ERP Systems

Auditing Controls in ERP Systems - 2019

MIS 5121.401 ■ Fall 2019 ■ Jim Baranello, CISM, CRISC, MBA

Week 14: Character vs. Controls Wrap-up

December 12, 2020 By Jim Baranello, CISM, CRISC, MBA

Continuing great job on the discussions.  I appreciate your responses and I learn from you.  You raised most of the important points but let me summarize my view.

Q1: How much automation of controls is best?  When should they be introduced?  Automated controls are ideal but not always possible or cost effective (e.g. complex scenarios or decision making).  My experience is to leverage automation where possible and easily implemented.

As many of you pointed out, ‘baking in’ the controls from the start is the easiest and most cost effective.  However, they will be added to as an organization grows, changes, etc.  Also, as the process matures and the external world changes you need to respond.

Q2: Describe the character of the leaders involved in the Real World control failures we reviewed.   The words you used I agree with: Arrogant, greedy, above control (‘absolute power corrupts absolutely’), self-interested, self-preservation response to pressures, etc.

These leaders were not necessarily ‘bad’ leaders – many were very effective in accomplishing the goals of their organization.  However, good leaders can have ‘bad’ character.  Creating a climate of controls needs to balance (e.g. SOX-type regulations) when this character drives illegal, immoral, or unethical behaviors.

Q3: A person’s character is very crucial in the audit industry.  How would you build your reputation and maintain a good ethical character in this industry?  This is something you have to do yourself.

I appreciate how Paul phrased it: ‘IT Governance: which is to “do the right thing, the right way”. Character is doing the right thing because it is the right thing to do.’  Integrity goes beyond the skills you have or knowledge of right things, but always doing the right things.

This integrity requires personal courage to stand up and be independent in our ‘end justifies the means’ world.

Q4: SAP’s GRC module may be important and effective, but can the cost of GRC be justified?

You all outlined in some detail what’s in this functional tool.  However, in making the decision where to use it, you must weigh GRC’s costs vs. the cost of implementing controls other ways (often higher) plus the cost of not having needed controls or strength of controls in place.

 

Thanks for all your work in the participation blog this semester.   I trust it helped your learning.  Also remember to: do the right thing because it is the right thing to do.

Team Member Evaluation (Optional)

December 10, 2020 By Jim Baranello, CISM, CRISC, MBA

All members of a team receive the same points for the exercise submissions. If you feel that one or more members are not doing their fair share, please do the following 2 things:

  1. Send email to all members of your team (cc me) indicating that you will be submitting a team member evaluation form.  This step gives all members of the team the option of completing a form.
  2. Complete and submit the following form to me by email.

All responses will be kept confidential. 

 

Click Here for the Team Member Evaluation Form

Welcome to MIS-5121 – Beijing-BNAI!

December 6, 2020 By Jim Baranello, CISM, CRISC, MBA

Introduction

Welcome to ITACS 5121, Auditing Enterprise Resource Planning Systems!

This course presents the fundamentals of ERP Systems, the business processes they enable and the controls necessary to assure they work properly. You will learn:

  • The basic business processes that ERP systems support
  • How these processes are implemented with ERP systems and
  • How to secure and control the processes and systems for the integrity, confidentiality, authenticity and reliability of information.

By examining how an organization can secure and control its ERP systems with an effective control environment, we understand how to enable and maintain the integrity, confidentiality and reliability of information required for regulatory, operational and financial expectations.

Before you begin the course, please take a few minutes to review the course format, and the syllabus items.

If you are new to the MIS Community Site or the Canvas Learning Management System (LMS), you may want to begin with this video.

  • First, review the course objectives, which enumerate what you will be learning in this course.
  • Second, review the list of required text and reading materials.
  • Third, review the grading and course policies.
  • Fourth, review the course schedule, which shows the topics, reading, assignments and assessments throughout the duration of the course.
  • Finally, begin the first learning module, which includes an instructor introduction, followed by an introduction to the course material.

If you have any questions or concerns, please contact me: James.Baranello@temple.edu

http://community.mis.temple.edu/mis5121sec401fall2019/

Week 12: Table Security, Risk/Control Framework Wrap-up

November 28, 2020 by Jim Baranello, CISM, CRISC, MBA

Continuing great job on the discussions. Keep up the good work.   You raised most of the important points but let me summarize my view.

Q1: Have you ever been involved with an internal audit or audit of your process / project?
Thanks for all the good examples shared – they remind me of the many audits I performed or was involved with (often as the subject of the audit).
In today’s world, there are audits of many kinds and someday I expect everyone will have some experience as an auditee or auditor. I note a lot of consistency regardless of the subject of the audit: it starts with a defined procedure or expectation of how the process or activity should occur, there’s a methodical way to review how activities occur in the real world to measure vs. that expectation, with a defined way to capture the alignment and gaps and address the gaps that are found.

Q2: How is independence maintained when working for the company as an internal auditor?
In my experience independence is taken very seriously. You noted common components: Defined Code of Ethics, organizational separation, Defined audit procedure with lots of documentation – there are even audits of audits. A very important but harder to measure component is the mindset of the auditors and those being audited – we’ll talk more about that in Week 14.

Q3: When is the cost of implementing a compliance control higher than the benefit obtained?  What should an organization do to ensure efficiency and profitability?
Organizations don’t exist just to perform business process controls, audits, etc. They have a responsibility to address their missions (be that making profit or some other defined goal). There can be discussion where the control implementation costs are higher than the benefit. It all starts, as many of you noted, by doing a good risk assessment (part of your Final Exercise). With this information available management can make better decisions and strike the correct balance of control vs. cost.

 

Filed Under: Week 12: Table Security, Control Framework Tagged With:

Real World Control Failure-Toshiba Corporation

November 25, 2020 by Jim Baranello, CISM, CRISC, MBA

Real World Control Failure Presentation-Toshiba Corporation

Filed Under: Real World Control Failure Presentations Tagged With:

Week 12: Questions

November 14, 2020 by Jim Baranello, CISM, CRISC, MBA

  1. Have you ever been involved with an internal audit or audit of your process / project?  Briefly describe.
  2. How is independence maintained when working for the company as an internal auditor?
  3. When is the cost of implementing a compliance control higher than the benefit obtained?  What should an organization do to ensure efficiency and profitability?

Filed Under: Week 12: Table Security, Control Framework Tagged With:

Week 11: Change Management, Development Wrap-up

November 14, 2020 by Jim Baranello, CISM, CRISC, MBA

Continuing great job on the discussions. Keep up the good work.   You raised most of the important points but let me summarize my view.

Q1: What key components of ERP change management controls should auditors review?  You provided some good background and details of the systems change management process.  From my experience the key components to focus on are: 1) defined policies and procedures (and proof they are followed)  2) Solid documentation of requirements (what the change should be) 3) testing and more testing and 4) strong approval / governance process.

Q2: Does your company use blueprints as documentation?  Why important? From the few responses it’s a mixed bag about organizations’ use of blueprints.  My experience is that the blueprints are very useful in implementing successful, complex processes.  They are excellent communication tools and help define for people new to the process or changing it later how it’s supposed to work.  It takes discipline and work to keep the blueprints up to date but in the long run they are very useful as ERP systems and processes outlast those originally developing them.

Q3: How have you seen change mgmt work?  How would you improve? Only a few comments but they highlight some keys of good change management: clear communication about the ‘Why’ of change, methods by which those affected by the change can get their questions answered, and employee involvement.

Q4: What questions would you like to ask auditors?   Some very good questions.  We’ll include some of them in coming weeks’ discussion.

Change management is one of the necessary evils of good systems management.  Doing it well requires lots of discipline and hard, sometimes tedious work, but in the end ERP systems won’t survive well without it.

Filed Under: Week 11: Change Management, Development Tagged With:

Week 11: Change Mgmt Breakout Questions

November 8, 2020 by Jim Baranello, CISM, CRISC, MBA

Below is the consolidation of the breakout session responses from yesterday’s class.  Some excellent comments and useful ideas.

Change Management practices may seem bureaucratic and time consuming.  How do you manage the trade-off of added work vs. needed controls?

  • Compliance requirements for highly regulated industries (i.e. Health, Finance and Insurance)
  • By following change management practices it will help ensure the Quality of the product or service is better or at the same standard as it was previously.
  • Software automated testing prior to integration
  • A well-designed schedule – e.g. everyone knows what’s going to happen for preparation
  • Electronic approval process – e.g. IT help desk; approval by email
  • Update the documentation in order to assign approval align with the new work (changes are reviewed)
  • Define option and response document  and clear and concise roles in align with new work
  • The date of when the change management practices are going to occur. what is affected
  • An emergency change process is in place
  • Changes are submitted for approval
  • Categorize everything
  • Quantify controls
  • Identify the risks that are not checked.
  • Clients justify very easily
  • Prioritize controls
  • Put automated systems in place so that automated controls can be helpful
  • Training for employees
  • Perform change out of business hours if required so that it does not pile up and miss SLA
  • Prioritize changes based on risks mitigated, criticality of issue & solutions.
  • Perform Changes outside of Business Hours so that work is not affected and neither are large # of users impacted.
  • Streamline the change management process so that there is minimal disruption to services and hence fewer service requests to attend to as well, also changes should be reviewed thoroughly to ensure the change is successful.

What are the ramifications of managing change management in the scenario where the changes (e.g. development, etc.) are outsourced?

  • Cultural differences in the Company and the vendor organization
  • Security issues w.r.t Change performers having high privileged access to the system and messing it up.
  • Whether there is sufficient expertise in the outsourcing vendor implementing the changes
  • Cultural difference will affect process
  • Time zones can be different and hence SLA breach is possible
  • Security and privacy issues during change management
  • Schedule change control-the project schedule has been affected somehow and events in the project are being delayed.
  • Cost change control-the scope contents have not changed, but the price for the items in the scope have increased or decreased.
  • Giving up control of the change management process
  • Adjusting to the new team and learning what each individual is skilled in.
  • Communication back and forth could be a challenge if there is a difference in time zone.
  • Granting access to the members who are outsourced to the programs used within the company, could take some time and are there security in place to mitigate risk.
  • Production of quality, control
  • Customer satisfaction of the service
  • Compliance standard align with our business objective
  • Application able to run on their system
  • Confidentiality of our sensitive data can be affected
  • Understanding of the required change (The ‘why’ is not consistently communicated by upper management to all team members)
  • makes monitoring adherence more difficult if things aren’t done in the same standard or by the same protocols that the main organization is enforcing or following
  • They may lack the understanding of the “business”, its goals and vision of the organization as well as local employees
  • Design and functionality are out of control
  • Increase need of quality assurance
  • Data management issues
  • System uniformity

Filed Under: Week 11: Change Management, Development Tagged With:

Exam 2: Case

November 8, 2020 by Jim Baranello, CISM, CRISC, MBA

As discussed, several of the questions on Exam 2 relate to this real-world-like small business case. You are encouraged to pre-read, print, etc. this case prior to the Exam.

Filed Under: Exams Tagged With:

Week 11 Questions

November 7, 2020 by Jim Baranello, CISM, CRISC, MBA

  1. What are the key components of SAP change management controls you would expect the auditor to review?  Why?
  2. In your company, do you use any blueprints as documentation?  Why are process blueprints important in the documentation?
  3. How have you seen change management work in your organization?  What improvement recommendations do you have?
  4. In future weeks we may have the privilege of having real world auditors join us for our discussions.  What questions would you like to ask the Auditors to answer for us?

Filed Under: Week 11: Change Management, Development Tagged With:

Exam 2: Take November 13

November 7, 2020 by Jim Baranello, CISM, CRISC, MBA

The second exam of the semester will be conducted by Blackboard at the beginning of class next week (Monday November 13).

Some specifics:

  • Questions mainly focus on course content (on-line and from class) from Weeks 7 – 10.  Note topics listed on any ‘Overview’ or ‘Review’ slides.
  • Some questions from prior material (see Review slides from Week 7) may also be included on the exam.
  • Maximum amount of time to complete the exam is 60 minutes
  • Exam is approximately 25 questions (variety of formats, e.g. fill in blank, multiple choice)
  • Some of the questions relate to a real-world-like small business case (to be published Thursday). You are invited to pre-read, print, etc. prior to the exam.

Filed Under: Exams Tagged With:

Week 10: Data, SOD/SAT Review Wrap-up

November 7, 2020 by Jim Baranello, CISM, CRISC, MBA

Continuing great job on the discussions. Keep up the good work.   You raised most of the important points but let me summarize my view.

Q1: How to assure master data integration works well for all?  This is hard with ERP systems because master data is used so extensively across so many transactions, processes, etc.  Company needs to have a good plan, lots of well defined processes and controls.  It’s important that there is a broad understanding of master data and appreciation for good data.  This comes only with good training and strong management focus.

Q2: Who should play the key role in defining and assuring quality of master data?  All processes that use the data, not just the main users, need a say in what the master data is (definitions, processes, etc.).  Because of the high degree of integration across business processes in ERP systems, those in charge of master data need integration / broad perspectives.   Accounting / finance is one critical voice but in my experience not the best to be in charge.  A strong financial focus can be just as bad as another group’s focus (e.g. sales, supply chain, etc.)
My experience is there needs to be a defined master data coordinator (data steward is the term many of you used – great term).  Great, cooperative master data coordinators and new Master Data Management (MDM) software are becoming a must for strong ERP system users.

Q3: What is riskier: inaccurate data or excessively repetitive data?  Both are bad.  You all gave some great examples.   I agree that inaccurate data causing problems is more common than repetitive, but be aware of both.

Q4: Which transaction is most ‘Sensitive’?  Many, many transactions are sensitive – no correct answer.  The rule of thumb I used is that any transaction that creates master data or creates or can lead to creation of a financial transaction is sensitive.  Note that many systems and configuration transactions are sensitive and need to be locked down in production.

A good ERP system runs on good master data.

This coming week we will look at change management and development aspects of ERP systems.

Filed Under: Week 10: Data; SOD/SAT Review Tagged With:

Extra Credit Assignment

November 5, 2020 by Jim Baranello, CISM, CRISC, MBA

Background

Context is Global Bike Inc. (GBI) that we’ve used in all other course assignments.

You are an auditor in GBI’s internal auditing team.  As a result of your work at GBI you’ve uncovered a significant risk in one of GBI’s business processes.  You’ve made this risk known to your manager who requested that you investigate what potential changes / controls should be put in place to address the risk.

Assignment

You have the opportunity to address the audit committee of the board to discuss the risk you’ve uncovered in your work and recommended changes / controls.  Unfortunately, the agenda is packed and you only have 5 minutes to make your presentation.

Deliverables 

  1. Brief (1 slide?) Powerpoint slide(s)
  2. Brief script of what you plan to say to the audit committee

Grade

Treat like a ½ credit Assignment Exercise.  Full credit can yield extra 4 points in final grade (e.g. raise a grade of 90 to a 94)

Grading Rubric

  • Substantive content related to class content: 2
  • Concise, clear message appropriate for audience: 1
  • Convincing argument, message: 1

Due   Send deliverables to professor by Tuesday December 12. Wednesday December 13.

Filed Under: Assignments Tagged With:
