Ch 11 Auditing ERP


Chapter 11 Modern ERP Marianne Bradford


Why ERP?

Modern ERP: Select, Implement & Use Today's Advanced Business Systems, Second Edition
Chapter 11: Auditing ERP

What is Internal Control?
- Internal Control includes policies and procedures effected by an organization's management to monitor assets, prevent fraud, minimize errors, verify the correctness and reliability of accounting data, and promote operational efficiency.
- Management uses these policies to provide reasonable assurance that only accurate, complete, and valid information is entered into company systems, and that the information in the system is properly processed to produce reliable output.
- Internal controls meet objectives in the following areas:
  - Reliability of financial reporting
  - Effectiveness and efficiency of operations
  - Compliance with applicable laws and regulations
- The report desired by management is an unqualified audit report, which displays a clean bill of health from their auditors.

© 2010 by Marianne Bradford. All rights reserved

Internal Control Regulation
- Sarbanes-Oxley Act of 2002 (SOX) requires management of publicly traded companies to:
  - Establish, document, and maintain internal controls and procedures over financial reporting
  - Audit the effectiveness of internal controls over financial reporting
  - Assess the deficiencies to determine the effectiveness of its internal controls over financial reporting
- Public Company Accounting Oversight Board (PCAOB): private sector, non-profit organization to oversee the auditors of public accounting firms
- Auditing Standard No. 5 states that the objective of an audit of internal controls over financial reporting is to express an opinion on the effectiveness of the company's internal control over financial reporting

The Integrated Audit
- Integrated Audit: a holistic approach to auditing that entails more than just testing and verifying the accuracy of the balances in the financial statements
- Substantive test: an audit procedure designed to test the validity, accuracy, and completeness of account balances in terms of dollar amounts
- Tests of internal controls look for a yes/no answer as to whether or not a control is effective (e.g., is a control within SAP turned on and configured correctly?)

IT Application Controls
- IT Application Controls are performed automatically by systems, ensuring accurate data entry, processing, and system output.
- Programmed controls: automated controls configured within the application, such as the three-way match.
- IT-dependent manual controls: procedures that are reliant on output from information systems
- Edit checks: occur at the point of data entry to verify that no errors are present and that the data adheres to specific standards
- Transaction numbers: unique for every transaction and provide an audit trail
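As an added illustration of the programmed controls described above (this is not code from the book or from any ERP product), the following Python sketch implements a three-way match with tolerance limits, an arithmetic edit check on the invoice, and a duplicate-vendor-invoice check over constructed sample documents; the field names and tolerance percentages are assumptions.

```python
# Constructed sample documents for one purchase (not real ERP records).
PO = {"po": "4500001", "vendor": "V100", "qty": 100, "unit_price": 12.50}
RECEIPT = {"po": "4500001", "qty": 100}
INVOICE = {"po": "4500001", "vendor": "V100", "invoice_no": "INV-77",
           "qty": 100, "unit_price": 12.50, "total": 1250.00}
# Vendor/invoice-number pairs already posted (constructed).
POSTED_INVOICES = {("V100", "INV-77")}

# Tolerance limits: assumed configuration values an ERP would hold.
QTY_TOLERANCE = 0.02    # invoiced quantity may differ from receipt by 2%
PRICE_TOLERANCE = 0.01  # invoiced unit price may differ from PO by 1%


def three_way_match(po, receipt, invoice,
                    qty_tol=QTY_TOLERANCE, price_tol=PRICE_TOLERANCE):
    """Compare purchase order, receiving report and vendor invoice.

    Returns a list of exceptions; an empty list means the invoice clears
    the control and may be released for payment.
    """
    exceptions = []
    if not (po["po"] == receipt["po"] == invoice["po"]):
        return ["documents reference different purchase orders"]
    if po["vendor"] != invoice["vendor"]:
        exceptions.append("invoice vendor differs from PO vendor")
    if receipt["qty"] <= 0:
        exceptions.append("nothing received against this PO")
    else:
        qty_var = abs(invoice["qty"] - receipt["qty"]) / receipt["qty"]
        if qty_var > qty_tol:
            exceptions.append(
                f"invoiced qty differs from received qty by {qty_var:.1%}")
    price_var = abs(invoice["unit_price"] - po["unit_price"]) / po["unit_price"]
    if price_var > price_tol:
        exceptions.append(
            f"invoice unit price differs from PO price by {price_var:.1%}")
    # Edit check on the invoice itself: total must equal qty x unit price.
    expected_total = round(invoice["qty"] * invoice["unit_price"], 2)
    if abs(invoice["total"] - expected_total) > 0.005:
        exceptions.append("invoice total does not equal qty x unit price")
    return exceptions


def is_duplicate_invoice(invoice, posted=POSTED_INVOICES):
    """Duplicate vendor invoice control: the same vendor + invoice number
    must not be posted twice."""
    return (invoice["vendor"], invoice["invoice_no"]) in posted
```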

Table 11-1: Examples of Application Controls over Typical Business Processes
- Purchase to Pay: Three-way match of purchase order, receiving report and vendor invoice; Duplicate vendor invoices
- Financial Closing & Reporting: Integration with other ERP modules; Automated roll-up of financial statements
- Fixed Assets: Depreciation calculation; Gain/loss on fixed asset sale calculations
- Payroll: Integrated timekeeping with payroll; Payroll deduction calculations
- Inventory: Monitoring of inventory levels; Matching of receipt to purchase orders; Tolerance limits; Integration of inventory with shipping
- Order to Cash: Automated credit checking; Automated pricing of orders; Integration with Electronic Data Interchange; On-line approval of AR adjustments; Integration of orders with shipping; Invoice and discount calculations
- All Processes: On-line edit checks of data entry; Sequential numbering of documents; On-line approvals of entries

IT General Controls
Figure 11-2: Relationship between IT General Controls and Application Controls (Source: Deloitte and Touche)

IT General Controls represent the foundation of the IT control structure. They help ensure the reliability of data generated by IT systems and support the assertion that systems operate as intended and that output is reliable. ITGC support the application controls. They are the first line of defense. However, if they don't work, then you can't assume application controls work.

Program Change Controls
- Program Change Controls: controls that govern the changes made to information systems and databases. These changes are configuration changes, customizations, patches, minor upgrades, etc. We use various instances of ERP to effect these changes.
- Common deficiencies when making changes to programs:
  - Program changes are not authorized by the ERP steering committee, team, or IT managers (depending on what is going on) prior to development
  - Program changes are not tested prior to moving to production
  - Program changes are not authorized by management prior to moving to production
  - The same person or persons that developed the change are allowed to move the change to production (bad!)
  - Insufficient documentation exists to show proper approvals and procedures in the change control process

Program Change Controls
- Program changes are initiated only with a valid IT or business justification
- An IT manager or management in the business area requesting the program change approves changes prior to development
- Application programmers should make changes in the development environment
- Once work is completed, programmers (e.g., SAP Basis) move changed programs into the testing area for users or IT staff to test
- IT and/or management of the business area perform an impact analysis prior to moving the change to production
- The change moved to production is scheduled, and users impacted by the change are notified
- After testing and sign-off of quality assurance are complete, an IT staff member not involved in the change moves the change to production
- Programmers should not have direct access to the production instance and should not make changes directly in production
- Firefighter role: one-time use passwords can be used to make urgent changes

Information Security Controls
- Information security controls help prevent unauthorized access to information systems resources
- Common deficiencies in information security controls:
  - Access to IS resources is not properly managed, and rights are granted without adequate justification
  - Access privileges to IS resources are not monitored to assure that they remain current, complete, and accurate
  - Improper Segregation of Duties (SoD) is allowed within IS resources
  - Improper SoD is present when setting up user accounts
  - Too many super users (aka system administrators, root)
  - Authorization for access to IS resources is not evident, not adequately archived, or not retained
- Information security controls are also called logical access controls
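The program change control steps above can be evidenced as a sequence of recorded events; as an added example (not from the book or from any change-management product), this Python sketch reviews a constructed change record for the listed deficiencies: missing or out-of-order stages, a developer moving their own change, a programmer with production transport access, and an approver who is not a manager. The stage names, user names and role labels are assumptions.

```python
# Roles of the people in the constructed sample; 'programmer' stands for
# developer authorizations and 'it_staff' for the transport role.
ROLES = {"alice": "programmer", "bob": "it_staff",
         "carol": "it_manager", "dave": "business_manager"}
MANAGER_ROLES = {"it_manager", "business_manager"}

# Stages every normal change must pass through, in this order.
REQUIRED = ["justified", "approved_for_development", "developed", "tested",
            "impact_analysis", "scheduled_and_notified", "signed_off",
            "moved_to_production"]


def review_change(change_id, events):
    """events: list of (stage, user) in the order they were recorded.

    Returns the deficiencies an auditor would raise; [] means the record
    evidences every control step with proper segregation of duties.
    """
    findings = []
    stages = [stage for stage, _ in events]
    who = dict(events)
    for stage in REQUIRED:
        if stage not in stages:
            findings.append(f"{change_id}: no evidence of stage '{stage}'")
    observed = [s for s in stages if s in REQUIRED]
    expected = [s for s in REQUIRED if s in stages]
    if observed != expected:
        findings.append(f"{change_id}: stages performed out of order")
    dev, mover = who.get("developed"), who.get("moved_to_production")
    approver = who.get("approved_for_development")
    if dev and mover and dev == mover:
        findings.append(f"{change_id}: developer {dev} moved their own change to production")
    if mover and ROLES.get(mover) == "programmer":
        findings.append(f"{change_id}: programmer {mover} performed a production move")
    if approver and ROLES.get(approver) not in MANAGER_ROLES:
        findings.append(f"{change_id}: approver {approver} is not a manager")
    return findings


# Constructed change records: one compliant, one with typical deficiencies.
GOOD = [("justified", "dave"), ("approved_for_development", "carol"),
        ("developed", "alice"), ("tested", "dave"), ("impact_analysis", "carol"),
        ("scheduled_and_notified", "carol"), ("signed_off", "dave"),
        ("moved_to_production", "bob")]
BAD = [("justified", "dave"), ("developed", "alice"),
       ("approved_for_development", "carol"), ("moved_to_production", "alice")]
```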

Controls for Information Security
- Authentication: verifying the identity of the users (you are who you say you are)
  - Two-factor authentication: combining two forms of ID
  - Multifactor authentication: combining more than two forms of ID
  - RSA SecurID: an authentication token that uses a built-in clock and factory-encoded random key
  - Biometric software: links a user's unique physical attributes to the data they are allowed to access
- Proper authorization of the nature and extent of user access privileges
- Data encryption and firewalls
- Defined roles and responsibilities, including notifications when roles are changed, transferred, or terminated
- Password controls
- Audit trail mechanisms are configured on

Computer Operations Controls
- Computer Operations Controls focus on the physical access to IT resources that run a company; designed to protect against both environmental and man-made hazards
- Common deficiencies related to computer operations & data centers include:
  - Poor job scheduling procedures
  - Insufficient system back-up and recovery
  - Unmanaged third party service level agreements (e.g., maintenance, backup)
  - Poor physical security over the data center

Computer Operations Controls
- Some example controls in a data center are:
  - Batch computer jobs are monitored by management
  - Automated job scheduling tools
  - Automated data retention tools
  - ERP database is backed up at least once a week to an off-site location
  - Obtain a SAS 70 for outsourced IS functions
  - Uninterrupted power source/generator
  - Minimize entry and exit points
  - Monitor entry/exit points with surveillance cameras

Evaluating Deficiencies in ITGC
- Nature and significance
- Pervasiveness of deficiency
- Complexity of systems environment
- Proximity of control to applications and data
- Susceptibility to fraud
- Cause and frequency of known exceptions
- History of misstatements
- Competency of business and IT management

Controls over Outsourcing Business and IT Functions
- Types:
  - Application outsourcing: contracting for a data center to host a company's ERP system
  - Business process outsourcing: a service provider performs a function for the company (e.g., outsourcing a company's HR processes, such as benefits and compensation)
  - IT outsourcing: outsourcing maintenance of hardware
- Statement on Auditing Standards No. 70 (SAS 70): the authoritative guidance for service organizations; mandates that they disclose their internal control activities and processes to their customers in a uniform reporting format
  - Must identify the applicable data centers, operating environments, and applications
- Service Auditor's Report: issued at the conclusion of a SAS 70 engagement to the service organization for distribution to its customers who request it for auditing purposes

Statement on Auditing Standards No. 70
- Two types of SAS 70 Service Auditor's Reports:
  - Type 1 Service Auditor's Report: includes the service auditor's opinion on the description of controls over the outsourced function evident at the service organization and the suitability of the design of these controls to achieve the specified control objectives
    - Does not present an opinion on the operating effectiveness of these controls
    - Cannot serve as first-hand testing in conjunction with the financial statement audit

  - Type 2 Service Auditor's Report: includes the service auditor's opinion on whether the specific controls were operating effectively during the period under review
    - Can serve as first-hand testing in conjunction with the financial statement audit

ISACA Certifications for IT Audit, Security, and Governance
- Certified Information Systems Auditor (CISA): qualifies an individual as globally proficient in the areas of IS audit, control, and security
- Certified Information Security Manager (CISM): targets the information security management audience and bridges the knowledge gap between business strategy and IT security

ISACA Certifications for IT Audit, Security, and Governance
- Certified in the Governance of Enterprise IT (CGEIT): certification for professionals charged with satisfying the IT governance needs of an enterprise
- What is IT governance? Leadership, organizational structures, and processes that ensure that an organization's technology sustains and extends the organization's strategies and objectives; aligns IT with organizational objectives
- IT Governance Institute (ITGI): ISACA formed this to focus on original research, publications, resources, and symposia on IT governance and related topics
- Certified in Risk and Information Systems Control (CRISC): newest certification; recognizes IT and business professionals for their knowledge of enterprise risk and their ability to design, implement, monitor, and maintain systems controls to reduce risk

ISC2 Certification for IT Audit, Security, and Governance
- What is (ISC)2? International Information Systems Security Certification Consortium, Inc., (ISC)2, is the global leader in educating and certifying information security professionals throughout their careers. They administer the CISSP.
- Certified Information Systems Security Professional (CISSP): certification encompassing information security and assurance tenets of confidentiality, integrity, and availability
  - More technical than the other certifications

COBIT
- Control Objectives for Information and related Technology (COBIT): governance framework and supporting toolset that provides best-practice management guidelines for implementing IT governance as required by audits and SOX Section 404
- COBIT is developed by ISACA and ITGI
Figure 11-4: COBIT Cube (Source: ISACA)

COBIT Domains and IT Processes
- Plan and Organize: provides management with tactics and strategy concerning how IT can best contribute to the achievement of the business objectives
  - Examples of processes: Define a Strategic IT Plan and Direction; Define the Information Architecture
- Acquire and Implement: includes identifying IT requirements, acquiring IT, and implementing IT within the company's current business processes
  - Examples of processes: Acquire and Maintain Application Software; Acquire and Maintain Technology Infrastructure
- Deliver and Support: focuses on the delivery aspects of IT, as well as the support processes that enable the effective and efficient execution of systems
  - Examples of processes: Manage Third-party Services; Manage the Configuration; Ensure Systems Security
- Monitor and Evaluate: addresses performance management, monitoring of internal controls, regulatory compliance, and governance
  - Examples of processes: Monitor and Evaluate Internal Control; Ensure Regulatory Compliance; Provide IT Governance

Governance, Risk, and Compliance
- Governance, Risk, and Compliance (GRC) enables organizations to maximize strategic and operational performance by cost-effectively managing regulatory and policy compliance, while proactively mitigating all types of business risk
- Corporate governance: the structure and relationships that dictate how a corporation is directed, administered, and controlled
- Risk management: assesses the areas of exposure and potential impacts
- Compliance: the tactical action to mitigate risk; conforming to stated requirements
- GRC provides access control, risk management and regulatory compliance (for audits, etc.)
  - User provisioning, de-provisioning, segregation of duties, continuous monitoring of SoDs, analysis and management of risks, etc.
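As an added example (not from the book or from any GRC product) of the continuous SoD monitoring and provisioning checks the slide lists, this Python sketch evaluates constructed user-to-role assignments against a small, assumed conflict matrix, both as a periodic detective scan and as a preventive check before a new role is granted; the function, role and user names are constructed.

```python
# Pairs of business functions one user should not hold together.
# Constructed for this example; real GRC rule sets are much larger.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "post_vendor_invoice"}),
    frozenset({"enter_goods_receipt", "post_vendor_invoice"}),
    frozenset({"post_vendor_invoice", "release_payment"}),
    frozenset({"maintain_user_accounts", "assign_roles"}),
}

# Roles and the functions they grant (constructed).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"post_vendor_invoice"},
    "VENDOR_MASTER": {"create_vendor"},
    "WAREHOUSE": {"enter_goods_receipt"},
    "TREASURY": {"release_payment"},
    "SEC_ADMIN": {"maintain_user_accounts", "assign_roles"},
}

# Current user-to-role assignments (constructed).
USER_ROLES = {"erin": ["AP_CLERK", "VENDOR_MASTER"], "frank": ["TREASURY"],
              "gina": ["SEC_ADMIN"], "hank": ["AP_CLERK"]}


def user_functions(user, user_roles=USER_ROLES):
    """Union of the functions granted through all of a user's roles."""
    funcs = set()
    for role in user_roles.get(user, []):
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def conflicts_in(funcs):
    """Conflict pairs fully contained in a function set, as sorted tuples."""
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= funcs)


def sod_violations(user_roles=USER_ROLES):
    """Detective control: periodic scan of all users for SoD conflicts."""
    found = {}
    for user in user_roles:
        hits = conflicts_in(user_functions(user, user_roles))
        if hits:
            found[user] = hits
    return found


def provisioning_check(user, new_role, user_roles=USER_ROLES):
    """Preventive control: conflicts a role request would create if granted."""
    proposed = user_functions(user, user_roles) | ROLE_FUNCTIONS.get(new_role, set())
    return conflicts_in(proposed)
```

Note that gina's finding comes from a single role that bundles two conflicting functions, so the role design itself, not just the assignment, needs remediation.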