10-June2006
AGENDA
1. GENERAL OVERVIEW - ERP - Any business, ERP solutions, SAP R/3 architecture & application components
2. MODULES IN ERP - Logistics, Accounting, navigation of screen, core business cycle in a manufacturing unit
3. RISK ASSESSMENT IN ERP - Methodology, quantification model (Impact - Severity X Detection, exposure), risk statements SD/MM/FI/Common - examples, registers and heat maps module wise, revenue, expenditure & inventory cycles - summing up
4. TECHNICAL RISK IN ERP - Basis application infrastructure, risks in installation management, ABAP/4 workbench & transport (se38/sa38), computing center management systems, Profile Generator (PFCG)
5. AUDIT IMPLEMENTATION IN ERP - Learning for auditors, excellence model / global best practices (COBIT / COSO) and new directions in ERP auditing
[Diagram: Production/Service Enterprise and the parties it transacts with - HR, FA, Wages, Salary, Receivable, Statutory Bodies, Share Holders, AMC]
ERP at Eicher = SAP 4.7c (375 users)
- Rs. 17 ~ 20%
- SAP R/3 S/W GUI (Enterprise 4.7c / ECC5) with which users interact
- Application servers with the SAP R/3 kernel that run ABAP/4 programs (Windows Server 2003 / Service Pack 1)
- RDBMS (e.g. Oracle 9i, patch level 4) holding the ABAP/4 Dictionary, source and executable programs
- TCodes (se16 / TSTCT) = 120314 nos
- Tables (DB02) = 35650 nos
[Diagram: ERP core surrounded by the SAP R/3 modules - MM, CO, SD, PP, FI, AM, PS, PM, QM, WF, IS, HR]
Modules in Accounting - Navigation of Screen
1. Accounting General (AC)
2. Financial Accounting (FI)
3. My SAP Banking
4. Corporate Finance Management (CFM)
5. Treasury (TR)
6. Controlling (CO)
7. Investment Management (IM)
8. Project System (PS)
9. Incentive & Commission Management
10. Enterprise Controlling
11. Real Estate Management
12. Public Sector Management
13. Flexible Real Estate Management (RE-FX)
14. Production Sharing Accounting systems
15. Country version
[Diagram: Core business cycle in a manufacturing unit]
Revenue cycle: Sales Qty. -> Production -> Sales Order -> Goods issue -> Delivery Note -> Our Invoice -> A.R. -> Collection -> Reporting
Expenditure cycle: Purchase requisition -> Purchase Order / Scheduling Agreement -> Goods Receipt -> Vendor Invoice Verification -> AP -> Payment
Inventory cycle: Handling FGS, Inventory Management
Key business processes in Sales and Distribution (SD), Materials Management (MM) and Financial Accounting (FI) need to be studied in detail to identify their vulnerability to threats from within and outside. Based on this study and the experience of the internal audit team, the risk statements relevant to the business are captured. For each risk statement, risk impact and risk exposure are assessed as under:
[Heat map: Impact (rows, 40 / 20 / 10) against Risk exposure (columns, LOW / MEDIUM / HIGH); R = red, Y = yellow, G = green zones]

Impact \ Risk exposure   LOW   MEDIUM   HIGH
40                       Y1    R2       R1
20                       G1    Y2       R3
10                       G3    G2       Y3
Risk exposure
Risk exposure (likelihood of occurrence) is assessed on a scale of 1-10 (10 being most likely). It is determined as the weighted average effect of the 10 parameters responsible for the exposure:
i. Incorrect source data / data entry
ii. Incorrect / incomplete execution
iii. Incorrect / no verification of output
iv. Skill / resource constraint
v. Inadequate segregation of duties
vi. Lack of system documentation
vii. Authority norms not defined / not followed
viii. Inappropriate configuration / process logic
ix. Weak internal / compensating controls
x. Others (e.g. process complexity, frequency of changes, software limitations, unassignable causes)
Risk register columns: S. No | Risk statement | Severity | Detectability | Impact | Risk exposure | Heat zone

Risk register - SD
Risk statement | Risk | Heat zone
Invoice may be raised without effecting physical delivery of the goods from depot / plant (bill and hold) | 56 | R1
- | 24 | Y2
Debit / credit notes sent to customers may not contain adequate supporting details | - | G2

Risk register - MM
Risk statement | Risk | Heat zone
Financial authority norms for release of PO may not be mapped into SAP | 32 | R3
GR may be prepared for a quantity lower / higher than vendor delivery challan | 24 | Y2
CENVAT credit availed may be lower than CENVATABLE excise duty credited to vendor through invoice verification | 18 | G2

Risk register - FI
Risk statement | Risk | Heat zone
- | 30 | R3
Vendors account may not have been reconciled / confirmed as per laid down frequency | 30 | Y2
Line items (individual entries) clearing may not have been carried out in vendor accounts | 18 | G2

Risk register - Common
Risk statement | Risk | Heat zone
SAP transaction authorizations granted to users may not relate to their assigned role / responsibility | 64 | R1
SAP transactions may be carried out using group IDs, resulting in non-traceability of transactions to any specific individual (employee) | 64 | R1
Audit trails (chronological log of changes) may not be reviewed / analyzed by process owners | 40 | R3
Technical risks in ERP (Basis)
- Default passwords and user names
- Permission table authorization with valid IP address (port 3200)
- Remote access to SAP vendor; program interfaces (SM59)
- Use of E-SCORE, /EPIC, /DMS, /ITS etc.
- Super user SAP*, SAP_ALL authorisation documentation (biggest risks)
- Log + trace file
Monitoring & controls: internal controls, physical verification, overheads, MIS, feedback, forums etc.
LEVEL OF CONTROLS - ASSESSMENT
0. Non-existent
1. Initial / ad hoc
2. Repeatable but person dependent
3. Defined, standardized & documented
4. Managed: monitoring OK & feedback system in place
5. Optimized control: industry best practices
New Directions in ERP Auditing: risk based auditing linked to COSO & COBIT; professional ethics & standards
References
www.theiia.org - Internal auditing: guidance for the profession, Code of Ethics
www.isaca.org - IS Auditing Standards, IS Auditing Guidelines, IS Auditing Procedures, Standards for Professional Information Systems Control
http://www.sapgenie.com/ (Google search based)
http://www.sap.com - services / education
http://www.sap.com/ - Community, Help ..sap.com
Thank you
Arvind Dang
98711 41333 Adang@eicher.co.in