Risks in an ERP environment:
The use of ERP systems clearly introduces additional risks into the system environment. These additional risks include problems associated with:
• Improper use of technology.
• Inability to control technology.
• Inability to translate user needs into technical requirements.
• Illogical processing.
• Inability to react quickly (to stop processing).
• Cascading of errors.
• Repetition of errors.
• Incorrect entry of data.
• Concentration of data.
• Inability to substantiate processing.
• Concentration of responsibilities.
Improper Use of Technology:
• One of the more common misuses of technology is the introduction of new technology prior to the clear establishment of its need.
• For example, many organizations introduce database technology without clearly establishing the need for that technology.
The conditions that lead to the improper use of technology include:
• Premature use of new hardware technology.
• Early use of new software technology.
• Minimal planning for the installation of new hardware and software technology.
• Systems analyst/programmer improperly skilled in the use of technology.
Inability to Control Technology:
• Controls are needed over the technological environment. These controls ensure that the proper version of the proper program is in production at the right time, and that the operators perform the proper instructions.
• Adequate procedures must be developed to prevent, detect, and correct problems in the operating environment. The proper data must be maintained and retrievable when needed.
The conditions that result in uncontrolled technology include:
• Selection of vendor-offered system control capabilities by systems programmers without considering audit needs.
• Inadequate restart/recovery procedures.
• Inadequate control over different versions of programs.
• Inadequate control over system operators, print capabilities, and data transmission capabilities.
• Inadequate review of outputs.
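One way to check that "the proper version of the proper program is in production" is to compare what is deployed against an approved release manifest. The sketch below is an added example, not part of the original slides; the program names, versions and byte contents are constructed for illustration.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit_production(approved: dict, deployed: dict) -> list:
    """Compare deployed program images with the approved release manifest.

    approved: program name -> (version label, SHA-256 of the approved build)
    deployed: program name -> bytes of the image found in production
    Returns a sorted list of (program, finding); an empty list means clean.
    """
    findings = []
    for name, (version, digest) in approved.items():
        if name not in deployed:
            findings.append((name, f"approved version {version} is missing from production"))
        elif sha256_hex(deployed[name]) != digest:
            findings.append((name, f"content does not match approved version {version}"))
    # Anything running that was never released through change control.
    for name in deployed.keys() - approved.keys():
        findings.append((name, "in production without an approved release"))
    return sorted(findings)

# Constructed sample data (hypothetical program names and builds).
PAYROLL_BUILD = b"payroll calc build 2.0"
APPROVED = {
    "payroll_calc": ("2.0", sha256_hex(PAYROLL_BUILD)),
    "order_entry": ("5.1", sha256_hex(b"order entry build 5.1")),
    "inventory_replenish": ("3.4", sha256_hex(b"inventory build 3.4")),
}
DEPLOYED = {
    "payroll_calc": PAYROLL_BUILD,               # matches the approved build
    "order_entry": b"order entry build 5.0",     # older version still running
    "adhoc_extract": b"unreviewed extract job",  # never approved
}

if __name__ == "__main__":
    for program, finding in audit_production(APPROVED, DEPLOYED):
        print(f"{program}: {finding}")
```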
Inability to Translate User Needs into Technical Requirements: One of the major failures of information technology has been a communication failure between users and technical personnel. In many organizations, users cannot adequately express their needs in terms that facilitate the implementation of ERP applications. And the technical people are often unable to appreciate the concerns and requirements of their users.
Conditions that can lead to the inability to translate user needs into technical requirements include:
• Users without technical IT skills.
• Technical people without sufficient understanding of user requirements.
• User’s inability to specify requirements in sufficient detail.
• Multi-user systems with no user in charge of the system.
• Failure to implement needs because users were unaware of technical capabilities.
• Improperly implemented needs because the technical personnel did not understand user requirements.
• Building of redundant manual systems to compensate for weaknesses in ERP applications.
Illogical Processing:
• Illogical processing is the performance of an automated event that would be highly unlikely in a manual processing environment.
• For example, a payroll check for over $1 million might be produced for a clerical individual. This is possible in an automated system due to programming or hardware errors, but highly unlikely in a manual system.
Inability to React Quickly: ERP applications are valuable because they are able to satisfy user needs on a timely basis. Some of these needs are predetermined and reports are prepared on a regular basis to meet these needs. Other needs occur periodically and require special actions to satisfy.
If the ERP application is unable to satisfy these special needs on a timely basis, redundant systems may be built for that purpose. One of the measures of an ERP application’s success is the speed with which special requests can be satisfied. Some of the newer online database applications that include a query language can satisfy some requests within a very short time span.
The conditions that make ERP applications unable to react quickly include:
• Computer time is unavailable to satisfy the request, or computer terminals/microcomputers are not readily accessible to users.
• General-purpose extract programs are not available to satisfy the desired request.
• The cost of processing exceeds the value of the information requested.
Cascading of Errors:
• An error in one part of the program or application triggers a second yet unrelated error in another part of the application system. This second error may trigger a third error, and so on.
• The risk of cascading errors is frequently associated with making changes to application systems. A change is made and tested in the program in which the change occurs. However, some condition has been altered as a result of the change, which causes an error to occur in another part of the application system.
• Cascading of errors can occur between applications. This risk intensifies as applications become more integrated.
For example, a system that is accepting orders may be tied through a series of applications to a system that replenishes inventory based upon orders. Thus, an insignificant error in the order-entry program can “cascade” through a series of applications resulting in a very serious error in the inventory replenishment program.
The types of conditions that lead to cascading of errors include:
• Inadequately tested applications.
• Failure to communicate the type and date of changes being implemented.
• Limited testing of program changes.
Repetition of Errors:
• In a manual processing environment, errors are made individually. Thus, a person might process one item correctly, make an error on the next, process the next twenty correctly, and then make another error.
• In ERP systems, the rules are applied consistently. Thus, if the rules are correct, processing is always correct. But, if the rules are erroneous, processing will always be erroneous.
• Errors can result from application programs, hardware failures, and failures in vendor-supplied software. For example, a wrong percentage may have been entered for tax deductions. Thus, every employee for that pay period will have the wrong amount deducted for tax purposes.
The conditions that cause repetition of errors include:
• Insufficient program testing.
• Inadequate checks on entry of master information.
• Failure to monitor the results of processing.
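Monitoring the results of processing can catch both the illogical payroll check and the repeated tax-deduction error described above before a run is released. The following is an added example, not part of the original slides; the pay limits, record layout and sample run are constructed assumptions.

```python
from decimal import Decimal

# Constructed limits: maximum plausible net pay per pay period by job class.
PAY_LIMITS = {"clerical": Decimal("6000"), "manager": Decimal("20000")}

def illogical_checks(run):
    """Return employee ids whose net pay exceeds the limit for their job class."""
    return [r["emp"] for r in run if r["net"] > PAY_LIMITS[r["job_class"]]]

def repeated_rate_error(run, expected_rate, tolerance=Decimal("0.001")):
    """Detect one wrong deduction rate applied consistently to a whole run.

    Derives the rate actually applied to each record (tax / gross). If every
    record shows the same rate and it differs from the expected master rate,
    the fault is in the rule, not in individual entries: return that rate.
    Otherwise return None.
    """
    applied = {
        (r["tax"] / r["gross"]).quantize(Decimal("0.001"))
        for r in run if r["gross"] > 0
    }
    if len(applied) == 1:
        rate = applied.pop()
        if abs(rate - expected_rate) > tolerance:
            return rate
    return None

# Constructed pay run: the tax master record was keyed as 25% instead of 15%,
# and E3 carries a gross amount no clerical employee could earn.
RUN = [
    {"emp": "E1", "job_class": "clerical", "gross": Decimal("3000"),
     "tax": Decimal("750"), "net": Decimal("2250")},
    {"emp": "E2", "job_class": "manager", "gross": Decimal("9000"),
     "tax": Decimal("2250"), "net": Decimal("6750")},
    {"emp": "E3", "job_class": "clerical", "gross": Decimal("1400000"),
     "tax": Decimal("350000"), "net": Decimal("1050000")},
]

if __name__ == "__main__":
    print("hold for review:", illogical_checks(RUN))
    print("systematic rate applied:", repeated_rate_error(RUN, Decimal("0.15")))
```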
Incorrect Entry of Data: In ERP applications, there is a mechanical step required to convert input data into machine-readable format. In the process of conducting this task, errors can occur. Data that was properly prepared and authorized may be entered into ERP applications incorrectly.
Conditions that can cause incorrect entry of data include:
• Human errors in keying data.
• Mechanical failure of hardware devices.
• Misinterpretation of characters or meaning of manually recorded input.
• Misunderstanding of data entry procedures.
• Inadequate data verification procedures.
Concentration of Data: With ERP media, unauthorized individuals can browse files using computer programs. This may be difficult to detect without adequate safeguards. In addition, the data can be copied quickly without leaving any visible trail or destroying the original data.
Database technology increases the risk of data manipulation and compromise. The more data that is stored in a single place, the greater the value of that data to an unauthorized individual. For example, the information about an individual in the payroll application is restricted
The conditions that can create problems due to the concentration of data in ERP applications include:
• Erroneous data and its impact on multiple users of that data.
• Impact of hardware and software failures that ordinarily make the data available to multiple users.
• Inadequate access controls enabling unauthorized access to data.
Inability to Substantiate Processing:
• ERP applications should contain the capability to substantiate processing. This substantiation includes both the ability to reconstruct the processing of a single transaction and the ability to reconstruct control totals. Application systems need to substantiate processing to correct errors and to prove that processing is correct.
• The inability to substantiate processing may be caused by the cost of substantiating processing exceeding the benefits derived from the process.
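Both forms of substantiation can be served by a journal that records every processing step: control totals are rebuilt from it and compared with the batch header, and a single transaction is traced through it. This is an added example, not part of the original slides; the batch header, journal layout and values are constructed assumptions.

```python
from decimal import Decimal

# Constructed batch header: totals recorded when the batch is submitted.
HEADER = {"count": 3, "amount": Decimal("1850.00"), "hash_total": 30066}

# Constructed journal: one entry per processing step, appended as the step runs.
# Fields: (transaction id, step, account number, amount)
JOURNAL = [
    ("T1", "entered", 10011, Decimal("500.00")),
    ("T2", "entered", 10022, Decimal("350.00")),
    ("T3", "entered", 10033, Decimal("1000.00")),
    ("T1", "posted", 10011, Decimal("500.00")),
    ("T2", "posted", 10022, Decimal("530.00")),  # digits transposed during posting
    ("T3", "posted", 10033, Decimal("1000.00")),
]

def control_totals(journal, step):
    """Rebuild record count, amount total and account hash total for one step."""
    rows = [e for e in journal if e[1] == step]
    return {
        "count": len(rows),
        "amount": sum((e[3] for e in rows), Decimal("0")),
        "hash_total": sum(e[2] for e in rows),
    }

def reconcile(header, journal, step):
    """Return {field: (expected, actual)} for every control total that differs."""
    actual = control_totals(journal, step)
    return {k: (header[k], actual[k]) for k in header if header[k] != actual[k]}

def trace(journal, txn):
    """Reconstruct the processing of a single transaction, in journal order."""
    return [(step, amount) for t, step, _acct, amount in journal if t == txn]

def altered_transactions(journal):
    """List transactions whose amount changed between processing steps."""
    return sorted({t for t, *_ in journal
                   if len({a for _s, a in trace(journal, t)}) > 1})

if __name__ == "__main__":
    print("entered vs header:", reconcile(HEADER, JOURNAL, "entered"))
    print("posted vs header:", reconcile(HEADER, JOURNAL, "posted"))
    for txn in altered_transactions(JOURNAL):
        print(txn, trace(JOURNAL, txn))
```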
Concentration of Responsibilities:
• Responsibilities that had been divided among many people for control purposes may be concentrated into a single application system.
• The responsibilities in an ERP environment may be concentrated in both the application system and IT personnel. For example, the database administrator may absorb data control responsibilities from many areas in the organization.
• A single ERP system project leader may have the processing responsibility for many areas in the organization.