know?

Week 5 Wrap-up: Inventory and Shipping Controls

October 5, 2016 by Edward N Beaver

Continuing great job on the discussions.   You raised most of the important points but let me summarize my view.

Q1: Fraud Triangle on ‘One Piece at a Time’ video:  Opportunity – it’s obvious the workers were confident in the opportunity to take various car pieces (one piece at a time); Incentive – a ‘free’ car; Rationalization –  It’s a large company that won’t miss the parts

Q2: For the ‘One Piece at a Time’ video scenario – what should the operations manager do?  You shared some good ideas.  From a risk perspective I would recommend focusing on changes to prevent the large parts from being stolen (how does a transmission leave the plant unnoticed?).  However, some cultural change actions may also be supportive (and needed).

Q3: In shipping – what controls are different in a purely domestic vs. an international company?  Many differences were noted.  In my experience the key differences are currency, languages, import-export regulations, expanded paperwork requirements, and customs authorities as an added interested party.  The added complexity is often outsourced by companies to freight forwarders and import brokers.

Q4: What are 1-2 less obvious inventory control measures used on us as consumers?  Are they effective?  Anti-theft, anti-shoplifting measures abound, from tagged items with door alarms to video surveillance.  They seem effective to me.
