-
Sean Patrick Walsh posted a new activity comment 7 years, 11 months ago
1. Have you ever been involved with an internal audit or audit of your process / project? Briefly describe.
When I was in the Navy I was involved in the Quality Assurance (QA) Program. One of my responsibilities was to conduct audits on QA Controlled Material lockers. Controlled Material was anything used in specific systems, such as 600 or…[Read more]
-
Sean Patrick Walsh posted a new activity comment 7 years, 11 months ago
4. Next week we have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
I would like to know how an auditor builds trust with those closest to the process areas where fraud can take place. Is it wise for an auditor to question employees directly with…[Read more]
-
Sean Patrick Walsh posted a new activity comment 7 years, 11 months ago
3. How have you seen change management work in your organization? What improvement recommendations do you have?
Change management was always put out in a policy directive first. From there training was coordinated to capture all personnel so they were made formally aware of the change(s) being implemented. After the training time period was…[Read more]
-
Sean Patrick Walsh posted a new activity comment 7 years, 12 months ago
I agree that the T-code you identified is definitely sensitive to fraud and error. The personnel who have authorization to execute changes with that transaction should be very limited. Those personnel should also probably have strict background checks carried out through administrative control policies to properly vet before receiving access and…[Read more]
-
Sean Patrick Walsh posted a new activity comment 8 years ago
Your example of inaccurate data shows some of the potential consequences that a decision made with inaccurate data can have on a business. I think inaccurate data and excessive repetitive data can both be equally risky for a business. Couldn’t inaccurate data be built into repetitive data? For example, say a business has multiple entries of an…[Read more]
-
Sean Patrick Walsh posted a new activity comment 8 years ago
I can’t say I agree that having whoever manages the material should necessarily be the one who controls the master data for the material. I think allowing whoever controls the actual material also control the data of the material could create the opportunity for fraud or error to take place. That is only “one set of eyes” on the material and its…[Read more]
-
Sean Patrick Walsh posted a new activity comment 8 years ago
I agree that controls are necessary to provide assurance of integration of master data for all. Policies and procedures stipulate who creates master data, and how it is created. Controls are what ensures those policies and procedures are carried out correctly. Controls catch errors, intentionally carried out or not, and ensure the master data is…[Read more]
-
Sean Patrick Walsh posted a new activity comment 8 years ago
2. Which department or person should play the key role in defining master data and assuring its quality?
I would think that the accounting department would be the department that defines master data and assures its quality. The three kinds of master records we learned about are material, customer, and vendor master records. All three of t…[Read more]
-
Sean Patrick Walsh posted a new activity comment 8 years ago
1. Master data in an ERP system is highly integrated with various processes and affects many parts of the organization. How does an organization assure this integration works well for all?
Since master data is so important and used in many different processes, controls must be put in place to assure the integration of the data works for all.…[Read more]
-
Sean Patrick Walsh posted a new activity comment 8 years ago
Your second example of an administrator’s two different user accounts is a great example. A business that allows admins to share a root-user logon for use whenever needed loses the ability to track who made what changes to a system or network since any number of users who have access to the logon ID could be responsible. By mandating that a…[Read more]
-
Sean Patrick Walsh posted a new activity comment 8 years ago
Both of your examples of SOD make me wonder if conducting and hiding fraud is easier in a small business or a large business. A small business might be just a few employees or a lot of employees, but it may more than likely be housed in one single location. One centralized location where all employees conduct all facets of a company could…[Read more]
-
Sean Patrick Walsh posted a new activity comment 8 years ago
Your response made me consider something else as you reminded me that SAP, as an ERP system, is essentially a centralized application that does the work of what was done by many different apps previously. This adds complexity because SAP/ERP handles many different business processes that are carried out in many different business functional areas.…[Read more]
-
Sean Patrick Walsh wrote a new post on the site Auditing Controls in ERP Systems 8 years ago
toshiba-contol-failure1
-
Sean Patrick Walsh commented on the post, Week 9: Questions, on the site 8 years ago
I agree with your recommendations for password requirements. I would also add criteria preventing the user from reusing previous passwords when creating a new password. Preventing users from using old passwords mitigates the risk associated with a password that has been cracked and the attacker is just waiting for the user to change the password…[Read more]
-
Sean Patrick Walsh commented on the post, Week 9: Questions, on the site 8 years ago
2. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
I think the most fuzzy area within the security aspect of an ERP system is access and authorization controls. Since there are so many different t-codes in an ERP system, and so many different steps in a process, the many…[Read more]
-
Sean Patrick Walsh posted a new activity comment 8 years ago
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties is a method of risk control that separates roles, responsibilities, authorizations, etc. between separate personnel to separate the necessary steps needed to be taken to commit fraud in…[Read more]
-
Sean Patrick Walsh commented on the post, Week 8: Questions, on the site 8 years ago
I’ll do you one better. When I was a prison guard at the prison in Guantanamo Bay, we didn’t wear name tapes on our uniforms. Instead we were issued a number so that way the detainees did not know our names because somehow even there they had contact with the outside world and could visit harm on our families if they knew who we were. Well, at the…[Read more]
-
Sean Patrick Walsh commented on the post, Week 8: Questions, on the site 8 years ago
I know exactly what you’re talking about. I never understood why stringent password requirements and policies existed for certain systems. For instance, in the Navy we had Navy Knowledge Online (NKO), and I believe you used AKO if I remember correctly, for online training courses that were required semi-annually and annually. There was no real PII…[Read more]
-
Sean Patrick Walsh commented on the post, Weekly Question #7: Complete by November 10, 2016, on the site 8 years ago
I agree that Authorization Control is the most important control too. You can have all the other controls in place that you listed, but without proper authorization controls in place none of those other controls will matter. If the wrong people are authorized to create, alter, and/or delete some type of transaction when they should not be, then…[Read more]
-
Sean Patrick Walsh commented on the post, Weekly Question #7: Complete by November 10, 2016, on the site 8 years ago
I agree with your assessment. I would also describe the fraud potential this way: allowing users to access other posting periods would allow them to conduct “financial engineering” in their system, which is moving costs and revenues to periods they aren’t supposed to be recognized in, in order to manipulate revenues. By only allowing the current…[Read more]