
Audit considerations for your 11i implementation

Audit considerations for your 11i implementation. Richard Byrom Oracle Applications Consultant EOUG October 2003. Agenda. Objectives Why an ERP audit? Some common mistakes Audit considerations Conclusion Questions & Answers. Objectives.


Presentation Transcript


  1. Audit considerations for your 11i implementation Richard Byrom Oracle Applications Consultant EOUG October 2003

  2. Agenda • Objectives • Why an ERP audit? • Some common mistakes • Audit considerations • Conclusion • Questions & Answers

  3. Objectives • To highlight how Sarbanes Oxley Act of 2002 and Corporate Governance initiatives are requiring enhanced levels of internal control • To point out common audit and review errors • To outline how Oracle can assist in establishment of strong internal controls and facilitate the audit and review process

  4. Why an ERP audit? • Increased risk • Higher Levels of Regulation • Sarbanes Oxley 2002 • Increased adoption of IAS

  5. Required Action – Internal Control Institute controls which mitigate the risks posed. The objectives of such controls should be to: 1. Safeguard all the assets of the enterprise 2. Ensure accurate and reliable accounting (and other) information • Validity - only valid items are allowed to enter a system (authorisation) • Completeness - all valid items are captured and entered into system (number of items) • Input accuracy - data that is entered into the system is correct (data fields)

  6. Required Action – Internal Control • Improve operational effectiveness, efficiency and security Effectiveness - fulfils intended objective. Efficiency - prevents unnecessary waste of resources. Security - protection of resources from misuse or destruction. • Promote adherence to managerial policies

  7. Required Action - Guidelines Audit and Review guidelines should be developed which provide a management-oriented framework and proactive control self-assessment specifically focused on: • Performance measurement—How well is the IT function supporting business requirements? • IT control profiling—What IT processes are important? What are the critical success factors for control? • Awareness—What are the risks of not achieving the objectives? • Benchmarking—What do others do? How can results be measured and compared?

  8. Required Action – Assess Controls Level 1: Unreliable • Unpredictable environment where controls are not designed or in place. Level 2: Informal • Controls are designed and in place but are not adequately documented • Controls mostly dependent on people • No formal training or communications of controls. Internal Controls Maturity Framework. Source: PricewaterhouseCoopers paper on Sarbanes Oxley Act of 2002

  9. Required Action – Assess Controls Level 3: Standardised • Controls are designed and in place • Controls have been documented and communicated to employees. • Deviations from controls may not be detected. Level 4: Monitored • Standardised controls with periodic testing for effective design and operation with reporting to management • Automation and tools may be used in a limited way to support controls. Internal Controls Maturity Framework. Source: PricewaterhouseCoopers paper on Sarbanes Oxley Act of 2002

  10. Required Action – Assess Controls Level 5: Optimised • An integrated internal control framework with real-time monitoring by management with continuous improvement (Enterprise-Wide Risk Management). • Automation and tools are used to support controls and allow the organisation to make rapid changes to the controls if needed. Internal Controls Maturity Framework. Source: PricewaterhouseCoopers paper on Sarbanes Oxley Act of 2002

  11. Some Common Mistakes • Poor Planning • Lack of Focus • Competency of Auditors • Independence • Reliance on Technology for the Solution • Silo approach • Reports and Reviews not taken seriously.

  12. Audit Considerations • Who should review? • What should be reviewed? • How to effectively utilise your software

  13. Who should review • Internal Audit • External Audit • Implementation Consultants/Partners • Departmental/Functional Level Management • Senior Management • Third Party Review

  14. What should be reviewed • Hardware • Network • Software. Figure: Software Layers and Linkages. Source: Information Systems Audit and Control Association, 2003. ERP Systems review guideline.

  15. What should be reviewed • Processes • People • Implementation approach or strategy

  16. How to effectively manage your software • The Oracle Information Architecture • Efforts to meet new regulatory requirements • Global Audit and Review Capability • Modular/Detailed Audit and Review Capability

  17. The Oracle Information Architecture • Unified data model • Accessible by anyone, with any device • Global • Configurable • Open

  18. Efforts to meet new regulatory requirements The Oracle Solution to Sarbanes-Oxley Act of 2002. Source: oracle.com

  19. Visibility • Access a complete and accurate view of financial data for quicker reporting and meaningful disclosure. • View global enterprise information that is timely, relevant, consistent, and available in real-time. • Obtain a complete view of your business with global information from a single source of truth.

  20. Control • Support the audit department in enforcing corporate compliance with documented policies and procedures, risk and process control management, visibility to business process workflow, and improved project management. • Keep your employees informed - document and track critical business processes, determine workflow, and develop and deploy applicable training to ensure compliance. • Manage and document corporate communications and data with an integrated suite of enterprise level applications that focus on managing all of the communications between individuals and teams, the content they create, as well as the information for supporting them. • Centralise and automate processes and controls for information consistency. Eliminate duplicate processes, reduce overhead, and cut costs.

  21. Efficiency • Eliminate bottlenecks and streamline the rollout of new internal processes and procedures with self-service. • Reduce the risk of malfeasance and accidental errors by streamlining inter-user approvals and participation in review processes. • Enable efficient execution of internal audits by providing project team members complete visibility into audit data. • Integrate enterprise data and business processes based on a unified data model to support global compliance.

  22. The Oracle Corporate Governance Solution Set

  23. Global Audit and Review Capability – Daily Business Intelligence Daily Business Intelligence (DBI) can be defined as a reporting framework that enables senior managers and executives to see an accurate and integrated daily summary of their business. DBI provides the technology components that enable cross-functional analysis, daily summarisation, and optimised reporting performance.

  24. Global Audit and Review Capability – Daily Business Intelligence

  25. Global Audit and Review Capability – Daily Business Intelligence The following intelligence products utilise the daily business intelligence reporting and analysis framework to give users a cross functional view of their business: • Contracts Intelligence • Human Resource Intelligence • Financials Intelligence • Interaction Centre Intelligence • Marketing Intelligence • Projects Intelligence • Purchasing Intelligence • Quoting Intelligence • Sales Intelligence • Supply Chain Intelligence

  26. Global Audit and Review Capability – Daily Business Intelligence

  27. Global Audit and Review Capability – Internal Controls Manager Oracle Internal Controls Manager is a comprehensive tool for executives, controllers, internal audit departments, and public accounting firms to use to document and test internal controls and monitor ongoing compliance

  28. Global Audit and Review Capability – Internal Controls Manager

  29. Internal Controls Manager Benefits • More efficient internal control testing • Higher Certainty in your Risk Assessment • Lower external audit verification costs.

  30. More efficient internal controls testing

  31. More efficient internal controls testing

  32. More efficient internal controls • Audit Program office/project management • Risk assessment questionnaires • Confidential feedback mechanism • Reviewing reconciliation status of all subsystems • Reviewing policy compliance

  33. Higher certainty in your risk assessment • Internal audit system is part of your operational system – this ensures accurate, real time business information. • Risk library and associated controls developed by Oracle working with world leaders in Audit and Risk Assurance.

  34. Lower external audit verification costs • Internal control manager ensures internal & external auditors understand your business systems risks and associated controls, hence reducing time taken to understand the system and saving you money.

  35. Modular/Detailed audit and review capability • Modular integration • Reporting Capability • Scripts • Network Test • Audit Trail

  36. Modular Integration

  37. Reporting – on line • Two way drill • Transaction status

  38. Reporting - On line • T- accounts

  39. Reporting - on line • Activity Summaries

  40. Reporting • Web reports • Standard Reports • Transactional Data • Master Data • Roles and Responsibilities • Setup parameters at modular and system level • Sequentially numbered documents • Security Rules and Cross Validation

  41. Scripts CRM analysis tool runs detailed analysis of setup parameters. Ref Note 167000.1 per Metalink (will demo the results)

  42. Network Test

  43. Audit Trail Report History

  44. Audit Trail • Record History

  45. Audit Trail • Table Audit • Sign on Audit • Monitor Users

  46. Audit Trail • Sign on audit reports • Sign on Audit Forms Report – who is navigating what form and when • Sign on Concurrent Requests Report – to view information about concurrent requests. • Sign on Audit Responsibilities Report – view who is selecting what responsibility and when • Sign on Audit Unsuccessful Logins Report – view who attempted unsuccessfully to log in to Oracle. • Sign on Audit Users Report – view who signs on and for how long.

  47. Conclusions • The risks of implementing ERP systems require special attention to mitigating controls, especially considering new regulatory requirements • Audit and review of ERP systems should be carried out by skilled professionals • The Oracle E-Business Suite functionality outlined will enable an organisation to optimise its controls and move to level 5 in the Internal Controls Maturity Framework. Internal Controls Maturity Framework. Source: PricewaterhouseCoopers paper on Sarbanes Oxley Act of 2002

  48. Q & A

  49. Speaker Information Name: Richard Byrom e-mail: richard@rpcdata.com richard@richardbyrom.com Company: RPC Data Ltd Web Site: http://www.rpcdata.com http://www.richardbyrom.com Mobile: +256-77983245
