
ERP Audit


R. M. Johri
Principal Director (Information Systems & IT Audit)

 An Enterprise Resource Planning (ERP) system is a fully integrated business management system covering functional areas of an enterprise such as logistics, production, finance, accounting and human resources. It organises and integrates operational processes and information flows to make optimum use of resources: men, materials, money and machines.
 In simple words, Enterprise Resource Planning (ERP) promises one database, one application and one user interface for the entire enterprise, where once disparate systems ruled manufacturing, distribution, finance and sales. Taking information from every function, it is a tool that assists employees and managers to plan, monitor and control the entire business.
 A modern ERP system enhances the ability of a manufacturer to schedule production accurately, utilise capacity fully, reduce inventory and meet promised shipping dates.
General model of an ERP system

An ERP system is not merely the integration of various organisational processes. A system has to possess a few key characteristics to qualify as a true ERP system. These features are:
 Flexibility
 Modular and open
 Comprehensive
 Beyond the company
 Best business practices

 Provides multi-platform, multi-facility, multi-mode manufacturing, multi-currency and multi-lingual facilities.
 Supports strategic activities, operational planning and execution of activities.
 Facilitates end-to-end Supply Chain Management (SCM) to optimise the overall demand and supply data.
 Facilitates a company-wide integrated information system covering all functional areas like manufacturing, sales and delivery, payables, receivables, inventory, accounts and human resources.
 Bridges the information gap across the business.
 Provides complete integration of systems not only across departments but also across companies under the same management.
 Facilitates better project management.
 Provides intelligent business tools like Decision Support Systems, Executive Information Systems, data mining etc. to enable better decisions.
Audit Objectives in an ERP Environment

 The fundamental objectives of an audit of controls do not change in an ERP environment.
 When evaluating controls over ERP systems, decisions must be made regarding the relevance of operational internal control procedures to Information Technology (IT).
 Specific control procedures for audit objectives must be tested.
 In addition to primary audit responsibilities, auditors should be able to provide advice on the effective design of control procedures.
 Audit should communicate significant weaknesses that come to its notice.
 Auditors should also be alert to weaknesses that require special reviews, and be capable of assessing computer systems under development in addition to existing ones.
 ERPs have substantially altered the way administrative processes such as payroll, accounts payable, inventory, sales and accounts receivable operate, are controlled and are audited.
 Opportunities for personal review and clerical checking have declined as the collection and subsequent use of data have changed.
 The changes are the result of moving from manual procedures performed by individuals familiar with both the data and the accounting process to high-volume automated processes performed by individuals unfamiliar with either the data or the accounting practices.
 It is imperative, therefore, that these systems are reviewed as they are being implemented, to ensure that adequate controls and security are designed into the ERP system from the outset.
ERP Audit - Focus Areas

 Auditing in an EDP environment can be divided into two broad areas: first, the audit of ERP systems under implementation, and second, the audit of operational ERP systems.
 In an under-implementation audit there is no operational system or output data. The auditor evaluates controls without the benefit of observing processing results. Here the auditor is concerned with ensuring that the implementation procedures and standards have been properly followed.
 An operational audit of ERP systems evaluates the results of the automated processes. It is normally data oriented and looks at processed transactions. The adequacy and effectiveness of the system controls can be evaluated by examining the results of operation (i.e. did the application produce the anticipated outcome?).

The risks in an ERP environment include both those present in a manual processing
environment and those that are unique or increased in an ERP environment. These risks
may pertain to any of the following:
 Improper Use of Technology
 Inability to Control Technology
 Inability to Translate User Needs into Technical Requirements
 Illogical Processing
 Inability to React Quickly
 Cascading of Errors

 Repetition of Errors
 Incorrect Entry of Data
 Concentration of Data
 Inability to Substantiate Processing
 Concentration of Responsibilities
 Program Errors
 Misuse by Authorized End Users
 Ineffective Security Practices for the Application

Internal control systems are set up to help mitigate the risks discussed above. The purpose of internal control systems is to reasonably ensure that:
 Obligations comply with applicable laws.
 All assets are safeguarded against waste, loss, unauthorised use and misappropriation.
 Revenues and expenditures arising as a result of organisational operations are properly recorded and fairly reflected in financial statements, so that the accounts are reliable.
Control Objectives

 Control objectives are high-level statements of intent by management to ensure that departmental programmes designed to fulfil the organisation's strategic plans are carried out effectively and efficiently.
 These statements of intent embody the plan of organisation and all the related systems established by management to safeguard assets, check the accuracy and reliability of financial data, promote operational efficiency and encourage adherence to prescribed management policies.
 Control objectives may differ, depending upon the type, scope, and purpose of the
 There could be several internal control objectives for a given business risk, so that the risk is adequately addressed.
Common Internal Control Objectives

 Transactions are properly authorized (Authorized).

 Transactions are recorded on a timely basis (Timeliness).
 Transactions are accurately processed (Accuracy).
 All existing transactions are recorded (Completeness).
 All recorded transactions are valid (Validity).
 Transactions are properly valued (Valuation).
 Transactions are properly classified and posted to proper accounts and subsidiary
records (Classification).
 Transactions are properly summarized and reported (Reporting).
Common Internal Control Objectives (contd.)

 Assets, including software programs, data, human resources, computer facilities, etc.
are safeguarded against damage, theft, and so forth (Security).
 System and data integrity is maintained (Integrity).
 System availability is assured (Availability).
 System controllability and auditability is maintained (Controllability and Auditability).
 System maintainability is assured (Maintainability).
 System usability is assured (Usability).
 System economy and efficiency are maintained (Efficiency).
Key Control Techniques

Each control objective is met by one or more control techniques. These techniques are
the ways and means by which the management controls the operations. They are varied
in nature and exist as:
 Procedures and policies. For example, independent balancing, cancellation of
documents after processing, independent signing for approval of prepared source
documents, competent and trustworthy personnel, segregation of duties, mandatory
vacations and rotation of duty assignments.
 Information systems design. For example, numerically pre-numbered forms, message
authentication, console logs, encryption, range and limit checks on input fields.
 Physical controls. For example, combination locks for vaults, card acceptor devices for
restricted access areas.
 Segregation of duties.
Indian auditing experience in ERP Audit

 There is no doubt that ERP has been gaining popularity all over the world. However, its growth in India has taken place more rapidly in the private sector than in the public or government sector.
 Still, one can find a number of public sector enterprises which have implemented ERP. The coming slides discuss some of the audit findings of a few selected public sector enterprises.
Indian Oil Corporation Limited
(ranks 83rd in the list of Fortune 500 companies, with a turnover of US$ 20 billion)

 Indian Oil Corporation Limited undertook an IT re-engineering project named 'Manthan' in 1997 and selected SAP R/3 with IS-OIL (the SAP R/3 industry solution that caters to the needs of the oil industry) as its ERP package. The project was implemented in April 2004.
 The Company has around 10,000 users and 700 sites spread across the country working on SAP.
 Users from distant parts of the country are able to access and make transactions in SAP on a real-time basis.
 The Company has kept its database and application servers at the corporate data centre, Gurgaon, and they are accessible through leased line and/or VSAT from all State Offices, Refineries and Pipeline Unit networks. Other units such as Terminals, Depots and Bottling Plants are connected to SAP through the nearest State Office / Refinery. Along with the e-security audit of the system, the finance module of SAP was also selected for audit.
Indian Oil Corporation Limited (Audit Observations)

 The user profile was not properly defined.
 Out of 13,451 user IDs, 955 user IDs were common, i.e. used by more than one user. It was found that these common user IDs were still carrying create / change / cancel / delete authorisations.
 In the absence of a corporate IT policy, different virus, malware and spyware protection software were being used at different offices and sites. Further, internet content could not be filtered through a uniform firewall policy.
Indian Oil Corporation Limited (Audit Observations)

A security review of the Company revealed the following deficiencies:
 It was noticed that 29 combinations of two or more conflicting critical transaction codes, involving processing of sale orders / invoices / deliveries, payments, creation, settlement, change, deletion etc., were extended to groups of users numbering from 18 to 4,808. It was observed that users' role rationalisation, authorisation and segregation of duties were deficient.
 88 users other than the BASIS team were given access to sensitive transaction codes.
 The password policy of the Company allowed simple, trivial and non-alphanumeric passwords to be entered, which made the system vulnerable to security threats.
Indian Oil Corporation Limited (Audit Observations)

 Finance module: the Finance Module (FI) was designed for management of the processes involved in preparation of the accounts. The FI module has inter-linkages with all the modules in the ERP system and consolidates all the financial information to generate the financial statements of the Company.
 The IT audit was conducted keeping in view the importance, criticality and efficacy of the FI module in the preparation and generation of the accounts of the Company.
 The deficiencies illustrated in the next slide were observed in the finance module, due to which the reports generated from the system could not be relied upon. Persistence of these deficiencies resulted in regulatory requirements not being met.
Indian Oil Corporation Limited (Audit Observations)

 The date of commencement of depreciation was 3 to 14 months prior to the date of capitalisation in respect of 15,805 assets, and 1 to 15 months after the date of capitalisation in respect of 4,391 assets.
 It was found that the provisions of Schedule XIV of the Companies Act 1956 were not adopted in the accounts of the Company, which led to unreliability of the information.
 The quantity was indicated as zero for 27,011 assets worth Rs. 6,520 million and, thus, the correctness of the depreciation provided could not be ensured.
 Analysis of purchase orders / work orders released through the system showed that, in respect of service contracts, POs/WOs were created (19,406 in 2007-08 and 12,705 in 2008-09) in the system only at the time of or after the receipt of goods/invoices for the services rendered (details given to the Company).
Indian Oil Corporation Limited (Audit Observations)

 GR/IR is an intermediary account used for payments against goods received. Analysis showed that more than three lakh (300,000) entries amounting to Rs. 20,911.2 million were pending clearance for periods ranging from one to four years, indicating lack of proper monitoring.
 It was observed that, though the stock balances are maintained in the system, the valuation of stocks is done outside the system, which defeated the purpose of the ERP system.
 The Company decides and assigns credit limits to various categories of customers, which are accordingly entered into the system. Analysis of data on credit extended to customers showed that there were inadequate validation checks against the credit limits maintained in the system, which resulted in an overdue amount of Rs. 2,948.9 million in respect of 293 customers who had exceeded their credit limit.
 Each customer is allotted a unique code. However, more than one customer code was assigned to the same customer in 1,552 cases in the customer master.
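The findings on this slide are of the kind an auditor reproduces with data-oriented tests over extracts from the FI module. The following is an added example, not code from the audit or from SAP: it runs three such tests over constructed records (all field names and values are assumptions standing in for the real asset master, GR/IR open-item and customer credit master columns): depreciation commencement versus capitalisation date, ageing of uncleared GR/IR items, and credit exposure against the credit limit, keeping the zero-limit and missing-credit-data cases separate from ordinary overruns.

```python
"""Data-oriented audit tests over constructed SAP FI-style extracts.

Added example; this is not code from the audit report or from SAP. All records
below are constructed, and the field names (cap_date, dep_start, posted, ...)
are assumptions standing in for the real table columns an auditor would extract.
"""
from datetime import date


def months_between(earlier, later):
    """Whole calendar months from `earlier` to `later` (negative if later comes first)."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


# --- Test 1: depreciation start vs. capitalisation date ----------------------
ASSETS = [  # constructed asset master records
    {"asset": "A1001", "cap_date": date(2007, 6, 15), "dep_start": date(2007, 6, 1), "qty": 1, "value": 1_250_000},
    {"asset": "A1002", "cap_date": date(2007, 9, 1), "dep_start": date(2007, 3, 1), "qty": 1, "value": 400_000},
    {"asset": "A1003", "cap_date": date(2006, 12, 1), "dep_start": date(2008, 3, 1), "qty": 2, "value": 90_000},
    {"asset": "A1004", "cap_date": date(2008, 1, 10), "dep_start": date(2008, 1, 1), "qty": 0, "value": 2_000_000},
]


def depreciation_date_exceptions(assets):
    """Assets whose depreciation started in a different month than capitalisation.

    Returns {"early": [(asset, months_before)], "late": [(asset, months_after)]}.
    A start within the month of capitalisation is treated as normal.
    """
    early, late = [], []
    for a in assets:
        gap = months_between(a["cap_date"], a["dep_start"])
        if gap < 0:
            early.append((a["asset"], -gap))
        elif gap > 0:
            late.append((a["asset"], gap))
    return {"early": early, "late": late}


def zero_quantity_assets(assets):
    """Assets with zero quantity but a book value: their depreciation cannot be verified."""
    hits = [(a["asset"], a["value"]) for a in assets if a["qty"] == 0 and a["value"] > 0]
    return hits, sum(v for _, v in hits)


# --- Test 2: GR/IR clearing account ageing ------------------------------------
GRIR_OPEN_ITEMS = [  # constructed open items on the GR/IR clearing account
    {"doc": "5000001", "posted": date(2005, 4, 12), "amount": 150_000.0},
    {"doc": "5000002", "posted": date(2008, 11, 3), "amount": 42_500.0},
    {"doc": "5000003", "posted": date(2006, 8, 20), "amount": 980_000.0},
    {"doc": "5000004", "posted": date(2009, 2, 1), "amount": 12_000.0},
]


def grir_ageing(items, as_of=date(2009, 3, 31), min_age_years=1):
    """Bucket open GR/IR items by whole years outstanding, dropping recent ones.

    Returns {years_old: {"count": n, "amount": total}} for items at least
    `min_age_years` old. Items uncleared for over a year are goods received
    without invoice (or invoices without goods) that nobody followed up.
    """
    buckets = {}
    for it in items:
        years = (as_of - it["posted"]).days // 365
        if years >= min_age_years:
            b = buckets.setdefault(years, {"count": 0, "amount": 0.0})
            b["count"] += 1
            b["amount"] += it["amount"]
    return buckets


# --- Test 3: credit extended vs. credit limit ---------------------------------
CUSTOMERS = [  # constructed customer credit master; limit None = no credit data at all
    {"customer": "C100", "credit_limit": 500_000, "exposure": 420_000},
    {"customer": "C101", "credit_limit": 0, "exposure": 150_000},
    {"customer": "C102", "credit_limit": None, "exposure": 75_000},
    {"customer": "C103", "credit_limit": 200_000, "exposure": 260_000},
]


def credit_limit_exceptions(customers):
    """Separate the three failure modes a limit check must distinguish."""
    out = {"missing_credit_data": [], "zero_limit_with_exposure": [], "over_limit": []}
    for c in customers:
        limit, exposure = c["credit_limit"], c["exposure"]
        if limit is None:
            out["missing_credit_data"].append(c["customer"])
        elif limit == 0 and exposure > 0:
            out["zero_limit_with_exposure"].append(c["customer"])
        elif exposure > limit:
            out["over_limit"].append((c["customer"], exposure - limit))
    return out


if __name__ == "__main__":
    print(depreciation_date_exceptions(ASSETS))
    print(zero_quantity_assets(ASSETS))
    print(grir_ageing(GRIR_OPEN_ITEMS))
    print(credit_limit_exceptions(CUSTOMERS))
```

The credit test deliberately does not treat a zero limit as "over limit by the full exposure": a limit of zero usually means the credit master was never maintained, which is a master-data finding, whereas an overrun against a real limit is a validation finding in the order-entry process.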
GAIL (India) Limited (a company having a turnover of US$ 8 billion)

 GAIL (India) Limited (the Company) was incorporated in 1984 as the principal gas transmission and marketing company of India and has since expanded its activities into exploration, production, processing, transmission, distribution and marketing of petrochemicals, Liquefied Petroleum Gas and telecommunications.
 The Company implemented the SAP ERP solution in August 2005 at an estimated cost of Rs. 550 million.
 The Company covered its entire business through nine integrated SAP modules. SAP R/3 release 4.7C has been installed on the Solaris 9 operating system and platform, and Oracle is used as the database management system.
GAIL (India) Limited (Audit Observations)

 The FICO module of SAP handles all the financial transactions of the Company. This module is used for maintaining books of accounts, asset management and preparation of final accounts including the balance sheet, profit & loss account, etc. Test check of transactions, balances and reports revealed the following observations on accounts receivable, accounts payable, general ledger accounting and asset accounting.
 Vendor master: the Company was maintaining 44,039 vendor master records. Review of these records revealed:
(a) purchase orders were placed on vendors with incomplete details;
(b) duplicate vendors.
GAIL (India) Limited (Audit Observations)

 Missing credit master data: the Company was maintaining credit data of its customers, which includes the credit limit and the actual credit extended against it. It was seen that credit data was not available for 5,188 out of 9,839 customers. Of these, 797 customers were carrying an outstanding balance of Rs. 13,023.7 million.
 Multiple vendors with the same bank account: it was seen that 76 vendor records were attached to 37 bank accounts, indicating a risk of irregular payments.
 Incorrect posting in GL accounts:
GAIL (India) Limited (Audit Observations)

 Assets carrying negative value: as per the general principles of asset accounting, assets should not carry negative balances, since that would turn them into liabilities rather than assets. During review of assets for the year 2008-09, it was found that some assets were carrying negative balances.
 Credit extended beyond credit limit: a review of the credit management data of customers was carried out and it was seen that the credit extended was not validated against the respective credit limit prescribed. As a result, 307 customers for whom the credit limit was defined as zero were extended credit of Rs. 3,080.6 million.
 Payment trail in SAP: to facilitate a trail on the payment cycle it is necessary that the date of the vendor invoice and the date of receipt of the invoice are captured in the system. It was observed that the system had not been customised to capture these dates.
GAIL (India) Limited (Audit Observations)

 Users with critical combinations of procurement functions: the major functions in a procurement cycle include placing a Purchase Requisition (PR), release i.e. approval of the PR, creation of a Purchase Order (PO), release of the PO indicating its approval, creation of vendor masters, modification of vendor masters, receipt of goods, receipt of invoice and processing of payment. Since all these functions have a bearing on the outflow of funds, the rationalisation of the combinations of transactions assigned to users was important.
During review it was found that users enjoyed various combinations of critical transactions, the details of which are as follows:
(i) eight hundred users were authorised to create a PR and release i.e. approve the PR;
(ii) nineteen users were authorised to create a PO and release i.e. approve the PO; and
(iii) thirteen users were assigned roles to receive goods (make a Goods Receipt Voucher) and process vendor invoices.
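Both the IOCL finding (conflicting critical transaction codes extended to groups of users) and the GAIL procurement finding above come out of the same test: resolve each user's roles to the transaction codes they can actually execute, then check the resulting set against a matrix of conflicting duties. Roles reviewed one at a time look clean; the conflict only appears in the combination. The code below is an added example, not from the audit report or from SAP. AGR_USERS (user-to-role) and AGR_TCODES (role-to-transaction code) are named only as the real SAP tables such an extract would come from; the role names, user IDs and conflict rules are constructed, and the matrix is illustrative rather than a complete SoD rule set.

```python
"""Segregation-of-duties (SoD) test over SAP-style authorisation extracts.

Added example; not code from the audit report or from SAP. The three tables
below are constructed stand-ins for extracts from AGR_USERS (user-to-role)
and AGR_TCODES (role-to-transaction code); roles, users and rules are hypothetical.
"""
from collections import defaultdict

# Constructed: role -> transaction codes it grants (standard SAP MM/FI tcodes).
ROLE_TCODES = {
    "Z_PR_CREATE":    {"ME51N"},           # create purchase requisition
    "Z_PR_RELEASE":   {"ME54N"},           # release (approve) PR
    "Z_PO_CREATE":    {"ME21N"},           # create purchase order
    "Z_PO_RELEASE":   {"ME29N"},           # release (approve) PO
    "Z_VENDOR_MAINT": {"XK01", "XK02"},    # create / change vendor master
    "Z_GR_POST":      {"MIGO"},            # goods receipt
    "Z_INV_VERIFY":   {"MIRO"},            # invoice verification
    "Z_PAYMENT_RUN":  {"F110"},            # automatic payment run
    "Z_DISPLAY":      {"ME23N", "XK03"},   # display-only access
}

# Constructed: user -> roles assigned. Each role is clean on its own; the
# conflicts arise only from the combination, which a role-by-role review misses.
USER_ROLES = {
    "UKUMAR":  {"Z_PR_CREATE", "Z_PR_RELEASE"},
    "RSINGH":  {"Z_PO_CREATE", "Z_PO_RELEASE", "Z_DISPLAY"},
    "AMEHTA":  {"Z_GR_POST", "Z_INV_VERIFY"},
    "PRAO":    {"Z_VENDOR_MAINT", "Z_PAYMENT_RUN"},
    "SDAS":    {"Z_PR_CREATE", "Z_DISPLAY"},
    "AUDIT01": {"Z_DISPLAY"},
}

# Conflict rules: two sides of a duty that one person must not hold together.
# Holding any code from side A together with any code from side B is a violation.
SOD_RULES = {
    "PR create + PR release":        ({"ME51N"}, {"ME54N"}),
    "PO create + PO release":        ({"ME21N"}, {"ME29N"}),
    "Goods receipt + invoice entry": ({"MIGO"}, {"MIRO"}),
    "Vendor master + payment run":   ({"XK01", "XK02"}, {"F110"}),
}


def effective_tcodes(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Flatten a user's roles into the set of transaction codes they can run."""
    codes = set()
    for role in user_roles.get(user, ()):
        codes |= role_tcodes.get(role, set())
    return codes


def sod_violations(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES, rules=SOD_RULES):
    """Map each conflict rule to the sorted list of users who hold both of its sides."""
    hits = defaultdict(list)
    for user in sorted(user_roles):
        codes = effective_tcodes(user, user_roles, role_tcodes)
        for rule, (side_a, side_b) in rules.items():
            if codes & side_a and codes & side_b:
                hits[rule].append(user)
    return dict(hits)


def violation_counts(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES, rules=SOD_RULES):
    """Per-rule user counts, the figure the findings quote ('extended to 800 users')."""
    return {rule: len(users) for rule, users in sod_violations(user_roles, role_tcodes, rules).items()}


if __name__ == "__main__":
    for rule, users in sod_violations().items():
        print(f"{rule}: {len(users)} user(s) -> {', '.join(users)}")
```

Running the test against a real extract means replacing the two constructed dictionaries with the AGR_USERS and AGR_TCODES downloads and deciding, with the business, which combinations belong in the rule set; the mechanics of the check do not change. Note that display-only users (AUDIT01) and users holding one side of a duty (SDAS) produce no hits, so the output is the exception list the auditor takes to the BASIS team, not a list of everyone.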
Bharat Sanchar Nigam Limited (having a turnover of US$ 5 billion)

 Bharat Sanchar Nigam Limited introduced SAP R/3 version 4.7 in Gujarat Telecom Circle (GTC). The SAP ERP server is installed at the ERP Data Centre at Ahmedabad, and LAN (Local Area Network) / WAN (Wide Area Network) links were used for connecting the R/3 environment to the nodes at Secondary Switching Areas (SSAs). The work of implementation of ERP in GTC was awarded to Siemens Information Systems Limited (SISL), Mumbai at a cost of Rs. 201.4 million.
 The objectives of implementation of ERP were to:
(i) improve the information flow to facilitate better decision making, leading to overall improvement in the performance of the organisation by way of improvements in productivity, cycle time, financial performance and information transparency;
(ii) convert GTC into a paperless working environment; and
(iii) reduce manpower requirements.
Bharat Sanchar Nigam Limited (Audit Observations)
However, it was observed that the desired objectives did not accrue to the Company due to the following:
 Implementation of ERP without finalisation of Business Process Re-engineering (BPR)
 No interface with the telephone revenue billing packages
 Non-digitisation of service details and records
 Declaration of 'Go Live' status even before achieving online status in various modules
 Improper customisation and mapping of rules on delegation of financial powers
 Lack of effective monitoring of the functioning of ERP
Bharat Electronics Limited (a company with a turnover of US$ 1 billion)

 The Company entered into an agreement (December 2004) with SAP INDIA SYSTEMS at a fee of Rs. 38.7 million for Enterprise Resource Planning (ERP) software, and with WIPRO for implementation of ERP at a total contract price of Rs. 56.5 million.
 The system is based on a 3-tier architecture (R/3). The application is run centrally on servers at Information Systems - Corporate Office {IS (CO)}. Clients are connected to the server through a Local Area Network for the Bangalore Complex and through a Wide Area Network for units outside Bangalore.
 Audit conducted a general review of the acquisition, implementation and utilisation of the ERP system.
Bharat Electronics Limited (Audit Observations)
 System design/customisation deficiencies:
(i) The system was configured to value the inventory at different rates with reference to the corresponding sale orders. This led to valuation of inventory contrary to the Company's accounting policy.
(ii) Lack of relational integrity was observed between the materials shown under work in progress (WIP) in the materials management module and the corresponding status of the material in the production planning module.
(iii) The system was not designed to adjust the advance payment immediately on receipt of material. This resulted in overlapping accounting entries, both debiting and crediting the inventory account, and wrong depiction of the accounting status of the payment as advances.
Bharat Electronics Limited (Audit Observations)
The absence of referential integrity between sale orders and production orders resulted in data inconsistency, incorrect valuation of raw material and manual intervention. This increased the risk of incorrect data being processed and accounted, as illustrated below:
 The value of the raw materials differed among account schedules, purchase price, stores ledger and pricing entry.
 Material worth Rs. 10.2 million was shown as 'finished goods' as on 31 March 2008 even though the material had been sold in March 2007.
 Test check of major completed sale orders revealed that, out of six sale orders selected, against three sale orders the production orders were not closed (May 2008). Hence, these were still shown under WIP and manual entries were resorted to in order to effect a value reduction (Rs. 23.6 million) in WIP as at 31 March 2008.
 Out of 3,702 production orders reviewed, 177 were created without linking to any authorised sale order.
Bharat Electronics Limited (Audit Observations)

 Absence of a uniform pattern for coding of material built into the system resulted in inconsistent material codes in the system.
 Incomplete capturing of details in columns like profit centre, purchasing group etc. affected the cost allocation.
 The non-incorporation of data in respect of net value, material code, vendor code, quantity etc. affected allocation of cost and the accounts of the units.
 The system was designed to block duplicate entries of vendors. However, inconsistency in the pattern of data entry led to duplicate vendor codes, which led to a risk of inconsistent order placement and deficient payment tracking for the vendors.
Konkan Railway Corporation Limited (a company having a turnover of US$ 32 million)

 KRCL developed an ERP system known as RAP containing seventeen modules, which was developed by Tata Infotech Limited (TIL) in 1995 and implemented in 2001.
 The main objectives of RAP were to increase efficiency in the various financial and operational functions of the organisation and the timely generation of various MIS reports to aid the Board of Directors of the Company in decision making.
 During 2004, KRCL decided to re-engineer the RAP system into a Java-based system known as JRAP.
KRCL - System Design Deficiencies

 The system was not designed to calculate rates as a percentage above or below the accepted tender rates. This resulted not only in duplication of work but in full dependence on manual controls.
 The system did not exhibit the opening balance of the ledger, resulting in this being incorporated through manual intervention to prepare the trial balance.
 After creation of the master database, the system did not display the relevant pop-ups at the time of entering data which were required to ensure data integrity. This led to multiple party codes for the same party in respect of supply contracts, works contracts and miscellaneous contracts.
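The duplicate master records noted across these audits (more than one customer code for the same customer at IOCL, duplicate vendors and vendors sharing a bank account at GAIL, duplicate vendor codes despite a duplicate block at BEL, multiple party codes at KRCL) have one root cause: the system compared raw strings, so variations in capitalisation, punctuation and suffixes slipped past the check. The tests below are an added example, not code from any of the audits or from SAP. They normalise names before comparing, flag distinct vendor codes paying into one bank account, and list records with mandatory fields blank. All records are constructed, the field names are assumptions standing in for vendor master (LFA1/LFBK) and customer master (KNA1) columns, and the list of noise tokens is an assumption about how the duplicates crept in.

```python
"""Duplicate- and incomplete-master-record tests over constructed vendor and
customer extracts.

Added example; not code from the audit reports or from SAP. Records, field
names and normalisation rules are constructed assumptions.
"""
import re
from collections import defaultdict

# Tokens that vary between duplicate entries of the same legal entity (assumed list).
NOISE_TOKENS = {"pvt", "private", "ltd", "limited", "co", "company", "inc", "the", "m", "s"}


def normalise_name(name):
    """Lower-case, strip punctuation and corporate suffixes, collapse whitespace.

    'Shree Engineering Pvt Ltd' and 'SHREE ENGINEERING PVT. LTD.' both become
    'shree engineering', so a duplicate block comparing raw strings lets the
    second one through while this comparison catches it.
    """
    tokens = re.sub(r"[^a-z0-9]+", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in NOISE_TOKENS)


VENDORS = [  # constructed vendor master records
    {"vendor": "V0001", "name": "Shree Engineering Pvt Ltd", "city": "Mumbai", "bank_key": "HDFC0000123", "account": "00123456789"},
    {"vendor": "V0002", "name": "SHREE ENGINEERING PVT. LTD.", "city": "MUMBAI", "bank_key": "HDFC0000123", "account": "00123456789"},
    {"vendor": "V0003", "name": "Patel Transport", "city": "Surat", "bank_key": "SBIN0001111", "account": "555000111"},
    {"vendor": "V0004", "name": "Mehta Cables", "city": "Pune", "bank_key": "HDFC0000123", "account": "00123456789"},
    {"vendor": "V0005", "name": "M/s Patel Transport", "city": "", "bank_key": "", "account": ""},
]


def _groups(records, id_field, key_fn):
    """Group record IDs by key_fn(record), keeping only groups with more than one member."""
    groups = defaultdict(list)
    for r in records:
        key = key_fn(r)
        if key:  # skip records whose key is empty (e.g. no bank data)
            groups[key].append(r[id_field])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def duplicate_vendors_by_name(vendors):
    """Vendor codes whose normalised names collide."""
    return _groups(vendors, "vendor", lambda v: normalise_name(v["name"]))


def vendors_sharing_bank_account(vendors):
    """Distinct vendor codes paying into one bank account: a red flag for irregular payments."""
    return _groups(
        vendors, "vendor",
        lambda v: (v["bank_key"], v["account"]) if v["bank_key"] and v["account"] else None,
    )


def incomplete_vendors(vendors, required=("name", "city", "bank_key", "account")):
    """Vendor codes with any mandatory field blank (the 'incomplete details' finding)."""
    return sorted(v["vendor"] for v in vendors if any(not v[f] for f in required))


CUSTOMERS = [  # constructed customer master records
    {"customer": "C100", "name": "Gujarat Chemicals Ltd", "city": "Vadodara"},
    {"customer": "C101", "name": "GUJARAT CHEMICALS LIMITED", "city": "Vadodara"},
    {"customer": "C102", "name": "Gujarat Chemicals Ltd", "city": "Ahmedabad"},
]


def duplicate_customers(customers):
    """Same normalised name *and* city -> likely one customer under several codes.

    City is kept in the key deliberately: a genuine group company in another
    city would otherwise be reported as a duplicate.
    """
    return _groups(
        customers, "customer",
        lambda c: (normalise_name(c["name"]), c["city"].strip().lower()),
    )


if __name__ == "__main__":
    print(duplicate_vendors_by_name(VENDORS))
    print(vendors_sharing_bank_account(VENDORS))
    print(incomplete_vendors(VENDORS))
    print(duplicate_customers(CUSTOMERS))
```

The bank-account grouping is the stronger test of the two vendor checks: two names can legitimately look alike, but two vendor codes remitting to the same account almost always means either a duplicate record or a payee that should not be there, which is why it is worth running even where the name check comes back clean.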
KRCL - Audit Observations

The JRAP-FA module is the backbone of the ERP system. Considering the significance of the financial and accounting module and its linkages with other modules, the working of the JRAP-FA module was audited and it was observed that:
 Critical activities had not been envisaged during system development and consequently certain activities that were part of the user's requirements had not been designed/developed;
 Certain activities were designed/developed but with deficiencies;
 The linkages and interfaces of the FA module with other modules were yet to be implemented (September 2007);
 The validation checks were inadequate, and critical changes in business rules were not incorporated/updated; and
 The business continuity and disaster recovery systems were deficient.
KRCL - Critical requirements not envisaged

 The system was not envisaged to generate region-wise trial balances although separate regional cost centres were maintained. Thus, the system could not monitor and evaluate the performance of different regions.
 Simple functions like calculation of tax deducted at source, sales tax, other taxes, etc. were not envisaged to be performed through the system. Thus, recovery/short recovery of the above items had to be calculated and monitored manually.
 The system was not envisaged to capture the accounting period to which bills related. Thus, important information like outstanding liabilities and prepaid expenses of the respective accounting period could not be generated. For example, a contractor's/supplier's bill which related to the accounting period 2006-07 could be accounted for in 2007-08 and vice versa, and prepaid insurance for the period 2007-08 could be booked as expenditure in 2006-07.
 Critical information relating to contracts, such as date of completion, number of extensions, penalty waived, and interest levied/waived for delayed completion/supply, was not envisaged to be captured to enable system-based monitoring and evaluation of the execution of contracts.
Thank You