-
Annamarie Filippone posted a new activity comment 7 years, 12 months ago
Q4. Which transaction do you believe is the most ‘Sensitive’ and therefore should have extra focus in an SAT (Sensitive Access to Transaction) audit? Explain.
I don’t believe there is one correct answer for this question, since the transactions used by an organization and deemed “sensitive” will vary depending on the processes common to that o…[Read more]
-
Annamarie Filippone posted a new activity comment 7 years, 12 months ago
Q3. Which is more of a risk to a company: inaccurate data or excessive repetitive data? Explain.
While both are risky for a company, I think that inaccurate data presents a greater risk. For one thing, there are many ways to filter out repetitive data, while the same cannot be said for inaccurate data. In addition, data is used for…[Read more]
-
Annamarie Filippone posted a new activity comment 7 years, 12 months ago
Q2. Which department or person should play the key role in defining master data and assuring its quality?
I believe that the accounting department would be the department responsible for defining the master data and assuring its quality. However, I do not think they should act alone when it comes to defining the data. The departments that…[Read more]
-
Annamarie Filippone posted a new activity comment 7 years, 12 months ago
Q1. Master data in an ERP system is highly integrated with various processes and affects many parts of the organization. How does an organization assure this integration works well for all?
Due to the reliance other processes have on the master data in an ERP system, it is crucial that the master data is created and maintained appropriately.…[Read more]
-
Annamarie Filippone posted a new activity comment 8 years ago
Q4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
In regards to security access, every company I have worked for has utilized the principle of least privilege.…[Read more]
-
Annamarie Filippone posted a new activity comment 8 years ago
Q3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
I think two key competencies an individual responsible for security needs are the ability to prioritize, as well as communicate. Not all security threats are created equal, and each has its own…[Read more]
-
Annamarie Filippone posted a new activity comment 8 years ago
Q2. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain.
An ERP system by itself has the capabilities of many applications put together, which creates complexity for an organization. Specifically, I think determining access controls would be a difficult process. With thousands of…[Read more]
-
Annamarie Filippone posted a new activity comment 8 years ago
Q1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties (SOD) is the principle of sharing responsibilities of key processes by dividing critical functions of those processes to more than one person. This is a commonly used control because it…[Read more]
-
Annamarie Filippone commented on the post, Week 8: Questions, on the site 8 years ago
Q4. You’ve used various computer systems in your lifetime, career. System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc. Have you seen these problems in your experience? Explain.
Like many others, I think one of the most “cumbersome” security processes that I’ve experienced has revolved around passwor…[Read more]
-
Annamarie Filippone commented on the post, Week 8: Questions, on the site 8 years ago
Q2. What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?
Having only one posting period open at a time helps prevent things being posted to the wrong period. This is sometimes done fraudulently, by shifting revenues or expenses to manipulate records. But…[Read more]
-
Annamarie Filippone commented on the post, Week 8: Questions, on the site 8 years ago
Q1. Do you believe businesses rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain.
No, I think that most businesses understand the importance of security both for an entire network and within specific programs like SAP. Each comes with its own set of…[Read more]
-
Annamarie Filippone commented on the post, Week 8: Questions, on the site 8 years ago
Fred, this is a great point. Despite the obvious importance of security, many of today’s business leaders still view it as a drain on resources. As you mentioned, increasing revenue and cutting costs is their focus, and this can lead to poor security decisions that may cost them more in the long run. Security is the responsibility of everyone w…[Read more]
-
Annamarie Filippone commented on the post, Week 7 Questions, on the site 8 years ago
Wenlin, I really like the second control you mentioned. As with any business relationship, outsourcing success is dependent on the cooperation of both parties. Training for employees on the various issues that can result from outsourcing, such as remote collaboration and cultural differences, should be started before outsourcing begins. This will…[Read more]
-
Annamarie Filippone commented on the post, Week 7 Questions, on the site 8 years ago
In addition to reviewing the vendor’s business continuity and disaster recovery plans, I believe the company doing the outsourcing must also ensure it has its own BC/DR plans. The difference between the two would be that a company’s business continuity and disaster recovery plans would focus on the required course of action if a vendor were to cea…[Read more]
-
Annamarie Filippone commented on the post, Week 7 Questions, on the site 8 years ago
This is a great point. While a company should develop its own understanding as to the risks certain processes face, it should also utilize the knowledge a vendor can provide. As an organization that provides similar services to a variety of customers, the vendor can have useful insights regarding risks that were gained through experience, which…[Read more]
-
Annamarie Filippone commented on the post, Week 7 Questions, on the site 8 years ago
Ariana, I agree that a vendor’s security processes should be one of the largest concerns for a company that is outsourcing parts of its business. This is why extensive research before selecting a vendor is crucial. A company should talk to past and present clients to understand their experiences. In addition, if there were security issues in the p…[Read more]
-
Annamarie Filippone posted a new activity comment 8 years ago
Q2. What controls can be implemented to mitigate the risks associated with outsourcing?
-Research: A company should complete a detailed analysis of potential vendors for outsourcing, having an understanding of their offerings, costs, and history, so it can make an educated decision regarding where it wants to outsource.
-Service Level…[Read more]
-
Annamarie Filippone posted a new activity comment 8 years ago
Q1. What are the benefits and risks of outsourcing?
Some benefits of outsourcing include:
-Cost savings
-Resource savings
-Access to expertise
-Scalability
-Time zone advantage
Some risks of outsourcing include:
-Decline in product/service quality
-Protection of intellectual property
-Dependence on vendor
-Regulatory/Legal…[Read more]
-
Annamarie Filippone commented on the post, Week 7 Questions, on the site 8 years ago
Q4. How important is it for people responsible for general IT controls (e.g. network, workstation, Server and database security) to know about how the ERP system works? What is one specific thing they should know?
People responsible for general IT controls should have working knowledge of how the ERP system works, since there are some areas of…[Read more]
-
Annamarie Filippone commented on the post, Week 7 Questions, on the site 8 years ago
Q3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1-s specific examples.
One risk that a company would face if operating internationally, versus purely domestic, is that of culture. For example, we discussed earlier in the…[Read more]