Auditing in the ERP Environments, 10 June 2006

Auditing in the ERP Environments - By Arvind Dang

Jan 22, 2015

Transcript
1. Auditing in the ERP Environments, 10 June 2006

2. AGENDA

  • 1. GENERAL OVERVIEW: ERP for any business, ERP solutions, SAP R/3 architecture and application components
  • 2. MODULES IN ERP: Logistics and Accounting (navigation of screens), core business cycle in a manufacturing unit
  • 3. RISK ASSESSMENT IN ERP: methodology (quantification model: impact = severity x detection, exposure), risk statements for SD/MM/FI and common examples, module-wise risk registers and heat maps, revenue, expenditure and inventory cycles, summing up
  • 4. TECHNICAL RISKS IN ERP: Basis application infrastructure; risks in installation management, ABAP/4 workbench and transport (SE38/SA38), computing centre management system, profile generator (PGFC)
  • 5. AUDIT IMPLEMENTATION IN ERP: learnings for auditors, excellence model / global best practices (COBIT/COSO) and new directions in ERP auditing

3. General Overview - Any Business (diagram): a production/service enterprise at the centre, linked to purchases (quantity, value) from vendors giving rise to payables, fixed assets (FA), sales orders billed to customers giving rise to receivables, HR (wages and salary), statutory bodies, shareholders and other business associates.

4. ERP solutions - what do they enable? 1. Managing and supporting the resources of the organisation efficiently:

  • Employees
  • Customers
  • Vendors
  • Share Holders
  • Production Process
  • Material & Services

5. ERP solutions - what do they enable (continued)

  • 2. Increasing competitiveness
  • 3. Reducing costs
  • 4. Improving operational reporting
  • 5. Improving the quality of decision making
  • 6. Enhancing customer service
  • 7. Improving profitability
  • 8. Providing integrity of data
  • 9. Enhancing productivity of the value chain
  • 10. Speed

6. ERP solutions - what do they enable (continued)

  • ERP solutions are integrated, configurable, real time and often available as cross-industry solutions.
  • Today's presentation is primarily based on SAP, although many ERP solutions with similar concepts are in use, e.g. Oracle, J.D. Edwards, Baan, Mfg Pro.
  • SAP = Systems, Applications, Products in Data Processing
  • ERP cost per user licence (approximate): information users Rs. 60K+, operational users Rs. 90K+, developers Rs. 350K+
  • AMC (annual maintenance contract): 17 ~ 20%
  • ERP at Eicher = SAP 4.7c (375 users)

7. SAP R/3 Architecture - 3 layers: Presentation layer, Application layer, Database layer
  • Presentation layer: the SAP R/3 GUI (Enterprise 4.7c/ECC5) with which users interact
  • Application layer: application servers running the SAP R/3 kernel, which executes the ABAP/4 programs (Windows 2003 Server, Service Pack 1)
  • Database layer:

  • RDBMS (e.g. Oracle 9i, patch level 4) holding the ABAP/4 dictionary, program source and executables
  • Transaction codes (SE16 / TSTCT) = 120314
  • Tables (DB02) = 35650

8. SAP R/3 Enterprise - Application components (diagram): ERP at the centre, surrounded by AM, PS, CO, SD, QM, PM, HR, IS, WF, FI, MM and PP

9. Modules in Logistics - Navigation of Screen

  • Logistics General (LO)
  • Product Lifecycle Management (PLM)
  • Sales & Distribution (SD)
  • Materials Management (MM)
  • Logistics Execution (LE)
  • Production Planning & Control (PP)
  • Plant Maintenance (PM)
  • Customer Service (CS)
  • Quality Management (QM)
  • Project System (PS)
  • Environment, Health & Safety (EH&S)
  • Retail
  • Agency Business (LO-AB)
  • Global Trade
  • Country Versions

10. Modules in Accounting - Navigation of Screen

  • Accounting General (AC)
  • Financial Accounting (FI)
  • mySAP Banking
  • Corporate Finance Management (CFM)
  • Treasury (TR)
  • Controlling (CO)
  • Investment Management (IM)
  • Project System (PS)
  • Incentive & Commission Management
  • Enterprise Controlling
  • Real Estate Management
  • Public Sector Management
  • Flexible Real Estate Management (RE-FX)
  • Production sharing accounting systems
  • Country Versions

11. Core Business Cycle in Manufacturing (diagram) - three linked cycles around production inventory management (handling of FGS, raw material management) and reporting:
  • Revenue: create customer relationship, sales quantity, sales order, delivery note, goods issue, our invoice, A.R., collection
  • Production: MRP, create production order, producing, inventory
  • Expenditure: create vendor relationship, purchase requisition, purchase order / scheduling agreement, goods receipt, vendor invoice verification, AP, payment

12. Risk Assessment Methodology by a Quantification Model
Key business processes in Sales and Distribution (SD), Materials Management (MM) and Financial Accounting (FI) need to be studied in detail to identify their vulnerability to threats from within and outside. Based on this and the experience of the internal audit team, risk statements relevant to the business are to be captured. For each risk statement, risk impact and risk exposure are to be assessed as described below.

13. Risk Registers and Heat Maps, Module-wise
Using the risk impact and risk exposure scores worked out as below, all possible risk statements (like the 3 examples given for each of SD/MM/FI) need to be compiled in a RISK REGISTER of many pages, and ultimately all risk statement serial numbers are to be plotted on a one-page HEAT MAP. Heat map as on the slide (rows: risk impact, axis ticks 0 / 20 / 40 / 100; columns: risk exposure, axis ticks 0 / 2 / 4 / 10):

                    Exposure LOW   Exposure MEDIUM   Exposure HIGH
  Impact HIGH            Y1              R2               R1
  Impact MEDIUM          G1              Y2               R3
  Impact LOW             G3              G2               Y3

14. Risk impact = Severity x Detection
Risk impact (severity x detectability) is to be assessed on a scale of 1-100 (100 being the highest adverse impact).
  • A. Risk severity (on a scale of 1-10) is determined from the weighted average effect on 5 parameters: i. PBT; ii. statutory/regulatory compliance; iii. strategic value; iv. financial statement accuracy; v. reliability/operational effectiveness.
  • B. Risk detectability (on a scale of 1-10) is determined from the stage at which the adverse event is detectable, i.e. within the company or only from outside (customers).

15. Risk exposure
Risk exposure (likelihood of occurrence) is to be assessed on a scale of 1-10 (10 being most likely). It is determined from the weighted average effect of the 10 parameters responsible for the exposure: i. incorrect source data/data entry; ii. incorrect/incomplete execution; iii. incorrect/no verification of output; iv. skill/resource constraint; v. inadequate segregation of duties; vi. lack of system documentation; vii. authority norms not defined/followed; viii. inappropriate configuration/process logic; ix. weak internal/compensating controls; x. others (process complexity, frequency of changes, software limitation, unassignable causes etc.).

16. Risk Statements - SD examples (each row: S. No, risk statement, severity, detectability, risk impact, risk exposure, heat zone)
  • 1. Invoice may be raised without effecting physical delivery of the goods from depot/plant (bill and hold): severity 7, detectability 8, impact 56, exposure 5, heat zone R1
  • 2. Sales order may not be executed in time and in full: severity 4, detectability 6, impact 24, exposure 3, heat zone Y2
  • 3. Debit/credit notes sent to customers may not contain adequate supporting details: severity 2, detectability 4, impact 8, exposure 4, heat zone G2

17. Risk Statements - MM examples
  • 1. Financial authority norms for release of PO may not be mapped into SAP: severity 4, detectability 8, impact 32, exposure 6, heat zone R3
  • 2. GR may be prepared for a quantity lower/higher than the vendor delivery challan: severity 4, detectability 6, impact 24, exposure 4, heat zone Y2
  • 3. CENVAT credit availed may be lower than the CENVATable excise duty credited to the vendor through invoice verification: severity 3, detectability 6, impact 18, exposure 4, heat zone G2

18. Risk Statements - FI examples
  • 1. Depreciation rates may have been incorrectly set up: severity 5, detectability 6, impact 30, exposure 5, heat zone R3
  • 2. Vendor accounts may not have been reconciled/confirmed at the laid-down frequency: severity 5, detectability 6, impact 30, exposure 4, heat zone Y2
  • 3. Line item (individual entry) clearing may not have been carried out in vendor accounts: severity 3, detectability 6, impact 18, exposure 4, heat zone G2

19. Risk Statements - examples common to all functions
  • 1. SAP transaction authorizations granted to users may not relate to their assigned role/responsibility: severity 8, detectability 8, impact 64, exposure 8, heat zone R1
  • 2. SAP transactions may be carried out using group IDs, so that transactions cannot be traced to any specific individual (employee): severity 8, detectability 8, impact 64, exposure 8, heat zone R1
  • 3. Audit trails (chronological log of changes) may not be reviewed/analyzed by process owners: severity 5, detectability 8, impact 40, exposure 7, heat zone R3

20. Important table mappings & concepts

  • SD - Sales orders = vbak/vbap/vbpa (different types)
  • SD - Shipping = vblk/likp/lips (different types)
  • SD - Billing = konv/vbrk/vbrp/vbuk (different types, PRICING procedures)
  • SD - Customer master used in AR = knvp/knvv/kna1/knb1 (sales organisation)
  • MM - Purchase requisition = eban/ebkn
  • MM - PO/SA = ekko/ekpo
  • MM - Delivery schedule = eket/ekkn
  • MM - GR = mkpf/mseg/ekbe
  • MM - Material master = marc/mlan/makt/mara/mbew
  • MM - PO info record = konh/konp/eina/eine
  • MM - BOM = STKO/STOP
  • MM - Material types, material movements, material groups, purchase groups
  • FI - Payments = payr; Accounting = bkpf/bseg; open/closed items: Customers = bsid/bsad, Vendors = bsik/bsas, G/L = bsik/bsas
  • FI - Masters: G/L = skb1/ska1/skat, Cost centre = csks/cskt, Profit centre = cepc/cskt
  • FI - Vendor master used in AP: purchasing = lfm1/lfm2, general = lfa1/lfb1/lfbk
  • FI - Document types (30 types): AB = accounting, BR = bank receipt, KR = vendor invoice, RV = sales invoice
  • FI - Account types (5): A = Assets, D = Customers, K = Vendors, M = Material, S = G/L
  • FI - COA = Chart of accounts
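
The quantification model of slides 12 to 19, as an added Python example that is not part of the original deck: impact = severity x detectability, exposure on a 1-10 scale, and a look-up into the slide 13 heat-map grid. The band boundaries are an interpretation of the heat-map axis ticks (impact 20/40/100, exposure 2/4/10, with a score that sits exactly on a tick falling in the lower band); this interpretation reproduces the heat zone of all twelve example rows on slides 16 to 19. The deck does not give the weights for the severity and exposure parameters, so equal weights are assumed unless supplied.

```python
"""Worked example of the risk quantification model on slides 12 to 19.

Added illustration, not code from the deck or from Eicher. Band boundaries
are read off the heat-map axis ticks on slide 13; a score on a tick falls in
the lower band, which reproduces the heat zone of all 12 example rows."""
from dataclasses import dataclass

# Heat-map grid from slide 13: rows are impact bands, columns exposure bands.
HEAT_MAP = {
    "HIGH":   {"LOW": "Y1", "MEDIUM": "R2", "HIGH": "R1"},
    "MEDIUM": {"LOW": "G1", "MEDIUM": "Y2", "HIGH": "R3"},
    "LOW":    {"LOW": "G3", "MEDIUM": "G2", "HIGH": "Y3"},
}
IMPACT_TICKS = (20, 40)    # low <= 20 < medium <= 40 < high (scale tops out at 100)
EXPOSURE_TICKS = (2, 4)    # low <= 2 < medium <= 4 < high (scale tops out at 10)


def band(score, ticks):
    """Map a score to LOW/MEDIUM/HIGH using the two inner axis ticks."""
    low_max, medium_max = ticks
    if score <= low_max:
        return "LOW"
    if score <= medium_max:
        return "MEDIUM"
    return "HIGH"


def weighted_rating(ratings, weights=None):
    """Weighted average of 1-10 parameter ratings, as slides 14 and 15 require for
    severity (5 parameters) and exposure (10 parameters). The deck does not publish
    the weights, so equal weights are assumed unless the caller supplies them."""
    if not ratings or any(not 1 <= r <= 10 for r in ratings):
        raise ValueError("ratings must be on a 1-10 scale")
    weights = weights or [1.0] * len(ratings)
    if len(weights) != len(ratings):
        raise ValueError("one weight per rating")
    return round(sum(r * w for r, w in zip(ratings, weights)) / sum(weights), 1)


@dataclass
class RiskStatement:
    module: str         # SD, MM, FI or ALL (common to all functions)
    sno: int
    statement: str
    severity: int       # 1-10, slide 14 part A
    detectability: int  # 1-10, slide 14 part B
    exposure: int       # 1-10, slide 15

    @property
    def impact(self):
        """Risk impact = severity x detectability, on a 1-100 scale (slide 14)."""
        return self.severity * self.detectability

    @property
    def heat_zone(self):
        return HEAT_MAP[band(self.impact, IMPACT_TICKS)][band(self.exposure, EXPOSURE_TICKS)]


# The twelve example rows from slides 16 to 19 (statements abbreviated).
REGISTER = [
    RiskStatement("SD", 1, "Invoice raised without physical delivery (bill and hold)", 7, 8, 5),
    RiskStatement("SD", 2, "Sales order not executed in time and in full", 4, 6, 3),
    RiskStatement("SD", 3, "Debit/credit notes lack supporting details", 2, 4, 4),
    RiskStatement("MM", 1, "PO release authority norms not mapped into SAP", 4, 8, 6),
    RiskStatement("MM", 2, "GR quantity differs from vendor delivery challan", 4, 6, 4),
    RiskStatement("MM", 3, "CENVAT credit availed lower than duty credited to vendor", 3, 6, 4),
    RiskStatement("FI", 1, "Depreciation rates incorrectly set up", 5, 6, 5),
    RiskStatement("FI", 2, "Vendor accounts not reconciled at laid-down frequency", 5, 6, 4),
    RiskStatement("FI", 3, "Line item clearing not carried out in vendor accounts", 3, 6, 4),
    RiskStatement("ALL", 1, "Transaction authorizations do not match assigned role", 8, 8, 8),
    RiskStatement("ALL", 2, "Transactions carried out under group IDs", 8, 8, 8),
    RiskStatement("ALL", 3, "Audit trails not reviewed by process owners", 5, 8, 7),
]


def risk_register(rows=REGISTER):
    """One register line per statement: module, S. No, impact, exposure, heat zone."""
    return [(r.module, r.sno, r.impact, r.exposure, r.heat_zone) for r in rows]


def heat_map(rows=REGISTER):
    """The one-page heat map of slide 13: statement labels plotted into each zone."""
    plotted = {zone: [] for row in HEAT_MAP.values() for zone in row.values()}
    for r in rows:
        plotted[r.heat_zone].append(f"{r.module}-{r.sno}")
    return plotted
```

The register and the heat map are produced from the same objects, so a change in any rating moves the statement between zones automatically; a real register would read the ratings from the audit team's worksheet instead of the inline list.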

21. Risks in revenue, expenditure and inventory cycles - overview (400+ risks), grouped under Configuration, Authorisation, Masters, Procedure manuals and Audit trails:
  • Configuration: SAP system landscape, R/3 customizing, organisational objects, currencies, tax procedures, charges in customer/vendor master, document types, depreciation keys, overhead cost allocation, PO release, payment terms, pricing procedures in SD, credit controls, outgoing invoice posting / free goods, automatic account determination
  • Authorisation: authorization objects, user management, tolerance groups, workflows, conflicting combinations, own-developed transactions, super user, change management
  • Masters: G/L masters, customer masters, vendor masters, material masters, selling price, tax codes, quota arrangement, BOM
  • Risk-based queries (SD, MM, FI) using SAP + MS Access / AIS / critical tools / tables / LDB-SAP; e.g. at Eicher SAP queries = 106+133+25, MS Access queries = 103+135+39
  • Audit trails: configuration control, authorization (change management), master and application (PO / sales order credits / FI documents)

22. Technical - Basis application infrastructure in SAP R/3

  • 4 key Basis tools + utilities:
  • A. Installation Management Guide (IMG) - SPRO
  • B. ABAP/4 Workbench and Transport System (Development + Test + Production)
  • C. Computing Center Management System (CCMS): utilities to monitor, control and configure R/3 (start up, shut down, network monitoring, security, backups, alerts, troubleshooting, system configuration and system profile management, DBA, profile security)
  • D. Profile Generator and Security Administration (PG&SA): SUIM - authorisation information system; SU03 - maintenance of authorisations
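
Slide 21 above lists risk-based queries over downloaded SAP tables as one of the audit trails, and slide 20 gives the table mappings. The following is an added Python example, not code from the deck or from Eicher, showing two such queries for the MM risk statements on slide 17 over constructed ekko/ekpo/mseg rows: net goods receipt quantity against the ordered quantity (the delivery challan quantity is not held in the tables listed, so the PO quantity stands in for it), and PO value against the releasing user's financial authority limit. The field names ebeln/ebelp/menge/netwr/bwart/lifnr are standard SAP fields; the released_by field, the release limits and every row value are assumptions constructed for this example.

```python
"""Risk-based queries over SAP purchasing tables, in the spirit of slides 20
and 21 (table downloads queried in MS Access). Added example, not from the
deck. All rows are constructed; table and field names follow the slide 20
mappings (ekko/ekpo = PO header/item, mseg = GR material document item).
The release-authority limits stand in for the company's financial authority
norms and are an assumption."""
from collections import defaultdict

EKKO = [  # PO header: PO number, vendor, user who released the PO (released_by is assumed)
    {"ebeln": "4500000101", "lifnr": "V1001", "released_by": "BUYER1"},
    {"ebeln": "4500000102", "lifnr": "V1002", "released_by": "BUYER1"},
    {"ebeln": "4500000103", "lifnr": "V1001", "released_by": "PURMGR"},
]
EKPO = [  # PO item: PO number, item, material, ordered quantity, net value
    {"ebeln": "4500000101", "ebelp": "00010", "matnr": "RM-100", "menge": 100.0, "netwr": 50000.0},
    {"ebeln": "4500000101", "ebelp": "00020", "matnr": "RM-200", "menge": 40.0, "netwr": 20000.0},
    {"ebeln": "4500000102", "ebelp": "00010", "matnr": "RM-300", "menge": 10.0, "netwr": 450000.0},
    {"ebeln": "4500000103", "ebelp": "00010", "matnr": "RM-100", "menge": 200.0, "netwr": 100000.0},
]
MSEG = [  # GR material document items; movement type 101 = GR against PO, 102 = GR reversal
    {"mblnr": "5000000001", "bwart": "101", "ebeln": "4500000101", "ebelp": "00010", "menge": 100.0},
    {"mblnr": "5000000002", "bwart": "101", "ebeln": "4500000101", "ebelp": "00020", "menge": 45.0},
    {"mblnr": "5000000003", "bwart": "101", "ebeln": "4500000103", "ebelp": "00010", "menge": 120.0},
    {"mblnr": "5000000004", "bwart": "102", "ebeln": "4500000103", "ebelp": "00010", "menge": 20.0},
]
# Assumed financial authority norms: maximum PO value (Rs.) each releaser may approve.
RELEASE_LIMITS = {"BUYER1": 100000.0, "PURMGR": 1000000.0}


def received_quantity(mseg_rows):
    """Net GR quantity per PO item: movement 101 adds, 102 reverses."""
    net = defaultdict(float)
    for row in mseg_rows:
        sign = {"101": 1.0, "102": -1.0}.get(row["bwart"], 0.0)
        net[(row["ebeln"], row["ebelp"])] += sign * row["menge"]
    return dict(net)


def over_receipts(ekpo_rows, mseg_rows, tolerance_pct=0.0):
    """PO items whose net GR quantity exceeds the ordered quantity beyond a tolerance
    (slide 17, MM risk 2). Returns (PO, item, ordered, received)."""
    received = received_quantity(mseg_rows)
    hits = []
    for item in ekpo_rows:
        got = received.get((item["ebeln"], item["ebelp"]), 0.0)
        allowed = item["menge"] * (1 + tolerance_pct / 100.0)
        if got > allowed:
            hits.append((item["ebeln"], item["ebelp"], item["menge"], got))
    return hits


def release_breaches(ekko_rows, ekpo_rows, limits=RELEASE_LIMITS):
    """POs whose total net value exceeds the releaser's authority limit, or whose
    releaser has no limit on record (slide 17, MM risk 1).
    Returns (PO, releaser, PO value, limit)."""
    value = defaultdict(float)
    for item in ekpo_rows:
        value[item["ebeln"]] += item["netwr"]
    hits = []
    for po in ekko_rows:
        limit = limits.get(po["released_by"])
        if limit is None or value[po["ebeln"]] > limit:
            hits.append((po["ebeln"], po["released_by"], value[po["ebeln"]], limit))
    return hits
```

Both queries are joins on the PO key (ebeln, ebelp), which is exactly what the MS Access queries on slide 21 do over downloaded tables; a tolerance on over-receipt lets the auditor separate configured GR tolerance from genuine excess postings.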

23. Risks in Installation Management
  • 1. The organisation models: SPRO and SCC4 control production client settings. Risks: incorrect consolidation, inadequate reporting, incorrect MIS, manual workarounds.
  • 2. Critical number ranges: assigned to individual DB records; internal numbers by SAP and external numbers by users (SNRO + SUIM + SPRO).
  • 3. Modification of critical tables: SAP tables other than X*/Y*; table fields (SE16/SE11/DD03M).

24. Risks in ABAP/4 Workbench & Transport (SE38/SA38)

  • Change control procedure (programmes, queries).
  • Development & testing servers.
  • Transport system testing.
  • Logs.
  • Emergency change procedures.

25. Risks in Computing Center Management Systems
  • Batch processing control: batch input (SM35), administration (SM64), processing (SM36)
  • Application server parameters: a) login password expiration 180 days; b) minimum password length 6-8; c) login fails to session end (incorrect password 3 times)
  • Locking transaction codes: SM01 (users who have access to lock/unlock T-codes)
  • Restricted passwords: default passwords, names
  • SAP Router: permission table authorization with valid IP address (port 3200)
  • Online support systems (SAP Marketplace, web): remote access to the SAP vendor
  • Remote function call: programme interfaces (SM59)
  • Use of E-SCORE, /EPIC, DMS, ITS etc.

26. Risks in Profile Generator (PGFC):-

  • Security admin profile (create/change/display)
  • Super user SAP*, SAP_ALL
  • Authorisation documentation (biggest risk)
  • Log + trace file
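
Slides 19, 25 and 26 name the Basis-level checks an auditor would run: the login parameters, the SAP* super user and the SAP_ALL profile, and group IDs that break traceability. The following added Python example (not code from the deck or from SAP) turns them into checks over a constructed profile extract and a constructed user list. The login/* names are SAP's standard instance profile parameters; the limits are those quoted on slide 25 (with 6 taken as the minimum length from the 6-8 range); the "name = value" export format and the user-record fields (in particular "individual", the named person accountable for an ID) are assumptions for this example.

```python
"""Checks for the Basis-level risks named on slides 19, 25 and 26, run over
constructed sample data. Added example, not the deck's or SAP's own code.
Limits follow slide 25: password expiry 180 days, minimum length 6 (of the
6-8 range quoted), session ended after 3 incorrect passwords. The login/*
names are standard SAP instance profile parameters; the text export format
and the user-record fields are assumptions made for this example."""

# Parameter, rule and limit following slide 25 a), b), c).
LOGIN_RULES = {
    "login/password_expiration_time": ("max", 180),  # days; 0 means passwords never expire
    "login/min_password_lng": ("min", 6),
    "login/fails_to_session_end": ("max", 3),
}
STANDARD_USERS = {"SAP*", "DDIC"}  # SAP-delivered users, not group IDs in the slide 19 sense

# Constructed instance profile extract, one "name = value" per line.
SAMPLE_PROFILE = """
# instance profile extract (constructed sample)
login/password_expiration_time = 0
login/min_password_lng = 5
login/fails_to_session_end = 3
login/fails_to_user_lock = 12
"""

# Constructed user master extract. "individual" is the named person accountable
# for the ID; None marks a shared/group ID (slide 19, common risk 2).
SAMPLE_USERS = [
    {"user": "SAP*", "type": "Dialog", "profiles": ["SAP_ALL"], "individual": None, "locked": False},
    {"user": "STORES01", "type": "Dialog", "profiles": ["Z_MM_STORES"], "individual": None, "locked": False},
    {"user": "RSHARMA", "type": "Dialog", "profiles": ["Z_SD_BILLING"], "individual": "R. Sharma", "locked": False},
    {"user": "BATCH_MM", "type": "System", "profiles": ["Z_MM_BATCH"], "individual": None, "locked": False},
    {"user": "SRAO", "type": "Dialog", "profiles": ["Z_FI_POST", "SAP_ALL"], "individual": "S. Rao", "locked": False},
]


def parse_profile(text):
    """Parse 'name = value' lines; integer values become int, '#' comments are dropped."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = int(value) if value.isdigit() else value
    return params


def check_login_parameters(params):
    """Compare the login/* parameters with the slide 25 limits; returns (name, finding)."""
    findings = []
    for name, (rule, limit) in LOGIN_RULES.items():
        if name not in params:
            findings.append((name, "not set in profile, system default applies"))
            continue
        value = params[name]
        if name == "login/password_expiration_time" and value == 0:
            findings.append((name, f"0: passwords never expire (limit {limit} days)"))
        elif rule == "max" and value > limit:
            findings.append((name, f"{value} exceeds limit {limit}"))
        elif rule == "min" and value < limit:
            findings.append((name, f"{value} below minimum {limit}"))
    return findings


def check_users(users):
    """Flag SAP* left unlocked and SAP_ALL on any user (slide 26), and dialog IDs
    with no accountable individual, i.e. group IDs (slide 19)."""
    findings = []
    for u in users:
        if u["user"] == "SAP*" and not u["locked"]:
            findings.append((u["user"], "SAP*_UNLOCKED"))
        if "SAP_ALL" in u["profiles"]:
            findings.append((u["user"], "SAP_ALL_ASSIGNED"))
        if u["type"] == "Dialog" and u["individual"] is None and u["user"] not in STANDARD_USERS:
            findings.append((u["user"], "GROUP_ID"))
    return findings


def audit(profile_text=SAMPLE_PROFILE, users=SAMPLE_USERS):
    """Combined finding list for the profile extract and the user list."""
    return check_login_parameters(parse_profile(profile_text)) + check_users(users)
```

A parameter that is absent from the extract is reported rather than silently passed, because the effective value is then the kernel default, which the auditor has to confirm separately.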

27. ERP implementation - Learnings for auditors

Managing in charge :-

  • Higher number of IS auditors than traditional-profile auditors.
  • ERP-trained auditors (functional / query)

Audit Methodology :-

  • Risk assessment of the audit universe (H/M/L)
  • Audit manuals (queries): Excel, MS Access
  • Segregation of duties.
  • User authorisation (object level security)
  • Customized to fit each organisation's unique needs.

Role of Auditor :-

  • Integrated approach (involvement in the project at an early stage for design + controls of systems)
  • Pre-implementation review before go-live (business case, project risks, application security design).
  • Post-implementation review (application)
  • Quality assurance of the BPR programme.

Audit involvement in project :-

  • During selection & implementation (contribute towards establishing the control environment).

Audit respons :-

  • Environment evaluation from a risk perspective
  • Subject specialists (SD, MM, Tax) & an ERP-competent team
  • Efficient audit
  • Audit universe (business application + Basis application infrastructure)
  • Use HELP

28. Audit Excellence Model / Global best practices (COSO)

  • Mapping to COSO (Committee of Sponsoring Organizations of the Treadway Commission)
  • A :- 3 objectives identified: 1. Operations, 2. Financial reporting, 3. Compliance.
  • B :- 5 components of internal control:
  • Control environment :- ethics, values, standards
  • Risk assessment :- technology, operations, finance, heat maps (risk impact vs exposure)
  • Control activities :- KPIs, policies, procedures, TQM, physical safeguards
  • Information & communication :- up and down, adequacy, Q, timeliness
  • Monitoring & controls :- internal controls, physical verification, overheads, MIS, feedback, forums etc.

29. Audit Excellence Model / Global best practices (COBIT)

  • Mapping to COBIT (Control Objectives for Information and related Technology).
  • Main processes and the number of key processes in each:
  • Planning and Organisation - 11
  • Acquisition & Implementation - 6
  • Delivery & Support - 13
  • Monitoring - 4

Level of controls - assessment (maturity scale):
  • 0. Non-existent
  • 1. Initial / ad hoc
  • 2. Repeatable but person dependent
  • 3. Defined: standardized and documented
  • 4. Managed: monitoring OK and feedback system
  • 5. Optimized: controls at industry best practice

30. New Directions in ERP Auditing:-

  • Risk-based auditing linked to COSO & COBIT
  • Professional ethics & standards
  • AIS (materiality) + query development (table download + MS Access)
  • Auditing tools: ACL/IDEA etc. and many more
  • Online continuous audit (remote desktop auditing)
  • E-enabled applications (vendors/dealers, P2P, B2C)
  • Outsourcing: competence / cost-benefit based
  • 100% transaction audit / audit through computers
  • Continuously enhancing ERP competencies
  • Qualified auditors: CIA/CISA.

31. References
  • www.theiia.org - Internal auditing: guidance for the profession: Code of Ethics; International Standards for the Professional Practice of Internal Auditing; Practice Advisories; Development & Practice Aids
  • www.isaca.org - IS Auditing Standards; IS Auditing Guidelines; IS Auditing Procedures; Standards for Professional Information System Control
  • http://www.sapgenie.com/ (Google search based)
  • http://www.sap.com - services / education
  • http://www.sap.com/ - Community
  • help.sap.com

32. Arvind Dang, 98711 41333, [email_address]. Thank you.