
Auditing in the ERP Environments

10-June2006

AGENDA
1. GENERAL OVERVIEW - ERP: Any Business, ERP solutions, SAP R/3 Architecture & Application components
2. MODULES IN ERP - Logistics, Accounting, Navigation of Screen, Core Business Cycle in a Manufacturing unit
3. RISK ASSESSMENT IN ERP - Methodology: Quantification Model, Impact = Severity x Detection, Exposure; Risk Statements SD/MM/FI/Common - Examples; Registers and Heat Maps Module wise; Revenue, Expenditure & Inventory cycles - Summing up
4. TECHNICAL RISK IN ERP - Basis application infrastructure; Risks in Installation management, ABAP/4 Workbench & transport (SE38/SA38), Computing Center Management System, Profile Generator (PFCG)
5. AUDIT IMPLEMENTATION IN ERP - Learnings for auditors, Excellence Model / Global best practices (COBIT / COSO) and New Directions in ERP Auditing

General Overview - Any Business

[Diagram: the Production/Service Enterprise at the centre, with its flows to each party]
- Purchase: Qty., Value -> Vendor -> Payable
- Sales Order: Bill -> Customer -> Receivable
- HR / FA: Wages, Salary
- Other Business Associates
- Statutory Bodies
- Share Holders

ERP solutions - what do they enable

1. Managing & supporting the resources of the organisation efficiently: Employees, Customers, Vendors, Share Holders, Production Process, Material & Services
2. Increasing competitiveness
3. Reducing costs
4. Improving operational reporting
5. Improving quality of decision making
6. Enhancing customer service
7. Improving profitability
8. Providing integrity of data
9. Enhancing productivity of the value chain
10. Speed

ERP solutions - what do they enable

- ERP solutions are integrated, configurable, real time and often available as cross-industry solutions.
- Today's presentation is primarily based on SAP, although many ERP solutions with similar concepts are in use, e.g. Oracle, J.D. Edwards, Baan, Mfg Pro etc.
- SAP = Systems, Applications, Products in Data Processing

ERP cost/user (approximate)

- Licence: Info-users Rs. 60K+; Operational users Rs. 90K+; Developers Rs. 350K+
- AMC: Rs. 17 ~ 20%
- ERP at Eicher = SAP 4.7c (375 users)

SAP R/3 Architecture - 3 Layers

- Presentation Layer: SAP R/3 S/W GUI (Enterprise 4.7c / ECC5) with which users interact
- Application Layer: application servers with the SAP R/3 kernel that run ABAP/4 programs (Windows 2003 Server, Service Pack 1)
- Database Layer: RDBMS (e.g. Oracle 9i, patch level 4) holding the ABAP/4 Dictionary, source and executable programs
- T-Codes (SE16 / table TSTCT) = 120314 nos; Tables (DB02) = 35650 nos

SAP R/3 Enterprise - Application components

[Diagram: ERP at the centre, surrounded by the application components MM, CO, SD, PP, FI, AM, PS, PM, QM, WF, IS, HR]

Modules in Logistics - Navigation of Screen

1. Logistics General (LO)
2. Product Lifecycle Management (PLM)
3. Sales & Distribution (SD)
4. Materials Management (MM)
5. Logistics Execution (LE)
6. Production Planning & Control (PP)
7. Plant Maintenance (PM)
8. Customer Service (CS)
9. Quality Management (QM)
10. Project System (PS)
11. Environment, Health & Safety (EH&S)
12. Retail
13. Agency Business (LO-AB)
14. Global Trade
15. Country Versions

Modules in Accounting - Navigation of Screen

1. Accounting General (AC)
2. Financial Accounting (FI)
3. mySAP Banking
4. Corporate Finance Management (CFM)
5. Treasury (TR)
6. Controlling (CO)
7. Investment Management (IM)
8. Project System (PS)
9. Incentive & Commission Management
10. Enterprise Controlling
11. Real Estate Management
12. Public Sector Management
13. Flexible Real Estate Management (RE-FX)
14. Production Sharing Accounting systems
15. Country Versions

Core Business Cycle in Manufacturing

[Diagram: three linked flows]
- Revenue cycle: Create Customer Relationship -> Sales Order (Sales Qty.) -> Goods Issue -> Delivery Note -> Our Invoice -> A.R. -> Collection -> Reporting
- Production: MRP -> Create Production Order -> Production -> Producing Inventory; Handling FGS; Inventory Management; Raw Material Management
- Expenditure cycle: Create Vendor Relationship -> Purchase Requisition -> Purchase Order / Scheduling Agreement -> Goods Receipt -> Vendor Invoice Verification -> AP -> Payment

RISK ASSESSMENT METHODOLOGY BY A QUANTIFICATION MODEL

Key business processes in Sales and Distribution (SD), Materials Management (MM) and Financial Accounting (FI) need to be studied in detail to identify their vulnerability to threats from within and outside the organisation. Based on this study and the experience of the internal audit team, risk statements relevant to the business are captured. For each risk statement, risk impact and risk exposure are assessed as follows.

Risk Registers and Heat Maps Module wise

Using the risk impact and risk exposure scores worked out as above, all possible risk statements (three examples are given below for each of SD, MM and FI) are compiled into a RISK REGISTER running to many pages; finally, every risk statement's serial number is plotted on a one-page HEAT MAP.
[Heat map: risk impact (vertical) vs risk exposure (horizontal)]

                 RISK IMPACT
           100 +--------+--------+--------+
      HIGH     |   Y1   |   R2   |   R1   |
            40 +--------+--------+--------+
      MEDIUM   |   G1   |   Y2   |   R3   |
            20 +--------+--------+--------+
      LOW      |   G3   |   G2   |   Y3   |
            10 +--------+--------+--------+
                   LOW    MEDIUM    HIGH
                       RISK EXPOSURE

Risk impact = Severity x Detectability

Risk impact (Severity x Detectability) is assessed on a scale of 1-100 (100 being the highest adverse impact).
A. Risk severity (on a scale of 1-10) is determined as the weighted average effect on 5 parameters: i. PBT; ii. statutory/regulatory compliance; iii. strategic value; iv. financial statement accuracy; v. reliability/operational effectiveness.
B. Risk detectability (on a scale of 1-10) is determined by the stage at which the adverse event is detected, i.e. within the company or from outside by customers.

Risk exposure

Risk exposure (likelihood of occurrence) is assessed on a scale of 1-10 (10 being most likely). Risk exposure is determined as the weighted average effect of 10 parameters responsible for the exposure: i. incorrect source data / data entry; ii. incorrect or incomplete execution; iii. incorrect / non-verification of output; iv. skill / resource constraint; v. inadequate segregation of duties; vi. lack of system documentation; vii. authority norms not defined / followed; viii. inappropriate configuration / process logic; ix. weak internal / compensating controls; x. others (e.g. process complexity, frequency of changes, software limitations, unassignable causes etc.).
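The quantification model above, worked through in code. This is an added example and not part of the slides: it scores severity and exposure as averages of the listed parameters (equal weights, since the slides give no weights), multiplies severity by detectability for impact, and reads the heat zone off the 3x3 grid. The impact bands (LOW up to 20, MEDIUM 21-40, HIGH above 40) are taken from the heat-map ticks and the slides' own examples (impact 40 plots in R3, 56 in R1); the exposure bands (1-3, 4-7, 8-10) are an assumption, as are the sample scores.

```python
"""Risk quantification model from the slides: severity and detectability
(each 1-10) multiply into a risk impact (1-100); exposure (1-10) gives the
other axis; the pair is plotted on the 3x3 heat map (R1..R3, Y1..Y3, G1..G3).
"""

# Severity and exposure are weighted averages over the parameters the slides
# list. The slides give no weights, so equal weights are ASSUMED by default.
SEVERITY_PARAMS = (
    "PBT", "statutory/regulatory compliance", "strategic value",
    "financial statement accuracy", "reliability/operational effectiveness",
)
EXPOSURE_PARAMS = (
    "incorrect source data/data entry", "incorrect/incomplete execution",
    "incorrect/non verification of output", "skill/resource constraint",
    "inadequate segregation of duties", "lack of system documentation",
    "authority norms not defined/followed", "inappropriate configuration/process logic",
    "weak internal/compensating controls", "others",
)

# Heat map cells: (impact band, exposure band) -> zone, read off the slide grid.
HEAT_MAP = {
    ("HIGH", "LOW"): "Y1", ("HIGH", "MEDIUM"): "R2", ("HIGH", "HIGH"): "R1",
    ("MEDIUM", "LOW"): "G1", ("MEDIUM", "MEDIUM"): "Y2", ("MEDIUM", "HIGH"): "R3",
    ("LOW", "LOW"): "G3", ("LOW", "MEDIUM"): "G2", ("LOW", "HIGH"): "Y3",
}
# Zone priority for ordering a register: red before yellow before green.
ZONE_RANK = {z: i for i, z in enumerate(
    ("R1", "R2", "R3", "Y1", "Y2", "Y3", "G1", "G2", "G3"))}


def weighted_average(scores, weights=None):
    """Weighted average of 1-10 parameter scores, rounded to an integer 1-10."""
    weights = list(weights) if weights is not None else [1.0] * len(scores)
    if len(weights) != len(scores):
        raise ValueError("one weight per parameter score")
    if any(not 1 <= s <= 10 for s in scores):
        raise ValueError("parameter scores are on a 1-10 scale")
    value = sum(s * w for s, w in zip(scores, weights)) / sum(weights)
    return max(1, min(10, round(value)))


def risk_impact(severity, detectability):
    """Severity x Detectability on the 1-100 scale (100 = worst)."""
    for v in (severity, detectability):
        if not 1 <= v <= 10:
            raise ValueError("severity and detectability are on a 1-10 scale")
    return severity * detectability


def impact_band(impact):
    """Bands follow the heat-map ticks (10, 20, 40, 100); the slides' examples
    put impact 40 in the MEDIUM row and 56 in the HIGH row."""
    if impact > 40:
        return "HIGH"
    if impact > 20:
        return "MEDIUM"
    return "LOW"


def exposure_band(exposure):
    """The slides give no numeric cut-offs for exposure; 1-3 LOW, 4-7 MEDIUM,
    8-10 HIGH is an ASSUMPTION."""
    if exposure >= 8:
        return "HIGH"
    if exposure >= 4:
        return "MEDIUM"
    return "LOW"


def heat_zone(impact, exposure):
    return HEAT_MAP[(impact_band(impact), exposure_band(exposure))]


def build_register(risks):
    """Score each risk statement and return the register ordered by heat zone."""
    register = []
    for r in risks:
        severity = weighted_average(r["severity_scores"])
        exposure = weighted_average(r["exposure_scores"])
        impact = risk_impact(severity, r["detectability"])
        register.append({
            "module": r["module"], "statement": r["statement"],
            "severity": severity, "detectability": r["detectability"],
            "impact": impact, "exposure": exposure,
            "heat_zone": heat_zone(impact, exposure),
        })
    register.sort(key=lambda row: ZONE_RANK[row["heat_zone"]])
    for sr_no, row in enumerate(register, start=1):
        row["sr_no"] = sr_no
    return register


# CONSTRUCTED scores for three of the slides' example statements; the impacts
# reproduce the slide values (56 and 24 for SD, 40 for the audit-trail risk).
SAMPLE_RISKS = [
    {"module": "SD", "statement": "Invoice raised without physical delivery (bill and hold)",
     "severity_scores": [9, 7, 8, 9, 7], "detectability": 7, "exposure_scores": [8] * 10},
    {"module": "SD", "statement": "Sales order not executed in time and in full",
     "severity_scores": [4] * 5, "detectability": 6, "exposure_scores": [5] * 10},
    {"module": "Common", "statement": "Audit trails not reviewed by process owners",
     "severity_scores": [5] * 5, "detectability": 8, "exposure_scores": [9] * 10},
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['sr_no']} {row['module']:6} impact={row['impact']:3} "
              f"exposure={row['exposure']:2} zone={row['heat_zone']} {row['statement']}")
```

With the sample scores the three statements land in R1, R3 and Y2, the same zones the slides assign them; changing the weights or the exposure cut-offs moves the borderline cases, which is why the register should record the parameter scores and not only the final zone.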

RISK STATEMENTS SD - Examples

S.No | Risk statement | Severity | Detectability | Risk impact | Risk exposure | Heat zone
1 | Invoice may be raised without effecting physical delivery of the goods from depot/plant (bill and hold) | | | 56 | | R1
2 | Sales order may not be executed in time and in full | | | 24 | | Y2
3 | Debit/credit notes sent to customers may not contain adequate supporting details | | | | | G2

RISK STATEMENTS MM - Examples

S.No | Risk statement | Severity | Detectability | Risk impact | Risk exposure | Heat zone
1 | Financial authority norms for release of PO may not be mapped into SAP | | | 32 | | R3
2 | GR may be prepared for a quantity lower/higher than the vendor delivery challan | | | 24 | | Y2
3 | CENVAT credit availed may be lower than the CENVATable excise duty credited to the vendor through invoice verification | | | 18 | | G2

RISK STATEMENTS FI - Examples

S.No | Risk statement | Severity | Detectability | Risk impact | Risk exposure | Heat zone
1 | Depreciation rates may have been incorrectly set up | | | 30 | | R3
2 | Vendor accounts may not have been reconciled/confirmed at the laid-down frequency | | | 30 | | Y2
3 | Line item (individual entry) clearing may not have been carried out in vendor accounts | | | 18 | | G2

RISK STATEMENTS Common to all functions - Examples

S.No | Risk statement | Severity | Detectability | Risk impact | Risk exposure | Heat zone
1 | SAP transaction authorizations granted to users may not relate to their assigned role/responsibility | | | 64 | | R1
2 | SAP transactions may be carried out using group IDs, so that transactions cannot be traced to any specific individual (employee) | | | 64 | | R1
3 | Audit trails (chronological log of changes) may not be reviewed/analyzed by process owners | | | 40 | | R3

Important table mappings & concepts

SD
- Sales orders = VBAK / VBAP / VBPA (different types)
- Shipping = VBLK / LIKP / LIPS (different types)
- Billing = KONV / VBRK / VBRP / VBUK (different types, PRICING procedures)
- Customer master used in AR = KNVP / KNVV / KNA1 / KNB1, sales organisation

MM
- Purchase requisition = EBAN / EBKN
- PO / SA = EKKO / EKPO
- Delivery schedule = EKET / EKKN
- GR = MKPF / MSEG / EKBE
- Material master = MARC / MLAN / MAKT / MARA / MBEW
- PO info record = KONH / KONP / EINA / EINE
- BOM = STKO / STPO
- Material types, material movements, material groups, purchase groups

FI
- Payment = PAYR; Accounting = BKPF / BSEG; open/cleared items: Customer = BSID / BSAD, Vendor = BSIK / BSAK, G/L = BSIS / BSAS
- Masters: G/L = SKB1 / SKA1 / SKAT, Cost centre = CSKS / CSKT, Profit centre = CEPC / CSKT
- Vendor master used in AP: purchasing = LFM1 / LFM2, general = LFA1 / LFB1 / LFBK
- Document types (30 types): AB = accounting, BR = bank receipt, KR = vendor invoice, RV = sales invoice
- Account types (5): A = Assets, D = Customer, K = Vendor, M = Material, S = G/L
- COA = Chart of accounts
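A risk-based query of the kind the slides describe (SAP tables downloaded and queried in MS Access), here written against the billing and delivery tables listed above and run in SQLite from Python. This is an added example, not the author's query: it looks for the SD risk "invoice raised without physical delivery (bill and hold)" by joining VBRK/VBRP to LIKP/LIPS through the billing item's reference delivery. The fields used (VGBEL, VGPOS, FKIMG, WADAT_IST, LFIMG) and all sample rows are assumptions to be confirmed against DD03M on the system under audit.

```python
"""Risk-based query for the SD risk 'invoice raised without physical delivery
(bill and hold)', run over downloaded billing and delivery tables."""
import sqlite3

# Table names follow the standard SAP tables named in the slides (VBRK/VBRP
# billing, LIKP/LIPS delivery). The fields used (VGBEL/VGPOS reference
# delivery, FKIMG billed qty, WADAT_IST actual goods issue date, LFIMG
# delivered qty) are ASSUMED and should be confirmed in DD03M.
DDL = """
CREATE TABLE vbrk (vbeln TEXT PRIMARY KEY, fkdat TEXT);
CREATE TABLE vbrp (vbeln TEXT, posnr TEXT, vgbel TEXT, vgpos TEXT, fkimg REAL);
CREATE TABLE likp (vbeln TEXT PRIMARY KEY, wadat_ist TEXT);
CREATE TABLE lips (vbeln TEXT, posnr TEXT, lfimg REAL);
"""

# CONSTRUCTED sample download: one clean invoice and four exception cases.
SAMPLE = {
    "vbrk": [("90000001", "20060601"), ("90000002", "20060605"),
             ("90000003", "20060602"), ("90000004", "20060603"),
             ("90000005", "20060604")],
    "vbrp": [("90000001", "000010", "80000001", "000010", 100.0),
             ("90000002", "000010", "80000002", "000010", 50.0),    # no goods issue
             ("90000003", "000010", "80000003", "000010", 20.0),    # billed before GI
             ("90000004", "000010", "80000009", "000010", 10.0),    # delivery missing
             ("90000005", "000010", "80000005", "000010", 100.0)],  # over-billed
    "likp": [("80000001", "20060530"), ("80000002", "00000000"),
             ("80000003", "20060610"), ("80000005", "20060601")],
    "lips": [("80000001", "000010", 100.0), ("80000002", "000010", 50.0),
             ("80000003", "000010", 20.0), ("80000005", "000010", 60.0)],
}

# SAP stores dates as YYYYMMDD text, so string comparison orders them correctly.
QUERY = """
SELECT * FROM (
  SELECT r.vbeln, r.posnr, r.vgbel, k.fkdat, l.wadat_ist, r.fkimg, p.lfimg,
         CASE
           WHEN l.vbeln IS NULL THEN 'referenced delivery not found'
           WHEN l.wadat_ist IS NULL OR l.wadat_ist IN ('', '00000000')
                THEN 'no goods issue posted'
           WHEN k.fkdat < l.wadat_ist THEN 'billed before goods issue'
           WHEN p.lfimg IS NULL OR r.fkimg > p.lfimg
                THEN 'billed quantity exceeds delivered quantity'
         END AS finding
  FROM vbrp r
  JOIN vbrk k ON k.vbeln = r.vbeln
  LEFT JOIN likp l ON l.vbeln = r.vgbel
  LEFT JOIN lips p ON p.vbeln = r.vgbel AND p.posnr = r.vgpos
)
WHERE finding IS NOT NULL
ORDER BY vbeln, posnr
"""


def load_tables(conn, tables):
    """Create the four tables and load the downloaded rows."""
    conn.executescript(DDL)
    for name, rows in tables.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {name} VALUES ({placeholders})", rows)


def bill_and_hold_candidates(conn):
    """Return (invoice, item, finding) for billing items lacking a matching
    goods issue; each row is a lead for the auditor, not a proven exception."""
    return [(vbeln, posnr, finding)
            for vbeln, posnr, *_rest, finding in conn.execute(QUERY)]


def run_sample():
    conn = sqlite3.connect(":memory:")
    load_tables(conn, SAMPLE)
    try:
        return bill_and_hold_candidates(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    for vbeln, posnr, finding in run_sample():
        print(vbeln, posnr, finding)
```

The same query structure serves the MM example "GR prepared for a quantity lower/higher than the vendor delivery challan" by swapping in EKPO/EKBE for the purchase side; the important part is that every exception is reported with the reference document so it can be vouched back to the physical record.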

Risks in Revenue, Expenditure, Inventory cycles - overview (400+)

- Configuration: SAP system landscape, R/3 customising, organisational objects, currencies, tax procedures, changes in customer/vendor master, document types, depreciation keys, overhead cost allocation, PO release, payment terms, pricing procedures in SD, credit controls, outgoing invoice posting / free goods, automatic account determination
- Authorisation: authorisation objects, user management, tolerance groups, workflows, conflicting combinations, own-developed transactions, super user, change management
- Masters: GL masters, customer masters, vendor masters, material masters, selling price, tax codes, quota arrangement, BOM; procedure manuals
- Risk-based queries (SD, MM, FI) using SAP + MS Access / AIS / critical tools / tables / LDB-SAP. E.g. at Eicher: SAP queries = 106+133+25, MS Access queries = 103+135+39
- Audit trails: configuration control, authorisation (change management), master & application (PO / sales order credits / FI documents)
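The authorisation checks behind two of the "common to all functions" risk statements (transaction authorisations not related to the assigned role, and conflicting combinations under segregation of duties) as an added Python example, not the author's or SAP's code. It resolves role assignments (AGR_USERS) and role transactions (AGR_TCODES) to a per-user transaction set, then tests that set against a conflict matrix and against the functions signed off for each job. The role names, user IDs, job sign-offs and the conflict pairs are constructed assumptions; the transaction codes are standard MM/FI ones.

```python
"""Authorisation checks for the 'common to all functions' risks: transaction
authorisations outside the user's assigned role, and conflicting (SoD)
combinations, run over downloaded role tables."""
from collections import defaultdict

# CONSTRUCTED extracts. AGR_USERS maps role -> user, AGR_TCODES maps
# role -> transaction code (the real tables carry more columns).
AGR_USERS = [
    ("Z_PURCHASER", "AKUMAR"), ("Z_PO_RELEASE", "RSHARMA"),
    ("Z_STORES", "PDAS"), ("Z_AP_CLERK", "MJOSHI"),
    ("Z_PURCHASER", "JSMITH"), ("Z_STORES", "JSMITH"), ("Z_AP_CLERK", "JSMITH"),
    ("Z_VENDOR_MASTER", "MJOSHI"),
]
AGR_TCODES = [
    ("Z_PURCHASER", "ME21N"), ("Z_PO_RELEASE", "ME28"), ("Z_STORES", "MIGO"),
    ("Z_AP_CLERK", "MIRO"), ("Z_AP_CLERK", "F-53"),
    ("Z_VENDOR_MASTER", "FK01"), ("Z_VENDOR_MASTER", "XK01"),
]

# Business functions as sets of transaction codes. The grouping and the
# conflict pairs are an illustrative ASSUMPTION, not an SAP or audit standard;
# real matrices are organisation specific.
FUNCTIONS = {
    "create PO": {"ME21N"},
    "release PO": {"ME28"},
    "goods receipt": {"MIGO"},
    "invoice verification": {"MIRO"},
    "vendor master": {"FK01", "XK01"},
    "vendor payment": {"F-53", "F110"},
}
CONFLICTS = [
    ("create PO", "release PO"),
    ("create PO", "goods receipt"),
    ("goods receipt", "invoice verification"),
    ("vendor master", "vendor payment"),
    ("invoice verification", "vendor payment"),
]

# Functions each job is signed off for by HR / the process owner (CONSTRUCTED).
JOB_FUNCTIONS = {
    "AKUMAR": {"create PO"}, "RSHARMA": {"release PO"}, "PDAS": {"goods receipt"},
    "MJOSHI": {"invoice verification", "vendor payment"},
    "JSMITH": {"create PO"},
}


def user_tcodes(agr_users=AGR_USERS, agr_tcodes=AGR_TCODES):
    """Resolve role assignments to the set of transaction codes per user."""
    role_tcodes = defaultdict(set)
    for role, tcode in agr_tcodes:
        role_tcodes[role].add(tcode)
    users = defaultdict(set)
    for role, user in agr_users:
        users[user] |= role_tcodes[role]
    return dict(users)


def user_functions(tcodes):
    """Business functions reachable with the given transaction codes."""
    return {f for f, codes in FUNCTIONS.items() if codes & tcodes}


def sod_conflicts(users):
    """Users holding both sides of a conflicting function pair."""
    findings = []
    for user, tcodes in sorted(users.items()):
        held = user_functions(tcodes)
        for a, b in CONFLICTS:
            if a in held and b in held:
                findings.append((user, a, b))
    return findings


def role_mismatches(users, job_functions=JOB_FUNCTIONS):
    """Functions a user can execute beyond the job signed off for them, i.e.
    authorisations not related to the assigned responsibility."""
    findings = []
    for user, tcodes in sorted(users.items()):
        extra = user_functions(tcodes) - job_functions.get(user, set())
        if extra:
            findings.append((user, tuple(sorted(extra))))
    return findings


if __name__ == "__main__":
    users = user_tcodes()
    for f in sod_conflicts(users):
        print("SoD conflict:", *f)
    for f in role_mismatches(users):
        print("outside assigned role:", *f)
```

Note that MJOSHI's conflict between invoice verification and vendor payment comes from the signed-off job itself, so the role mismatch check stays silent on it while the SoD check still reports it; the two checks answer different questions and both belong in the register.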

Technical - Basis application infrastructure in SAP R/3

4 key Basis tools + utilities:
A. Installation Management Guide (IMG) - SPRO
B. ABAP/4 Workbench & Transport System (Development + Test + Production)
C. Computing Center Management System (CCMS): utilities to monitor, control & configure R/3: start-up, shut-down, network monitoring, security, back-ups, alerts, troubleshooting, system configuration & system profile management, DBA, profile security
D. Profile Generator & Security Administration (PG&SA): SUIM (authorisation information system), SU03 (maintain authorisations)

Risks in Installation Management

1. The organisation models: SPRO & SCC4 control production client settings. Risks are: incorrect consolidation / inadequate reporting / incorrect MIS / manual work-arounds.
2. Critical number ranges: assigned to individual DB records; internal numbers by SAP & external numbers by users (SNRO + SUIM + SPRO).
3. Modification of critical tables: SAP tables other than X* / Y*; table fields (SE16 / SE11 / DD03M).

Risks in ABAP/4 Workbench & Transport (SE38/SA38)

- Change control procedure (programmes, queries)
- Development & testing servers
- Transport system testing; logs
- Emergency change procedures

Risks in Computing Center Management System (CCMS)

- Batch processing control: batch input (SM35), administration (SM64), processing (SM36)
- Application server parameters: a) login / password expiration: 180 days; b) minimum password length: 6-8; c) login / fails to session end: incorrect password 3 times
- Locking transaction codes: SM01 (users who have access to lock / unlock T-codes)
- Restricted passwords: default passwords, names
- SAP Router: permission table authorisation with valid IP address (port 3200)
- On-line support systems: remote access for the SAP vendor (SAP Marketplace, Web)
- Remote function call: programme interfaces (SM59); use of E-SCORE / EPIC / DMS / ITS etc.

Risks in Profile Generator (PFCG): Security Admin

- Profile (create / change / display)
- Super user SAP*, SAP_ALL authorisation (biggest risks)
- Authorisation documentation
- Log + trace file
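The application server login parameters called out on the CCMS slide above, checked against their stated values as an added Python example (not from the slides or from SAP). It parses a simple "name value" listing, such as one pasted from an RSPARAM report, and reports every parameter that misses the baseline or is not set at all. The listing is constructed; the two extra parameters and their thresholds are assumptions tied to the SAP* super-user risk on the Profile Generator slide.

```python
"""Baseline check of the login parameters the slides call out, run over a
parameter listing downloaded from the system (RSPARAM output or profile)."""

# CONSTRUCTED listing in 'name value' form. The parameter names are the
# standard SAP profile parameters; the expected values come from the slides
# (180-day expiry, 6-8 character minimum, 3 failed attempts ends the session).
# Thresholds for login/fails_to_user_lock and login/no_automatic_user_sapstar
# are ASSUMED additions tied to the SAP* super-user risk.
SAMPLE_LISTING = """
# parameter                          value
login/password_expiration_time       0
login/min_password_lng               8
login/fails_to_session_end           3
login/fails_to_user_lock             12
login/no_automatic_user_sapstar      0
rdisp/gui_auto_logout                1800
"""

# name -> (predicate on the integer value, requirement text)
BASELINE = {
    "login/password_expiration_time": (lambda v: 1 <= v <= 180,
                                       "password must expire within 180 days"),
    "login/min_password_lng": (lambda v: v >= 6,
                               "minimum password length of 6-8 characters"),
    "login/fails_to_session_end": (lambda v: 1 <= v <= 3,
                                   "session ends after at most 3 wrong passwords"),
    "login/fails_to_user_lock": (lambda v: 1 <= v <= 5,
                                 "user locked after at most 5 wrong passwords (assumed)"),
    "login/no_automatic_user_sapstar": (lambda v: v == 1,
                                        "SAP* must not be re-created automatically (assumed)"),
}


def parse_listing(text):
    """Parse 'name value' lines, skipping blanks and '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        params[name] = value.strip()
    return params


def check_login_parameters(params, baseline=BASELINE):
    """Return (parameter, observed, requirement) for every baseline miss.
    A parameter absent from the listing is reported too: the kernel default
    then applies and cannot be taken as compliant without checking it."""
    findings = []
    for name, (ok, requirement) in baseline.items():
        raw = params.get(name)
        if raw is None:
            findings.append((name, "<not set>", requirement))
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append((name, raw, requirement))
            continue
        if not ok(value):
            findings.append((name, raw, requirement))
    return findings


if __name__ == "__main__":
    for name, observed, requirement in check_login_parameters(parse_listing(SAMPLE_LISTING)):
        print(f"{name}: observed {observed}; {requirement}")
```

Because parameters can differ per application server and per instance profile, the listing should be taken from every instance in the landscape, not only from the one the auditor happens to log on to.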

ERP implementation - Learnings for auditors

- Managing in-charge: higher number of IS auditors than traditional-profile auditors; ERP-trained auditors (functional / query)
- Audit methodology: risk assessment of the audit universe (H/M/L); audit manuals (query): Excel, MS Access; segregation of duties; user authorisation (object level security); customised to fit each organisation's unique needs
- Role of auditor: integrated approach (involvement in the project at an early stage for design + controls of systems); pre-implementation review before go-live (business case, project risks, application security design); post-implementation review (application); quality assurance; BPR programme
- Audit involvement during selection & implementation: contribute to the project by establishing the control environment
- Audit response: environment evaluation from a risk perspective; subject specialists (SD, MM, Tax) & an ERP-competent team; efficient audit; audit universe (business application + Basis application infrastructure); use HELP

Audit Excellence Model / Global best practices (COSO)

Mapping in COSO (Committee of Sponsoring Organizations of the Treadway Commission)
A. 3 objectives identified: 1. Operations; 2. Financial reporting; 3. Compliance
B. 5 components of internal control:
1. Control environment: ethics, values, standards
2. Risk assessment: technology, operation, finance, heat maps (risk impact vs exposure)
3. Control activities: KPI, policies, procedures, TQM, physical safeguards
4. Information & communication: up & down, adequacy, quality, timeliness
5. Monitoring & controls: internal controls, physical verification, overheads, MIS, feedback, forums etc.

Audit Excellence Model / Global best practices (COBIT)

Mapping to COBIT (Control Objectives for Information and related Technology)

Main process                  | No. of key processes
Planning and Organisation     | 11
Acquisition & Implementation  | 6
Delivery & Support            | 13
Monitoring                    | 4

Level of controls - assessment:
0. Non-existent
1. Initial / ad hoc
2. Repeatable but person dependent
3. Defined: standardised & documented
4. Managed: monitoring OK & feedback system
5. Optimised control: industry best practices

New Directions in ERP Auditing

- Risk-based auditing linked to COSO & COBIT
- Professional ethics & standards
- AIS (materiality) + query development (table download + MS Access)
- Auditing tools: ACL / IDEA etc. and many more
- On-line continuous audit (remote desktop auditing)
- E-enabled applications (vendors / dealers, P2P, B2C)
- Outsourcing: competence / cost-benefit based
- 100% transaction audit / audit through computers
- Continuously enhancing ERP competencies
- Qualified auditors: CIA / CISA

References

www.theiia.org - Internal auditing: Guidance for the profession: Code of Ethics; International Standards for the Professional Practice of Internal Auditing; Practice Advisories; Development & Practice Aids

www.isaca.org - IS Auditing Standards; IS Auditing Guidelines; IS Auditing Procedures; Standards for Professional Information System Control

http://www.sapgenie.com/ (Google search based); http://www.sap.com services / education; http://www.sap.com/ Community; Help ..sap.com

Thank you

Arvind Dang
98711 41333 Adang@eicher.co.in
