Deepali Kochhar

Mansi,

This is a great answer. I would say segregation of duties should be ranked top most. It is very important to first assign right duties to right person and define the organisational chart before the approval authority works on the approval process. It is very important to approve right kind of roles for the right person in order to manage fraud.

Q 2. What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?

A Posting Period Variant is useful in opening or closing finance posting periods across many Company Codes at one time. You define a posting period variant and assign it to various Company…[Read more]

Leftover Factory debugger doubles as Android backdoor

A leftover factory debugger in Android firmware made by Taiwanese electronics manufacturer Foxconn can be flipped into a backdoor by an attacker with physical access to a device.
This can help the law enforcement or a forensics outfit wishing to gain root access to a targeted device.
It…[Read more]

Q1. Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?

BCP and DRP are not synonyms rather they are different.

• Business Continuity Planning: is a policy cum implementation of measures which will ensure continuity of critical b…[Read more]

4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security to know about how the ERP system works? What is one (1) specific thing they should know?

It is important for people responsible for general I/T Controls to know about how ERP systems works so that:
a. They can manage…[Read more]

Nice post Joshua. If we talk about applying controls and troubleshooting the issues, it is good to have a basic understanding of accounting so as to select and apply the most appropriate controls.
It is always said that an IT auditor should first understand the organizational culture in order to facilitate a successful audit. Understanding the…[Read more]

Great points Yulun. To add to your point, I would also manage the logs and keep timely track of those logs. This will help in tracking the incidents and activity log of who and when entered the transactions into the accounting record. This will thus help in easy tracking and mitigation of any wrong occurrence.

Q2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain

Business processes within an ERP system demands a fair knowledge of Finance. For this…[Read more]

In addition to your points I would like to add one more point. An international company would require a control to manage currency difference which is not required for a domestic US company.
Also an international company would need a control to manage the time zone for each of the country where they have their operations.

Rightly pointed Sean. I believe that it depends on the kind of business an IT Personnel is handling. If we take an example where an IT person need to audit the FICO Module of ERP, in this case the personnel should have basic to medium level of understanding of finance so that he can check the transaction records and determine necessary controls.…[Read more]

Tech support scams put UK Users at Risk

A warning issued of tech support scams aimed at UK users. A company named Eset revealed data and claimed that the UK’s share of HTML/FakeAlert malware rose to over 10% over the past month.

HTML/FakeAlert refers to the malware typically used in tech support scams. It flashes up fake alert messages r…[Read more]

What are the sources of Electromagnet Pulse (EMP)? Why is it a physical security threat? How can an organization defend itself against EMP?

An electromagnetic pulse (EMP) is a short burst of electromagnetic energy caused by an abrupt, rapid acceleration of charged particles, usually electrons. The sources of EMP can be a natural occurrence or…[Read more]

Agreed Priya. A very important point made. Although considered as Non-Functional requirements of an application, Security Vulnerability testing is a critical part of any business application. As a person to make negative impact on a business, I would try to find loopholes in the process which can help me access to sensitive data. Once I am…[Read more]

Sean,
In addition to your view, I believe Payments is an important area within the Order to Case process which requires the maximum control. Timely fulfillment of order and collecting payments involves handling of a variety of sensitive data sources including customer and credit information, inventory management and shipping and billing systems.…[Read more]

When it comes to segregation of duties for collections, I am inclined towards making this as Finance function. The ability to reduce payments risk is how the efficiency of a Finance department is determined. Aligning credit and collection policies with organizations goals is an important part of the Finance department. Adoption of proactive…[Read more]

Good point Paul. Credit checks are very important. Also it is important on the making a credit check at the customer’s end. Before processing an order, it is important to check the financial status of the customer as well as their previous payment records specially if it is a bulky order. This will help in avoiding non payment of the order.

1. Controls are important in all the OTC processes including invoicing and collections. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.

The difference in the controls of purely domestic US company vs. an international company would be:
A domestic company w…[Read more]

Q 1. Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and How

Being an outsider, I would attack as a fictitious customer to an organization’s order to cash process.
This creates a risk of fraud orders, nonpayment of th…[Read more]

DressCode Malware Infects 400 Apps in Google Play

Dresscode Malware infected a total of 40 apps in google play and a total of 400 apps via third party app stores but the actual number can be much higher. Over 3000 apps distributed by Android mobile market have been infected with this Trojan.

Once the infected app is installed on a victim’s d…[Read more]

To add to the disadvantages, If the company is not maintaining proper user provisioning along with the identity systems with VPN administration it can lead to unauthorized access.

One such example of insufficient VPN management and security that lead to a breach comes from an employee terminated by a utility company, Energy Future Holdings. The…[Read more]