
ERP Systems

Auditing Controls in ERP Systems - 2019

MIS 5121.401 ■ Fall 2019 ■ Jim Baranello, CISM, CRISC, MBA

Week 14: Character vs. Controls Wrap-up

December 12, 2020 By Jim Baranello, CISM, CRISC, MBA

Continuing great job on the discussions.  I appreciate your responses and I learn from you.  You raised most of the important points but let me summarize my view.

Q1: How much automation of controls is best? When should they be introduced? Automated controls are ideal but not always possible or cost effective (e.g. complex scenarios or decision making). My experience is to leverage automation where possible and easily implemented.

As many of you pointed out, ‘baking in’ the controls from the start is the easiest and most cost effective. However, they will be added to as an organization grows, changes, etc. Also, as the process matures and the external world changes you need to respond.

Q2: Describe the character of the leaders involved in the Real World control failures we reviewed.   The words you used I agree with: Arrogant, greedy, above control (‘absolute power corrupts absolutely’), self-interested, self-preservation response to pressures, etc.

These leaders were not necessarily ‘bad’ leaders – many were very effective in accomplishing the goals of their organization. However, good leaders can have ‘bad’ character. Creating a climate of controls needs to balance (e.g. SOX-type regulations) when this character drives illegal, immoral, or unethical behaviors.

Q3: A person’s character is very crucial in the audit industry.  How would you build your reputation and maintain a good ethical character in this industry?  This is something you have to do yourself.

I appreciate how Paul phrased it: ‘IT Governance: which is to “do the right thing, the right way”. Character is doing the right thing because it is the right thing to do.’ Integrity goes beyond the skills you have or knowledge of right things, but always doing the right things.

This integrity requires personal courage to stand up and be independent in our ‘end justifies the means’ world.

Q4: SAP’s GRC module may be important and effective, but can the cost of GRC be justified?

You all outlined in some detail what’s in this functional tool. However, in making the decision where to use it, you must weigh GRC’s costs vs. the cost of implementing controls other ways (often higher) plus the cost of not having needed controls or strength of controls in place.

 

Thanks for all your work in the participation blog this semester.   I trust it helped your learning.  Also remember to: do the right thing because it is the right thing to do.

Team Member Evaluation (Optional)

December 10, 2020 By Jim Baranello, CISM, CRISC, MBA

All members of a team receive the same points for the exercise submissions. If you feel that one or more members are not doing their fair share, please do the following 2 things:

  1. Send email to all members of your team (.cc me) indicating that you will be submitting a team member evaluation form.  This step gives all members of the team the option of completing a form.
  2. Complete and submit the following form to me by email.

All responses will be kept confidential. 

 

Click Here for the Team Member Evaluation Form

Welcome to MIS-5121 – Beijing-BNAI!

December 6, 2020 By Jim Baranello, CISM, CRISC, MBA

Introduction

Welcome to ITACS 5121, Auditing Enterprise Resource Planning Systems!

This course presents the fundamentals of ERP Systems, the business processes they enable and the controls necessary to assure they work properly. You will learn:

  • The basic business processes that ERP systems support
  • How these processes are implemented with ERP systems and
  • How to secure and control the processes and systems for the integrity, confidentiality, authenticity and reliability of information.

By examining how an organization can secure and control its ERP systems with an effective control environment, we understand how to enable and maintain the integrity, confidentiality and reliability of information required for regulatory, operational and financial expectations.

Before you begin the course, please take a few minutes to review the course format, and the syllabus items.

If you are new to the MIS Community Site or the Canvas Learning Management System (LMS), you may want to begin with this video.

  • First, review the course objectives, which enumerate what you will be learning in this course.
  • Second, review the list of required text and reading materials.
  • Third, review the grading and course policies.
  • Fourth, review the course schedule, which shows the topics, reading, assignments and assessments throughout the duration of the course.
  • Finally, begin the first learning module, which includes an instructor introduction, followed by an introduction to the course material.

If you have any questions or concerns, please contact me: James.Baranello@temple.edu

http://community.mis.temple.edu/mis5121sec401fall2019/

Exercise 2 (OTC) Due October 12

October 3, 2020 by Jim Baranello, CISM, CRISC, MBA

Reminder:  Exercise 2 – Order to Cash Process is due (via e-mail) on Thursday October 12  at 11:59 pm.

Filed Under: Assignments

Week 5 Wrap-up: Inventory and Shipping Controls

October 3, 2020 by Jim Baranello, CISM, CRISC, MBA

Continuing great job on the discussions.   You raised most of the important points but let me summarize my view.

Q1: Fraud Triangle on ‘One Piece at a Time’ video: Opportunity – it’s obvious the workers were confident in the opportunity to take various car pieces (one piece at a time); Incentive – a ‘free’ car; Rationalization – it’s a large company that won’t miss the parts.

Q2: For the ‘One Piece at a Time’ video scenario – what should the operations manager do?  You shared some good ideas.  From a risk perspective I would recommend focusing on changes to prevent the large parts from being stolen (how does a transmission leave the plant unnoticed?).  However, some cultural change actions may also be supportive (and needed).

Q3: In shipping – what controls are different in a purely domestic vs. an international company? Many differences were noted. In my experience, the key differences are currency, languages, different logistics options (e.g. ships), import-export regulations, expanded paperwork requirements, and customs authorities as an added interested party. The added complexity is often outsourced by companies to freight forwarders and import brokers.

Q4: What 1-2 less obvious inventory control measures are used with us as consumers? Are they effective? The anti-theft, anti-shoplifting measures you all mentioned are very common. They seem effective to me.

 

 

Filed Under: Week 05: Inventory & Shipping Controls

Exam 1: Coming up October 9

September 30, 2020 by Jim Baranello, CISM, CRISC, MBA

A reminder that the first exam of the semester will be conducted by Blackboard and must be completed during the beginning of class time.

Some specifics:

  • Will include course content (on-line and from class) through Week 5 (October 2)
  • Test will be conducted via Blackboard – you must complete during the first hour of class time on Monday October 9. (remainder of class will start at 6:30 pm EST)
  • Maximum amount of time to complete the exam is 40 minutes
  • Exam will be approximately 21 questions (variety of formats, i.e. fill in blank, multiple choice)
  • Some of the questions relate to a real-world-like small business case. I’ll publish the case, which you can pre-read, print, etc., Tuesday prior to the exam.

Filed Under: Exams

Week 6 Questions

September 27, 2020 by Jim Baranello, CISM, CRISC, MBA 15 Comments

  1. Assume you’re an outside organization with the goal of causing negative things to happen to an organization’s Order to Cash (OTC) process. Where would you attack it? Explain why and how.
  2. Who in an organization should care more about the collections process – Finance or Sales?  Explain 
  3. Controls are important in all the OTC processes including invoicing and collections.  What would be different in the controls of a purely domestic US company vs. an international company?  Give 1 – 2 specific examples.
  4. You’ve now seen the entire Order to Cash (OTC) Process.  If you were responsible for the controls of this process – what would keep you up at night (e.g. be your area of most concern)?  Explain 

Filed Under: Week 06: Invoicing & Collection Controls

Week 4 Wrap-up: OTC Process, Types of Controls

September 26, 2020 by Jim Baranello, CISM, CRISC, MBA

I apologize for the incomplete post earlier – it’s been quite a week personally.  Good comments and discussion last week. You raised the key points but let me share my thoughts.

Q1: Who has a ‘great’ OTC process – as expected you shared several companies’ excellent OTC processes that you’ve experienced. However, most were in the consumer market. There are many companies in Business to Business (B2B) markets as well who have excellent OTC processes.

Q2: Which portions of OTC process are most vulnerable – You shared some good examples and reasons.  There are vulnerabilities in every portion of the OTC process.  I believe however that the highest risks exist where the highest values are involved.  That may be the shipping portions of the process for example if you’re shipping high value materials (e.g. precious metals).  More frequently these risks exist in the portions of the process dealing with pricing, invoicing and cash collections.  It’s always important to understand the business and the details of the business process when analyzing risks.

Q3: Who should ‘own’ OTC Process controls – I firmly believe that an executive or senior level manager should be the ‘owner’ (person ultimately responsible) for the process. That person may not know the details of the process, risks and controls. However, they need to manage the people who do understand the details and have enough experience or knowledge to truly be responsible for the control structure and culture. The CIO or CFO, in my view, aren’t the best owners for the OTC process (see next comment). Ask me sometime to share with you my experience of being this ‘owner’ for a fairly large company without the position and clout of being an executive or senior manager.

Q4: Competencies of OTC Process Owner – You mentioned some good examples in your answers.  In my opinion the key competencies are:

  • Focus on the Customer – the customer needs to be the key focus of the process. The process must exist to help / support create value for the customer which in turn brings value to the organization.
  • Basic understanding of the process, its key risks and controls. In my opinion it’s difficult to manage something you have no basic knowledge of.
  • Ability to lead and desire to recognize and make critical decisions (often with limited or conflicting information).

Extra Post: Wells Fargo Fraud – I agree with the sense of frustration and outrage many of you shared. If I were on the board, I’d be calling for the CEO’s resignation. However, I had an interesting conversation with a person who worked in the banking industry this week who shared how the extent of the fraud could have remained under the radar of senior management. If you’re interested, ask me in class to share what I learned.

Filed Under: Week 04: OTC Process, Types of Controls

In the News: Fraud in Sales Process

September 21, 2020 by Jim Baranello, CISM, CRISC, MBA

Couple of links Re: the recent Wells Fargo fraud / control failure

Link 1     Link 2

Alternately, this week you may answer one of these questions:

  • How could this happen in the world of Sox and other regulations?
  • What should the CEO do now?  Resign?  Explain

 

Filed Under: General, Week 04: OTC Process, Types of Controls

Week 5 Questions

September 19, 2020 by Jim Baranello, CISM, CRISC, MBA 10 Comments

  1. Using the Fraud Triangle analyze the ‘One Piece at a Time’ video scenario and explain how the environment was favorable to Fraud.
  2. Assume the ‘One Piece at a Time’ video scenario could happen. If you are the operations manager responsible for the assembly line, what 1-2 key controls would you implement? Explain how the control addresses the risk.
  3. Controls are important in all the OTC processes including shipping. What would be different in the controls of a purely domestic company vs. an international company? Give 1 – 2 specific examples.
  4. As consumers we encounter (knowingly and unknowingly) inventory controls all the time (e.g. locked jewelry cases). What are 1-2 less obvious inventory control measures used? Are these measures effective?

Filed Under: General, Week 05: Inventory & Shipping Controls

Week 3 Wrap-up: Fraud, P2P Controls

September 19, 2020 by Jim Baranello, CISM, CRISC, MBA

Great discussion this week.  You raised all the important points but let me share my thoughts.

Q1: ‘Assertions’ are important to who?  You shared many good scenarios and examples.  In my view, assertions are important to anyone who uses information provided by a company.  Whether those relying on the information are inside or outside the company, unless assertions / controls are in place they can’t count on the information.  We’ve talked mostly about financial information, but the veracity of non-financial information also requires assertions / controls.

Q2:  Which dimension of Management Assertions do you believe is the most important?  In my view, all the dimensions are of some value.  The industry and type of business can significantly impact the varying risk associated with each dimension.

Q3: Have you ever been victim of fraud? Thanks for sharing your own personal and in some cases emotional stories. I hope you agree with me that fraud is real in our world today and adequate controls are necessary to address the risks. The fraud triangle is an effective tool for analyzing risk scenarios – especially those of high risk.

Q4: Which step of the P2P is the most vulnerable?  Risks exist in every step of the process.  However, I believe the early and payment steps are the most vulnerable.  The vulnerability exists because the early steps relate to the value of the transaction and the payment step is where the $$ changes hands.  Because of the wide variety of different P2P scenarios, it’s a challenge to identify all the risks and effectively put controls in place to address.

I trust you see, from our discussions in class and these questions, how important assertions and their related controls are. For the remainder of class we’ll be exploring risks and related controls in various processes and scenarios.

Filed Under: Week 03: Fraud, P2P Controls

Week 4 Questions

September 13, 2020 by Jim Baranello, CISM, CRISC, MBA 13 Comments

  1. As customers we experience various companies’ order to cash (OTC) processes whenever we buy something. Which company do you believe has a ‘great’ OTC process? Why?
  2. Which portion of the Order to Cash (OTC) process do they see as the most vulnerable to theft, fraud or failure of some kind? Explain.
  3. Who in a company should be responsible for the controls of that company’s Order to Cash (OTC) Process?  Why?
  4. What key (1-2) competencies does the person responsible in a company for the Order to Cash (OTC) need to have?  Why?

Filed Under: Week 04: OTC Process, Types of Controls

Week 2 Wrap-up: Business Processes, Assertions

September 12, 2020 by Jim Baranello, CISM, CRISC, MBA

Great job on the discussion.  This is what I want to see every week.   I think you raised all the salient points but let me summarize and share my views.

Q1: Business Process Experiences:  You have experience with a lot of different processes across a large number of industries, markets and settings.  A couple observations common to each example:

  • Processes are almost always comprised of a number of steps – sometimes a lot of steps (depending on level of detail provided)
  • The steps are usually executed by different people and usually different functions within an organization.  It’s often the handoffs between people and organizations that cause problems and inefficiencies.

Q2: SOX Laws – are they sufficient reaction or overreaction?  Great discussion.   My view is that the laws & regulations have had an effect because there have been fewer major control failures like Enron, Worldcom, etc. in the past.   The laws have sharpened the accountability of top level executives and management.  However, organizations must spend lots of $$ and it’s a lot, lot of work to develop and maintain the control system and discipline necessary to execute them.

Q3: Define a control environment:  Some great definitions – although I suspect internet search tools helped.  Couple of my comments related to the discussions:

  • The company culture and the tone set by senior management has a role in establishing a company’s control environment.  I’ll share a personal story from my experience about this in class.
  • The proper culture, tone and discipline necessary to support the control environment can’t just come from the top brass / executives. It has to flow through to front line managers to be truly effective. The challenge is how to maintain the alignment between senior management and front line managers.
  • We’ll learn more about this topic (in some detail) later in this class and your final exercise.

Q4: Differences between compliance-driven vs. profitability-driven controls: Both types of controls are important to the success of an organization. Compliance controls are basic requirements for a company (necessary to operate legally) while profit controls support the ultimate goals and level of ‘success’ for a company. Although the focus of compliance vs. profit controls is different, sometimes the same methods / means can be used to support both.

This coming week we will look more deeply at the Procure to Pay (P2P, PtP, Procurement process – I use the terms interchangeably) as well as the link between risks and financial assertions.

Filed Under: Week 02: Business Process; Assertions
