
Seradex White Paper



A Discussion of Issues in the Manufacturing Order Stream
Internal Controls, Fraud Detection and ERP

Recently the SEC adopted Section 404 of the Sarbanes-Oxley Act. This law requires each annual report of a company to contain:

1. A statement of management's responsibility for establishing and maintaining adequate internal controls, and
2. Management's assessment of the effectiveness of the company's internal control structure and procedures for financial reporting.
3. The company's auditor to attest to, and report on, management's assessment of the effectiveness of the company's internal controls and procedures.

Sarbanes-Oxley requires that internal controls be extensively documented, and this is a significant exercise. This brief review will look at some issues that should be considered in setting up internal controls in an ERP environment.

Internal Controls: reviewing the practices, transactions, procedures and processes used to control financial transactions and to protect a company's property and assets.

This paper will examine how an internal auditor working specifically with the Seradex ERP system can implement internal controls and detect fraudulent transactions. The general approach should be applicable to most ERP systems.

What is SERADEX ERP?

Seradex is an ERP application processing data from a database. It offers flexible configuration and security options. Seradex links data in real time across the traditional business functions such as sales, production, inventory, procurement and finance.

An important point to realize is that Seradex ERP is an application program, like Microsoft Excel or Word. It typically sits between the end user and a database management system (such as SQL Server) and controls the adding, changing and deleting of data in that database.

Seradex ERP is a very flexible system that is configured to meet the organization's needs and requirements. This adds to the complexity of auditing the system, because you need to know not only how Seradex ERP works but also how your company is using Seradex.

One important characteristic of the Seradex ERP system is that user access depends on the Windows network security settings for each user and group. By setting up groups with highly detailed access parameters, users can easily be set up and added to the appropriate group, reducing security administration effort.
Seradex ERP and Internal Controls

Seradex ERP dictates that operational data and financial data are totally integrated. More people are able to enter transactions without review or checking by a supervisor. Many organizations give users very wide access to data without necessarily analyzing specific work requirements.

Note: Without careful consideration this wide access can weaken internal controls by violating the segregation of duties concept.

ERP systems change the role of middle management for transaction review and authorization. Questioning and follow-up formerly done by middle managers is commonly reduced when an ERP system is implemented.

There are several implications and considerations for the internal controls possible in Seradex ERP. These can be segregated into the following categories:

• Network Security and User Identities
• User and Group Setup
• Security authorization issues
• Use of Active Directory
• Administrative user management
• Password control
• Customer / Supplier Access User Controls
• Server, Network and Firewall controls
• Patch policy on Servers and Workstations
• System Controls
• Reconciliation of control accounts to subsidiary ledgers – Accounts Payable, Accounts Receivable, Inventory, Invoicing, Vendor Invoicing
• Reconciliations of data to external information – bank reconciliation, accounts payable statement reconciliations
• Cost centre and responsibility accounting
• Management review and budgetary control
• Review and authorization of non-routine transactions
• Validation checks
• Validation of data input in particular transactions
• Properly designed and validated reports with authority checks
• Matching of documents prior to “closing out”, e.g. purchase order – receiving documentation – invoice
• Master file control
• Independent review of master file changes
• Independent master file creation, separate from transactional responsibilities
• Identifying redundant master

Auditing for Fraud

Auditors have a responsibility to minimize opportunities for fraud by ensuring that adequate internal controls are in place. If internal controls are weak in a particular area, the next step would be to consider red flags. A red flag is an indicator that some kind of irregularity is occurring and that something may be wrong. It does not prove that fraud has occurred, but if a red flag is identified, more detailed transaction examination is required.
Identifying Red Flags

Some examples of red flags could include:

• Actual expenses far exceeding budgeted or prior years' expenses
• Expenses out of historic norms
• Significant manual entries made to asset and expense accounts
• Addresses, telephone numbers and other data that link employees to vendor master records
• Ratios that do not make sense, e.g. the ratio of overtime expenses to sales
• Unexplained price increases in material costs (kickback scheme)
• Excessive inventory quantity and cost adjustments

Manual database queries can be developed to examine the inventory audit trail, adjustment details, and phone number and address comparisons between employees and vendors, in order to identify further transactions for examination. All transactions in Seradex record the network user who created or changed the transaction as well as time and date stamps.

Accounts Payable in SERADEX ERP

Purchasing and accounts payable represent a major area for fraud because they result in the physical disbursement of cash to suppliers.

Seradex ERP offers excellent built-in tools to avoid fraudulent activity in the accounts payable function:

Seradex offers three-way matching between Purchase Order, Receiving and Vendor Invoicing. This is followed by check preparation. Ideally each of these transactions should be done by separate individuals to ensure segregation of duties. An invoice voucher can be printed and reviewed for each check over a threshold amount to provide additional review.

An invoice voucher can be printed for any purchase from a one-time vendor or any PO for a “Special” item. Establish procedures on when a vendor master is required.

Requiring a PO offers more control than entering a miscellaneous payable directly into A/P, as more people have to be involved in the transaction. These transactions need more thorough controls and testing.

Vendor Master File changes should be a separate function from Purchasing to ensure segregation of duties.

Duplicate invoice control: the system will review invoices posted to a particular vendor code and highlight whether the current invoice is the same as a previous one.

Fraud Tests in the Accounts Payable Cycle

Some things to test for in this cycle include developing queries for identifying high-risk vendors and payments:

• Transactions where the same user created the PO, created the Receipt and approved the Vendor Invoice
• POs where the person changing the PO is different from the person issuing the PO
• Any PO for a non-inventory item or service item that is >$XXX
• Service expenditures that don't involve an asset that has to be produced later. This includes expenditures for consulting, advertising or marketing
• Any PO to a one-time vendor that is >$XXX
• Transactions where the Vendor was created by the user issuing the PO
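The accounts payable fraud tests listed above, together with the duplicate invoice control described earlier, are the kind of queries an auditor would run against the transaction tables. The following is an added example, not code from Seradex or from this paper: it builds an in-memory SQLite database with a constructed, simplified schema (vendor master, purchase order, receipt, vendor invoice; the table and column names are assumptions, not Seradex's real schema) and runs one query per test. The paper's "$XXX" threshold is elided, so an assumed review threshold of 5000 is used as a placeholder.

```python
import sqlite3

# Constructed schema imitating the four documents the paper discusses.
# Table and column names are assumptions, not Seradex's actual schema.
SCHEMA = """
CREATE TABLE vendors (vendor_id TEXT PRIMARY KEY, name TEXT,
                      one_time INTEGER, created_by TEXT);
CREATE TABLE purchase_orders (po_id TEXT PRIMARY KEY, vendor_id TEXT,
                      item_type TEXT, amount REAL, issued_by TEXT, changed_by TEXT);
CREATE TABLE receipts (receipt_id TEXT PRIMARY KEY, po_id TEXT, received_by TEXT);
CREATE TABLE vendor_invoices (invoice_id TEXT PRIMARY KEY, po_id TEXT, vendor_id TEXT,
                      vendor_invoice_no TEXT, amount REAL, approved_by TEXT);
"""

# Constructed sample rows; every user, vendor and document id is invented.
SAMPLE_ROWS = {
    "vendors": [
        ("V100", "Acme Steel", 0, "kwong"),
        ("V200", "One-Off Consulting", 1, "bjones"),
        ("V300", "Quick Print", 1, "bjones"),
    ],
    "purchase_orders": [
        ("PO1", "V100", "inventory", 12000.0, "bjones", "bjones"),
        ("PO2", "V200", "service", 9500.0, "bjones", "bjones"),
        ("PO3", "V100", "inventory", 3000.0, "jsmith", "bjones"),
        ("PO4", "V300", "service", 400.0, "jsmith", "jsmith"),
    ],
    "receipts": [
        ("R1", "PO1", "mlee"),
        ("R2", "PO2", "bjones"),
        ("R3", "PO3", "mlee"),
    ],
    "vendor_invoices": [
        ("I1", "PO1", "V100", "A-1001", 12000.0, "kwong"),
        ("I2", "PO2", "V200", "C-77", 9500.0, "bjones"),
        ("I3", "PO1", "V100", "A-1001", 12000.0, "kwong"),
    ],
}

REVIEW_THRESHOLD = 5000.0  # assumed stand-in for the paper's ">$XXX"


def load_sample_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def _ids(conn, sql, params=()):
    """Run a query and return the first column of each row as a list."""
    return [row[0] for row in conn.execute(sql, params)]


def same_user_po_receipt_invoice(conn):
    """POs where one user issued the PO, received the goods and approved the invoice."""
    return _ids(conn, """
        SELECT po.po_id FROM purchase_orders po
        JOIN receipts r ON r.po_id = po.po_id
        JOIN vendor_invoices vi ON vi.po_id = po.po_id
        WHERE po.issued_by = r.received_by AND po.issued_by = vi.approved_by
        ORDER BY po.po_id""")


def po_changed_by_other_user(conn):
    """POs whose last change was made by someone other than the issuer."""
    return _ids(conn, "SELECT po_id FROM purchase_orders "
                      "WHERE changed_by <> issued_by ORDER BY po_id")


def large_non_inventory_pos(conn, threshold=REVIEW_THRESHOLD):
    """Non-inventory or service POs above the review threshold."""
    return _ids(conn, "SELECT po_id FROM purchase_orders WHERE item_type <> 'inventory' "
                      "AND amount > ? ORDER BY po_id", (threshold,))


def large_one_time_vendor_pos(conn, threshold=REVIEW_THRESHOLD):
    """POs to one-time vendors above the review threshold."""
    return _ids(conn, """
        SELECT po.po_id FROM purchase_orders po
        JOIN vendors v ON v.vendor_id = po.vendor_id
        WHERE v.one_time = 1 AND po.amount > ? ORDER BY po.po_id""", (threshold,))


def vendor_created_by_po_issuer(conn):
    """POs where the issuing user also created the vendor master record."""
    return _ids(conn, """
        SELECT po.po_id FROM purchase_orders po
        JOIN vendors v ON v.vendor_id = po.vendor_id
        WHERE v.created_by = po.issued_by ORDER BY po.po_id""")


def duplicate_vendor_invoices(conn):
    """(vendor_id, invoice number, count) for invoice numbers posted twice to one vendor."""
    return list(conn.execute("""
        SELECT vendor_id, vendor_invoice_no, COUNT(*) FROM vendor_invoices
        GROUP BY vendor_id, vendor_invoice_no HAVING COUNT(*) > 1
        ORDER BY vendor_id, vendor_invoice_no"""))


if __name__ == "__main__":
    db = load_sample_db()
    for test in (same_user_po_receipt_invoice, po_changed_by_other_user,
                 large_non_inventory_pos, large_one_time_vendor_pos,
                 vendor_created_by_po_issuer, duplicate_vendor_invoices):
        print(f"{test.__name__}: {test(db)}")
```

Each function returns the flagged document ids rather than a verdict: a hit is a red flag in the paper's sense, a prompt for voucher review, not proof of fraud. On the sample data PO2 trips four of the tests at once (same user issued, received and approved; service item over the threshold; one-time vendor over the threshold; vendor created by the issuer), which is the pattern of a single user controlling a purchase end to end that the segregation of duties controls are meant to prevent.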
Seradex ERP has challenged the role of internal auditors and requires auditors to learn new skill sets, some of which are fairly technical and involve directly accessing data in the system.

Security Authorizations

At the heart of internal control is security access to the ERP system. Defined policies on who sets users up and what groups they belong to are critical. Make sure network logs are switched on for full tracking. This allows you to check who logged on at what workstation. Queries can be developed to list all users that logged on to each workstation and at what time. Information on which workstations logged onto Seradex is easily available. These can be correlated to the time of individual transactions in Seradex ERP. These logs will also identify which data files were copied to the local workstations. Most users are not aware that these capabilities exist.

Severely limit the users who are granted administrative rights and ensure users only have access to the information they require. Often a shortcut is taken and the easiest answer is to give all personnel very wide access, because if authorizations are set too narrowly, users will require significant Help Desk resources.

Password Control

The system can enforce minimum password lengths and enforce password expiry on a regular basis.

Patch Management Policy

Document the frequency of patch updates for servers and workstations.

Data Access

In these days of DVD burners and USB keys that can hold 1 gigabyte of data, stringent control over corporate data needs to be established. Unauthorized users could easily take customer lists, sales history, product information and pricing home in their shirt pockets.

Remote Users

Remote users accessing the system through VPN connections need to be securely authenticated.

Seradex Inc. 4460 Harvester Rd. Burlington, ON L7L 4X2 Tel: 905-332-5051 mcorker@seradex.com www.seradex.com
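The Security Authorizations section above describes correlating network logon records (who logged on at which workstation and when) with the user and time stamp Seradex records on each transaction. The following added example, which is not code from Seradex or from this paper, shows that correlation on constructed data: the logon export format and the transaction stamp layout are assumptions, and every user, workstation and document id is invented. A transaction recorded under a user who had no logon session covering its time stamp is returned for review.

```python
from datetime import datetime

# Constructed network logon records: (user, workstation, logon time, logoff time).
# The layout is an assumption standing in for whatever the network logs export.
LOGON_LOG = [
    ("bjones", "WS-07", "2024-03-04 08:02", "2024-03-04 17:10"),
    ("jsmith", "WS-12", "2024-03-04 08:30", "2024-03-04 12:00"),
    ("jsmith", "WS-12", "2024-03-04 13:00", "2024-03-04 16:45"),
]

# Constructed transaction audit stamps in the shape the paper describes
# (network user plus date and time): (transaction id, user, timestamp).
TRANSACTIONS = [
    ("PO-5001", "bjones", "2024-03-04 09:15"),   # inside bjones's session on WS-07
    ("PO-5002", "jsmith", "2024-03-04 12:30"),   # jsmith's lunch gap: no session
    ("INV-88", "mlee", "2024-03-04 10:00"),      # no logon record for mlee at all
    ("PO-5003", "jsmith", "2024-03-04 22:40"),   # after hours, outside any session
]

FMT = "%Y-%m-%d %H:%M"


def sessions_by_user(logon_log):
    """Group logon records into per-user lists of (workstation, start, end)."""
    sessions = {}
    for user, workstation, start, end in logon_log:
        sessions.setdefault(user, []).append(
            (workstation, datetime.strptime(start, FMT), datetime.strptime(end, FMT)))
    return sessions


def workstation_for(user, when, sessions):
    """Return the workstation whose logon session covers `when`, or None."""
    for workstation, start, end in sessions.get(user, []):
        if start <= when <= end:
            return workstation
    return None


def correlate(transactions, logon_log):
    """Attach a workstation to each transaction; None means no covering session."""
    sessions = sessions_by_user(logon_log)
    return [(txn_id, user, workstation_for(user, datetime.strptime(ts, FMT), sessions))
            for txn_id, user, ts in transactions]


def unattributed_transactions(transactions, logon_log):
    """Ids of transactions recorded under a user with no logon session at that time."""
    return [txn_id for txn_id, _, ws in correlate(transactions, logon_log) if ws is None]


if __name__ == "__main__":
    for row in correlate(TRANSACTIONS, LOGON_LOG):
        print(row)
    print("review:", unattributed_transactions(TRANSACTIONS, LOGON_LOG))
```

A transaction with no covering session is not proof of anything by itself; clock skew between the ERP server and the workstations, a VPN session that the workstation log does not capture, or simply logging being switched off will all produce the same result. As with the red flags earlier in the paper, the output is a list of transactions that warrant a closer look, and it is only as good as the network logging the section says must be switched on.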
