ERP Systems: Audit and Control Risks
Presentation Transcript

  • Slide 1: ERP Systems: Audit and Control Risks
    Jennifer Hahn, Deloitte & Touche
    ISACA Spring Conference, April 26, 1999
  • Slide 2: Session Learning Objectives
    At the end of this session, the participant should be able to:
    – Understand key risks and control issues surrounding ERP systems
    – Understand the impact of ERP implementation on the internal audit organization
    – Explore alternatives for reengineering the audit approach
    © 1998 Deloitte Touche Tohmatsu. All rights reserved. fico.ppt
  • Slide 3: Session Topics
    – Key Risks and Control Issues
    – Impact on Internal Audit
    – Reengineering the Audit Approach
    – Questions & Comments
  • Slide 4: Key Risks and Control Issues (section title)
  • Slide 5: Why ERP Audit is Different (section title)
  • Slide 6: Technical Complexity
    – System usually resides on multiple computers
    – Optimum coordination is a challenge
    – Reliability and availability of data
      · Effective use of on-line reporting
    – System allows flexible configuration, customization and maintenance
  • Slide 7: Event Driven Processing
    – On-line real-time processing
      · All databases updated simultaneously
      · Rely on transaction balancing
      · Demands data validation before acceptance of data
      · Highly dependent on system-based controls
    – Traditional “batch” controls and audit trails are no longer available
      · Data entry accuracy is improved through the use of default values, cross-field checking and alternative views into the data
  • Slide 8: Integrated Database
    – All transactions are stored in one common database
    – Modules automatically create entries in the database for each other
    – Auditors need to understand the interactions and flow of information
    – Databases can be accessed by any module
    – System modules (applications) are transparent to users
  • Slide 9: Security and Access
    – Requires extensive, well thought out definition of security access capabilities
    – Authorizations occur within the application, not at the database level
    – Delivered system security is not necessarily strong
    – Network and database access security is also required
    – Significant rise in users who have access
    – Increased access from field personnel, vendors and customers
  • Slide 10: Implementation Impact
    – Typically, an ERP implementation is combined with a business reorganization/reengineering
    – Organizational changes and new business processes may be extensive
    – Resulting controls should also be different from traditional ones
  • Slide 11: Other Changes
    – Lack of hard copy documents
    – Controls are sometimes an afterthought
    – Traditional general computer controls are implemented within the application in some cases:
      · Security
      · Change Control
    – Some ERP systems are table driven:
      · Tables determine how transactions are processed
      · As table values change, system processing also changes
  • Slide 12: Key Exposures (section title)
  • Slide 13: Key Business Exposures
    Organizations face several new business risks when they migrate to a real-time, integrated ERP system:
    – Single point of failure, since all of the organization’s data and transaction processing is within one application
    – Complexity of architecture, applications and data structures makes it difficult to understand and operate effectively
    – Reengineering or business process redesign normally included in implementation
    – New technology environment
    – User acceptance of the system influences likelihood of success
  • Slide 14: Key Business Exposures (cont’d.)
    – Extensive expertise required to effectively operate
    – Significant personnel and organizational structure changes
    – Transition of traditional user roles to empowered-based roles
    – On-line, real-time system environment requires continuous business environment
    – Effort of training a large number of users
    – Challenging to embrace a tightly integrated environment when different business processes exist among business units
  • Slide 15: Key Technical Exposures
    – Inexperience with implementing and managing distributed computing technology may pose significant challenges
    – Increased remote access by users and outsiders
    – Extensive interfaces and data conversions from legacy systems and other commercial software often necessary
    – IS must transition to an organization that can support a distributed computing environment
  • Slide 16: Key Control Exposures
    – Opportunity to establish control environment is during system implementation, since extensive control is within the configuration
    – Complexity makes it difficult to understand and audit effectively
    – High integration allows increased access to applications and data
    – Necessity for temporary and permanent interfaces increases exposures of data integrity and security
    – Extensive expertise required to effectively audit and control
    – Audit may need to change audit approach
  • Slide 17: Impact on Internal Audit (section title)
  • Slide 18: Summary of Audit Challenges
    – Level of Understanding of ERP System
    – Process Audits
    – Interface Between Internal Audit & External Audit
    – Electronic Information
    – Data Issues
    – Computer Interfaces
    – Managing Expectations
  • Slide 19: Audit Challenges
    – Level of Understanding of ERP System
      · 1st year audits are opportunities
      · Management perception: ERP “does it all”
      · Use of a Subject Matter Expert
    – Process Audits
      · Many companies will reengineer business processes
      · Auditing the business process/internal controls will likely become the focus of the audit tests
  • Slide 20: Audit Challenges (cont’d.)
    – Interface Between Internal Audit and External Audit
      · Partnering with one another
      · Leveraging each other’s skill set
    – Electronic Information
      · Electronic information vs. hardcopy
      · Auditor profile to obtain information electronically
  • Slide 21: Audit Challenges (cont’d.)
    – Data Issues
      · Data Retention
      · Data Entry
      · Segregation of Duties
    – Computer Interfaces
      · Number of Interfaces
      · Data Analysis and Drill-Down
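Slide 9 notes that authorizations live inside the application rather than at the database level, and slide 21 lists segregation of duties among the data issues an auditor has to test. In practice that test is run over the user-to-role and role-to-activity assignments exported from the ERP system. The following is an added example, not part of the presentation or of any Deloitte or ERP-vendor tool: the role names, activity names, user assignments and rule set are constructed for illustration. It resolves nested (composite) roles transitively before checking each user's effective activities against a list of conflicting activity pairs, which is the case a check of direct role assignments alone would miss.

```python
"""Segregation-of-duties (SoD) conflict check over ERP user/role assignments.

Added example; all data below is constructed and not real ERP configuration.
Model: users hold roles; a role grants activities (e.g. transaction codes);
a composite role includes other roles. A user's effective access is the
union of every activity reachable through their roles, so composite roles
must be expanded before rules are applied.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample data (hypothetical role and activity names).
ROLE_ACTIVITIES: Dict[str, Set[str]] = {
    "AP_CLERK": {"CREATE_VENDOR", "ENTER_INVOICE"},
    "AP_PAYMENTS": {"RELEASE_PAYMENT"},
    "GL_POSTING": {"POST_JOURNAL"},
    "AUDIT_READ": {"DISPLAY_VENDOR", "DISPLAY_INVOICE"},
}

# Composite roles include other roles, which may themselves be composite.
COMPOSITE_ROLES: Dict[str, Set[str]] = {
    "AP_SUPERVISOR": {"AP_CLERK", "AP_PAYMENTS"},
    "FINANCE_ALL": {"AP_SUPERVISOR", "GL_POSTING"},
}

USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK"},                 # no conflict
    "bob": {"AP_CLERK", "AP_PAYMENTS"},    # conflict via direct assignment
    "carol": {"FINANCE_ALL"},              # conflict reached only by nesting
    "dave": {"AUDIT_READ", "GL_POSTING"},  # display-only plus posting: clean
}

# SoD rules: (activity A, activity B, description). A single user holding
# both A and B is a finding. Rule set is constructed for the example.
SOD_RULES: List[Tuple[str, str, str]] = [
    ("CREATE_VENDOR", "RELEASE_PAYMENT", "create vendor + release payment"),
    ("ENTER_INVOICE", "RELEASE_PAYMENT", "enter invoice + release payment"),
]


def effective_activities(
    roles: Iterable[str],
    role_activities: Dict[str, Set[str]] = ROLE_ACTIVITIES,
    composite_roles: Dict[str, Set[str]] = COMPOSITE_ROLES,
) -> Set[str]:
    """Expand composite roles transitively and return the union of activities.

    The `seen` set guards against cycles in the composite-role graph and
    against visiting a role twice; roles that grant nothing contribute nothing.
    """
    seen: Set[str] = set()
    stack: List[str] = list(roles)
    activities: Set[str] = set()
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        activities |= role_activities.get(role, set())
        stack.extend(composite_roles.get(role, set()))
    return activities


def find_conflicts(
    user_roles: Dict[str, Set[str]] = USER_ROLES,
    rules: List[Tuple[str, str, str]] = SOD_RULES,
    role_activities: Dict[str, Set[str]] = ROLE_ACTIVITIES,
    composite_roles: Dict[str, Set[str]] = COMPOSITE_ROLES,
) -> Dict[str, List[str]]:
    """Return {user: [violated rule descriptions]} for users with conflicts only."""
    findings: Dict[str, List[str]] = {}
    for user, roles in sorted(user_roles.items()):
        acts = effective_activities(roles, role_activities, composite_roles)
        hits = [desc for a, b, desc in rules if a in acts and b in acts]
        if hits:
            findings[user] = hits
    return findings


def report(findings: Dict[str, List[str]]) -> List[str]:
    """Render findings as one line per user, suitable for an audit workpaper."""
    return [f"{user}: {'; '.join(hits)}" for user, hits in findings.items()]


if __name__ == "__main__":
    for line in report(find_conflicts()):
        print(line)
```

Running the block prints one line for bob and one for carol; carol's conflict is only visible because FINANCE_ALL is expanded down to AP_CLERK and AP_PAYMENTS, which is why a review that stops at the directly assigned role names is not sufficient in a table-driven authorization structure.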
  • Slide 22: Audit Challenges (cont’d.)
    – Managing Expectations
      · Self-sufficient in identifying and drilling down into information
      · Change in audit: sharing of best practice information; adding value
      · Reduction in hours: effective and efficient audits with little start-up costs; all processes and computing on one system, therefore hours are expected to be lower
  • Slide 23: Audit Organization Impact
    Internal Audit must address the new environment in several respects:
    – Training
    – Staffing
    – Implementation Approach
    – Audit Methodology
    – Roles for the Auditor
  • Slide 24: Staffing
    – Complexity of system environment requires staffing model with higher ratios of:
      · Information Systems Auditors
      · Integrated Auditors
    – Traditional Financial and Operational Auditors must transform to Integrated Auditors
    – Audits of complex and technical areas may need to be supplemented by experienced resources
  • Slide 25: Training
    – Detailed knowledge of ERP systems necessary in order to effectively understand security and control issues over:
      · application areas
      · technical environment
    – Significant training necessary to adequately understand the new environment
    – Must learn a security and controls implementation methodology
    – May need to learn new tools (e.g., ABAP/4 for SAP) in order to effectively audit ERP
    – Consider vendor training and joining user groups
  • Slide 26: Implementation Approach
    – Audit should take an active role during the implementation
    – Reengineered business processes require a change in the method of control
    – New security, audit and control tools should be developed to facilitate the effective implementation and operation of the control environment
    – On-going involvement with R/3 implementations required
  • Slide 27: Audit Methodology
    – Traditional audit methodologies and approaches must be modified to effectively audit R/3 in a cost-effective manner
    – Integrated audits necessary for the new environment
    – New audit tools should be developed to facilitate efficient and effective audits
  • Slide 28: Roles for the Auditor (two columns)
    Integrated Approach
      · Focus on the design and implementation of controls for new systems
      · Give consideration to: project risk; business process risk assessment
      · Perform tests to ensure implementation of controls
    Pre-implementation Review
      · Focus on the controls design for new systems
      · Give consideration to: review of business case; project risk; business process risk assessment
      · Review of performance measurement criteria
  • Slide 29: Roles for the Auditor (two columns)
    Post-implementation Review
      · Focus on the implementation of controls for new systems
      · Give consideration to: risk assessment of business process impact; achievement of project objectives and business case
      · Review of implemented performance measurements
    Quality Assurance Audit
      · Participation throughout project
      · Focus on overall quality of business process reengineering program
      · Give consideration to ability to impact project
      · Consider specific deliverables at each key project milestone
  • Slide 30: Reengineering the Audit Approach (section title)
  • Slide 31: Audit Scope
    – Evaluate the complexity of the technology environment
    – Identify which ERP modules have been implemented
    – Evaluate the existence of distributed applications
    – Determine whether legacy systems are used
    – Obtain an understanding of the organizational model
    – Obtain a high level understanding of the controls in place over:
      · General Computer Controls
      · Business Process Controls
  • Slide 32: Testing Considerations
    – Difficult to perform financial audits without relying on internal controls:
      · Clients using ERP are usually large multi-national corporations with complex structure and reporting
      · More internal control testing, less substantive testing
    – Documentation of testing
    – Design of effective tests of controls
      · Audit steps are different
      · Audit issues are different
  • Slide 33: Operational Audit Considerations
    – Increased difficulty and importance in definition of the scope of the audit
    – A detailed understanding of client processes is required
    – An increased level of Operational Audit technical knowledge and computer-related controls is required
    – The roles and responsibilities of Operational Audit and Computer Audit become more integrated
  • Slide 34: Computer Audit Considerations
    – An increase in the level of technical Enterprise Resource Planning (ERP) system knowledge
    – A detailed understanding of ERP-specific General Computer Controls, especially:
      · Security Authorization Structure
      · Correction and Transport System
    – An increased understanding of business processes and the related ERP controls
    – An increase in the integration of Computer Audit and Financial Audit
  • Slide 35: Audit Process (diagram; only its labels survive)
    Phases: Planning and Scoping; Functional/Process Reviews; Final Delivery
    Assurance streams: General Computer Controls Assurance; Operation and Process Assurance
    Responsible groups: Operations Audit; Computer Audit; Operations and Computer Audit
  • Slide 36: Roles and Responsibilities
    – Identify all the team members that will serve the client: Operations Audit, Computer Audit and other specialists
    – No hard and fast rule to split roles and responsibilities between audit groups
    – Actual differentiation of roles and responsibilities is determined on a client-to-client basis
    – An evaluation needs to be made by the audit team as to how the roles and responsibilities should be defined
    – The important issue is that the client should have a
      · seamless and efficient audit
      · from a well integrated and knowledgeable team
  • Slide 37: Questions & Comments (section title)