- As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
- As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
- Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
- How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
Tamekia P. says
1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
You need to ensure that the non-Financial function jobs are appropriately restricted and provide access to only the functions and elements necessary within SAP for them to complete their jobs without impacting certain elements.
Scott Radaszkiewicz says
Tamekia, I agree. Restricting access to only the essential things needed to do your job is key. If employees have access to everything in the system, then they can really cause issues. I think it’s also very important to review user roles and rights often. Bob might have worked at one position, then moved to another, but still maintains his rights from the old job function.
Tamekia P. says
2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
While it would be beneficial for IT personnel supporting the business applications to know finance and accounting, it might not be practical to expect that they have a background in accounting/finance. If the business can get them up to speed with the knowledge that is absolutely necessary then the IT personnel can use that training when they need to assist the business.
Tamekia P. says
3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
An example of a control that would need to be different in a purely domestic versus international organization is compliance with local regulations. In the US, the accounting must follow GAAP and international entities would follow IFRS.
Tamekia P. says
4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
They should know how the ERP system is expected to be configured whether the application will be utilized on the internet or on the desktop. They should also know if the application will be available using single sign on.
Tamekia P. says
3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
Another control would be monitoring of shipping rates. There should be a range in place for shipments within the US versus what the shipping would cost in various international locations.
Nathan A. Van Cleave says
1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
For non-financial business functions such as procurement and sales and marketing, segregation of duties, change and access management controls are essential to ensuring risks are appropriately managed. Segregation of duties can mitigate risks by preventing a single person (or a few people) from creating a customer, placing an order, generating an invoice and paying an invoice. Generally a company would want all separate individuals to be involved in those activities.
Change management controls can ensure that any changes in the system or data are approved, implemented, validated, and recorded. Access management controls can be an effective tool in preventing unauthorized access to areas of a system or to specific data by applying the principle of least privilege according to user roles.
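Added example, not part of any participant's post: a small access review that checks the segregation-of-duties chain named above (create customer, place order, generate invoice, pay invoice) and also flags roles a user holds beyond what their current job needs, as in the "Bob changed jobs" case raised earlier in the thread. The role names, job names and user assignments are constructed for illustration and do not come from SAP or any real ERP.

```python
from itertools import combinations

# Constructed role catalogue: role name -> ERP duties it grants (hypothetical names).
ROLE_DUTIES = {
    "sales_rep": {"create_customer", "place_order"},   # conflicting by design
    "customer_master": {"create_customer"},
    "order_entry": {"place_order"},
    "billing_clerk": {"generate_invoice"},
    "cash_application": {"pay_invoice"},
    "warehouse": {"ship_goods"},
}

# Duties from the thread that should each sit with a separate individual.
SOD_CHAIN = ("create_customer", "place_order", "generate_invoice", "pay_invoice")

# Constructed baseline: roles each job function is expected to hold.
JOB_ROLES = {
    "customer_master_data": {"customer_master"},
    "billing": {"billing_clerk"},
    "accounts_receivable": {"cash_application"},
    "sales": {"order_entry"},
}

# Constructed assignments: user -> (current job, roles actually held).
ASSIGNMENTS = {
    "alice": ("customer_master_data", {"customer_master"}),
    # Bob moved from order entry to billing and kept his old role.
    "bob": ("billing", {"order_entry", "billing_clerk"}),
    "carol": ("accounts_receivable", {"cash_application", "warehouse"}),
    "dave": ("sales", {"sales_rep"}),
}


def effective_duties(roles):
    """Union of the duties granted by every role a user holds."""
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES.get(role, set())
    return duties


def sod_conflicts(roles):
    """Pairs of chain duties held by the same user, in chain order."""
    held = [d for d in SOD_CHAIN if d in effective_duties(roles)]
    return list(combinations(held, 2))


def excess_roles(job, roles):
    """Roles held that the user's current job function does not call for."""
    return sorted(set(roles) - JOB_ROLES.get(job, set()))


def review(assignments):
    """Return findings only for users with an SoD conflict or excess roles."""
    findings = {}
    for user, (job, roles) in sorted(assignments.items()):
        conflicts = sod_conflicts(roles)
        excess = excess_roles(job, roles)
        if conflicts or excess:
            findings[user] = {"sod_conflicts": conflicts, "excess_roles": excess}
    return findings


if __name__ == "__main__":
    for user, finding in review(ASSIGNMENTS).items():
        print(user, finding)
```

Carol shows why both checks are needed: she has no segregation-of-duties conflict, yet still holds a role her job does not require.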
Xiaozhou Yu says
Hi, Nathan
I think change management is a good idea, and that works in all departments across the organization. As you mentioned, departments share the same data and documents; access and modification problems should be of concern. Duplicated documents used in different departments might also help, and this can reflect the SOD as well.
Scott Radaszkiewicz says
Nathan, great answer. Change management controls are a key part that I missed when thinking about this. That’s a very important element to this entire process. Often, rights are given to users and no one is double checking why or what they need it for. This can cause some serious issues.
Nathan A. Van Cleave says
2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
IT personnel supporting business applications should be well-versed in financial or accounting related terms and concepts. It is critical that those IT professionals supporting business applications such as ERP or CRM have a sound understanding of the business processes that form the logic for the IT systems. It is involved from the proof of concept, requirements gathering, RFI, design/build/development, implementation, deployment, on through to service and support management. If there isn’t business function knowledge in place on the IT side, the systems designed and implemented will not function effectively and likely will not return value back to the business.
Nathan A. Van Cleave says
3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
The differences in controls between a purely domestic and international company would likely be local laws and regulations. For example, in the US, there may be a specific amount of product (say chemicals) that is allowed to be shipped within the US. However, that same amount may be prohibited (or the chemical altogether may be banned) in a European or Asian country. There would need to be controls in place to trigger if a product has any local regulatory restrictions and to prevent an order accidentally being placed and shipped.
Pascal Allison says
Nathan, great thought.
Having controls to trigger or alert for any violation (regulation and law) is important.
Say packaging/distribution processes a customer order for Liberia, where they accept ONLY 500,000 gallons of chemical per shipment; but distribution processes 5,000,000 gallons – typo. After packaging, it is realized that Liberia ONLY accepts 500,000 gallons per shipment, it will be a reason to counter check the order.
Time, money, and other resources will be saved. There must be some controls to monitor regulatory laws of different countries to avoid violation, as laws and regulations are not common everywhere.
Nathan A. Van Cleave says
4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
It is very important for those responsible for general IT controls to understand how the ERP system works. The significance is reflected in mapping out access management and segregation of duties controls. The more the IT organization supporting ERP understand which roles in the organization should have access to what areas and what level of access each individual should have based on those roles, the stronger and more effective those controls function. Additionally, if access management controls are in an effective state, then there will likely be less segregation of duties issues or at least issues could be identified and remediated more quickly.
James T. Foggie says
1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records.
If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
I would develop detailed corporate and business unit policies and procedures. The policies will be designed based upon industry standards and guidelines set by organizations such as ISACA, AACA, and PCAOB. Policies and procedures are a good start; however, senior leadership support is imperative to ensure adherence to the designed guidelines. Once the policies have been implemented and communicated, annual compliance training should be required to ensure employees sign-off on their understanding of all policies. Lastly, performance appraisals should factor in employees’ comprehension and compliance to these policies and procedures.
Pascal Allison says
James like the approach – policy. That is a great way to set the foundation for business alignment, governance, transformation in meeting the business goals. Everybody understands where they stand and what needs to be done for success.
As I read your response, I thought about segregation of duties and privilege level. Some people can access the information, but cannot modify them. Some people can access and modify, while some people cannot view at all. All these can be policy implementation.
Mahugnon B. Sohou says
James, great post. I agree with you. Nice approach by starting with policies and procedures first. In my post I mostly focused on segregation of duty and access control (role-based access controls), meaning the level of access one person has is based on his role and thus on the level of confidential data needed by someone in that role.
James T. Foggie says
2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
It helps for IT personnel who support the business to have a “working knowledge” of the business. Data center personnel, DBAs, Application Developers and IT Auditors should all either possess a working knowledge of the business they are supporting/auditing; or they should be able to go out and review documentation to develop the level of knowledge needed to complete the tasks they are asked to perform. The absence of “working knowledge” of the business the IT professional is supporting often leads to unpredictable results with respect to the end goal.
James T. Foggie says
3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
The base business unit controls for accounting processes are most likely identical; however, there are most likely additional international controls that need to be added to the baseline control set. For example, when doing business with international companies, additional controls will need to be in place to account for logistics regulations that could lead to fines if not adhered to. Similarly, controls for import/export tariffs will need to be in place to ensure compliance to regulatory requirements.
Another example of controls that must be added solely relating to international business transactions is the European General Data Protection Regulations (EU GDPR). The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA areas.
Nathan A. Van Cleave says
James,
Way to think about Privacy risk and specifically GDPR! With such huge, potentially impactful fines to organizations, companies must take the EU regulation into consideration. A bit off-subject, I heard that the latest Facebook breach will likely net the average UK FB user about £10k, not sure that is 100% true or will be the actual result, but should make companies really focus on privacy.
Mengqiao Liu says
Hi James,
Nice point! The General Data Protection Regulation (GDPR) standardizes data protection law across all 28 EU countries and imposes strict new rules on controlling and processing personally identifiable information (PII). It also extends the protection of personal data and data protection rights by giving control back to EU residents. There are many essential items in the regulation, including increased fines, breach notifications, opt-in consent and responsibility for data transfer outside the EU.
Heiang Cheung says
I didn’t even think of GDPR, but for accounting and finance the US uses a different accounting standard from the rest of the world. We use GAAP and the rest of the world uses IFRS. There are differences in accounting for inventory and other things that would affect the controls you put in place.
Mahugnon B. Sohou says
Hi James,
Great comment. Great point about the General Data Protection Regulation (GDPR). I didn’t think of that as well as your point regarding the fines to organizations for regulation violations. This regulation standardizes data protection law in all European countries and their rules are very strict, so yes this is definitely something that an international company would have to think about.
James T. Foggie says
4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
Once again, professionals who are responsible for IT controls need to have an understanding of the requirements of all applications, systems that depend upon information technology. It is very important that IT professionals have a working knowledge about ERP systems that reside within a company’s IT environment. The main reason I can think of is change control. If IT professionals understand the basic workings, requirements and functionality of ERP systems in their environment, possible conflicts with changes can be identified before implementation; and testing can be made a part of the change process.
The one thing an IT professional should know about an ERP system is its configuration info. It is important to know where an ERP system resides; what backend data repository it utilizes (Oracle, DB2, SQL Server..); what critical files exist; what are the key business resiliency/disaster recovery key configuration items within …
Xiaozhou Yu says
Hi, James
I agree with you that IT people need to understand ERP systems for better support, since ERP is relatively complicated; thorough knowledge and experience will improve the efficiency a lot. And I like the aspects you mentioned, they are basic but essential. Another thing I want to point out is the business knowledge connected with ERP; IT people generally have less understanding of business. Business operations today rely much on ERP and IT people should be updated.
Pascal Allison says
1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
Business (Finance/Accounting) controls need to be aligned for success. All other sections of the business must work together to achieve the business goal. They might work with different mindsets and functionalities; there must be technology and process improvement (alignment, governance, transformation, etc.) to achieve the business goals.
If I am responsible for Finance/Accounting controls, I will spend time on segregation of duties. All non-financial business functions that are involved with the ERP system transaction that post to accounting record will be accessed by ONLY departments that need access for business operations.
2. As we continue to learn about business processes and ERP systems we often discuss financially or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
IT is a completely different world, but IT forms an integral part of an ERP system. It will be good for IT personnel supporting the business application to have some accounting and finance knowledge. It is better to have a knowledge of anything you are working with (developing or maintaining). IT personnel will need general concepts, terminology, etc. to support the business goal. But, it is important that IT personnel develop accounting/finance knowledge as the functionalities deem necessary. The organization can be proactive, but if the need never arises, that will be a waste of resources.
In short, IT personnel should have general knowledge of accounting/finance; and develop/trained as business need arises.
3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
A purely domestic US company and an international company might do some things in common, but some things must be treated differently when it comes to controls.
• Financial: currencies are not the same everywhere. Because of the currency difference, there must be an exchange rate for commonality. For a transaction between Ohio and Pennsylvania, there would not be a reason for currency monitoring (controls) as the currency is USD in both states. For Ohio and Liberia, there must be some controls for transaction completion as the currencies are not the same and the exchange fluctuates.
• Law and Regulations – some laws are common among domestic and international companies, but every country or region has its regulation and law. During an international transaction, there must be controls in place to observe laws, regulations, and conformity.
• In Liberia, there is nothing such as legalizing marijuana. Some part of the world, it exists. If you were to ship Marijuana to Liberia, it could be criminal.
4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
It is very important for people responsible for general I/T controls to know and understand the entire ERP – functionalities. One thing that they must know about the ERP system is the environment of the users. Will the ERP system be used internally ONLY? Will there be external users? Can the user access the system from any location? If so, how much information can internal and external users access from outside the physical location of the system?
Mengqiao Liu says
1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
There may be an operational risk (fraud, misconduct, failure of internal controls or audit systems, natural disasters) or regulatory risk. Improving the segregation of duties and internal control can achieve risk mitigation. Strengthening the policy and procedures can also manage the risks effectively, and security awareness training can effectively reduce social engineering incidents and similar incidents.
Mengqiao Liu says
2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
IT personnel should know about the basic accounting equation, three financial statements (balance sheet, cash flow statement, and income statement), and learn what information is presented in the financial statements. They also need to understand how to use these statements to improve the financial and operational performance for their areas of responsibilities.
Derrick A. Gyamfi says
Beryl,
I agree that IT personnel should know the basic accounting equations, three financial statements (balance sheet, cash flow statement, and income statement), and learn what information is presented in the financial statements. Moreover, as mentioned in my comment, given the frequent interaction with other departments, today’s IT professionals need sound decision-making and strategic-thinking skills. It is also important for IT professionals to be able to see the big picture and understand how the accounting role impacts the overall organization.
Mengqiao Liu says
3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
The difference between a purely domestic US company and an international company is an international company needs to take care of the exchange rate when trading, the commodity prices are more volatile. To mitigate loss when doing international trading, organizations can follow revenue recognition steps. Identifying the separate performance obligations is important. And then determine the transaction price. Allocating the transaction price to the separate performance obligations.
Mengqiao Liu says
4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
Normally ERP systems use the same database throughout an entire company to store various types of data for different computerized functions. The people responsible for general IT controls need to take a step back and think about all of the various processes that are essential to running a business, including inventory and order management, accounting, human resources, customer relationship management (CRM), and beyond. At its most basic level, ERP software integrates these various functions into one complete system to streamline processes and information across the entire organization.
Robert Conard says
1. The most appropriate controls around differentiating between non-financial and financial entries are access controls for authorized employees. To ensure safe use, employees should only be given access to manipulate data in their corresponding departments. Finance employees should be given authorization to manipulate pricing and reporting items while supply chain employees be given authorizations around the shipment and transactional pieces. These authorizations should be mutually exclusive.
Robert Conard says
2. Ideally, IT personnel should know how all the items correspond to each other and the financial sheets they feed into. Since this is not a realistic expectation, these employees should have a relative understanding as to how the items in SAP interact with each other. For example, how the cost and pricing of materials are related. Payment information may be an important piece as well. Since the IT personnel are likely just involved with the maintenance and continual use of the system, the knowledge does not have to mirror the expertise in accounting and finance departments.
Robert Conard says
3. GAAP and IFRS come to mind in terms of the controls around financial pieces domestic and international. For example, companies using IFRS report the income statement according to the size and value of items as opposed to their location and centrality to the organization. This may demand controls around how certain financial pieces are fed into SAP. Specifically, values may combine differently when the software is being used for IFRS reporting vs GAAP.
Derrick A. Gyamfi says
Rob,
GAAP and IFRS came to mind as well when thinking about the differences in the controls of a purely domestic US company vs. an international company. One of the first things that drew my attention was the difference in inventory recording FIFO and LIFO and how this impacts controls in place. Moreover, in doing the SAP assignment I noticed the application control put in place to identify the different holidays in various countries. I think this will be a control in place for international companies that will not be worried about for a domestic company.
Robert Conard says
4. This knowledge is very important as the IT personnel are responsible for including controls around how the departments and systems interact with each other. For example, if an employee implementing controls is not aware of a certain business process (e.g. marketing) it is possible their roles are not defined to a point that is acceptable for them to be considered secure. A marketing employee may find themselves with access to financial items with which they have no familiarity, and could cause a mistake, accidental or intentional.
Folake Stella Alabede says
1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
The best way to manage such risks is through segregation of duties or compensating controls for smaller organizations. When duties are properly segregated and managed/controlled, the risk that comes from non-Financial function jobs can be contained.
Heiang Cheung says
1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
There would be controls in place for all tasks. At the company I work at, we use PeopleSoft. The people that do the requisition and purchase orders don’t really do anything with accounting but enter the expense account for the item they are purchasing, and then it goes to the accounts payable group to have a three-way match, making sure the invoice amount matches the PO and the item has been received in. Once accounts payable is done vouching the invoice they make sure it hit the correct expense account. I think it just comes down to segregation of duties.
Folake Stella Alabede says
3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
One specific example I can think of from studying chapter 8.2 of the AGAS is Foreign Currencies. From an ICS view, most especially for an international company, the maintenance of exchange rates is associated with high risks and therefore deserves special attention. Manual maintenance is viewed as an exception. The import of the file with the currency exchange rate should be sufficiently protected. The scope of the assignment of authorizations for direct maintenance of the exchange rates should also be handled strictly.
Another example I can think of is taxes. Some international merchandise/ orders have heavy duty tariffs on them and are taxed heavily. The controls of an international company should be well designed to calculate proper taxes on import/export duties. From an ICS perspective, the correct valuation and reporting of tax liabilities due to the state or tax authorities is very important.
Scott Radaszkiewicz says
Folake, so very true. Dealing with different currencies and fluctuations in rates is a daunting task. And as I’m reading this, I’m curious on how companies deal with conversion rates, if they have to. I’m sure, many times, the numbers don’t add up. Like converting a dollar and getting $1.124 as an answer. You round to $1.12, and lose $0.004 cents. I’m sure that can add up over time. There must be controls in place to deal with such scenarios.
Heiang Cheung says
2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
I think IT personnel that deal with financials should know the basics of accounting or at least know what the accounting function they support does to the financials. If they don’t know anything then somebody in accounting could just tell them what to do and they’ll just do it. They need to know how it works and the controls that need to be placed.
Heiang Cheung says
3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
The regulations are different, sometimes even more strict, like the European Union. There are different accounting standards around the world. The US uses GAAP and the rest of the world uses IFRS. There is a different way for accounting for inventory and other stuff. I attached a link showing the differences.
https://www.investopedia.com/ask/answers/041715/how-accounting-united-states-different-international-accounting.asp
Folake Stella Alabede says
2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
IT personnel supporting business applications should know enough about financial or account related terms and concepts and then some.
At my organization for example, we have a split Audit team where we have the IT Auditors as well as the business Auditors. IT and business come together and work together to identify business-critical applications and decide on the controls and processes that are critical to the organization and ultimately to avoid material mis-statements, but we also exist and work independently on Audits. As an IT Auditor, I rarely ever come across audits that require me to know in-depth knowledge of financial or account related terms, we (IT audit team) work on application audits, but these I would also not classify as an intensive knowledge of financial/ accounting terms.
However, I know some Auditors who are required to perform both IT and financial/business audits. I think they would need an in-depth knowledge of financial and accounting terms.
How much finance and accounting knowledge IT personnel supporting business applications should know and learn is relative, depending on the structure of a particular organization and its needs.
A lot of IT Audit vacancy/job postings advertise the need for “An IT Auditor with a bachelor’s degree (preferably in Computer Science, information systems, accounting, or finance)”. I have often thought about how someone with a degree in accounting and another in Computer Science is related to the same job vacancy; they are 2 extremely polar opposite degrees, so there has to be some form of inter-related knowledge somewhere.
Heiang Cheung says
4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
I think it’s really important for them to know how the ERP system works because everything is all connected in a way. If a server goes down they need to know how it’s going to affect the people that use that server. The one thing they should know would be the controls that are and should be in place.
Akiyah Baugh says
Hi Heiang,
I agree. It is important that IT personnel know how an ERP system works and have a basic understanding of the data housed in the system. If the server goes down they need to know what information/part of the system is absolutely crucial to the employees’ jobs and the best way to resolve the situation.
Mahugnon B. Sohou says
1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
In order to manage the risk coming from these non-Financial functions jobs I will make sure to implement change and access management controls.
Change management controls will ensure that system changes are properly approved, documented and monitored.
Access management controls would prevent unauthorized access to specific parts of a system by applying a role based access.
I will make sure the non-Financial function jobs are appropriately restricted to ensure risks are appropriately managed. I will also make sure that there is Segregation of duties by preventing one person from creating a customer, placing an order, and generating an invoice.
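The segregation-of-duties rule named in the post above (no one person able to create a customer, place an order, and generate an invoice) can be checked mechanically against role assignments. The following is an added example, not part of the original post; the role names, action names, rule id and users are constructed and hypothetical, not real SAP roles or transaction codes.

```python
# Segregation-of-duties (SoD) check over role assignments.
# All roles, actions and users below are constructed for illustration;
# they are not real SAP roles or transaction codes.

# Hypothetical role -> actions mapping.
ROLE_ACTIONS = {
    "sales_clerk": {"create_customer", "place_order"},
    "order_desk": {"place_order"},
    "billing_clerk": {"generate_invoice"},
    "warehouse": {"pick_stock", "post_goods_issue"},
}

# Each rule is a set of actions that no single user may hold together.
SOD_RULES = {
    "OTC-01": {"create_customer", "place_order", "generate_invoice"},
}

# Constructed assignments; "bob" kept an old role after changing jobs.
USER_ROLES = {
    "alice": {"sales_clerk"},
    "bob": {"sales_clerk", "billing_clerk"},
    "carol": {"billing_clerk", "warehouse"},
}


def effective_actions(roles):
    """Union of actions granted by a role set; unknown roles fail closed."""
    actions = set()
    for role in roles:
        if role not in ROLE_ACTIONS:
            raise KeyError(f"unknown role {role!r}: cannot evaluate SoD")
        actions |= ROLE_ACTIONS[role]
    return actions


def violations(roles):
    """Map each broken rule id to the sorted roles that contribute to it."""
    held = effective_actions(roles)
    found = {}
    for rule_id, conflicting in SOD_RULES.items():
        if conflicting <= held:  # every conflicting action is held
            found[rule_id] = sorted(r for r in roles if ROLE_ACTIONS[r] & conflicting)
    return found


def review_all(user_roles):
    """Detective control: periodic review of existing assignments."""
    report = {user: violations(roles) for user, roles in user_roles.items()}
    return {user: broken for user, broken in report.items() if broken}


def can_grant(user, new_role, user_roles):
    """Preventive control: refuse a grant that would break a new rule."""
    current = user_roles.get(user, set())
    newly_broken = set(violations(current | {new_role})) - set(violations(current))
    return not newly_broken


if __name__ == "__main__":
    print(review_all(USER_ROLES))
    print(can_grant("alice", "billing_clerk", USER_ROLES))
```

The review function is the detective side (run on a schedule against current assignments); `can_grant` is the preventive side, called before a role request is approved.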
Mahugnon B. Sohou says
2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
It would be beneficial for IT personnel to have some finance and accounting knowledge, it is not necessary that they have a background in accounting/finance as long as they are all caught up with the knowledge required to perform their job and assist the business. In addition to that, it would not be a realistic expectation.
Since the IT personnel’s job is mostly to maintain and ensure continual use of the system, the knowledge of the financial data being processed, if required, does not have to be at the same level as what is expected from an expert in accounting or finance.
Mahugnon B. Sohou says
3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
One control that would be different in a purely domestic versus international organization is controls related to compliance with local laws and regulations, GAAP for the US and IFRS for international businesses.
For example, for certain products there would be controls if they have any local regulatory restrictions, and if the company violates those it could be fined.
There could also be additional international controls that need to be added regarding logistics regulations as well as for import/export tariffs regulatory requirements.
Mahugnon B. Sohou says
4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
It is very important for those responsible for general IT controls to know and understand the functionalities of an ERP system.
The main reason being change control and the importance of mapping out access management and segregation of duties controls. If the people responsible for IT controls understand the functionality of ERP systems, they could identify issues related to changes, and effectively control access management and segregation of duty.
The one thing that I think IT professionals should know about an ERP system is its configuration information.
Xiaozhou Yu says
1. As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
There are many non-financial functions, but they definitely have connections with financial functions for the proper business operations. Policies and controls should be involved to ensure the alignment of non-financial and financial functions.
As I found in the SAP exercise, the same documents containing the same information are duplicated for different departments; this is an effective practice of SOD, and connects different business functions. Also, another internal control I think should work well in this situation is the reporting procedure. Departments in charge of financial and non-financial functions should all report on their operation process periodically for auditors’ review. This will help auditors perform effective auditing and problem detecting.
Xiaozhou Yu says
2. As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
Business financial and accounting functions are strongly supported by technology. IT personnel as operators of technology should understand business knowledge to provide effective supports.
For example, general terms used, key functions, basic rationale, and overall business concepts. IT people cannot just be experts in technology, but also need to understand how business is operated and how finance and accounting functions are processed.
Xiaozhou Yu says
3. Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
US domestic firms need to follow specific standards such as FASB and GAAP for finance and accounting operations; also, the controls are easy to apply and manage across different organizations when a company is doing business domestically.
However, while doing business with an international company, they need to operate business functions under different standards depending on the country of the company they are working with. For example, in China, there are Chinese Accounting Standards (CAS). The good thing is CAS is now largely replaced by IFRS, which is easier for US companies to work with. Still, there are many conflicts like time zone, exchange rate and customs regulations, to which it is hard for companies to apply any controls.
Xiaozhou Yu says
4. How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
An ERP system is operated based on technology across the departments within an organization. IT people need to understand the structure and functions of ERP to provide effective support for the general operation of the ERP system. For example, key modules, the departments connected with them, and the key processes operated. It will help them provide efficient and effective solutions when a specific part goes wrong, and save the business function execution.
Akiyah Baugh says
As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
You can help lessen the risks coming from the non-financial functions jobs by putting more controls (checks & validation) in place, ensuring employees are properly trained, and by enforcing proper security access/clearance.
Akiyah Baugh says
As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
I think IT personnel supporting business applications should know enough about the business process/application to secure the application and prevent employee fraud as much as possible. They should be trained on how information is entered (basic controls) and problem areas.
Akiyah Baugh says
Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
– Invoicing practices would be different for domestic and international companies. They would both have to take into account taxes and time zones, but an international company would also have to take tariffs and currency into account as well.
– Domestic companies may have to honor an international country’s accounting (billing, collecting debt, etc.) rules if they differ from the US.
Akiyah Baugh says
How important is it for people responsible for general I/T controls (e.g. Network, workstation, Server and data base security) to know about how the ERP system works? What is one (1) specific thing they should know?
As I touched upon in question #2, I think it is important for IT personnel to know how an ERP system works. I think IT personnel should be familiar with the business process and have at least a basic understanding of how the ERP system works. How can they support the system and lessen the security risks to the ERP system if they don’t understand how it works?
Scott Radaszkiewicz says
Question 1: As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?
I would ensure good controls are in place to account for these transactions, and that there was sufficient segregation of duties. While the accounting department might not be involved with picking stock off the shelf, packaging and shipping, it would be good for them to audit the inventory, so that nothing is being stolen. A second review of the numbers always helps to deter theft.
Scott Radaszkiewicz says
Question 2: As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
I think the answer could vary, depending on what area of IT you are working in, but I think at the very least every IT person supporting an ERP system should have a basic understanding of finance and accounting principles. If you are an IT support person responsible for assisting employees with the use of the software, then you would probably require a much more in-depth knowledge of these principles. If Scott calls with an issue that an invoice is not posting correctly, then you’ll need the expertise to understand the issue and solve the problem. If you’re the network administrator of the company, you might not need as much knowledge. But it will be helpful to understand the roles of people, i.e. what they actually do at their job. So when Bob from accounting is hired, you understand all of the resources that he will need to be given in order to accomplish his job.
Scott Radaszkiewicz says
Question 3: Controls are important to financial and accounting processes. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.
A purely domestic company would only have to ensure compliance with US laws and regulations. An international company would have to ensure compliance with the laws and regulations of each country they conduct business with. Something as simple as shipping: you have to ensure that you are not shipping something that is illegal to import into a country. Let’s take China for example. Let’s say you have a small online cigar store. China prohibits the import of matches, so you would need to have controls in place to ensure that you did not send one of your company logo matchbooks with any orders to China.
Scott Radaszkiewicz says
Question 4: How important is it for people responsible for general IT controls (e.g. Network, workstation, Server and database security) to know about how the ERP system works? What is one (1) specific thing they should know?
It is very important for IT personnel to understand how the ERP system is set up and works. For instance, let’s say you’re the database administrator. You will most likely be responsible for provisioning the resources needed for an employee to do their job. Hopefully, the organization sets security profiles up so that the least amount of access is given. Meaning, only the necessary security access rights are given for the person to complete their job function, no more, no less. This helps to prohibit a user from intentionally or accidentally accessing data they should not have rights to. In order to accomplish this correctly, the IT person must have a very in-depth knowledge of the system.
Nauman Shah says
1: There are certain business functions and user IDs for those functions that are considered very high risk. In case of SAP, associates that are part of the basis team have privileged accounts that enable them to add, remove or edit the user access for current users. One way to manage the risk from privileged IDs is to log their activities and review the logs periodically, because just logging itself doesn’t mean anything, if nobody is reviewing those logs.
Nauman Shah says
2. The degree of financial knowledge needed obviously depends on the type of IT job, but most IT folks have to be somewhat educated in Finance and business to properly perform their job functions. Every IT function is driven by a business process; as a matter of fact, the purpose of IT is to serve the business objectives and you can’t serve the business if you don’t understand it.
Nauman Shah says
3. The main difference would be in internal controls. In the US, internal controls over financial reporting are driven by SOX; in other countries there could be other regulations that provide guidance on internal controls over financial reporting (ICFR). Other security regulations like the Gramm-Leach-Bliley Act (GLBA) in the US, which regulates the way financial institutions deal with the private information of consumers, might not exist in other countries or may be driven by a different regulation. On a similar note, privacy regulations like GDPR do not apply to US nationals and so US companies that are purely domestic would not have to worry about it.
Nauman Shah says
4. People responsible for IT general controls should know the authentication method for ERP, whether it’s single sign-on or requires a dual layer of authentication. On a more granular level, IT professionals need to know what functions can be performed from different user roles, so that they are able to do their due diligence when provisioning these user roles to people. Provisioning of user roles obviously has to be authorized by the user’s manager, but it just adds an extra layer of assurance.
Derrick A. Gyamfi says
Internal controls play an integral role in a company’s success. Internal controls are the processes, checks, and balances that need to be put in place as a business grows. Internal controls can relate to any aspect of your business, from human resources to IT. Internal controls in accounting are critical and are used for safeguarding assets.
If I was responsible for Finance/Accounting controls, I would mitigate risks presented by non-financial roles by implementing robust internal controls specifically segregation of duties.
Having a system of internal controls, including a segregation of duties, matters because as much as you trust these other functions to do their work efficiently, it allows for that extra level of security if something was to go wrong.
Derrick A. Gyamfi says
IT personnel supporting business applications should have a moderate understanding of finance and accounting knowledge. Given the frequent interaction with other departments, today’s IT professionals need sound decision-making and strategic-thinking skills. It is also important for IT professionals to be able to see the big picture and understand how the accounting role impacts the overall organization.
Moreover, every role requires accounting and finance skills to some degree, whether it’s understanding of how these applications impact the bottom skills or finding ways to improve business processes specific to accounting application functions. If you’re looking to climb the career ladder, then developing general business management skills should be an absolute priority. Practical training and coaching are particularly effective, especially if the learner is supported when they come to apply those skills, either through one-to-one coaching or via a supervised network.
Derrick A. Gyamfi says
It is very important for people responsible for general IT controls to know about how the ERP system works. There is no arguing — nor should there be — that the IT department plays an integral role in ERP implementations. These are the men and women who are the masters of the technical side of the system, handling configuration, customization and all the other complicated stuff that the corporate suits have incredibly little to do with — and that the system can’t run without.