Audit Risks In An ERP Environment
John Dionne, IT Auditor, DCAA Northeastern Region
ERPs In The News
• Autodesk reduced its customer delivery time from two weeks to 24 hours
• IBM Storage Systems reduced the time required to re-price all of its products from 5 days to 5 minutes, the time to ship a replacement part from 22 days to 3 days and the time to complete a credit check from 20 minutes to 3 seconds
• Fujitsu Microelectronics reduced the cycle time for filling orders from 18 days to 1 and 1/2 days and cut the time to close its financial books from 8 days to 4 days
“To err is human, but to really foul things up requires a computer.” Anonymous
ERPs In The News
• “Failed ERP Gamble Haunts Hershey” - Candy maker bites off more than it can chew and 'Kisses' big Halloween sales goodbye - A $112 million ERP project has blown up in the face of Hershey Foods Corp.
• “ERP Project Problems Plague City Payroll” - Oakland CA - 1,100 of 5,000 checks incorrect; Oracle setup and training blamed
• “ERP Problems Plague College” - Cleveland State can’t process Financial Aid using PeopleSoft applications
ERPs In The News
• “Payroll Systems Flunk First Exams”
• Philadelphia School System issues paychecks to dead or retired school teachers after implementing $26 Million system
• Orlando School System - 1,000 employees did not receive paychecks after SAP implementation
• “ERP Problems Put Brakes on Volkswagen Parts Shipments” - German warehouse having trouble with modified version of SAP R/3
Audit Risks In An ERP Environment: What Has Changed?
What Has Changed?
• Business Environment
• Reengineering
• Employee Responsibilities
• “More With Less”
• Business Processes
• Account Structure
What Has Changed?
• Internal Controls
• Traditional Batch Controls and Audit Trails May No Longer Be Available
• Employees “Empowered”
• IT Architecture
• Client Server Environment - Multiple Servers vs Single Mainframe
• Single Database
Audit Risks In An ERP Environment: So Where's The Risk?
Internal Controls
• Prime Objectives
• Does the process work as intended?
• Are proposed and/or actual costs reasonable, allowable and allocable?
• Is the process vulnerable to unauthorized transactions and/or changes?
Audit Risks In An ERP Environment: Control Environment
• Going From A “Well Proven System” To “New Technology”
• Impact of Reengineering & Downsizing on Employee Loyalty
• Employees are given much greater responsibilities
• Pressure to complete installation on time
• Increased Risk and Vulnerability !!
Implementation Risks
• Abbreviated due dates - “Get It Done At Any Costs”
• Use of “generic” IDs
• Poorly defined user profiles or classes
• Poorly defined business process controls
• Poorly defined edits
• Inadequate workflow controls
Implementation Risks
• GAPS - Where do things that don’t fit into new system go??
• Accuracy of Data Conversion
• Poor testing methodologies
• Increased Risk and Vulnerability !!
Compliance Risks
• Accounting Changes (CAS)
• Overhead Rates Allocations - Savings in Forward Pricing Rates?
• Allowable, Allocable, Reasonable, etc.
• MMAS Implications
• Earned Value Management System (EVMS)
• Single Process Initiative
• Property Management
• Quality Assurance
• Increased Risk and Vulnerability !!
Access Control Risks
• Poor audit trail requires increased access controls and additional reliance upon adequate segregation of duties
• Single entry affects multiple transactions
• Most traditional input and processing controls now reside within the application
• Going from few users to many
• Single mainframe to multiple servers
Access Control Risks
• Some users able to bypass controls within the application and directly access the database
• Default passwords not changed due to rush to implement
• Increased Risk and Vulnerability !!
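A user access review that tests for the access control and implementation risks listed above (generic IDs, unchanged passwords, direct database access, segregation of duties conflicts). This is an added example, not part of the original presentation; the field names, role names, conflict matrix and generic-ID naming patterns are assumptions, and the user extract is constructed.

```python
import re

# Constructed user/profile extract; field and role names are hypothetical.
USERS = [
    {"id": "jsmith",  "roles": {"vendor_maintain", "payment_run"}, "pwd_changed": True,  "db_login": False},
    {"id": "mlee",    "roles": {"po_create", "po_approve"},        "pwd_changed": True,  "db_login": False},
    {"id": "TEMP01",  "roles": {"invoice_post"},                   "pwd_changed": False, "db_login": False},
    {"id": "akhan",   "roles": {"labor_entry"},                    "pwd_changed": True,  "db_login": True},
    {"id": "rgarcia", "roles": {"payment_run"},                    "pwd_changed": True,  "db_login": False},
]

# Assumed conflict matrix: role pairs one person should not hold together.
SOD_CONFLICTS = [
    ("vendor_maintain", "payment_run"),
    ("po_create", "po_approve"),
    ("labor_entry", "labor_approve"),
]

# Assumed naming patterns for shared or generic IDs.
GENERIC_ID = re.compile(r"^(temp|test|admin|user|train|generic)\d*$", re.I)

def review_access(users, conflicts=SOD_CONFLICTS):
    """Return a sorted list of (user_id, finding) tuples."""
    findings = []
    for u in users:
        if GENERIC_ID.match(u["id"]):
            findings.append((u["id"], "generic ID: activity cannot be tied to a person"))
        if not u["pwd_changed"]:
            findings.append((u["id"], "password never changed since account creation"))
        if u["db_login"]:
            findings.append((u["id"], "direct database login bypasses application controls"))
        for a, b in conflicts:
            if a in u["roles"] and b in u["roles"]:
                findings.append((u["id"], f"segregation of duties conflict: {a} + {b}"))
    return sorted(findings)

if __name__ == "__main__":
    for user_id, finding in review_access(USERS):
        print(f"{user_id:8} {finding}")
```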
Input Control Risks
• Most traditional input controls, such as review and approval of source documentation, separation of duties, etc., now reside within the application (profiles, classes, workflow, etc.). These controls are only as effective as the access controls within the application
• Complexity of applications and “rush to implement” may result in shortcuts (inadequate controls)
• Increased Risk and Vulnerability !!
Processing Control Risks
• High Risk during implementation and conversion (was all data converted accurately?)
• Once implemented, all data processed within a single database, eliminating need for run to run totals, Input Batch Controls, Tape library management, etc.
• Need to test that system is processing data as intended
• Increased Risk and Vulnerability !!
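A conversion reconciliation that answers "was all data converted accurately?" by comparing record counts, control totals and per-record hashes between the legacy extract and the ERP load. This is an added example, not part of the original presentation; the record layout (job number, account, amount) is an assumption and both extracts are constructed.

```python
import hashlib
from decimal import Decimal

# Constructed extracts: (job number, account, amount).
LEGACY = [
    ("J-1001", "5100", "1250.00"),
    ("J-1002", "5100", "310.45"),
    ("J-1003", "5200", "98.10"),
    ("J-1004", "5200", "4400.00"),
]
CONVERTED = [
    ("J-1001", "5100", "1250.00"),
    ("J-1002", "5100", "301.45"),   # transposed digits during conversion
    ("J-1004", "5200", "4400.00"),
    ("J-1005", "5200", "75.00"),    # record with no legacy source
]

def row_hash(row):
    """Hash normalized fields so a change in any field shows up as a mismatch."""
    key, account, amount = row
    cents = str(Decimal(amount).quantize(Decimal("0.01")))
    norm = "|".join([key.strip(), account.strip(), cents])
    return hashlib.sha256(norm.encode()).hexdigest()

def reconcile(legacy, converted):
    """Compare two extracts keyed on the first field of each record."""
    old = {r[0]: r for r in legacy}
    new = {r[0]: r for r in converted}
    total = lambda rows: sum(Decimal(r[2]) for r in rows)
    return {
        "count": (len(legacy), len(converted)),
        "control_total": (total(legacy), total(converted)),
        "missing": sorted(old.keys() - new.keys()),
        "unexpected": sorted(new.keys() - old.keys()),
        "changed": sorted(k for k in old.keys() & new.keys()
                          if row_hash(old[k]) != row_hash(new[k])),
    }

if __name__ == "__main__":
    for name, value in reconcile(LEGACY, CONVERTED).items():
        print(name, value)
```

The record counts agree in this sample even though three records are wrong, which is why the count is checked together with the control total and the per-record comparison.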
Error Correction Control Risks
• Errors resolved immediately since edit and control procedures within the input screens and the ERP prevent the input of erroneous data (e.g. cannot charge a job with either labor or materials unless it is already in the system - no suspense accounts)
• Decreased Risk and Vulnerability
Summary
• Remember Prime Objectives
• Does the system work as intended?
• Are proposed and/or actual costs reasonable, allowable and allocable?
• Is the system vulnerable to unauthorized transactions and/or changes?
• Systems are large and complex - easy to become bogged down in the “nuts and bolts” of the system and fail to recognize significant risks to the government
Summary
• Significant Government Risk
• High implementation cost - Expect Payback in Rates
• Changes in the Control Environment
• Data Conversion & Accuracy
• No Paper Trail
• Accounting Changes
• MMAS
Summary
• Significant Government Risk
• Earned Value Management System (EVMS)
• Single Process Initiative
• Property Management
• Quality Assurance