
ERP Audit

THE INDIAN EXPERIENCE

R. M. Johri
Principal Director (Information Systems & IT Audit)
SAI INDIA
WHAT IS AN ERP?

• An Enterprise Resource Planning (ERP) system is a fully integrated business management
system covering the functional areas of an enterprise such as logistics, production, finance,
accounting and human resources. It organises and integrates operational processes and
information flows to make optimum use of resources: men, material, money and machines.
• In simple words, ERP promises one database, one application and one user interface for the
entire enterprise, where once disparate systems ruled manufacturing, distribution, finance and
sales. Drawing information from every function, it is a tool that helps employees and managers
plan, monitor and control the entire business.
• A modern ERP system enhances the ability of a manufacturer to accurately schedule
production, fully utilise capacity, reduce inventory and meet promised shipping dates.
General model of an ERP system (diagram)
ERP SYSTEM ARCHITECTURE (diagram)
GENERAL FEATURES OF AN ERP SYSTEM

An ERP system is not merely the integration of various organisational processes. A system has to
possess a few key characteristics to qualify as a true ERP system. These features are:
• Flexibility
• Modular and open
• Comprehensive
• Beyond the company
• Best business practices
MAJOR FEATURES OF AN ERP SYSTEM

• Provides multi-platform, multi-facility, multi-mode manufacturing, multi-currency and
multi-lingual facilities.
• Supports strategic activities, operational planning and the execution of activities.
• Facilitates end-to-end Supply Chain Management (SCM) to optimise the overall demand and
supply data.
• Facilitates a company-wide integrated information system covering all functional areas such as
manufacturing, sales and delivery, payables, receivables, inventory, accounts and human
resources.
MAJOR FEATURES OF AN ERP SYSTEM – contd.

• Bridges the information gap across the business.
• Provides complete integration of systems not only across departments but also across
companies under the same management.
• Facilitates better project management.
• Provides intelligent business tools such as decision support systems, executive information
systems and data mining to enable better decisions.
Audit Objectives in an ERP Environment

• The fundamental objectives of an audit of controls do not change in an ERP environment.
• When evaluating controls over ERP systems, decisions must be made regarding the relevance of
operational internal control procedures to Information Technology (IT) controls.
• Specific control procedures for each audit objective must be tested.
• In addition to their primary audit responsibilities, auditors should be able to advise on the effective
design of control procedures.
• Auditors should communicate significant weaknesses that come to their notice to management.
• Auditors should also be alert to weaknesses that require special reviews, and be capable of
assessing computer systems under development as well as existing systems.
NEED FOR AN ERP RISK ASSESSMENT

• ERPs have substantially altered the way administrative processes such as payroll, accounts
payable, inventory, sales and accounts receivable operate, are controlled and are audited.
• Opportunities for personal review and clerical checking have declined as the collection and
subsequent use of data have changed.
• The changes result from moving away from manual procedures performed by individuals familiar
with both the data and the accounting process, to high-volume automated processes performed
by individuals unfamiliar with either the data or the accounting practices.
• It is imperative, therefore, that these systems are reviewed as they are being implemented, to
ensure that adequate controls and security are designed into the ERP system from the outset.
ERP Audit - Focus Areas

• Auditing in an EDP environment can be divided into two broad areas: first, the audit of ERP
systems under implementation, and second, the audit of operational ERP systems.
• In an under-implementation audit there is no operational system or output data. The auditor
evaluates controls without the benefit of observing processing results, and is concerned with
ensuring that the implementation procedures and standards have been properly followed.
• An operational audit of an ERP system evaluates the results of the automated processes. It is
normally data oriented and looks at processed transactions. The adequacy and effectiveness of
the system controls can be evaluated by examining the results of operation (i.e. did the
application produce the anticipated outcome?).
REASONS FOR ERP FAILURES (diagram)
RISKS IN AN ERP ENVIRONMENT

The risks in an ERP environment include both those present in a manual processing environment
and those that are unique to, or increased in, an ERP environment. These risks may pertain to any of the
following:
• Improper Use of Technology
• Inability to Control Technology
• Inability to Translate User Needs into Technical Requirements
• Illogical Processing
• Inability to React Quickly
• Cascading of Errors
RISKS IN AN ERP ENVIRONMENT – contd.

• Repetition of Errors
• Incorrect Entry of Data
• Concentration of Data
• Inability to Substantiate Processing
• Concentration of Responsibilities
• Program Errors
• Misuse by Authorised End Users
• Ineffective Security Practices for the Application
INTERNAL CONTROL

Internal control systems are set up to mitigate the risks discussed above. The purpose of internal
control systems is to provide reasonable assurance that:
• obligations comply with applicable laws;
• all assets are safeguarded against waste, loss, unauthorised use and misappropriation; and
• revenues and expenditures arising from organisational operations are properly recorded and
fairly reflected in the financial statements, so that the accounts are reliable.
Control Objectives

• Control objectives are high-level statements of intent by management to ensure that
departmental programmes designed to fulfil the organisation's strategic plans are carried out
effectively and efficiently.
• These statements of intent embody the plan of organisation and all the related systems established
by management to safeguard assets, check the accuracy and reliability of financial data, promote
operational efficiency and encourage adherence to prescribed management policies.
• Control objectives may differ depending upon the type, scope and purpose of the audit.
• There may be several internal control objectives for a given business risk, so that the risk is
adequately addressed.
Common Internal Control Objectives

• Transactions are properly authorised (Authorisation).
• Transactions are recorded on a timely basis (Timeliness).
• Transactions are accurately processed (Accuracy).
• All existing transactions are recorded (Completeness).
• All recorded transactions are valid (Validity).
• Transactions are properly valued (Valuation).
• Transactions are properly classified and posted to the proper accounts and subsidiary records
(Classification).
• Transactions are properly summarised and reported (Reporting).
Common Internal Control Objectives – contd.

• Assets, including software programs, data, human resources, computer facilities, etc. are
safeguarded against damage, theft and so forth (Security).
• System and data integrity is maintained (Integrity).
• System availability is assured (Availability).
• System controllability and auditability are maintained (Controllability and Auditability).
• System maintainability is assured (Maintainability).
• System usability is assured (Usability).
• System economy and efficiency are maintained (Efficiency).
Key Control Techniques

Each control objective is met by one or more control techniques. These techniques are the ways and
means by which management controls operations. They are varied in nature and exist as:
• Procedures and policies. For example, independent balancing, cancellation of documents after
processing, independent signing for approval of prepared source documents, competent and
trustworthy personnel, segregation of duties, mandatory vacations and rotation of duty
assignments.
• Information systems design. For example, pre-numbered forms, message authentication, console
logs, encryption, and range and limit checks on input fields.
• Physical controls. For example, combination locks for vaults and card-reader devices for
restricted-access areas.
• Segregation of duties.
Indian auditing experience in ERP Audit

• There is no doubt that ERP has been gaining popularity all over the world. However, its growth
in India has taken place more rapidly in the private sector than in the public or government sector.
• Still, a number of public sector enterprises have implemented ERP. The following slides discuss
some of the audit findings from a few selected public sector enterprises.
Indian Oil Corporation Limited
(ranked 83rd in the Fortune 500 list, with a turnover of US$ 20 billion)

• Indian Oil Corporation Limited undertook an IT re-engineering project named 'Manthan' in 1997 and
selected the SAP R/3 ERP package with IS-OIL (the industry-specific SAP R/3 solution for the oil
industry). The project was implemented in April 2004.
• The Company has around 10,000 users and 700 sites spread across the country working on SAP.
• Users from distant parts of the country are able to access and post transactions in SAP on a real-time
basis.
• The Company has kept its database and application servers at the corporate data centre in Gurgaon;
they are accessible through leased line and/or VSAT from all State Offices, Refineries and Pipeline
Unit networks. Other units such as terminals, depots and bottling plants are connected to SAP
through the nearest State Office / Refinery. Along with the e-security audit of the system, the finance
module of SAP was also selected for audit.
Indian Oil Corporation Limited (Audit Observations)

• User profiles were not properly defined.
• Out of 13,451 user IDs, 955 were common, i.e. used by more than one person. These common user
IDs were still carrying create / change / cancel / delete authorisations.
• In the absence of a corporate IT policy, different virus, malware and spyware protection software
was in use at different offices and sites. Further, internet content could not be filtered
through a uniform firewall policy.
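The shared-ID finding above is one an auditor can reproduce from logon history rather than from interviews: a single user ID that is logged on from two different terminals at the same time is being used by more than one person. The following Python is an added example written for this page, not code from the deck or from IOCL. The logon rows, the authorisation extract and the transaction codes in it are constructed, and the field layout is an assumption about what a logon-history extract (for instance from the SAP security audit log) would provide.

```python
"""Detect shared ('common') user IDs from logon history and flag those that
also carry create / change / delete transaction authorisations.

Added example, not code from the SAI India deck or from IOCL. The logon rows,
the authorisation extract and the choice of transaction codes below are
constructed for illustration; the field layout is an assumption about what a
logon-history extract would provide.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon history: (user ID, terminal, logon time, logoff time).
LOGONS = [
    ("DEPOT01",  "WS-AHM-12", "2009-03-02 09:00", "2009-03-02 13:00"),
    ("DEPOT01",  "WS-AHM-17", "2009-03-02 10:30", "2009-03-02 12:00"),  # concurrent, other host
    ("DEPOT01",  "WS-AHM-12", "2009-03-03 09:05", "2009-03-03 17:00"),
    ("FIN_RK",   "WS-GGN-03", "2009-03-02 09:10", "2009-03-02 18:00"),
    ("FIN_RK",   "WS-GGN-03", "2009-03-03 09:12", "2009-03-03 18:10"),
    ("TERM_OPS", "WS-BOM-01", "2009-03-02 06:00", "2009-03-02 14:00"),
    ("TERM_OPS", "WS-BOM-02", "2009-03-02 14:30", "2009-03-02 22:00"),  # shift handover, no overlap
    ("TERM_OPS", "WS-BOM-03", "2009-03-02 21:00", "2009-03-03 05:00"),  # overlaps WS-BOM-02
]

# Constructed authorisation extract: user ID -> transaction codes it may start.
USER_TCODES = {
    "DEPOT01":  {"ME21N", "ME22N", "ME23N", "VL01N"},   # create/change PO, display PO, create delivery
    "FIN_RK":   {"FB01", "FB08", "FBL1N"},              # post/reverse FI document, line item display
    "TERM_OPS": {"VA03", "ME23N", "MMBE"},              # display-only transactions
}

# Transaction codes treated as write-capable (create / change / cancel / delete).
WRITE_TCODES = {"ME21N", "ME22N", "VA01", "VA02", "VL01N", "VL09",
                "XK01", "XK02", "FB01", "FB08"}


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def shared_user_ids(logons, min_overlap=timedelta(minutes=5)):
    """Return {user_id: {(terminal_a, terminal_b), ...}} for IDs that were
    logged on from two different terminals at the same time for longer than
    min_overlap. Two sessions from the same terminal are a re-logon, not
    evidence of sharing, and are ignored."""
    by_user = defaultdict(list)
    for user, terminal, logon, logoff in logons:
        by_user[user].append((terminal, _ts(logon), _ts(logoff)))

    shared = {}
    for user, sessions in by_user.items():
        for i, (term_a, a_on, a_off) in enumerate(sessions):
            for term_b, b_on, b_off in sessions[i + 1:]:
                if term_a == term_b:
                    continue
                overlap = min(a_off, b_off) - max(a_on, b_on)
                if overlap > min_overlap:
                    shared.setdefault(user, set()).add(tuple(sorted((term_a, term_b))))
    return shared


def shared_ids_with_write_access(logons, user_tcodes, write_tcodes=WRITE_TCODES):
    """Shared IDs that also hold create/change/delete transactions: the
    combination the IOCL review flagged. Returns a sorted list of
    (user_id, [terminal pairs], {write tcodes})."""
    flagged = []
    for user, pairs in sorted(shared_user_ids(logons).items()):
        writes = user_tcodes.get(user, set()) & write_tcodes
        if writes:
            flagged.append((user, sorted(pairs), writes))
    return flagged


if __name__ == "__main__":
    for user, pairs in sorted(shared_user_ids(LOGONS).items()):
        print(f"shared ID {user}: concurrent sessions from {pairs}")
    for user, pairs, writes in shared_ids_with_write_access(LOGONS, USER_TCODES):
        print(f"  -> {user} also holds write transactions {sorted(writes)}")
```

On the constructed data, DEPOT01 and TERM_OPS are both shared, but only DEPOT01 is reported as a risk because TERM_OPS holds display transactions only; the five-minute overlap threshold avoids flagging a user who simply moved desks.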
Indian Oil Corporation Limited (Audit Observations) – contd.

A security review of the Company revealed the following deficiencies:
• 29 combinations of two or more conflicting critical transaction codes, involving processing of sale
orders / invoices / deliveries, payments, creation, settlement, change, deletion etc., had been
extended to users; each combination was held by between 18 and 4,808 users. User role
rationalisation, authorisation and segregation of duties were deficient.
• 88 users other than the BASIS team had been given access to sensitive transaction codes.
• The Company's password policy allowed simple, trivial and non-alphanumeric passwords,
which left the system vulnerable to internal security threats.
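The password-policy finding is a configuration finding: in SAP the minimum length, composition, expiry and lockout rules are profile parameters, so an auditor compares the configured values with a baseline and then checks what the configured values actually let through. The following Python is an added example written for this page, not code from the deck or from IOCL. The parameter names are the real SAP profile parameters, but the two parameter sets, the baseline thresholds and the forbidden-password patterns are constructed for illustration and are not an official SAP recommendation.

```python
"""Check SAP logon profile parameters against a hardening baseline and show
which passwords each setting would accept.

Added example, not code from the SAI India deck or from IOCL. The parameter
names are the real SAP profile parameters (login/min_password_lng etc.); the
two parameter sets, the baseline thresholds and the forbidden-password
patterns are constructed for illustration and are not an official SAP
recommendation.
"""
from fnmatch import fnmatch

# Constructed parameter sets, as an extract from RZ11/RSPARAM would show them.
WEAK = {                                   # accepts simple, trivial passwords
    "login/min_password_lng": 3,
    "login/min_password_letters": 0,
    "login/min_password_digits": 0,
    "login/min_password_specials": 0,
    "login/password_expiration_time": 0,   # 0 = passwords never expire
    "login/fails_to_user_lock": 99,
}
HARDENED = {
    "login/min_password_lng": 8,
    "login/min_password_letters": 1,
    "login/min_password_digits": 1,
    "login/min_password_specials": 1,
    "login/password_expiration_time": 90,
    "login/fails_to_user_lock": 5,
}

# Baseline: (parameter, requirement text, predicate on the configured value).
BASELINE = [
    ("login/min_password_lng",          ">= 8",       lambda v: v >= 8),
    ("login/min_password_letters",      ">= 1",       lambda v: v >= 1),
    ("login/min_password_digits",       ">= 1",       lambda v: v >= 1),
    ("login/min_password_specials",     ">= 1",       lambda v: v >= 1),
    ("login/password_expiration_time",  "1..90 days", lambda v: 1 <= v <= 90),
    ("login/fails_to_user_lock",        "1..5",       lambda v: 1 <= v <= 5),
]

# Constructed forbidden patterns in the style of table USR40 (* and ? wildcards).
FORBIDDEN = ["pass*", "123*", "*sap*", "welcome*"]


def check_parameters(params, baseline=BASELINE):
    """Return [(parameter, configured value, requirement)] for every baseline
    entry the profile fails; an unset parameter counts as a failure."""
    failures = []
    for name, requirement, ok in baseline:
        value = params.get(name)
        if value is None or not ok(value):
            failures.append((name, value, requirement))
    return failures


def password_meets_policy(password, params, forbidden=FORBIDDEN):
    """Evaluate a candidate password against the composition rules the
    parameters express. Returns (accepted, [reasons for rejection])."""
    reasons = []
    letters = sum(c.isalpha() for c in password)
    digits = sum(c.isdigit() for c in password)
    specials = len(password) - letters - digits
    if len(password) < params.get("login/min_password_lng", 0):
        reasons.append("too short")
    if letters < params.get("login/min_password_letters", 0):
        reasons.append("too few letters")
    if digits < params.get("login/min_password_digits", 0):
        reasons.append("too few digits")
    if specials < params.get("login/min_password_specials", 0):
        reasons.append("too few special characters")
    if any(fnmatch(password.lower(), pattern.lower()) for pattern in forbidden):
        reasons.append("matches a forbidden pattern")
    return (not reasons, reasons)


if __name__ == "__main__":
    for label, params in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: baseline failures = {check_parameters(params)}")
        for candidate in ("abc", "password1", "Gurg@on-2009"):
            print(f"  {candidate!r}: {password_meets_policy(candidate, params)}")
```

The weak profile fails every baseline entry and accepts "abc"; the hardened profile rejects it, and also rejects "password1" both for lacking a special character and for matching the forbidden pattern list. In a real review the parameter values are read from the productive instance, not typed in.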
Indian Oil Corporation Limited (Audit Observations) – contd.

• Finance module: the Finance (FI) module was designed for management of the processes involved in
preparation of the accounts. The FI module has inter-linkages with all the modules in the ERP
system and consolidates all the financial information to generate the financial statements of the
Company.
• The IT audit was conducted keeping in view the importance, criticality and efficacy of the FI module
in the preparation and generation of the accounts of the Company.
• The deficiencies illustrated in the next slide were observed in the finance module, due to which the
reports generated from the system could not be relied upon. Persistence of these deficiencies
resulted in regulatory requirements not being met.
Indian Oil Corporation Limited (Audit Observations) – contd.

• The date of commencement of depreciation was 3 to 14 months prior to the date of capitalisation
in respect of 15,805 assets, and 1 to 15 months after the date of capitalisation in respect of
4,391 assets.
• The provisions of Schedule XIV of the Companies Act 1956 had not been adopted in the accounts of
the Company, which made the information unreliable.
• The quantity was recorded as zero for 27,011 assets worth Rs. 6,520 million; the correctness of the
depreciation provided could therefore not be ensured.
• Analysis of purchase orders / work orders released through the system showed that, for service
contracts, POs/WOs were created (19,406 in 2007-08 and 12,705 in 2008-09) in the system only at
the time of, or after, receipt of the goods/invoices for the services rendered (details given to the
Company).
Indian Oil Corporation Limited (Audit Observations) – contd.

• GR/IR is an intermediary account used for payments against goods received. Analysis showed that
more than three lakh (300,000) entries amounting to Rs. 20,911.2 million were pending clearance
for periods ranging from one to four years, indicating a lack of proper monitoring by the Company.
• Although stock balances are maintained in the system, the valuation of stocks is done outside the
system, which defeats the purpose of the ERP system.
• The Company decides and assigns credit limits to various categories of customers, which are then
entered into the system. Analysis of the credit extended to customers showed inadequate
validation checks against the credit limits maintained in the system, which resulted in overdue
amounts of Rs. 2,948.9 million in respect of 293 customers who had exceeded their credit limit.
• Each customer is allotted a unique code. However, more than one customer code was assigned to
the same customer in 1,552 cases in the customer master.
GAIL (India) Limited (a company with a turnover of US$ 8 billion)

• GAIL (India) Limited (the Company) was incorporated in 1984 as the principal gas transmission and
marketing company of India, and has since expanded its activities into exploration, production,
processing, transmission, distribution and marketing of petrochemicals, Liquefied Petroleum Gas
and telecommunications.
• The Company implemented the SAP ERP solution in August 2005 at an estimated cost of Rs. 550
million.
• The Company covered its entire business through nine integrated SAP modules. SAP R/3 release
4.7C was installed on the Solaris 9 operating system, with Oracle as the database management system.
GAIL (India) Limited (Audit Observations)

• The FICO module of SAP handles all the financial transactions of the Company. This module is used
for maintaining books of accounts, asset management and preparation of final accounts
including the balance sheet, profit and loss account, etc. Test checks of transactions, balances and
reports revealed the following observations on accounts receivable, accounts payable, general ledger
accounting and asset management.
• Vendor master: the Company was maintaining 44,039 vendor master records. Review of these
records revealed:
(a) purchase orders placed on vendors with incomplete details; and
(b) duplicate vendors.
GAIL (India) Limited (Audit Observations) – contd.

• Missing credit master data: the Company was maintaining credit data for its customers, which
includes the credit limit and the actual credit extended against it. Credit data was not available for
5,188 of 9,839 customers. Of these, 797 customers were carrying outstanding balances of
Rs. 13,023.7 million.
• Multiple vendors with the same bank account: 76 vendor records were attached to 37 bank
accounts, indicating a risk of irregular payments.
• Incorrect posting in GL accounts:
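The vendor-master findings at GAIL (incomplete details, duplicate vendors, several vendors on one bank account) and the multiple-codes-per-customer finding at IOCL are all master-data analytics: normalise the identifying fields, then group on them. The following Python is an added example written for this page, not code from the deck, IOCL or GAIL. The records are constructed, and the field names follow the SAP vendor master (LIFNR vendor number, NAME1, STRAS street, ORT01 city, BANKL bank key, BANKN bank account) only as a convention; the same functions run unchanged over a customer master with equivalent columns.

```python
"""Vendor / customer master analytics: probable duplicate records, several
records sharing one bank account, and records with missing mandatory fields.

Added example, not code from the SAI India deck, IOCL or GAIL. The records
below are constructed; the field names follow the SAP vendor master (LIFNR,
NAME1, STRAS, ORT01, BANKL, BANKN) but any master-data extract with
equivalent columns will do.
"""
import re
from collections import defaultdict

# Constructed vendor master extract.
VENDORS = [
    {"lifnr": "100001", "name1": "Shree Engineering Pvt. Ltd.", "stras": "12 MG Road",
     "ort01": "Pune", "bankl": "HDFC0000123", "bankn": "001234567"},
    {"lifnr": "100002", "name1": "SHREE ENGINEERING PRIVATE LIMITED", "stras": "12, M.G. Road",
     "ort01": "PUNE", "bankl": "HDFC0000123", "bankn": "001234567"},
    {"lifnr": "100003", "name1": "Raj Transport Co", "stras": "Plot 4 Sector 18",
     "ort01": "Gurgaon", "bankl": "SBIN0000456", "bankn": "778899"},
    {"lifnr": "100004", "name1": "Raj Logistics", "stras": "Plot 4, Sector 18",
     "ort01": "Gurgaon", "bankl": "SBIN0000456", "bankn": "778899"},
    {"lifnr": "100005", "name1": "Kumar Stationers", "stras": "",
     "ort01": "Delhi", "bankl": "", "bankn": ""},
    {"lifnr": "100006", "name1": "Metro Cables Ltd", "stras": "5 Industrial Estate",
     "ort01": "Chennai", "bankl": "ICIC0000789", "bankn": "55667788"},
]

# Spelling variants folded before comparison (extend for local conventions).
SYNONYMS = {"PRIVATE": "PVT", "LIMITED": "LTD", "COMPANY": "CO", "ROAD": "RD"}


def normalise(text):
    """Upper-case, drop abbreviation dots and punctuation, collapse spaces and
    fold synonyms, so that 'Shree Engineering Pvt. Ltd.' and
    'SHREE ENGINEERING PRIVATE LIMITED' compare equal."""
    text = text.upper().replace(".", "")            # M.G. -> MG, Pvt. -> PVT
    tokens = re.sub(r"[^A-Z0-9 ]+", " ", text).split()
    return " ".join(SYNONYMS.get(t, t) for t in tokens)


def probable_duplicates(records, fields=("name1", "stras", "ort01"), key="lifnr"):
    """Groups of record IDs whose normalised name + address coincide."""
    groups = defaultdict(list)
    for rec in records:
        groups[tuple(normalise(rec[f]) for f in fields)].append(rec[key])
    return [ids for ids in groups.values() if len(ids) > 1]


def shared_bank_accounts(records, key="lifnr"):
    """{(bank key, account): [record IDs]} for accounts used by more than one
    record; blank bank details are ignored."""
    by_account = defaultdict(list)
    for rec in records:
        if rec["bankl"] and rec["bankn"]:
            by_account[(rec["bankl"], rec["bankn"])].append(rec[key])
    return {acct: ids for acct, ids in by_account.items() if len(ids) > 1}


def incomplete_records(records, required=("name1", "stras", "ort01", "bankl", "bankn"), key="lifnr"):
    """[(record ID, [missing fields])] for records with blank mandatory fields."""
    return [(rec[key], [f for f in required if not rec[f].strip()])
            for rec in records if any(not rec[f].strip() for f in required)]


if __name__ == "__main__":
    print("probable duplicates:", probable_duplicates(VENDORS))
    print("shared bank accounts:", shared_bank_accounts(VENDORS))
    print("incomplete records:", incomplete_records(VENDORS))
```

Note that the two Raj vendors are not name-duplicates but do share a bank account; that is the pattern behind the "76 vendor records on 37 bank accounts" observation, and it is the more useful fraud indicator because a deliberately created second vendor will usually have a different name.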
GAIL (India) Limited (Audit Observations) – contd.

• Assets carrying negative values: as per the general principles of asset accounting, assets should not
carry negative balances, since that would turn them into liabilities rather than assets. During the
review of assets for the year 2008-09, some assets were found to be carrying negative balances.
• Credit extended beyond credit limit: a review of the customer credit management data showed that
the credit extended was not validated against the respective prescribed credit limit. As a result,
307 customers for whom the credit limit was defined as zero were extended credit of Rs. 3,080.6
million.
• Payment trail in SAP: to provide a trail over the payment cycle, the date of the vendor invoice and the
date of receipt of the invoice must be captured in the system. The system had not been customised
to capture these dates.
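Both the IOCL finding (293 customers over their limit) and the GAIL finding (credit extended to customers with a zero limit, and customers with no credit data at all) describe the same missing control: a limit is stored but never consulted when an order is released. The following Python is an added example written for this page, not code from the deck, IOCL or GAIL. It shows the unvalidated release beside a validated one and an exception report over existing exposure. The customer numbers and amounts are constructed; the exposure formula (open receivables plus open orders plus the new order) is a simplified stand-in for SAP's credit-exposure calculation, and treating a missing credit record or a zero limit as "no credit" is this example's policy rather than the companies'.

```python
"""Credit-limit validation at order release, with the deficient behaviour the
audits describe shown beside the validated one, plus an exception report of
customers whose exposure already exceeds their limit.

Added example, not code from the SAI India deck, IOCL or GAIL. Customer
numbers, limits, receivables and open orders are constructed; the exposure
formula is a simplified stand-in for the ERP's own calculation.
"""

# Constructed data (amounts in rupees). C003 has no credit master record at all.
CREDIT_LIMITS = {"C001": 5_000_000, "C002": 0, "C004": 2_000_000}
OPEN_RECEIVABLES = {"C001": 4_200_000, "C002": 350_000, "C003": 900_000, "C004": 500_000}
OPEN_ORDERS = {"C001": 600_000, "C004": 300_000}


def exposure(customer, receivables=OPEN_RECEIVABLES, orders=OPEN_ORDERS):
    """Amount the customer already owes or has committed orders for."""
    return receivables.get(customer, 0) + orders.get(customer, 0)


def release_order_unchecked(customer, amount):
    """The deficient configuration: a credit limit is maintained but never consulted."""
    return ("released", "no credit check configured")


def release_order(customer, amount, limits=CREDIT_LIMITS):
    """Validated release: block when no limit is maintained, when the limit is
    zero, or when exposure plus this order would exceed the limit."""
    if customer not in limits:
        return ("blocked", "no credit master record")
    limit = limits[customer]
    if limit <= 0:
        return ("blocked", "credit limit is zero")
    projected = exposure(customer) + amount
    if projected > limit:
        return ("blocked", f"exposure {projected} would exceed limit {limit}")
    return ("released", f"exposure {projected} within limit {limit}")


def over_limit_report(limits=CREDIT_LIMITS, receivables=OPEN_RECEIVABLES, orders=OPEN_ORDERS):
    """[(customer, limit or None, exposure, excess)] for every customer whose
    current exposure exceeds the limit, counting a missing record as zero.
    This is the report an auditor runs over the data already in the system."""
    report = []
    for customer in sorted(set(receivables) | set(orders)):
        limit = limits.get(customer)
        exp = exposure(customer, receivables, orders)
        if exp > (limit or 0):
            report.append((customer, limit, exp, exp - (limit or 0)))
    return report


if __name__ == "__main__":
    for cust, amt in (("C001", 300_000), ("C004", 1_000_000), ("C002", 10_000), ("C003", 1)):
        print(cust, amt, "unchecked:", release_order_unchecked(cust, amt),
              "validated:", release_order(cust, amt))
    for row in over_limit_report():
        print("over limit:", row)
```

The exception report deliberately includes customers with no credit record (limit shown as None) because the GAIL review found that exactly those customers carried large outstanding balances; a report that silently skipped them would miss the finding.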
GAIL (India) Limited (Audit Observations) – contd.

• Users with critical combinations of procurement functions: the major functions in a procurement
cycle are creation of a Purchase Requisition (PR), release (i.e. approval) of the PR, creation of a PO,
release of the PO indicating its approval, creation of vendor masters, modification of vendor masters,
receipt of goods, receipt of invoices and processing of payments. Since all these functions have a
bearing on the outflow of funds, rationalisation of the combinations of transactions assigned to
users was important. The review found that users held various combinations of critical
transactions, as follows:
(i) 800 users were authorised both to create a PR and to release (approve) it;
(ii) 19 users were authorised both to create a PO and to release (approve) it; and
(iii) 13 users were assigned roles both to receive goods (make a Goods Receipt Voucher) and to
process vendor invoices.
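The GAIL procurement combinations above and the 29 conflicting transaction-code combinations at IOCL (together with its 88 non-BASIS users holding sensitive transactions) are produced by the same segregation-of-duties query: join users to roles, roles to transaction codes, and intersect the user sets for each side of a conflict. The following Python is an added example written for this page, not code from the deck, IOCL or GAIL. The two tables are modelled on the SAP tables AGR_USERS (user to role) and AGR_TCODES (role to transaction code); their rows, the role names and the BASIS team membership are constructed. The transaction codes are the standard SAP ones for each function, but the conflict matrix is an assumption and an organisation would substitute its own.

```python
"""Segregation-of-duties analysis over SAP-style role assignments: for each
pair of conflicting procurement functions, find the users who hold
transaction codes from both sides, and list non-BASIS users holding sensitive
administration transactions.

Added example, not code from the SAI India deck, IOCL or GAIL. Tables are
modelled on AGR_USERS and AGR_TCODES; rows, role names, BASIS team membership
and the conflict matrix are constructed / assumed.
"""
import sqlite3

# Constructed role contents and user-role assignments.
ROLE_TCODES = {
    "Z_PR_CREATE":  ["ME51N"],          # create purchase requisition
    "Z_PR_RELEASE": ["ME54N"],          # release (approve) purchase requisition
    "Z_PO_CREATE":  ["ME21N"],          # create purchase order
    "Z_PO_RELEASE": ["ME29N"],          # release (approve) purchase order
    "Z_GR":         ["MIGO"],           # goods receipt
    "Z_IV":         ["MIRO"],           # invoice verification
    "Z_VENDOR":     ["XK01", "XK02"],   # create / change vendor master
    "Z_PAY":        ["F110"],           # automatic payment run
    "Z_BASIS":      ["SU01", "PFCG"],   # user and role maintenance
    "Z_DISPLAY":    ["ME23N", "ME53N"], # display PO / PR
}
USER_ROLES = {
    "ANAND":   ["Z_PR_CREATE", "Z_PR_RELEASE"],
    "BHAVNA":  ["Z_PO_CREATE", "Z_PO_RELEASE", "Z_DISPLAY"],
    "CHETAN":  ["Z_GR", "Z_IV"],
    "DEEPA":   ["Z_VENDOR", "Z_PAY"],
    "ESHA":    ["Z_PR_CREATE", "Z_DISPLAY"],
    "FAROOQ":  ["Z_PR_CREATE", "Z_PR_RELEASE", "Z_PO_CREATE", "Z_PO_RELEASE"],
    "BASIS01": ["Z_BASIS"],
    "GOPAL":   ["Z_BASIS", "Z_DISPLAY"],
}
BASIS_TEAM = {"BASIS01"}

# Conflict matrix: (description, tcodes of function A, tcodes of function B).
CONFLICTS = [
    ("PR create vs PR release",        ["ME51N"], ["ME54N"]),
    ("PO create vs PO release",        ["ME21N"], ["ME29N"]),
    ("goods receipt vs invoice entry", ["MIGO"],  ["MIRO"]),
    ("vendor master vs payment run",   ["XK01", "XK02"], ["F110"]),
]
SENSITIVE_TCODES = ["SU01", "PFCG"]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE agr_users (uname TEXT, agr_name TEXT)")
    conn.execute("CREATE TABLE agr_tcodes (agr_name TEXT, tcode TEXT)")
    conn.executemany("INSERT INTO agr_tcodes VALUES (?, ?)",
                     [(r, t) for r, ts in ROLE_TCODES.items() for t in ts])
    conn.executemany("INSERT INTO agr_users VALUES (?, ?)",
                     [(u, r) for u, rs in USER_ROLES.items() for r in rs])
    return conn


def _users_holding(conn, tcodes):
    """Set of users who can start at least one of the given transactions."""
    marks = ",".join("?" * len(tcodes))
    rows = conn.execute(
        f"""SELECT DISTINCT u.uname
              FROM agr_users u JOIN agr_tcodes t ON t.agr_name = u.agr_name
             WHERE t.tcode IN ({marks})""", tcodes).fetchall()
    return {r[0] for r in rows}


def sod_report(conn, conflicts=CONFLICTS):
    """[(description, user count, sorted users)] for each conflicting pair."""
    report = []
    for description, side_a, side_b in conflicts:
        users = sorted(_users_holding(conn, side_a) & _users_holding(conn, side_b))
        report.append((description, len(users), users))
    return report


def non_basis_with_sensitive_tcodes(conn, basis_team=BASIS_TEAM):
    """Users outside the BASIS team who can run user/role administration."""
    return sorted(_users_holding(conn, SENSITIVE_TCODES) - basis_team)


if __name__ == "__main__":
    db = build_db()
    for description, count, users in sod_report(db):
        print(f"{description}: {count} user(s) {users}")
    print("non-BASIS users with SU01/PFCG:", non_basis_with_sensitive_tcodes(db))
```

The count per conflict is the figure the two audits reported (800, 19 and 13 at GAIL); the user list is what goes back to the Company for remediation. In a production review the role-to-transaction mapping should come from the authorisation objects (S_TCODE values in the role's authorisation data) rather than from the role menu alone, since a role can grant a transaction it does not list in its menu.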
Bharat Sanchar Nigam Limited (a company with a turnover of US$ 5 billion)

• Bharat Sanchar Nigam Limited introduced SAP R/3 version 4.7 in the Gujarat Telecom Circle (GTC).
The SAP ERP server is installed at the ERP Data Centre at Ahmedabad, and LAN (Local Area
Network) / WAN (Wide Area Network) links connect the R/3 environment to the nodes at the
Secondary Switching Areas (SSAs). The work of implementing ERP in GTC was awarded to
Siemens Information Systems Limited (SISL), Mumbai at a cost of Rs. 201.4 million.
• The objectives of implementing ERP were to:
(i) improve the information flow to facilitate better decision making, leading to overall
improvement in the performance of the organisation through improvements in productivity,
cycle time, financial performance and information transparency;
(ii) convert GTC into a paperless working environment; and
(iii) reduce manpower requirements.
Bharat Sanchar Nigam Limited (Audit Observations)

However, the desired objectives did not accrue to the Company, due to the following:
• Implementation of ERP without finalisation of Business Process Re-engineering (BPR)
• No interface with the telephone revenue billing packages
• Non-digitisation of service details and records
• Declaration of 'Go Live' status even before achieving online status in various modules
• Improper customisation and mapping of rules on delegation of financial powers
• Lack of effective monitoring of the functioning of ERP
Bharat Electronics Limited (a company with a turnover of US$ 1 billion)

• The Company entered into an agreement (December 2004) with SAP India Systems at a fee of
Rs. 38.7 million for the Enterprise Resource Planning (ERP) software, and with Wipro for
implementation of the ERP at a total contract price of Rs. 56.5 million.
• The system is based on the 3-tier (R/3) architecture. The application runs centrally on servers at
Information Systems – Corporate Office {IS (CO)}. Clients are connected to the servers through a
Local Area Network in the Bangalore complex and through a Wide Area Network for units outside
Bangalore.
• Audit conducted a general review of the acquisition, implementation and utilisation of the ERP
system.
Bharat Electronics Limited (Audit Observations)

• System design / customisation deficiencies:
(i) The system was configured to value inventory at different rates with reference to the
corresponding sale orders. This led to valuation of inventory contrary to the Company's accounting
policy.
(ii) A lack of relational integrity was observed between the materials shown under work in progress
(WIP) in the materials management module and the corresponding status of the material in the
production planning module.
(iii) The system was not designed to adjust an advance payment immediately on receipt of the
material. This resulted in overlapping accounting entries, both debiting and crediting the inventory
account, and wrong depiction of the accounting status of the payment as an advance.
Bharat Electronics Limited (Audit Observations) – contd.

The absence of referential integrity between sale orders and production orders resulted in data inconsistency,
incorrect valuation of raw material and manual intervention. This increased the risk of incorrect data
being processed and accounted for, as illustrated below:
• The value of raw materials differed among the account schedules, purchase price, stores ledger and
pricing entry.
• Material worth Rs. 10.2 million was shown as 'finished goods' as on 31 March 2008 even though it
had been sold in March 2007.
• A test check of major completed sale orders revealed that, of six sale orders selected, the production
orders against three had not been closed (May 2008). Hence these were still shown under WIP, and
manual entries were made to effect a value reduction (Rs. 23.6 million) in WIP as at 31 March 2008.
• Of 3,702 production orders reviewed, 177 had been created without being linked to any authorised
order.
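The two BEL findings in this slide, production orders not linked to any authorised order and production orders left open after their sale order was completed, are what a referential-integrity constraint and a pair of detection queries are for. The following Python is an added example written for this page, not code from the deck or from BEL. The tables, rows and status values are constructed stand-ins for the sale-order and production-order data the audit compared, not an actual SAP table layout; the example loads "legacy" rows with the constraint switched off, as a migration would, then shows the constraint refusing a new unlinked order and the queries finding the old ones.

```python
"""Referential integrity between sale orders and production orders: a schema
that refuses an unlinked production order, and detection queries for legacy
data that was loaded without the constraint.

Added example, not code from the SAI India deck or from BEL. The two tables,
their rows and the status values are constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE sale_orders (
    id     TEXT PRIMARY KEY,
    status TEXT NOT NULL            -- OPEN / DELIVERED
);
CREATE TABLE production_orders (
    id            TEXT PRIMARY KEY,
    sale_order_id TEXT REFERENCES sale_orders(id),
    status        TEXT NOT NULL     -- OPEN / CLOSED
);
"""
# Constructed legacy data: P2 is WIP for an already delivered sale order,
# P4 has no sale order, P5 points at one that does not exist.
SALE_ORDERS = [("SO1", "DELIVERED"), ("SO2", "OPEN"), ("SO3", "DELIVERED")]
PRODUCTION_ORDERS = [("P1", "SO1", "CLOSED"), ("P2", "SO1", "OPEN"), ("P3", "SO2", "OPEN"),
                     ("P4", None, "OPEN"), ("P5", "SO9", "OPEN")]


def build_db():
    """Load the legacy rows with enforcement off (as a data migration would),
    then switch foreign-key enforcement on for everything that follows."""
    conn = sqlite3.connect(":memory:", isolation_level=None)   # autocommit
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sale_orders VALUES (?, ?)", SALE_ORDERS)
    conn.executemany("INSERT INTO production_orders VALUES (?, ?, ?)", PRODUCTION_ORDERS)
    conn.execute("PRAGMA foreign_keys = ON")
    return conn


def insert_production_order(conn, order_id, sale_order_id):
    """Hardened insert: refuse an unlinked order explicitly (a NULL satisfies
    a foreign key) and let the constraint reject an unknown sale order."""
    if not sale_order_id:
        return (False, "production order must reference a sale order")
    try:
        conn.execute("INSERT INTO production_orders VALUES (?, ?, 'OPEN')",
                     (order_id, sale_order_id))
    except sqlite3.IntegrityError as exc:
        return (False, str(exc))
    return (True, "inserted")


def orphan_production_orders(conn):
    """Production orders with no sale order or with a non-existent one."""
    rows = conn.execute("""
        SELECT p.id FROM production_orders p
          LEFT JOIN sale_orders s ON s.id = p.sale_order_id
         WHERE s.id IS NULL ORDER BY p.id""").fetchall()
    return [r[0] for r in rows]


def open_orders_for_completed_sales(conn):
    """Production orders still OPEN although their sale order is DELIVERED:
    the WIP that had to be written down manually in the BEL finding."""
    rows = conn.execute("""
        SELECT p.id FROM production_orders p
          JOIN sale_orders s ON s.id = p.sale_order_id
         WHERE p.status = 'OPEN' AND s.status = 'DELIVERED' ORDER BY p.id""").fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    print("orphans:", orphan_production_orders(db))
    print("stale WIP:", open_orders_for_completed_sales(db))
    print(insert_production_order(db, "P6", "SO9"))   # rejected by the constraint
    print(insert_production_order(db, "P7", None))    # rejected explicitly
    print(insert_production_order(db, "P8", "SO2"))   # accepted
```

The explicit NULL check matters: a foreign key alone does not stop a row whose link column is empty, which is exactly the "not linked to any authorised order" case, so the column should also be declared NOT NULL once the legacy rows have been cleaned up.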
Bharat Electronics Limited (Audit Observations) – contd.

• The absence of a uniform coding pattern for materials built into the system resulted in inconsistent
material codes in the system.
• Incomplete capture of details in fields such as profit centre and purchasing group affected the
allocation of cost.
• The non-incorporation of data on net value, material code, vendor code, quantity etc. affected the
allocation of cost and the accounts of the units.
• The system was designed to block duplicate vendor entries. However, inconsistent patterns of data
entry led to duplicate vendor codes, creating a risk of inconsistent order placement and deficient
payment tracking for those vendors.
Konkan Railway Corporation Limited (a company with a turnover of US$ 32 million)

• KRCL's ERP system, known as RAP, contains seventeen modules. It was developed by Tata Infotech
Limited (TIL) in 1995 and implemented in 2001.
• The main objectives of RAP were to increase efficiency in the various financial and operational
functions of the organisation and to generate MIS reports in a timely manner to aid the Board of
Directors of the Company in decision making.
• During 2004, KRCL decided to re-engineer the RAP system into a Java-based system known as JRAP.
KRCL - System Design Deficiency

• The system was not designed to calculate rates as a percentage above or below the accepted
tender rates. This resulted not only in duplication of work but also in full dependence on manual
controls.
• The system did not show the opening balance of the ledger, so the opening balance had to be
incorporated through manual intervention to prepare the trial balance.
• After creation of the master database, the system did not display the relevant pop-ups at the time of
data entry that were required to ensure data integrity. This led to multiple party codes for the
same party in respect of supply contracts, works contracts and miscellaneous contracts.
KRCL - Audit Observations

The JRAP-FA module is the backbone of the ERP system. Considering the significance of the financial and
accounting module and its linkages with other modules, the working of the JRAP-FA module was audited and
it was observed that:
• critical activities had not been envisaged during system development, and consequently certain
activities that were part of the users' requirements had not been designed or developed;
• certain activities had been designed and developed, but with deficiencies;
• the linkages and interfaces of the FA module with other modules were yet to be implemented
(September 2007);
• the validation checks were inadequate, and critical changes in business rules had not been
incorporated or updated; and
• the business continuity and disaster recovery arrangements were deficient.
KRCL - Critical requirements not envisaged

• The system was not envisaged to generate region-wise trial balances, although separate regional cost
centres were maintained. Thus the system could not monitor and evaluate the performance of different
regions.
• Simple functions such as calculation of tax deducted at source, sales tax and other taxes were not
envisaged to be performed through the system. Thus recovery / short recovery of these items had to be
calculated and monitored manually.
• The system was not envisaged to capture the accounting period to which a bill related. Thus important
information such as outstanding liabilities and prepaid expenses for the respective accounting period could
not be generated. For example, a contractor's/supplier's bill relating to the accounting period 2006-07
could be accounted for in 2007-08 and vice versa, and prepaid insurance for 2007-08 could be booked
as expenditure in 2006-07.
• Critical contract information such as date of completion, number of extensions, penalties waived, and
interest levied/waived for delayed completion/supply was not envisaged to be captured, which would have
enabled system-based monitoring and evaluation of the execution of contracts.
Thank You
