ERP Systems

Auditing Controls in ERP Systems - 2019

ERP Systems

MIS 5121.401 ■ Fall 2019 ■ Jim Baranello, CISM, CRISC, MBA

Week 02: Business Process; Assertions

Week 2 Wrap-up: Business Processes, Assertions

by Leave a Comment

Great job on the discussion.  This is what I want to see every week.   I think you raised all the salient points but let me summarize and share my views.

Q1: Business Process Experiences:  You have experience with a lot of different processes across a large number of industries, markets and settings.  A couple observations common to each example:

  • Processes are almost always comprised of a number of steps – sometimes a lot of steps (depending on level of detail provided)
  • The steps are usually executed by different people and usually different functions within an organization.  It’s often the handoffs between people and organizations that cause problems and inefficiencies.

Q2: SOX Laws – are they sufficient reaction or overreaction?  Great discussion.   My view is that the laws & regulations have had an effect because there have been fewer major control failures like Enron, Worldcom, etc. in the past.   The laws have sharpened the accountability of top level executives and management.  However, organizations must spend lots of $$ and it’s a lot, lot of work to develop and maintain the control system and discipline necessary to execute them.

Q3: Define a control environment:  Some great definitions – although I suspect internet search tools helped.  Couple of my comments related to the discussions:

  • The company culture and the tone set by senior management has a role in establishing a company’s control environment.  I’ll share a personal story from my experience about this in class.
  • The proper culture, tone and discipline necessary to support the control environment can’t just some from the top brass / executives.  It has to flow through to front line managers to be truly effective.  The challenge is how to maintain the alignment between senior management and front line managers.
  • We’ll learn more about this topic (in some detail) later in this class and your final exercise.

Q4: Differences between a compliance-driven vs. a profitability driven controls:  Both types of controls are important to the success of an organization.  Compliance controls are basic requirements for a company (necessary to operate legally) while profit controls support the ultimate goals and level of ‘success’ for a company.  Although the focus of compliance vs. profit controls is different, sometimes the same methods / means can be used to support both.

This coming week we will look more deeply at the Procure to Pay (P2P, PtP, Procurement process – I use the terms interchangeably) as well and the link between risks and financial assertions.

Week II – Lessons Learned

by Leave a Comment

WorldCom Organization

  • Corporate Shared Services
  • 4 Divisions:
    • North America [including: Canada], South America
    • Asia/Pacific
    • Eastern/Western Europe
    • Africa
  • Role of:
    • Board of Directors
    • Audit Committee
    • Internal Audit
      • Technology
      • Financial
      • Operational
    • External Audit [Arthur Anderson]
    • C-Level Suite [i.e. CEO, CFO, CIO, COO, etc.]
  • Big 4 [EY, PwC, KPMG, D&T] Services Rendered:
    • Audit Assurance
    • Taxes
    • Legal
    • Actuarial Services
    • Information Security
      • Due to Enron / WorldCom Big 4 cannot cross-sell
    • Corporate Fiduciary Responsibility
      • Role of Compliance / Operational Risk
      • Role of Audit
      • Role of General Counsel [Legal]
      • Todays Role of C-Level Suite
        • Post Sarbanes-Oxley, CIO signs off on Annual Report

Week 2 – Questions

by 10 Comments

  1. Describe a business process you have experienced (either as an external or internal participant) and what your role was.
  2. The Sabanes-Oxley Act in the US and many similar laws in other countries were enacted as result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
  3. In your own words, how would you define a control environment?
  4. Describe a real life example of a companys profitability-driven controls. What arethe differences between a compliance-driven vs. aprofitability driven control?

What to do this week (and all future weeks)

by Leave a Comment

I want to go over your weekly activities a second time to make sure there is no confusion.

  • Via the Schedule menu watch the video lecture (if any), read the assignments and explore the additional materials for the week.
  • Each Tuesday (am) you will find a post of ~ 4 questions about that week’s readings and other content.
  • After finishing the videos, readings and other content, write a one or two paragraph comment on at least one (1) of the posted questions.  Comment by selecting Leave a Reply option at the bottom of my post on the course blog (Leave a Comment link also works).  Replies are due by 11:59 pm Sunday.
    (Note: I must approve your first reply or comment so don’t expect to see it right away. After that it will be automatic.)
  • Once everyone’s readings comments are on the blog, I expect you to read them over and comment on them.  Comments need to be posted on the class blog before 11:59 pm on Sunday.
    Note: Four (4) substantive comments each week considered a B.
  • Class (Monday)
  • I may post a summary note (if any) on Tuesday

To learn to the material well you need to be actively engaged in the online discussion.  Check it out and contribute everyday.  If you have questions, put them in a post or reply online so that everyone can see the answer.  If you find yourself confused, call me and we will talk about it (609.206.9783).