Ming Hu

In the Real World Control Failures we’ve reviewed, describe the character of the leaders involved. Is it a root of the control failures?

In my project, it was the CFO and CAO’s negligence that accounted for this failure, they knew the accounting stress faced by the company, and knew their accounting staff no longer able to perform monthly clo…[Read more]

SAP’s GRC module may be important and effective, but can the cost of GRC be justified? Explain

SAP GRC enables organizations to manage regulations and compliance and remove risks in managing organizations’ key operations by providing many useful modules, such as Access control, process control and fraud management, risk management. Alt…[Read more]

Nice point. An operating system is a set of program files and routines that controls a computer’s resources and provides access to a computer’s services. More specifically, an operating system allows a computer’s hardware components, including processors and drives, to communicate with its software components, such as applications and data…[Read more]

List common control issues associated with operating systems and remediation strategy/plan.

Control issues:
Trojan Horse – program that secretly performs some maliciousness in addition to its visible actions.
Virus – fragment of code embedded in an otherwise legitimate program, designed to replicate itself ( by infecting other programs ),…[Read more]

List common control issues associated with operating systems and remediation strategy/plan.

Control issues:
Trojan Horse – program that secretly performs some maliciousness in addition to its visible actions.
Virus – fragment of code embedded in an otherwise legitimate program, designed to replicate itself ( by infecting other programs ),…[Read more]

Nice point, any breach of confidentiality, integrity and availability of operating systems may cause system outage, data loss. For an organization, insecure operating system may put the organization at high risks, financial loss, data leakage, reputation damage, which are very disastrous.

Nice point, the lack of encryption is definitely a huge risk associated with operation systems, unencypted data or unencrypted channel for information communication means failing to protect your data and putting the brakes on business. Productivity, communication, and innovation decline because of the threat of letting business critical data fall…[Read more]

Nice point, I agree with you, when we use our personal computer, we usually tend to store personal and sensitive on it, such as default password, payment method, for convenience and process money movement or other high-risk transactions. If the security of OS is low, the computer may be easily broke through, and those sensitive data may be stole…[Read more]

Thanks for your sharing, Human error is the single biggest cause of cyber security incidents, I believe the scenarios you put up are not uncommon, especially in those small companies, the lack of security training causes most of employees’ lack of security awareness. Establishing a secure environment and providing right education is an effective…[Read more]

Nice point. I agree with you that control environment is the foundation, because control environment provides discipline and structure for all other components of internal control. Control environment factors include the integrity, ethical values and competence of the entity’s people; management’s philosophy and operating style; the way management…[Read more]

Nice point. You are right, digitization is an unmistakable and irreversible trend in nowadays society, technology is a powerful tool leveraged by organizations to conduct their business processes. From auditors’ perspective, having some understanding of technology is a good equipment to perform auditing. Take financial audit for example. The…[Read more]

Nice point. External hacking is absolutely a major risk most organizations facing now, not only many organizations lack the tools and processes to handle external cyber attacks, but also because those external hacking are targeted and well-organized. So even most IT and information security leaders are aware of the risk and high cost of external…[Read more]

Nice point about mobility. Adding mobility into the features of ERP system will make it more available and more user-friendly, cause mobile devices are playing a more and more important role in our daily life. It would achieve, such as faster decision making, greater operational efficiency, improved communication and collaboration, anytime access…[Read more]

Nice point Said. Customization definitely is a very important factor for customers, especially considering the fact that most of the companies are spending more money in customizing SAP ERP for their enterprise to bring the project in a great success. If the provider could supply more customization options, including design, change, upgrade, and…[Read more]

Nice point. In your example, some kind of Segregation of Duties may be infeasible, especially for those small businesses, because they don’t have too many employees and the price is too high. And I agree with you about miscalculation of Return on Investment, we all know how difficult it is to conduct a quantitative analysis, even for those big companies.

The ERP systems market is very competitive. What should SAP and other ERP systems providers be focusing on to make their systems more competitive in the future?

Nowadays, I would say that user-friendliness is one of the main focuses which would make ERP systems more competitive in future. Historically, the term “user-friendly” and SAP are sel…[Read more]

SAP is a world class ERP system provider. If you are an SAP customer – what would you expect them to provide to support your company’s internal controls?

What I expect from SAP is how it could do to support change management. There are so many challenges the company face to implement successful change management.
How to control the qua…[Read more]

Nice point Yu Ming. About meshing compliance and security practices, you need to determine where business risks lie. Then put technology and processes in place to mitigate those risks. At that point, you also need to figure out how those measures satisfy compliance obligations. When the organization get that flowchart backwards—when it acts f…[Read more]

Thanks for your sharing, considering the second question about auditor independence, do you need to mention this in your audit reporting, i.e. when you conduct an audit, do you need to provide a written declaration confirming that there have been no contraventions of the auditor independence requirements, such like existence of interest conflict…[Read more]