Internal Controls and ERP

Seradex White Paper
A Discussion of Issues in the Manufacturing OrderStream
Internal Controls, Fraud Detection and ERP
Recently the SEC adopted Section 404 of the Sarbanes-Oxley Act. This law requires each annual report of a company to contain:

1. A statement of management's responsibility for establishing and maintaining adequate internal controls;
2. Management's assessment of the effectiveness of the company's internal control structure and procedures for financial reporting; and
3. The company's auditor's attestation to, and report on, management's assessment of the effectiveness of the company's internal controls and procedures.

Sarbanes-Oxley requires that internal controls be extensively documented, and this is a significant exercise. This brief review will look at some issues that should be considered in setting up internal controls in an ERP environment.
Internal Controls

Internal controls involve reviewing the practices, transactions, procedures and processes used to control financial transactions and protect a company's property and assets. This paper will examine how an internal auditor working specifically with the Seradex ERP system can implement internal controls and detect fraudulent transactions. The general approach should be applicable to most ERP systems.
Seradex is an ERP application processing data from a database. It offers flexible configuration and security options. Seradex links data in real time across the traditional business functions such as sales, production, inventory, procurement and finance.

An important point to realize is that Seradex ERP is an application program, like Microsoft Excel or Word. It typically sits between the end user and a database management system (such as SQL Server) and controls the adding, changing and deleting of data in that database.

Seradex ERP is a very flexible system that is configured to meet the organization's needs and requirements. This adds to the complexity of auditing the system, because you need to know not only how Seradex ERP works but also how your company is using Seradex.

One important characteristic of the Seradex ERP system is that user access depends on the Windows network security settings for each user and group. By setting up groups with highly detailed access parameters, users can be easily set up and added to the appropriate group, reducing security administration effort.
Seradex ERP and Internal Controls

Seradex ERP dictates that operational data and financial data are totally integrated. More people are able to enter transactions without review or checking by a supervisor. Many organizations give users very wide access to data without necessarily analyzing specific work requirements.

Note: Without careful consideration, this wide access can weaken internal controls by violating the segregation of duties concept.

ERP systems change the role of middle management for transaction review and authorization. Questioning and follow-up formerly done by middle managers is commonly reduced when an ERP system is implemented.

There are several implications and considerations for the internal controls possible in Seradex ERP. These can be segregated into the following categories:

Network Security and User Identities
  - User and Group Setup
  - Security authorization issues
  - Use of Active Directory
  - Administrative user management
  - Password control
  - Customer / Supplier Access User Controls
  - Server, Network and Firewall controls
  - Patch policy on Servers and Workstations

System Controls
  - Reconciliation of control accounts to subsidiary ledgers: Accounts Payable, Accounts Receivable, Inventory, Invoicing, Vendor Invoicing
  - Reconciliation of data to external information: bank reconciliation, accounts payable statement reconciliations
  - Cost centre and responsibility accounting
  - Management review and budgetary control
  - Review and authorization of non-routine transactions
  - Validation checks
    - Validation of data input in particular transactions
    - Properly designed and validated reports with authority checks
    - Matching of documents prior to "closing out", e.g. purchase order, receiving documentation, invoice

Master file control
  - Independent review of master file changes
  - Independent master file creation, separate from transactional responsibilities
  - Identifying redundant master
Auditing for Fraud

Auditors have a responsibility to minimize opportunities for fraud by ensuring that adequate internal controls are in place. If internal controls are weak in a particular area, the next step would be to consider red flags. A red flag is an indicator that some kind of irregularity is occurring and that something may be wrong. It does not prove that fraud has occurred, but if a red flag is identified, more detailed transaction examination is required.
Identifying Red Flags

Some examples of red flags could include:

  - Actual expenses far exceeding budgeted or prior years' expenses
  - Expenses out of historic norms
  - Significant manual entries made to asset and expense accounts
  - Addresses, telephone numbers and other data that link employees to vendor master records
  - Ratios that do not make sense, e.g. the ratio of overtime expenses to sales
  - Unexplained price increases in material costs (kickback scheme)
  - Excessive inventory quantity and cost adjustments

Manual database queries can be developed to examine the inventory audit trail, adjustment details, and phone number and address comparisons between employees and vendors, to identify further transactions for examination. All transactions in Seradex record the network user who created or changed the transaction as well as time and date stamps.
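The employee-to-vendor comparison described above, as an added example that is not part of the white paper or the Seradex product: it normalizes phone numbers and addresses before matching, since raw values rarely agree character for character. The employee and vendor records are constructed, and the table layout and abbreviation rules are assumptions, not Seradex's actual schema.

```python
import re
import sqlite3

# Constructed sample records (assumed layout, not Seradex's actual tables).
EMPLOYEES = [  # id, name, phone, address
    (1, "A. Smith", "(905) 555-0101", "12 King St. W, Unit 4"),
    (2, "B. Jones", "905-555-0199", "77 Queen Street"),
]
VENDORS = [  # vendor code, name, phone, address
    ("V100", "Acme Supply", "9055550101", "12 King Street West Unit 4"),
    ("V200", "Northern Tools", "905 555 0150", "9 Main St"),
    ("V300", "BJ Consulting", "", "77 Queen St."),
]
ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "west": "w", "east": "e"}

def normalize_phone(raw):
    """Keep the last 10 digits so punctuation and spacing cannot hide a match."""
    digits = re.sub(r"\D", "", raw or "")
    return digits[-10:]

def normalize_address(raw):
    """Lower-case, strip punctuation and unify common street abbreviations."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", (raw or "").lower()).split()
    return " ".join(ABBREV.get(t, t) for t in tokens)

def find_employee_vendor_links(employees=EMPLOYEES, vendors=VENDORS):
    """Return (employee, vendor code, matched field) for every shared phone or address."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE emp(id, name, phone_n, addr_n)")
    con.execute("CREATE TABLE vend(code, name, phone_n, addr_n)")
    con.executemany("INSERT INTO emp VALUES (?,?,?,?)",
        [(i, n, normalize_phone(p), normalize_address(a)) for i, n, p, a in employees])
    con.executemany("INSERT INTO vend VALUES (?,?,?,?)",
        [(c, n, normalize_phone(p), normalize_address(a)) for c, n, p, a in vendors])
    # Empty values are excluded so two blank fields never count as a match.
    rows = con.execute("""
        SELECT e.name, v.code,
               CASE WHEN e.phone_n <> '' AND e.phone_n = v.phone_n
                    THEN 'phone' ELSE 'address' END AS matched_on
        FROM emp e JOIN vend v
          ON (e.phone_n <> '' AND e.phone_n = v.phone_n)
          OR (e.addr_n <> '' AND e.addr_n = v.addr_n)
        ORDER BY e.name, v.code""").fetchall()
    return rows

if __name__ == "__main__":
    for name, code, field in find_employee_vendor_links():
        print(f"{name} shares {field} with vendor {code}")
```

Each hit is a red flag to examine, not proof of fraud; the same approach extends to bank account numbers or tax ids where the master files carry them.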
Accounts Payable in Seradex ERP

Purchasing and accounts payable represent a major area for fraud because they result in the physical disbursement of cash to suppliers. Seradex ERP offers excellent built-in tools to avoid fraudulent activity in the accounts payable function:

  - Seradex offers three-way matching between Purchase Order, Receiving and Vendor Invoicing. This is followed by check preparation. Ideally each of these transactions should be done by separate individuals to ensure segregation of duties. An invoice voucher can be printed and reviewed for each check over a threshold amount for additional review.
  - An invoice voucher can be printed for any purchase from a one-time vendor or any PO for a "Special" item. Establish procedures on when a vendor master is required.
  - Requiring a PO offers more control than entering a miscellaneous payable directly into A/P, as more people have to be involved in the transaction. These transactions need more thorough controls and testing.
  - Vendor Master File changes should be a separate function from Purchasing to ensure segregation of duties.
  - Duplicate invoice control: the system will review invoices posted to a particular vendor code and highlight whether the current invoice is the same as a previous one.
Fraud Tests in the Accounts Payable Cycle

Some things to test for in this cycle include developing queries for identifying high-risk vendors and payments:

  - Transactions where the same user created the PO and the Receipt and approved the Vendor Invoice
  - POs where the person changing the PO is different from the person issuing the PO
  - Any PO for a non-inventory item or service item that is > $XXX. Service expenditures don't involve an asset that has to be produced later; this includes expenditures for consulting, advertising or marketing
  - Any PO to a one-time vendor that is > $XXX
  - Transactions where the Vendor was created by the user issuing the PO
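The five tests above written as SQL queries and run from Python against an in-memory SQLite copy of constructed purchasing data. This is an added example, not Seradex's own reporting code; the table names, columns and user ids are assumptions, and the threshold parameter stands in for the paper's $XXX.

```python
import sqlite3

# Constructed sample data; the table layout is an assumption, not Seradex's schema.
VENDORS = [  # code, created_by, one_time (1 = one-time vendor)
    ("V100", "clerk1", 0), ("V200", "buyer2", 0), ("V300", "buyer1", 1)]
PURCHASE_ORDERS = [  # po, vendor, issued_by, changed_by, item_type, amount
    (1001, "V100", "buyer1", "buyer1", "inventory", 4200.0),
    (1002, "V200", "buyer2", "buyer2", "service", 9500.0),
    (1003, "V300", "buyer1", "buyer1", "inventory", 700.0),
    (1004, "V100", "buyer1", "buyer3", "service", 300.0),
    (1005, "V300", "buyer2", "buyer2", "special", 6100.0)]
RECEIPTS = [(1001, "stores1"), (1002, "buyer2"), (1003, "stores1"),
            (1004, "stores1"), (1005, "buyer2")]  # po, received_by
INVOICES = [(1001, "ap1"), (1002, "buyer2"), (1003, "ap1"), (1005, "ap1")]  # po, approved_by

# One query per test from the paper; :t is the review threshold (the paper's $XXX).
TESTS = {
    "same_user_po_receipt_invoice": """
        SELECT p.po FROM po p JOIN receipt r ON r.po = p.po JOIN invoice i ON i.po = p.po
        WHERE p.issued_by = r.received_by AND p.issued_by = i.approved_by""",
    "po_changed_by_other_user":
        "SELECT po FROM po WHERE changed_by <> issued_by",
    "non_inventory_po_over_threshold":
        "SELECT po FROM po WHERE item_type <> 'inventory' AND amount > :t",
    "one_time_vendor_po_over_threshold": """
        SELECT p.po FROM po p JOIN vendor v ON v.code = p.vendor
        WHERE v.one_time = 1 AND p.amount > :t""",
    "vendor_created_by_po_issuer": """
        SELECT p.po FROM po p JOIN vendor v ON v.code = p.vendor
        WHERE v.created_by = p.issued_by""",
}

def run_ap_fraud_tests(threshold=5000.0):
    """Load the sample data into SQLite and return {test name: sorted PO numbers flagged}."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE vendor(code, created_by, one_time)")
    con.execute("CREATE TABLE po(po, vendor, issued_by, changed_by, item_type, amount)")
    con.execute("CREATE TABLE receipt(po, received_by)")
    con.execute("CREATE TABLE invoice(po, approved_by)")
    con.executemany("INSERT INTO vendor VALUES (?,?,?)", VENDORS)
    con.executemany("INSERT INTO po VALUES (?,?,?,?,?,?)", PURCHASE_ORDERS)
    con.executemany("INSERT INTO receipt VALUES (?,?)", RECEIPTS)
    con.executemany("INSERT INTO invoice VALUES (?,?)", INVOICES)
    results = {}
    for name, sql in TESTS.items():
        params = {"t": threshold} if ":t" in sql else ()
        results[name] = sorted(row[0] for row in con.execute(sql, params))
    return results
```

Because every Seradex transaction carries the creating and changing network user, the same joins can be run directly against the production database once the real table and column names are substituted.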

