How do you Audit an ERP System?

There are few rules that can be applied to all ERP auditing situations. As each system serves the client in a different capacity and has been altered to fit the client’s business model, ERP auditors must be flexible and creative in designing an audit plan. On the same note, there are no hard rules on splitting roles and responsibilities between audit groups. Role differentiations are determined on a client-to-client basis, as a function of auditor experience, expertise and training. A common distinction is made between financial auditors and information systems auditors. However, with ERP, financial reporting, and especially internal accounting controls, must be audited working through the computer; therefore, it is important that auditors have knowledge of both accounting and technology, learning new skill sets in the process (Moulton). Specialists are also commonly hired to determine if complex technology is working correctly. The concept of an “integrated auditor,” who has enough accounting and IT knowledge to work both sides of the audit, has emerged as a workable solution to the complexities of ERP auditing (Hahn).

ERP systems are technically complex, with the system residing on multiple computers and the flexibility to support multiple configurations and customizations (Hahn). To begin understanding a client’s ERP system, auditors must evaluate how the technology relates to the business environment. To determine the scope of the audit, they must take into consideration:

  • how the technology is used in the organization
  • the number of people using the technology
  • which ERP modules have been implemented
  • the existence of distributed applications
  • whether legacy systems are used and to what capacity (Hahn)

Auditors must go through a significant amount of training to acquire the knowledge necessary to adequately understand the functioning of an ERP system and how it takes in data and produces financial reports. Auditors must also consider learning new tools to take advantage of functions in ERP systems. SAP’s language, ABAP/4, would be useful for an auditor to know so that he can examine the programming code when there is a question about the functioning of the system (Hahn). As another example, Oracle’s database comes with its own set of basic auditing actions designed to detect unauthorized access and internal abuse of the data being stored (Finnigan).

ERPs have specifically influenced the auditing profession in four main ways: the interaction and flow of information, issues with data and the processing of data, controls and security of the data and the systems, and training of employees who use the ERP systems.

Interaction and the Flow of Information – With an ERP system, operational and financial data are tied together through a complex information flow. Transactions can be automatically entered without review or pre-checking. Therefore, ERPs make it difficult to perform financial audits without relying on system controls. Such controls should be designed, in part, to prevent inaccurate or false information from entering the system. As many transactions are automated functions of modules creating information entries for other modules, it is impossible to audit “around the computer” (i.e. comparing input to output). Rather, auditing must be done “through the computer” (i.e. testing the system process that the input went through to create the output), using such methods as test decks and parallel simulation. In order to conduct a proper audit through the computer, the auditor must have a certain level of understanding about technology and how the system functions.

The ideal of a “paperless office” is facilitated through an ERP system, because the system is centralized and communicates data from a common internal source, the database. Instead of hardcopy evidence, ERPs create event history logs for a visible trail of evidence to trace information to the original input source (Adint). These audit trails allow an auditor both to detect when an undesirable event has occurred and to reconstruct what happened during the event. At a minimum, the trails should contain the user ID, the date and time of the event, and the action taken. Other information could include previous and current field values (Adint). Auditors of ERP systems need to be cognizant of how to use these audit trails and of the appropriateness of their design, because it impacts the ability to rely on system controls or the output created.
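
As an added illustration of the minimum trail content and event reconstruction described above (not code from the article or from any ERP vendor), the script below checks constructed event-history records for the minimum fields, orders them by time, and flags breaks in the chain of previous/current values, which signal changes the trail did not capture. The record layout and field names are assumptions made for the example.

```python
"""Audit-trail completeness check (added illustration, not from the article).

Each event record is assumed to carry the minimum fields the article names
(user ID, date/time, action) plus the optional previous/current field values.
The sample log below is constructed for the example.
"""
from datetime import datetime

REQUIRED = ("user_id", "timestamp", "action")

# Constructed sample: event history for one vendor master record.
SAMPLE_EVENTS = [
    {"user_id": "jdoe", "timestamp": "2024-03-01T09:00:00", "action": "CREATE",
     "field": "bank_account", "old": None, "new": "DE00 1111"},
    {"user_id": "asmith", "timestamp": "2024-03-02T10:15:00", "action": "UPDATE",
     "field": "bank_account", "old": "DE00 1111", "new": "DE00 2222"},
    # Gap: 'old' does not match the preceding 'new', so a change occurred
    # that the trail did not record.
    {"user_id": "asmith", "timestamp": "2024-03-03T11:30:00", "action": "UPDATE",
     "field": "bank_account", "old": "DE00 9999", "new": "DE00 3333"},
    # Missing user ID: accountability for this event is lost.
    {"user_id": "", "timestamp": "2024-03-04T08:00:00", "action": "UPDATE",
     "field": "bank_account", "old": "DE00 3333", "new": "DE00 4444"},
]


def check_minimum_fields(event):
    """Return the names of required fields that are missing or empty."""
    return [f for f in REQUIRED if not event.get(f)]


def trace_field(events, field):
    """Order the events for one field by time and verify the value chain.

    Returns (history, findings): history is a list of
    (timestamp, user, old, new) tuples back to the original input;
    findings lists missing fields and trail gaps (old != preceding new).
    """
    ordered = sorted((e for e in events if e.get("field") == field),
                     key=lambda e: datetime.fromisoformat(e["timestamp"]))
    history, findings = [], []
    previous_new = None
    for e in ordered:
        missing = check_minimum_fields(e)
        if missing:
            findings.append(f"{e['timestamp']}: missing {', '.join(missing)}")
        if e["action"] != "CREATE" and e["old"] != previous_new:
            findings.append(f"{e['timestamp']}: trail gap, expected old value "
                            f"{previous_new!r} but trail shows {e['old']!r}")
        history.append((e["timestamp"], e["user_id"], e["old"], e["new"]))
        previous_new = e["new"]
    return history, findings


if __name__ == "__main__":
    hist, issues = trace_field(SAMPLE_EVENTS, "bank_account")
    for entry in hist:
        print(entry)
    for issue in issues:
        print("FINDING:", issue)
```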

Because ERPs are customizable and often changed by an organization’s internal programmers, auditors must pay attention to how these changes take place. The production code forms the basis of running the ERP system. To protect this valuable asset, changes in the production code should be:

  • authorized by the business owner (if functional) or IT manager (if technical)
  • tested thoroughly
  • approved by the business owner or IT manager
  • performed by an authorized person
  • documented

To verify that the authorization and approval controls are valid, any change to the code should be traceable to a request. Access to the production code should be limited and traceable to the authorized individual who made the changes. To check these, auditors must look for hard-copy documentation, such as change request forms, as well as documentation embedded in the code itself (Adint).

Controls and Security – It is important for any entity to segregate the duties of authorization of transactions, recording of transactions, and custody of transactions. Auditors should examine the business process flows to identify where authorization, recording, and custody of a business transaction take place, and compare it to how the user responsibilities have been designed. Often user responsibilities are given wide-open access for the initial installation, but rarely are access restrictions introduced once the system has proven functional. Also, the auditors should check to see if the segregation of duties is accomplished with a combination of system and off-line controls. Segregation of duties should be designed into user responsibilities and functions, and documented in the business requirements stage. The auditor should determine which users were given access to what functions by examining documentation from the implementation stage (Cooke).

The same segregation rule needs to be applied to IT functions to ensure system integrity. For example, IT personnel should not have user responsibilities. This serves the purpose of segregating development and production activities. IT personnel are responsible for maintaining the production software, including the associated controls, while production data is owned by the business users and serves as a record of business activities (Adint). If these duties were not segregated, a transaction could be processed with its controls circumvented, compromising data integrity.
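
The following is an added example (not from the article) of the comparison described in the last two paragraphs: a constructed mapping of ERP responsibilities to the authorize, record and custody functions of a purchase transaction, plus a develop function for IT staff, is checked against constructed user assignments to find users holding conflicting functions. The responsibility names, transaction classes and users are hypothetical.

```python
"""Segregation-of-duties check (added illustration, not from the article).

The conflict rules and user assignments below are constructed for the
example; a real review takes them from the process-flow mapping and the
implementation documentation the article describes.
"""
from itertools import combinations

# Which control function each ERP responsibility performs, per transaction class.
# Format: responsibility -> set of (transaction, function). All names hypothetical.
RESPONSIBILITIES = {
    "PO_CREATE":      {("purchase", "authorize")},
    "AP_INVOICE":     {("purchase", "record")},
    "AP_PAYMENT_RUN": {("purchase", "custody")},
    "VENDOR_MAINT":   {("vendor", "record")},
    "ABAP_DEVELOPER": {("*", "develop")},   # IT function: changes production code
}

# A user must not hold two of these functions for the same transaction class.
CONFLICTING_FUNCTIONS = {"authorize", "record", "custody"}

# Constructed user assignments: the "how responsibilities were designed" side.
USERS = {
    "alice": {"PO_CREATE"},
    "bob":   {"AP_INVOICE", "AP_PAYMENT_RUN"},    # records and pays: conflict
    "carol": {"ABAP_DEVELOPER", "VENDOR_MAINT"},  # IT person with a user responsibility
    "dave":  {"AP_INVOICE"},
}


def functions_held(responsibilities):
    """Flatten a user's responsibilities into the set of (transaction, function)."""
    held = set()
    for r in responsibilities:
        held |= RESPONSIBILITIES[r]
    return held


def sod_conflicts(user, responsibilities):
    """Return human-readable conflict findings for one user (empty = clean)."""
    held = functions_held(responsibilities)
    findings = []
    # Business conflict: two of authorize/record/custody on the same transaction.
    by_txn = {}
    for txn, fn in held:
        if fn in CONFLICTING_FUNCTIONS:
            by_txn.setdefault(txn, set()).add(fn)
    for txn, fns in by_txn.items():
        for a, b in combinations(sorted(fns), 2):
            findings.append(f"{user}: {a} and {b} of {txn} transactions")
    # IT/business conflict: a developer must not also hold user responsibilities.
    if ("*", "develop") in held and any(fn != "develop" for _, fn in held):
        findings.append(f"{user}: develops production code and holds user responsibilities")
    return findings


def review_all(users=USERS):
    """Run the check over every user and keep only those with findings."""
    results = {}
    for user, resp in users.items():
        findings = sod_conflicts(user, resp)
        if findings:
            results[user] = findings
    return results


if __name__ == "__main__":
    for user, findings in review_all().items():
        print(user, "->", "; ".join(findings))
```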

Auditors must now be aware of the logical security of data used by the ERP system. Logical security includes user IDs and passwords. Auditors must make sure that user IDs are unique, because unique IDs ensure accountability and the ability to trace actions to individuals. The ability to sign on with a generic ID needs to be tightly controlled. This requires changing all the default passwords for the generic IDs that the ERP comes with and allowing few employees to know what the new password is. As an example, Oracle databases come programmed with generic ID passwords such as CHANGE_ON_INSTALL, MANAGER, and ORACLE (Adint). The problem with retaining the default passwords in prepackaged systems is that these passwords are publicly known, and anyone who has network access can use them to gain access to the system.

Auditors also must look at corporate policy regarding application and database passwords. Passwords form the basis of logical security, and strong passwords protect the data from unauthorized access. Clear policies stress the importance of employees creating strong, complex passwords. Password policies should encompass minimum length, complexity requirements, expiration periods and lockout times. An example policy would include:

  • Minimum of 8 characters
  • Cannot be one of the user’s previous four passwords
  • Contains at least one letter or number
  • Contains at least one special character
  • Not based on words found in the dictionary or on proper names
  • Expires in 14 days (Adint)
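
An added example (not from the article) that applies the policy listed above to a candidate password and checks the expiry rule against the age of the current password. The word list, password history and dates are constructed, and each rule is implemented as the list states it.

```python
"""Password-policy check for the example policy (added illustration, not from
the article). Word list, history and dates are constructed for the example.
"""
from datetime import date, timedelta
import re

MIN_LENGTH = 8
HISTORY_DEPTH = 4
EXPIRY_DAYS = 14
# Constructed stand-in for a dictionary/proper-name list; a real check would
# load a full word list plus the organisation's own names.
WORDLIST = {"password", "welcome", "summer", "oracle", "manager", "atlanta"}


def normalise(pw):
    """Lower-case and drop digits/specials so 'Summer2024!' still matches 'summer'."""
    return re.sub(r"[^a-z]", "", pw.lower())


def check_password(candidate, history):
    """Return the list of policy rules the candidate violates (empty = compliant).

    history: the user's previous passwords, newest first. Plaintext here only
    for illustration; a real system compares salted hashes instead.
    """
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if candidate in history[:HISTORY_DEPTH]:
        violations.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    # The policy reads "at least one letter or number"; implemented as written.
    if not re.search(r"[A-Za-z0-9]", candidate):
        violations.append("contains no letter or number")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        violations.append("contains no special character")
    if normalise(candidate) in WORDLIST:
        violations.append("based on a dictionary word or proper name")
    return violations


def password_expired(last_changed, today=None):
    """True when the current password is older than the policy allows.

    Dates are ISO strings (e.g. '2024-01-01'); today defaults to the real date.
    """
    changed = date.fromisoformat(last_changed)
    now = date.fromisoformat(today) if today else date.today()
    return now - changed > timedelta(days=EXPIRY_DAYS)


if __name__ == "__main__":
    print(check_password("Summer2024!", ["Old#pass1"]))   # dictionary-based
    print(check_password("xK9#qwLp2", []))                 # compliant
    print(password_expired("2024-01-01", today="2024-01-20"))
```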

A process must exist for business owners to review the user access lists, as well as for deciding who monitors day-to-day administration of controls and how often controls are reviewed (Cooke). Business owners are in the best position to determine if access to the system or an application is needed to perform an employee’s task (Adint). Restricting employee access to certain fields and windows of the ERP system prevents inappropriate changes in the data. For example, an accounts payable clerk should not be given access to the purchase order module, since access to this module is not required to perform his job. The company should also have a review process in place to identify when people have changed positions or left the company and no longer need access to the system. In order to remove the task from IT, business owners should be enabled to pull their own access reports (Adint).

Data Processing and Data Issues – ERP systems are designed to automatically update data throughout the system once a transaction has been entered, so the implementation of an ERP system shifts the focus of an audit from substantive testing to a largely controls-based audit. Since a logical system is performing the updating and reporting, routine transactions can be checked by the presence of proper controls. If strong controls are in place, auditors can do little substantive testing when performing an audit, focusing instead on manual and non-routine transactions, and still get reasonable assurance that the financial statements are free of material misstatements.

Since ERPs use on-line, real-time processing, information is updated simultaneously. Every transaction of every function is stored in one common database, and the various modules in an ERP system automatically create entries in the database for each other, thus creating simultaneous updates to the system that are transparent to all users (Hahn). Traditional “batch” controls and audit trails are no longer available to the auditor. Data entry accuracy is maintained through the use of default values, cross-field checking and transaction balancing rather than batch processing (Hahn).

Because the information is updated, maintained and stored electronically, auditors need to understand how the modules interact with each other and with the database. Additionally, the flow of information must be understood. Because of the high degree of automation present in ERP systems, understanding the logical flow of information that is produced will help ensure that the information is correct.

With the use of a single database, data entry is more important, because an erroneous piece of information will permeate the entire company’s records (Brady 120). ERP systems shift the burden of correctness to the front-line workers, while higher-end processes of data transfer and report creation are done automatically. Auditors must spend more time with lower-level employees to determine if those entering the data understand what they are doing, and especially what to do if a problem arises or a mistake is made. In non-integrated information systems, an error in data input is less harmful than in an ERP, because the error will not be spread to the records of other departments and can be caught when auditors compare records. However, with ERP systems there is no way to discover a mistake by checking it against another system, since everything relies on a common database.

Employee Training – ERP systems require extensive training to use. Auditors of ERP systems need to assess the business environment and how it communicates to users of the ERP the proper uses and processes of the system (Arlinghaus). Training manuals and documents should be reviewed, as well as training course outlines. The training should be designed for the end user’s job, and stress to employees how the data they control affects the entire business operation. If proficiency tests are in place, the auditor should examine the difficulty of the questions (Brady 120-121). Continual training, especially in the use of new modules and functions, should also be examined.

Auditors should also examine how the client’s management deals with the changes that ERP systems bring to the business. A company’s managers and employees will often resist ERP systems, because they require changing the way they have performed their jobs in the past. Typical ERP training costs between $10,000 and $20,000 per employee (Brady 32). Because of the high price and the lack of immediate results, many companies do not properly train employees on how to use the ERP system.

Computer Jargon

BROADBAND: Broad bandwidth networking. High-speed Internet connections, like DSL (Digital Subscriber Line), Cable Internet, and 3G (Third Generation) cellular services.

DSL: Digital Subscriber Line. One of the most common ways to bring Internet to homes and small businesses over a telephone line at up to 12 Megabits/second.

CABLE OR CABLE INTERNET: The other most common way to bring Internet to homes over cable TV lines at speeds ranging from 1.5 to 50 Megabits/second.

FiOS: Fiber-Optic Service. An emerging technology that provides Internet to homes and offices over fiber-optic cables at speeds from 15 to 50 Megabits/second.

WI-FI: Wireless Fidelity. The most common kind of short-range wireless networking (about 300 feet) at speeds of up to 108 Megabits/second.

EDGE or EVDO: An older kind of wide-area wireless networking (covering, for example, a whole city) based on first and second generation cellphone technology with speeds ranging from 300 to 400 kilobits/second.

3G: Third Generation cellular service. Enhanced wide-area wireless networking at speeds of up to 14 Megabits/second.

4G: Fourth Generation cellular service or WIMAX. An emerging wide-area networking technology that promises a range of 10 miles and speeds of up to 100 Megabits/second.

ETHERNET: A way of connecting computers to networks using a cable at speeds ranging from 10 to 10,000 Megabits/second.

FIREWALL: Software or hardware that prevents outsiders from accessing a computer or network.

ROUTER: A device that finds the best route for sending information between networks.

IP ADDRESS: Internet Protocol Address. Every computer on the Internet is identified by a unique set of numbers known as an Internet Protocol address, usually four numbers separated by dots, for example: 74.125.53.100. These numerical addresses are normally invisible to users and are translated into familiar Web addresses, like http://www.google.com.

VIRUS: A self-replicating program designed to cause damage or mischief that inserts itself into a software program on your computer. Viruses spread from computer to computer, most often through infected emails or websites.

WORM: Similar to a virus, but worms are self-contained, spread via networks, and do not need to become part of another program in order to spread. Worms infect your operating system and act like a program.

TROJAN HORSE: A malicious program that may appear harmless, or even useful, but can also conceal and download other malware that compromises the security and functioning of your computer.

RANSOMWARE: A cyber-extortion scheme in which thieves use malware, like phony security programs, to take control of your computer and demand that you pay a ransom to regain control.

SPYWARE and ADWARE: Spyware is a malicious program that installs itself on your computer surreptitiously and monitors and reports your activities and personal information to third parties. Adware is a kind of spyware that generates annoying popup ads.

KEYLOGGERS: Spyware that monitors your keystrokes surreptitiously and sends the information to a “Bad Guy.”

HACKERS AND CRACKERS: Individuals who break into systems with malicious intent, destroy data, steal copyrighted software or confidential information, and perform other destructive or illegal acts with computers and networks.

VULNERABILITIES AND EXPLOITS: Your computer is vulnerable when a hardware or software flaw makes it possible to compromise its security and smooth operation. An exploit is a software application or program that takes advantage of a vulnerability to attack your system.

SNIFFING: Listening in on a network in order to capture and steal sensitive information.

SPOOFING: An attack in which a person or program you shouldn’t trust masquerades as a person or program you do trust. For example, an attacker forges an email address in order to make you believe it’s from someone you know and trust.

PHISHING: A widespread form of Internet fraud that aims to steal valuable information such as credit card and social security numbers and usernames and passwords, by sending you misleading emails designed to lure you into visiting phony or rigged websites.

IDENTITY THEFT: Cybercriminals steal identities by overhearing conversations on cellphones, intercepting faxes and emails, hacking into computers, employing telephone and email scams, and phishing the users of online services.

SOCIAL ENGINEERING: Deceptions by criminals posing as someone you trust in order to get you to divulge sensitive information.

New Method to Block Rootkit

How to block stealthy malware attacks

Researchers from North Carolina State University have devised a novel way to block rootkits, one of the most insidious types of malware, preventing them from taking over computer systems.

Malware, including computer viruses, is a growing problem that can lead to crashed computer systems and stolen personal information.

A recent Internet security threat report showed a 1,000 percent increase in the number of new malware signatures extracted from the in-the-wild malware programs found from 2006 to 2008.

Rootkits typically work by hijacking a number of “hooks,” or control data, in a computer’s operating system.

Repair Shops can Hack Your Laptops

Some computer repair shops are illegally accessing personal data on customers’ hard drives – and even trying to hack their bank accounts, a Sky News investigation has found.

In one case, passwords, log-in details and holiday photographs were all copied onto a portable memory stick by a technician. In other shops, customers were charged for non-existent work and simple faults were misdiagnosed.

An investigator from the Trading Standards Institute said he was “shocked” by the findings. The investigation was carried out using surveillance software loaded onto a brand-new laptop.

Anti-virus: Software that scans your PC for viruses, worms, and trojans using up-to-date virus signatures. Once one is found, the program can remove or quarantine the virus and (ideally) keep it from performing whatever malicious duties it was sent to do.

Attack: An attempt by an unauthorized individual or program to gain control over aspects of your PC for various purposes.

Backdoor: This is sometimes referred to as a trapdoor, and is a feature in programs that the original programmer puts into the code in order to fix bugs or make other changes that need to be made. However, if this information becomes known to anyone else, it poses a potential security risk.
