
ERP Systems: Audit and Control Risks



  1. ERP Systems: Audit and Control Risks
     Jennifer Hahn, Deloitte & Touche
     ISACA Spring Conference, April 26, 1999
  2. Session Learning Objectives
     • At the end of this session, the participant should be able to:
       – Understand key risks and control issues surrounding ERP systems
       – Understand the impact of ERP implementation on the internal audit organization
       – Explore alternatives for reengineering the audit approach
     © 1998 Deloitte Touche Tohmatsu. All rights reserved. fico.ppt
  3. Session Topics
     • Key Risks and Control Issues
     • Impact on Internal Audit
     • Reengineering the Audit Approach
     • Questions & Comments
  4. Key Risks and Control Issues
  5. Why ERP Audit is Different
  6. Technical Complexity
     • The system usually resides on multiple computers
     • Optimum coordination is a challenge
     • Reliability and availability of data
       – Effective use of on-line reporting
     • The system allows flexible configuration, customization and maintenance
  7. Event Driven Processing
     • On-line, real-time processing
       – All databases are updated simultaneously
       – Relies on transaction balancing
       – Demands data validation before the data is accepted
       – Highly dependent on system-based controls
     • Traditional "batch" controls and audit trails are no longer available
       – Data entry accuracy is improved through the use of default values, cross-field checking and alternative views into the data
  8. Integrated Database
     • All transactions are stored in one common database
     • Modules automatically create entries in the database for each other
     • Auditors need to understand the interactions and flow of information
     • Databases can be accessed by any module
     • System modules (applications) are transparent to users
  9. Security and Access
     • Requires an extensive, well-thought-out definition of security access capabilities
     • Authorizations occur within the application, not at the database level
     • Delivered system security is not necessarily strong
     • Network and database access security is also required
     • Significant rise in the number of users who have access
     • Increased access from field personnel, vendors and customers
  10. Implementation Impact
     • Typically, an ERP implementation is combined with a business reorganization/reengineering
     • Organizational changes and new business processes may be extensive
     • The resulting controls should also differ from traditional ones
  11. Other Changes
     • Lack of hard-copy documents
     • Controls are sometimes an afterthought
     • Traditional general computer controls are, in some cases, implemented within the application:
       – Security
       – Change control
     • Some ERP systems are table driven:
       – Tables determine how transactions are processed
       – As table values change, system processing also changes
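The last point on slide 11 is the one an auditor has to internalize: in a table-driven system the control is the table value, so a change to the table is a change to the control, and the change-control checks of slide 34 (the Correction and Transport System) apply to configuration data as much as to code. The example below is added here to make that concrete; it is not code from the presentation or from any ERP vendor. The tolerance-group table, the user-to-group mapping, the change-log line format and the change-request identifiers are all constructed for illustration.

```python
"""Table-driven control: a posting limit lives in a configuration table, so the
same code path produces a different outcome once the table changes. The audit
function then checks a (constructed) table change log the way a change-control
review would. Everything below is illustrative data, not a vendor's tables."""
from dataclasses import dataclass
from datetime import datetime

# Assumed configuration table: per tolerance group, the largest amount a user
# may post on one document and the payment difference the system auto-clears.
TOLERANCE_TABLE = {
    "CLERK":  {"max_amount_per_document": 10_000.0, "max_payment_difference": 25.0},
    "SENIOR": {"max_amount_per_document": 100_000.0, "max_payment_difference": 250.0},
}
USER_TOLERANCE_GROUP = {"jdoe": "CLERK", "asmith": "SENIOR"}  # assumed mapping


def posting_allowed(user, amount, table=TOLERANCE_TABLE):
    """The control itself: nothing but the table value decides the outcome."""
    limits = table[USER_TOLERANCE_GROUP[user]]
    return amount <= limits["max_amount_per_document"]


def demo_table_drives_processing():
    """Same user, same amount, same code; only the table differs."""
    widened = {**TOLERANCE_TABLE,
               "CLERK": {**TOLERANCE_TABLE["CLERK"], "max_amount_per_document": 500_000.0}}
    return posting_allowed("jdoe", 250_000.0), posting_allowed("jdoe", 250_000.0, widened)


# Constructed change-log extract. Assumed format:
# timestamp|table|key|field|old|new|changed_by|change_request
CHANGE_LOG = """\
1999-03-02T09:14:00|TOLERANCE|CLERK|max_payment_difference|25.0|30.0|basis1|CR-0412
1999-03-15T23:51:00|TOLERANCE|CLERK|max_amount_per_document|10000.0|500000.0|jdoe|
1999-03-16T08:02:00|TOLERANCE|CLERK|max_amount_per_document|500000.0|10000.0|jdoe|
"""
APPROVED_CHANGE_REQUESTS = {"CR-0412"}  # assumed: from the change-management system
CONFIG_ADMINS = {"basis1"}              # assumed: who may change configuration tables


@dataclass(frozen=True)
class TableChange:
    at: datetime
    table: str
    key: str
    field: str
    old: str
    new: str
    changed_by: str
    change_request: str


def parse_change_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, table, key, field, old, new, who, cr = line.split("|")
        rows.append(TableChange(datetime.fromisoformat(ts), table, key, field, old, new, who, cr))
    return rows


def audit_table_changes(changes, approved, admins):
    """Return (change, reason) findings for three change-control checks: the
    change is tied to an approved change request, it was made by a configuration
    administrator rather than an end user, and a value that is widened and then
    put back (a temporary loosening of the control) is flagged as a pair, because
    the final table state alone would look untouched."""
    findings = []
    for c in changes:
        if c.change_request not in approved:
            findings.append((c, "no approved change request"))
        if c.changed_by not in admins:
            findings.append((c, "changed by a non-administrator"))
    by_field = {}
    for c in changes:
        by_field.setdefault((c.table, c.key, c.field), []).append(c)
    for seq in by_field.values():
        seq.sort(key=lambda c: c.at)
        for earlier, later in zip(seq, seq[1:]):
            if later.new == earlier.old and later.old == earlier.new:
                findings.append((later, "reverts change made at " + earlier.at.isoformat()))
    return findings


if __name__ == "__main__":
    print("before/after table change:", demo_table_drives_processing())
    for change, reason in audit_table_changes(parse_change_log(CHANGE_LOG),
                                              APPROVED_CHANGE_REQUESTS, CONFIG_ADMINS):
        print(change.at.isoformat(), change.field, change.old, "->", change.new,
              "by", change.changed_by, ":", reason)
```

The revert check is the part worth carrying into real work: a limit raised at 23:51 and restored the next morning leaves the table looking correct at year end, so an audit that samples current table values rather than the change history never sees it.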
  12. Key Exposures
  13. Key Business Exposures
     Organizations face several new business risks when they migrate to a real-time, integrated ERP system:
     • Single point of failure, since all of the organization's data and transaction processing is within one application
     • Complexity of architecture, applications and data structures makes it difficult to understand and operate effectively
     • Reengineering or business process redesign is normally included in the implementation
     • New technology environment
     • User acceptance of the system influences the likelihood of success
  14. Key Business Exposures (cont'd.)
     • Extensive expertise is required to operate effectively
     • Significant personnel and organizational structure changes
     • Transition of traditional user roles to empowered roles
     • An on-line, real-time system environment requires a continuously operating business environment
     • Effort of training a large number of users
     • Challenging to embrace a tightly integrated environment when different business processes exist among business units
  15. Key Technical Exposures
     • Inexperience with implementing and managing distributed computing technology may pose significant challenges
     • Increased remote access by users and outsiders
     • Extensive interfaces and data conversions from legacy systems and other commercial software are often necessary
     • IS must transition to an organization that can support a distributed computing environment
  16. Key Control Exposures
     • The opportunity to establish the control environment is during system implementation, since extensive control is within the configuration
     • Complexity makes it difficult to understand and audit effectively
     • High integration allows increased access to applications and data
     • The necessity for temporary and permanent interfaces increases data integrity and security exposures
     • Extensive expertise is required to audit and control effectively
     • Audit may need to change its audit approach
  17. Impact on Internal Audit
  18. Summary of Audit Challenges
     • Level of Understanding of ERP System
     • Process Audits
     • Interface Between Internal Audit & External Audit
     • Electronic Information
     • Data Issues
     • Computer Interfaces
     • Managing Expectations
  19. Audit Challenges
     • Level of Understanding of ERP System
       – 1st-year audits are opportunities
       – Management perception: ERP "does it all"
       – Use of a subject matter expert
     • Process Audits
       – Many companies will reengineer business processes
       – Auditing the business process/internal controls will likely become the focus of the audit tests
  20. Audit Challenges (cont'd.)
     • Interface Between Internal Audit and External Audit
       – Partnering with one another
       – Leveraging each other's skill set
     • Electronic Information
       – Electronic information vs. hard copy
       – Auditor profile to obtain information electronically
  21. Audit Challenges (cont'd.)
     • Data Issues
       – Data retention
       – Data entry
       – Segregation of duties
     • Computer Interfaces
       – Number of interfaces
       – Data analysis and drill-down
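Slide 9 makes the point that authorizations live inside the application rather than at the database level, and slide 21 lists segregation of duties among the data issues. Put together, the practical test is: extract the application's user-to-role and role-to-transaction tables and evaluate a conflict matrix over each user's effective access across all their roles, since the conflict usually arises from the combination of two individually reasonable roles. The following is an added example written for this page, not code from the presentation or from any ERP vendor; the role names, transaction codes, conflict rules and user assignments are all constructed, and the "*" wildcard stands in for the kind of all-powerful delivered profile slide 9 warns about.

```python
"""Segregation-of-duties analysis over an (assumed) authorization extract.
All names below are constructed for illustration, not any vendor's delivered
roles or transaction codes."""

# Assumed role -> transactions table, as extracted from the application's own
# authorization tables (the database grants say nothing about this).
ROLE_TRANSACTIONS = {
    "AP_CLERK":            {"VENDOR_INVOICE_POST", "VENDOR_DISPLAY"},
    "VENDOR_MASTER_MAINT": {"VENDOR_CREATE", "VENDOR_CHANGE", "VENDOR_DISPLAY"},
    "PAYMENT_RUN":         {"PAYMENT_PROPOSAL", "PAYMENT_EXECUTE"},
    "REPORTING":           {"VENDOR_DISPLAY", "GL_REPORT"},
    "ALL_POWERFUL":        {"*"},  # wildcard profile: everything, as some systems ship it
}

# Assumed user -> roles assignments.
USER_ROLES = {
    "jdoe":   {"AP_CLERK", "REPORTING"},
    "asmith": {"AP_CLERK", "VENDOR_MASTER_MAINT"},
    "basis1": {"ALL_POWERFUL"},
    "mlee":   {"PAYMENT_RUN"},
}

# Conflict matrix: two activity sets one person should not hold together.
SOD_RULES = {
    "create vendor + post vendor invoice":
        ({"VENDOR_CREATE", "VENDOR_CHANGE"}, {"VENDOR_INVOICE_POST"}),
    "post vendor invoice + execute payment":
        ({"VENDOR_INVOICE_POST"}, {"PAYMENT_EXECUTE"}),
}


def effective_transactions(user, user_roles=USER_ROLES, role_tx=ROLE_TRANSACTIONS):
    """Union of everything the user's roles grant; the unit SoD is judged on."""
    tx = set()
    for role in user_roles.get(user, ()):
        tx |= role_tx.get(role, set())
    return tx


def _has_any(tx, wanted):
    """A wildcard grant satisfies every side of every rule."""
    return "*" in tx or bool(tx & wanted)


def sod_conflicts(user_roles=USER_ROLES, role_tx=ROLE_TRANSACTIONS, rules=SOD_RULES):
    """user -> [(rule name, roles contributing to the conflict)], evaluated on
    effective access so that a conflict assembled from two clean roles is caught."""
    findings = {}
    for user in user_roles:
        tx = effective_transactions(user, user_roles, role_tx)
        for name, (side_a, side_b) in rules.items():
            if _has_any(tx, side_a) and _has_any(tx, side_b):
                roles = sorted(r for r in user_roles[user]
                               if _has_any(role_tx.get(r, set()), side_a | side_b))
                findings.setdefault(user, []).append((name, roles))
    return findings


def roles_that_conflict_alone(role_tx=ROLE_TRANSACTIONS, rules=SOD_RULES):
    """Roles that embed both sides of a rule by themselves: a role-design defect
    that no user-level review or reassignment can fix."""
    out = {}
    for role, tx in role_tx.items():
        for name, (side_a, side_b) in rules.items():
            if _has_any(tx, side_a) and _has_any(tx, side_b):
                out.setdefault(role, []).append(name)
    return out


if __name__ == "__main__":
    for user, hits in sod_conflicts().items():
        for rule, via in hits:
            print(f"{user}: {rule} via {', '.join(via)}")
    print("roles conflicting on their own:", roles_that_conflict_alone())
```

Two things the output shows that a role-by-role review misses: asmith has no single bad role, the conflict exists only in the combination; and the wildcard profile trips every rule at once, which is the case to look for first in a delivered configuration.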
  22. Audit Challenges (cont'd.)
     • Managing Expectations
       – Self-sufficient in identifying and drilling down into information
       – Change in audit
         · Sharing of best-practice information
         · Adding value
       – Reduction in hours
         · Effective and efficient audits with little start-up cost
         · All processes and computing are on one system, therefore hours are expected to be lower
  23. Audit Organization Impact
     Internal Audit must address the new environment in several respects:
     • Training
     • Staffing
     • Implementation approach
     • Audit methodology
     • Roles for the auditor
  24. Staffing
     • The complexity of the system environment requires a staffing model with higher ratios of:
       – Information systems auditors
       – Integrated auditors
     • Traditional financial and operational auditors must transform into integrated auditors
     • Audits of complex and technical areas may need to be supplemented by experienced resources
  25. Training
     • Detailed knowledge of ERP systems is necessary in order to effectively understand security and control issues over:
       – application areas
       – the technical environment
     • Significant training is necessary to adequately understand the new environment
     • Must learn a security and controls implementation methodology
     • May need to learn new tools (e.g., ABAP/4 for SAP) in order to effectively audit ERP
     • Consider vendor training and joining user groups
  26. Implementation Approach
     • Audit should take an active role during the implementation
     • Reengineered business processes require a change in the method of control
     • New security, audit and control tools should be developed to facilitate the effective implementation and operation of the control environment
     • On-going involvement with R/3 implementations is required
  27. Audit Methodology
     • Traditional audit methodologies and approaches must be modified to audit R/3 effectively and cost-effectively
     • Integrated audits are necessary for the new environment
     • New audit tools should be developed to facilitate efficient and effective audits
  28. Roles for the Auditor
     Integrated Approach:
     • Focus on the design and implementation of controls for new systems
     • Give consideration to:
       – Project risk
       – Business process risk assessment
     • Perform tests to ensure implementation of controls
     Pre-implementation Review:
     • Focus on the controls design for new systems
     • Give consideration to:
       – Review of business case
       – Project risk
       – Business process risk assessment
     • Review of performance measurement criteria
  29. Roles for the Auditor (cont'd.)
     Post-implementation Review:
     • Focus on the implementation of controls for new systems
     • Give consideration to:
       – Risk assessment of business process impact
       – Achievement of project objectives and business case
       – Review of implemented performance measurements
     Quality Assurance Audit:
     • Participation throughout the project
     • Focus on the overall quality of the business process reengineering program
     • Give consideration to the ability to impact the project
     • Consider specific deliverables at each key project milestone
  30. Reengineering the Audit Approach
  31. Audit Scope
     • Evaluate the complexity of the technology environment
     • Identify which ERP modules have been implemented
     • Evaluate the existence of distributed applications
     • Determine whether legacy systems are used
     • Obtain an understanding of the organizational model
     • Obtain a high-level understanding of the controls in place over:
       – General computer controls
       – Business process controls
  32. Testing Considerations
     • Difficult to perform financial audits without relying on internal controls:
       – Clients using ERP are usually large multinational corporations with complex structure and reporting
       – More internal control testing, less substantive testing
     • Documentation of testing
     • Design of effective tests of controls
       – Audit steps are different
       – Audit issues are different
  33. Operational Audit Considerations
     • Increased difficulty and importance in defining the scope of the audit
     • A detailed understanding of client processes is required
     • An increased level of Operational Audit technical knowledge and computer-related controls knowledge is required
     • The roles and responsibilities of Operational Audit and Computer Audit become more integrated
  34. Computer Audit Considerations
     • An increase in the level of technical Enterprise Resource Planning (ERP) system knowledge
     • A detailed understanding of ERP-specific general computer controls, especially:
       – Security authorization structure
       – Correction and Transport System
     • An increased understanding of business processes and the related ERP controls
     • An increase in the integration of Computer Audit and Financial Audit
  35. Audit Process
     [Diagram: two assurance tracks (General Computer Controls Assurance; Operation and Process Assurance) shown across three phases (Planning and Scoping; Functional/Process Reviews; Final Delivery), with the performing groups labelled Operations Audit, Computer Audit, and Operations and Computer Audit.]
  36. Roles and Responsibilities
     • Identify all the team members that will serve the client: Operations Audit, Computer Audit and other specialists
     • There is no hard and fast rule for splitting roles and responsibilities between audit groups
     • The actual differentiation of roles and responsibilities is determined on a client-by-client basis
     • The audit team needs to evaluate how the roles and responsibilities should be defined
     • The important issue is that the client should have a seamless and efficient audit from a well-integrated and knowledgeable team
  37. Questions & Comments
