Auditing ERP Systems

At a glance
The document discusses the importance of integrating business processes and sharing common data across an enterprise using an ERP system.

Some of the main ERP systems discussed include SAP, Oracle, PeopleSoft, Microsoft Navision, BAAN/Infor, and JDE-JD Edwards.

Implementing an ERP system can help automate and integrate business processes, share common data practices, and access information in real-time.

EDUCATION, LEARNING AND TEACHING

I have never let my schooling interfere with my education.
Mark Twain (1835-1910), American writer.

EDUCATION, LEARNING AND TEACHING

Men are born ignorant, not stupid; they are made stupid by education.
Bertrand Russell (1872-1970), English philosopher, mathematician and writer.

Learning is finding out what you already know. Doing is demonstrating that you know it. Teaching is reminding others that they know just as well as you. You are all learners, doers, teachers ... .
Richard Bach

AUDITING

Enterprise Resource Planning Systems

What is an ERP
An Enterprise Resource Planning system is a packaged business software system that allows a company to:
Automate and integrate the majority of its business processes, producing efficient consistency across the organization
Share common data and practices across the entire enterprise, supported by one-time data entry
Produce and access information in a real-time environment

What is an ERP ?
ERP Solutions
1. SAP
2. Oracle
3. PeopleSoft
4. Microsoft Navision
5. BAAN / Infor
6. JDE JD Edwards
7. SSA Global
8. Ramco Marshal
9. Tally

Agenda

ERP & Impact on Business


ERP & Impact on Enterprise Assurance
SAP Perspective (SAP P2P Scenario)

ERP & Impact on Business

There are essentially four questions that Goldratt asks in order to address the question of whether you will need an ERP, and these are:
1. What is the power of ERP? (What can it do? What benefits can I derive from its use?)
2. What limitations does ERP diminish? (Will the motorbike get me there safer, faster, or sooner than I really need to? Can I afford the petrol?)
3. What rules did we obey that enabled us to function without ERP? (Will I need a driver's license?)
www.goldratt.com/

ERP & Impact on Business

4. What new rules should we obey after installing ERP? (Do we still live in information silos, ignoring the fundamental benefit of ERP, which is integration?)

The fifth question would probably be,

5. What will happen after Oracle buys PeopleSoft, and better still if SAP buys Oracle or vice versa? MicroSAP - maybe? Maybe not. If not, why not?
www.goldratt.com/

ERP & Impact on Business


Why ERP ?
Legacy environment

Multiple systems

Non integrated

Disperse & diversified

In-house developed

Batch Processing oriented

Closed Systems

Demand for In-house IT programming skills

ERP & Impact on Business


Wikipedia on Implementation: Legacy environment before ERP

Prior to the concept of ERP, departments within an organization would have their own computer systems. For example, the Human Resources (HR) department, the Payroll (PR) department, and the Finance department. The HR computer system (often called HRMS or HRIS) would typically contain information on the department, reporting structure, and personal details of employees. The PR department would typically calculate and store paycheck information. The Finance department would typically store financial transactions for the organization.

ERP & Impact on Business


Legacy
Environment

Often they are duplicated in each division

ERP & Impact on Business


Why ERP ?
ERP environment
Few Systems
Common integrated database
Integrated Business Solutions
Standard or best practices
Vendor Developed (specialist)
Strategic & Decision Supporting (OLAP)
Open for Collaboration
Complex and requires new set of Skills

ERP & Impact on Business


ERP environment

ERP & Impact on Business


Business processes

Automated/ Semi Automated Processes.

Inbuilt Business Process Controls.

Defined (Configured) & subject to change management controls.

System enforced procedures.

Access to best practices.

Scalability & Flexibility to change.

Better business process controls.

ERP & Impact on Business


Business processes

Source:
ISACA-Security, Audit and Control Features SAP ERP: A Technical and Risk Management Reference Guide

ERP & Impact on Business

Business processes

Work-flow enabled.

Real time transaction processing.

Better MIS for decision support.

Better exception monitoring & review

Increased working capital efficiency.

Business intelligence & OLAP.

ERP & Impact on Business

Information Technology

Paradigm shift from other layers to Application Layer.

Relevance of Security

Access Rights Management

BCP or DRP

System Administration & Management.

New skills requirement

Agenda

ERP & Impact on Business


ERP & Impact on Enterprise Assurance
SAP Perspective (SAP P2P Scenario)

ERP & Impact on Enterprise Assurance.

Significant reengineering of the audit approach needs to be undertaken to adjust to the new ERP environment. The enterprise's concept of the audit universe may need to change to audit the new system effectively. A risk assessment should be performed and the audit approach should be modified accordingly.

Integrated audits covering business process and security aspects are necessary in the ERP environment.
Source:
ISACA-Security, Audit and Control Features SAP ERP: A Technical and Risk Management Reference Guide

ERP & Impact on Enterprise Assurance.


Common Myths

It's a Systems Auditor's job.

FS audit can be business as usual.

ERP audits are expensive.

ERP audit is a separate domain by itself.

IT auditors should know everything.

Auditors cannot understand ERP.

ERP review is a one-time exercise.

ERP & Impact on Enterprise Assurance.


Common Questions
There were systems before.......

Why did ERP audit become so important, all of a sudden?

Why is IT security more important now?

Why has audit become more costly now?

Should every auditor understand ERP?

What modules & how many systems?

How many ERPs to understand?

Can't we ignore the system and do the audit?

ERP & Impact on Enterprise Assurance.


Corporate Governance & ERP

More reliable.

Visibility of data

Implement governance tools (whistle blower, SEM, GRC etc)

Access to FS & Other data to Board

Future real time on line accounting & publishing

Integrated system for corporate & regulators?

Integrity and traceability of data.

Captured identity at transactional level

ERP & Impact on Enterprise Assurance.


EDP vs ERP Audit

EDP stands for Electronic Data Processing and ERP is Enterprise Resource Planning.

ERP is strategic in managing the business. EDP was just another improved way of processing the data.

ERP & Impact on Enterprise Assurance.

EDP vs ERP Audit


The controls tested as part of EDP audit:

Input Controls

Processing Controls

Output Controls

ERP & Impact on Enterprise Assurance.


EDP vs ERP Audit
The controls tested in ERP environment:

Inherent Controls

Configurable Controls

Security Controls

Reporting Controls

ERP & Impact on Enterprise Assurance.


EDP vs. ERP Audit
Does it mean the concepts learned in EDP audit are no longer valid?

Yes/No

The concepts remain valid, but the ERP environment demands knowledge of the system in order to leverage the ERP functionality and bring efficiency.

Some of the tests designed for legacy or EDP environments are no longer valid or required.

Instead, some new tests need to be conducted or new methods adopted.

ERP & Impact on Enterprise Assurance.

ERP Risks

Implementation Risk

Inappropriate Configurations (Org. structure or processes in SAP)

Underutilization

Complexity, BCP/DRP

Integrated database & event driven processing

Access Rights & SOD

Need for continuous monitoring

ERP & Impact on Enterprise Assurance.


Redefined IS Audit Skills

Understanding of IT in general.

Understanding of Business processes.

Knowledge of systems functionality.

Generalist in technology & Specialist in product?

Knowledge of EAI (Enterprise Application Integration) enablers/products.

Interface Technologies & Controls.

Understanding of open-source collaborations.

ERP & Impact on Enterprise Assurance.


Industry solutions

SAP- AIS/GRC/MIC/SEM Risk Management/SEM Cockpit.

Oracle ICM

PeopleSoft ICE (Internal Controls Enforcer)

JDE

Approva

CSI Auditor

Other solutions by the third parties

ACL

ERP & Impact on Enterprise Assurance.


Industry solutions
Characteristics of solutions:

Data extracting & Analyzing

Integrated with Mother Applications (ERP)

Document Management Software

Audit life cycle management solutions

Continuous monitoring & Audit tools

Forward Looking

Effective & Efficient but costly.

Basic framework for Control objectives & Control activities etc.

Agenda

ERP & Impact on Business


ERP & Impact on Enterprise Assurance
SAP Perspective

SAP perspective.

Overview

SAP: Systems, Applications, and Products in Data Processing.
Founded in 1972

SAP perspective.
Overview
Is the world's largest ERP software company, and the world's third-largest independent software supplier overall
Has 10+ million users, 80,000+ installations, 1,500+ partners
Revenue $8 billion: software, consulting and maintenance roughly a third each
Employs over 29,600 people in more than 50 countries
Invests an average of 25% of revenue in R&D
Achieves high customer and employee satisfaction

SAP Solutions
Original product was SAP R/2 on the mainframe, introduced in 1974
SAP R/3 introduced for smaller platforms in October 1992
Developed using a fourth generation proprietary language developed by SAP called ABAP/4
Major application versions:
2.2h
3.0d, 3.0e, 3.0f, 3.1g, 3.1h, 3.1i
4.0b
4.5b
4.6b, 4.6c
Enterprise 4.7
mySAP ERP 2004 (ECC 5.0)
mySAP ERP 2005 (ECC 6.0)

Current Solutions
mySAP Business Suite
Set of application solutions for automating business processes

Industry Solutions
Specific functionality tailored for industry specific business requirements

SAP xApps
Cross-application components that span multiple solutions and business units

SAP NetWeaver
Technical platform for SAP and other solutions that provides a flexible infrastructure and seamless integration

mySAP Business Suite

Formerly referred to as mySAP.com


Set of software solutions
mySAP Customer Relationship Management
mySAP ERP (R/3)

mySAP Supplier Relationship Management


mySAP Supply Chain Management

mySAP ERP

Formerly referred to as R/3


Set of integrated modules in four main areas:
Financials
Human Capital Management
Operations
Corporate Services

mySAP ERP Features and Effects

Features

Highly integrated
Comprehensive functionality
Complex data structures
Availability of data
Single point of entry
On-line data capture and real-time update

Effects
Requires strong application knowledge
Causes personnel and organizational structure changes
Causes business process changes

SAP Modules Functional Category

Functional Category: Modules
Financials: FI, CO, AA, PS, ECCS
Operations: SD, MM, PM, PP, QM, LO
Human Capital: PA, PD
Corporate Services: T&E, EHS

Financials (FI)

General Ledger
Accounts Receivable
Accounts Payable
Tax and Financial Reports
Special Purpose Ledger
Consolidations

Controlling (CO)

Cost Center Accounting
Profit Center Accounting
Product Cost Controlling
Profitability Analysis
Activity Cost Management
Internal Orders

Asset Accounting (AA)

Depreciation
Property Values
Insurance Policies
Capital Investment Grants

Project System (PS)

Project Tracking
Work Breakdown Structure
Budget Management
Cost and Revenue Planning
Networks and Resources

Sales and Distribution (SD)

Computer Aided Sales
Quotations
Sales Order Management
Pricing
Delivery
Invoicing

Plant Maintenance (PM)

Plant Maintenance
Equipment and Technical Objects
Preventive Maintenance
Service Management
Maintenance Order Management

Quality Management (QM)

Quality Certificates
Inspection Processing
Planning Tools
Quality Control
Quality Notifications

Human Capital Management (HR)

Personnel Administration
Payroll, Benefits
Time Management
Planning and Development
Organization Management

Corporate Services (CS)

Travel Management
Real Estate Management
Environment, Health, and Safety
Incentive and Commission Management

Comprehensive Industry Solutions

[Figure: R/3 core (SAP Financials, SAP Logistics, SAP Human Resources) surrounded by the industry solutions listed below]

SAP Consumer Products
SAP High Tech & Electronics
SAP Engineering & Constr.
SAP Insurance
SAP Oil & Gas
SAP Utilities
SAP Service Provider
SAP Health Care
SAP Automotive
SAP Public Sector
SAP Telecomm.
SAP Chemicals
SAP Pharmaceuticals
SAP Retail
SAP Media
SAP Aerospace & Defense
SAP Mill Products
SAP Banking

SAP perspective.

Client Server Architecture

SAP perspective.
SAMPLE- Procurement as a Business Process

SAP perspective.
Invoice Processing or Invoice Verification (Semi
Automated)

SAP perspective.
Impact on IT Controls

IS operations
IS security
Database administration
Networking
Change Management

Others (single sign on, trusted systems, RFC, Interface controls, User monitoring)

SAP perspective
Audit & Risk management

AIS- Audit Information System


MIC- Management of Internal Controls
GRC- Governance Risk & Compliance
SEM- Strategic Enterprise Management

SAP perspective.
Audit Information System
The Audit Information System (AIS), transaction code SECR, is a centrally organized location for the audit features and functions developed in SAP ERP. It can be used in all versions since 3.0D. Not all functions are available in each version, as functionality is based on the release level. AIS does not provide any new SAP features; it merely consolidates and draws upon existing SAP information available within SAP standard transactions, tables and reports.

AIS is an auditing tool designed to:
Improve the quality of an audit
Rationalize the audit process

Source:
ISACA-Security, Audit and Control Features SAP ERP: A Technical and Risk Management Reference Guide

SAP perspective.
Audit Information System
AIS consists of an audit report tree structured around a range of
auditing functions, including:
Auditing procedures and documentation
Auditing evaluations
Downloading audit data
AIS is specifically targeted toward:

External auditing
Internal auditing/data protection
Controlling
System auditing
Source:
ISACA-Security, Audit and Control Features SAP ERP: A Technical and Risk Management Reference Guide

SAP perspective
GRC- New Approach
Definition of Governance, Risk, and Compliance
Here's a simple way to think about GRC:
Governance manages the strategic directives a company
wants to follow.
Risk management assesses the areas of exposure and
potential impacts.
Compliance is the tactical action to mitigate risk.
SAP Snaps Up Virsa Systems to Enhance Compliance Story, AMR Research,
April 3, 2006.

SAP perspective.

Final Word

Leveraging the technology & solutions.


New Skills.

Proactive & forward looking solutions.


Integrated enterprise level approach for Audit.

Automated solutions, Continuous monitoring & Audits.


Changing traditional Risk Management for Business value.

Hacking Hint !!!!

AUDITING ERP SYSTEMS

Contact:
Email: [email protected]
Phone: +91-9930939977
