Chapter 11:

Enterprise Resource
Planning System
IT Auditing, Hall, 4e

© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
Learning Objectives
• Understand the general functionality and key elements of
enterprise resource planning (ERP) systems.
• Understand the various aspect of ERP configuration
including servers, databases, and the use of bolt-on
software.
• Understand the purpose of data warehousing as a strategic
tool and recognize the issue related to the design,
maintenance, and operations of a data warehouse.
• Recognize the risk associated with ERP implementation.
• Be aware of key considerations related to ERP
implementation.
• Understand the internal control and auditing implications
associated with ERPs.

07/01/2017 1
Traditional Information System
• Closed database architecture, similar in concept to
basic flat-file model.
• Data remains the property of the application.
• Distinct, separate, independent databases result in
high degree of data redundancy.
• Paper-based orders result in rekeying information
multiple times.
• Delays, lost orders and data errors can result.
• Status of order may be unknown.

2
Traditional Information System

3
What is an ERP?
• Provides a smooth and seamless flow of
information across organization:
• Standardized environment with shared database and
integrated applications that support communication.
• Data remain independent of any specific
application.
• Extensive data sharing occurs through application-
sensitive views that present data to meet user needs.

4
ERP Systems

5
ERP Applications

o Core applications operationally support day-to-day business

activities.
o Sales and distribution, business and production planning, shop
floor control and logistics.
o Also called online transaction processing (OLTP).
o On-line Analytical Processing (OLAP) is a decision support
tool that supplies real-time information.
o Decision support, modeling, information retrieval, ad-hoc
reporting/analysis, and what-if analysis.
o Data warehouse is a database constructed for quick searching,
retrieval, ad hoc queries and ease of use.

07/01/2017 6
ERP System Configurations
• Most based on the client-server model.
• Typical two-tier model:
• Server handles application and database duties.
• Used in LAN applications where server demand is
limited to a small population of users.
• Three-tier model:
• Database and application functions separated.
• Typical of large systems that use WANs.
• Client initially establishes communication with the
application server which initiates a second connection
to the database server.

7
Two-Tier Client Server

8
Three-Tier Client Server

9
OLTP vs. OLAP Servers
• OLTP events consist of large numbers of simple
online transactions that:
• Access large amounts of aggregated data.
• Analyze relationships among business elements and
compare data over time periods.
• Present data in different perspectives.
• Involve complex calculations.
• Respond quickly to user requires.
• Support mission critical tasks through simple
queries of operational databases.

10
OLTP vs. OLAP Servers
• OLAP supports management-critical tasks through
analytical investigation of complex data
associations captured in data warehouses:
• Consolidation is the aggregation or roll-up of data.
• Drill-down allows the user to see data in selectively
increasing levels of detail.
• Slicing and dicing enables the user to examine data from
different viewpoints to uncover trends and patterns.
• Allow users to analyze complex data relationships.

11
OLTP and OLAP Client Servers

12
ERP System Configurations:
Databases and Bolt-On Software
• Thousands of database tables.
• Each associated with business processes.
• Company typically changes processes to accommodate the
ERP.
• Bolt-on software provided by third-party vendors to
provide specialized functionality.
• Least risky is software endorsed by ERP vendor.
• Rapid convergence between ERP and bolt-on software
functionality.
• Supply chain management (SCM) software links
vendors, carriers, logistics companies, and IS providers.

13
Data Warehousing
• Data warehousing involves extracting, converting and
standardizing data from ERP and legacy systems and
loading it into a central archive – the data warehouse.
• Loaded data are accessible via various query and analysis
tools used for data mining (selecting, exploring and modeling
large amounts of data to uncover relationships).
• Involves sophisticated techniques that use database queries
and artificial intelligence to model real-world phenomena.
• Most large ERP implementations include separate
operational and data warehouse databases.

14
Modeling Data for the Data
Warehouse
• Due to vast size, data warehouse database consists
of denormalized data.
• Inefficiency can be devastating.
• Relationship among attributes does not change.
• Data is static so nothing gained by constructing
normalized tables with dynamic links.
• Relational theory does not apply to a data
warehousing system.
• Normalized tables pertaining to selected events may be
consolidated into denormalized tables.

15
Extracting Data from Operational
Databases
• Typically occurs when databases out of service to
avoid data inconsistencies.
• Changed data capture reduces extraction time by only
capturing newly modified data.
• Snapshots vs. stabilized data.
• Key feature of a data warehouse is that the data
contained in it are in a non-volatile (stable) state.
• Potentially important relationships may be absent from
stable data.
• Extracting data in slices of time provide snapshots of
business activity which assists in depicting trends.

07/01/2017 16
Cleansing Extracted Data
• Involves filtering out or repairing invalid data prior
to being stored in the warehouse.
• Operational data are “dirty” for many reasons: clerical,
data entry, computer program errors, misspelled names
and blank fields.
• Also involves transforming data into standard
business terms with standard data values.
• Expensive and labor intensive but critical in establishing
data integrity.

07/01/2017 17
Transforming and Loading Data
into the Warehouse Model
• To improve efficiency, data can be transformed into
summary views before being loaded.
• Unlike operational views, which are virtual in nature
with underlying tables, data warehouse views are
physical tables. OLAP permits users to construct virtual
views from detail data when one does not exist.
• Data warehouses must be created & maintained
separately from the operational databases.
• Needed for internal efficiency, integration of legacy
systems and consolidation of global data.

18
Data Warehouse System

19
Application of Data Mining

20
Risks Associated with ERP
Implementation
• Big bang implementation occurs when organizations
switch operations from legacy systems to ERP in a
single event.
• Some advantages, but numerous failures.
• Initial opposition and changes cause disruption.
• Phased-in implementation approach as emerged as a
popular alternative.
• Independent ERP units installed over time, assimilated, and
integrated without disrupting operations.
• Can be used by organizations that are not diversified, with
legacy system retired over time. Process reengineering will
still need to occur.

21
Risks Associated with ERP
Implementation
• Opposition to changes in the business’s culture.
• Choosing the wrong ERP:
• Goodness of fit: No one ERP product is best for all
industries.
• Scalability: System’s ability to grow in terms of size,
speed, workload and transaction cost.
• Choosing the wrong consultant:
• Thoroughly interview potential consultants and establish
explicit expectations.

22
Risks Associated with ERP
Implementation
• High cost and cost overruns:
• Training costs usually higher than estimated due to need
for employees to learn new procedures.
• Testing and integration costs are difficult to estimate.
• Database conversion requires testing, manual
reconciliation and sometimes manual input.
• Management should establish key performance
measures to help determine ERP success.
• Disruptions to operations:
• ERP implementations usually involve business process
reengineering (BPR).

23
Implications for Internal Control
and Auditing
• Transaction authorization:
• Controls needed to validate transactions before they are
accepted by other modules.
• ERPs are more dependent on programmed controls than on
human intervention.
• Segregation of duties:
• Manual processes that normally require segregation of duties
are often eliminated. Important access is the assignment of
roles.
• Supervision:
• Employee-empowered philosophy should enhance, not
eliminate supervision.

24
Implications for Internal Control
and Auditing
• Accounting records:
• Corrupted data may be passed from external sources
and from legacy systems making strict data cleaning an
important control.
• Access controls
• Key is to maintain data confidentiality, integrity and
availability.
• Access control lists specify permissions for individual
users but must keep up with changes.
• Role-based access control (RBAC) assigns permissions
based on system resources needed for specific tasks.

25
Access Control List vs. RBAC

26
Implications for Internal Control and
Auditing: Issues Related to ERP Roles
• Creation of unnecessary roles.
• Policies needed to prevent creation of unnecessary new
roles and ensure temporary role assignments are
deleted when the reason for them terminate.
• Rule of least access:
• Access privileges should be granted on a need-to-know
basis only but users tend to accumulate unneeded
permissions over time.
• Monitor role creation and permission-granting.
• Role-based governance allow managers to view and
verify current and historical rules.
27