- As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
- As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
- Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
- How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
Kevin Berg says
2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
This is an interesting question because I have a Bachelor in accounting and associates in Computer Science. My title is Systems Analyst and part of my function is knowing our ERP system NAV 2013 R2 in and out which requires data mining across all functions including financial reporting. I believe all IT personnel need to have at least two accounting courses and 1 financial course. This would teach all of the basics of financial accounting so that processes involved in both departments are understood so that you know what is sensitive and how double entry accounting and reporting works. It has helped me immensely having a strong background in accounting for working with ERP and other systems related to our business.
Andres Galarza says
Kevin,
I’m glad to see a point that I made in my own response echoed in experience. IT people play a support function in virtually every business they are a part of. As a support function, they are only made stronger by understanding either the principal business functions and goals of their company, or equally important departments (such as Finance, in your example).
Lezlie Jiles says
Hi Kevin,
Well said… And I definitely agree with your statement. It is important for any cross function to have a good working knowledge of the other functions in order to adequately perform their required jobs. IT personnel play a vital role in all functions related to the business, so it is imperative that IT personnel have a strong understanding of the functions.
Kevin Berg says
3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
Currency rate fluctuation is a big thing for international companies so control over purchase orders would be greater possibly for inventory reasons. If another country’s currency takes a dive while yours is steady and strong you can take advantage of the lower currency exchange and over order. This could be tempting but it must also take into consideration what kind of material is being ordered. You don’t want to order too much glue that expires in a year so you should be sure it will be of high quality and has a long shelf life. Also you don’t want to sink too much cash into an asset that has a low turnover rate.
Binju Gaire says
Interesting points, Kevin. I agree with the currency rate fluctuation being a major differentiating factor between US and international companies. The lower exchange currency rates can be beneficial. Apart from the list you mentioned such as product expiry date and low turnover rate, other factors such as shipping price and delivery time can also be taken into consideration.
Kevin Berg says
4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
It is very important. One of the things IT controls is Permissions which is the number one important thing to understand. One of the most complex aspects of knowing systems is understanding the various ways different systems use permissions. For example, knowing how file server folder permissions is necessary to restrict unauthorized access to sensitive data. Every company has sensitive data, there are no exceptions. ERP systems are the same. They have sensitive data in them that needs to be locked down. Some ERP sensitive data includes Payroll, Contribution Margins, Profit Margins, Sales Figures, Salespeople Commissions and so on.
Every ERP system has its unique permissions. You need to be sure that shipping and receiving can’t see chart of account balances, HR is the only group with access to Payroll, manufacturing doesn’t see sales margins etc. Permissions need to be determined on a very granular level. This is where the complexity comes from depending on your organization.
My company doesn’t use the HR function in our ERP. We have a separate standalone computer that isn’t connected to our network that HR uses to do Payroll. We then outsource to ADP to calculate all the taxes and create our paychecks.
Michelangelo C. Collura says
Interesting to hear about the HR function being separated. Is this done for security reasons, segregation of duty, some cost saving? This stood out to me because it shows how ERP works for some companies in some processes, but it doesn’t necessarily fit for every situation. Regarding the permissions, I certainly agree, and I’d say that the IT people need to have very strong relationships with all departments – and solid lines of communication – in order to ensure appropriate permissions are granted.
Andres Galarza says
Sorry to pile on, Kevin, but I’d be interested in hearing more too. Is it a lack of trust in the ability to control access management? Does ERP system just do that particular business function poorly? Very curious.
Parneet Toor says
Good examples, Kevin. And I believe permissions are granted based on your role in the department which is defined in the job description by the Manager which is an IT control to avoid fraud.
M. Sarush Faruqi says
Kevin,
Great examples. As everyone else has said, it is quite interesting to hear about the HR function being completely separate from the rest of the network. I would imagine this is a security related measure to reduce the risk of a hacker getting access to resources on the network such as Payroll and manipulating or stealing information. I’m interested to hear about this from your perspective. As far as permissions, you are absolutely correct in saying that they are set to restrict unauthorized access to sensitive information. From my experience, this is done through role based access in which certain users are grouped together and given certain permissions based on the group they are in. The concept of least privilege is applied here to ensure that a user only has access to what their job requires of them.
Matthew J. Dampf says
“For example, knowing how file server folder permissions is necessary to restrict unauthorized access to sensitive data.”
This is the scenario I was thinking about as well – permissions, not just for file shares, but for everything, including physical access to systems.
A side benefit of IT knowing ERP controls well is that it serves as a best practices template for IT functions in general. ERPs like SAP are designed by people who know best practices inside and out, and knowing ERP controls can teach IT a few things about how they should be operating.
Khawlah Abdulaziz Alswailem says
1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
I would manage these risks by implementing strong controls like segregation of duties and least privilege control. By applying these controls accounting information will be only available to the accounting department and people who need it as a necessity to complete their jobs or make decisions. Financial records or accounting information would not be reached by the non-accounting/financial functions so that may minimize the risk of that exposing the company finances. Along with applying these controls, I would suggest having training classes or informative discussions with management within each department to explain and discuss common risks and its impact on other units.
Parneet Toor says
Great visualization about the controls. I agree training is very important among departments to keep employees informed and up-to-date regarding safeguarding controls and education of specific cross functional business flows in finance and non-finance areas. Also, training helps in knowing more about employee weak areas of knowledge during discussions and activities conducted by management.
Khawlah Abdulaziz Alswailem says
2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
I think it is important for IT personnel to have the basic skills and knowledge in understanding finance and accounting concepts. While it is not entirely their responsibility, information systems are there to support business functions, so it is necessary to understand what the functions and processes are. If they have this basic understanding, they will be not only able to strengthen the systems application but also be able to alter their support/maintenance to particular needs and requirements. Also, business knowledge can enable an IT professional to know where to look for fraud, understand the information system configuration and controls, and find the issues. If there is fraud suspected, then a basic understanding of accounting, finance, and the business operations will be a key to know where to look and what to look for.
Michelangelo C. Collura says
Knowing how the business works is definitely key to detecting fraud, and as you say, knowing about accounting (GAAP) would be a big help too. Since IT staff may not be that well-versed, I’d suggest they supplement their basic know-how with strong lines of communication with Finance and Accounting personnel.
Parneet Toor says
Great post, Khawlah, you have mentioned the fraud perspective of finance & accounting. I believe it is a fact that most frauds happen in finance & accounting because companies care about their financial position. I think basic knowledge of this area is important for IT personnel to understand finance/accounting terms for configuring business rules in the system. In addition, IT personnel must be trained for business flow and of sensitive areas to raise ‘Red Flags’.
Jing Jiang says
As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
First of all, I would like to know clearly about the responsibilities and roles so that I can reach the people to fix the problem. Segregation of duties is also important for the company to reduce the possibility of errors transferring from the non-financial functions to accounting records. In addition, monitoring such as physical counting, consistently checking the transactions, and periodic bank reconciliations can be effective ways to reduce human errors or fraud.
Michelangelo C. Collura says
Very good point about the physical counting and continuous checking of transactions. This did not occur to me, and I imagine many IT staff would immediately look for a technical solution, potentially forgetting these more basic yet powerful accountability methods.
Parneet Toor says
I agree with you, Jing. If I am responsible for finance & accounting department controls for my company, and to manage risk from non-financial function. Firstly, I would make sure on a continuous basis the effectiveness of the controls by regularly testing and sampling from different areas of this department.
Secondly, I would create access controls for finance and non-finance/accounting area. People will have role based access and limiting physical access to cross functional areas. Thirdly, I would have an audit trail to track logs. This will help in tracking the activities of people who and when update or entered the transactions into the system.
Andres Galarza says
Incredibly important point you raised about roles and responsibilities. I have found through personal experience how detrimental to progress it is if you don’t clearly define who owes what to who and when.
Mengting Li says
I agree with you. People should clearly understand what their roles and responsibilities are. Then, SOD definitely is a good way to reduce potential risks and frauds. Also, integrated access control to support SOD. Make sure people won’t get access to the system they don’t need.
Jing Jiang says
As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
I think IT personnel should at least know the basic finance and accounting knowledge such as different accounts names, how transactions influence corresponding accounts, what are in the income statement and balance sheet. However, if you know and learn more, it will be more helpful for an IT personnel to find potential risks or issues in the process, and it will help an IT personnel to do the work more effectively. In addition, it would become one of your strengths and make you more valuable to stay in a company.
Binju Gaire says
I agree with you, Jing. I liked the fact that IT personnel should know different account names. This is really important because there are different account names that are used in the system. And it is equally important for all accounts to be appropriately used. Any errors in using account names can be problematic. Hence, the IT personnel should have knowledge on different account names to avoid errors.
Michelangelo C. Collura says
As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
I believe segregation of duties would work within SAP, ensuring that only Finance/Accounting staff can modify those entries in the systems, while Sales personnel could modify the entries within those fields, as we saw in Assignment 2. Since IT staff would be monitoring SAP use by all staff, they would need to have a clear policy in place, allowing them to quickly identify the appropriate access to the appropriate people for a given transaction process. Training would be crucial for IT, as their dropping the ball on SoD would potentially jeopardize the work of all other departments. To add another level of safety, company-wide training should be implemented, encouraging all staff to “stay within their lane” and avoid messes.
Jing Jiang says
SoD is important to reduce potential fraud. Training is also a good way to standardize employees’ behavior and improve security awareness in a company. Checking the effectiveness of the training, such as by interviewing employees, is also important after each training. There is no 100 percent security. But the relative security needs the whole company to make an effort.
Michelangelo C. Collura says
As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
All IT staff should have some fundamental understanding of bookkeeping, knowing what belongs in Assets, in Liabilities, in O/E, and the need for balance at all times. They should know how to accurately report credits/debits. More specific knowledge would be expected in financially-focused firms, such as the Federal Reserve Bank system. To offset risk of excessive ignorance, IT staff should consult closely with Finance staff, especially during audits and ends of business cycles. Prompt and clear communication would be key when departmental knowledge is inadequate to the task.
Candace Nelson says
I like your phrase “risk of excessive ignorance” Michelangelo! It reminded me of the earlier days in my audit career when my colleagues and I would focus on financial process, regulatory compliance and operations audits and our IT peers would conduct separate technology audits. As opposed to addressing the technology aspects of each of the aforementioned audit types within the scope of the audit (e.g. conduct a T&E audit by looking at the controls over spending but also learning enough about the related system(s) to understand the most significant risks, such as access, general ledger mapping, interfaces, etc.). I believe that largely stemmed from the knowledge and skills each group of auditors possessed, which is what we were taught and how we were trained. A financial auditor was not expected to understand IT, and an IT auditor was not expected to understand Finance. Those days are over (which is the main reason I am pursuing this degree)!
The skills required of an IT professional generally don’t include finance and accounting 101. Therefore, it may be incumbent upon employers to ensure each of these groups (business and IT) have ample opportunities to learn about what the other does. Perhaps this could be accomplished via training, rotational assignments and tuition assistance programs.
Michelangelo C. Collura says
You’re putting yourself at the forefront of your peers, Candace, by boosting your skills with ITACS. I wish you the best in explaining why that means they need to pay you more after you graduate! 😀
Candace Nelson says
Haha Michelangelo – Thank you for the opportunity to LOL!
Fortunately, my new employer (of app. 3 months) values my educational pursuits more than my former employer did (hence former…). I have spoken with Senior Management at my current company about opportunities to shadow my IT counterparts in order to put my new found knowledge and skills to the test and they were very receptive to the idea.
Thank you also for the tip 😉
Michelangelo C. Collura says
Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
A purely domestic company would need to account for state or municipal laws affecting sales, so validity checks would need to be enacted to ensure proper tax information, prohibited substances, etc. This is also true for an international firm, but in that case, the controls would have an added layer of national guidelines for law, prohibitions, etc. Another control, used in both cases but differently, would be in accounting for business on national and/or religious holidays. In some cases, religious holidays would be identical to national holidays. Sometimes, there is some but not total overlap, and sometimes there is none at all. The restrictions on deliveries on Christmas in Arizona, for example, would not apply to deliveries on Rosh haShanah, but that would be reversed in Israel.
Michelangelo C. Collura says
How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
They would want to understand who makes what decisions in order to identify vulnerabilities or weaknesses in processes. This would require an understanding of how the ERP system delegates authorities and allows access to modify entries. Without knowing this, they would be unable to quickly address system errors from human mistake, fraud, etc.
Khawlah Abdulaziz Alswailem says
Rightly said, Michelangelo. Adding to your point, IT personnel also need basic ERP understanding for performing their own roles well. Knowing the risk-prone areas could help IT personnel manage the system better from a security controls perspective. It could also help in Disaster recovery planning as the person would be able to point out what data is critical and needs to be recovered in case of a major incident.
Parneet Toor says
Great post, Kevin and Khawlah. In today’s era, IT plays a very important role in the viability of the company and contributes to the success of the achievement of goals. Knowledge of ERP is an add-on to facilitate the flow of information when making business decisions. An ERP application is customized to collect and organize information from various departments to save time and cost. It also provides key performance indicators to management for making informed decisions. Hence, it is vital to have knowledge of ERP.
M. Sarush Faruqi says
Great point, everyone. I would like to add that people responsible for these IT General controls should have knowledge of what types of users use the system and for what purpose. An example that comes to mind for me is how an employee would use the system vs. their manager. While an employee will perform the day to day transactions, they might be restricted to complete ones which are high risk. In this case, a manager would have to approve high risk transactions based on the authorization they have. A manager might also use the system for tracking and monitoring purposes to see how many transactions certain employees do in a day or how many sales were done for reporting purposes to management. People responsible for IT General controls should know or have an idea of how such controls are implemented in an ERP System to learn about the use of it as an entire system.
Jing Jiang says
Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
International financial and accounting will deal with currency difference first because different countries would use different currencies. A company needs to determine an exchange rate because it is always changing. And the accounting department should record related transactions based on the exchange rate, and record corresponding gains and losses based on the exchange rate fluctuations.
The company may also need to deal with different principles in the foreign country, which requires a consolidated financial statement to transfer foreign financial statement to U.S. GAAP.
Matthew J. Dampf says
Just to add onto this, tax liabilities could be different for the transactions being conducted as well. Two different transactions conducted by the same two companies could have different tax implications depending on the country that the process originated in, regardless of where they’re headquartered.
Parneet Toor says
Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
For an international company, foreign exchange control is crucial because they want some sort of assurance or proof that the exporting company will be paid on time, at contract price rate, by the importing company. On the other hand domestic companies are protected by US import controls regarding the payments.
Compliance Control: Every country has different rules and regulations regarding import and export business. So before entering into such business must ensure company is eligible to do business.
Example: India has GST tax for doing export business.
Easy compliance: A robust and comprehensive IT system would be the foundation of the GST regime in India. Therefore, all tax payer services such as registrations, returns, payments, etc. would be available to the taxpayers online, which would make compliance easy and transparent.
At the Central level, the following taxes are being subsumed:
1. Central Excise Duty,
2. Additional Excise Duty,
3. Service Tax,
4. Additional Customs Duty commonly known as Countervailing Duty, and
5. Special Additional Duty of Customs.
At the State level, the following taxes are being subsumed:
1. Subsuming of State Value Added Tax/Sales Tax,
2. Entertainment Tax (other than the tax levied by the local bodies), Central Sales Tax (levied by the Centre and collected by the States),
3. Octroi and Entry tax,
4. Purchase Tax,
5. Luxury tax, and
6. Taxes on lottery, betting and gambling.
Khawlah Abdulaziz Alswailem says
Good explanation, Parneet. In addition to your point, the billing/invoice process may be different internationally when compared to domestic policy in the US. Domestic policy allows the issue of an invoice at each individual purchase made, or at the end of a billing cycle (i.e. cellphone, electricity, water, etc.). Nations outside the US may have specific regulations in place regarding billing and invoice issue. A country may have a policy that no charge can be placed until an actual transfer of goods/services occurs, so the ERP system would have to implement a control to make sure the invoice is not issued until the order is fulfilled completely.
Khawlah Abdulaziz Alswailem says
4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server, and database security) to know about how the ERP system works? What is one (1) specific thing they should know?
I think that knowing about ERP systems is a very good skill to have as a person responsible for general IT controls; however, I do not feel that they need to be an expert in the area. One important thing they should know about the ERP system is the patches and updates provided by the software provider. They should be aware of all updates and provide a safe and secure network environment. They should be up to date on current threats that target the ERP system and make sure the preventative measures are in place.
M. Sarush Faruqi says
Khawlah,
Great point about being aware of patch updates. At my employer, I receive push notifications that a patch update is needed and am given the option to restart now or later. I delay as much as possible but regular patch updates are very important. People responsible for IT/General controls should know about updates because a lot of vulnerabilities are resolved when updates are done. This acts as a control to keep the environment as secure as possible. Personnel should seek knowledge about how the patch is applied and what it contains in terms of updates. This way, they will have an idea how secure the specific ERP system is and what improvements are needed. I agree with you that they do not need to be an expert in one area because there are a lot of applications and environments to look after within the company but a general idea of what has been done to an ERP system, what is being done, and potentially what is going to be done will go a long way when it comes time for an audit.
Andres Galarza says
Q1: As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
I’d lean on my audit counterparts and expect that logging of system transactions is enshrined in some sort of management-support policy and appropriate standards. The reality is that different departments have competing priorities. If Accounting/Finance needs to ensure the accuracy of records produced by Shipping or Human Resources, then they need to verify on a regular basis.
Andres Galarza says
Q2: As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn?
This is a great foundational question, because I believe the answer applies to the IT profession in many industries. IT is a support profession. The more knowledgeable your IT people can become about the core business goals and functions, the better they can place their department within the context of the actual business.
This isn’t meant to disrespect the important role that IT obviously plays in virtually every business. It’s to emphasize the need for a support department to understand what their business actually does. It can only make them a stronger IT department.
Yijiang Li says
As you said, understanding the different business goals and objectives across different departments within an organization is important, however, some basic Finance/Accounting knowledge is always required. For example, what are the major differences between Income Statement and Balance Sheet? Or what kind of companies should apply GAAP, and who should apply IFRS?
Andres Galarza says
Q4: How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and database security) to know about how the ERP system works? What is one (1) specific thing they should know?
SAP doesn’t operate in a bubble. It may have a majority of its end-users outside of the IT department, but it’s still operating on workstations and networks that are owned and managed by IT.
I would say the one thing that IT absolutely needs to know is where and how SAP logs are stored. This would be critical when issues pop off or an audit comes around.
Binju Gaire says
Great points, Andres. IT personnel should be aware of SAP logs and where they are stored. IT personnel not only provide supporting functions in an organization, but also serve as resources for the audit department for questions/concerns relating to the SAP system.
Candace Nelson says
2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
In order for an IT employee to adequately support an ERP system that impacts financial reporting, they need to understand the nature of information being processed, the source of such data, and the path it follows through various modules before being recorded in the general ledger. As an example, I was once involved in an SAP implementation on behalf of the accounting department of a utility company. Both employees and consultants (predominantly IT professionals, hereinafter “integrators”) assisted with this project that took well over 1 ½ years to complete.
Before it could be determined how SAP would function, the integrators needed to understand how the existing systems processed information to ensure a seamless transition. This required countless meetings, ongoing communications and shared accountability between IT and process owners throughout the enterprise in order for sufficient knowledge to be transferred about the business functions and the reliance on technology. In some cases, SAP modules were replacing activities that were being performed manually, so the integrators needed to determine how to automate these tasks. In other instances, SAP was replacing applications that did not interface with the existing financial reporting system, so the automation needed to be jointly developed. In order for the project to succeed (which it did), IT and the business needed to be partners, and the integrators needed to know nearly as much about the business as the process owners did.
Once the system went live, IT needed to continue learning about the business processes they served in order to do so effectively, while maintaining awareness of how technological advances could support achievement of business objectives, as well as the potential impact of emerging risks.
Andres Galarza says
What a cliffhanger! Was the implementation successful? It sounds like a lot of the “proper” groundwork was laid to ensure this project was successful.
Candace Nelson says
Hi Andres –
Yes, the implementation was successful which is a very good thing since it was the company’s Y2K solution AND they spent over $100M on it! I left the employ of that company back in 2005, but they still utilize SAP which is an indication that things were done correctly! That is one reason I am enjoying our tasks in SAP because I used to work with the system regularly and enjoyed the ability to drill down into the depths of transactions (data junkie that I am) 🙂
Thank you for asking!
Candace Nelson says
4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
Common IT general controls (“ITGC’s”) include:
• Logical access
• System development life cycle
• Change management
• Physical security (e.g. data centers)
• Backup and recovery
• Computer operation
An inherent risk associated with each of these functions is inadequately segregated duties. It is important for conflicting duties within each of the aforementioned activities to be segregated. It is also important for the persons responsible for ITGC’s to understand the types of business functions that are incompatible, e.g. employees should not be able to approve the journal entries that they input.
Andres Galarza says
Candace,
That’s a good list of controls. I like that you went beyond saying something like, “Segregation of Duties” and listed some items that would have concrete requirements.
M. Sarush Faruqi says
Candace,
Great post. Your list of IT/General Controls is on point. It is important for personnel who support the IT/General controls to know about the workings of an ERP system because this type of system uses a lot of these general controls. In addition to what you mentioned about segregation of duties, I would like to add that an ERP system might be broken down into views for certain users to see. For example, the view that the Purchasing Department can see is different than the view that the Sales Department can see in SAP. I’m assuming this would fall in line with access control but the concept is similar to Logical Access. People responsible for these controls should also know how an ERP system is designed in terms of architecture and where the data is stored once a transaction is completed.
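The segregation-of-duties rule discussed in the posts above (nobody approves the journal entries they input) can be checked two ways: against granted access and against what was actually posted. The sketch below is an added example, not part of any participant's post; the permission names, user IDs and journal entries are constructed for illustration and do not correspond to real SAP authorization objects.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed permission names; a real ERP uses its own authorization objects.
CONFLICTS = [
    ("JE_ENTER", "JE_APPROVE"),      # input vs. approval of journal entries
    ("PO_CREATE", "GOODS_RECEIPT"),  # hypothetical purchasing pair
]

# Constructed role assignments: user ID -> permissions granted.
ASSIGNMENTS = {
    "akim": {"JE_ENTER"},
    "bross": {"JE_APPROVE"},
    "cdiaz": {"JE_ENTER", "JE_APPROVE"},
    "dlee": {"PO_CREATE", "GOODS_RECEIPT", "JE_ENTER"},
}


@dataclass(frozen=True)
class JournalEntry:
    doc_no: str
    entered_by: str
    approved_by: Optional[str]  # None means no approver was recorded


# Constructed sample of posted entries.
ENTRIES = [
    JournalEntry("JE-1001", "akim", "bross"),
    JournalEntry("JE-1002", "cdiaz", "CDIAZ "),  # same person, different casing
    JournalEntry("JE-1003", "akim", None),
    JournalEntry("JE-1004", "dlee", "cdiaz"),
]


def norm(user):
    """Normalize a user ID so casing or stray spaces cannot hide a match."""
    return user.strip().casefold()


def access_conflicts(assignments, conflicts):
    """Preventive view: users whose granted permissions contain a conflicting pair."""
    findings = []
    for user in sorted(assignments):
        perms = assignments[user]
        for a, b in conflicts:
            if a in perms and b in perms:
                findings.append((user, a, b))
    return findings


def review_entries(entries):
    """Detective view: entries with no approver or approved by their own author."""
    findings = []
    for e in entries:
        if e.approved_by is None or not e.approved_by.strip():
            findings.append((e.doc_no, "no approver"))
        elif norm(e.entered_by) == norm(e.approved_by):
            findings.append((e.doc_no, "self-approved"))
    return findings


if __name__ == "__main__":
    for user, a, b in access_conflicts(ASSIGNMENTS, CONFLICTS):
        print(f"access conflict: {user} holds {a} and {b}")
    for doc_no, reason in review_entries(ENTRIES):
        print(f"entry finding: {doc_no} ({reason})")
```

The access check reports what a user could do, while the entry review reports what actually happened, so an auditor would normally run both.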
Xiaomin Dong says
1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
If I were responsible for Finance / Accounting controls, Segregation of Duties (SoD) would be an integral part of coping with the risks coming from non-financial function jobs. Through reasonable Segregation of Duties, each position has a job description that makes its province clear. Accordingly, for those non-financial personnel who are involved with ERP systems to perform finance or accounting related processes, the Finance / Accounting department could give them the necessary financial knowledge through targeted training, workshops, etc.; making sure those personnel are well trained is important as well. Besides, once those non-financial personnel become involved with finance or accounting related business processes, they should be adequately informed of the vulnerabilities they represent to the Finance or Accounting department so as to raise their security awareness and mitigate the risks that may come from them.
Yijiang Li says
I agree with you, Xiaomin. Segregation of Duties (SoD) is always a critical principle for dealing with potential risks. For these non-Financial function jobs, SoD would be quite efficient because it is able to assign a more suitable person to complete the corresponding work. Second, some basic finance/accounting knowledge is enough to fulfill this work; therefore, it doesn’t have to be finance/accounting professionals who do it, so our control measures are easier to manage.
Xiaomin Dong says
2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
I think IT personnel supporting business applications should know basic accounting and finance concepts. Accounting is the language of business, and being able to analyze financial statements is important. Just like in our assignments, without any accountant background it would be difficult for us to get the debits and credits on the general entries correct.
Qiyu Chen says
I agree with you. I also believe the IT personnel supporting business applications should have a general understanding of finance and accounting in the process of the business function. Even though it is not their entire / assigned responsibility, basic accounting / finance knowledge allows them to better serve and support the business objectives from the IT function perspective.
Xiaomin Dong says
3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
In the US, we follow GAAP as the accounting standard, while IFRS is the accounting standard used in over 110 countries around the world. GAAP is considered a more “rules based” system of accounting, while IFRS is more “principles based.”
Government regulations and tax rates also vary by country. For example, in China, there is no sales tax or property tax. It’s very important to have a basic understanding of that foreign country’s culture and its way of doing business.
In addition, for an international company, the exchange rate can also be hard to control because it fluctuates.
Qiyu Chen says
I agree with you. In the United States, the federal securities laws require all US publicly held companies to file reports with the SEC and to submit financial statements that are accurate, truthful and complete and prepared according to a set of accounting standards called Generally Accepted Accounting Principles (GAAP). International companies also have to follow different accounting rules and reporting standards based in different countries such as IRS. Sales tax in the US is a regulation, so domestic companies have to include sales tax in their sales, billing and invoices generated. Multinational companies operating in different countries would have to follow different regulations in different countries and may or may not have to include sales tax.
Xiaomin Dong says
4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
IT is driving business growth and it is now part of corporations. One of the main goals of ERP is to facilitate the flow of information so business decisions can be data-driven. ERP software suites are built to collect and organize data from various levels of an organization to provide management with insight into key performance indicators in real time. SAP is the most commonly used ERP software and people responsible for general I/T controls need to know how it works.
Candace Nelson says
Very good points Xiaomin –
Calls to mind the fact that IT also needs to know a company’s strategic (long term) and short term objectives as I learned in IT Governance. IT is a cost center and cannot operate in a vacuum. The IT objectives need to be aligned with overall business in order for a company to function effectively and efficiently. While this does not guarantee profitability, it certainly increases the likelihood that business objectives will be achieved!
Qiyu Chen says
Good point. It is important for the general I/T people to know how the ERP system works in order to implement effective controls to ensure the credentials, integrity, and availability of the ERP system. With the development of hacking techniques, the relevant people should know the latest knowledge about hacking techniques to protect the ERP from attack.
Lezlie Jiles says
1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
If I were responsible for Finance/Accounting controls within my company, I would manage the risks coming from non-Financial function jobs by implementing SoD and limitation of access, and by monitoring GR/IR accounts, ensuring that no non-financial job functions have access to the material master data. I would also implement a process whereby the non-financial functions would have to go through departmental approvals to obtain access/information not related to their direct job function. I think that the best two controls here are SoD and limitation of access. These controls ensure that the integrity of our systems is being safeguarded, and to further the insurance of integrity for these implemented processes and controls I would make sure training is provided to all necessary employees. Training is also an important part of making sure everyone is on the same accord, thereby informing non-financial function positions of how to go about requesting a change, and the importance of protecting the material master data.
M. Sarush Faruqi says
As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
From an accounting perspective, IT personnel supporting business applications should take the Basics of Financial Accounting class or Accounting 101 at the very least. The amount of accounting knowledge applied would vary depending on the role and application they support, but all IT personnel should be familiar with the accounting equation, assets, liabilities, stockholder’s equity, the accounting financial statements, and reporting standards/regulations. In my experience, IT personnel supporting business applications at the Production Support level should have more knowledge than others since they will interact with the end user on the most consistent basis. When the end user explains a specific issue they are facing, either verbally or in writing, IT personnel should be able to decipher what is being said if any accounting terms or concepts are used or explained. In this way, they can understand the issue and potentially identify what the problem might be much more quickly. If any concepts need to be cleared with other IT personnel such as developers or QA, these IT personnel would be able to explain what is going on to them and clear any misunderstandings. From a business process standpoint, knowledge of accounting would be beneficial to know how the various steps in the process are affected.
Lezlie Jiles says
2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
It would be in their best interest to have at the minimum a basic knowledge of accounting. I believe it is important for IT personnel to at least know the difference between a debit and a credit, as well as how to “T” up an accounting equation. In order for someone to be able to support the business applications, they must have a clear understanding of the expected outcomes. Without that understanding, IT personnel cannot be expected to truly support the business application while maintaining the integrity and accuracy of the system.
Take, for instance, a department that needed assistance with a glitch found in the “Check the status of various accounts”. IT personnel would definitely need to have an understanding of what the expected outcome would need to be in order to address the system’s issue.
Matthew J. Dampf says
“If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?”
I think the most important thing is leadership – having someone in charge of these non-Financial departments that understands the big picture and how these roles fill a critical need for the company. The rank-and-file employees won’t necessarily get it, but they can definitely be led by someone who does. The control environment should be set up at a higher level than the department, likely by someone in a similar role as mine in this scenario. If overall company leadership is strong, I should have confidence that my contemporaries in other departments share my concerns about how their departments are performing.
Binju Gaire says
I agree with you, Matthew. Leadership is critical in managing the risks coming from these non-Financial function jobs. It is not necessary that the company leader should be an expert in all the functions. However, if he/she demonstrates good leadership styles by working on the concerns shared by non-Financial departments in an effective way, then no problems regarding risk management should arise.
Lezlie Jiles says
3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples
A domestic company operates within the US and is governed by the US security regulations, and its financial reporting is created according to the GAAP. On the other hand, an international company conducts business in both the US and other countries. Where they are geographically would determine what regulations they must follow. An international company would need controls such as embargo checks and export/import licenses, and if they are outside of the US their financial reporting is driven by International Financial Reporting Standard (IFRS).
Lezlie Jiles says
4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
In my opinion, I believe it is very important for personnel responsible for general IT controls to have a vast knowledge of how the ERP system works. Take, for instance, the controls related to database security. If IT personnel’s purpose is to protect the confidentiality, integrity, and availability of the ERP system, they would need to clearly and quickly identify the unauthorized activity or misuse by database users. However, they cannot accomplish this expected function without having a clear understanding of how the system works. I would think they wouldn’t know what to look for, therefore leaving the system open to malicious activities.
Binju Gaire says
Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
Controls to financial and accounting processes can vary depending upon US company and international company. The compliance need is a good example in differentiating controls of a purely domestic US company vs. an international company. US companies are required to be compliant with GAAP, GASB, FASB and other regulatory standards. However, international companies are required to be compliant with the standards that are established by their own country’s accounting board.
Yijiang Li says
Good point, Binju. In the United States, all companies have to generate their financial statements based on the requirements of Generally Accepted Accounting Principles (GAAP). However, most international companies are doing business around the world; therefore, an international common standard is very important, and that is International Financial Reporting Standards (IFRS). Understanding the difference between GAAP and IFRS would help an international company do business smoothly.
Qiyu Chen says
1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
If I’m responsible for Finance/Accounting controls for my company, the first thing I would do is identify the risks coming from the non-Financial function jobs. For example, within the P2P process, the shipping process carries the risk of damaging or losing packages. Moreover, both the P2P and OTC processes carry the potential risk that the system may be cyber attacked. To mitigate the risks, effective controls are necessary.
Before implementing specific controls, I will evaluate the damage and frequency of the risks and identify which types of risks they are, and which types of controls can mitigate the risks. Furthermore, from finance and accounting’s perspective, balancing the cost and benefit of the controls is very important. If the company is a new start-up company, maybe transferring the risks to a third party, such as by purchasing insurance, is an alternative choice for the decision maker. But if it’s a major public company with valuable information assets, the high level perspective controls like Firewall and antivirus software are necessary.
Qiyu Chen says
Question 2: As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
Generally, IT personnel already have technical skills in cyber areas, but for supporting business applications, they should also learn the basic concepts of finance and accounting so that they can have a basic understanding of business. As IT personnel, they might not need to learn very specific knowledge of finance and accounting, but they do need to understand some general ideas.
More importantly, the business is about maximizing the benefit of shareholders and maintaining the profitability of the company. To achieve this purpose, upper management needs to make good decisions based on the gathered information. Therefore, it’s very important that IT personnel support business applications with an understanding of finance and accounting, because this can better help them develop the IT system to support the managers’ decision making.
Edward Gudusky says
1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
I would ensure that non-financial user accounts are properly configured so that they will not have access to any of the financial screens or be able to change any finance related settings. If a user account does not have permission to modify any sort of financial setting or transaction, then the risk of unauthorized access will be minimal.
Edward Gudusky says
2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
I think IT personnel that need to support these business applications should have at least some basic finance/accounting knowledge. Not every IT person will be finance minded, and that’s ok, but IT people with some finance/accounting education would be stronger candidates for the jobs where business applications require support.
Edward Gudusky says
4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
It is pretty important that people responsible for IT controls should know about the ERP system in their business. They do not need to be experts in how to use the ERP system, but need to know enough about who needs to access what parts of the system and how to properly and securely grant or deny access to users in specific parts of the system.
Yijiang Li says
Good example, Edward. Access control is an essential responsibility for IT personnel, especially for system administrators. All data stored in the ERP system are critical and core information for any organization; therefore, access control could be quite an important security measure to protect the data in the ERP system.
Mengting Li says
I agree with you. There are more than 20000+ types of tables in the ERP system. There is massive data and information in the ERP system. Therefore, protecting information and data security is a very important job for IT personnel, who need to know how to secure information in the ERP system.
Edward Gudusky says
3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
I have more of an IT background, so my first thought about what kind of control might be different internationally from a purely domestic US company comes to data center access and security. In an international company, the data center location and security is more of a concern than in a purely domestic US company. An international company’s home location may be the US but have the majority of its locations overseas. If the data center is located in the US, the network security will need to be configured differently than if the entire company was located in the US so that external country IP addresses can access the data. This is a difficult task as many other countries have different ISP requirements.
Yijiang Li says
2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
For both regular business processes and ERP systems, Accounting/Finance function is always a required module. Therefore, understanding of basic finance and accounting knowledge will help IT personnel support business applications better.
Initially, it is necessary for IT personnel supporting business applications to learn about some basic differences in concepts between the Income Statement (IS) and the Balance Sheet (BS), because it would help them recognize potential mistakes when the system is generating the transaction records. Second, figuring out some specific items of the Balance Sheet is also required, such as Bank Account (Cash), Account Payable, and Account Receivable, because all of them are core accounts that are relevant to every single transaction that occurs in the system.
Mengting Li says
Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
Coordinating and controlling worldwide operations can be complicated by the legal and economic systems specific to each country. Therefore, validity checks would be very important to make sure they meet the rules in other countries. Programmed check of data in accordance with predetermined criteria / logic, business rules.
Mengting Li says
As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
I have my Bachelor in accounting. When we learn about business processes and ERP systems we often discuss financial or account related terms and concepts. I don’t think IT people need to know accounting and finance knowledge as much as people who are majoring in accounting or finance. Some basic accounting and finance understanding could help IT people not only know how to implement ERP systems but also it helps IT people understand what’s going on in this system better.