Risk and Governance Issues for ERP Enterprise Applications
Enterprise resource
planning (ERP) applications such as SAP, Oracle Financials and PeopleSoft can
deliver significant change in enterprise information processing and significant
benefits for organizations astute in managing change. While ERP applications
can resolve a number of control issues associated with a fragmented legacy
systems environment, not surprisingly, they can introduce new risks of their
own. This article explains:
· Why ERP systems are different
· Risk and governance issues associated with the
implementation of ERP
· The fundamental changes in fiscal and
operational controls accompanying ERP implementations
Why ERP Systems Are Different
Prior to ERP systems,
an organization’s legacy systems were typically organized around functions or
departments, e.g., sales, purchasing, inventory and finance (figure 1) and not
the business processes, e.g., purchase to pay, order to cash. Functions evolved
independently of other functions. Each function may have had an individual
computer system or a number of systems to support it, with interfaces between
systems. This resulted in time delays, additional cost, data redundancy and
noncurrent data. Business controls had a high manual component. Purchase orders
(POs), for example, were approved when generated. When the invoice arrived, the
PO was either printed out again or retrieved from filing and stapled to the
invoice. The invoice was then approved for payment. The documents may have,
once again, been scrutinized and approved during the check payment process.
Legacy systems also
suffer from a design problem. Typically they are built from disparate,
independent modules that merely pass transaction data between them through
interfaces carrying only summarized data. In such environments the underlying
details of a transaction are often difficult to ascertain, unlike the drill-down
from a summary to the originating document that ERP systems provide.
ERP systems, on the
other hand, have a business process focus. Their relational database tables are
designed around a complete set of core functions rather than disparate modules
that merely pass transaction data from one module to another. The financial
accounting modules are tightly integrated into a logistical chain that begins
with purchasing and ends in sales and distribution. Every business transaction
is recorded in the financial accounting and controlling (or management
reporting) module automatically. For example, in SAP:
· A purchase requisition in the materials
management (MM) module creates a commitment in the controlling (CO) module
(figure 2). This purchase requisition also can be evaluated in the controlling
component.
· The placement of the purchase order will
confirm the commitment in the CO and cash management (CM) systems
simultaneously.
· Receipt of the goods ordered will generate an
accounting document in financial accounting (FI) and CO. The receipt also will
update the material masters (stock records) in MM.
· Receipt of the invoice generates an accounting
document in FI accounts payable and updates CO and CM.
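The posting chain above, modelled in Python as an added example. This is not SAP code and not code from the article; the module names (MM, CO, FI, CM) are used only as labels for the postings described, the 1% price tolerance is an assumption, and the order scenario in `demo()` is constructed. The example also shows the two controls the integration makes possible: an automated three-way match (PO, goods receipt, invoice) that replaces the manual stapling of documents described earlier, and a document reference chain that supports drill-down from any accounting document back to its requisition.

```python
"""Toy model of an integrated purchase-to-pay flow.

Added illustration, not SAP code: module names are labels only, the price
tolerance is an assumed value and all data in demo() is constructed.
"""
from dataclasses import dataclass
from typing import Optional

PRICE_TOLERANCE = 0.01  # assumed: 1% variance allowed before an invoice is blocked


@dataclass
class Doc:
    doc_id: str
    module: str            # posting module: MM, CO or FI
    kind: str              # REQUISITION, COMMITMENT, PO, GOODS_RECEIPT, ACCOUNTING, ACTUAL, INVOICE
    material: str
    qty: int
    unit_price: float
    ref: Optional[str]     # predecessor document; following refs is the drill-down path
    status: str = "POSTED"

    @property
    def amount(self) -> float:
        return round(self.qty * self.unit_price, 2)


class Ledger:
    """One shared document store for all modules, as in an integrated ERP."""

    def __init__(self) -> None:
        self.docs: dict[str, Doc] = {}
        self.stock: dict[str, int] = {}          # MM material master: on-hand quantity
        self.commitments: dict[str, float] = {}  # CO: open commitment per PO
        self.cash_forecast = 0.0                 # CM: planned outflow not yet invoiced
        self.payables = 0.0                      # FI accounts payable balance
        self._seq = 0

    def _post(self, module, kind, material, qty, price, ref=None, status="POSTED") -> Doc:
        self._seq += 1
        d = Doc(f"{module}{self._seq:04d}", module, kind, material, qty, price, ref, status)
        self.docs[d.doc_id] = d
        return d

    # 1. A requisition in MM creates a commitment in CO.
    def requisition(self, material: str, qty: int, price: float) -> Doc:
        req = self._post("MM", "REQUISITION", material, qty, price)
        self._post("CO", "COMMITMENT", material, qty, price, ref=req.doc_id)
        return req

    # 2. The PO confirms the commitment in CO and the planned outflow in CM.
    def purchase_order(self, req_id: str) -> Doc:
        req = self.docs[req_id]
        po = self._post("MM", "PO", req.material, req.qty, req.unit_price, ref=req_id)
        self.commitments[po.doc_id] = po.amount
        self.cash_forecast = round(self.cash_forecast + po.amount, 2)
        return po

    # 3. Goods receipt posts FI and CO documents and updates stock in MM.
    def goods_receipt(self, po_id: str, qty: int) -> Doc:
        po = self.docs[po_id]
        gr = self._post("MM", "GOODS_RECEIPT", po.material, qty, po.unit_price, ref=po_id)
        self._post("FI", "ACCOUNTING", po.material, qty, po.unit_price, ref=gr.doc_id)
        self._post("CO", "ACTUAL", po.material, qty, po.unit_price, ref=gr.doc_id)
        self.stock[po.material] = self.stock.get(po.material, 0) + qty
        self.commitments[po_id] = round(self.commitments[po_id] - gr.amount, 2)
        return gr

    # 4. Invoice receipt: the three-way match is applied automatically.  A
    #    failed match still records the liability but blocks it for payment.
    def invoice_receipt(self, po_id: str, qty: int, price: float) -> Doc:
        po = self.docs[po_id]
        received = sum(d.qty for d in self.docs.values()
                       if d.kind == "GOODS_RECEIPT" and d.ref == po_id)
        invoiced = sum(d.qty for d in self.docs.values()
                       if d.kind == "INVOICE" and d.ref == po_id)
        qty_ok = invoiced + qty <= received
        price_ok = abs(price - po.unit_price) <= PRICE_TOLERANCE * po.unit_price
        status = "POSTED" if (qty_ok and price_ok) else "BLOCKED"
        inv = self._post("FI", "INVOICE", po.material, qty, price, ref=po_id, status=status)
        self.payables = round(self.payables + inv.amount, 2)
        self.cash_forecast = round(self.cash_forecast - inv.amount, 2)
        return inv

    def payment_run(self) -> list[str]:
        """Pay only invoices that passed the match; blocked ones stay open."""
        paid = []
        for d in self.docs.values():
            if d.kind == "INVOICE" and d.status == "POSTED":
                d.status = "PAID"
                self.payables = round(self.payables - d.amount, 2)
                paid.append(d.doc_id)
        return paid

    def trace(self, doc_id: str) -> list[str]:
        """Drill down from any document to the requisition that started it."""
        chain = []
        while doc_id is not None:
            chain.append(doc_id)
            doc_id = self.docs[doc_id].ref
        return chain


def demo() -> Ledger:
    """Constructed scenario: 100 units at 2.50 ordered, 60 received, two invoices."""
    lg = Ledger()
    req = lg.requisition("BOLT-M8", 100, 2.50)
    po = lg.purchase_order(req.doc_id)
    lg.goods_receipt(po.doc_id, 60)
    lg.invoice_receipt(po.doc_id, 60, 2.50)   # matches receipt: released for payment
    lg.invoice_receipt(po.doc_id, 40, 2.50)   # nothing received for it yet: blocked
    return lg
```

Running `demo()` leaves the second invoice with status `BLOCKED`, and `trace("FI0005")` walks the FI accounting document back through the goods receipt and the PO to the requisition `MM0001`; an auditor reviewing a payment run can therefore query blocked invoices and the origin of any posting directly from the document store rather than from filed paper.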
The ERP environment
thus operates online and in real time, in step with the business. Management
has access to current information on how the business is performing, and that
information is shared among application modules and among users from different
departments simultaneously. Following implementation of an ERP, organizations
typically report completing period or year-end closes in one or two days, as
opposed to two to three weeks under their legacy system environment.
Risk and Governance Issues with ERP
Organizations face
several new business risks when they migrate to a real-time, integrated ERP
system. Those risks include:
· Single point of failure–All of the organization’s data and
transaction processing are concentrated within one application system.
· Structural changes–Significant personnel and organizational
structure changes associated with reengineering or redesigning business
processes
· Job role changes–Transition of traditional user roles to
empowered-based roles with much greater access to enterprise information in
real time and the point of control shifting from the back-end financial
processes to the front-end point of creation
· Online, real-time–An online, real-time system environment
requires a continuous business environment capable of utilizing the new
capabilities of the ERP application and responding quickly to any problem
requiring recovery or reentry of information (e.g., if field personnel are
unable to transmit orders from handheld terminals, customer service staff may
need the skills to enter orders into the ERP system correctly so the production
and distribution operations will not be adversely impacted).
· Change management–It is challenging to embrace a tightly
integrated environment when different business processes have existed among
business units for so long. The level of user acceptance of the system has a
significant influence on its success. Users must understand that their actions
or inactions have a direct impact upon other users and, therefore, must learn
to be more diligent and efficient in the performance of their day-to-day
duties. Considerable training is therefore required for what is typically a
large number of users.
· Distributed computing experience–Inexperience with implementing and managing
distributed computing technology may pose significant challenges.
· Broad system access–Increased remote access by users and
outsiders and high integration among application functions allow increased
access to applications and data.
· Dependency on external assistance–Organizations accustomed to inhouse legacy
systems may find they have to rely on external help. Unless such external
assistance is properly managed, it could introduce an element of security and
resource management risk that may expose the organization to greater risks.
· Program interfaces and data conversions–Extensive interfaces and data conversions
from legacy systems and other commercial software are often necessary. The
exposures of data integrity, security and capacity requirements for ERP are
therefore often much higher.
· Audit expertise–Specialist expertise is required to
effectively audit and control an ERP environment. The relative complexity of
ERP systems has created specialization such that each specialist may know only
a relatively small fraction of the entire ERP’s functionality, concentrated in a
particular core module. Yet auditors of the FI module, who are required to audit
the organization’s business processes end to end, have to maintain a good grasp
of all the core modules to function effectively.
More recently, some of
the additional risks and governance issues introduced by the e-enabled ERP
environments concern:
· Single sign on–It reduces the security administration
effort associated with administering web-based access to multiple systems, but
simultaneously introduces additional risk in that an incorrect assignment of
access may result in inappropriate access to multiple systems.
· Data content quality–As enterprise applications are opened to
external suppliers and customers, the need for integrity in enterprise data
becomes paramount.
· Privacy and confidentiality–Regulatory and governance issues surrounding
the increased capture and visibility of personal information, e.g., spending
habits.
Fundamental Changes in Controls
An ERP implementation,
and its associated business process changes, transforms critical elements of
the business. These changes affect the control environment. Some of the reasons
for the change include:
· Batch-oriented controls are inapplicable in an
online, real-time environment.
· Traditional audit trails are lost.
· Access requirements have vastly expanded to
include field personnel and, increasingly, suppliers and customers.
As a result, the
integrity and control structure supporting ERP-enabled business processes must
be transformed. This is to ensure that changes in business processes do not
adversely affect the fiscal and operational control of the business.
Editor’s Note:
ISACF is planning to
commission a series of ERP Technical Reference Guides to provide information
systems audit professionals with control techniques that will assist them in
the management of these risk and governance issues.
Stephen Addison, CISA
is a Certified Information Systems Auditor and the national director of the ERP
audit and assurance services delivered by Deloitte Touche Tohmatsu, Australia.
The ERP audit and assurance team provides internal audit support services to
clients with enterprise applications, such as SAP, Oracle Financials,
PeopleSoft and JD Edwards. He has more than 10 years of experience in the
auditing and the implementation of controls, along with experience in IT
consulting, product management, marketing and systems engineering. Prior to
joining Deloitte Touche, Addison served as the head of internal audit for TNT
Australia and senior audit manager for Westpac Banking Corp.