
ERP Systems

Auditing Controls in ERP Systems - 2019


MIS 5121.401 ■ Fall 2019 ■ Jim Baranello, CISM, CRISC, MBA

Week 14: Character vs. Controls Wrap-up

December 12, 2020 By Jim Baranello, CISM, CRISC, MBA

Continuing great job on the discussions.  I appreciate your responses and I learn from you.  You raised most of the important points but let me summarize my view.

Q1: How much automation of controls is best? When should they be introduced? Automated controls are ideal but not always possible or cost effective (e.g. complex scenarios or decision making). My experience is to leverage automation where it is possible and easily implemented.

As many of you pointed out, ‘baking in’ the controls from the start is the easiest and most cost effective. However, they will be added to as an organization grows, changes, etc. Also, as the process matures and the external world changes, you need to respond.

Q2: Describe the character of the leaders involved in the Real World control failures we reviewed.   The words you used I agree with: Arrogant, greedy, above control (‘absolute power corrupts absolutely’), self-interested, self-preservation response to pressures, etc.

These leaders were not necessarily ‘bad’ leaders – many were very effective in accomplishing the goals of their organization. However, good leaders can have ‘bad’ character. Creating a climate of controls needs to balance (e.g. SOX-type regulations) when this character drives illegal, immoral, or unethical behaviors.

Q3: A person’s character is very crucial in the audit industry.  How would you build your reputation and maintain a good ethical character in this industry?  This is something you have to do yourself.

I appreciate how Paul phrased it: ‘IT Governance: which is to “do the right thing, the right way”. Character is doing the right thing because it is the right thing to do.’ Integrity goes beyond the skills you have or knowledge of right things, but always doing the right things.

This integrity requires personal courage to stand up and be independent in our ‘end justifies the means’ world.

Q4: SAP’s GRC module may be important and effective, but can the cost of GRC be justified?

You all outlined in some detail what’s in this functional tool. However, in making the decision where to use it, you must weigh GRC’s costs vs. the cost of implementing controls other ways (often higher) plus the cost of not having needed controls or strength of controls in place.

 

Thanks for all your work in the participation blog this semester.   I trust it helped your learning.  Also remember to: do the right thing because it is the right thing to do.

Team Member Evaluation (Optional)

December 10, 2020 By Jim Baranello, CISM, CRISC, MBA

All members of a team receive the same points for the exercise submissions. If you feel that one or more members are not doing their fair share, please do the following 2 things:

  1. Send an email to all members of your team (cc me) indicating that you will be submitting a team member evaluation form. This step gives all members of the team the option of completing a form.
  2. Complete and submit the following form to me by email.

All responses will be kept confidential. 

 

Click Here for the Team Member Evaluation Form

Welcome to MIS-5121 – Beijing-BNAI!

December 6, 2020 By Jim Baranello, CISM, CRISC, MBA

Introduction

Welcome to ITACS 5121, Auditing Enterprise Resource Planning Systems!

This course presents the fundamentals of ERP Systems, the business processes they enable and the controls necessary to assure they work properly. You will learn:

  • The basic business processes that ERP systems support
  • How these processes are implemented with ERP systems and
  • How to secure and control the processes and systems for the integrity, confidentiality, authenticity and reliability of information.

By examining how an organization can secure and control its ERP systems with an effective control environment, we understand how to enable and maintain the integrity, confidentiality and reliability of information required for regulatory, operational and financial expectations.

Before you begin the course, please take a few minutes to review the course format, and the syllabus items.

If you are new to the MIS Community Site or the Canvas Learning Management System (LMS), you may want to begin with this video.

  • First, review the course objectives, which enumerate what you will be learning in this course.
  • Second, review the list of required text and reading materials.
  • Third, review the grading and course policies.
  • Fourth, review the course schedule, which shows the topics, reading, assignments and assessments throughout the duration of the course.
  • Finally, begin the first learning module, which includes an instructor introduction, followed by an introduction to the course material.

If you have any questions or concerns, please contact me: James.Baranello@temple.edu

http://community.mis.temple.edu/mis5121sec401fall2019/

Exam 2: Coming up November 11 – 13

November 3, 2020 by Jim Baranello, CISM, CRISC, MBA

A reminder that the second exam of the semester will be conducted by Blackboard and must be completed between Friday November 11 and Sunday November 13 (midnight).

Some specifics:

  • Questions mainly focus on course content (on-line and from class) from Weeks 7 – 10.  Note topics listed on any ‘Overview’ or ‘Review’ slides.
  • Some questions from prior material (see Review slides from Week 7) may also be included on the exam.
  • Test will be conducted via Blackboard – you must complete between Friday November 11 and Sunday November 13 (midnight).
  • Maximum amount of time to complete the exam is 40 minutes
  • Exam will be approximately 25 questions (variety of formats i.e. Fill in blank, multiple choice)
  • Some of the questions relate to a real-world like small business case. I’ll publish the case, which you can pre-read, print, etc., the Tuesday prior to the exam.


Week 10 Questions

October 31, 2020 by Jim Baranello, CISM, CRISC, MBA

  1. Master data in an ERP system is highly integrated with various processes and affects many parts of the organization. How does an organization assure this integration works well for all?
  2. Which department or person should play the key role in defining master data and assuring its quality?
  3. Which is more of a risk to a company: inaccurate data or excessive repetitive data?  Explain
  4. Which transaction do you believe is the most ‘Sensitive’ and therefore should have extra focus in an SAT (Sensitive Access to Transaction) audit?  Explain


Exercise 4 (SOD) Due November 11

October 31, 2020 by Jim Baranello, CISM, CRISC, MBA

Reminder:  Exercise 4 – Segregation of Duties is now due (via e-mail) on Saturday November 11 at 11:59 pm.

Updated Guide (updated with additional SAP screenshots November 6 @ 7:30 pm)

 


Week 9: Security: User Management, Segregation of Duties (SOD) Wrap-up

October 31, 2020 by Jim Baranello, CISM, CRISC, MBA

Continuing great job on the discussions – I enjoy your thoughtfulness and depth in answering.  I trust the questions help you explore and understand topics being discussed in a given week.
You raised most of the important points but let me summarize my view.

Q1: What is segregation of duties (SOD) and why is it a commonly used control?  – We discussed this topic in class.  Great examples of IT roles that should be segregated (e.g. development from DBA, development and security, development and move code, developers not in production system, development from audits).  We’ll discuss controls related to development more thoroughly in future classes.

Q2: Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component?  You nailed the core issue – ERP systems are large and complex.  Therefore the security is also large and complex – especially when there are complex requirements (many people needing broad access).

Q3: What are Key competencies of person responsible for security? I like the terms you chose. Specifically:

  • Skepticism and curiosity
  • Functional Knowledge – critical to effectively make decisions
  • Decision making – to which I would add good judgement.
  • Data analytic – I call this basic smarts. Security is highly complex and requires strong cognitive skills.

Q4: Companies are dynamic entities. Best practices for managing system users and their security access? You provide many great ideas including: password policies and procedures, documenting change (more on this in a couple weeks), periodic user access reviews, least privilege access, proper management approvals, etc. Bottom line is that security, although sometimes viewed as a backroom IT task, requires strong processes to be done well.

 


Exercise 3: Possible ‘Missing CO Object’ Error

October 28, 2020 by Jim Baranello, CISM, CRISC, MBA

When performing Task 4 (Enter Journal Entry Transactions into the General Ledger) and the use of transaction FB50 you may find that one or more General Ledger accounts require the entry of a Cost Center (CO) value. You get an error such as ‘Account xxxxxxx requires the assignment of a CO object’.

This is an additional financial control.

This short guide shows how to address this issue.


Real World Control Failure: Post your Presentation

October 24, 2020 by Jim Baranello, CISM, CRISC, MBA

Your options for posting your Real World Control Failure presentations are:

  • Post as a comment to this post. This requires you to embed a URL to where your presentation is stored (e.g. on OneDrive or Google Drive).
  • Post as a new blog post. You can upload your presentation as media when creating the blog post. Make sure to select the ‘Real World Control Failure Presentations’ category.
  • Edit this post or send me your presentation and I’ll include in the list below.

 

Date | Student | Subject / Link
October 16 | Candace Nelson | Salvation Army
October 23 | Lezlie Jiles | USIS (Separate blog post)
October 30 | Andres Galarza | Ukrainian Artillery App
October 30 | Parneet Toor | UBS Rogue Trading Scandal
November 6 | Khawlah AlSwaillem | Marrone Bio Innovations
November 12 | Kevin Berg | Leone Industries
November 13 | Xiaomin Dong | PTC Inc. China
November 13 | Yijiang Li | Yahoo
November 27 | Qiyu Chen | Google Mail Hack
November 30 | Mengting Li | Target
December 1 | Binju Gaire | Advanced Emissions Solutions
December 4 | Jing Jiang J | Satyam Computer Services
 | Michelangelo Collura | Lehman Brothers


Exercise 3 – Due Date Changed to Saturday October 28

October 24, 2020 by Jim Baranello, CISM, CRISC, MBA

I have changed the due date for Exercise 3 (Journal Entries) from Thursday until Saturday October 28 at the end of the day.

Note: this is a group exercise. Only one submission file (spreadsheet) is due from each team.


Week 9: Questions

October 24, 2020 by Jim Baranello, CISM, CRISC, MBA

  1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated.
  2. Security in an ERP system (e.g. SAP) is complex.  What is the most fuzzy, difficult to understand component?  Explain
  3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful?  Why?
  4. All companies are dynamic entities with employees and others using systems coming and going all the time.  What best practices have you experienced or would you recommend for managing system users and their related security access?


Week 8: Security 2, Finance 2 Wrap-up

October 24, 2020 by Jim Baranello, CISM, CRISC, MBA

Continuing great job on the discussions. Keep up the good work.   My summary view is:

Q1: Do businesses rely too much on security administrators vs. security of the entire network? Most of you highlighted the network being the highest risk. I tend to agree with you – as in today’s computer environments, the network gets you in the door. Nevertheless, it’s important to manage all areas of security and make sure even the administrators are using state of the art practices and techniques. Risks are everywhere.

Q2: Why only have one posting period open at a time? As you pointed out, this is mainly to prevent errant postings in the wrong month.  It also supports the discipline of making sure when events occur in the real or physical world, the corresponding transaction(s) occur in the ERP system.

Q3: What’s the most important finance / accounting control? …authorization control? Some good discussion on this question.  I would have preferred you using my list to prioritize but most of you didn’t have that list due to my late posting of the video.  My experience is that documented policies & procedures with strong reconciliation and auditing that they are followed is critical.  Focus as usual on the high value and high risk items.

Q4: Have you experienced difficult, cumbersome, … security problems? Thanks for sharing some great stories of your real experiences. Most of you highlighted password headaches. Regardless, it’s important to understand the end results of what users are actually doing (law of unintended consequences). If you lock down the process tight so everyone writes the password down on their screen – in the end you have poor security. In the end, a balance is necessary – is the complexity worth the headache? However, who gets to set the balance is usually someone at the top of the organization.


Lezlie Jiles: MIS 5121 Real World Control Failure

October 23, 2020 by Jim Baranello, CISM, CRISC, MBA

L Jiles MIS 5121- Real World Control Presentation
