
ERP Systems

Auditing Controls in ERP Systems - 2019


MIS 5121.401 ■ Fall 2019 ■ Jim Baranello, CISM, CRISC, MBA

Week 14: Character vs. Controls Wrap-up

December 12, 2020 By Jim Baranello, CISM, CRISC, MBA

Continuing great job on the discussions.  I appreciate your responses and I learn from you.  You raised most of the important points but let me summarize my view.

Q1: How much automation of controls is best? When should they be introduced? Automated controls are ideal but not always possible or cost effective (e.g. complex scenarios or decision making). My experience is to leverage automation where possible and easily implemented.

As many of you pointed out, ‘baking in’ the controls from the start is the easiest and most cost effective. However, they will be added to as an organization grows, changes, etc. Also, as the process matures and the external world changes you need to respond.

Q2: Describe the character of the leaders involved in the Real World control failures we reviewed.   The words you used I agree with: Arrogant, greedy, above control (‘absolute power corrupts absolutely’), self-interested, self-preservation response to pressures, etc.

These leaders were not necessarily ‘bad’ leaders – many were very effective in accomplishing the goals of their organization. However, good leaders can have ‘bad’ character. Creating a climate of controls needs to balance (e.g. SOX-type regulations) when this character drives illegal, immoral, or unethical behaviors.

Q3: A person’s character is very crucial in the audit industry.  How would you build your reputation and maintain a good ethical character in this industry?  This is something you have to do yourself.

I appreciate how Paul phrased it: ‘IT Governance: which is to “do the right thing, the right way”. Character is doing the right thing because it is the right thing to do.’ Integrity goes beyond the skills you have or knowledge of right things, but always doing the right things.

This integrity requires personal courage to stand up and be independent in our ‘end justifies the means’ world.

Q4: SAP’s GRC module may be important and effective, but can the cost of GRC be justified?

You all outlined in some detail what’s in this functional tool. However, in making the decision where to use it, you must weigh GRC’s costs vs. the cost of implementing controls other ways (often higher) plus the cost of not having needed controls or strength of controls in place.

 

Thanks for all your work in the participation blog this semester.   I trust it helped your learning.  Also remember to: do the right thing because it is the right thing to do.

Team Member Evaluation (Optional)

December 10, 2020 By Jim Baranello, CISM, CRISC, MBA

All members of a team receive the same points for the exercise submissions. If you feel that one or more members are not doing their fair share, please do the following 2 things:

  1. Send email to all members of your team (cc me) indicating that you will be submitting a team member evaluation form. This step gives all members of the team the option of completing a form.
  2. Complete and submit the following form to me by email.

All responses will be kept confidential. 

 

Click Here for the Team Member Evaluation Form

Welcome to MIS-5121 – Beijing-BNAI!

December 6, 2020 By Jim Baranello, CISM, CRISC, MBA

Introduction

Welcome to ITACS 5121, Auditing Enterprise Resource Planning Systems!

This course presents the fundamentals of ERP Systems, the business processes they enable and the controls necessary to assure they work properly. You will learn:

  • The basic business processes that ERP systems support
  • How these processes are implemented with ERP systems and
  • How to secure and control the processes and systems for the integrity, confidentiality, authenticity and reliability of information.

By examining how an organization can secure and control its ERP systems with an effective control environment, we understand how to enable and maintain the integrity, confidentiality and reliability of information required for regulatory, operational and financial expectations.

Before you begin the course, please take a few minutes to review the course format, and the syllabus items.

If you are new to the MIS Community Site or the Canvas Learning Management System (LMS), you may want to begin with this video.

  • First, review the course objectives, which enumerate what you will be learning in this course.
  • Second, review the list of required text and reading materials.
  • Third, review the grading and course policies.
  • Fourth, review the course schedule, which shows the topics, reading, assignments and assessments throughout the duration of the course.
  • Finally, begin the first learning module, which includes an instructor introduction, followed by an introduction to the course material.

If you have any questions or concerns, please contact me: James.Baranello@temple.edu

http://community.mis.temple.edu/mis5121sec401fall2019/

Exercise 1 (P2P) Due September 24 (change)

September 12, 2020 by Jim Baranello, CISM, CRISC, MBA

Reminder: Exercise 1 – Procure to Pay Process is due (via e-mail to professor) on Sunday September 24 (changed from Thursday September 21) at 11:59 pm.

Filed Under: Assignments

Week 3 Questions

September 6, 2020 by Jim Baranello, CISM, CRISC, MBA

  1. The concept of ‘Assertions’ is important to accountants.  Who else is it important to?  Why?
  2. In class we discussed several dimensions of Management Assertions.  Which do you believe is the most important?  Why?
  3. Have you ever:
    – Been victim of Fraud?
    – Had evidence of, suspicions of fraud occurring?
    – Been pressured (e.g. by an employer) to commit an act that was morally or legally questionable?
     Explain
  4. Which portion / step of the Procure to Pay process do you see as the most vulnerable to theft, fraud or failure of some kind? Explain

Filed Under: Week 03: Fraud, P2P Controls

Week II – Lessons Learned

September 6, 2020 by Jim Baranello, CISM, CRISC, MBA

WorldCom Organization

  • Corporate Shared Services
  • 4 Divisions:
    • North America [including: Canada], South America
    • Asia/Pacific
    • Eastern/Western Europe
    • Africa
  • Role of:
    • Board of Directors
    • Audit Committee
    • Internal Audit
      • Technology
      • Financial
      • Operational
    • External Audit [Arthur Andersen]
    • C-Level Suite [i.e. CEO, CFO, CIO, COO, etc.]
  • Big 4 [EY, PwC, KPMG, D&T] Services Rendered:
    • Audit Assurance
    • Taxes
    • Legal
    • Actuarial Services
    • Information Security
      • Due to Enron / WorldCom Big 4 cannot cross-sell
    • Corporate Fiduciary Responsibility
      • Role of Compliance / Operational Risk
      • Role of Audit
      • Role of General Counsel [Legal]
      • Today’s Role of C-Level Suite
        • Post Sarbanes-Oxley, CIO signs off on Annual Report

Filed Under: Week 02: Business Process; Assertions

Week 2 – Questions

August 30, 2020 by Jim Baranello, CISM, CRISC, MBA

  1. Describe a business process you have experienced (either as an external or internal participant) and what your role was.
  2. The Sarbanes-Oxley Act in the US and many similar laws in other countries were enacted as a result of high profile control failures. Are these laws a sufficient reaction to the failures or are they an overreaction? Explain.
  3. In your own words, how would you define a control environment?
  4. Describe a real life example of a company’s profitability-driven controls. What are the differences between a compliance-driven vs. a profitability-driven control?

Filed Under: General, Week 02: Business Process; Assertions

What to do this week (and all future weeks)

August 29, 2020 by Jim Baranello, CISM, CRISC, MBA

I want to go over your weekly activities a second time to make sure there is no confusion.

  • Via the Schedule menu watch the video lecture (if any), read the assignments and explore the additional materials for the week.
  • Each Tuesday (am) you will find a post of ~ 4 questions about that week’s readings and other content.
  • After finishing the videos, readings and other content, write a one or two paragraph comment on at least one (1) of the posted questions. Comment by selecting the Leave a Reply option at the bottom of my post on the course blog (the Leave a Comment link also works). Replies are due by 11:59 pm Sunday.
    (Note: I must approve your first reply or comment so don’t expect to see it right away. After that it will be automatic.)
  • Once everyone’s reading comments are on the blog, I expect you to read them over and comment on them. Comments need to be posted on the class blog before 11:59 pm on Sunday.
    Note: Four (4) substantive comments each week are considered a B.
  • Class (Monday)
  • I may post a summary note (if any) on Tuesday

To learn the material well you need to be actively engaged in the online discussion. Check it out and contribute every day. If you have questions, put them in a post or reply online so that everyone can see the answer. If you find yourself confused, call me and we will talk about it (609.206.9783).

Filed Under: General, Week 01: Introduction, Week 02: Business Process; Assertions

What You’ll Learn, How to Succeed

August 26, 2020 by Jim Baranello, CISM, CRISC, MBA

Attached document contains feedback from prior classes on these questions:

Why Should I Take this Course? (What Key Things will I Learn?)
What Should I do to Assure Getting a Good Grade in this Course?
Note: Items I heard more often are bolded and made larger (larger means more commonly shared).

 

Filed Under: General

Discussion Week 1

August 25, 2020 by Jim Baranello, CISM, CRISC, MBA

WELCOME TO MIS-5121 [SECTION 401] – ENTERPRISE RESOURCE PLANNING!!!

I’m Professor Jim Baranello [JB] and I look forward to a collaborative, inclusive, online learning environment for all.

Our class will be held each Wednesday beginning on August 29th in Room 606 [TUCC – 1515 Market Street, Philadelphia].

Safe Travels,

JB

Filed Under: Week 01: Introduction

Welcome to ITACS 5121, Auditing Enterprise Resource Planning Systems!

August 3, 2019 by Jim Baranello, CISM, CRISC, MBA

Course Description:

This course presents the fundamentals of ERP Systems, the business processes they enable and the controls necessary to assure they work properly. You will learn:

  • The basic business processes that ERP systems support
  • How these processes are implemented with ERP systems
  • How to audit SAP through: techniques, methodology, and execution, and
  • How to secure and control the processes and systems for the integrity, confidentiality, authenticity and reliability of information.

Course Objectives:

  • Understand business processes and their role in the functioning of an organization.
  • Explain what ERP systems are and practice (using SAP) their use to support business processes.
  • Demonstrate the relationship between business process operational risks (including fraud) and the resulting integrity, confidentiality and reliability of information.
  • Demonstrate IT audit techniques, methodology and execution.
  • Appraise and prioritize real world business process operational risks and recommend compensating controls to address the risks. Includes the fundamentals of ERP system controls, security, analysis of segregation of duties (SOD) risks and specifying how to manage them.
  • Understand ERP System development and system operation risks and recommend compensating controls.

Filed Under: General
