ERP Systems: Audit and Control Risks
Jennifer Hahn, Deloitte & Touche
ISACA Spring Conference, April 26, 1999

1. ERP Systems: Audit and Control Risks (title slide)

2. Session Learning Objectives
At the end of this session, the participant should be able to:
• Understand key risks and control issues surrounding ERP systems
• Understand the impact of ERP implementation on the internal audit organization
• Explore alternatives for reengineering the audit approach

1998 Deloitte Touche Tohmatsu. All rights reserved.

3. Session Topics
• Key Risks and Control Issues
• Impact on Internal Audit
• Reengineering the Audit Approach
• Questions & Comments

4. Key Risks and Control Issues (section divider)

5. Why ERP Audit is Different (section divider)

6. Technical Complexity
• System usually resides on multiple computers
• Optimum coordination is a challenge
• Reliability and availability of data
  - Effective use of on-line reporting
• System allows flexible configuration, customization and maintenance

7. Event Driven Processing
• On-line real-time processing
  - All databases updated simultaneously
  - Rely on transaction balancing
  - Demands data validation before acceptance of data
  - Highly dependent on system-based controls
• Traditional batch controls and audit trails are no longer available
  - Data entry accuracy is improved through the use of default values, cross-field checking and alternative views into the data
8. Integrated Database
• All transactions are stored in one common database
• Modules automatically create entries in the database for each other
• Auditors need to understand the interactions and flow of information
• Databases can be accessed by any module
• System modules (applications) are transparent to users

9. Security and Access
• Requires extensive, well thought out definition of security access capabilities
• Authorizations occur within the application, not at the database level
• Delivered system security is not necessarily strong
• Network and database access security is also required
• Significant rise in users who have access
• Increased access from field personnel, vendors and customers

10. Implementation Impact
• Typically, an ERP implementation is combined with a business reorganization/reengineering
• Organizational changes and new business processes may be extensive
• Resulting controls should also be different from traditional ones

11. Other Changes
• Lack of hard copy documents
• Controls are sometimes an afterthought
• Traditional general computer controls are implemented within the application in some cases:
  - Security
  - Change Control
• Some ERP systems are table driven:
  - Tables determine how transactions are processed
  - As table values change, system processing also changes

12. Key Exposures (section divider)
13. Key Business Exposures
Organizations face several new business risks when they migrate to a real-time, integrated ERP system:
• Single point of failure, since all of the organization's data and transaction processing is within one application
• Complexity of architecture, applications and data structures makes it difficult to understand and operate effectively
• Reengineering or business process redesign is normally included in implementation
• New technology environment
• User acceptance of the system influences likelihood of success

14. Key Business Exposures (contd.)
• Extensive expertise required to effectively operate
• Significant personnel and organizational structure changes
• Transition of traditional user roles to empowered-based roles
• On-line, real-time system environment requires a continuous business environment
• Effort of training a large number of users
• Challenging to embrace a tightly integrated environment when different business processes exist among business units

15. Key Technical Exposures
• Inexperience with implementing and managing distributed computing technology may pose significant challenges
• Increased remote access by users and outsiders
• Extensive interfaces and data conversions from legacy systems and other commercial software are often necessary
• IS must transition to an organization that can support a distributed computing environment
16. Key Control Exposures
• The opportunity to establish the control environment is during system implementation, since extensive control is within the configuration
• Complexity makes it difficult to understand and audit effectively
• High integration allows increased access to applications and data
• Necessity for temporary and permanent interfaces increases exposures of data integrity and security
• Extensive expertise required to effectively audit and control
• Audit may need to change its audit approach

17. Impact on Internal Audit (section divider)

18. Summary of Audit Challenges
The slide's diagram groups the audit challenges under these headings:
• Level of Understanding of ERP System
• Process Audits
• Interface Between Internal Audit & External Audit
• Electronic Information
• Data Issues
• Computer Interfaces
• Managing Expectations

19. Audit Challenges
• Level of Understanding of ERP System
  - 1st year audits are opportunities
  - Management perception: "ERP does it all"
  - Use of a Subject Matter Expert
• Process Audits
  - Many companies will reengineer business processes
  - Auditing the business process/internal controls will likely become the focus of the audit tests

20. Audit Challenges (contd.)
• Interface Between Internal Audit and External Audit
  - Partnering with one another
  - Leveraging each other's skill set
• Electronic Information
  - Electronic information vs. hardcopy
  - Auditor profile to obtain information electronically
21. Audit Challenges (contd.)
• Data Issues
  - Data Retention
  - Data Entry
  - Segregation of Duties
• Computer Interfaces
  - Number of Interfaces
  - Data Analysis and Drill-Down

22. Audit Challenges (contd.)
• Managing Expectations
  - Self-sufficient in identifying and drilling down into information
  - Change in Audit
  - Sharing of best practice information
  - Adding Value
  - Reduction in Hours
    - Effective and efficient audits with little start-up cost
    - All processes and computing on one system, therefore hours are expected to be lower

23. Audit Organization Impact
Internal Audit must address the new environment in several respects:
• Training
• Staffing
• Implementation Approach
• Audit Methodology
• Roles for the Auditor

24. Staffing
• Complexity of the system environment requires a staffing model with higher ratios of:
  - Information Systems Auditors
  - Integrated Auditors
• Traditional Financial and Operational Auditors must transform to Integrated Auditors
• Audits of complex and technical areas may need to be supplemented by experienced resources

25. Training
• Detailed knowledge of ERP systems is necessary in order to effectively understand security and control issues over:
  - application areas
  - technical environment
• Significant training necessary to adequately understand the new environment
• Must learn a security and controls implementation methodology
• May need to learn new tools (e.g., ABAP/4 for SAP) in order to effectively audit ERP
• Consider vendor training and joining user groups
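Slide 21 lists segregation of duties as a data issue and slide 9 notes that ERP authorizations are enforced inside the application, not at the database, so the auditor's evidence is an extract of user-to-role assignments tested against a conflict matrix. The block below is an added example and is not part of the presentation; the function codes, role names, users and conflict pairs are all constructed for illustration and do not correspond to any particular ERP product's transaction codes. It resolves each user's roles to the functions they grant and reports every user who holds both halves of a conflicting pair through any combination of roles, which is the case a role-by-role review misses.

```python
"""
Segregation-of-duties (SoD) conflict check over ERP role assignments.

Added illustrative example, not from the original presentation. The
function codes, roles, users and conflict matrix below are constructed.
"""
from itertools import combinations

# Conflict matrix: pairs of sensitive functions one person must not hold together.
# Constructed for the example; a real matrix is derived from the client's process design.
SOD_CONFLICTS = {
    frozenset({"VENDOR_MAINTAIN", "INVOICE_POST"}): "Create a vendor and post invoices to it",
    frozenset({"INVOICE_POST", "PAYMENT_RUN"}): "Post invoices and release payments",
    frozenset({"USER_ADMIN", "ROLE_ADMIN"}): "Create users and grant roles",
    frozenset({"CONFIG_MAINTAIN", "PAYMENT_RUN"}): "Change processing tables and run payments",
}

# Functions granted by each (hypothetical) role.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"INVOICE_POST"},
    "AP_MASTERDATA": {"VENDOR_MAINTAIN"},
    "TREASURY": {"PAYMENT_RUN"},
    "BASIS_ADMIN": {"USER_ADMIN", "ROLE_ADMIN", "CONFIG_MAINTAIN"},
    "REPORT_VIEWER": set(),
}

# Constructed user-to-role extract, as a user master download would provide it.
USER_ROLES = {
    "alice": {"AP_CLERK", "REPORT_VIEWER"},
    "bob": {"AP_CLERK", "AP_MASTERDATA"},
    "carol": {"TREASURY"},
    "dave": {"BASIS_ADMIN", "TREASURY"},
}


def user_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Flatten a user's roles into the set of functions the user can perform."""
    funcs = set()
    for role in roles:
        funcs |= role_functions.get(role, set())
    return funcs


def find_sod_conflicts(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
                       conflicts=SOD_CONFLICTS):
    """Return {user: [(function_a, function_b, description), ...]} for every user
    who holds both halves of a conflicting pair, regardless of which roles grant them."""
    findings = {}
    for user, roles in sorted(user_roles.items()):
        funcs = user_functions(roles, role_functions)
        hits = []
        for a, b in combinations(sorted(funcs), 2):
            pair = frozenset({a, b})
            if pair in conflicts:
                hits.append((a, b, conflicts[pair]))
        if hits:
            findings[user] = hits
    return findings


def explain(findings, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Attribute each conflicting function back to the role(s) that grant it,
    which is what the auditor needs in order to propose a role redesign."""
    lines = []
    for user, hits in findings.items():
        for a, b, why in hits:
            roles_a = sorted(r for r in user_roles[user] if a in role_functions[r])
            roles_b = sorted(r for r in user_roles[user] if b in role_functions[r])
            lines.append(f"{user}: {why} [{a} via {roles_a}; {b} via {roles_b}]")
    return lines


if __name__ == "__main__":
    for line in explain(find_sod_conflicts()):
        print(line)
```

In the constructed data, alice and carol are clean, bob's conflict comes from two separately harmless roles, and dave's administrative role conflicts with itself as well as with treasury; only the flattened-function view surfaces all three.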
26. Implementation Approach
• Audit should take an active role during the implementation
• Reengineered business processes require a change in the method of control
• New security, audit and control tools should be developed to facilitate the effective implementation and operation of the control environment
• On-going involvement with R/3 implementations required

27. Audit Methodology
• Traditional audit methodologies and approaches must be modified to effectively audit R/3 in a cost-effective manner
• Integrated audits necessary for the new environment
• New audit tools should be developed to facilitate efficient and effective audits

28. Roles for the Auditor
Integrated Approach:
• Focus on the design and implementation of controls for new systems
• Give consideration to:
  - Project risk
  - Business process risk assessment
• Perform tests to ensure implementation of controls

Pre-implementation Review:
• Focus on the controls design for new systems
• Give consideration to:
  - Review of business case
  - Project risk
  - Business process risk assessment
• Review of performance measurement criteria

29. Roles for the Auditor (contd.)
Post-implementation Review:
• Focus on the implementation of controls for new systems
• Give consideration to:
  - Risk assessment of business process impact
  - Achievement of project objectives and business case
• Review of implemented performance measurements

Quality Assurance Audit:
• Participation throughout the project
• Focus on overall quality of the business process reengineering program
• Give consideration to ability to impact the project
• Consider specific deliverables at each key project milestone
30. Reengineering the Audit Approach (section divider)

31. Audit Scope
• Evaluate the complexity of the technology environment
• Identify which ERP modules have been implemented
• Evaluate the existence of distributed applications
• Determine whether legacy systems are used
• Obtain an understanding of the organizational model
• Obtain a high level understanding of the controls in place over:
  - General Computer Controls
  - Business Process Controls

32. Testing Considerations
• Difficult to perform financial audits without relying on internal controls:
  - Clients using ERP are usually large multi-national corporations with complex structure and reporting
  - More internal control testing, less substantive testing
• Documentation of testing
• Design of effective tests of controls
  - Audit steps are different
  - Audit issues are different

33. Operational Audit Considerations
• Increased difficulty and importance in definition of the scope of the audit
• A detailed understanding of client processes is required
• An increased level of Operational Audit technical knowledge and computer-related controls is required
• The roles and responsibilities of Operational Audit and Computer Audit become more integrated
34. Computer Audit Considerations
• An increase in the level of technical Enterprise Resource Planning (ERP) system knowledge
• A detailed understanding of ERP-specific General Computer Controls, especially:
  - Security
  - Authorization Structure
  - Correction and Transport System
• An increased understanding of business processes and the related ERP controls
• An increase in the integration of Computer Audit and Financial Audit

35. Audit Process
The slide is a diagram with three phases and two assurance streams:
• Phases: Planning and Scoping; Functional/Process Reviews; Final Delivery
• Assurance streams: General Computer Controls Assurance; Operation and Process Assurance
• Audit groups involved: Operations Audit, Computer Audit, and Operations and Computer Audit jointly

36. Roles and Responsibilities
• Identify all the team members that will serve the client: Operations Audit, Computer Audit and other specialists
• No hard and fast rule to split roles and responsibilities between audit groups
• Actual differentiation of roles and responsibilities is determined on a client-to-client basis
• An evaluation needs to be made by the audit team as to how the roles and responsibilities should be defined
• The important issue is that the client should have a seamless and efficient audit from a well integrated and knowledgeable team

37. Questions & Comments
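Slide 11 makes the point that in a table-driven ERP a change to a configuration table changes how transactions are processed, and slide 34 names the correction and transport system as a general computer control the computer auditor must understand. One test of that control is to take snapshots of the processing-control tables at the start and end of the period, diff them, and reconcile every difference against the approved change records: unreconciled changes are the change-control finding, and approved changes that never appear in the system are the second finding. The block below is an added example, not part of the presentation; the table names, rows and change records are constructed and not taken from any real ERP.

```python
"""
Reconcile ERP configuration-table changes against approved change records.

Added illustrative example, not from the original presentation. Table names,
rows and change records are constructed for the demonstration.
"""

# Snapshot of processing-control tables at the start of the audit period (constructed).
BASELINE = {
    "T_PAY_TOLERANCE": {"US01": "0.50", "DE01": "0.50"},
    "T_APPROVAL_LIMIT": {"AP_CLERK": "5000", "AP_MANAGER": "50000"},
    "T_POSTING_PERIOD": {"2024-03": "OPEN"},
}

# Snapshot of the same tables at period end (constructed).
CURRENT = {
    "T_PAY_TOLERANCE": {"US01": "0.50", "DE01": "5.00"},
    "T_APPROVAL_LIMIT": {"AP_CLERK": "5000", "AP_MANAGER": "50000", "AP_TEMP": "999999"},
    "T_POSTING_PERIOD": {"2024-03": "OPEN", "2024-04": "OPEN"},
}

# Approved change records, e.g. released transports (constructed). CHG-1003 was
# approved but, as the snapshots show, never reached the system.
APPROVED_CHANGES = [
    {"id": "CHG-1001", "table": "T_PAY_TOLERANCE", "key": "DE01", "new": "5.00"},
    {"id": "CHG-1002", "table": "T_POSTING_PERIOD", "key": "2024-04", "new": "OPEN"},
    {"id": "CHG-1003", "table": "T_APPROVAL_LIMIT", "key": "AP_CLERK", "new": "10000"},
]


def diff_tables(baseline, current):
    """Return (table, key, old, new) for every added, removed or modified row.
    A missing row is represented by None on the side where it is absent."""
    changes = []
    for table in sorted(set(baseline) | set(current)):
        old_rows = baseline.get(table, {})
        new_rows = current.get(table, {})
        for key in sorted(set(old_rows) | set(new_rows)):
            old, new = old_rows.get(key), new_rows.get(key)
            if old != new:
                changes.append((table, key, old, new))
    return changes


def reconcile(changes, approved):
    """Match each observed change to an approved record on (table, key, new value).

    Returns (matched, unapproved, not_applied):
      matched      observed changes with their change-record id
      unapproved   observed changes with no approved record (change-control exception)
      not_applied  approved record ids with no matching observed change
    Matching on the new value too means a change approved as one value but
    applied as another shows up in both exception lists, which is intended.
    """
    index = {(c["table"], c["key"], c["new"]): c["id"] for c in approved}
    matched, unapproved = [], []
    for table, key, old, new in changes:
        ref = index.pop((table, key, new), None)
        if ref is not None:
            matched.append((table, key, old, new, ref))
        else:
            unapproved.append((table, key, old, new))
    not_applied = sorted(index.values())
    return matched, unapproved, not_applied


def audit_report(baseline=BASELINE, current=CURRENT, approved=APPROVED_CHANGES):
    """Run the diff and reconciliation and return the exceptions as text lines."""
    matched, unapproved, not_applied = reconcile(diff_tables(baseline, current), approved)
    lines = [f"{len(matched)} change(s) reconciled to approved records"]
    for table, key, old, new in unapproved:
        lines.append(f"UNAPPROVED: {table}[{key}] {old!r} -> {new!r}")
    for ref in not_applied:
        lines.append(f"APPROVED BUT NOT APPLIED: {ref}")
    return lines


if __name__ == "__main__":
    for line in audit_report():
        print(line)
```

On the constructed data the tolerance and posting-period changes reconcile, the new AP_TEMP approval limit of 999999 is an unapproved change to a table that governs how invoices are processed, and CHG-1003 is an approved change that was never applied. Both exception types are what the auditor takes back to the change-control process.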