
QUIZ 2

• Explain what is meant by: Process Controls
• Also explain:
– Run-to-run totals
– Audit trails
– Operator intervention controls

• Explain what is meant by: Output Controls
• Also explain:
– Batch system output controls
– Real time system output controls

4 January 2003
Technology and Security
Risk Services

ERP System

for Universitas Padjadjaran


EDP Audit – S1 Accounting
May 23, 2023

IS Audit Syllabus
1. Introduction of IS Audit
2. IT Environment
3. IT Process
4. General Computer Control Review (1)
5. Public Lecture (IT Governance)
6. General Computer Control Review (2)
7. General Computer Control Case Study
8. Mid-semester Exam
9. Application Control Review (1)
10. Application Control Review (2)
11. Financial Audit – IT Audit Integration & Security Management
12. ERP Systems
13. Final Exam

Module Objectives

• Gain an understanding of ERP Systems
• Gain an understanding of an audit of ERP systems
• Gain an understanding of an audit of an ERP implementation

Agenda

• Introduction to ERP System
• Auditing ERP Systems
– Process Integrity
– Auditing ERP Implementation


Introduction to ERP System

What on earth is an ERP?
• Enterprise Resource Planning
• “One big system”
• May have many modules covering a wide
range of business processes
• Based on client / server technology
• SAP, Oracle, PeopleSoft, Baan, JD Edwards

What is ERP?
• A business system which integrates finance, manufacturing, sales, procurement, logistics and HR and is targeted towards the optimization of enterprise resources.
• ERP is more than an information system. For most organizations it can provide a fundamental, more complete way for them to view the business.

[Figure: ERP at the center, surrounded by Business Strategies/Competencies; Business Processes; Organizational Dynamics; Performance Measurement/Management; Application Systems; Technology; Policies & Procedures, Training; Data Management]
What makes an ERP different?

[Diagram: Traditional vs. ERP architecture]
• Traditional: user at terminal (or PC with terminal emulation) → mainframe hosting separate applications (ABC General Ledger, XYZ Purchasing App, QRS Stock System)
• ERP: user at PC with ERP client software → application server (ERP application) → database server (database)

Legacy Systems vs. ERP

Legacy systems | ERP
Non-Integrated Solution | Fully Integrated Solution
Batch Posting from Sub ledgers to Ledgers | Real Time Posting
Paper Documents | Electronic Documents
Manual Approvals | Online Approvals & Tolerances
Configuration modified through program code changes | Users responsible for configuration
Multiple Chart of accounts | Single Chart of accounts
Thousands of GL accounts | Common Chart of accounts, Reduced number of accounts

Legacy Systems vs. ERP

Legacy systems | ERP
Manual Matching Source Documents | Online Matching Source Documents
Batch Reporting | Real-time Reporting
Paper audit trail | Built-in audit trail
Batch Interfaces with external systems | Real-time and Integrated Interfaces
Manual document flow | Automated workflow
(none) | eCommerce
(none) | Web-enabled

Why Implement ERP?

Business Drivers
• Globalization
• Better integration / functionalities
• Improved information access
• Competitive advantage
• Cost reduction / Productivity
• Improved customer services - quality, speed, flexibility and consistency

Technical Drivers
• Configurability
• Aging legacy environments
• Technology shift - client server
• Year 2000
• Ability to manage data - including data warehousing tools
• System availability

Key Benefits of ERP System
• Centralized storage of company data
• Fewer applications / interfaces
• May be less manual paper flow
• May have centralized application security
• Less ‘programming’ – more ‘customization’

Key Risks of ERP System
• Increased reliance on application controls
• Less human intervention in processes
• Multiple points of security failure (e.g., client, application server, database)
• Implementation projects typically miss deadlines and go over budget
• Functionality and controls may not be adequately tested
Leading ERP Vendors

• SAP
• PeopleSoft
• Oracle
• JD Edwards
• Baan

Example: Oracle Modules

[Diagram: Oracle modules grouped into Financials, Manufacturing, Human Resources, Supply Chain and Projects]

Finance
• Financial Analyzer
• General Ledger
• Cash Management
• Treasury
• Purchasing
• Payables
• Receivables
• Fixed Assets
• eTravel
• Self-Service Expenses
• Self-Service Purchasing

Manufacturing
• Engineering
• Bills of Material
• Master Scheduling/MRP
• Capacity
• Work in Process
• Quality
• Cost Management
• Process Manufacturing
• Project Manufacturing
• Flow Manufacturing
• Advanced Planning & Scheduling

Human Resources
• Human Resources
• Payroll
• Training Administration
• Time Management
• Advanced Benefits
• Self-Service Human Resources

Supply Chain Management
• Order Entry
• Purchasing
• Product Configurator
• Supplier Scheduling
• Supply Chain Planning
• Inventory
• Web Suppliers
• Advanced Planning & Scheduling

Projects
• Project Costing
• Project Billing
• Project Time & Expense
• Activity Management Gateway
• Project Connect
• Project Analysis Collection Pack

Example: SAP R/3 Modules

[Diagram: R/3 Client / Server at the center, surrounded by its modules]
• SD: Sales & Distribution
• MM: Materials Mgmt.
• PP: Production Planning
• QA: Quality Assurance
• PM: Plant Maintenance
• HR: Human Resources
• FI: Financial Accounting
• CO: Controlling
• AM: Fixed Assets Mgmt.
• PS: Project System
• OC: Office & Communication
• IS: Industry Solutions

Latest Trends
• Workflow
• E-commerce and Marketplaces
• Web Enablement
• CRM
• Data Warehouses
• Mobile Computing
• Industry Solutions
• One Integrated Software Solution (Oracle)


Auditing ERP System

Process Integrity Methodology

[Diagram: Process Control Risk at the top; three streams below it; Project and Implementation Risk Management at the bottom]

Process Integrity
• Control Evaluation & Solutions
• Control Review & Testing
• Control Design and Best Practices

Application Security
• Security Evaluation & Solutions (software)
• Security Review & Testing
• Design, Develop & Deploy

Infrastructure Security
• Security Evaluation & Solutions (Hardware)
• Security Review & Testing
• Design, Develop & Deploy


Process Integrity

Process Integrity: Services
• Ensuring process design facilitates effective control implementation
• Controls take into account People, Process and Technology aspects
• Authorization/Role Analysis
• Assess adequacy and design of security within the application to
– Ensure it supports organizational policies
– Ensure proper access controls are maintained
– Ensure protection of sensitive data

Process Integrity: Methodology Phases

• Phase 1: Project Scoping and Planning
• Phase 2: Process Analysis / Decomposition
• Phase 3: Process Risk Assessment
• Phase 4: Analyze / Design Controls
• Phase 5: Controls Testing

Process Integrity: Phase 1

Phase 1: Project Scoping and Planning

- Engagement dependent
- Scope definition and agreement important
- Project plan necessary
- Expectations agreed

(This phase is not discussed in detail)

Process Integrity: Phase 2 – Process Analysis

- Analyze company structure
- Identify key processes
- Identify key sub processes
- Identify, understand and document information and process flows

Process Integrity: Phase 2 – Process Analysis
What is a Business Process?

A specific ordering of work activities across time and place, with a beginning, an end, and clearly defined inputs and outputs.

Business processes are the structure by which the organization physically does what is necessary to produce value for its customers.

Process Integrity: Phase 2 – Process Analysis
Examples of Business Process Characteristics

• Supplier: Provider of input
• Input: Material, capital, human resources and information that a process receives and acts upon in order to generate its output
• Process: Transforms input through a series of activities into a refined product (output). Processes are broadly defined across functions/departments
• Output: Those things produced by a process for the benefit of the process customer or for use as an input by a later process or activity
• Customer: The recipient of an output

Process Integrity: Phase 2 – Process Analysis
Typical Business Processes Usually Cross Organizational Units

[Figure: a business process running across organizational units A, B, C and D]

Analysis of Business Processes

Why do it?
• Better understand business processes from the perspective of how the business is operated
• Key component of ERP Integrity Methodology
• Translate knowledge from process analysis into responsive, efficient & effective control requirements
• Identify and benchmark performance indicators used by the client to permit the generation of valuable improvement ideas
• Today’s application software solutions (integrated applications) demand a process view.

Objectives / Deliverables of Phase 2

• High Level Process Understanding
• Identify Key Company Contacts
• Identification of sub processes
• High Level Understanding of Risk
• Flow Charts and Narratives
• Sub Processes Identified in BPCF

Process Integrity: Phase 3 – Perform Process Risk Assessment

High Level Risk Assessment (Process)
- Performed in Phase 2
- Inherent risk and other risk areas that stand out

Process Risk Assessment (Sub Process)
- Usually based on ‘standard’ risks
- Must incorporate Company specific risks

Process Integrity: Phase 3 – Perform Process Risk Assessment

Four categories of process risks:
• User Access Risk
• Transaction Input Risk
• Transaction Processing Risk
• Transaction Output Risk

Note: Process risks include both IT and manual process risks

Process Integrity: Phase 3 – Perform Process Risk Assessment

User Access Risks
• Access to appropriate functionality
• Access to sensitive functionality
• Access to conflicting functionality (segregation of duties)

Process Integrity: Phase 3 – Perform Process Risk Assessment

Transaction Input Risks
• Completeness
• Accuracy / Correctness
• Appropriateness / Validity (Fraud)
• Timeliness
• Authorizations
• Procedures

Process Integrity: Phase 3 – Perform Process Risk Assessment

Transaction Processing Risks
• Completeness
• Accuracy / Correctness / Validity
• Timeliness
• System Configuration / Rules
• Inherent System Risks

Process Integrity: Phase 3 – Perform Process Risk Assessment

Transaction Output Risks
• Completeness
• Accuracy / Correctness / Validity
• Timeliness
• Identification of Rejected Transactions
• Appropriate Reporting

Process Integrity: Phase 4 – Analyse / Design Controls

First Step: Identify ‘Control Objectives’

What is a control objective?

Effectively, a control objective is the opposite of a risk. The control objective takes the identified risk and states the objective of mitigating that risk.

Process Integrity: Phase 5 Controls Testing

Objective: Ensure the existence and operation of the identified control to reduce / mitigate risk as designed.

Method:
• Inherent: No testing usually required, but should be documented
• Configurable:
– Transaction trace (re-performance)
– View configuration
– System reports
• Manual:
– Observation and review
– Discussion

Process Integrity: Phase 5 Controls Testing

Some Difficulties with Testing

- Unavailability of information / audit trail
- ‘Sorry, you can’t see that in the system, it just does it’!
- In a controls design (implementation integrity) review, controls may not yet have been developed by the business people when you test (particularly policies and procedures)
- Project team / implementation consultants sign off controls but do not implement them


Question and Answer


Thank You
