I have changed the due date for Exercise 3 (Journal Entries) from Thursday until Saturday October 28 at the end of the day.
Note: this is a group exercise. Only one submission file (spreadsheet) is due from each team.
Auditing Controls in ERP Systems - 2018
Continuing great job on the discussions. Keep up the good work. My summary view is:
Q1: Do businesses rely too much on security administrators vs. security of the entire network? Most of you highlighted the network being the highest risk. I tend to agree with you – as in today’s computer environments, the network gets you in the door. Nevertheless, it’s important to manage all areas of security and make sure even the administrators are using state of the art practices and techniques. Risks are everywhere.
Q2: Why only have one posting period open at a time? As you pointed out, this is mainly to prevent errant postings in the wrong month. It also supports the discipline of making sure when events occur in the real or physical world, the corresponding transaction(s) occur in the ERP system.
Q3: What’s the most important finance / accounting control? …authorization control? Some good discussion on this question. I would have preferred you using my list to prioritize but most of you didn’t have that list due to my late posting of the video. My experience is that documented policies & procedures with strong reconciliation and auditing that they are followed is critical. Focus as usual on the high value and high risk items.
Q4: Have you experienced difficult, cumbersome, … security problems? Thanks for sharing some great stories of your real experiences. Most of you highlighted password headaches. Regardless, it’s important to understand the end results of what users are actually doing (law of unintended consequences). If you lock down the process tight so everyone writes the password down on their screen – in the end you have poor security. In the end, a balance is necessary – is the complexity worth the headache? However, who gets to set balance is usually someone at the top of the organization.
As a result of some questions raised in class I have added some clarifying comments in the assignment. The comments are on page 9 in the previous events section. Note the changes in bold below.
The updated Exercise 3 Guide is here and also posted on the assignment page.
Date | Description of Event
January 1, 2008 | Production Machinery, Equipment and Fixtures were placed in service. They are expected to last 15 years with no salvage value.
July 30 | Payment for GBI’s advertisement in the English language edition of Italian Cycling Journal. Advertisement to run in six consecutive monthly publications starting in August. Assume this is the extent of GBI’s prepaid advertising.
December 22 | Windy City Bikes in Chicago, IL invoiced $22,000 for bicycle accessories from GBI. The terms of payment for Windy City’s order are 2 / 20 net 60 days (in layman’s terms this means 2% discount if paid in 20 days and net open receivable is due in 60 days).
Below is a brief bio of our guest lecturer on Monday (October 23)
“Steven Yannelli is a recognized leader in SAP application security who has worked in ERP security for the past 15 years. For six years, he managed the largest international SAP implementation to date (at Walmart) and has been a consultant with Deloitte & Touche and PriceWaterhouseCoopers. He is also a US Army combat veteran who served as a Captain and Commanding Officer within the 56th Stryker Brigade Combat Team. He deployed to Iraq from 2008-2009 where he managed a secure communications network.
Steven holds a CISSP certification and a graduate degree from Drexel University. He is now a Senior Manager at CSL Behring and currently leads their global SAP security and consulting teams across four countries.”
Continuing great job on the discussions – I appreciate the growth you’ve shown in the quality and substance of the comments. Keep up the good work. You raised most of the important points but let me summarize my view.
Q1: How does Finance / Accounting manage non-finance people’s tasks that impact them? Some good comments about cross-training, controls and other ideas. After working as a non-finance person in processes that impacted financial results significantly, I firmly believe that every person performing a process task needs to know the basic impact of their efforts. The impact knowledge needs to include at minimum the dimensions of finance / accounting as well as business results.
Q2: How much Finance / Accounting should I/T people know? If you’re an I/T professional whose job involves applications with any financial content (e.g. ERP systems) I recommend you learn what you can. As a few of you pointed out – Finance is the language of business and business knowledge is critical to I/T success. It doesn’t mean you have to have an accounting or financial degree but I encourage I/T folk to be inquisitive and learn what you can. I particularly like the comment from one of the posts ‘How would IT personnel be able to design and implement solutions if he/she is not familiar with the business function he/she designing the solution for?’
Q3: Financial Controls domestic vs. International companies: just like other processes – differences of language and currencies are the critical differences. The financial and tax practices of other countries vary considerably and related controls are necessary. However, that doesn’t mean any less focus on the basic application and process controls.
Q4: Should I/T Professionals supporting general I/T (e.g. workstations, network, etc.) have knowledge of ERP? There is no reason all IT folks need to know the details of ERP systems. However, they do need to know the basics of what the systems do, their importance and how the IT work being performed supports the goals of the ERP systems.
In general, always ask questions and be inquisitive about the work you’re doing, especially along the dimensions of a) finance / accounting and b) the ultimate business / outcomes of the organization you’re working in / with.
Reminder: Exercise 3 – Journal Entries is due (via e-mail) on Thursday October 27 at 11:59 pm.
(My apologies for being late in updating this post – grading, etc. has been my focus). Continuing great job on the discussions. Keep up the good work. You raised most of the important points but let me summarize my view.
Q1: If you were an outside organization – where would you attack the OTC process? – You suggested several innovative ways to attack the process. In the end a decision like this would depend on your motives and what your capabilities were vs. known vulnerabilities.
Q2: Who should care more about collections – Sales or Finance? Many of you pointed out that the sales function often has a conflict of interest in dealing with collections because of their customer focus and loyalty. Therefore, I believe collections needs to be ‘owned’ by a finance related function. However, an overzealous and callous collections process can erode customer satisfaction considerably. There needs to be a cooperative relationship between the finance ‘owner’ of collections and the business and sales organizations to assure appropriate collections policies are in place and to work cooperatively with customers who don’t pay well – there needs to be a united message to the customer.
Q3: Controls domestic vs. international: You pointed out many of the differences in your discussion. My experience is that currency, import/export regulations, customs authorities and different shipping modes drive the major differences and depending on a company’s business appropriate control differences are also needed.
Q4: Order to Cash (OTC) Process – what keeps you up at night: This depends somewhat on the nature of the business you’re working with. Regardless – I recommend keeping focus on the value, $$ related segments of the process (e.g. pricing, invoicing, cash collections).
Always when working with the OTC process, make sure you understand the nature and structure of the business. The OTC process must relate more than other processes to this nature and structure.
Each week as part of our learning, I’ve included at least one Real World control failure example. Starting in Week 7 (October 17) it will be your turn to continue this learning by contributing your own video presentation of a Real World Control Failure.
You are responsible to:
Note: 5% of the course grade is earned by this project. Evaluation is based on:
As discussed, several of the questions on Exam 1 relate to this real-world like small business case. You are encouraged to pre-read, print, etc. prior to the Exam.