-
Yu Ming Keung posted a new activity comment 7 years, 11 months ago
In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?
1. Timeline of an audit
2. How do you present the finding of your audit? What opinions do you usually give?
3. What kinds of controls is an organization most likely to miss?
-
Yu Ming Keung posted a new activity comment 7 years, 11 months ago
1 What are the key components of SAP change management controls you would expect the auditor to review? Why?
SAP change management is to help organizations determine what they need when they are managing change today, such as current challenges and opportunities, and how they integrate change management and training. Risks and business…
-
Yu Ming Keung posted a new activity comment 7 years, 12 months ago
Master data in an ERP system is highly integrated with various processes and affects many parts of the organization. How does an organization assure this integration works well for all?
ERP is the business process software that allows an organization to use a system of integrated applications by managing different modules such as finance,…
-
Yu Ming Keung posted a new activity comment 7 years, 12 months ago
Can’t agree more Abhay, compared to inaccuracies of data, redundancy of data is not that harmful from a business perspective because it just takes up more space in the database. It may take a longer time to rearrange the database but doesn’t hurt the business. Deeplali also brought up a good point that inaccurate data can affect the confidentiality,…
-
Yu Ming Keung posted a new activity comment 7 years, 12 months ago
Good post Fred,
If the payment process is handled by the wrong hands, companies may not be able to receive the correct payment because the transaction information is well sealed by the person. Segregation of duties is definitely an important control. I think the big transaction would need to be approved and need special care by upper management.
-
Yu Ming Keung posted a new activity comment 7 years, 12 months ago
Good point Paul,
Inaccurate data is absolutely the real danger for a publicly traded organization because investors or creditors would invest and do the research based on the annual/quarterly report. Inaccuracies of data can harm the business reputation and the trust / confidence with its investors. I think the Accounting department would have…
-
Yu Ming Keung posted a new activity comment 7 years, 12 months ago
Well put Priya, I agree that FS01 and FS02 are another critical area to pay more attention to during an audit, since a person can create fake transactions in these functions, and it would need more controls such as segregation of duties to mitigate the risk. It is important to ensure the transactions are approved and all input data is correct.
-
Yu Ming Keung posted a new activity comment 7 years, 12 months ago
Which transaction do you believe is the most ‘Sensitive’ and therefore should have extra focus in an SAT (Sensitive Access to Transaction) audit? Explain
I would think that FB01 (post document) or any manual journal posting transactions are the most sensitive transactions and would need more focus and to be secured in general. This function is to…
-
Yu Ming Keung posted a new activity comment 7 years, 12 months ago
2. Which department or person should play the key role in defining master data and assuring its quality?
After my research for master data, it is any information that is considered to play a key role in the core operation of a business. Master data may include data records about material master, clients and customers, employees, inventory, s…
-
Yu Ming Keung posted a new activity comment 7 years, 12 months ago
Which is more of a risk to a company: inaccurate data or excessive repetitive data? Explain
In my opinion, inaccurate data is definitely a bigger risk to harm and threaten a company. The first reason is that it affects the decision making of stakeholders including the company itself. Inaccurate data can cause faulty reporting that can hurt the…
-
Yu Ming Keung posted a new activity comment 8 years ago
NHS Trust Suspends Operations After Major Cyber Incident
An NHS foundation Trust suffered a major cyber-attack over the weekend and suspended all operations when they found out about the cyber-attack, which affected the operations of hospitals in three cities: Scunthorpe, Grimsby and Goole. They claimed that the virus infected its electronic system…
-
Yu Ming Keung posted a new activity comment 8 years ago
4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?
I would recommend every dynamic entity needs to ensure the data integrity by having clear and easy to follow…
-
Yu Ming Keung posted a new activity comment 8 years ago
Well put Joshua, I have never thought of the downside of segregation of duties. Instead of having one person doing all the things, you have to have two or more people performing different tasks, just for mitigating the risk of frauds or errors. I think that in small companies, who don’t have the ability to build a segregated environment, can…
-
Yu Ming Keung posted a new activity comment 8 years ago
Yulun, I also had similar competencies in my own response for this question. It is crucial for the security person in the company because you cannot assume that the security is enough to protect the company’s information. You always have to have a questioning mind and be curious of what can go wrong in IT security. People without skepticism tend to…
-
Yu Ming Keung posted a new activity comment 8 years ago
Hi Paul,
You have a very thoughtful response to the question, and I definitely agree with you. And I like how you compare segregation of duties to the 3-way match control in the procure to pay process. It is questionable and debatable that the three documents should be performed by one person or through three different departments. Having…
-
Yu Ming Keung posted a new activity comment 8 years ago
I agree with you Fred, user access to the system is a big concern when it comes to company turnover, switching vendors. It would be a big risk for system integrity if access still remains for the ones with expired permission. Having a clear access policy for employees to follow is a must to ensure the permission access is granted to the right…
-
Yu Ming Keung posted a new activity comment 8 years ago
Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain
To me, the most fuzzy, difficult to understand component is the security of ERP systems itself because the system is complex. There is an authorization process when the users log in to the system. There are concepts of a…
-
Yu Ming Keung posted a new activity comment 8 years ago
3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
I think the most important competencies for security people are professional skepticism and decision making ability. Skepticism is the attitude that includes a questioning mind, being alert to…
-
Yu Ming Keung posted a new activity comment 8 years ago
What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
According to ISACA, segregation of duties is the implementation of a division of roles and responsibilities that reduces the possibility for a single individual to compromise a critical process. Make sure that…
-
Yu Ming Keung posted a new activity comment 8 years ago
Hi Fangzhou,
Great post, I agree with you that spam phishing is widely affected because it targets a massive amount of email users. It is inexpensive, quite and convenient but the success rate is lower compared to spear phishing. Compared to spam, spear phishing may take a long time to modify the email for specific targets!