- As we’ve seen in the P2P and OTC processes, many different, often non-financial, business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company, how would you manage the risks coming from these non-financial function jobs?
- As we continue to learn about business processes and ERP systems, we often discuss financial or accounting-related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain.
- Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
- How important is it for people responsible for general IT controls (e.g. network, workstation, server and database security) to know how the ERP system works? What is one (1) specific thing they should know?
Imran Jordan Kharabsheh says
1. If I were placed in a position that involved managing the risks associated with non-financial functions, I would prioritize the creation of a list that detailed the impact and likelihood of occurrence for as many of the risks as are worth managing. The business processes primarily focused on for this list would include the delivery phase and the administrative parts of the billing phase, such as the follow-up on credit/debit memos. The methods I would use to go about mitigating risks such as these would include automation for all things administrative that could have unintended effects on the business functions. I would also provide proper guidelines, training and enforcement of policy for all those working the delivery portion of our business functions, so as to avoid any mishaps that may affect inventory.
2. Taking into account my own experiences with both the finance and internal audit departments, I have found that there is always knowledge that can only be learned through first-hand experience. But if I had to place a minimum requirement for financial knowledge before the price of training becomes too steep, I would place the floor at an associate’s level, or be willing to accept the business accounting credits associated with a business administration bachelor’s degree.
3. When considering the differences in financial controls between purely domestic companies and companies with an international presence, we must acknowledge the significantly wider scope of business-related activities that international companies also take into consideration. An example of an essential control that needs to be implemented for international companies is strict adherence to the international trade laws of all countries operated within. Another prominent control that you don’t often see in domestic companies, but that is essential in international companies, is an automated currency management system directly linked to each country’s central banking system.
4. I think it is critical to the business’s security, and definitely in its best interest, for the company to train those responsible for IT controls on how ERP systems work and function. The primary reason I say this is that those responsible for IT controls need some understanding of the processes they technically can have access to, so as to instill a sense of responsibility and give them the tools to understand and create business solutions. An example of an essential bit of knowledge that a person responsible for IT controls should have is the document flow and automated pathing in the P2P and OTC processes of ERP systems.
Imran Jordan Kharabsheh says
To better explain my second response, I feel it might help if people knew a bit more about my previous experience with finance and internal audit departments. During the summer of my sophomore year, while I was still completing my undergraduate degree, I took on an internship at an investment bank with the primary role of an internal auditor. While working there, I was tasked with running the audit tests and creating the reports for three departments: Finance, Asset Management, and Sharia Compliance. The two departments I spent the most time with were the Finance department, followed shortly by the Asset Management department. After revisiting some of the notes I took during my university-level accounting and finance courses, I found that I had a significantly easier time checking for compliance in the documents provided and the tests I ran.
Rouying Tang says
Nice explanation, Kharabsheh. Your experience supports the point well that an associate’s-level business administration background is helpful for IT personnel who support business applications.
Penghui Ai says
1. The most important mitigation is to segregate duties to limit the authorization between non-financial and financial entries. To ensure safe use, employees should only be given access to manipulate data in their corresponding departments. Finance employees should be given the authorization to manipulate pricing and reporting items, while marketing and sales employees should not be given authorization to touch the accounting records. Therefore, the sales employees cannot change the accounting records to increase their commissions.
2. IT personnel should know all the financial statement items and the related codes. Since they do not have to deal with real accounting activities, these employees do not have to create different accounting terms, but they should have a relative understanding of how the items in SAP interact with each other. Since IT personnel are mainly responsible for maintaining and ensuring the continued use of the system, their knowledge does not have to mirror the expertise of accounting and finance.
3. First, different accounting regulations are required by different countries. For example, most domestic companies use GAAP, while IFRS is usually used by European countries. Therefore, the controls based on different accounting policies could be different, such as FIFO and LIFO for inventory policy.
The second example is the standard of documentation. It is easy for a purely domestic US company to maintain its documentation in a standardized way, but it is hard for an international company to standardize its documentation given the different policies, formats, and languages in different countries.
4. It is important for people responsible for general IT controls to know how to use the ERP system to manage the authorization for each person. For example, when new employees or senior managers come into their positions, the authorization should be changed at that time. In addition, when auditors do their auditing job, they should know whether the segregation of duties is done in a reasonable and acceptable way.
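The segregation-of-duties and joiner/mover points above can be expressed as a small, runnable check over an ERP role assignment table. This is an added example, not code from the original discussion or from any ERP vendor; the role names (`create_sales_order`, `post_journal_entry`, `release_vendor_payment`, and so on), the conflict matrix and the user list are constructed assumptions for illustration, standing in for a real system’s authorization objects or transaction codes.

```python
"""Segregation-of-duties (SoD) checks over an ERP role assignment table.

Added example (not from the original discussion). The role names, the conflict
matrix and the user list are constructed for illustration; a real ERP uses its
own authorization objects / transaction codes.
"""
from itertools import combinations

# Hypothetical conflict matrix: each pair is a combination one person must not
# hold, because holding both lets a single user both originate and approve or
# record a transaction (e.g. a sales user editing accounting records to raise
# their own commission).
SOD_CONFLICTS = frozenset({
    frozenset({"create_sales_order", "post_journal_entry"}),
    frozenset({"create_sales_order", "maintain_commission_rates"}),
    frozenset({"maintain_vendor_master", "release_vendor_payment"}),
    frozenset({"enter_vendor_invoice", "release_vendor_payment"}),
    frozenset({"post_goods_receipt", "enter_vendor_invoice"}),
})

# Constructed sample assignments: user -> set of roles currently granted.
ASSIGNMENTS = {
    "alice.sales": {"create_sales_order", "display_customer"},
    "bob.finance": {"post_journal_entry", "maintain_commission_rates"},
    "carol.ap":    {"enter_vendor_invoice", "release_vendor_payment"},
    "dave.moved":  {"create_sales_order", "post_journal_entry"},  # kept an old role after a transfer
}


def find_sod_violations(assignments, conflicts=SOD_CONFLICTS):
    """Detective control: return sorted (user, role_a, role_b) for every conflicting pair a user holds."""
    violations = []
    for user, roles in assignments.items():
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in conflicts:
                violations.append((user, a, b))
    return sorted(violations)


def is_authorized(assignments, user, role):
    """Least-privilege check: an action is allowed only through a role explicitly granted to the user."""
    return role in assignments.get(user, set())


def would_violate(assignments, user, new_role, conflicts=SOD_CONFLICTS):
    """Preventive control: roles the user already holds that would conflict with new_role."""
    return sorted(r for r in assignments.get(user, set())
                  if frozenset({r, new_role}) in conflicts)


def transfer_user(assignments, user, new_roles, conflicts=SOD_CONFLICTS):
    """Mover control: on a job change, replace (do not accumulate) the user's roles.

    Returns (updated_assignments, revoked_roles, violations_after) so the change
    can be logged and reviewed. The input table is not modified.
    """
    updated = {u: set(r) for u, r in assignments.items()}
    old = updated.get(user, set())
    new = set(new_roles)
    updated[user] = new
    revoked = sorted(old - new)
    return updated, revoked, find_sod_violations({user: new}, conflicts)


if __name__ == "__main__":
    for user, a, b in find_sod_violations(ASSIGNMENTS):
        print(f"SoD violation: {user} holds both {a} and {b}")
    print("alice may post journal entries:",
          is_authorized(ASSIGNMENTS, "alice.sales", "post_journal_entry"))
    print("granting alice maintain_commission_rates would conflict with:",
          would_violate(ASSIGNMENTS, "alice.sales", "maintain_commission_rates"))
    updated, revoked, after = transfer_user(ASSIGNMENTS, "dave.moved", {"post_journal_entry"})
    print("dave transferred; revoked:", revoked, "remaining violations:", after)
```

Run as a script it lists the two users who hold conflicting pairs (carol.ap and dave.moved), shows the preventive check refusing a grant that would create a conflict, and shows the transfer helper revoking the stale sales role so the finance move no longer violates the matrix. The conflict set is the part that has to come from the finance control owner, not from IT.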
Haitao Huang says
Hi Ai, great point on the ERP system controls. I would like to add to your point that it is also important for the IT security personnel to understand how the ERP system generates and maintains the audit trail. The audit trail is critical in resolving issues and establishing responsibility. The audit trail should be configured with a read-only attribute and stored in a secure location.
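One way to make the read-only, securely stored audit trail described above verifiable rather than just a file permission is a hash-chained, append-only log: each record commits to the hash of the one before it, so editing or deleting an earlier record breaks every hash after it. The following is an added example, not code from the original discussion and not how any particular ERP implements its change log; the record fields, user names and sample postings are constructed for illustration.

```python
"""Tamper-evident ERP audit trail: a hash-chained, append-only record list.

Added example, not from the original discussion. Record layout, users and
sample postings are constructed assumptions.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # hash "before" the first record


def _canonical(obj):
    # Deterministic serialisation so the same record always hashes the same.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _record_hash(prev_hash, seq, payload):
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(_canonical({"seq": seq, "payload": payload}))
    return h.hexdigest()


def append_entry(chain, user, action, document, details):
    """Append one audit record whose hash covers its predecessor's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    payload = {"user": user, "action": action, "document": document,
               "details": details, "ts": datetime.now(timezone.utc).isoformat()}
    record = {"seq": seq, "prev": prev, "payload": payload,
              "hash": _record_hash(prev, seq, payload)}
    chain.append(record)
    return record


def verify_chain(chain):
    """Return (True, None) if every record links and hashes correctly,
    otherwise (False, seq) for the first record that does not."""
    prev = GENESIS
    for expected_seq, rec in enumerate(chain):
        if rec["seq"] != expected_seq or rec["prev"] != prev:
            return False, rec["seq"]           # deleted or reordered record
        if _record_hash(prev, rec["seq"], rec["payload"]) != rec["hash"]:
            return False, rec["seq"]           # edited record
        prev = rec["hash"]
    return True, None


def head_hash(chain):
    """Hash of the newest record. Copy this to a system the ERP admins cannot write
    (separate log server, WORM storage); comparing against that copy is what
    detects truncation of the tail, which the chain alone cannot."""
    return chain[-1]["hash"] if chain else GENESIS


def build_sample_chain():
    """Constructed sample: three postings across the P2P/OTC flow."""
    chain = []
    append_entry(chain, "alice.sales", "CREATE", "SO-1001", {"customer": "C-77", "amount": 1250.00})
    append_entry(chain, "carol.ap", "POST", "INV-2001", {"vendor": "V-12", "amount": 980.50})
    append_entry(chain, "bob.finance", "RELEASE", "PAY-3001", {"invoice": "INV-2001"})
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    anchored = head_hash(chain)
    print("intact:", verify_chain(chain))
    chain[1]["payload"]["details"]["amount"] = 98050.00   # insider edits a posted amount
    print("after edit:", verify_chain(chain))
    chain = build_sample_chain()
    del chain[1]                                          # insider deletes a posting
    print("after delete:", verify_chain(chain))
    chain = build_sample_chain()
    chain.pop()                                           # insider truncates the tail
    print("after truncation:", verify_chain(chain), "head matches anchor:", head_hash(chain) == anchored)
```

The last case is the caveat worth knowing: a hash chain detects edits and deletions in the middle, but not removal of the newest records, so the head hash has to be anchored somewhere the people who administer the ERP cannot change it.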
Yuan Liu says
1. I think the company should build quantitative risk indicators that can be monitored to ensure the company’s tolerance of risk is not breached. This includes the history of operational losses as the basis for capital quantification. At the same time, they should build a record policy to show incidents and near misses, and their impact in terms of financial losses or capital implications. The report should analyze the causes of such incidents, state what lessons have been learned, and indicate where similar incidents might occur elsewhere in the organization. This process can be augmented by scenario analysis. At the same time, there should be a system to show the status of efforts to reduce risks, which can be better controls or business adjustments. The main idea of the management of risk control is that we should find risk and evaluate it, then know how to prevent it from happening.
2. I think IT auditors should understand all the financial statements as a basic skill. As we know, the ERP system is the integrated management of core business processes, often in real time and mediated by software and technology. Business processes can be shown on the financial statements, even the company’s financial status. IT auditors should know how to analyze and make financial statements. Auditors put physical invoice tracks in the system to show the company’s running process. If auditors can understand the financial statements, it would help them understand the company’s operations better and more clearly.
3. U.S. domestic companies operate mostly within the United States. They may import supplies or export products, but these activities normally represent a comparatively small share of total business activity. Domestic companies are typically governed by U.S. securities laws. Their financial reports are normally constructed according to generally accepted accounting principles (GAAP). When considering the differences in financial controls between purely domestic companies and companies with an international presence, we must acknowledge the significantly wider scope of business-related activities that international companies also take into consideration. An example of an essential control that needs to be implemented for international companies is strict adherence to the international trade laws of all countries operated within. Another prominent control that you don’t often see in domestic companies, but that is essential in international companies, is an automated currency management system directly linked to each country’s central banking system.
4. Improved collaboration. The features of ERP applications can vary depending on the program that you are using, but all of these systems enable you to share and edit data as well as to improve security and access. There is no need to merge information across various systems or sources. Because all of the data is compiled, stored, shared and accessed through a single system, there is no concern about how accurate, complete or secure the data files are.
Yuan Liu says
The ERP system does not only improve collaboration; it also simplifies regulatory compliance. Successful execution of your ERP project can help the company gain and maintain compliance through the improved ability to manage and secure data and to generate suitable reports. After entering invoice information and other supply chain information, the system will run all the information automatically based on our settings, which simplifies the process of financial control.
Haitao Huang says
1. Non-financial risks, also known as operational risk, encompass compliance risk, legal risk, IT system risk, human resources risk, operational control risk, business disruption risk, security risk, and so on. I would adopt the following approaches to manage non-financial risks. First, identify all potential risks. Second, conduct a regular assessment using qualitative and quantitative methods to assess the frequency and impact of each non-financial risk. All risks should be prioritized based on the result of the risk assessment. Once the risk assessment is completed, we can make educated, intelligent decisions about safeguard implementation and security policy alterations. Last but not least, all the safeguards should be monitored, reviewed, and updated on a regular basis.
2. IT personnel supporting business applications should have a basic understanding and knowledge of financial statements. An understanding of the financial statements will provide IT personnel with the basic terminology needed to communicate with the accounting and finance personnel. An understanding of the financial statements will also provide IT personnel with the knowledge to better understand demands from the business process and to better solve issues when supporting business applications.
3. Each country has its own legal system, industrial standards, and customs. A company that operates purely domestically only needs to comply with the laws and regulations of the country where the company has its presence. This eases the burden on a company when it designs its control policy. A domestic company can apply a single control policy to all branches because all its branches are subject to identical laws and regulations. The situation will be different for companies that operate internationally. An international company has to consider various factors in the different countries where it operates. The company might not be able to apply identical controls to all the branches. A control that is effective and valid in one country might be insufficient in other countries because each country has unique requirements for business. For example, if a purely US-based financial institution collects and processes customer personal information, it has to take the Gramm-Leach-Bliley Act (GLBA) into account when designing controls. If the company extends its operations into the European Union, it must now comply with the GDPR as well.
4. It is important for IT security personnel to understand the mechanism of the ERP system in order to be able to rely on the processes in SAP ERP and to ensure the consistency of the data and the processing logic. One thing that IT security personnel should know is the ERP system configuration data. The personnel should ensure the configuration is consistent across the organization to ensure consistent processes and output.
Penghui Ai says
Hi Haitao, your opinions are very interesting. For question 4, consistency and process logic are very important for IT control personnel to understand because they help them implement internal controls. However, they need to know about segregation of duties as well, which is one important component of internal controls and the ERP system.
Rouying Tang says
1. If I were responsible for Finance/Accounting controls for my company, I would work with people from non-financial function jobs to become familiar with the non-finance functions. I need to determine the business impact and likelihood from those functions on the finance and accounting function. According to their influence and potential exposures, I would determine whether to accept the risk, take the most suitable measures/controls, or transfer the risk by insurance.
2. Personally, I don’t think IT personnel knowing too much finance and accounting knowledge is a good thing, since the applications IT personnel develop and support will eventually be used in the production environment. They have the ability to build backdoors, and if a backdoor exists, it would be very hard to detect those risks.
Rouying Tang says
3. For a purely domestic US company and an international company, the confidentiality requirements toward personally identifiable information are different. For European countries and the consumers involved, the notification and storage regulations are stricter than for a US company. So the process of online payment is different. Another difference is time zones and currency. We need to determine the corresponding units to measure money and time. An error regarding these may cause the rejection of payments.
4. The one who is responsible for general IT controls must be familiar with how the ERP system works, so that they can implement controls in daily processes. For example, a field check needs to be used for a password input.
Peiran Liu says
1. If I were responsible for accounting controls for my company, I would manage the risks coming from these non-financial function jobs by setting limitations for the job and having supervision from the board. The job needs certain certifications and several years of working experience. Having supervision from the board is necessary for avoiding fraud.
2. IT personnel need at least basic skills and knowledge for business applications. Although most of the knowledge and interactions will be learned by working, with basic skills and knowledge of finance and accounting IT personnel will learn more easily and quickly.
3. For a purely domestic US company compared with an international company, there will be lots of different financial and accounting processes, which means controls will also be different. For example, currencies and time zones will be different, which means validity checks will be different. Shipping takes more time for international companies, which means reasonableness tests will also be different. The way to account is also different in different countries, which means the same company might have different asset results in different countries.
4. It is very important for people responsible for general IT controls to know how the ERP system works. If they aren’t familiar with the system, they might be defrauded by IT personnel. In my point of view, I think that people responsible for financial and accounting processes at least need to know how to check Inventory Quantities, Bank Accounts, Sales Revenue, Cost of Goods Sold, Accounts Receivable and the Customer Sub-ledger, which is the easiest way to check the most important accounts for the company.
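The field check, validity check and reasonableness test mentioned in the last two posts (a field check on an input, currency validity, a shipping window that differs for domestic and international orders) are application-level edit checks that run before a transaction posts. The following is an added example of such checks on a sales order, not code from the original discussion or from any ERP; the field names, the currency table (ISO 4217 minor units for a hypothetical set of traded currencies) and the delivery windows are constructed assumptions.

```python
"""Application-level edit checks on an ERP sales order before it posts.

Added example, not from the original discussion. Field names, the currency
table and the shipping windows are constructed assumptions for illustration.
"""
from datetime import date, timedelta
from decimal import Decimal, InvalidOperation

# ISO 4217 minor-unit counts for the currencies this hypothetical company trades in.
MINOR_UNITS = {"USD": 2, "EUR": 2, "GBP": 2, "JPY": 0, "KWD": 3}

# Reasonableness window for requested delivery, in days after the order date
# (constructed: a domestic order ships faster than an international one).
SHIP_WINDOW_DAYS = {"domestic": (1, 14), "international": (5, 60)}

# Fixed "today" so the sample results are reproducible.
TODAY = date(2024, 3, 1)

# Constructed sample orders: one clean, one with bad precision and an early date,
# one with an unknown currency, a negative amount and a non-ISO date.
SAMPLE_ORDERS = [
    {"id": "SO-1", "currency": "USD", "amount": "1250.00", "ship_from_country": "US",
     "ship_to_country": "US", "requested_delivery": "2024-03-10"},
    {"id": "SO-2", "currency": "JPY", "amount": "100.5", "ship_from_country": "US",
     "ship_to_country": "JP", "requested_delivery": "2024-03-05"},
    {"id": "SO-3", "currency": "XYZ", "amount": "-4", "ship_from_country": "US",
     "ship_to_country": "DE", "requested_delivery": "03/15/2024"},
]


def check_order(order, today):
    """Return a list of (field, problem) findings; an empty list means the order passes."""
    findings = []

    # Validity check: the currency must be one the system is configured for.
    cur = order.get("currency")
    if cur not in MINOR_UNITS:
        findings.append(("currency", f"unknown currency {cur!r}"))

    # Field check: the amount must be a finite positive decimal with no more
    # decimal places than the currency's minor unit allows (JPY has none).
    try:
        amount = Decimal(str(order.get("amount")))
    except InvalidOperation:
        findings.append(("amount", "not a number"))
    else:
        if not amount.is_finite() or amount <= 0:
            findings.append(("amount", "must be a finite positive number"))
        elif cur in MINOR_UNITS and -amount.as_tuple().exponent > MINOR_UNITS[cur]:
            findings.append(("amount", f"{cur} allows {MINOR_UNITS[cur]} decimal places"))

    # Reasonableness test: requested delivery must fall inside the window for the
    # route type; the window differs for domestic and international shipments.
    route = ("international" if order.get("ship_to_country") != order.get("ship_from_country")
             else "domestic")
    try:
        deliver = date.fromisoformat(str(order.get("requested_delivery", "")))
    except ValueError:
        findings.append(("requested_delivery", "not an ISO 8601 date"))
    else:
        lo, hi = SHIP_WINDOW_DAYS[route]
        if not (today + timedelta(days=lo) <= deliver <= today + timedelta(days=hi)):
            findings.append(("requested_delivery", f"outside {route} window of {lo}-{hi} days"))
    return findings


def check_orders(orders, today):
    """Map each order id to its findings so a batch can be reviewed before posting."""
    return {o["id"]: check_order(o, today) for o in orders}


if __name__ == "__main__":
    for order_id, findings in check_orders(SAMPLE_ORDERS, TODAY).items():
        status = "OK" if not findings else "; ".join(f"{f}: {p}" for f, p in findings)
        print(f"{order_id}: {status}")
```

Using `Decimal` rather than `float` for the amount is deliberate: a float cannot represent most decimal amounts exactly, so a precision check on it would be unreliable, and rounding errors would show up later as unexplained differences in the ledger.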