Edward N Beaver

1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?

Segregation of duties is a method of risk control that separates roles, responsibilities, authorizations, etc. between separate personnel to separate the necessary steps needed to be taken to commit fraud in areas most susceptible to fraud. This method of control essentially takes key steps in processes, especially where money “changes hands,” and splits them up among different personnel to mitigate the risk of one person having access and authorization to all the steps necessary to commit and hide fraud.

In IT, two examples of roles that should be segregated would be software development and implementation, and database administration and logging access. If software developers were able to put their own code directly into development, they could cause damage to the production environment or create ways to bypass controls and allow fraud to happen intentionally or inadvertently. Giving a database administrator access and authorization to logs for the database can give the DBA’s the ability to conduct unauthorized activity within a database and then remove or alter the logs to hide their activity after doing so. Both of these scenarios are sources of risk for a business and should be prevented by SOD controls.

2. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain

I think the most fuzzy area within the security aspect of an ERP system is access and authorization controls. Since there are so many different t-codes in an ERP system, and so many different steps in a process, the many different accesses and authorizations necessary to conduct a job role can easily become confusing; especially with a large and complex business. When assigning and segregating all the different steps, roles, accesses, and authorizations in a process for a company, an individual could inadvertently be given enough access and authorization to find a way to commit fraud in a business. The confusion of all of this could easily “fly under the radar” of those assigned to monitor the checks and balances due simply to the complexity of the many different accesses, authorizations, and roles.

 1.What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?

Segregation of duties is an internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task. 
It involves breaking down tasks that might reasonably be completed by a single individual into multiple tasks so that no one person is solely in control. Segregation of duties improves security.
For instance, payroll management is an administrative area in which both fraud and error are risks. A good way to segregate duties for payroll is to have one employee responsible for the accounting portion of the job and someone else responsible for signing the checks. 
Another example is that a department in a company that provide its own IT support, should not do its own security, programming and other critical IT duties, because it would increase risk associated with errors and sabotage.

Right Sean, I want to add that segregation of duties is crucial to any organization and can help companies avoid the possibility of disastrous outcomes. I mean imagine what would happen if the keys, lock and code for a nuclear weapons system were all in the hands of one person? Scary right. Same applies to a software engineer who has the authority to move code into production without oversight, or access rights’ authentication. The idea is that companies shouldn’t give too much power to their employees.

What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?

Segregation of duties is a commonly used control because it helps manage conflict of interest. It restricts the amount of power held by any one individual. This segregation creates a barrier in which helps prevent fraud that could occur by an individual.
Two examples of IT roles that should be segregated are:
1. Software developers shouldn’t have access to production system; no code should ever be installed or entered into a production environment that has not been approved. Generally, development and production should always be separated.
2. Network and security and administrators should not report to managers who are directly responsible for the daily management of the servers. By not allowing that, ensures that their ability to maintain security controls is not influenced by those who are part of the process that is controlled.

Definitely Laly, segregation of duties limit the amount of power given to one person within an organization. When done properly it ensures that individuals don’t have conflicting responsibilities or are responsible for reporting on themselves or their superior. But, in your opinion, how does a company decide which duties should be segregated?

Good point Laly. These are really key business function that should be segregated.
A good way to actually “test” segregation of duties is to question some key point. First, ask if any one person can alter or destroy the company financial data without being detected. Second, ask if there is any one person who can steal or alter sensitive information. Lastly, ask if any one person has influence over controls design, implementation and reporting of the effectiveness of the controls. If the answer to any of these questions is YES, then you need to take a hard look at the separation of duties.

4. All companies are dynamic entities with employees and others using systems coming and going all the time.  What best practices have you experienced or would you recommend for managing system users and their related security access?
User password is a good practice, although it can be cumbersome I can’t think of any better way for a user to secure their information. In fact, good password scheme/policy is one of the basic security measures to prevent unauthorized access. By good password scheme I mean one that would touch all the following aspect:
Password Aging-setting password aging policy enforce the user to change his/her password periodically.

Minimum Length: Enforce a minimum length of password to at least 6 characters for example.

Non-dictionary words: If the operating system supports this feature, user won’t be allowed to select any password as a word from standard dictionary. ·

Password Uniqueness: the password uniqueness setting would force users to create new password, every time, preventing them from using password previously used in the past.

Another good practice would be to document any change in the system configuration either hardware or software. This is very helpful in situations like disaster recovery, detection for an intruder, trouble-shooting etc. If a company has several System Administrators, it is more important to have everything documented and also maintain additional copy of the documentation on different machine or as a hard copy in case something happens.

Alex, if only it were that easy. However, I think a good start to test SoD is to review the following:
– security/ IT policy and procedures
– security access
– organizational chart of duties and descriptions
– interview the key roles and players within the scope you are testing
– observe daily operations and the list can go on, depending on the organization and the scope.

1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Ans: Segregation of duties means dividing the tasks so that different people are handling different tasks. No person should have more that one duty or authority to in business. This control is vital to reduce or eliminate fraud. The below processes needs to divided and performed by different people to avoid fraudulent activities:
1. Custody of assets
2. Authorization
3. Recording
4. Verification
5. Managerial Review
According to the principle of segregation of duties, the person who has the custody should not be the one authorizing the transaction or recording it. No person should have more than one responsibility.
Segregation of duties uses:
1. It reduces the risk of errors as it ensures cross check of responsibilities
2. it ensures accuracy of data, completeness and security of resources.
3. Manages conflict of interest

In smaller it may not be possible to have segregation of duties as the number of people in the organization would be less and division may not be feasible. In such cases mitigating controls- compensation controls should be in place.

Example of segregation of duties in IT:
1. Software Developers: A software developer should not have access to production system. And a production system should not have rights to compile. In most organization there will be Application Development team, Production team and a separate support team exists. This way if any change had to be made all three teams needs to be informed and decisions are made with many people involved reducing the risk of people changing or modifying the application.
2. AD Admin: In an organization, various team can have rights to reset a password, like call center, local technical support etc, but the right to disable to an account should not be given to them. In my previous company to disable an account or re enable an account would require the approval from manager and HR. And even then a call center person wouldn’t be able to disable/enable the account- the local tech support could with the approval. A local technician couldn’t create a new user. That was done by the recruiting HR team. Even AD team couldn’t create a new user without the user details being input in SAP records.

I agree with your recommendations for password requirements. I would also add criteria preventing the user from reusing previous passwords when creating a new password. Preventing users from using old passwords mitigates the risk associated with a password that has been cracked and the attacker is just waiting for the user to change the password back to the cracked one. I’d suggest a minimum number of old passwords of at least 6 to prevent the user from reusing a password from the past 18 months in an environment that requires password changes every 90 days.

What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?

Segregation of duties means that no one person should be responsible for doing everything. It is a commonly used control because it prevent errors or fraud from occurring.

Two roles that should be segregated are investments and treasury. Members of senior management should only be able to authorize the opening of new bank accounts. Treasury activities like opening bank accounts and authorizing signatories should not be performed by employees involved in daily cash activities. Employees entering investment activity into the GL shouldn’t be the same person that opened and authorized the transactions. Investments are to be maintained by someone who is not involved in the daily investment process. That process could be best suited for senior members because they are not directly involved in daily processing.

What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?

Segregation of duties separates tasks that could be used together to produce an undesirable result, like fraud. The goal is to prevent one person to have sole control of a task or process.
It is a commonly used control because it lower risk of fraud/errors, and sometimes prevent fraud/errors from occurring.
Two IT roles that should be segregated are the Application development team (programmers) and the Maintenance team. There is a high risk of errors/fraud if the programmers are also the ones responsible to maintain the application. By implementing SoD, programmers would be responsible of developing the app and the maintenance team would be responsible to maintain and detect errors that the app may contain.

What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?

According to ISACA, segregation of duties is the implementation of a division of roles and responsibilities that reduces the possibility for a single individual to compromise a critical process. Make sure that personnel are performing only authorized duties relevant to their respective jobs and positions. It is a strong internal control used to mitigate the risk to defer and prevent one personnel from having all access to all steps to commit fraud.

Below are two IT functions that should be segregated from rest of the IT functions

Information Security vs. Rest of IT Function
the person(s) responsible for information security is in a critical position and has “keys to the kingdom” thus, it should be segregated from the rest of the IT function. It is because this person is responsible for most of the settings, configuration, management and monitoring for security. Login credentials may also be assigned by this person, or they may be handled by human resources or an automated system. Therefore, this person has sufficient knowledge to do significant harm should he/she become so inclined. This risk is especially high for sabotage efforts.

Appdev vs. DBA and IT Operations
The development and maintenance of applications should be segregated from the operations of those applications and systems and the DBA. That is, those responsible for duties such as data entry, support, managing the IT infrastructure and other computer operations should be segregated from those developing, writing and maintaining the programs.

Source: ISACA
http://www.isaca.org/Journal/archives/2012/Volume-6/Pages/What-Every-IT-Auditor-Should-Know-About-Proper-Segregation-of-Incompatible-IT-Activities.aspx

1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?

Segregation of duties is, as the names suggests, when roles and responsibilities are separated among different personnel. The purpose of this is to act as a control, which does this in two major ways; preventing fraud and reducing error. As we learned from earlier classes and in other courses, by separating duties it reduces the likelihood from individuals committing fraud since to commit it, one must collude with other members of a process. Without segregation of duties, one can commit fraud due to no other oversight or anyone reviewing their work.

Another by product that many don’t bring up is that by segregating duties you create responsibilities among different personnel, which creates an environment where errors are reduced. For example, in the procure to pay process we talked about three-way matching which matches the purchase order, with the order receipt and the vendor invoice. Now in a segregated environment, all three documents will be handled by different departments. However, in a non-segregated environment this might be done by the same person or small group. Looking away from fraud, I bet the actual performance of this 3-way control is little to non-existent within the non-segregated environment. The reason I say this because individuals are more likely to trust their work instead of the work of others. Therefore, segregation of duties has an impact on the accuracy of processes and holding others accountable.

Two roles that should be segregated which come to mind are sales and accounts receivables in the Order to Cash process. These duties are separated since you don’t want the individual creating a sales order to be able to receive the cash as well. If that was the case, I could create a sales order for sale $400 but send at an invoice to the customer for $500. When the money came in, I recorded it as a sale of $400 and pocketed the $100 without anyone knowing. In my Real-World Control Failure project, the company I researched had fraud due to a lack of segregation of duties between sales and accounts receivable. Essentially, the head of sales received all the information and payment from a sale then transferred it to the accounting department. Therefore, he was able to commit fraud up until he left the company.

2. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain

In my opinion, I think security in an ERP system like SAP is complex mostly because the program itself is complex. For most applications, if you want to only allow certain users to be able to access the application, then you require a username and password to access it. However, in SAP, it is essentially an application with a whole bunch of applications within itself that need to be properly separated among the entire user base. Separating these duties within SAP requires a certain understanding of the application since it requires knowing the role codes and transaction codes along with who should have access to what. However, I suppose what is fuzzy for myself and still have questions remaining on is how is SAP controlled in terms of monitoring as well as making sure the SAP system is configured properly and up to date. Is monitoring a function within the SAP system and if so, is it monitored by some central personnel or is it separated like the functions within SAP? I think I understand how identity and access management works within SAP, however, I think the other areas of security such as monitoring, encryption, data storage, etc is where I seem to be fuzzy on.

3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?

I think two key competencies that a security professionals within a company should have is the ability to identify and balance priorities as well as be a good decision maker. In today’s environment, it seems that security breaches can come from every which direction, however, some threats are more threatening than others. Likewise, some security vulnerabilities can be fixed easily while others might require a lot of time and resources. One can’t always just fix the “low hanging fruit” but you also can’t ignore huge projects that can fix a vulnerability. Therefore, it is important for a security professional to properly identify and prioritize the right security measurements and make correct decisions into how they should address that issue. This can also include the ability to shift priorities when new security vulnerabilities arise and require immediate action. By not correctly balancing priorities one can leave security gaps within a business environment which can result in security breaches or fraud.

4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?

Aside from the standard authentication processes that control who has access to a system, one of the best practices that I have seen during my IT audit internship was that of monthly or quarterly user access reviews performed by management. The company I audited had a high turnover rate and was also part of a more regulated market. To make sure that no one’s access wasn’t removed, it was the department’s head responsibility to review all the users who had access under their supervision. The Director of IT would send a list of users who still had access to the system to the department head. The department head would review the list, mark down any users who needed access removed, sign off on the review, and send it back to the Director of IT who would review if any changes were necessary. The purpose of this exercise is to be a supplementary control for the deprovisioning process. If for some reason, a user’s access was not removed when they were terminated, this process would identify that user and remove them properly. Due to the nature of this organization, this control was performed monthly. However, an organization can perform this bi-weekly, quarterly, or semi-annually depending on the number of users within a system and the risk the organization is willing to accept.

2)What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?

In a business usually only one current posting period is kept open for a financial year to enter transaction related to that month, all other posting periods being closed. ( in general, the individual posting period correspond to a calendar month). This is to prevent wrong posting to a particular month.

1. Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain

Not necessarily. I think businesses focus more on network security than they do on software security controls like those in SAP. I think the bigger scare for a business contemporarily is a network intrusion risk than an internal employee risk. I think businesses fear the damage done by a reputation loss and the associated revenue loss associated with a hack than they do with internal fraud. Also, internal fraud, unless required by law in specific types of fraud in certain industries, is not mandated to be disclosed to the public, so a business could suffer fraud but not necessarily lose any reputation or revenues from customers.

4. You’ve used various computer systems in your lifetime, carreer. System security is complex and often maligned as cumbersome, difficult, beurocratic, etc. Have you seen these problems in your experience? Explain

I have seen these problems when I was in the military. We had controls for access to bases, buildings, and individual spaces before even getting to individual system security controls. Once you eventually got to a specific system you had to insert your “smart card” into the system’s keyboard and then type in your pin number, or you had to know your login name and password in lieu of using your “smart card.” Once logged into a system, a user had to have login ID’s and passwords for access to various programs, documents, folders, other networks, etc. If remembering all those different login ID’s and passwords wasn’t difficult enough, the passwords were required to be changed about every 60-90 days. When creating a new password there were minimum lengths, character diversity minimums, and your last 5 to 10 passwords could not be used depending upon the specific password being changed. It was very cumbersome to try and remember all your login ID’s and passwords, or find a way to write them down without them being easily linked to one another if they were ever found.
Aside from logins and passwords, many systems required approval from supervising personnel before something could happen that was important For example, say a piece of equipment was damaged and needed a replacement part. Well you would have to log into the program to write the job up and order the part(s). After that you would have to wait on your supervisors at various levels to “sign off” on the job and parts needed, and then you would have to wait on the department responsible to approve and issue the part(s) if available, or order the parts from another location. This added a lot of steps into doing something as basic as replacing a toner cartridge in an office printer.

1. protocols in programs like SAP, rather than look for security in the entire network? Explain

I would like to believe that most businesses do not rely too much on administrators to configure their security protocols in a program, like SAP, rather than look for security in the entire network. I would think that the businesses whether they be big or small focuses on their network security controls because, their data and their company solely rely on the security of their network and the functionality. I think the software aspect security controls, like SAP are bought based on their reputation and effectiveness across all boards. Their security infrastructure as a whole are more detrimental to their company, I believe; without having a secure network infrastructure they are undermining their business. Conversely, I think software security is important but looking at it from a business owner/ administrator I would be more concerned with the internal risk of an unsecure network and the breeding grounds of fraud within the company as well as hacking via network injection, malware, ransom ware, etc. Subsequently, I think administrators look for software like SAP or Oracle that have great brands and security controls in place to make sure their data is secure but rather also, focus more on their entire security network infrastructure more because, it’s the direct product of their businesses.

Wow!I would be very annoyed with all these protocols. But when you think about it, security goes with complexity. However, I think at a certain level of complexity people will start disregarding the official policy entirely and make the system more vulnerable.
Thanks for sharing Sean

You’ve used various computer systems in your lifetime, career. System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc. Have you seen these problems in your experience? Explain

The company I worked at forced us to change our password to access several online systems each month. Password had to be at least 8 characters long and include a special character, number, lowercase letter, and uppercase letter. The fact that I had to change my passwords every month was very annoying. I could not remember that type of password when it changed so frequently, so I had workarounds. Since each program forced a password reset at different intervals, I just sync all my passwords to be the same and reset them all on the schedule of the program that forces the most frequent password change. Now how secure was that? My point is that complex policies ultimately can lead to a security breach.

Alex,

At the Philadelphia DA’s Office we had the same protocol however, I noticed that this resulted in employees actually writing their passwords down and keeping them on their desk because they would always forget what their password was, definitely not secure.

4. You’ve used various computer systems in your lifetime, career. System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc. Have you seen these problems in your experience? Explain

At the DA’s Office we had a protocol that passwords had to be changed very often. I believe it was about 6 times every 4 months which was in direct correlation to the databases my unit had to use. However, I noticed that this resulted in employees actually writing their passwords down and keeping them on their desk because they would always forget what their password was. We had 6 databases and internet access which you needed passwords to use. Yet, I worked for the charging unit which was open 24 hours and people worked on a rotating shift work schedule, as you can image the IT people weren’t there to assist when someone would be locked out which, made it even more cumbersome and dysfunctional. Ultimately, leading to people getting locked out and being unable to access the database needed to do work. This also led to employees sharing credentials which is a big NO NO! Thankfully, I never had been locked out but the databases we used were very important such as the FBI National Crime Information Center Databases to complete background checks. Personally, I wouldn’t share my credentials because come one, who would risk it but believe me, people actually shared them.

1. What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?

I think the main reason is to avoid fraud/error and facilitate accounts reconciliation at the end of the month or year. Each organization follows a specific fiscal year variant. For example, Temple University fiscal year goes from July to June with 4 additional special periods. From July to June, a period is open every month and transactions made in a specific month are recorded to that month. Once a period has been closed there is not possibility to post in that period. This way every transaction is recorded/posted in the month (period) it has occurred.

Yeah, I think they both present risk and never said they didn’t. However, I think the network security controls are the first the priority for all businesses whether they are big or small because, that is their means of business. But, yes I agree with you alex! Thanks for your input.

3. Consider the list of financial and accounting controls. Rank them. Which to you believe is the most important, the least. Why?
Some of the controls for financial accounting as mentioned below:
1. System and Authorization procedures should be in place to provide accounting control over revenue, expenses, assets/ liabilities. Only the authorized person should be able to create, modify/change/edit and close/delete any records/transaction.
2. Segregation of functional responsibilities to create accountability for system of checks and balance
3. Completeness check: Every transaction has to accurate, timely and complete.
4. Controls should be in compliance with the federal, state and local laws and regulations affecting the operations.
5. Proper approval procedures should be in place.
6. Reconciliation procedures should be in place- to compare two sets of records which relate to same transaction and verify if there are any differences.

Authorization control is the most important and only authorized should have access to many any modification to any system. We can achieve this with proper segregation of duties and by setting up processes to be followed. I also think completeness control is as important. Every transaction is properly and recorded on time. This increases reliability and reduces the chances of error both human or fraud.

I agree that Authorization Control is the most important control too. You can have all the other controls in place that you listed, but without proper authorization controls in place none of those other controls will matter. If the wrong people are authorized to create, alter, and/or delete some type of transaction when they should not be, then they can cause some serious problems for the business either on purpose or inadvertently. By making sure only the correct people have the authorization in place to do specific things in SAP/ERP then the the other controls can be effective, but without authorization controls the other controls are aesthetic at best.

2. What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?

In general, the individual posting periods correspond to a calendar month and usually, at any one time, only one posting period may be open. The main reason for having one posting period open at a time for real time is to prevent frauds by prohibiting authorized users to access to other/previous periods to make changes. Any changes/corrections to be made, have to post to the special additional posting periods at the end of the year during year-end closing. That way can mitigate the risk of fraud.

4. You’ve used various computer systems in your lifetime, career. System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc. Have you seen these problems in your experience? Explain

The company I used to work for is a small estate real company and I did not see high system security taken place in the company. However, we had to change the passwords of our computer systems and email every Six months but most employees write down the password on a post-note. All passwords are required to have at least 8 letters including upper and lowercase, numbers but names or previous passwords are not allowed. My coworkers found it kind of annoying because they could never remember the passwords. All passwords have also to be saved in an excel spreadsheet in a server so that other employees are able to see them. I am not sure these password polices are common to exist in small companies but I believe the system security was not adequate to protect the data and OS.

You’ve used various computer systems in your lifetime, carreer. System security is complex and often maligned as cumbersome, difficult, beurocratic, etc. Have you seen these problems in your experience? Explain

One example that comes to mind in the Veterans Administration. I am currently using the GI Bill to finish graduate school so I need the VA to certify my credits at the start of each semester. Unsurprisingly it doesn’t have the best or most accessible website. The password requirements are probably the most cumbersome for me, although they are definitely designed to be secure. The website does not allow any password to contain an actual word, so it has to be completely random. While this does make for a more secure password, it becomes much more difficult to remember. Combined with upper/lower case, numbers, and special characters there is very little to use to help remember. I definitely think that strong passwords are important, but a balance is important because if it is too hard then people will be tempted to write down the password.

Definitely can relate to some of the systems I worked with while I was in the military. I remember when I was deployed there some computers that had login information taped onto them in plain site. Definitely not proper security protocol, but just assumed that someone had just given up or didn’t care.

1. Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain
I think most of companies focus on the security in the entire network rather than only rely on administrators to configure the security protocols in programs like SAP. For company’s security, it is true that software security is a crucial for them and they also focus on that. However, other securities are also important parts for all companies, like network security, physical security, software security, cyber-security, internal security, etc. Many companies use outsourcing security method so that they can focus more on internal and physical security within the company. So SAP is not the only focus for companies.

3. Consider the list of financial and accounting controls. Rank them. Which to you believe is the most important, the least. Why?
1) Separation of duties: it involves splitting responsibility for bookkeeping, deposits, reporting and auditing. Less chance of fraudulent acts happens if further duties are separated.
2) Access controls: controlling access to different parts of an accounting or finance system via passwords, lockouts and electronic access logs can keep unauthorized users out of the system.
3) Physical audits: include hand-counting cash and any physical assets tracked in the accounting or finance system, such as inventory, materials and tools.
4) Documentation: standardizing documents used for financial transactions, such as invoices, internal materials requests, inventory receipts and travel expense reports, can help to maintain consistency in record keeping over time.
5) Trial balances: using a double-entry accounting system adds reliability by ensuring that the books are always balanced.
6) Approval authority: requiring specific managers to authorize certain types of transactions can add a layer of responsibility to accounting records by providing that transactions have been seen, analyzed and approved by appropriate authorities.

http://smallbusiness.chron.com/seven-internal-control-procedures-accounting-76070.html

Indeed Joshua, strong passwords can be very cumbersome and when you think about it, how many account do we all have online? can you imagine create strong password like that for each of them? There is absolutely no way, even with only 10 accounts, you can create passwords that are strong, unique and memorable. Maybe the safe thing to do is having some sort of password management system.

I know exactly what you’re talking about. I never understood why stringent password requirements and policies existed for certain systems. For instance, in the Navy we had Navy Knowledge Online (NKO), and I believe you used AKO if I remember correctly, for online training courses that were required semi-annually and annually. There was no real PII or any financial data in the system at all, but when it came to securing it with a password you had to create a very unique one with all sorts of criteria. On top of that, you had to change the password pretty frequently as well. I never understood why the policy was so strict when there was really nothing an intruder could get of consequential value if they were able to enter the system with your login ID or through some other security vulnerability. I’m pretty sure it was literally a lot of “red tape” to protect nothing at all.

1 Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network?  Explain

I believe most business rely too much on technology to look for security in the entire network rather than relying on administrators to configure the security protocols. And there are still some giant companies who do not care about the security protocols. Without the proper security protocols, I believe organization wont be able to guide its employees to properly behave. Take Wells, Fargo as an example, they open millions of fake bank and credit card accounts for customers over the past five years. Wells Fargo said it has fired 5,300 employees in relation to the scam. I think that no employee want to commit those crime but they were forced by the manager to do so to make its report look good. With that being said, if an efficient protocol was in place, it would restrict most employees from committing the fraud. Security for the entire network is as important as the protocols to prevent data breach so companies should also put more resources in their security systems to secure client’s personal data.

I also agree that authorization control is the most important control too because authorization is the process of enforcing policies by determining what types or qualities of activities, resources, or services a user is permitted. Other controls will be meaningless if unauthorized users are able to access to the system to create/alter transactions to commit fraudulent activities. Usually, authorization occurs within the context of authentication which is a way of identifying a user, typically by verifying valid user name and password before access is granted.

Binu,

I strongly agree with you. It’s all about who has access to what and when. Where I work, I am in charge of doing monthly reconciliations. I reconcile what we have in the system (IBM Cognos), deposit logs, and receipt book. The process is simple. The front desk receives the check from the customer, issues a receipt to the customer and records the amount in the deposit log. Then, the person at the front desk deposits the check at the accounting department who posts the transaction in the system. Imagine I was the one having all those privileges. It would have been really easy for me in this case to commit fraud.

What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?

You define posting periods in your fiscal year variants. You can open and close these posting periods for posting. As many periods as you require can be open for posting simultaneously. Usually, only the current posting period is open for posting, all other posting periods are closed. At the end of this posting period, the period is closed, and the next posting period is opened. During period-end closing, special periods can be open for closing postings.
For postings from Controlling (CO) to Financial Accounting (FI), you can define a separate period interval. You can use this period interval to be able to make CO-FI postings to Financial Accounting using real-time integration during period closing, for example. This period is not valid for any other postings; such postings are checked using other period intervals.
You can differentiate the opening and closing of posting periods by account type. This means that, for a specific posting period, it is possible for postings to customer accounts to be permitted and for postings to vendor accounts to be prohibited.

I agree with you. The Authorization Control is the most important. The main reason is that Authorization is the basis by which the authority to complete the various stages of a transaction is delegated. These stages include the processes of Recording (initiate, submit, process), Approving (pre-approval, post entry review), and Reconciling. All transactions and activities should be carried out and approved by employees acting within their range of knowledge and proper span of control. Proper authorization practices serve as a proactive approach for preventing invalid transactions from occurring. For example, Level of authority should be documented. Documented authority creates an expectation of responsibility and accountability. Authority to perform a particular action may come in hard copy documents or system generated authority (example: ASTRA access system)

Consider the list of financial and accounting controls. Rank them. Which to you believe is the most important, the least. Why?

Internal control is a process — effected by plan management and other personnel, and those charged with governance, and designed to provide reasonable assurance regarding the achievement of objectives in the reliability of financial reporting.
Your plan’s policies, procedures, organizational design and physical security all are part of the internal control process. The following are some general characteristics of satisfactory plan internal control over financial reporting:
1. Policies and procedures that provide for appropriate segregation of duties to reduce the likelihood that deliberate fraud can occur
2. Personnel qualified to perform their assigned responsibilities
3. Sound practices to be followed by personnel in performing their duties and functions
4. A system that ensures proper authorization and recordation procedures for financial transactions

The critical issue is that the plan’s internal control policies and procedures must be in place, performed by duly authorized plan personnel, or their designee who is capable of performing the control activities. Furthermore, plan management must accept responsibility for designing, implementing and maintaining internal control. For example, the plan can use its plan auditor to assist in identifying adjusting entries and drafting the financial statements and related disclosures. But to have effective controls to prevent, detect and correct misstatements in the financial statements, the plan must designate an employee to oversee the service who understands the benefit plan industry, understands how accounting entries affect the plan’s financial statements, is capable of making management decisions related to the monthly and year-end closing activities, and approves and accepts full responsibility for the plan auditor’s work product.

1. Consider the list of financial and accounting controls. Rank them. Which to you believe is the most important, the least. Why?
Ans : In my view, the financial and accounting controls can be ranked as below in decreasing order of importance (most important ranked first) :
• Approval Authority
• Completeness
• Accuracy
• Access Controls
• Separation of Duties
• Reconciliations
• Trial Balances
• Documentation
• Physical Audits

I rank Approval Authority as the most important as without the transactions being authorized by the right personnel, they signal failure of control even if the transactions are correct and complete. At the same time, incorrect Approval Authority could also give way to fraud being committed. I would rank Physical Audits as the least important as if the other controls are already in place, Physical audit would be more of a check to confirm that the transaction information and accounting is done correctly. There wouldn’t be far-reaching implications if Physical audit weren’t taking place but all other controls were already in place.

Sorry, this is the answer to Q.3.

Nice point Joshua. To add an example, In the firm that I had worked earlier, particular team was supporting a different company and that company had created accounts for these employees and had given the hiring status as contractors.

Now as a contractor:

1. the account would expire in 90 days and needed to be extended with approval from their onsite manager for extension before the completion of 90 days
2. the password had to be changed in 90 days and user could not use any of the last 10 passwords and it needed to of 8 characters with a mix of alphanumeric characters and special characters.
3. the account would be locked for 3 unsuccessful attempts.
3. The account will be disabled in 180 days of non usage.

The basic issue was that these employees worked only for short time and only during the busy season during financial audit period or taxation periods and most often did not require to login which made it easier for people to forget the password and this resulted in a large number of requests that were raised for password change, account unlock and extending the account/enabling issues at the start of every busy season.

I understand this complicated life both for employees and IT people but I also feel it was required to prevent unauthorized access to the system. And the company was aware of this and was ready to take up this challenge than put their information at risk.

Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain

I don’t believe yet, compared to the configuration of software security protocols, which could be seen as a part of software security controls, the entire network security is a more complex project for business to mainly focus on, and in today’s business environment, it is becoming increasingly complex, as new Internet threats appear daily or even hourly. More than ever, good network security is vital to businesses of all sizes to protect the confidentiality, integrity and availability of your network and data, to protect your business from today’s sophisticated Internet threats, not just from software side.

Thanks for your sharing. Password management is very important for both users and companies to keep security, I totally agree with you that user experience should be adequately cared, because too strict regulation is very annoying. Besides, like you said, the password is too hard to be remembered so we have to write it down in some cases, that’s a definite vulnerability.

I agree with you that authorization is the most important one. Authorization makes sure that only authorized user has the proper permission to access a particular file or perform a particular action so as to reduce unauthorized access to a large extent, and then greatly mitigate the potential risks.

1. Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain

I believe business leaders do rely too much on administrators to configure security protocols, rather than practice over all security.

The reason I believe this is because many business leaders are not technology professionals. They don’t know about the vulnerabilities until they are informed by the IT professionals or they hear about it on the news. I doubt you will see many CFO’s reading about current IT control best-practices unless it is given to them by someone. The problem is, many business leaders are not passionate about IT, or even know about different network securities. They think everything must have been caused by a virus, installed randomly by an external source. The business leaders are focused on increasing revenue and/or reducing expenses. They don’t understand, security in the entire network is similar to making everyday safety activities. To fix this, security in the entire network has to become the company culture.

2. What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?

The relevance of only being able to have one posting period open at a time for real-time postings because real-time postings are happening at that moment in time. The posting period open should be the current period, so it would be relevant to only have the current posting period open for real-time postings.

By only having the current period open for real-time postings, the opportunities for fraud are reduced by eliminating the integrity vulnerability. Having the ability to post real-time transactions in other periods would allow for a misrepresentation of the financial statements.

3. Consider the list of financial and accounting controls. Rank them. Which to you believe is the most important, the least. Why?

It is difficult to rank the importance of each control because they are all important based on what the control is controlling… Hope that isn’t confusing. Anyway, my ranking is based on what a small company, with limited resources should implement first, or most important.

1. Authorizations & Access Protection
This is generally set up by user and/or department to segregate duties throughout the company.

2. IT General Controls
This could be switched with Access Protection because polices will be implemented to allow access to the ERP application and/or the add-on functions (Apps, data, ect.)

3. Automated Testing and Monitoring of business processes, Keep Performance Indicators, ect
The controls should be monitored to determine if they are improving or worsening the business process. If it isn’t helping, things need to be changed.

4. Entity Level Controls
The integrity of the financial statements and management assertions should be accurate. Entity controls are internal controls used for each entity of the business to insure accurate completion.

5. Manual & Semi-Automated Business Process controls
Insuring the process is done correctly by a human and system will allow for a hands on review.

6. Automated Business Process Controls
This could also be very important for a large company, who has many customers or many steps in the business process. But from an importance point of view, you could always use Manual. It would take longer.

4. You’ve used various computer systems in your lifetime, career. System security is complex and often maligned as cumbersome, difficult, beurocratic, etc. Have you seen these problems in your experience? Explain

My experience with computer systems security is switching from a local presence to a remote presence, for some of the reasons you mention. As long as you handle the due-diligence and proper vendor vetting, you will find the security on the system is much more robust than anything most company can build, manage, and maintain on their own. The costs, securities, and accessibility offered for “cloud” users makes moving many aspects of the computer system out of the office.

However, bureaucracy at the top will always be present with a local or remote computer system. The most difficult thing to do is, convincing a successful leader there is a better strategy than the one that made them successful. Many times you can show them why the system will benefit the company, but if you don’t have the comradery with the decision maker, you may have to wait for funding while the decision makers weekend friend moves forward with their project.

Q4: You’ve used various computer systems in your lifetime, career. System security is complex and often maligned as cumbersome, difficult, eurocratic, etc. Have you seen these problems in your experience? Explain

In my past experience in the Korean Army, I was in the Signal Corpsman unit. Since we dealt with a lot of confidential information within the Army, it was very cumbersome and difficult to access the computer systems. We had multiple layers of authentification to log-in to the computer system and changed the passwords 2 times a week. And the Army tried not to rotate the passwords so we were always ending up memorizing new random ones. Just one problem I experienced with the multiple layers of the authentification was that it took much longer to get into the computer. So when a senior manager wanted to get some data from our team. Somehow, when it was urgent, It slowed down our reporting system.

1. Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain

Based on my experiences with internships and in the ITACS program, it seems that a lot of the focus on security protocols are not within programs such as SAP but more on network security. I suppose one of the reasons why many focus on network security is due to the fact that SAP or ERPs in general, are more buried within the network. When I say this, I mean that those whom interact with the SAP system as usually members of the organization, not outside vendors or customers. Therefore, if an individual is looking to gain unauthorized access, they will need to gain access to the network first then gain access to the application. With that being said, the security protocols that SAP offers are relatively robust and security professionals can take advantage of that to properly identify and authenticate users of the SAP system, which acts as a security feature within the organization and a second layer of defense in the entire network.

2. What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?

From an accounting perspective, having multiple periods throughout the year is a way to help prevent inappropriate management assertions such as completeness and cutoff. For example, if a business has monthly accounting periods, as in it “closes it books” every month, then you don’t want members of the accounting department to accidentally book an entry into the following month. This control likely serves two purposes. One, it works as a manual entry control which can work as a validity check or reasonable test, that prevent employees from non-maliciously creating transactions in the wrong posting period. The second, it works as a control that prevents individuals from maliciously posting transactions into the wrong posting period. While I do believe this control serves to prevent human error, I do think it can serve both purposes.

3. Consider the list of financial and accounting controls. Rank them. Which to you believe is the most important, the least. Why?

After doing a quick google search, I came across seven internal controls over finance/accounting. It seems that this list has a list of very broad control categories, however, I have ranked them in order of most important to least important.

1. Access controls: This control focuses on limiting who can access what within an accounting system. Without this control, users can access different areas of the financial system which causes a segregation of duties issue, which could potentially lead to fraudulent activities. Therefore, in order to have proper segregation of duties these controls need to function properly.

2. Separation of Duties: This control focuses on separating responsibilities among different members of the accounting process in order to reduce the risk of fraudulent activities and decrease potential human error. I rated this after access controls because even though you properly segregate duties, if you can’t enforce it then they are not properly segregated.

3. Reconciliations: This control works as a reconciliation against other account balances. In an accounting system, reconciliations can be performed as a check to make sure that data entered into the system is appropriate and are using the correct balance. This is one of the more important controls because it makes sure that balances are correct and that before going forward, one can verify that balances reconcile and everything ties out.

4. Trial Balances: A trial balance works much similar to that of a reconciliation. However, a trial balance works like a reconciliation to make sure that all the debits and credits match each other, which they are supposed to. Likewise, trial balances are used to compile financial statements at year end or when audited. This is important from a financial standpoint since it more or less makes sure the accounts have been properly recorded throughout the year.

5. Documentation: According to the website, this control works by standardizing all documentation that they fit a certain form and look such as invoices, purchase orders, etc. By doing this, it has the potential to reduce human error when inputting data into the accounting system, reduce confusion of purpose of documents, and also helps during an audit.

6. Approval authority: This control works by having a manager or superior approve a transaction or record before it can be processed. In the case of large transactions, this can serve as a way to make sure that the right personnel have responsibility over transactions. The reason why I put this lower on importance is because it should only affect big transactions and not control the majority of a company’s transactions.

7. Physical Audits: This control is a physical audit such as counting inventory or money. The reason why I rated this last is because it is only detective in nature. Since it only verifies that a correct counting was made, I would much rather have a preventative control in place than one that is detective.

List from: http://smallbusiness.chron.com/seven-internal-control-procedures-accounting-76070.html

4. You’ve used various computer systems in your lifetime, career. System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc. Have you seen these problems in your experience? Explain

Yes I have in multiple organizations. Security by its very nature seems to be bureaucratic since it often times is comprised of a higher level employee limiting what you can and cannot access. Since most of my recent work experiences have been internships, I by default am usually given limited access to systems and files. In order to gain access, I generally had to submit a ticket where a supervisor and a manager both had to sign off that the access I was requesting was appropriate. While this can be considered a good thing from a security standpoint, from a user standpoint it can be frustrating as you have to request authorizations to certain files/applications of which can take a while and end increasing one’s idle time. But as I stated earlier system security is cumbersome by its very nature, since it often at the expense of efficiency. A user might complain that having to sign on in the morning to their computer is a hassle or that connecting to a VPN to share documents is a waste of time. However, these simple authentication controls require relatively little time but can significantly protect an organization from unauthorized users. I think the major problem as to why system security seems cumbersome, difficult, and bureaucratic, is because users don’t understand the full purpose of each action.

Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain

From my experience, the COO, focused more on security protocols than the security of the enterprise network. Throughout different projects, I noticed how vigilant the whole department was when it came to for application security. Protocols were clearly defined for incidents like Phishing and Malware. Strong password policies were strictly followed.

Operational security protocols were also deployed, for instance, tools like round-the-clock monitoring and they had a dedicated tenured security team to ensure that security remained strong.

On the other hand, I observed that the organization had physical security controls missing. The card-reader at the entrance was out of order and the replacement took more than a month. It was a huge exposure since all the ports on the network can be used to infiltrate and compromise the entire network. In another instance, the contract with Managed Service Provider also had loopholes.

1. Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain

I believe the company as whole and board might be more concerned and focused on overall security in the network. From ERP perspective, the ERP mangers would focus more on internal controls. I think, earlier when ERP softwares were in the process of making and still evolving, overall security was not the priority. However now, ERP tools like SAP has come a long way and is integrated with web-based tools and technologies for security. However requirement of security is also increasing with the increase of using mobile phone, cloud storage, distributed network and cyber attack on rise. Including level of security in a complex ERP system becomes cumbersome.
Overall security must be though about when ERP is installed. Internal controls may change with business and ERP managers will update when required if not implemented the system will show errors soon. This is not same with overall security. Data integrity, availability and confidentiality aspect must be based on the security considerations and planning done at initial design stage.

Q 2. What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?

A Posting Period Variant is useful in opening or closing finance posting periods across many Company Codes at one time. You define a posting period variant and assign it to various Company Codes.

SAP provides a feature to open multiple posting periods simultaneously and has no restriction on the number of posting periods.
Generally, business keeps only a current posting period open in a financial year for customers and vendors to enter transaction related to that month and all other posting periods are kept closed since becomes difficult to book revenue and cost in the correct period and can lead to inaccurate entries may be due to human errors.
Sometimes prior period is open to allow period-end adjustments.
This allows to manage multiple company codes through a single posting period and hence managing fraud.

Q1: Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain

With respect to this question, I would say yes and no. I think it really depends on what you do or who you are in your organization. Over the summer, I worked for the Fox Information Technology, Temple University as a Technology Consultant. When I was an employee there, I was always discussing security issues or any suspicious activities on our web with a network specialist or managers who were the System Administrators. I was heavily relying on them because they were the only key to helping me secure or configure the computer systems that I was working on. At the same time, I was also a student at Temple University. As a student, my concerns in terms of security were how Temple can protect my credentials, personal data, or financial information – TU Pay – from any kinds of incidents related to outside intruders. That is, does Temple has an indestructible security process in their network system so that when a hacker tries to compromise the data, Temple can fight back to secure their students/faculty/staff’s information.

Mansi,

This is a great answer. I would say segregation of duties should be ranked top most. It is very important to first assign right duties to right person and define the organisational chart before the approval authority works on the approval process. It is very important to approve right kind of roles for the right person in order to manage fraud.

Q2: What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?

One of the main reasons for only being able to have one posting period open at a time for real time postings is to prevent users from entering wrong information to wrong posting period. As we have talked about a human error many times already in class, the best way to preclude the human error from happening is to make the process automated. Because only one posting period opens at a time, users are limited to jump around to other posting periods. It really helps the system record correct data into right sections.

One of the similar case occurred in my organisation. There were people from infrastructure team who never use to lock their system while leaving the desk for some temporary period of time. This came into the notice of the information security team and they were warned. Still they found it complex to lock the system every time they leave the desk. Because of this next time an incident was raised against this activity which I believe was correct. Therefore the way not sharing the passwords is important, leaving the system lock while leaving the desk is also very important and is a part of maintaining the system security in the organization.

Q3: Consider the list of financial and accounting controls. Rank them. Which to you believe is the most important, the least. Why?

1. Separation of Duties
Separation of duties involves splitting responsibility for bookkeeping, deposits, reporting and auditing. The further duties are separated, the less chance any single employee has of committing fraudulent acts. For small businesses with only a few accounting employees, sharing responsibilities between two or more people or requiring critical tasks to be reviewed by co-workers can serve the same purpose.

2. Access Controls
Controlling access to different parts of an accounting system via passwords, lockouts and electronic access logs can keep unauthorized users out of the system while providing a way to audit the usage of the system to identify the source of errors or discrepancies. Robust access tracking can also serve to deter attempts at fraudulent access in the first place.

3. Physical Audits
Physical audits include hand-counting cash and any physical assets tracked in the accounting system, such as inventory, materials and tools. Physical counting can reveal well-hidden discrepancies in account balances by bypassing electronic records altogether. Counting cash in sales outlets can be done daily or even several times per day. Larger projects, such as hand counting inventory, should be performed less frequently, perhaps on an annual or quarterly basis.

4. Documentation
Standardizing documents used for financial transactions, such as invoices, internal materials requests, inventory receipts and travel expense reports, can help to maintain consistency in record keeping over time. Using standard document formats can make it easier to review past records when searching for the source of a discrepancy in the system. A lack of standardization can cause items to be overlooked or misinterpreted in such a review.

5. Trial Balances
Using a double-entry accounting system adds reliability by ensuring that the books are always balanced. Even so, it is still possible for errors to bring a double-entry system out of balance at any given time. Calculating daily or weekly trial balances can provide regular insight into the state of the system, allowing you to discover and investigate discrepancies as early as possible.

6. Reconciliations
Occasional accounting reconciliations can ensure that balances in your accounting system match up with balances in accounts held by other entities, including banks, suppliers and credit customers. For example, a bank reconciliation involves comparing cash balances and records of deposits and receipts between your accounting system and bank statements. Differences between these types of complementary accounts can reveal errors or discrepancies in your own accounts, or the errors may originate with the other entities.

7. Approval Authority
Requiring specific managers to authorize certain types of transactions can add a layer of responsibility to accounting records by proving that transactions have been seen, analyzed and approved by appropriate authorities. Requiring approval for large payments and expenses can prevent unscrupulous employees from making large fraudulent transactions with company funds, for example.
Ads by Google

Source: http://smallbusiness.chron.com/seven-internal-control-procedures-accounting-76070.html

All of the 7 accounting controls above are imperative to preclude it from any financial incidents. Among those 7 controls, I think the Separation of duties is the most important; on the other hand, the Trial balances is the least important control. The Separation of duties is very important because it is one of the most basic, critical controls to prevent an organization from an internal fraud. As opposed to it, the Trial balances is the least important because nowadays most of the companies are trying to transform their accounting systems to become more automated. That is, there will be less errors in the financial documents since more transactions are going to be made automatically.

4. You’ve used various computer systems in your lifetime, career. System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc. Have you seen these problems in your experience? Explain

While working as an Associate Application Developer for Highmark BlueCross BlueShield I was given a laptop in which I was able to access the company system remotely from any location as long as I had Wi-Fi access. I also would need a key fob with a code that changes every time I click it to enter it in along with my password. If the number was not enter within the 30sec time limit then I would have to click it again and re-do it with the new number. It was a security procedure for the company so I understood why it was there but 30secs to enter it was a little bit much. I was the only one with access to the key fob and I also had to enter my password login which was required to change every 3 months. So it was a lot to remember for steps to logging in to their system remotely. And on top of that if the requirements was not in my user access account then I would not be able to login and would have to wait for the request to go through the chains of approval before I would gain access.

Fred, this is a great point. Despite the obvious importance of security, many of today’s business leaders still view it as a drain on resources. As you mentioned, increasing revenue and cutting costs is their focus, and this can lead to poor security decisions that may cost them more in the long run. Security is the responsibility of everyone within the organization, not just IT. I feel that, unfortunately, many organizations must learn this the hard way (through data breaches or other harmful incidents), before they make changes.

Q1. Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain.

No I think that most businesses understand the importance of security both for an entire network and within specific programs like SAP. Each comes with its own set of vulnerabilities and relying too much on the protocols of one leaves the other at great risk. If administrators relied solely on the security of SAP, it could open the network to attackers, which could cause serious harm to the organization in a variety of ways.

Q2. What is the relevance of only being able to have on posting period open at a time for real time postings? What does this prevent from happening?

Having only one posting period open at a time helps prevent things being posted to the wrong period. This is sometimes done fraudulently, by shifting revenues or expenses to manipulate records. But it can also be a case of human error, someone manually entering the wrong period by mistake.

Q4. You’ve used various computer systems in your lifetime, career. System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc. Have you seen these problems in your experience? Explain.

Like many others, I think one of the most “cumbersome” security process that I’ve experienced has revolved around passwords. At some of my previous jobs, frequent required password changes have led to unsafe practices for the sake of convenience. One of the most glaring problems was people putting their password on post-it notes by their desk, after giving up on attempting to remember. In addition, many people cycled through passwords, using the same three or four. Again, this made things easier for the individuals, but was definitely not proper protocol.

Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain

I believe business should focus more on the security in programs like SAP. As the programs likes SAP stores and processes all this financial data, which means that you need to control.
Nowadays, many company face the threat from insiders. For example, Wells Fargo’s employee to meet the sale target, opened opened bank and credit card accounts in customers’ names without their authentication. Obviously, the employees exploited the vulnerabilities of its organization program without enough security protocols.

1. Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain

No since businesses use program like SAP to administer most of its daily operations from placing orders, making sales, checking inventory, etc. SAP is such an important tool for a business that there focus should be on it since if it gets compromise then many issues can arise. Attackers can get into their SAP databases and mess up orders which could cost them business. But they also need to focus on other security protocols within their organization or else they leave it vulnerable to an attack. SAP is the database system use but there are desktops that have them install so those must be protected also.

2. What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?

The posting period is for the quarter that the company is in and it separates it from the rest of the year. The advantage is being able to see the results of how the company did at that time and compare it to the other quarters. It also helps to detect fraud if there are anything unusual in one period then the other. For example, seeing revenue for a consistent amount for two quarters and for the next seeing it spike up tremendously with no sales being made. With it being separated it would be easier to detect fraud and investigate.

Priya,

I absolutely agree with you. Just like the PCs, the ERP applications were developed to process data and help companies manage their business processes efficiently. As you rightly pointed out that contexts in which the technology is consumed has increased and so have the tools.

For e.g.: various ERPs have mobile apps that my company had made sure that our sales team had them on their company issued devices. As the convincing increased, so did the exposure to different threats. My company then had to also include some changes in its user-access control policy ensuring timely changes in security protocols of NetSuite ERP.

Hi Binu,

You provided a really good example of some of the frustrations by users in regards to access and password security policies. What would you suggest that they do differently or do you think that the process should remain the same? In your example, I think it would be easier to give them a temporary password that expires in 3-4 months. Once expired, the system admin or the individual granting access can verify and make sure that the accounts are disabled until next busy season. Depending on the type of access management software that the organization uses, the system admin or another individual can reset all the passwords back to default and require a password change upon sign in. This way it doesn’t bog down the process for individuals calling to have their accounts unlocked and it reduces the frustration of the contractors.

Dan,

I believe that the authorization control is the most important one of all. For instance, in the context of principle of least privilege, think about a company where a sales person has access to the HR system data. That sales person doesn’t need that access in order to finish his/her job resulting in violation of the principle of lease privilege. Over-privileged users can be victims of spear-phish or email phish attack and can open an email they are not supposed to, which can put the entire organization at risk.

So, even if you have others controls in place, without a sophisticated authorization control, everything will go in vain. If an attacker/fraudster gets privileges to change or delete data, transactions or download information, this can compromise all the aspects confidentiality, integrity and availability. Thus, I feel that if principle of least privilege is correctly followed for configuring systems, defining permissions for different accounts and really planning the application security, we can certainly take away some of the options that attackers may use against us and hence authorization control becomes the most important control.

Vu,

I can certainly relate to this. In my case, the authorization request sometimes took more than three days. On one hand, I had a pile of customization requests growing and on the other hand, I was waiting to get the authorization.

Hey everyone,

I will throw in my two cents on this subject. As much as people want to bash password complexities, I honestly think that having complex password requirements is not too big of a hassle but that people make it harder than it has to be. Half the case is remembering passwords, and if you create the password to be memorable than it isn’t a problem. For myself, I have always been a big proponent of the acronym style. For example. A phrase that I can remember is that “I am a student in the ITACS program”. I then take this phrase and put it into a password by taking the first letter of each word in the sentence. Therefore my password can become something like this; IAAsitip16. This password will likely meet complexity requirements and after 7-8 times entering the password I can normally enter it pretty quick. Likewise, this makes it harder to pinpoint the password in cases where the passwords are not encrypted.

1. Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain

I don’t think business rely too much on administrators to configure the security protocols in programs like SAP. I think business should focus on security in the entire network. Computer networks have grown rapidly. If business do not take network security seriously, there could be major consequences, such as loss of privacy, theft of information, and even legal liability. One of the reason why network security is important is because it protect company’s assets, which are hardware and software. If the entire network is not secured, then it’s no point for business rely on administrators to configure the security protocols in programs like SAP because these software program could be easily attacked.

There are four goals of network security that all business should have:
1. Integrity: The assurance that the information is trustworthy and accurate.
2. Confidentiality: Ensuring that only authorized individuals have access to the resources being exchanged.
3. Availability: Guaranteeing the information system’s proper operation.
4. Authentication: Ensuring that only authorized individuals have access to the resources.

What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?

The relevance of only being able to have one posting period open at a time is because typically these postings happen in a calendar month requiring only one posting open at that time. This is important because it helps to prevent fraud from occurring and it assists in prohibiting unauthorized individuals from having access to other posting periods. Typically, changes will require postings during the end of year closing which is a great way to reduce the risk of fraud.

Jianhui,

Wells Fargo is a great example of of what happens when security protocols are not effectively in place. This lack of security was carried out for for too long even though high level management “believed” they had a handled on the situation. When situations like these are left unchecked and not handled promptly, it only creates more of a snow ball effect which never ends well for the reputation of senior level management and the company as a whole.

Consider the list of financial and accounting controls. Rank them. Which to you believe is the most important, the least. Why?

Considering the list of financial and accounting controls, I believe one of the most important controls is authorization control.

Authorization controls are important from a financial standpoint because it is a proactive measure that prevents invalid transactions from happening. Documenting authorization creates responsibility and accountability which help to clearly identify what individuals have authority to initiate, submit, reconcile, view and approve certain transactions. In case anything goes wrong, this is important control to have in place.

2. What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?

You can open as many posting period as you want in SAP. Generally, for business only the current posting period is kept open for a fiscal year to enter transactions related to that period. The relevance of only being able to have one posting period open at a time for real time postings is to prevent entries being recorded at wrong period. For example, if the expenses or revenue are posted at a wrong posting period, then it will affect the company’s financial statements, which will provide management and investors inaccurate financial information to make decisions based on the company’s performance. Also, it prevent fraudulent activities from happening, it prohibited authorized users to have access to make any changes in other periods. Adjusting entries should be recorded at the end of an accounting period to alter the ending balances in various general ledger accounts. These adjustments are made to more closely align the reported results and financial position of a business.

1. Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain

In my point of view, it depends on the specific scenario. Indeed, the security of entire network of the organization is very important, however, to improve the secure level of entire network, huge amount of investment in IT infrastructure like firewall and other hardware is required. If the company is a major public company with valuable information assets, of course, the security of entire network is very important to prevent the information assets damaged by cyber-attacks. However, if it’s a small company or new starting business, huge investment in entire network may negatively affect the financial statements of the company. In this scenario, focus on securing the key programs like SAP can maximize the protecting of the information assets of the new start company with minimized cost.

3. Consider the list of financial and accounting controls. Rank them. Which to you believe is the most important, the least. Why?

Financial and accounting controls are listed as follow:

1. Segregation of duties: Splitting responsibilities for bookkeeping, deposits, reporting and auditing to different person or departments to avoid one single employee handles all key accounting processes.

2. Access Authority: Only authorized users are allowed to access to the systems. The access controls usually involve setting passwords, lockouts and electronic access logs.

3. Approval Authority: Large payments or other sensitive financial actions are required approval from management level.

4. Physical Auditing: To mitigate the risk of potential fraud, physical audits like checking the inventory, materials, and tools are required.

The most important control is the segregation of duties. Because if all key accounting procedures are responded by only one person without others’ supervision, if the accounting fraud occurred, management may not find out, and damage the assets of the company. The physical control also important, but compare with other controls, it’s less important because the physical auditing is a secondary control to ensure the assets’ security even after the primary controls failed.

4. You’ve used various computer systems in your lifetime, carreer. System security is complex and often maligned as cumbersome, difficult, beurocratic, etc. Have you seen these problems in your experience? Explain

Password is one of the major system security concern that we all have, no matter it is for work, school, or personal. As students, Temple request us to change our passwords every six month. For security purposes, the password cannot be reused in the previous terms, it must have eight characters with at least a capitalized letters and numbers. Oftentimes, we cannot remember our password so we had to write down somewhere, which it is not a good way do it.

In the company I work for, we have a common password to log in our computers. My work rely heavily on email and CRM, each of the employee has his or her own account and passwords. I have seen my co-workers posted their log in information on sticky notes and posted on the laptop screen. Because we are a CPA Accounting firm so we have lots of client’s sensitive information such as SSN, bank information, their log in information to the government sites, etc. Therefore, to secure passwords are very important. This year we started using a password management service called LastPass, which stores encrypted passwords in private accounts. It’s very convenient and secure to manage the all the passwords we have for different accounts. You only have to remember one master password for LastPass account and the rest of your passwords are locked up in your LastPass vault. Nothing is 100% secure, however I think LastPass is more secure than record all the password accounts in excel sheet or write them down somewhere.

2. What is the relevance of only being able to have one posting period open at a time for real time postings?  What does this prevent from happening?
Each company can decide how many posting periods they want to keep open at a time. However, most companies chose to keep one open at a time so that account postings are posted to the correct month and there is less chance of error or fraud. Once a period is closed changes are generally not made therefore there are controls set in place to ensure that the full and correct data are inputted at the right time (before the posting period for those transactions close).

What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?

Posting periods are defined in fiscal year, it will allow you to post and make changes in the documents only in a specific period in a company, usually the current posting period is open and all other periods are closed, at the end of a period, it will be closed and the next period is opened. This kind of control prevents documents from being posted to a wrong posting period.

4. You’ve used various computer systems in your lifetime, career.  System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc.  Have you seen these problems in your experience?   Explain
The most cumbersome experience I’ve had at both school and all of my jobs were changing my passwords frequently and not allowing me to reuse previous passwords and forcing me to make them complex. This is definitely needed for security systems however it is an annoyance. This is definitely hard especially when you are not supposed to store your password or write it down so it makes it hard.

1. Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network?  Explain
No, I think a lot of businesses do rely on the configurations of security protocols but those can get compromised so they have realistic measures or proactive staff who continually check for other threats. Being proactive and having security protocols definitely gives businesses full security on their systems. For example in my company the directors and managers a long with IT personnel ensure that the system has manual checks and protocol so we do not lose revenue.

2. What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?

You define posting periods in your fiscal year variants. You can open and close these posting periods for posting. As many periods as you require can be open for posting simultaneously.
Usually, For example, when u post a transaction for a particular month,eg- June
than the posting period is open for June only, and the past and the future periods are closed, in likewise when june will end up, than the system will automatically open
posting period for July and June will be closed. In this way it function.

Firstly, it can prevent some human error, as the closed period would not allowed to enter.
Secondly, it can help company compliance with regulation, as SOX shows company should be responsible for the information they report.

Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain.

In my experience most of the security efforts have been very much an across the board effort. In order to truly enhance your security posture it would be wise to look at the environment holistically from each layer and in order to do that you would need to put just as much emphasis on the individual application security protocols/controls as you would to the rest of the network.

What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?

They only allow to have one posting period open at a time for real time postings in order to prevent fraud and eliminate false reporting. As we know financial statements need to be audited for compliance purposes. This prevents people from going back to closed periods and adjusting the numbers which would be tempting to do for a number of reasons, specifically the fraud and reporting issues stated above.

Consider the list of financial and accounting controls. Rank them. Which to you believe is the most important, the least. Why?

1.Access Controls
2. Documentation
3. Segregation of Duties –
4. Approval Authority
5. Physical Audits
6. Trial Balances

Ultimately access control would be the most important from my perspective because it is the first line of defense in protecting the confidentiality and integrity of the sensitive accounting information. In a close second I put segregation of duties. These 2 controls go hand in hand with the ultimate goal of protecting very sensitive data by only giving people access to the information that need it to perform job functions but also to eliminate the opportunity element that occur in cases of fraud.

You’ve used various computer systems in your lifetime, career. System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc. Have you seen these problems in your experience? Explain.

In my most recent experience most applications I’ve had to use for work were web applications and the security actually wasn’t too overbearing from what I can recall. The biggest challenge for me was getting access to the numerous systems that were available. We were a growth by acquisition company so the portfolio expanded by acquiring a completely new company and bringing their systems along with for the administration of the tools. Once I had access though from my memory it was pretty smooth sailing. The most painful part of the process was gaining access approval and waiting for the necessary approvals to go through. I have a feeling I may be in the minority in this question though haha.

3. Consider the list of financial and accounting controls. Rank them. Which to you believe is the most important, the least. Why?

I have found seven accounting and financial control procedures after Google research. Below are the list of the seven controls, I would rank them from most important to the least important.

1. Access Controls
2. Separation of Duties
3. Reconciliations
4. Documentation
5. Trial Balance
6. Approval Authority
7. Physical Audits

I believe access controls is the most important one out of seven control procedures. This control limits users who can have access within an accounting system. It’s a preventive control that mitigate the risk of fraudulent activities. Separation of duties is also important because an organization must splitting responsibilities among employees to reduce the chance of committing fraudulent acts. For example, someone who responsible for invoicing should not be the same as person who collecting the payment. The least important control is physical audits, it’s a detective control. Physical counts of money or inventory can be very time consuming, I think it will work more effect for smaller companies. In my opinion, it’s essential to have preventive controls taking place because it always good try to prevent somethings bad from happening.

Source: http://smallbusiness.chron.com/seven-internal-control-procedures-accounting-76070.html

Absolutely, it’s important for companies to compliance with regulation. You are right that to have one posting period open at a time for real time postings reduce human error from recording to a different posing period. In addition, it prevent fraudulent activities from happening, it prohibited authorized users to have access to make any changes in other periods.

Just to add in, it also limited user to make changes from other posting period to prevent them committing fraudulent acts.

2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain

I think the IT personnel should understand basic finance and accounting principles. More importantly, I think IT personnel should be properly trained to understand the areas of finance and accounting where fraud is most likely to occur. By training the IT personnel to properly identify where fraud is likely to occur when it comes to money, those personnel are an added “set of eyes” on process functions that are handled with and by technology. Being trained, they are more likely to develop a control and risk awareness mentality and they can leverage their expertise in a system or process handled by their software/hardware, and make recommendations on where, when, and how fraud can take place in a business function or process. If those personnel do not understand basic accounting and finance tenets, they can develop and implement a process function that easily allows fraud to take place.

3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.

Taxes might be handled differently. The US has a sales tax, but isn’t applicable in every state, nor with every customer. When I was in the US Navy and had to make a government purchase from a local vendor the purchase was a tax-free purchase. Many other countries have many different types of taxes, and they can e calculated very differently. Controls may have to be implemented to have separate personnel who enter tax information and calculations in an ERP manually.

The billing/invoice process may be different international when compared to domestic policy in the US. Domestic policy allows the issue of an invoice at each individual purchase made, or at the end of a billing cycle (i.e cellphone, electricity, water, etc.). Nations outside the US may have specific regulations in place regarding billing and invoice issue. A country may have a policy that no charge can be placed until an actual transfer of goods/services occurs, so the ERP system would have to implement a control to make sure the invoice is not issued until the order is fulfilled completely.

Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.

Accounting and financial reports differ from one country to another. When doing business domestically the company must implement controls that will comply with GAAP and SEC rules. However, when doing business an international level, the company must follow the accounting rule of the host country. For example, some countries have a VAT (value added tax) which is a tax on the amount by which the value of an article has been increased at each stage of its production or distribution. In this specific case the company would have to implement controls to avoid frauds.

As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn?

I think IT personnel should have a certain understanding of finance and accounting. In fact, the IT personnel should have the minimum knowledge of accounting rules. Even though, numbers don’t lie, it is easy to play with them and commit fraud. The IT personnel should be able to identify accounting discrepancies. In fact, having a finance/accounting background plus his/her IT skills will allow him/her to see irregularities in the system.

1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?

If I were responsible for the Finance/ Accounting controls for the company I worked for, I would manage the risk coming from the non-financial functions jobs by tightening our Finance/ Accounting controls. I would make sure the controls that I had in place were properly secure in the realm of our duties. I would make sure that no other non-financial functions were able to access our Material Master Information Data or any data that was not already provided to them already based on their departments function. If non-financial functions needed any information in regards to the P2P or the OTC process they would need to go through my Department to get the data need and from there we would properly distribute the data information if needed and document the information that was given and to whom it was given to. I wouldn’t be able to directly implement controls to the non-financial function job sectors, but I indeed would be able to make sure our controls are safely in place to protect the integrity, confidentially and accessibility within our department by securing our environment but as well as our customers general data.

Not only that, I’m a firm believer of providing education throughout the whole department. I would have suggested classes or informative discussions or work with management within each department and explain the risk that each department has on other departments. With today’s every increasing knowledge of technology each department as well as IT needs to be familiar with the associated risk involved throughout the processes of the business realm.

2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
As stated in my response to question 1, I think learning is key and detrimental to a company’s growth and maintains stake within the market. I think finance and accounting knowledge should be at a basic understanding knowledge in retrospect to the environment they are working for ie. IT personnel. The IT personnel supporting a business’s application should indeed have a general understanding/ concept of what is the process and function of that application they are supporting in regards to the business function itself. The general bases behind my response is if the IT personnel does not have the foundation of finance/ accounting while supporting an application they might not fully understand what realm of the application should not be intersecting or the severity of the databases integrity and confidentially. If they have this basic understand they will not only be able to strength the systems application but also be able to tailor their support/ maintenance to certain facets that might need more than others. Overall, by providing the general understanding, in terms of working knowledge to the IT personnel would allow them to execute their job more efficiently as well as produce a sufficient/efficient support to the application process for the users.

4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security to know about how the ERP system works? What is one (1) specific thing they should know?
I think it is necessary for people responsible general IT controls related to Network workstation, Server and database security to know about how the ERP system functions. I guess the basic idea of the workflow and the processes, risk associated and controls that need to be applied to each business function can help them design the audit controls better.
Additionally, in ERP like SAP includes environment security components like network security, workstation security, OS and database security. SAP provides security to network defining who can access the applications or the servers. It also offers recommendation to network topologies which includes the SAP Web dispatcher and SAProuter to protect the local network. The use of an SAP Web dispatcher can conceal the host name and the ports of the application server. SAP Security team will have to closely work with the IT team to develop and control security measures for the organization.

As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain

Financial management is a crucial aspect of any thriving business. Profit maximization, or stockholder wealth maximization, are two real concerns for any organization – and they depend on solid financial decisions. To make good decisions, management needs good information. And that information comes from the accounting system.
From the accounting system come the financial statements. These statements contain important information about the organization’s operating results. This information is important for effective management, and financial control. As a manager, or any other person with financial responsibility, you have to be able to interpret this information yourself.
Businesses record their performance in standard formats called financial statements. The most common of these are: Balance Sheet (also known as a Statement of Financial Position, or a Statement of Financial Condition)；Income Statement (Statement of Profit and Loss, Statement of Earnings, Statement of Operations)；Cash Flow Statement.

How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?

Network Security Task Force consulted with IT security professionals on campus about concerns with the current state of security in ERP systems. From these conversations, it was clear that security issues generally fell into one of two areas:

It has become extremely difficult to understand how to securely configure an ERP system and the myriad of products purchased to integrate with it—products like report generators, data warehouses, learning management systems, imaging systems, portals, and others.

The overhead of managing access and authorization roles—for both the ERP and third-party software integrated with the ERP—is huge. Institutions said they had backed off from using role-based security because the overhead of managing it was just too high. For example, rather than setting up fine-grained role access so that only biology faculty can see the records of biology majors, an institution might set up one role called “faculty” and allow all faculty to see the records of all students, thus increasing the opportunity for data misuse and violations of data privacy.
Resource： http://er.educause.edu/articles/2007/11/a-security-checklist-for-erp-implementations

2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain

An IT personnel who is supporting business application should have a general understanding of finance and accounting concepts. Though in real time I don’t think it is necessary to support business applications but it helps him understand the vulnerabilities that exist in the program and develop means to correct it. If he/she doesn’t know what to protect from, it is difficult to formulate security controls for the application. Having a knowledge on the threats that each process may face gives the IT personnel enough leverage in supporting and protecting the application from data theft or fraud.

2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain

The same way accounting and finance people need to have basic computer skills, the same way IT personnel need to have basic knowledge in the two field. In fact, accounting/finance and technology job skills can go hand in hand. The use of a number of finance-specific software programs is increasing nowadays. In order to develop or implement proper business applications to respond to the need of the accounting and finance department, IT personnel need to know the basic of finance and accounting including, reading financial statement, and making sense of different accounting accounts. For instance, if a company wants to make their accounting process easy by utilizing a computer program or other system that will perform payroll and other functions, IT personnel need to be able to know the different accounting processes in order to create efficient system, including accounting software that would make it easier to compile financial data.

1. Controls are important to financial and accounting processes.  What would be different in the controls of a purely domestic US company vs. an international company?  Give 1 – 2 specific examples.

Before entering into an international supply agreement, companies should ensure that they are aware of all international regulations that might affect the purchase, including export compliance in the foreign market and import controls in the domestic market. 

In fact, international company need to have some form of foreign exchange control, which means that exporters must provide proof that they will be paid by the importer before they will be permitted to export valuable products.
Domestically, import controls safeguard U.S. importers from the imposition of monetary fines and penalties.

1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
If I were responsible for finance or accounting controls for my company, I would manage the risks coming from these non-financial function jobs by building more secured finance or accounting controls. First, I would build a secured finance or accounting department control to ensure that the controls are fully functional for this department and make its environment secure. Second, I would build an access control for finance or accounting people or non-finance or accounting people. Finance or accounting people have limited accesses based on their positions and duties, and I would not authorize access (including physical and digital) for non-finance or accounting people. third, I would recommend to our CIO that we need to train people at least twice a year to increase IT security awareness, so that not only finance/accounting is under control, but others will all be beneficial.

2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
IT personnel supporting business applications should know and learn the basic accounting or finance knowledge, for example, basic balance sheet, income statement, cash flow statement, which one is asset, liability, or equity, plus which one is debit or credit. These basic terms are really important for all persons within an organization because people see them frequently. IT people should know these basics because they will increase the efficiency of work supporting business application.

Exactly, I agree with you. Companies operating in emerging markets face heightened corruption risks, increased oversight, and the need to comply with an increasing number of anti-corruption laws. International company should focus on the compliance control, different countries have different regulations.

4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works?  What is one (1) specific thing they should know?

 IT is driving business growth and it is now part of corporations. One of the main goal of ERP is to facilitate the flow of information so business decisions can be data-driven. ERP software suites are built to collect and organize data from various levels of an organization to provide management with insight into key performance indicators in real time. SAP Is the most commonly used ERP software and people responsible for general I/T controls need to know how it works.

You bring up a good question. I think IT personnel should know some basic and important principles about the business area they are assisting within, but I think more in depth knowledge would probably be with a business analyst or project manager. The BA/PMP’s purpose is to fully understand the business needs for a function or process when it comes to leveraging IT to make it more efficient or possible to my understanding. So I think those personnel would be the type that would have the more granular knowledge in any particular business function or process. What do you think?

Q2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain

I think it is imperative for IT personnel to be aware of the financial/account related terms and concepts, especially if the personnel is supporting business applications. As I am learning more about the SAP ERP system, I would really hope that I had more finance and accounting knowledge in my background. Using the ERP software is not only knowing how to use the software, but utilizing the software to process/manage/maximize the business operations. In order to do so, besides knowing the technology understanding the concepts of how the business is operated in terms of finance/accounting would be crucial., specifically working with A/R, A/P, Payments, etc.

In addition to your points I would like to add one more point. An international company would require a control to manage currency difference which is not required for a domestic US company.
Also an international company would need a control to manage the time zone for each of the country where they have their operations.

Exactly, I agree with you that management needs information to help them make good decisions. With the help of information systems and databases, separate information now is gathered and meaningful, which allows decision makers better understand the business. Developing these information systems and databases require IT personnel have basic understanding in the finance and accounting.

Question 1: As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?

If I’m responsible for Finance/ Accounting controls for my company, the first thing I would do is identifying the risks which coming from the non-Financial function jobs. For example, within the P2P process, shipping process existing the risks to damage or loss the packages. Moreover, both P2P and OTC process exist potential risks that the system may be cyber attacked. To mitigate the risks, effective controls are necessary.

Before implementing specific controls, I will evaluate the damage and frequency of the risks and identify which types of risks they are, and which type of controls can mitigate the risks. Furthermore, from finance and accounting’s perspective, balance the cost and benefit of the controls is very important. If the company is a new start company, may be transfer the risks to a third party like purchasing an insurance is an alternative choice for the decision maker. But if it’s a major public company with valuable information assets, the high level perspective controls like Firewall and antivirus software are necessary.

Question 2: As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain

Generally, IT personnel already have technical skills in cyber areas, but for supporting business applications, they should also learn the basic concepts of finance and accounting so that they can have basic understanding of business. As IT personnel, they might no need to learn too specific knowledge of finance and accounting, but they do need to understand some general ideas.

More importantly, the business is about maximize the benefit of shareholders and maintain the profitability of the company. To achieve this purpose, upper management need to make good decision based on the gathered information. Therefore, it’s very important that IT personnel supporting business applications with the understanding of finance and accounting, because this can better help them developing the IT system to support the managers’ decision making.

Q2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain

Business processes within an ERP system demands a fair knowledge of Finance. For this reason, an IT personnel supporting business application such as ERP and handling processes such as Procurement and Order to cash should have good understanding of finance. Such processes involve handling balance sheets, general ledger and so on. The success of such business application depends on the domain knowledge of the person working on it.
But in case if there is an internal business application such as to manage and support the website of the organization, the IT personnel will not require much knowledge in Finance.

4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security to know about how the ERP system works? What is one (1) specific thing they should know?

I believe that it is very important for the people whose responsibility is to generate the general I/T controls to know how ERP systems work. I think they should at least have that basic understanding and foundation of the ERP functions as whole. By understanding the flow of the process along with integrated applications that collect, store, manage, and interpret data from product planning, manufacturing, service delivery, marketing and sales, inventory management; they would be able to understand the risk associated with the process, as well as see what controls need to be applied within each business functions as they are integrated differently within the application software itself. While creating these controls and understanding the functionality of the software they can cater the controls specific to each realms network to make sure certain controls are in place to prevent access vice versa (i.e. encryption, VPN’S, malware screens, etc.)

3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
The controls will definitely vary based on the company geographical extent
1. Time zone – The timezone that the multinational firm will have to consider will be country specific.Thus the order to cash process will consider the time zone based delivery of orders, contacting the customers for collection. Payment and delivery dates will have to consider the time difference.The controls for shipping, warehousing, returns will vary as multinational firms will have orders crossing borders.
2. Government and Taxes – The billing, invoice generation and calculation will be handled differently, unlike financial management in companies that operate domestically, a multinational company has to deal with country specific government regulations, tariffs and taxes. The government and cultural policies will also direct the payment process.ex.A country may not have cash on delivery option.
3. Exchange Rate Risk – In a multinational firm the cash flows will be denominated in different currencies, and will be affected by the exchange rates that differ based on the prevailing inflation rate in the foreign countries where they operate.
4. Compliance requirements – The standards and compliance requirements may vary country wise.

Brou,

I think the IT personnel should be familiar with every main business function. As you said, the “IT department [use data] to design and implement solutions that can enable the business to operate effectively and efficiently”. How would the IT personnel be able to design and implement solutions if he/she is not familiar with the business function he/she designing the solution for?

I agree with you Deepali. What background knowledge is required depends on the business process the person is handling. I every business will have its own processes and tools, application and transfer of knowledge will be easy if the basics are clear.
ex. It will be easy for a recently hired project manager who to handle FICO if he was performing the same duties in his earlier organization. But the difficult part is to understand the processes of the new company, Transactions will be same but processes might vary.

Nice post Priya. Great point about the different currencies in different countries. The exchange rates vary daily and poses a great deal of understanding to have controls around it.

The government laws are different, cultural differences, the import/export policies all needs to be considered and so it becomes important to understand the business environment in these geographical locations and have good controls to protect the organization from risks.

As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain

An IT professional should at least have a basic understanding of business applications in additional IT specific to their job. Information systems are there to support the business functions, so it is important to understand what the functions and processes are. While technical knowledge is crucial, a lack of understand about the business functions can severely hinder a IT professionals effectiveness. Business knowledge can enable an IT professional to know where to look for fraud, understand the information system configuration and controls, and troubleshoot issues. If there fraud is suspected, then a basic understanding of accounting, finance and the business operations are crucial to know where to look and what to look for. For example, how to reconcile accounts to see if they match, what accounting terms mean or even why specific controls are needed. An IT professional should be able to understand financial statements and accounting entries at a high level, otherwise the data in the ERP may not make sense.

1 Having seen the P2P and O2C processes and their areas susceptible to failure and risks, it is evident that the success of the ERP system greatly depends on users performing different tasks throughout the process. It is possible that non-financial personnel involved with the ERP systems post to accounting records which could be incorrect for a variety of reasons. If I were responsible for Finance / Accounting controls, I would ensure that the following controls are put in place to ensure minimal instances of incorrect accounting information being posted :
• Involving Senior management and line management of non-financial employees and getting their buy-in so that they would implement the necessary steps to minimize incorrect accounting. In cases of failure, management would be required to revert with the action plan to rectify the issue and prevent future misses
• Effective communication with the non-financial employees
• Awareness and informative trainings imparted to inculcate an attitude of alertness towards the accuracy of information being entered
• Posters being displayed as reminders to enter accurate data
• Ensure that each instance of inaccurate data is recorded and have a 3 strike rule in place so if an employee has entered incorrect information more than twice, he or she is required to take a refresher training. Also, root cause analysis could be done to identify if there are any gaps in the trainings which the employee had taken earlier.

Think one of the larger risks for a US based company that operates internationally is the Foreign Corrupt Practices Act (FCPA). It is broadly worded which makes controls harder to define. Especially for emerging markets, as noted above, face systemic corruption. In fact, it may be considered the cost of doing business in a particular country to bribe, which would violate FCPA. Strong controls would be essential in this example to avoid regulatory issues.

Great post, Priya. Time zone reminded me one of the SAP assignment questions. We had to control the time zone within the US since the business dealt with domestic customers. As you mentioned above, based on the geographical extents setting time zone controls will vary. If you wanted to do your business in Asia, you would need to add their calendar into your ERP system so that the delivery days wouldn’t conflict with Asian-specific holidays.

1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?

As a person responsible for Finance/Accounting controls for a company, I would recognize that controls revolving around non-financial function jobs are just as important as those controls involved in the accounting process. As we have discussed before, segregation of duties is one of the controls usually implemented around the finance/accounting processes. One could argue that in today’s world with technology doing almost all of the recording and reporting of financials, segregation of duties is created by access management from the non-financial function teams. Therefore, there is a risk that these segregation of duties are not properly segregated. One way to manage the risk is to perform some type of monthly or quarterly user access review by each department in the Finance/Accounting process. IT can provide a report to the department heads which identifies who has access to what in respect to each department, and that department head reviews and makes any corrections if necessary. If changes are to be made, the IT department makes those access changes as per the department head review. While this is not a preventive control, this will detect any users who might not be appropriate for certain access and help the finance/accounting teams verify that segregation of duties is kept.

2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain

I think it is important for IT personnel to that the skill or knowledge in understanding finance and accounting knowledge. While it is not entirely their responsibility, IT’s function is to support the business objectives and the more that IT personnel understand about the business processes, the better off they can support those objectives. Going off of my Question 1 answer, IT plays a big role in segregation of duties. While a finance or accounting process member might know that a person creating an invoice shouldn’t be the one to receive it, a member of IT might not. I suggested that a monthly/quarterly user access review could be implemented to review the users who have access to that departments functions. This would be considered a corrective control since it detects any wrong users and goes about correcting it. However, if IT had knowledge of accounting/finance functions and which to properly segregate, I would consider it a preventative measure because IT can identify users who possibly shouldn’t have access to a system and possibly double check with a supervisor to make sure access is appropriate. I think overall, if IT personnel have more business knowledge, it makes them more well-rounded and able to understand better the business functions that they are supporting.

3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.

First off, the quantity and effectiveness of controls depends on the type of regulations put in place on certain companies. I know in the United States, the SEC requires that publicly traded companies must have their financial statements audited and the controls around those financial statements must be audited as well. Therefore, even in the United States you might see large publicly traded company have more controls in place to the financial and accounting processes than a large private company. So from a high level view, I think there would be a difference in the number and quality of controls depending on the regulations of international companies. With that being said, the one major control difference would be the way taxes are recorded and paid. Depending on the country, sales tax could or could not be a regulation, which means that some companies would need to include in their business processes to charge sales tax to the customer if sales tax is implemented. For those countries that do not have sales taxes, then no control needs to be implemented that has a customer pay.

4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?

I think that knowing about ERP systems is a very good skill to have as a person responsible for general IT controls, however, I do not feel that they need to be an expert in the area. IT General Controls consist of controls that affect all of the components within an IT environment, from the hardware to the software to the data. The most common IT General Controls (ITGCs) are access management controls, program change management controls, and lastly system and data backup controls. Since ERP’s play a big role in transferring and recording information from all areas of the IT environment, it is beneficial that the individual has a solid knowledge of the system and how they can go about controlling it. However, since ITGCs are controls in place that protect the entire IT environment, it is not crucial that the person responsible understand the nuances of the ERP. The one specific thing they should know is the entry and end point of the data to and from databases. This allows them to understand how the data flows in and out of the ERP system, which arguably from an accounting and finance perspective is the most important aspect.

Nice post Joshua. If we talk about applying controls and troubleshooting the issues, it is good to have a basic understanding of accounting so as to select and apply the most appropriate controls.
It is always said that an IT auditor should first understand the organizational culture in order to facilitate a successful audit. Understanding the applications such as SAP being used by organization to manage their financial data is a part of understanding their culture. So if the auditor will have the basic understanding of finance and accounting it will be easy for him to understand the audit requirement and perform a successful audit. In this way it is important for an IT professional working on a business which is linked to finance and accounting to have a basic understanding of the domain.

4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security to know about how the ERP system works? What is one (1) specific thing they should know?

It is important for people responsible for general I/T Controls to know about how ERP systems works so that:
a. They can manage the user login information
b. To manage the access rights for the users of the ERP system
c. Log management and analysis of the ERP System
d. Plan BCP/DR to ensure the availability of the ERP system
e. Manage upgrades to the ERP system
f. Validating user identity prior to granting access to system resources or data

One specific thing they should know is how the security of the data which is being entered and stored in the database is maintained. They should ensure strong cryptography of the data so as to keep it in an encrypted form because the success of such tools depends on how well the data is managed.

I agree with you completely, Deepali. In addition, the people responsible for general IT controls for an ERP system should know how the system works so that they are aware of the data on the system, it’s criticality and how their work can affect the outcome and availability of the information in the ERP system.

Q1. As we’ve seen in the P2P and OTC processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance/Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?

If I am responsible for Finance/Accounting controls, the best way I can manage risks from areas outside of my job function is to be sure the controls I have put into place are strong. For example, establishing a defined segregation of duties for different parts of the processes can reduce the opportunity for fraud. In addition, ensuring that financial/accounting information is not available to those who do not need access to it, reduces the risk of data misuse or manipulation.

Q2. As we continue to learn about business processes and ERP systems we often discuss financial or account relate terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain.

I believe that IT personnel should have knowledge of basic financial/accounting principles, at least. The more knowledge an individual has regarding standard finance and accounting practices, the easier it can be for them to notice anomalies that could be the a sign of mistakes or fraudulent activities. In addition, having the knowledge of both finance/accounting and IT can enable personnel to develop the most effective controls.

Q3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1-s specific examples.

One risk that a company would face if operating internationally, versus purely domestic, is that of culture. For example, we discussed earlier in the semester the importance of marking holidays and understanding how they can affect business. Every country a business operates in has its own set of holidays and days of observance. An international company must be sure that these different holidays are all in the system, so it can be sure that is knows if there will be delays in completing a process.

Q4. How important is it for people responsible for general IT controls (e.g. network, workstation, Server and database security) to know about how the ERP system works? What is one specific thing they should know?

People responsible for general IT controls should have working knowledge of how the ERP system works, since there are some areas of it that can fall under their job function, including upgrade/patch management, BCP/DR, and security configurations. General IT personnel should understand how the ERP system fits into the company’s IT environment and what other applications in that environment it is integrated with.

Hi Laly,

I would consider myself a firm believer of cross training employee’s throughout an organization as well. My reason for believing this is that the more an organization’s employees understand the different processes of the business, the better they can work and collaborate with other members of the business. With that being said, I do think there are checks and balances. Should we train a salesperson in detail how to receive and enter payments into the system? I would say no. However, should a salesperson understand who is responsible for receiving payments and possibly understand how the data flows. I would say yes to that. What do you think? Could there be some risk for too much cross training?

As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain.

As IT personnel who are using ERP systems to support business processes, it’s necessary to gain knowledge about where risks exist, and where fraud likely happens in each business process when it comes to finance and accounting, especially the process within their province. By knowing that, they can help control those risks and prevent potential fraud from IT perspective. Basic knowledge about data flow and its finance or accounting implication is also important for IT personnel to correctly implement application controls, for example, field check, reasonableness check, limit check, to control over the accuracy and quality of data in finance and accounting process. Besides, different jobs put different demands, for example, checking the accuracy of the account determination requires a good basic understanding of accounting and knowledge of the relevant chart of accounts, while calculating taxes ask for comprehending related policies and methods of calculation.

As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?

If I were responsible for Finance / Accounting controls, Segregation of Duties (SoD) is an integral part to cope with the risks coming from non-financial function jobs. Through reasonable Segregation of Duties, each position has a job description to clear its province. Accordingly, for those non-financial personnel who involved with ERP systems to perform finance or accounting related processes, Finance / Accounting department could empower them necessary financial knowledge by targeted training, workshop, etc, make sure those personnel are well-trained is important as well. Besides, once those non-financial personnel come to involve with finance or accounting related business processes, they should be adequately informed the vulnerabilities they represent to the Finance or Accounting department, so as to raise their awareness of security to mitigate risks may come from them.

As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?

The accounting records are the assertions made by the company to the owners of the company. The numbers used to make these assertions are generated based on the values of the company assets, minus the liabilities, which represents the owners value.

To protect the integrity of the accounting records from fraud outside of the finance / accounting department, I would look at the assets involving outside departments and develop duel level authentication for each transaction.

Example:

Cash & Payments – Never let anyone, not even owners receive or disburse cash / payments. All payments made or received will go through the finance department.

Accounts Receivable / Payable – All orders / suppliers will be approved by Finance Department

Inventory, equipment, and other tangibles – Will double check counts to verify value

Owners’ Equity – Owners will not have access to any part of the business records. A separate account will be created for dividend payments and profit sharing.

As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain

It is important for IT personnel to know and understand supporting business applications to remain valuable to the company. It may be horrible to think about but many companies will place a value on the employee. Understanding the business and how business applications function will enable the IT personnel to explain how IT is aligned with the business.

That being said, I certainly wouldn’t want the IT staff to know bank accounts or other sensitive proprietary finance and accounting information. But, as long as the proper controls are implemented, a knowledgeable IT staff will only increase the value of the organization.

Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.

1. The currency exchange would impact a purely domestic US company vs. an international company. The value of foreign money impacts the financial statements. Holding assets valued in multiple currencies will affect the balance sheet differently than a purely domestic US company

2. The tax rate would impact the balance sheet differently compared to a purely domestic US company. The government of the international company holds precedence. You have seen many companies merge / acquire companies in other countries to benefit from better corporate tax rates.

How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?

The people responsible for general IT controls should know how the ERP systems works, but shouldn’t have change / modify access to any other business department. Many questions about functionality will be directed to a company’s help desk. The people fielding these tickets should have a general knowledge of the ERP system. An example would be how to print from the ERP system or how to change account information. However, they shouldn’t be changing a user’s account information or modifying material records.

One important thing they should know about the ERP system is the patches and updates provided by the software provider. They should be aware of all updates and provide a safe and secure network environment. They should be up to date on current threats that target the ERP system and make sure the preventative measures are in place.

Fangzhou,

Great point about knowledge of business will help them develop IT systems to support the decision making. It might be difficult to see all of the time but the business decision makers are responsible for increasing the value of the company. This is achieved by generating more revenue or reducing the expenses.

If the IT personnel know this, it will be easier to explain how the IT project will accomplish reducing expenses, generating revenue, or both.

Nice post Fred. I like the way you have given the controls for each issue.

Having an approval process will mitigate the risks caused by single handling of a process. And by verifying the inventory values helps I reducing risks double entry, incompleteness, wrong entries etc.

3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.

Accounting standard: GAAP v.s. IRS
In the United States, the federal securities laws require all US publicly held companies to file reports with the SEC to submit financial statement that are accurate, truthful and complete and prepared according to a set of accounting standard call Generally Accepted Accounting Principles (GAAP). International companies also have to follow different accounting rules and reporting standards based in different countries such as IRS.

Taxes:
Sales tax in the US is a regulation so domestic companies have to include sales tax in their sales, billing and invoice generated. Multinational companies operating in different counties would have follow different regulations in different counties and may or may not have to include sales tax.

2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain

IT personnel should have a clear understanding of finance and accounting since everything is adapting to online databases, everything is stored online. IT personnel must know what accounting records should not be easily to change to prevent fraud from being committed by inside users. They must put security measures in place to prevent things like that from happening. The balance sheet and general ledger should be the main things to know and understand since it effects the whole company. Any changes or discrepancy should be known and the IT personnel must be aware of that. They must be able to have logs of any changes being done so that they can track the person down who made the changes to see if they are able to. Therefore IT personnel supporting the business application must know what is being entered into the databases to understand if there is fraud being committed.

Agreed Fangzhou, it is very important to evaluate the potential risk that can occur first before implementing controls in place to mitigate them. You have to calculate the severity of the risk and check the frequency of the risk. That way you can measure about the importance of what to protect and where to put specific measures in place to prevent that type of risk from happening. You have to make sure that the risk coming from the non-Financial function jobs do not have any affect towards anything that can affect the financial data. If so, there must be measures in place to stop it in its track so that the data does not get infected.

1. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain

I believe the IT personnel supporting business applications should have general understanding of finance and accounting in the process of the business function. Even though it is not their entire / assigned responsibilities, basic accounting / finance knowledge allows them to better serve and support the business objectives from the IT function perspective. It is very important for them to have that knowledge and if they don’t, how would they be able to detect any problems with the IT system / applications. Companies who want their IT personnel to have that specific knowledge to support the business objectives, they should provide training courses to teach them the basic knowledge.

1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?

If I were responsible for Finance / accounting controls for my company, the first control that came to my mind is performing reconciliation of the accounting record more frequently to audit the non-financial business functions with ERP system transactions. That is a detective control which can detect some significant errors and fraud. Second, I would have to make sure that the access to our finance / accounting function in the ERP system is only strictly granted to my department and no other non-financial department is able to access to our functions. It would be a risk of confidentially for us if they had the access to perform our functions in the ERP system. If they needed any information in regards to the procure to pay and order to cash process, they may be granted with temporary access to limited view the data.

Nice point Priya. Compliance requirements should be carefully taken into consideration, for example, you have to comply with the laws of the foreign countries in which company is operating, know about the different methods of calculating taxes from country to country, consider export / import restriction and deal with the customs of different countries. Any violations may bring about horrible results.

As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain

In some cases, IT personnel who support business applications also customize system functionalities according to the need of business processes. In that case, the IT staff who is responsible for the customization will need accounting or finance knowledge to ensure that the business workflow is properly understood to develop a well-designed system. For e.g. Development of Accounting Information Systems (AIS) has five steps: Planning, Analysis, Design, Implementation and Support. Out of these, analysis, design and support require IT personnel to have basic knowledge of accounting to ensure that AIS objectives are met by implementing a robust AIS system and also being able to provide support; the capability to provide system support will certainly be not limited to the IT skills, but also the accounting skills of the IT personnel.

A moderate level of accounting knowledge possessed by the IT personnel can also be a preventative control; an extra layer of protection if in case some of the requirements gathered during requirement analysis phase were missing.

2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts.  How much finance and accounting knowledge should IT personnel supporting business applications know and learn?  Explain
IT personnel need to have some basic accounting experience if they are supporting a firm that has account functions and systems. If they do have it from their education or previous experience the company should provide basic training and then show them key areas in the functions in which fraud is more likely to occur. This way, if the employees are trained through the program within the company and know where the faults may lie or why things are done a certain way. If they do not have on the job or previous experience in those functions it is very likely they will not be able to detect fraud in those applications.

HI Ming,

Good point with the targeted training and workshop, it is very important for those personnel of other non-finance function department to understand the company policy and standard.

I really like the fact that you mentioned it as a preventative control.

Wenlin,

Great post. I would like to add a point about “integration” of different systems. There was a time when organizations were adopting different systems to increase their digital quotient. Now, the trend is to integrate different systems as a whole to increase efficiency in organizations.

Data redundancy reduced, and organizations ended up saving a lot of time. Since, it integrated almost all the systems, it also increased different risks. Meaning, for instance, if there is a text field in a CRM system that is used by your customers to fill forms, if cyber-security control to process forms is absent that is a vulnerability, which doesn’t just expose the CRM, but also the other systems that is integrated with it. There are endless possibilities of attacks on such big systems. So, I think this is why it is important for people who design Network and workstation controls to also understand not just how an ERP system works but also how they are integrated with other systems.

1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
I would manage these risks by putting in place strong controls such as segregation of duties. In which accounting information is only available to the accounting department and people who require it as a necessity to complete their jobs or make decisions. Financial records or accounting information would not be available to non-accounting/financial functions so it can minimize risk of that exposing the company finances. Along with segregation of duties for functions within the non-accounting side would also be quarterly or bi-quarterly audits and checks on the controls to ensure they are doing their jobs and if additional measures need to be taken.

4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works?  What is one (1) specific thing they should know?
It is very important for individuals who are responsible for the general IT controls to know how the ERP system works. 1 specific thing is where vital information is obtained/entered so they know they know that the security on that portion of the server for that application needs to be very tight so no one can access that information.

3. Controls are important to financial and accounting processes.  What would be different in the controls of a purely domestic US company vs. an international company?  Give 1 – 2 specific examples.
A US company would strictly focus on following controls that are put in place for US companies such as SOX and only have to account for taxes through the IRS as well as follow guidelines that are only dealing with domestic companies.
An International company would have to deal with more controls that are put in place by other countries or international trade laws (different taxes and rate exchanges as well as accounting practices).

2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain

I think IT personnel supporting business applications should know basic accounting and finance concepts. Accounting is the language of business, be able to analyze financial statements are important. Just like our assignments, without any accountant background would be difficult for us to get the debit and credit on the general entries correct.

I like that you pointed out about assessing system security with respect to sensitive customer data and segregation of duties. I think SAP has a very sophisticated automated access control and enforced governance to minimize access risk and prevent the events like you mentioned in the posts from happening.

And, to add to your Patch management example, I think the SAP support package does recommends that no user other than the System Administrator should be logged on; and of course no background tasks are running as well.

3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.

In US, we follow GAAP as the accounting standard, while IFRS is the accounting standard used in over 110 countries around the world. GAAP is considered a more “rules based” system of accounting, while IFRS is more “principles based.”
Government regulation and tax rate are also vary by countries. For example, in China, there are no sales tax and property tax. It’s very important do have a basic understanding of that foreign country’s culture and its way of doing business.
In addition, for international company exchange rate can also be hard to take control because it fluctuates.

1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?

I would implement preventive control to make sure that all the employees in my department are well trained on how to secure our information assets. In addition, I would make sure that only the employees in our accounting/finance department have the access to the accounting/finance functions of the ERP system. Segregation of duty is extremely important, we need to make sure that accounting personnel is not the same one who performing the sales. Secondly, I will make sure that detective controls taking place such as reconcile the financial statements to make sure information are correctly entered.

As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain

IT personnel should be some what knowledgable of accounting and finance terminology. Since the functions often have the potential to work together. Having a baseline understanding definitelty helps the relationship run alot smoother. The same thing goes for Accounting/Finance, personnel who should have a good understanding of the IT world.

Fred Zajac – This is a good method. I like how you explained all of the components of the method you think will be best. This seems like a goos practice to help mitgate risk.

Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples

I think the currency exchange rate and tax regulation mattered.
In terms of currencies the currency exchange rate fluctuated timely. Changes in exchange rates between firms’ domestic currencies and the US dollar may influence the measurement of non-US firms’ market values ate two points in time. To investigate whether such changes might confound the measurement of changes in market.
values, we calculate a firm’s market value of equity using a constant exchange rate;
In terms of tax. firms domiciled in countries where in 1993There were relatively few accounting measurement choice restrictions (e.g., Switzerland)were able to implement IAS without violating their domestic-GAAPs. Alternatively,some domestic-GAAPs were quite similar to IAS. Thus, Canadian firms were able to meet the requirements of their domestic-GAAP and IAS by choosing measurement methods that satisfied both sets of standards. Some countries (e.g., France) permitted a firm to use domestic-GAAP in the parent company’s financial statements and IAS in its consolidated statements. Finally, in other countries, accounting standards and tax laws were highly aligned (e.g., Finland, Sweden), and firms typically used footnote reconciliations to meet IAS measurement requirements.

source: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.198.3081&rep=rep1&type=pdf

4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security to know about how the ERP system works? What is one (1) specific thing they should know?

The general I/T people is important to know about how the ERP systems works to implement the effective controls to ensure the credentials, integrity, and availability of the ERP system. As the development of hack technique, the related people should know the latest knowledge about the hack technique to prevent ERP from attacking.

2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain

At a very minimum, the IT personnel supporting these systems should have general knowledge of the processes as a whole. Without these fundamental skills, trying to find areas more likely to have threats of fraudulent activity would be substantially more difficult. Obviously, the more intimate knowledge of finance and accounting the more effective the the personnel would be in identifying fraudulent activity and either stopping it before it happens or putting in controls to prevent it in the future. Ultimately, like all business decisions, I think it would be challenging to find personnel with expertise in these areas as well as have the necessary IT knowledge to be masters at both. Like all business decisions, you have to weigh the pros and cons of each and find a good balance.

Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.

2 controls type that would differ from a domestic only business to an international business would be taxes and legal. As we all know, in the US alone tax measures have to be accounted for on a state to state basis as do legal requirements. For tax and legal purposes you would need to adhere to the host country that the specific transaction would apply to.

As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?

Segregation of Duties would be the number 1 rule I would apply in these highly sensitive departments. In addition to SOD controls I would also follow the principle of least amount of privilege necessary to complete their job function. It is critical to keep certain key processes like issuing POs and processing payments to separate individuals to mitigate the opportunity for fraud in these groups.

How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?

People responsible for general IT controls should have an intimate knowledge of how the ERP system works and what additional applications that it is integrated with. In order to be effective in implementing controls and identifying risks in the existing security posture they should be aware of what internal controls are built in and active in the SAP system to give an accurate risk assessment and to know where to direct limited resources.

https://www.dropbox.com/s/m10gscv6283lxi2/Toshiba%20Contol%20Failure1%20-%20Copy.pptx?dl=0

https://www.dropbox.com/s/k8qw56pwyvvig2x/Real%20World%20Control%20Failure.pptx?dl=0

2. Who in an organization should care more about the collections process – Finance or Sales? Explain

Finance should care more about the collections process. The ability of a business to continue operations is its ability to generate revenue, but more importantly to generate profits and positive income out of that revenue. Finance should be the portion of the organization that develops credit, discount, and tiered pricing policies based upon projected profit margins, and those margins’ ability to keep the business profitable. Since Finance should be setting policy such as that, Finance should be the portion concerned with ensuring the collection of accounts receivable because if terms are too lenient and revenues are not being collected timely enough the Finance department will have to be ready to draw on lines of credit to stay in operation, increase liquidity in other ways, and/or draw down spending to stem cash outflows. The Finance department should also be concerned with collections so as to use the data generated to adjust policies regarding credit extension, payment terms, and tiered pricing/discounts to generate faster collection of accounts receivable.

4. You’ve now seen the entire Order to Cash (OTC) Process. If you were responsible for the controls of this process – what would keep you up at night (e.g. be your area of most concern)? Explain

After going through the OTC process, I would be concerned about the consumer record and the purchase order record. I think separating those two responsibilities is key to prevent fraud in the process. If the same individuals have the ability to create and approve a consumer, and then create purchase orders for those customers, then supplies could be sent to fraudulent customers with no funds ever returning to close the accounts receivables for those orders. This, depending on the value of the product(s) being sold, could bleed a company out over a long or short period of time. I would be worried that even with a strong Separation of Duties controls policy in place in a business that collusion between employees could still be a risk. I would try and geographically separate those personnel as well to mitigate the risk of collusion as well.

1.Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and How

I would attack the Warehouse Operations; the reasoning behind this attack would be based on targeting the supply chain. The supply chain handles, distributes, manufactures and processes the goods in order to deliver the products to the final costumer. This is a major factor within the OTC Process and with the supply chain being a complex network of interconnected players governed by many make them an easier target. As an attacker I would monitor the supply chain process within the OTC Process and see what process is the weakest. Once finding the vulnerability I would create a cyber-attack/ breech and gain access to their customers’ accounts.

Supply chain attacks are very relevant with today’s ever growing technology advancements. Supply chains possess complex characteristics that make them very difficult to protect and provide the attacker with an advantage.

2. Who in an organization should care more about the collections process – Finance or Sales? Explain

The Finance organization should care more about the collections process. The collection process entails many invoices and usually those being overdue invoices. Within this process the Finance Dept. has the ability to resolve payment issues and generate revenue. The main focal point of the Finance organization is dealing with the revenue of the business by making improvement of the operations by measuring and reporting regularly on key numbers crucial to the success of the organization. The Finance should care more about the collections process sine they are the organization within the business that develops discounts, prices, polices and credits; they are in charge of making sure the business is hitting their projected profit margins and overall profitability of the organization. The collection process should in fact be huge concern to the Finance Dept. due to ensuring their accounts are up-to-date, paid, collected (Ex: accounts receivable).

4.You’ve now seen the entire Order to Cash (OTC) Process. If you were responsible for the controls of this process – what would keep you up at night (e.g. be your area of most concern)? Explain

Upon learning the entire Order to Cash (OTC) Process, the part of the process that concerns me the most is segregation of duties. Within the OTC Process fraud could occur and that fraud being someone inappropriately creating/ changing sales documents and eventually, generating corresponding billing documents. That is a really concerning aspect within the OTC Process; someone would be able to physically take from a company throughout the life-span of their career and overall, hurt the company undetected. Segregation of duties is a huge aspect within the OTC Process and that risk would most definitely be a major concern of mine.

4. You’ve now seen the entire Order to Cash (OTC) Process. If you were responsible for the controls of this process – what would keep you up at night (e.g. be your area of most concern)? Explain

I’d be worried about the billing area because increasing cash flow is imperative to not just business success, but to making payroll and meeting expenses as well.. For instance, late payments can be damaging partly due to the unpredictability of cash flow. Similarly, delays in invoicing directly lead to delayed revenue recognition and in case of errors in invoices, a loss of revenues as well, which is against business objectives.

I think Finance (if not accounting) should care more about the collection process because it ensures the collection of outstanding accounts receivable and anything related to the revenue of the company. Some activities involved in this step include:
Investigating unapplied receipts
Analyzing / resolving short pay
Forward cash received to the bank,
Determine proper reserve for doubtful

As you can see, there is not so much sale activities here. the finance department deals with the cash flow and the revenue of the company so it would make sense if it is more involved in the collection process, carefully keeping track of numbers

2. Who in an organization should care more about the collections process – Finance or Sales? Explain*

Who in an organization should care more about the collections process – Finance or Sales? Explain

IT should be the responsibility of the Fiance department to track receivables, highlight in case of issues and ensure the payment is complete. In case the Finance department is getting no response from customer then Sales department can help. The Sales department’s focus is on selling more products and getting more business. They have the fear of ruining the relationship with the client if they get involved in collection. Hence they cannot be solely responsible but they can be asked for help if they feel comfortable to contact the client regarding payment. The job of Finance department is to ensure all transactions have been completed till the very end.

1. Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and How?

If I was an outsider and was to attack the order to cash process of an organization I would attack the payment process.
Today the payment options are more and also the channels to make payment too. For example, the customer can pay directly from the bank, use credit/debit card or use apps like Paypal or have cash on delivery or issue a cheque etc. The most common method of payment transactions today are using digital wallets, smartphones. Most of this information is stored in the database of the organization. Especially with the option to remember the card number for future transaction option, opens the door for an attack.
This data that the organization holds can be misused by the attacker for fraudulent purchases or to withdraw money from the customer’s account. A social engineering attack to get the account information or details.
Credit card pin can be stolen:
The common communication protocols that are used between the card reader and the card: ZVT protocol: Used between point of sale system and card reader ; Poseidon: Card reader and merchant bank and OPI- Open Payment Initiative.
Example for an attack on ZVT protocol:
ZVT protocol originally designed for serial port connection is now used for Ethernet. This protocol has no authentication, which means that man in the middle attack is possible. The attacker can read the magnetic stripe data from the card and request for the PIN. This could be then used to get the card details at a retailer and can be used to clone the card. The attacker can then direct the card reader to perform an unauthenticated PIN less transaction using the magstripe data, leaving both the card holder and retailer unaware of the transaction.
The attack could be on the merchant also. ZVT protocol is also used to configure the card reader. Each card reader has a terminal ID which identifies the merchant and also a port number. The terminal ID and the port number pair are configured by the bank to refer to a specific bank account. ZVT allows both of these to be reconfigured by the attacker on the local network. So now the attacker will be able to divert the money to his own account by changing the terminal ID and port number.

With more options and ways to make payments, it opens more doors for threats. Organization should be well aware of there risks and take necessary actions.

Source: http://arstechnica.com/security/2015/12/common-payment-processing-protocols-found-to-be-full-of-flaws/

Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and Ho

It will depend on what I want (goods or money). If I want the goods, I would attack the shipping process. I would find a way to access the company shipping database. The goal would be to redirect all outbound merchandises to where I want. However, if I want the money (or information) I would attach the payment process. If I manage to get into the company payment system I would be able to gather customers information.
In both cases, it would be easier if I know somebody working at the company that I am targeting. The insider would facilitate my attack into the system as he would have access to the company shipping system or payment system.

1. Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and How

If I were an organization attempting to cause negative things to another organization, I would make an attempt on its ordering and order fulfillment processes. Unlike the procure to pay process, payments are not being sent out by the company and I think that attempting to intercept payments to the organization will be difficult. With that being said, goods are processed and delivered to customers, which might be an easier avenue to steal from.

The reasoning behind focusing on the ordering and order fulfillment process is that if one can somehow circumvent the ordering process without a purchase order being made or accept a purchase order without an actual method of payment, then no payment could be collected. For example, if a sales order was able to “slip” through to the order fulfilment process that had falsified but yet approved methods of payments, then the order fulfillment personnel will ship the product as normal. However, it won’t be until the business goes to collect for its sales that it realized it had a fraudulent order and no payment will be received. Therefore, one can essentially get a free product. How to go about performing such a task, I am not sure. With that being said, a kickback scheme will be much easier.

If one can befriend a member of the sales order process, you can bribe them to provide you with discounts. While this might cost a bit more due to having to pay the person off, if one orders enough products through the business it could provide savings over a larger period of time. Bribing the sales person can come in a number of ways, such as a normal one-time bribe, percentage of sales bribe, or colluding to purchasing the products at a deep discount then selling them personally for a much higher profit. Regardless of which one, deep discounted sales can significant provide negative impacts to a business. While the sales are tracked and the fraudulent employee’s job is on the line, it is an easy method to negatively impact the OTC process.

2. Who in an organization should care more about the collections process – Finance or Sales? Explain

Overall, I think the accounting department are the ones who should care most about the collection process since they are the one’s involved in the receiving and recording of payments from sales. However, if I had to choose from Sales and Finance (as in financial planning/budgeting), then I would choose Finance. The finance department is responsible for identifying future financials, which is highly dependent on the ability for the company to collect on payments. Therefore, if the collections process is proving to be ineffective, then there could be a potential issue going forward in terms of the company’s ability to fund itself. Likewise, Finance would be more interested in improving their ROI which might make them more interested in the collection process as well. With all this being said, I do think Sales should have some care about the process since it’s not only important to get the sale, but actually receiving payment is half the battle.

3. Controls are important in all the OTC processes including invoicing and collections. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.

As I have stated before, I think foreign exchange risk will have a different impact on the invoicing and collections portion of the OTC process amongst domestic and international companies. Foreign exchange risk is the risk that the currency exchange rate can have an effect on the value of a transaction or investment. In this case for the order to cash process, a sale for a product can be made, but by the time the payment for the transactions has been received, a loss can be had on that transaction. While there does not seem to be to be much published online about how controls can mitigate foreign exchange risk, a control that could be used is to utilize forward exchange contracts for sales that reach a certain threshold. Essentially a foreign exchange contract is an agreement to which a certain amount of foreign currency will be bought on a specific future date. While this might not mitigate foreign exchange risks on all sales, large sales can mitigate the risks by using these contracts.

Another set of controls that would be different will be the fulfillment of orders by a specific date. In some businesses, when the delivery is made could be just as important as the product itself. In domestic sales, one can reasonably expect a delivery date and make sure that orders are fulfilled at the appropriate time. However, for international sales, delivery is much more complicated. Estimated shipping times naturally range depending on the type of transportation, customs can seize goods and cause delays, natural weather conditions can cause delay in delivery, and even cultural/political issues such as holidays or labor union strikes can all cause unpredicted delays in shipping. Therefore, the controls around shipping a product to meet the customers desired delivery date might be different in that they consider other factors when shipping their products.

4. You’ve now seen the entire Order to Cash (OTC) Process. If you were responsible for the controls of this process – what would keep you up at night (e.g. be your area of most concern)? Explain

For myself, I think the ordering sub process would the area to most keep me up at night. First, none of the other sub processes can start without completion of the ordering process. Therefore, if the ordering process were at any time to become ineffective (example being Amazon’s website not functioning) then a significant amount of sales could be lost. Secondly, I would be afraid of a kickback scheme or other fraudulent behavior among those putting in orders and if they are getting compensated by any customers. Lastly, I would be concerned over the credit management portion of the ordering process. If credit checks are not performed correctly, then later down the road receiving payments could result in a significant number of bad receivables. Since the Order to Cash process is the heart of any retail organization, I would definitely have some concerns that keep me up at night.

Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and How?

Let’s take an example, a company like Amazon Inc. who carries O2C process on a regular basis. If I were to attack, I would target the order management process. Typically, an order is placed by the customer through the amazon web-store (front-end), which is then downloaded into Amazon’s order management system that is probably a back-end enterprise system where all customer orders are downloaded. The data is being transferred and there is possibility of an intervention during the exchange and data being corrupt; it can cause a lot of damage.

For instance, fields like customer name, address, phone number, goods in the cart, etc. can be compromised. Customers can receive products they never ordered, they can receive orders on the wrong addresses. I think a compromised order management system can jeopardize the entire order to cash process.

If the same attack is successful on an important day like Cyber Monday, where Amazon sells on an average 306 products every second, it can get into a serious trouble.

I absolutely agree with the point about relationship between sales team and customer you brought up. When customers see someone from the sales team, customers will certainly wonder if the sales person is there to collect money or offer a product. But, a sales person can indeed establish relationships with the customer’s purchasing department and sort of nudge them about the pending balance.

1. Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and How
If I were an attacker of an outside organization, I would attack the process of creating delivery, the reason is that in this process, customers provide shipping addresses, I would attack and change the shipping addresses to our client’s secret address or our organization’s secret address to ship to. another attack can be in the process of updating inventory, it would influence the internal inventory control system and lead a difference between the inventory physically and technically. Another attack can be creating invoice; this attack can let the company never create an invoice after shipment. The last can be in the payment process, our organization would change the receiving account to our secret account, allowing their customers to pay to us.

2. Who in an organization should care more about the collections process – Finance or Sales? Explain

Finance department should care more about the collections process. Finance department is focusing on collections, and should contact its client’s finance department, and sales department is focusing on how to increase customers and maintain good relationships, and should contact its client’s sales department. Finance department should use software to track payment status and update it to recently. If there are some sales adjustments, finance department can easily solve the problem from its software whereas sales department has no authorization to do it. This is kind of the separation of duties. We can never sale a product and receive the money by a same person, because it is really easy to modify the products sold and money collected.

4. You’ve now seen the entire Order to Cash (OTC) Process. If you were responsible for the controls of this process – what would keep you up at night (e.g. be your area of most concern)? Explain

If I were responsible for the controls of OTC process, third party shipping would keep up at night. During the day time work, I can finish all processes that can be done during the office time, however, third party shipping is my concern because it would involve several problems including products damages, thefts, wrong address deliveries, delivery time delays, international shipments, products returns, etc. these outside works cannot be guaranteed to finish as they promised. If an international customer creates a large bulk of high value products, what if the third party has the problems above? Another concern is about the payment process. International customers will pay for the products in different time zones. If an international customer pays for a large amount of money at night in Philly but that is in the morning during his time, and the payment cannot be done quickly, or even it can be done, nobody checks it immediately and may involve mistakes.

Good point Priya! You talked about the IT department should help finance department track payments. that is one of our jobs in the future! and maintaining good relationships is also important cuz finance department may lack the ability to play around with customers, rather than sales people, they are talent to do that!　

1.Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and How.

Generally, the Order to Cash (OTC) process requires detail information of the customers’ personal identified information (PII) like name, billing address, or even credit card information. If I’m in the outside organization and wants to do something bad to the OTC, I would try to get the access authority of the company’s OTC system through a cyber-attack. For example, implement the phishing attacks to the employees who can access in the system. If any of those employees download the Trojan from the phishing emails, the Trojan allows me to monitor the information flow in that PC, and obtain the accessibility to the OTC system.

In this case, I can copy the sensitive information from the OTC, or even change them. For instance, if the customers’ addresses were changed, the packages would be shipped to the wrong places, which may significantly affect the shipping dates. From customers’ perspective, it higher the risk of losing those packages; from the company’s perspective, the reputation of company may be damaged, and significant loss in the information assets.

Question 2: Who in an organization should care more about the collections process – Finance or Sales? Explain

Comparing with sales, finance should care more about the collections process, because this process includes posting account receivable, contact accounts to collect past-due balances, prepare account status reports, research and resolve account receivable discrepancies. Actually, from this perspective, the collections process seems more related to the accounting department, since the initial invoices and other invoices created during the OTC process need to be collected so that the accountants can make the journal entries and other financial reports. But all of these collections of financial statements and reports are helpful for the Finance. By analyzing the financial reports, Finance can identify the possible issues and potential risks of the process. Since the most important thing for a company is to create more profit, the profitable analysis is also important for the Finance.

Source: http://www.slideshare.net/sadhiqali/order-to-cash-cycle-1235071

3. Controls are important in all the OTC processes including invoicing and collections. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.

The first different in the controls of a purely domestic US company and an international company is period reconciliation of shipping and invoicing records is more importantly and usually more complex for the international company. For example, for the purely domestic US company, the shipping process usually involved only one shipping company. However, the international company usually required long distance shipping, and more than one shipping companies may be involved. This higher the risk in losing shipments, and also enhance the importance of reconciliation of the shipping records with different companies.

Another different is that the international company require an effective regulatory audit of tax collections. Different from the purely domestic US company, an international company holds multiple oversea investment and assets in different countries. Most of the countries have different tax policies in the import tariff, which may significantly affect international company’s strategic decision making.

You bring up two very good points about the differences between a US domestic business and a multi-national organization. I know some countries mandate that earnings taken in those countries be kept within the borders of those countries for a specific time period, and reinvested there potentially, before they are allowed to be repatriated back to the home country of the business. I wonder if that would impact the sales process in any way, or if it would primarily impact the finance department of a business.

Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it?

The ability to enable risk based collections management depends on access to many different data elements, and mechanisms to generate scoring of those elements. The data elements and mechanisms in the example are detailed here:

Internal data elements – invoices to calculate delinquencies, other elements for credit review,
External data elements – to enable objective credit reviews,
A means to segregate customers for both scoring and strategy manipulation,
Scoring engines to generate delinquencies from AR transactions, risk classifications from credit reviews, scoring of customers for strategies,

Source： http://www.caliber-services.com/content/view/79/111/

Assuming I’m an outside organization with the goal to cause negative impact to a company’s Order to cash process, below are the ways in which I can cause harm to the sub-processes. The thought process for causing negative impact to each of the sub-processes in the O2C process is as below :

1. Quotation/order entry
=Stealing customer master data or hampering it’s integrity – however, that may or may not be of a lot of value depending on my intentions – if I’m a competitor, the customer data might be of value to me as I could devise a strategy such that customers would prefer to buy goods or services from me and not the company who’s O2C process I’m trying to harm. This could be achieved by giving attractive offers to the customers for buying from my company.

2. Provision of goods or services
=Here I might not have much control over how the company delivers it’s goods or services. At the same time, it might require more effort or funds to make any substantial adverse impact to this area of the process. I could probably bribe the company’s employees or vendors to create problems and delays in the process. But it could also backfire and my intentions could be exposed.

3. Billing (invoicing)
=Any harm that I could cause in this area of the order to cash process won’t really be long term harm. At most, there could be temporary failure in invoicing which could lead to slight chaos and delayed invoicing. In the bigger scheme of things, this might not be the best idea unless I can completely mess up the system so much so that the invoicing is all done inaccurately. Wrong invoicing would make customers irate and affect payments but even then, the impact would probably be only for a short duration and to only a smaller percentage of the customers.

4. Incoming payment
=Attacking the payment system – This would be the best way to harm the O2C process for a company. The payment system would contain Customer payment info. If I can get my hands on it, and the company cannot detect it, I could use it for financial gains for a long time. If however the company detects it, and lets their customers know of the theft of payment info, the company’s reputation will get impacted which could be beneficial to me if I am a competitor.

Attacking the payment system would be the best choice as it would have the greatest impact to failure of the O2C process aswell as the company’s reputation and customer loyalty. This would certainly shake up the company’s customer base and even share prices possibly.
Such an incident would be a huge blow to the company and have long-lasting effect too.

Q 1. Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and How

Being an outsider, I would attack as a fictitious customer to an organization’s order to cash process.
This creates a risk of fraud orders, nonpayment of the order leading to monetary loss for the organization. For example, as a fictitious customer, I place an order and I am not a potential customer to pay for my order. In this way I will harm the integrity of the OTC process leading to monetary loss as I will not be paying for my order. So such an attempt to falsify the ordering system request without making the payment can be lead to financial loss specially if it is a big order.
In this way customer order system will be used to make a fraud order. Such frauds generally occur when customer choose cash on delivery. Fraud customers make orders which cost a big amount to the organization for production and delivery of the order. Once the order reaches the door for the delivery they either refuse to collect it or there is no such person available at the address who made the order. This leads to loss as it cost a good amount to produce and deliver such a big order and the invoice amount remains unpaid. Above that sometimes the order is so big that it becomes difficult for the organization to sell it and it expires

Yes Fangzhou! That will be easier to attack. plus attacking key persons in the organization is really good, cuz they hold more sensitive accounts!

1. Controls are important in all the OTC processes including invoicing and collections. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.

The difference in the controls of purely domestic US company vs. an international company would be:
A domestic company will not need any foreign exchange controls as there is no foreign currency involved whereas an international company would need controls to manage foreign currency as the order involves different countries having different currencies. So here the first task is to manage the currency difference and the second is to manage the Foreign exchange (FX) risk. FX is the risk of loss from depreciation of a currency in which cash is held. It is important to ensure clarity about the base currency for risk measurement and the relative importance of cash flow and accounting risk. Also a centralized credit limit should be enforced on international accounts. It can be managed by multi-currency cash pooling where the system converts all the account balance into a common base currency which can help in easy payment.

Another important control which an international company would need on their system can be to manage the time zone difference. It is very important to keep track of the difference in date and time during an international order so that there is no confusion on order delivery schedule. Managing a delay in delivery is very important to avoid any kind of monetary loss.

Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and How
As a fraudulent customer, one can try to wreck the order process
1. Providing incorrect details on purpose – address, bank account details
2. Deliberate return of goods even if goods are not damaged
3. Not completing the payment process
4. Giving bulk orders and cancelling or returning them

As a hacker or cyber attacker, one can exploit the software system that the company is using to attack the order to cash process
1.Attacks on the customers who are using the OTC process – ex. phishing attacks by sending email to other customers
2. Cyber attacks to payment module of the company – ex. SQL injection, CSRF attacks

With social engineering one can get access to the organization data. It could be via tailgating into the company facility or by getting access to the confidential information via posing a person in authority to the employees.

Yes, segregation of duties plays a crucial role within the order to cash process. It is necessary for companies to make sure oversight isn’t given to people whom have interest in other sections of the company that intersect. It is sort of creating the “perfect storm” environment where fraud could occur and run rampant without notice. I think some companies don’t think their employees would have those malicious intents to hurt their company because, as an employer you believe you hire based on the integrity of the individual as well as the qualification. Excellent addition Alex, thanks.

You’ve now seen the entire Order to Cash (OTC) Process. If you were responsible for the controls of this process – what would keep you up at night (e.g. be your area of most concern)? Explain

There are definitely a lot of controls would concern me, but the internal controls for cash would probably worry me most. It is easier for an employee to commit fraud with cash because it is a liquid asset. Cash is a much more attractive target for this reason than other assets accessible during the OTC process. An employee could steel inventory or supplies which is still an asset to the company, but it is a less attractive target. Segregation of duties is probably the most effective preventative control for cash because one person would not be able to independently commit fraud. Other important cash controls would be bank reconciliatory, proper authorization, and performance checks. It would worry me that the segregation of duties is not constructed as well as it could be, or its continued implementation is not where it should be. If the company is smaller, it is harder to properly segregate duties and create additional space between each one. Larger companies should conceptually be better able to segregate duties, so the smaller the company the more that I would worry.

Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and How

I am going to take this from one of my favorite movies. The movie is called, Office Space.

I would attack the financial accounting department payment / Credit Card process, and have a small portion of the customer’s payment deposited into an account overseas. The transactions would be minimal and may fly under the radar.

I would do this by establishing a tax / fees expense account, and setting up automatic payments to deliver the payments to an overseas account. End up riding it out until the payments stop. They may never notice the $.05 “new tax” per transaction.

Here is another fraud story I heard about. Sometimes, a company would send a fake invoice to an old customers accounts payable department, when the account was inactive for over 6 months. In some circumstances, AP would pay the invoice because it was for less than $500, you are an approved vendor, and haven’t been invoiced in a while.

Who in an organization should care more about the collections process – Finance or Sales? Explain

This is a great question.

Finance
It is there job to manage the accounts payable and receivable. This is what they get paid to do. They should “care” more about fulfilling the duties of the job.

However…

If the sales people are working on commissions that are paid when the company gets paid, the sales department will care more.

This is when segregation of duties should factor in. Don’t allow the Sales department to perform collection duties. The conversations between the sales agent and the customer may not end in roses.

Controls are important in all the OTC processes including invoicing and collections. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.

Shipping Controls:
I would have tighter shipping controls if my suppliers or customers where located outside of the United States. The Service Level Agreement would only permit the international company to use approved shipping companies.

I would have stricter controls on sales to international companies. The quantity and cost would be capped until a relationship was established. Multi-level credit checks and approvals would be need for international companies where U.S. laws didn’t apply.

You’ve now seen the entire Order to Cash (OTC) Process. If you were responsible for the controls of this process – what would keep you up at night (e.g. be your area of most concern)? Explain

My biggest fear would be the shipping and available to promise. As a business owner and account manager, making the customer happy is our number 1 priority. There are too many things that are out of our control. The pre-sales, sales, billing, and payment portion of the O2C are controlled internally. The shipping is controlled externally. We are at the mercy of the shipping company. We can make corrections quickly in the pre-sales, sales, billing, and payment sections, but if the shipping company loses our package, we can’t track down the package and deliver it ourselves. Giving up control would keep me up at night.

When it comes to segregation of duties for collections, I am inclined towards making this as Finance function. The ability to reduce payments risk is how the efficiency of a Finance department is determined. Aligning credit and collection policies with organizations goals is an important part of the Finance department. Adoption of proactive approach by both Finance and Sales department will help in mitigating customer risks. Sales must act as an data collecting instrument which is analyzed by the Finance department to design policies which can effectively identify at risk customers.

Definitely agree that Finance should care more about the collection process than sales. Have a responsibility oversee collection as well as other financial aspects of an organization. Also helps with segregation of duties if a different person than the one selling is responsible for protection. It might enable fraud for employees in sales if they were also involved with collection. Also, sales employees should be focused on the actual selling of the product, not the logistics of accepting and tracking payments.

Fred,

This is ingenious. Don’t get me wrong, I do not encourage this type of behavior. I just think that it is clever. Doing so will not raise any red flag. If people were using this creativity to do good the world would be a better place.

Who in an organization should care more about the collections process – Finance or Sales? Explain

I think Both should be concerned. Finance should own the process of tracking receivables and flagging any potential issues. However once a problem has been surfaced by accounting, sales usually has a responsibility to take action to collect, unless there is a separate customer Account Management department.
If the account is difficult to collect on and Sales can assist especially if they see the customer on a regular basis, then Sales should assist.

Controls are important in all the OTC processes including invoicing and collections. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.

The answer lies in the differences across borders. Nation-states generally have unique government systems, laws and regulations, currencies, taxes and duties, and so on, as well as different cultures and practices. An individual traveling from his home country to a foreign country needs to have the proper documents, to carry foreign currency, to be able to communicate in the foreign country, to be dressed appropriately, and so on. Doing business in a foreign country involves similar issues and is thus more complex than doing business at home.

Resource: http://www.referenceforbusiness.com/management/Gr-Int/International-Business.html#ixzz4MVxV4x00

Hi Abhay,

I wasn’t sure if the accounting department would be considered under finance or not for the question. Regardless I still think Finance should be the department more concerned. To answer your question, if a company has a dedicated team, such as Finance, to collecting payments then I would say that sales department would be wasting their time. However, as a salesperson, they should know which customers are good about paying for their purchases or not. Say ABC Company sell goods to XYZ Company and they have not paid on their past 5 orders, then the salesperson for ABC Company probably should not be selling anymore to XYZ Company. Therefore I think that sales should be concerned about the collection process, but not as concerned as finance.

Hi Josh,

Good point about physical cash in the Order to Cash process. When these questions are raised I usually think of huge multinational businesses. However, companies as small as restaurants (could be franchises too) should be concerned with the controls over cash handling. As you said, cash is so desirable since it can easily be stolen and the value remains the same. Likewise, one theft isn’t likely to cause significant amounts of damage to the company, but thefts of small amounts over a long period of time can prove harmful. Therefore this makes it a high risk. I suppose one control that a small business can perform is by performing a reconciliation of cash at the end of the night against what is recorded on the cash register. I am sure that larger organizations have their own controls to make sure that physical cash handling is properly controlled.

1. Who in an organization should care more about the collections process – Finance or Sales? Explain

In my opinion, Sales should care more about the collection process since them receiving the money is crucial to the numbers. They do not get credit for it if the sale does not go though. For example, if a customer uses a credit card that was expire and it went through but then later decline since the card is invalid for the expiration date then the sale did not process and no transaction for that sale took place. So that collection process did not finalize due to the customer card information. The collection process must process correctly in order for the sale to count. Finance are more concern about the company revenues and expenses. The collection process is important to them too since it generates revenue but Sales is ultimately more important since sale gets credit only if its process successfully.

1. Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and How
I would attack the system that controls the customer’s order. The customers are the most important thing to the company so getting them to turn on the company will cause a negativity impact. So I would hack into their database system that is responsible for shipping customers order and have them all get push back or even cancel. That way, customers will wonder what happen with their order when it was suppose to get deliver at this date but never came and get frustrated after they realize it was cancel. Nothing is like that anger you get when you expect something you really need to come but does not. That will enrage the customer and thus cause a negative impact to the customer since I will be targeting all their customers, not just one.

You make a good point about being a “fictitious” and fraudulent customer as it is a very real-world situation. Personally, I feel that if the order is not accepted upon delivery, and is sent back to the company, the loss due to effort spent in delivering etc. might be a very small amount. However, I do agree that COD orders can be used in causing big losses to a seller. I’d read about that sort of fraud occurring with one of the Indian ecommerce websites. The customer would order expensive items and repackage the delivered container with stones, papers, cheap phones, etc. then call customer service and have his money refunded. The company would think that there was an issue with their own supply chain and willingly refund the customers money. Over a period of 6-8 months, the company had lost a few thousand dollars

Priya,
I think in a scenario where Flipkart and Amazon are providing COD service to their customers in India. An attacker can just get an access of someone’s phone and completely compromise the COD service by entering OTPs as they come in. Probably order a lot of goods, as you mentioned, in bulk and the company will be left with delivering goods to a wrong customer; shipping & handling costs, etc.

4. You’ve now seen the entire Order to Cash (OTC) Process. If you were responsible for the controls of this process – what would keep you up at night (e.g. be your area of most concern)? Explain

My most concern area will be when order is shipped to customer or service is performed. I think shipping or delivering service is the most vulnerable part of the OTC process. First, I want to share one of my experience at work as an accountant. There was one client that we provide monthly book keeping service for her company, and we will send her the profit and loss statement up to date before the 15th of each month. Last month, our accounting firm was overwhelmed by the business tax return extension which must be filed on the 15th. Therefore, we didn’t send the PL statement to that client on time. Obviously, the client got upset and she refused to pay for last month’s book keeping service fee because we didn’t get the work done on the date as we promised. What I am trying to emphasis here is it’s very important to make sure we did everything we can to satisfy with customer’s needs. In this case, we must make sure our service is delivered not only accurately, but on time.

As Fred mentioned in his post, Shipping and delivery is not something that we hold much control of because usually third party such as UPS, USPS, FedEx will be responsible for deliver the products to the customers. Therefore, I believe shipping is one of the steps in OTC process that would keep me up at night.

Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and How

If I am outside the organization, I think I will focus on the vulnerability of shipping process as it is the easiest. Physically, I just hired some people intentional damage, misplace, even steal the package. Technically, hack into customer’s account and change the delivery method or destination.

2. Who in an organization should care more about the collections process – Finance or Sales? Explain.
I believe since services should only be supplied to customers who have a good credit rating and if finance approves the supplier and allows the transaction to still go through it is their liability. They should be responsible to ensure that the customers they are approving are actually in good standing and the risk is minimal. They are responsible for that supplier from the moment they approve until the account is actually paid for. They will decide if the supplier gets to purchase more However, sales should follow up with their orders until they are fully paid for.

1. Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process.  Where would you attack it? Explain Why and How
I would hack their customer information and change shipping addresses for all companies as well as steal and overcharge their customers. This would make customers not want to do business with this organization as they are misusing their information. This would attack both the order processing and pricing sections of their OTC process. For example if this was done to a company at large no one would receive the orders they placed and cause a lot of chaos within the company.

3. Controls are important in all the OTC processes including invoicing and collections.  What would be different in the controls of a purely domestic US company vs. an international company?  Give 1 – 2 specific examples.
1. Payment processing – To ensure that the global policies and payment processes are being followed.
2. Shipping processes – To ensure that all of the global processes for shipping are being followed. So items are not stopped at customs.
These controls would need to be tighter since you are working with international customers and most likely cannot send them to collections and effect their credit since that is an American system. In fact, I would ensure the international customer cleared their bill before shipping any items to them to ensure payments are made. Only after they have done this several time would I extend them credit.

2. Who in an organization should care more about the collections process – Finance or Sales? Explain

I think finance department should care more about the collections process because finance department is responsible for paying vendors or suppliers (accounts payable), accepting payment from customers (accounts receivable), The primary focus of finance department are allocating assets, reducing liabilities and managing cash flow. However, I believe there should be collaboration between the sales and finance department. In order to collect the correct amount of money, communication is needed between the sales department and finance department. For example, if there is a sale event going on, finance department should be notified.

4. You’ve now seen the entire Order to Cash (OTC) Process.  If you were responsible for the controls of this process – what would keep you up at night (e.g. be your area of most concern)?  Explain 
Availability of products (inventory controls) to ship out and shipping out on time. These are the largest items that would keep me up at night since as a consumer these are the two most important items to me when placing an order. If the availability is not their and my inventory is not accurately recorded and I tell a customer after they placed the order that it is not there and will not be shipped on time they will most likely not want to do business with me again. Losing customers is essentially what will keep me up at night.

I agree. This is a great point. Finance is approving the sale by saying the client is good (in the sense of their credit rating). However, sales should follow through with their customers. They are not simply making sales but handling their clients and contributing to the business, which includes seeing their sales through.

This is very well put. I believe both functions should be responsible.

3. Controls are important in all the OTC processes including invoicing and collections. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.

One example I can think of is the control of money collections due to foreign exchange rate. For international company there is foreign exchange risks occurs because currency’s exchanges rate fluctuates. It’s very important to have a defined date that the money should be collected and both parties agreed with the foreign exchange rate.

Also, when doing the business with international company tariffs and quotas needed to be taking into consideration. They can have a huge impact on the profits of an organization because it might either cuts revenues from the result of tax on those products we are shipping overseas or restricts the amount of revenues that can be earned. Therefore, doing research and have a good control on custom is important.

You’ve now seen the entire Order to Cash (OTC) Process. If you were responsible for the controls of this process – what would keep you up at night (e.g. be your area of most concern)? Explain

If I were responsible for the controls of OTC Process, one area I concern mostly must be payment process. This link contains a lot of sensitively financial information, such as credit card information, once disclosed may lead to huge financial loss, or reputation damage to the company, you will pay a fat price with even small mistake. So, I have make sure that the payment system is enough secure, the involved personnel are totally reliable, the human errors are properly controlled to the minimum, the recovery plan is in place to cope with emergence situations. Besides, a higher demand is put up by the fast-changing business environment to address any potential risks.

1. Assume you’re an outside organization with goal to cause negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain Why and How

I would attack the payment process if I am an outside organization with goal to cause negative things to happen to an organization’s OTC process. The reason is because payment process contains all customer’s PII such as name, address, bank information, etc. After I obtain those information, I can basically do whatever I want to. I am able to change the shipping address, charge more than the amount I am supposed to from the customers, etc.
First, I would find out who are those people have the access to the system. Then, I would cyber-attack the company’s OTC system by phishing attacks to my targets. Employee is vulnerable to the organization because they might lack of the awareness of secure company’s asset. If one of these employees download the Trojan from the phishing emails then I am able to obtain the access to the OTC system.

Controls are important in all the OTC processes including invoicing and collections. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.

Different from domestic company, an international company need to manage foreign-exchange risk,that’s a kind of risks refers to the potential for loss from exposure to foreign exchange rate fluctuations, that an asset or investment denominated in a foreign currency will lose value as a result of unfavorable exchange rate fluctuations between the foreign currency and domestic currency.

International companies face foreign-exchange risk, because this type of companies makes interest and principal payments in a foreign currency. For example, let’s assume XYZ Company is a Canadian company and pays interest and principal on a $1,000 bond with a 10% coupon rate in Canadian dollars (CAD). If the exchange rate at the time of purchase is $1 CAD: $1 USD, then the 10% coupon payment is equal to $100 Canadian, and because of the exchange rate, it is also equal to US $100. Now let’s assume a year from now the exchange rate is 1:0.85. Now the bond’s 10% coupon payment, which is still $100 Canadian, is worth only US $85. Despite the other side’s ability to pay, the company has suffered financial loss because of the fluctuation of the exchange rate.

Source: http://www.investinganswers.com/financial-dictionary/forex/foreign-exchange-risk-3181

Nice attack Fangzhou, that would be a good way to cause negative impact for the company if you got into the companies OTC process. No one would notice you were in there making changes or copying sensitive information that could potentially harm the company. Customers are important to the company and targeting to corrupt there delivery dates will sure get their attention. No one likes getting late packages so that will cause anger and backlash towards the company which can in turn ruined their reputation.

Thanks for your sharing. As you said, nowadays, the common method of payment transactions is using credit/debit card, digital wallet, in each Order to Pay process, this information will be recorded, and all of this information is sensitively financial information. Once the payment system is hacked, the stolen information may be used for financial fraudulence or crime, it will also damage one company’s reputation cause if that happens, no customers or partners want to have any finance-related connection with you. I think no more negative things rather than this.

Q2: Who in an organization should care more about the collections process – Finance or Sales? Explain

Finance should care more about the collections process. This is because the Finance department is the direct entity to collect money and report those processes into the system. If any payment is unpaid or not collected, it is mainly the Finance department duty to complete those. For example, when I was working at the grocery store, I had to receive invoices and scan them into our procurement system. And sometimes, if I miss an invoice to scan into the system, I always got a phone call from our finance department to complete scanning. So from my experience, Finance should care more about the collections process than Sales.

Who in an organization should care more about the collections process – Finance or Sales? Explain

I think that Finance should be more concerned with the collections process. My reason for this is because Finance works really closely with accounting in perfoming analysis work and reporting to close out the books by specific periods. From the perspective of balancing the books and reporting I think Finance should care more about the collections process.