How do you Audit an ERP System?

There are few rules that can be applied to all ERP auditing situations. As each system serves the client in a different capacity and has been altered to fit the client’s business model, ERP auditors must be flexible and creative in designing an audit plan. On the same note, there are no hard rules on splitting roles and responsibilities between audit groups. Role differentiations are determined on a client-to-client basis, as a function of auditor experience, expertise and training. A common distinction is made between financial auditors and information systems auditors. However, with ERP, financial reporting and especially internal accounting controls must be audited by working through the computer; therefore, it is important that auditors have knowledge of both accounting and technology, learning new skill sets in the process (Moulton). Specialists are also commonly hired to determine if complex technology is working correctly. The concept of an “integrated auditor,” who has enough accounting and IT knowledge to work both sides of the audit, has emerged as a workable solution to the complexities of ERP auditing (Hahn).

ERP systems are technically complex, with the system residing on multiple computers and the flexibility to support multiple configurations and customizations (Hahn). To begin understanding a client’s ERP system, auditors must evaluate how the technology relates to the business environment. To determine the scope of the audit, they must take into consideration:

  • how the technology is used in the organization
  • the number of people using the technology
  • which ERP modules have been implemented
  • the existence of distributed applications
  • whether legacy systems are used and to what capacity (Hahn)

Auditors must go through a significant amount of training to acquire the knowledge necessary to adequately understand the functioning of an ERP system and how it takes in data and produces financial reports. Auditors must also consider learning new tools to take advantage of functions in ERP systems. SAP’s language, ABAP/4, would be useful for an auditor to know so that he can examine the programming code when there is a question about the functioning of the system (Hahn). As another example, Oracle’s database comes with its own set of basic auditing actions designed to detect unauthorized access and internal abuse of the data being stored (Finnigan).

ERPs have specifically influenced the auditing profession in four main ways: the interaction and flow of information, issues with data and the processing of data, controls and security of the data and the systems, and training of employees who use the ERP systems.

Interaction and the Flow of Information – With an ERP system, operational and financial data are tied together through a complex information flow. Transactions can be entered automatically without review or pre-checking. Therefore, ERPs make it difficult to perform financial audits without relying on system controls. Such controls should be designed, in part, to prevent inaccurate or false information from entering the system. As many transactions are automated functions of modules creating information entries for other modules, it is impossible to audit “around the computer” (i.e. comparing input to output). Rather, auditing must be done “through the computer” (i.e. testing the system process that the input went through to create the output), using such methods as test decks and parallel simulation. In order to conduct a proper audit through the computer, the auditor must have a certain level of understanding of technology and how the system functions.
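The following is an added illustration, not part of the original article, of what a parallel simulation over a test deck looks like in practice: the auditor re-implements the posting rule independently and compares the result with what the ERP reported for each test transaction. The tax rate, bulk-discount rule and the test deck itself are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

# Assumed posting rules for the simulation (constructed for this example).
TAX_RATE = Decimal("0.08")       # assumed 8% sales tax
BULK_DISCOUNT = Decimal("0.05")  # assumed 5% discount when quantity >= 100

def expected_invoice_total(qty, unit_price):
    """Auditor's independent recomputation of an invoice line total."""
    gross = Decimal(qty) * Decimal(unit_price)
    if qty >= 100:
        gross -= gross * BULK_DISCOUNT
    total = gross * (1 + TAX_RATE)
    return total.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

# Constructed test deck: (order id, quantity, unit price, total the ERP reported).
TEST_DECK = [
    ("SO-1001", 10, "25.00", "270.00"),
    ("SO-1002", 100, "25.00", "2565.00"),
    ("SO-1003", 3, "19.99", "64.77"),
    ("SO-1004", 150, "4.50", "729.00"),   # ERP output skipped the bulk discount
]

def run_parallel_simulation(deck):
    """Return (order id, expected total, reported total) for every mismatch.

    An empty result means the system processed the whole deck as the
    independently coded rule says it should.
    """
    exceptions = []
    for order_id, qty, price, reported in deck:
        expected = expected_invoice_total(qty, price)
        if expected != Decimal(reported):
            exceptions.append((order_id, str(expected), reported))
    return exceptions

if __name__ == "__main__":
    for order_id, expected, reported in run_parallel_simulation(TEST_DECK):
        print(f"{order_id}: expected {expected}, ERP reported {reported}")
```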

The ideal of a “paperless office” is facilitated through an ERP system, because the system is centralized and communicates data from a common internal source, the database. Instead of hardcopy evidence, ERPs create event history logs that form a visible trail of evidence for tracing information back to the original input source (Adint). These audit trails allow an auditor both to detect when an undesirable event has occurred and to reconstruct how the event happened. At a minimum, the trails should contain the user ID, the date and time of the event, and the action taken. Other information could include previous and current field values (Adint). Auditors of ERP systems need to be cognizant of how to use these audit trails and of the appropriateness of their design, because this impacts the ability to rely on system controls or the output created.
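As an added example (not from the article), the check below applies the minimum audit-trail requirements just listed to a constructed event history log: it flags events missing a user ID, timestamp or action, and reconstructs one field's history from the previous/current values so an auditor can see whether the recorded sequence is continuous. The JSON-lines format and the sample events are assumptions.

```python
import json
from datetime import datetime

REQUIRED = ("user_id", "timestamp", "action")   # minimum fields per the text

# Constructed sample log: one JSON object per line, as an ERP might export it.
SAMPLE_LOG = """
{"user_id": "jdoe", "timestamp": "2023-03-01T09:15:00", "action": "UPDATE", "record": "VENDOR-42", "field": "bank_account", "old": "1111", "new": "2222"}
{"user_id": "", "timestamp": "2023-03-01T09:16:00", "action": "UPDATE", "record": "VENDOR-42", "field": "bank_account", "old": "2222", "new": "3333"}
{"user_id": "asmith", "timestamp": "2023-03-02T14:00:00", "action": "DELETE", "record": "INV-7"}
{"timestamp": "2023-03-02T14:01:00", "action": "INSERT", "record": "INV-8"}
""".strip().splitlines()

def parse_log(lines):
    """Parse JSON-lines into a list of event dicts."""
    return [json.loads(line) for line in lines]

def find_deficient_events(events):
    """Indexes of events missing (or blank in) any required audit-trail field."""
    return [i for i, ev in enumerate(events)
            if any(not ev.get(key) for key in REQUIRED)]

def reconstruct_field_history(events, record, field):
    """Chronological (timestamp, user, old, new) tuples for one field of a record."""
    hist = [ev for ev in events
            if ev.get("record") == record and ev.get("field") == field]
    hist.sort(key=lambda ev: datetime.fromisoformat(ev["timestamp"]))
    return [(ev["timestamp"], ev.get("user_id") or "<unknown>", ev["old"], ev["new"])
            for ev in hist]

def history_is_continuous(history):
    """True if each change starts from the value the previous change produced."""
    return all(prev[3] == cur[2] for prev, cur in zip(history, history[1:]))

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("deficient events:", find_deficient_events(events))
    hist = reconstruct_field_history(events, "VENDOR-42", "bank_account")
    for row in hist:
        print(row)
    print("continuous:", history_is_continuous(hist))
```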

Because ERPs are customizable and often changed by an organization’s internal programmers, auditors must pay attention to how these changes take place. The production code forms the basis of running the ERP system. To protect this valuable asset, changes in the production code should be:

  • authorized by the business owner (if functional) or IT manager (if technical)
  • tested thoroughly
  • approved by the business owner or IT manager
  • performed by an authorized person
  • documented

To verify that the authorization and approval controls are valid, any change to the code should be traceable to a request. Access to the production code should be limited and traceable to the authorized individual who made the changes. To check these, auditors must look for hard-copy documentation, such as change request forms, as well as documentation embedded in the code itself (Adint).

Controls and Security – It is important for any entity to segregate the duties of authorization of transactions, recording of transactions, and custody of transactions. Auditors should examine the business process flows to identify where authorization, recording, and custody of a business transaction take place, and compare this to how the user responsibilities have been designed. Often user responsibilities are given wide-open access for the initial installation, but rarely are access restrictions introduced once the system has proven functional. Also, the auditors should check whether segregation of duties is accomplished with a combination of system and off-line controls. Segregation of duties should be designed into user responsibilities and functions, and documented in the business requirements stage. The auditor should determine which users were given access to which functions by examining documentation from the implementation stage (Cooke).
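The segregation-of-duties comparison described above can be automated once each ERP responsibility has been mapped to the duty it performs in a business process. The example below is added here and is not from the article or any ERP vendor; the role names, the role-to-duty mapping and the user access report are constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Assumed mapping, derived from the business process flows: role -> (process, duty).
ROLE_DUTIES = {
    "AP_INVOICE_ENTRY": ("purchase_to_pay", "record"),
    "PO_APPROVER":      ("purchase_to_pay", "authorize"),
    "PAYMENT_RUN":      ("purchase_to_pay", "custody"),
    "AR_INVOICE_ENTRY": ("order_to_cash", "record"),
    "CREDIT_APPROVER":  ("order_to_cash", "authorize"),
    "CASH_APPLICATION": ("order_to_cash", "custody"),
}

# Constructed user-to-responsibility assignments, as pulled from an access report.
USER_ROLES = {
    "jdoe":   ["AP_INVOICE_ENTRY", "PAYMENT_RUN"],
    "asmith": ["PO_APPROVER"],
    "bwong":  ["AR_INVOICE_ENTRY", "CREDIT_APPROVER", "CASH_APPLICATION"],
    "clee":   ["AP_INVOICE_ENTRY", "AR_INVOICE_ENTRY"],  # one duty per process: no conflict
}

def sod_conflicts(user_roles, role_duties=ROLE_DUTIES):
    """Return {user: [(process, duty_a, duty_b), ...]} for every user who
    holds two or more of authorize/record/custody within one process."""
    conflicts = {}
    for user, roles in user_roles.items():
        duties_by_process = defaultdict(set)
        for role in roles:
            if role in role_duties:          # unmapped roles are ignored here
                process, duty = role_duties[role]
                duties_by_process[process].add(duty)
        found = []
        for process, held in sorted(duties_by_process.items()):
            for a, b in combinations(sorted(held), 2):
                found.append((process, a, b))
        if found:
            conflicts[user] = found
    return conflicts

if __name__ == "__main__":
    for user, found in sod_conflicts(USER_ROLES).items():
        print(user, found)
```

Roles that appear in the access report but not in the mapping are silently skipped, so an auditor should reconcile the mapping against the full role list before relying on an empty result.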

The same segregation rule needs to be applied to IT functions to ensure system integrity. For example, IT personnel should not have user responsibilities. This serves the purpose of segregating development and production activities. IT personnel are responsible for maintaining the production software, including the associated controls, while production data is owned by the business users and serves as a record of business activities (Adint). If these duties were not segregated, a transaction could be processed with its controls circumvented, compromising data integrity.

Auditors must now be aware of the logical security of data used by the ERP system. Logical security includes user IDs and passwords. Auditors must make sure that user IDs are unique, because unique IDs ensure accountability and the ability to trace actions to individuals. The ability to sign on with a generic ID needs to be tightly controlled. This requires changing all the default passwords for the generic IDs that the ERP comes with and allowing few employees to know what the new password is. As an example, Oracle databases come programmed with generic ID passwords such as CHANGE_ON_INSTALL, MANAGER, and ORACLE (Adint). The problem with retaining the default passwords in prepackaged systems is that these passwords are public knowledge, and anyone who has network access can use them to gain access to the system.

Auditors also must look at corporate policy regarding application and database passwords. Passwords form the basis of logical security, and strong passwords protect the data from unauthorized access. Clear policies stress the importance of employees creating strong, complex passwords. Password policies should encompass minimum length, complexity requirements, expiration periods and lock-out times. An example policy would include:

  • Minimum of 8 characters
  • Cannot be one of the user’s previous four passwords
  • Contains at least one letter or number
  • Contains at least one special character
  • Not based on words found in the dictionary or on proper names
  • Expires in 14 days (Adint)
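To make the sample policy testable, here is an added checker (not from the article) that encodes the six rules exactly as listed, including the 14-day expiry. The word list standing in for a dictionary and the sample passwords are constructed; a real deployment would use a full dictionary and proper-name list.

```python
import re
from datetime import date, timedelta

MIN_LENGTH = 8        # rule 1
HISTORY_DEPTH = 4     # rule 2: previous four passwords
MAX_AGE_DAYS = 14     # rule 6: expiry period

# Constructed stand-in for a dictionary and proper-name list (assumption).
DICTIONARY = {"password", "welcome", "oracle", "manager", "summer", "smith"}

def check_password(candidate, previous=(), dictionary=DICTIONARY):
    """Return the list of policy rules the candidate violates (empty = acceptable)."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("minimum of 8 characters")
    if candidate in list(previous)[-HISTORY_DEPTH:]:
        violations.append("reuses one of the previous four passwords")
    if not re.search(r"[A-Za-z0-9]", candidate):      # rule 3 as stated in the policy
        violations.append("needs at least one letter or number")
    if not re.search(r"[^A-Za-z0-9]", candidate):     # rule 4
        violations.append("needs at least one special character")
    # Rule 5: strip digits and symbols, then compare the alphabetic core to the
    # word list so that "Welcome1!" is still caught as dictionary-based.
    core = re.sub(r"[^A-Za-z]", "", candidate).lower()
    if core in dictionary:
        violations.append("based on a dictionary word or proper name")
    return violations

def is_expired(last_changed, today):
    """True once the password is older than the 14-day expiry period."""
    return (today - last_changed) > timedelta(days=MAX_AGE_DAYS)

if __name__ == "__main__":
    for pw in ("Welcome1!", "short1!", "Tr4ns-aud1t"):
        print(pw, check_password(pw) or "OK")
    print(is_expired(date(2023, 1, 1), date(2023, 1, 16)))
```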

A process must exist for business owners to review the user access lists, as well as who monitors day-to-day administration of controls and how often controls are reviewed (Cooke). Business owners are in the best position to determine if access to the system or an application is needed to perform an employee’s task (Adint). Restricting employee access to certain fields and windows of the ERP system prevents inappropriate changes to the data. For example, an accounts payable clerk should not be given access to the purchase order module, since access to this module is not required to perform his job. The company should also have a review process in place to identify when people have changed positions or left the company and no longer need access to the system. In order to remove the task from IT, business owners should be enabled to pull their own access report (Adint).

Data Processing and Data Issues – ERP systems are designed to automatically update data throughout the system once a transaction has been entered, so the implementation of an ERP system shifts the focus of an audit from substantive testing to a largely controls-based audit. Since a logical system is performing the updating and reporting, routine transactions can be checked by the presence of proper controls. If strong controls are in place, auditors can do little substantive testing when performing an audit, focusing instead on manual and non-routine transactions, and still get reasonable assurance that the financial statements are free of material misstatements.

Since ERPs use on-line, real-time processing, information is updated simultaneously. Every transaction of every function is stored in one common database, and the various modules in an ERP system automatically create entries in the database for each other, thus creating simultaneous updates to the system that are transparent to all users (Hahn). Traditional “batch” controls and audit trails are no longer available to the auditor. Data entry accuracy is maintained through the use of default values, cross-field checking and transaction balancing rather than batch processing (Hahn).

Because the information is updated, maintained and stored electronically, auditors need to understand how the modules interact with each other and with the database. Additionally, the flow of information must be understood. Because of the high degree of automation present in ERP systems, understanding the logical flow of information that is produced will help ensure that the information is correct.

With the use of a single database, data entry is more important, because an erroneous piece of information will permeate the entire company’s records (Brady 120). ERP systems shift the burden of correctness to the front-line workers, while the higher-end processes of data transfer and report creation are done automatically. Auditors must spend more time with lower-level employees to determine if those entering the data understand what they are doing, and especially what to do if a problem arises or a mistake is made. In non-integrated information systems, an error in data input is less harmful than in an ERP, because the error will not spread to the records of other departments and can be caught when auditors compare records. However, with ERP systems there is no way to discover a mistake by checking it against another system, since everything relies on a common database.

Employee Training – ERP systems require extensive training to use. Auditors of ERP systems need to assess the business environment and how it communicates to users of the ERP the proper uses and processes of the system (Arlinghaus). Training manuals and documents should be reviewed, as well as training course outlines. The training should be designed for the end user’s job, and stress to employees how the data they control affects the entire business operation. If proficiency tests are in place, the auditor should examine the difficulty of the questions (Brady 120-121). Continual training, especially in the use of new modules and functions, should also be examined.

Auditors should also examine how the client’s management deals with the changes that ERP systems bring to the business. A company’s managers and employees will often resist ERP systems, because they require changing the way they have performed their jobs in the past. Typical ERP training costs between $10,000 and $20,000 per employee (Brady 32). Because of the high price and the lack of immediate results, many companies do not properly train employees on how to use the ERP system.
