ERP Systems

Auditing Controls in ERP Systems - 2019

MIS 5121.401 ■ Fall 2019 ■ Jim Baranello, CISM, CRISC, MBA

Week 14: Character vs. Controls Wrap-up

December 12, 2020 By Jim Baranello, CISM, CRISC, MBA

Continuing great job on the discussions.  I appreciate your responses and I learn from you.  You raised most of the important points but let me summarize my view.

Q1: How much automation of controls is best?  When should they be introduced?  Automated controls are ideal but not always possible or cost effective (e.g. complex scenarios or decision making).  My experience is to leverage automation where possible and easily implemented.

As many of you pointed out, ‘baking in’ the controls from the start is the easiest and most cost effective.  However, they will be added to as an organization grows, changes, etc.  Also, as the process matures and the external world changes you need to respond.

Q2: Describe the character of the leaders involved in the Real World control failures we reviewed.   The words you used I agree with: Arrogant, greedy, above control (‘absolute power corrupts absolutely’), self-interested, self-preservation response to pressures, etc.

These leaders were not necessarily ‘bad’ leaders – many were very effective in accomplishing the goals of their organization.  However, good leaders can have ‘bad’ character.  Creating a climate of controls needs to balance (e.g. SOX type regulations) when this character drives illegal, immoral, or unethical behaviors.

Q3: A person’s character is very crucial in the audit industry.  How would you build your reputation and maintain a good ethical character in this industry?  This is something you have to do yourself.

I appreciate how Paul phrased it: Paul: ‘IT Governance: which is to “do the right thing, the right way”. Character is doing the right thing because it is the right thing to do.’  Integrity goes beyond the skills you have or knowledge of right things, but always doing the right things.

This integrity requires personal courage to stand up and be independent in our ‘end justifies the means’ world.

Q4: SAP’s GRC module may be important and effective, but can the cost of GRC be justified?

You all outlined in some detail what’s in this functional tool.  However, in making the decision where to use it, you must weigh GRC’s costs vs. the cost of implementing controls other ways (often higher) plus the cost of not having needed controls or strength of controls in place.

 

Thanks for all your work in the participation blog this semester.   I trust it helped your learning.  Also remember to: do the right thing because it is the right thing to do.

Team Member Evaluation (Optional)

December 10, 2020 By Jim Baranello, CISM, CRISC, MBA

All members of a team receive the same points for the exercise submissions. If you feel that one or more members are not doing their fair share, please do the following 2 things:

  1. Send email to all members of your team (cc me) indicating that you will be submitting a team member evaluation form.  This step gives all members of the team the option of completing a form.
  2. Complete and submit the following form to me by email.

All responses will be kept confidential. 

 

Click Here for the Team Member Evaluation Form

Welcome to MIS-5121 – Beijing-BNAI!

December 6, 2020 By Jim Baranello, CISM, CRISC, MBA

Introduction

Welcome to ITACS 5121, Auditing Enterprise Resource Planning Systems!

This course presents the fundamentals of ERP Systems, the business processes they enable and the controls necessary to assure they work properly. You will learn:

  • The basic business processes that ERP systems support
  • How these processes are implemented with ERP systems and
  • How to secure and control the processes and systems for the integrity, confidentiality, authenticity and reliability of information.

By examining how an organization can secure and control its ERP systems with an effective control environment, we understand how to enable and maintain the integrity, confidentiality and reliability of information required for regulatory, operational and financial expectations.

Before you begin the course, please take a few minutes to review the course format, and the syllabus items.

If you are new to the MIS Community Site or the Canvas Learning Management System (LMS), you may want to begin with this video.

  • First, review the course objectives, which enumerate what you will be learning in this course.
  • Second, review the list of required text and reading materials.
  • Third, review the grading and course policies.
  • Fourth, review the course schedule, which shows the topics, reading, assignments and assessments throughout the duration of the course.
  • Finally, begin the first learning module, which includes an instructor introduction, followed by an introduction to the course material.

If you have any questions or concerns, please contact me: James.Baranello@temple.edu

http://community.mis.temple.edu/mis5121sec401fall2019/

Exercise 3 (Journal Entries) Clarifications

October 19, 2020 by Jim Baranello, CISM, CRISC, MBA

As a result of some questions raised in class I have added some clarifying comments in the assignment. The comments are on page 9 in the previous events section. Note the changes in bold below.

The updated Exercise 3 Guide is here and also posted on the assignment page.

Events of interest that Occurred Previously (in Prior year if no year is listed)

Date Description of Event

January 1, 2008 Production Machinery, Equipment and Fixtures were placed in service. They are expected to last 15 years with no salvage value.
July 30 Payment for GBI’s advertisement in the English language edition of Italian Cycling Journal. Advertisement to run in six consecutive monthly publications starting in August. Assume this is the extent of GBI’s prepaid advertising.
December 22 Windy City Bikes in Chicago, IL invoiced $22,000 for bicycle accessories from GBI. The terms of payment for Windy City’s order are 2 / 20 net 60 days (in layman’s terms this means 2% discount if paid in 20 days and net open receivable is due in 60 days).

Filed Under: Assignments

Guest Lecturer Steven Yannelli Bio

October 19, 2020 by Jim Baranello, CISM, CRISC, MBA

Below is a brief bio of our guest lecturer on Monday (October 23)

“Steven Yannelli is a recognized leader in SAP application security who has worked in ERP security for the past 15 years. For six years, he managed the largest international SAP implementation to date (at Walmart) and has been a consultant with Deloitte & Touche and PriceWaterhouseCoopers. He is also a US Army combat veteran who served as a Captain and Commanding Officer within the 56th Stryker Brigade Combat Team. He deployed to Iraq from 2008-2009 where he managed a secure communications network.

Steven holds a CISSP certification and a graduate degree from Drexel University. He is now a Senior Manager at CSL Behring and currently leads their global SAP security and consulting teams across four countries.”

Filed Under: General, Week 08: Security 2, Finance 2

Week 8: Questions

October 17, 2020 by Jim Baranello, CISM, CRISC, MBA

  1. Do you believe businesses rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network?  Explain.
  2. What is the relevance of only being able to have one posting period open at a time for real time financial postings?  What does this prevent from happening?
  3. Consider the list of financial and accounting controls discussed in class.  Rank them.  Which do you believe is the most important, the least?  Why?
  4. You’ve used various computer systems in your lifetime, career.  System security is complex and often maligned as cumbersome, difficult, bureaucratic, etc.  Have you seen these problems in your experience?   Explain.

Filed Under: Week 08: Security 2, Finance 2

Week 7: IT vs. SAP Controls, Security 1, Finance 1 Wrap-up

October 17, 2020 by Jim Baranello, CISM, CRISC, MBA

Continuing great job on the discussions – I appreciate the growth you’ve shown in the quality and substance of the comments. Keep up the good work.   You raised most of the important points but let me summarize my view.

Q1: How does Finance / Accounting manage non-finance people’s tasks that impact them?  Some good comments about cross-training, controls and other ideas.  After working as a non-finance person in processes that impacted financial results significantly, I firmly believe that every person performing a process task needs to know the basic impact of their efforts.  The impact knowledge needs to include at minimum the dimensions of finance / accounting as well as business results.

Q2: How much Finance / Accounting should I/T people know?  If you’re an I/T professional whose job involves applications with any financial content (e.g. ERP systems) I recommend you learn what you can.  As a few of you pointed out – Finance is the language of business and business knowledge is critical to I/T success.  It doesn’t mean you have to have an accounting or financial degree but I encourage I/T folk to be inquisitive and learn what you can.  I particularly like the comment from one of the posts ‘How would IT personnel be able to design and implement solutions if he/she is not familiar with the business function he/she designing the solution for?’

Q3: Financial Controls domestic vs. International companies: just like other processes – differences of language and currencies are the critical differences.  The financial and tax practices of other countries vary considerably and related controls are necessary.  However, that doesn’t mean any less focus on the basic application and process controls.

Q4: Should I/T Professionals supporting general I/T (e.g. workstations, network, etc.) have knowledge of ERP?  There is no reason all IT folks need to know the details of ERP systems.  However, they do need to know the basics of what the systems do, their importance and how the IT work being performed supports the goals of the ERP systems.

In general, always ask questions and be inquisitive about the work you’re doing, especially along the dimensions of a) finance / accounting and b) the ultimate business / outcomes of the organization you’re working in / with.

Filed Under: Week 07: General IT vs. SAP Controls, Security 1

Exercise 3 (Journal Entries) Due October 27

October 16, 2020 by Jim Baranello, CISM, CRISC, MBA

Reminder:  Exercise 3 – Journal Entries is due (via e-mail) on Thursday October 27  at 11:59 pm.

Filed Under: Assignments

Week 6 Wrap-up: Invoicing & Collections Controls

October 10, 2020 by Jim Baranello, CISM, CRISC, MBA

(My apologies for being late in updating this post – grading, etc. has been my focus). Continuing great job on the discussions. Keep up the good work.   You raised most of the important points but let me summarize my view.

Q1: If an outside organization – where would you attack the OTC process? – You suggested several innovative ways to attack the process.  In the end a decision like this would depend on your motives, what your capabilities were vs. known vulnerabilities.

Q2: Who should care more about collections – Sales or Finance?  Many of you pointed out that the sales function often has a conflict of interest in dealing with collections because of their customer focus and loyalty.  Therefore, I believe collections needs to be ‘owned’ by a finance related function.  However, an overzealous and callous collections process can erode customer satisfaction considerably.  There needs to be a cooperative relationship between the finance ‘owner’ of collections and the business and sales organizations to assure appropriate collections policies are in place and to work cooperatively with customers who don’t pay well – there needs to be united messages to the customer.

Q3: Controls domestic vs. international:  You pointed out many of the differences in your discussion.  My experience is that currency, import/export regulations, customs authorities and different shipping modes drive the major differences and depending on a company’s business appropriate control differences are also needed.

Q4: Order to Cash (OTC) Process – what keeps you up at night: This depends some on the  nature of the business you’re working with.  Regardless – I recommend keeping focus on value, $$ related segments of the process (e.g. pricing, invoicing, cash collections)

Always when working with the OTC process, make sure you understand the nature and structure of the business.  The OTC process must relate more than other processes to this nature and structure.

Filed Under: Week 05: Inventory & Shipping Controls

Week 7 Questions

October 10, 2020 by Jim Baranello, CISM, CRISC, MBA

  1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
  2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts.  How much finance and accounting knowledge should  IT personnel supporting business applications know and learn?  Explain
  3. Controls are important to financial and accounting processes.  What would be different in the controls of a purely domestic US company vs. an international company?  Give 1 – 2 specific examples.
  4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works?  What is one (1) specific thing they should know?

Filed Under: Week 07: General IT vs. SAP Controls, Security 1

Student: Control Failure Presentation

October 6, 2020 by Jim Baranello, CISM, CRISC, MBA

Each week as part of our learning, I’ve included at least one Real World control failure example.  Starting in Week 7 (October 17) it will be your turn to continue this learning by contributing your own video presentation of a Real World Control Failure.

You are responsible to:

  • Send me (by e-mail) proposed 2+ alternate weeks when you would like to post your presentation (by October 11).  I’ll prepare a final schedule and publish in the blog’s roster section.
  • Find a real world example of a business process control failure (vs. just a hacking control failure example).
  • Prepare a brief review of the failure.  This PowerPoint (PPT) template contains all the content components / points required in the presentation.
  • In video format, create a presentation of your review / story.  Post that video as a comment to this blog post prior to class time of your week (based on an agreed sign-up schedule).

Note: 5% of the course grade is earned by this project.  Evaluation is based on:

  1. Including the required content components
  2. Clear, concise presentation of the control failure ‘story’ and lessons learned
  3. Originality in presentation of the control failure ‘story’

 

Filed Under: Assignments

Exam 1: Case

October 5, 2020 by Jim Baranello, CISM, CRISC, MBA

As discussed, several of the questions on Exam 1 relate to this real-world like small business case. You are encouraged to pre-read, print, etc. prior to the Exam.

Filed Under: Exams

Exam 1: Take Monday October 9

October 5, 2020 by Jim Baranello, CISM, CRISC, MBA

The first exam of the semester will be conducted by Blackboard (you should see the link when you logon to Blackboard).  The exam is available to take only during the first hour of class on Monday October 9.

Some specifics:

  • Questions relate to course content (on-line and from class) through Week 5 (October 2)
  • Maximum amount of time to complete the exam is 40 minutes
  • Exam is 21 questions (variety of formats i.e. Fill in blank, multiple choice)
  • Some of the questions relate to this real-world like small business case.  You are invited to pre-read, print, etc. prior to the exam.

Filed Under: Exams
