
MODERN ERP
SELECT, IMPLEMENT & USE TODAY'S ADVANCED BUSINESS SYSTEMS
Second Edition

Chapter 11: Auditing ERP

What is Internal Control?

Internal control includes the policies and procedures effected by an organization's management to monitor assets, prevent fraud, minimize errors, verify the correctness and reliability of accounting data, and promote operational efficiency.

Management uses these policies to provide reasonable assurance that only accurate, complete, and valid information is entered into company systems, and that the information in the system is properly processed to produce reliable output.

Internal controls meet objectives in the following areas:
- Reliability of financial reporting
- Effectiveness and efficiency of operations
- Compliance with applicable laws and regulations

2010 by Marianne Bradford. All rights reserved

The report desired by management is an

Internal Control Regulation

The Sarbanes-Oxley Act of 2002 (SOX) requires management of publicly traded companies to:
- Establish, document, and maintain internal controls and procedures over financial reporting
- Audit the effectiveness of their internal controls over financial reporting
- Assess the deficiencies to determine the effectiveness of its internal controls over financial reporting

Public Company Accounting Oversight Board (PCAOB): a private-sector, non-profit organization created by SOX to oversee the audits of public companies and the registered public accounting firms that perform them.

Auditing Standard No. 5 states that the objective of an audit of internal control over financial reporting is to express an opinion on the effectiveness of the company's internal control over financial reporting.

The Integrated Audit

- Integrated audit: a holistic approach to auditing that entails more than just testing and verifying the accuracy of the balances in the financial statements; the audit of internal control over financial reporting is performed together with the financial statement audit
- Substantive test: an audit procedure designed to test the validity, accuracy, and completeness of account balances in terms of dollar amounts
- Tests of internal controls look for a yes/no answer as to whether or not a control is effective (e.g., is a control within SAP turned on and configured correctly?)

IT Application Controls

IT application controls are performed automatically by systems, ensuring accurate data entry, processing, and system output.
- Programmed controls: automated controls configured within the application, such as the three-way match
- IT-dependent manual controls: procedures that are reliant on output from information systems (a person performs the control, but it is only as good as the completeness and accuracy of the system-generated report it depends on)
Table 11-1: Examples of Application Controls over Typical Business Processes

Purchase to Pay:
- Three-way match of purchase order, receiving report and vendor invoice
- Duplicate vendor invoices

Financial Closing & Reporting:
- Integration with other ERP modules
- Automated roll-up of financial statements

Fixed Assets:
- Depreciation calculation
- Gain/loss on fixed asset sale calculations

Payroll:
- Integrated timekeeping with payroll
- Payroll deduction calculations

Inventory:
- Monitoring of inventory levels
- Matching of receipt to purchase orders
- Tolerance limits
- Integration of inventory with shipping

Order to Cash:
- Automated credit checking
- Automated pricing of orders
- Integration with Electronic Data Interchange
- Integration of orders with shipping
- On-line approval of AR adjustments
- Invoice and discount calculations

All Processes:
- On-line edit checks of data entry
- Transaction numbers unique
- Sequential numbering of documents
- On-line approvals of entries

Edit checks occur at the point of data entry to verify that no errors are present and that the data adheres to specific standards.
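The three-way match, tolerance limits, duplicate-vendor-invoice check and sequential-numbering check from Table 11-1, written out as programmed controls. This is an added example in Python, not code from the book or from any ERP product; the record layouts, the 2% price tolerance, the zero quantity tolerance and the sample transactions are all constructed for illustration.

```python
"""Programmed application controls for purchase-to-pay (added example).

Sample data is constructed; tolerance limits are assumptions (real systems
configure them per company code, vendor or material).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor: str
    quantity: int
    unit_price: float


@dataclass(frozen=True)
class GoodsReceipt:
    po_number: str
    quantity: int


@dataclass(frozen=True)
class VendorInvoice:
    vendor: str
    invoice_number: str
    po_number: str
    quantity: int
    unit_price: float


# Assumed tolerance limits: small variances post automatically, larger ones are
# blocked for manual release (the "tolerance limits" control in Table 11-1).
PRICE_TOLERANCE_PCT = 2.0   # percent of the PO unit price
QTY_TOLERANCE_UNITS = 0     # invoiced quantity may not exceed received quantity


def three_way_match(po, receipts, invoice):
    """Return the list of exceptions; an empty list means the invoice may post."""
    exceptions = []
    if invoice.po_number != po.po_number:
        exceptions.append("invoice references a different PO")
    if invoice.vendor != po.vendor:
        exceptions.append("invoice vendor differs from PO vendor")
    received = sum(r.quantity for r in receipts if r.po_number == po.po_number)
    if received == 0:
        exceptions.append("no goods receipt recorded for PO")
    elif invoice.quantity > received + QTY_TOLERANCE_UNITS:
        exceptions.append(f"invoiced qty {invoice.quantity} exceeds received qty {received}")
    if invoice.quantity > po.quantity:
        exceptions.append(f"invoiced qty {invoice.quantity} exceeds ordered qty {po.quantity}")
    price_var_pct = abs(invoice.unit_price - po.unit_price) / po.unit_price * 100
    if price_var_pct > PRICE_TOLERANCE_PCT:
        exceptions.append(f"unit price variance {price_var_pct:.1f}% exceeds tolerance")
    return exceptions


def normalize_invoice_number(s):
    # Duplicate checks normalise the reference so "INV-77" and "inv 77" collide.
    return "".join(ch for ch in s.upper() if ch.isalnum())


def find_duplicate_invoices(invoices):
    """Pairs (first_seen, duplicate) sharing a vendor and normalised invoice number."""
    seen, duplicates = {}, []
    for inv in invoices:
        key = (inv.vendor, normalize_invoice_number(inv.invoice_number))
        if key in seen:
            duplicates.append((seen[key], inv))
        else:
            seen[key] = inv
    return duplicates


def numbering_gaps(document_numbers):
    """Sequence check: numbers missing from what should be an unbroken series."""
    present = set(document_numbers)
    return [n for n in range(min(present), max(present) + 1) if n not in present]


# Constructed sample transactions.
PO = PurchaseOrder("4500001", "V100", 100, 2.00)
RECEIPTS = [GoodsReceipt("4500001", 60), GoodsReceipt("4500001", 40)]
GOOD_INVOICE = VendorInvoice("V100", "INV-77", "4500001", 100, 2.03)   # 1.5% over: within tolerance
BAD_INVOICE = VendorInvoice("V100", "INV-78", "4500001", 120, 2.50)    # quantity and price both off
INVOICES = [GOOD_INVOICE, BAD_INVOICE, VendorInvoice("V100", "inv 77", "4500001", 100, 2.03)]

if __name__ == "__main__":
    print("good:", three_way_match(PO, RECEIPTS, GOOD_INVOICE))
    print("bad: ", three_way_match(PO, RECEIPTS, BAD_INVOICE))
    for first, dup in find_duplicate_invoices(INVOICES):
        print("duplicate invoice", repr(dup.invoice_number), "repeats", repr(first.invoice_number))
    print("gaps:", numbering_gaps([1001, 1002, 1004, 1005]))
```

The auditor's test of this control is the yes/no question from the integrated-audit slide: is the match active for every company code, and are the tolerance limits set to values management actually approved? A tolerance set to 100% is a control that is "turned on" but not effective.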

IT General Controls

Figure 11-2: Relationship between IT General Controls and Application Controls (Source: Deloitte and Touche). [Figure: IT general controls underpin the application controls applied to typical business processes; only the labels "Typical business processes" and "More application controls" survive.]

IT general controls (ITGC) represent the foundation of the IT control structure. They help ensure the reliability of data generated by IT systems and support the assertion that systems operate as intended and that output is reliable. ITGC support the application controls and are the first line of defense. However, if they don't work, then you can't assume the application controls work: a three-way match that is configured correctly is worthless as a control if anyone can change the program that performs it without authorization.

Program Change Controls

Program change controls govern the changes made to information systems and databases: configuration changes, customizations, patches, minor upgrades, etc. Separate instances of the ERP system (development, test, production) are used to make and promote these changes.

Common deficiencies when making changes to programs:
- Program changes are not authorized by the ERP steering committee, project team, or IT managers (depending on the nature of the change) prior to development
- Program changes are not tested prior to moving to production
- Program changes are not authorized by management prior to moving to production
- The same person or team that developed the change is allowed to move the change to production (bad!)
- Insufficient documentation exists to show proper approvals and procedures in the change control process

Program Change Controls

- Program changes are initiated only with a valid IT or business justification
- An IT manager or management in the business area requesting the program change approves changes prior to development
- Application programmers make changes in the development environment
- Once work is completed, system administrators (e.g., SAP Basis) move the changed programs to the testing instance for users or IT staff to test
- IT and/or management of the business area perform an impact analysis prior to moving the change to production
- The move to production is scheduled, and users impacted by the change are notified
- After testing and quality assurance sign-off are complete, an IT staff member not involved in the change moves the change to production
- Programmers should not have direct access to the production instance and should not make changes directly in production
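A detective test of the change-control procedure above, added here as an example (it is not code from the book or from any ERP vendor). It answers the auditor's yes/no question for each change in a constructed list of change records: was it authorized before development, tested outside development, signed off, authorized for production, and moved by someone other than its developer? The field names, the "QAS" test-instance name and the sample records are assumptions standing in for a real transport log joined to the change-ticket system.

```python
"""Detective test of program change controls (added example).

Each record models one change promoted from development to production. In
practice the fields come from the transport log (who exported/imported what,
when) joined to the change ticket (who approved what). Names are assumed.
"""
from dataclasses import dataclass
from typing import Optional

TEST_INSTANCES = {"QAS", "TST"}   # assumed names of the non-production test systems


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    developer: str
    approved_before_dev_by: Optional[str]   # IT/business approval prior to development
    tested_in: Optional[str]                # instance in which the test was performed
    test_signed_off_by: Optional[str]       # user or QA sign-off
    approved_for_prod_by: Optional[str]     # management authorization for the move
    moved_to_prod_by: Optional[str]         # who imported the change into production
    made_directly_in_prod: bool = False     # change was edited in the production instance


def change_control_exceptions(rec):
    """Deficiencies found for one change; an empty list means every step was evidenced."""
    findings = []
    if rec.made_directly_in_prod:
        findings.append("change made directly in production")
    if not rec.approved_before_dev_by:
        findings.append("no authorization prior to development")
    if rec.tested_in not in TEST_INSTANCES:
        findings.append("no evidence of testing outside development")
    if not rec.test_signed_off_by:
        findings.append("no test sign-off")
    if not rec.approved_for_prod_by:
        findings.append("no management authorization prior to production move")
    if rec.moved_to_prod_by is not None and rec.moved_to_prod_by == rec.developer:
        findings.append("developer moved own change to production (segregation of duties)")
    if rec.approved_for_prod_by is not None and rec.approved_for_prod_by == rec.developer:
        findings.append("developer approved own change for production")
    return findings


def audit_changes(records):
    """Map change_id -> findings for every record with at least one exception."""
    result = {}
    for rec in records:
        findings = change_control_exceptions(rec)
        if findings:
            result[rec.change_id] = findings
    return result


def control_effective(records):
    """The yes/no conclusion of the test: no sampled change may carry an exception."""
    return not audit_changes(records)


# Constructed sample: one clean change, one developer-moved change, one cowboy edit.
SAMPLE = [
    ChangeRecord("CR-1001", "alice", "it_mgr", "QAS", "bob_user", "fin_mgr", "basis_carol"),
    ChangeRecord("CR-1002", "alice", "it_mgr", "QAS", "bob_user", "fin_mgr", "alice"),
    ChangeRecord("CR-1003", "dave", None, None, None, None, None, made_directly_in_prod=True),
]

if __name__ == "__main__":
    for change_id, findings in audit_changes(SAMPLE).items():
        print(change_id, "->", "; ".join(findings))
    print("control effective:", control_effective(SAMPLE))
```

The developer-equals-deployer comparison is the one line auditors most often script against real transport logs, because the preventive control (programmers have no import rights in production) is easy to assert and easy to disprove from the log.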

Information Security Controls

Information security controls help prevent unauthorized access to information systems resources.

Common deficiencies in information security controls:
- Access to IS resources is not properly managed, and rights are granted without adequate justification
- Access privileges to IS resources are not monitored to assure that they remain current, complete, and accurate
- Improper segregation of duties (SoD) is allowed within IS resources
- Improper SoD is present when setting up user accounts
- Too many super users (aka: system administrators,
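An SoD analysis of the kind an auditor (or a GRC tool) runs against the ERP user-role table, added here as an example; it is not from the book or any GRC product. It resolves each user's roles to business functions, looks for pairs of functions that a single person must not hold, counts super users, and flags accounts whose owner is no longer employed. The role names, the role-to-function mapping, the conflict ruleset and the user list are all constructed; a real ruleset has hundreds of conflicting function pairs.

```python
"""Segregation-of-duties analysis over user-role assignments (added example).

All roles, functions, conflicts and users below are constructed for illustration.
"""
from itertools import combinations

# Assumed mapping of ERP roles to the business functions they grant.
ROLE_FUNCTIONS = {
    "Z_VENDOR_MAINT": {"maintain_vendor_master"},
    "Z_AP_INVOICE":   {"enter_vendor_invoice"},
    "Z_AP_PAYMENT":   {"release_payment"},
    "Z_PO_CREATE":    {"create_purchase_order"},
    "Z_GR_POST":      {"post_goods_receipt"},
    "Z_BASIS_ADMIN":  {"maintain_users", "transport_to_production"},   # super user
    "Z_DISPLAY_ONLY": set(),
}

# Assumed SoD ruleset: function pairs one person must not hold, with the fraud risk.
CONFLICTS = {
    frozenset({"maintain_vendor_master", "enter_vendor_invoice"}): "create a fictitious vendor and bill it",
    frozenset({"maintain_vendor_master", "release_payment"}): "redirect payments to own bank account",
    frozenset({"enter_vendor_invoice", "release_payment"}): "enter and pay an unapproved invoice",
    frozenset({"create_purchase_order", "post_goods_receipt"}): "order and 'receive' goods never delivered",
    frozenset({"maintain_users", "transport_to_production"}): "grant own access and deploy own code",
}

SUPER_USER_ROLES = {"Z_BASIS_ADMIN"}


def functions_for(roles):
    """Union of the functions granted by a user's roles (unknown roles grant nothing)."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def sod_violations(user_roles):
    """{user: [(function_a, function_b, risk), ...]} for every user holding a conflicting pair."""
    violations = {}
    for user, roles in user_roles.items():
        hits = []
        for a, b in combinations(sorted(functions_for(roles)), 2):
            risk = CONFLICTS.get(frozenset({a, b}))
            if risk:
                hits.append((a, b, risk))
        if hits:
            violations[user] = hits
    return violations


def super_users(user_roles):
    """Accounts holding any super-user role; auditors compare the count to headcount."""
    return sorted(u for u, roles in user_roles.items() if SUPER_USER_ROLES & set(roles))


def stale_accounts(user_roles, active_employees):
    """Accounts whose owner is no longer active: a de-provisioning gap."""
    return sorted(u for u in user_roles if u not in active_employees)


# Constructed sample user-role assignments and HR active list.
USER_ROLES = {
    "jsmith": ["Z_PO_CREATE", "Z_GR_POST"],
    "mlee":   ["Z_AP_INVOICE", "Z_DISPLAY_ONLY"],
    "rkhan":  ["Z_VENDOR_MAINT", "Z_AP_PAYMENT"],
    "basis1": ["Z_BASIS_ADMIN"],
    "basis2": ["Z_BASIS_ADMIN"],
    "tgone":  ["Z_AP_INVOICE"],
}
ACTIVE_EMPLOYEES = {"jsmith", "mlee", "rkhan", "basis1", "basis2"}

if __name__ == "__main__":
    for user, hits in sod_violations(USER_ROLES).items():
        for a, b, risk in hits:
            print(f"{user}: {a} + {b} -> {risk}")
    print("super users:", super_users(USER_ROLES))
    print("stale accounts:", stale_accounts(USER_ROLES, ACTIVE_EMPLOYEES))
```

Where a conflict cannot be removed (a small accounting team, or a Basis administrator who necessarily holds both user maintenance and transport rights), the finding is not closed by deleting the rule; it is mitigated by a documented compensating control, typically a periodic review of that user's activity log by someone independent.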

Controls for Information Security

- Authentication: verifying the identity of users (you are who you say you are)
  - Two-factor authentication: combining two forms of ID
  - Multifactor authentication: combining two or more forms of ID from different categories (something you know, have, or are); two-factor is the most common case
  - RSA SecurID: an authentication token that uses a built-in clock and a factory-encoded random key to generate a code that changes every 60 seconds
  - Biometric software links a user's unique physical attributes to the data they are allowed to access
- Proper authorization of the nature and extent of user access privileges
- Data encryption and firewalls
- Defined roles and responsibilities, including notifications when roles are changed, transferred, or terminated
- Password controls

Computer Operations Controls

Computer operations controls focus on physical access to the IT resources that run a company; they are designed to protect against both environmental and man-made hazards.

Common deficiencies related to computer operations and data centers include:
- Poor job scheduling procedures
- Insufficient system back-up and recovery
- Unmanaged third-party service level agreements (e.g., maintenance, backup)
- Poor physical security over the data center

Computer Operations Controls

Some example controls in a data center are:
- Batch computer jobs are monitored by management
- Automated job scheduling tools
- Automated data retention tools
- ERP database is backed up at least once a week to an off-site location (and restores are tested; an untested backup is not a recovery control)
- Obtain a SAS 70 report for outsourced IS functions
- Uninterruptible power supply/generator
- Minimize entry and exit points
- Monitor entry/exit points with surveillance cameras

Evaluating Deficiencies in ITGC

Factors to consider:
- Nature and significance
- Pervasiveness of the deficiency
- Complexity of the systems environment
- Proximity of the control to applications and data
- Susceptibility to fraud
- Cause and frequency of known exceptions
- History of misstatements
- Competency of business and IT management

Controls over Outsourcing Business and IT Functions

Types:
- Application outsourcing: contracting for a data center to host a company's ERP system
- Business process outsourcing: a service provider performs a function for the company (e.g., outsourcing a company's HR processes, such as benefits and compensation)
- IT outsourcing: outsourcing maintenance of hardware

Statement on Auditing Standards No. 70 (SAS 70) is the authoritative guidance for service organizations and mandates that they disclose their internal control activities and processes to their customers in a uniform reporting format. (SAS 70 was superseded in 2011 by SSAE 16 and the SOC 1 report; the Type 1/Type 2 distinction described on the next slide carries over unchanged.)
- Must identify the applicable data centers, operating environments, and applications
- Service Auditor's Report: issued at the conclusion of a SAS 70 engagement to the service organization for distribution to its

Statement on Auditing Standards No. 70

Two types of SAS 70 Service Auditor's Reports:
- Type 1 Service Auditor's Report: includes the service auditor's opinion on the description of controls over the outsourced function in place at the service organization and the suitability of the design of these controls to achieve the specified control objectives
  - Does not present an opinion on the operating effectiveness of these controls
  - Cannot serve as first-hand testing in conjunction with the financial statement audit
- Type 2 Service Auditor's Report: includes the service auditor's opinion on whether the specific controls were operating effectively during the period under review
  - Can serve as first-hand testing in conjunction with the financial statement audit

ISACA Certifications for IT Audit, Security, and Governance

- Certified Information Systems Auditor (CISA): qualifies an individual as globally proficient in the areas of IS audit, control, and security
- Certified Information Security Manager (CISM): targets the information security management audience and bridges the knowledge gap between business strategy and IT security

ISACA Certifications for IT Audit, Security, and Governance

- Certified in the Governance of Enterprise IT (CGEIT): certification for professionals charged with satisfying the IT governance needs of an enterprise
  - What is IT governance? The leadership, organizational structures, and processes that ensure that an organization's technology sustains and extends the organization's strategies and objectives; it aligns IT with organizational objectives
- IT Governance Institute (ITGI): ISACA formed this to focus on original research, publications, resources, and symposia on IT governance and related topics
- Certified in Risk and Information Systems Control (CRISC): newest certification; recognizes IT and business professionals for their knowledge of enterprise

(ISC)² Certification for IT Audit, Security, and Governance

What is (ISC)²? The International Information Systems Security Certification Consortium, Inc., (ISC)², is the global leader in educating and certifying information security professionals throughout their careers. It administers the CISSP.
- Certified Information Systems Security Professional (CISSP): certification encompassing the information security and assurance tenets of confidentiality, integrity, and availability
- More technical than the other certifications

COBIT

Control Objectives for Information and related Technology (COBIT): a governance framework and supporting toolset that provides best-practice management guidelines for implementing IT governance as required by audits and SOX Section 404. COBIT is developed by ISACA and ITGI.

Figure 11-4: COBIT Cube (Source: ISACA)

COBIT Domains and IT Processes

- Plan and Organize: provides management with tactics and strategy concerning how IT can best contribute to the achievement of the business objectives
  - Example processes: Define a Strategic IT Plan and Direction; Define the Information Architecture
- Acquire and Implement: includes identifying IT requirements, acquiring IT, and implementing IT within the company's current business processes
  - Example processes: Acquire and Maintain Application Software; Acquire and Maintain Technology Infrastructure
- Deliver and Support: focuses on the delivery aspects of IT, as well as the support processes that enable the effective and efficient execution of systems
  - Example processes: Manage Third-party Services; Manage the Configuration; Ensure Systems Security
- Monitor and Evaluate: addresses performance management, monitoring of internal controls, regulatory compliance, and governance
  - Example processes: Monitor and Evaluate Internal Control; Ensure Regulatory Compliance; Provide IT Governance

Governance, Risk, and Compliance

Governance, Risk, and Compliance (GRC) enables organizations to maximize strategic and operational performance by cost-effectively managing regulatory and policy compliance, while proactively mitigating all types of business risk.
- Corporate governance: the structure and relationships that dictate how a corporation is directed, administered, and controlled
- Risk management: assesses the areas of exposure and potential impacts
- Compliance: the tactical action to mitigate risk; conforming to stated requirements

GRC tools provide access control, risk management and regulatory compliance (for audits, etc.): user provisioning, de-provisioning, segregation of duties,