
Use ERP Internal Control Exception Reports to Monitor and Improve Controls

By Leslie D. Turner, CMA, CFM, DBA, and Vincent Owhoso, Ph.D.

Organizations with ERP systems can use internal reports to continuously monitor and improve their internal controls through periodic, on-demand, or specialized reports. Using these reports to monitor and improve user access controls and segregation of duties can reduce costs and the likelihood of unnecessary exposure while improving efficiency, responsiveness, and compliance procedures.

The extensive use of enterprise resource planning (ERP) systems provides opportunities for continuous monitoring and improvement of internal control systems. This continual monitoring and improvement of internal controls, in turn, assures that management can comply with relevant sections of the Sarbanes-Oxley Act of 2002 (SOX). In this article, we will describe critical processes and systems that are necessary to monitor internal control compliance and the implications for SOX compliance. Internal controls have been integrated into accounting software systems for many years, and ERP systems have enabled monitoring of internal controls that was not possible with legacy systems. For example, ERP systems can provide control reports that highlight inappropriate segregation of duties from an enterprise-wide perspective. The focus here will be on such newer approaches to monitoring internal control compliance—specifically, the use of control reports to monitor and improve user access controls and segregation of duties.

MANAGEMENT ACCOUNTING QUARTERLY, SPRING 2009, VOL. 10, NO. 3
Control reports can be defined in many ways. Our use of control reports will refer to standard or specialized reports available in ERP systems to report authorization or user access violations. Some reports may have an enterprise-wide focus, while others may be within specific business processes, such as purchasing. For example, a report of conflicting capabilities can show users with conflicts across various business processes. A report examining a history of changes to a record for control violations would focus on a specific business process. These reports are used for several purposes. The appropriate manager or internal auditor can review such reports for internal control self-assessment and control improvement.

Monitoring internal control compliance is important in ERP systems because core business processes such as purchasing, accounts payable, cost accounting, banking/treasury functions, and human resource systems are integrated into an enterprise-wide system. The ERP platforms allow companies to reduce costs, become more efficient, and respond faster to changes in the marketplace. This increased functionality, however, creates different risk profiles that, if not monitored properly, can result in control breakdowns and potentially significant losses for a company. ERP systems also push initiation or authorization of transactions to lower levels of the organization, thereby causing increased control problems. These control risks and problems must be counterbalanced by effective internal controls that should be monitored constantly to ensure organizational effectiveness, efficiency, and safeguarding of processes.

IMPORTANCE OF INTERNAL CONTROLS

Managers, accountants, and internal auditors bear responsibility for developing, monitoring, and improving internal control systems. Their responsibilities include preventing, detecting, and correcting control weaknesses and risks that may cause a failure to achieve operational and information-processing objectives. The key risks of which each of these parties must be aware as they develop and monitor internal controls include:
• The risk of fraud, particularly for systems with payment-generation capability, when a single person has ERP authorizations that allow control of two parts of a transaction. This inappropriate segregation of duties can lead to fraudulent activity.
• Noncompliance with privacy guidelines. ERP systems store enormous amounts of data, including customer, vendor, and employee data. Without proper internal control, privacy can be violated intentionally or unintentionally.
• Inappropriate disclosure of time-sensitive business data.
• Malicious or accidental damage to data. If weak internal controls allow inappropriate access to data, it is possible for data to be altered or destroyed.
• A potential loss of competitive advantage.
• Potential damage to customer or shareholder confidence, public image, and reputation.
• The possibility of incurring additional costs.
• A breach of legal, regulatory, or contractual obligations.
• The potential disruption of business activity.
• The potential for incorrect management decisions to be made.
• A potential loss of business.

To lessen these risks, internal controls should be properly established, monitored, and improved.

The use of control reports to monitor authorization or user access violations is important in continuous monitoring and improvement of internal control. As an analogy, the use of cost accounting systems with variance reports can be useful in continual monitoring and improvement of manufacturing efficiency and effectiveness. Yet such variance reports are not useful unless an underlying structure has been established with a proper accounting system to monitor costs against standards and unless management regularly reviews variance reports and uses the reports to improve manufacturing control. Likewise, control reports in an ERP system can be useful if a proper underlying structure is established and management uses the resulting control reports properly to monitor and improve internal controls.

CONTINUOUS MONITORING USING ERP EXCEPTION REPORTS

A model of continuous monitoring using ERP exception reports presents a dynamic, iterative, and interactive process whereby a properly configured ERP system generates reports for the purpose of monitoring and improving internal control (see Figure 1).

The use of a system based on this model improves control over business goals and objectives, business processes, and control activities. The controls monitored include controls over user access, segregation of duties, operations, policies and procedures, information technology, and external compliance. The model ensures that internal control weaknesses within core business processes routinely are prevented, detected, and corrected at the business unit levels. Business unit administrators periodically run and review exception reports for control deficiencies. This allows administrators to improve affected controls. At the enterprise level, the model ensures that generated reports are used for the purpose of monitoring internal controls over strategic goals and external compliance.

Figure 1: A Model of Internal Control Compliance Through Exception Reports. (Figure labels: ERP System, comprising Access Administrator, Segregation of Duties, and User Access; Exception Reports; Achieves: Safeguard Assets, Data Integrity, Improved Organizational Efficiency, SOX Compliance; Feedback to improve.)

ASSUMPTIONS OF THE MODEL

The model assumes the existence of a proper organizational structure that is integrated with the operational or business processes, information technology objectives, and the various internal players. It also assumes that the organization is committed to a culture that encourages regular monitoring and control of user access through segregation of duties and avoidance of conflicting capabilities. The model further assumes the existence of a properly configured ERP system with access administrators at each major unit within the organization to assist in the development, continuous monitoring, and improvements of internal controls. The access administrators should provide updates of user profiles as changes in duties occur, should schedule regular control reports of conflicts in user profiles and changes to master data, and should use control reports regularly to reduce profile conflicts and master data. The model also assumes that there is a well-established reporting chain in the organization to ensure that upper management follows up exception reports on safeguarding of assets, improvement of organizational effectiveness, data integrity, and compliance with SOX (and other laws and regulations) and contracts. The model expects the organizational structure to include well-defined information technology and operations and control objectives, policies, and procedures that are available to the access administrators for setting up the ERP for appropriate user access, segregation of duties, and the required control objectives and control activities at each business process or departmental unit.
The model begins with the performance of control activities by the internal players. These control activities create dynamic and iterative processes for monitoring and improving internal controls through the generation of control reports. The control reports allow business unit managers to identify potential deficiencies in the user access profiles and conflicting capabilities and then make timely improvement to the control profiles.

The access administrator is a key internal player who first implements the control objectives (as agreed to by management) and control activities within the information technology area of the organization. He or she sets up the ERP properly to allow for the generation of on-demand and periodic reports for continued monitoring and improvement of the setup. Some of the critical setup areas are user access and segregation of duties. User access is the determination of which data and modules a user is authorized to access, and segregation of duties prevents a single person from controlling two ends of a transaction. These activities are determined and controlled by the access administrator, who assigns segregation of duties profiles to each and every user according to the policies and procedures of the organization.

These specific user profiles in the ERP system also allow the organization to implement the policies and procedures regarding segregation of duties, access controls, delivery and support services, IT solutions and services, and other business processes. The access administrator feeds these policies, procedures, and control activities into the ERP and the enterprise-wide systems and restricts each user to specific control activities. Then the appropriate unit managers (or other authorized individuals) monitor these activities for the desired outcomes in their departments through on-demand or regular control reports related to safeguarding assets, organization efficiency, data integrity, and SOX compliance. By reviewing these reports for exceptions or violations, the business unit managers and IT administrators are able to identify weaknesses in the various control activities. Upon evaluating the implications of the weakness, the managers respond to the deficiencies by designing improvements that, in turn, are fed into the ERP systems. This ends an iteration process for one period and begins another iterative step in a dynamic process of monitoring internal controls. (We want to note that the outcome of the iterative and feedback process also results in reports that are generated and used for ensuring that goals relate to organization efficiencies and the maintenance of data integrity.) This outcome also helps ensure that external compliance requirements such as SOX compliance are also being met in a timely, continuous manner.

In summary, the iterative steps in the model of ERP control reports are proper setup of the organizational structure and the ERP system, management review of control reports, and improvement of the organizational and ERP setup.

Now we examine the major critical issues in the model and its application and analysis in a real Fortune 500 company. As it is not possible to cover the entire array of internal controls in a single article, we will focus on a set of extremely critical internal controls. Our focus is on user access and the prevention of conflicting capabilities.

ACCESS ADMINISTRATOR

The role of the access administrator in the model is a critical one because the access administrator is responsible for monitoring and granting user access. The purpose of this role is to ensure that all users have the appropriate system access that allows them to work efficiently and within boundaries that minimize the risk of fraud, inappropriate access, or the loss of data. The access administrator is responsible for delivering control reports to each business unit manager, who is then responsible for reviewing the capabilities of individual employees’ authorized roles for compliance and conflict resolution. (The access administrator only delivers the reports; the responsibility to review and validate the correctness is with the business—i.e., the users’ managers.)

Persons appointed as access administrators should be well trained in their field and be responsible for administering user access to the ERP system, including the ability to create, suspend, remove, and maintain user accounts as defined for a specific class or group of users and manage and reset credentials and services as authorized by management. In addition, access administrators should possess the ability to define and update key business process information or transactions, monitor the status of key transactions, validate processes and data periodically, review errors and control reports, and document standards, guidelines, and procedures. These responsibilities suggest that the role of access administrator should be assigned to business unit managers. Some of the duties that access administrators perform include:
• Determining business and information security requirements that are based on management objectives.
• Ensuring information and systems are protected in line with their importance to the enterprise.
• Granting user access based on each unit manager determining which users are authorized to access particular information and systems.
• Developing service-level agreements.
• “Signing off” on specifications for business requirements (including security requirements).
• Authorizing new or significantly changed systems.
• Ensuring users are aware of their security responsibilities and are able to fulfill them.
• Being involved with security audits/reviews.

Access administrators should be accountable to a supervisor who is in upper management in line with the responsibilities specified and documented for protecting the organization’s information as well as its information technologies. The supervisor may engage IT auditors to monitor and review the activities of the access administrator to ensure that he or she abides by sound policies and procedures regarding separation of duties and performs only those activities that are authorized by management.

USER ACCESS CONTROLS

An effective model of continuous monitoring should include a process to ensure that system access of all terminated and/or transferred employees is revoked immediately upon a change. More specifically, the process should ensure that users’ access is restricted to their required job activities to avoid having inappropriate ability to:
• Commit fraud.
• Edit or modify financial statement information or data that directly impacts financial statements (i.e., consolidated information, journal entry posting, price lists, formula cards, etc.).
• Edit or view highly restricted data that is important operationally but not from a financial reporting perspective (i.e., budgeting files, personnel files, etc.).
• Perform something that they should not have the access to execute and therefore might cause considerable rework or system availability issues.

In summary, monitoring user access in an ERP system will ensure that breaches of unauthorized access to the system are found and that procedures and employees with conflicting roles are quickly identified and those authorizations are terminated in a timely manner.

SUPER-USER OVERSIGHT

We cannot overemphasize the need for super-users in ERP environments. Super-users must have user profiles that allow conflicting capabilities access. Specifically, a super-user is a user who has unrestricted access to the entire system, whether it is the system commands or system files, regardless of their permission levels. These super-users require such access to manage risks across the enterprise by enforcing segregation-of-duty profiles and preventing security and control violations before they occur in core business processes. For example, super-users are able to address segregation-of-duty issues by detecting, removing, and preventing access authorization risks within and across business processes. In this regard, super-users typically have access to the system files and setup and have the highest level of privilege for applications.

Because super-users possess “unlimited” access to the system root, commands, and applications, they can cause damage to the system and expose the organization to untold hardship and embarrassment. For example, they can mount and dismantle file systems, change another user’s password without knowing the password, remove any file directory, and even shut down the entire system. As a result, the activities of super-users should be controlled by management. Management should:
• Review super-user access privileges and align them with IT auditors for highly critical and conflicting capabilities.
• Control super-users’ activities through audit trail documentation of creation, modification, distribution, and usage.
• Assign independent person(s) to review the super-user audit trail (i.e., a record of sources of information and changes made by date and by accountable individual or organization). These need to be reviewed frequently to identify suspicious or dubious activities and responsibility for particular events.

An independent manager should review audit trails frequently and follow up on issues arising such as:
• Instances of access to applications by super-users. These should be examined by event logs that have been configured properly to generate appropriate event types, including time spent while logged on, tasks performed—creation of data, deletions, modification of named files, event attributes in event entries (e.g., IP address, user identity, time and date, protocol and port used, files or system utilities accessed, method of connection, name of device, and object name).
• Any activities performed by a super-user with another user’s ID must be tracked, monitored, and logged. This should be established to allow the tracking of inputs into the system down to the field value level, including any sorting, filtering, and downloading of information from the system.

SEGREGATION OF DUTIES

To accomplish internal control objectives, any organization must segregate user duties properly. ERP systems allow segregation of duties via user authorizations. User profiles determine the type of access and authority each user has within the system. A user profile should not allow any user to have incompatible duties. An organization must develop, maintain, and monitor appropriate segregation of duties properly. This requires a detailed analysis of individual job functions and a determination of which functions are incompatible activities. A continuous reporting system should be able to report and use these reports to avoid segregation-of-duty violations by performing a test of the entire ERP system, control activities, or specified business processes at unit levels. For instance, by testing the systems process, the examples presented in Table 1 show a detailed analysis of incompatible duties. Individual organizations may refer to incompatible duties by different names. At this Fortune 500 company, incompatible duties are called conflicting abilities. This specific example provides detailed information about the conflicting ability of “new vendor account” and “post an MM Document” in
Table 1: Contents of a Detailed Conflicting Ability Analysis

SECTION | DESCRIPTION
Conflicting Ability descriptions | Conflicting Ability IDs & descriptions
Potential Risk to XYZ Co. | Description of the potential risk to XYZ Co. that this conflict ID is
Identification of transactions using Ability 1 | Method for identifying transactions that utilized Ability 1
Identification of transactions using Ability 2 | Method for identifying transactions that utilized Ability 2
Comparison of transactions to identify potential fraud or damage to XYZ Co. | Method for comparing transactions to identify potential fraud or
Other considerations | Any additional considerations that the business expert would like

an SAP environment. The ability to create a new vendor account, coupled with the ability to post a credit memo or invoice, can allow the user to generate a fraudulent payment because the two are incompatible duties.

These descriptions of conflicting abilities are maintained, stored, and accessed through the company intranet. Thus access administrators and managers can easily review potential conflicting abilities within their subunit.

AN EXAMPLE APPLICATION OF THE MODEL AT A FORTUNE 500 COMPANY

This company implemented SAP as its ERP of choice and maintains a database of conflicting abilities for various business processes. Conflicting abilities are those activities performed by one individual that violate the rules of segregating incompatible duties (SoD) as a form of internal control. When SoD is violated, an organization may be subject to fraud and loss of resources through embezzlement and theft of assets and deletion or destruction of company data. Business unit administrators and systems security supervisors can use the inventory of conflicting capabilities to monitor and update internal control violations through periodic reports on conflicting abilities in various operations.

Proper management of these conflicting abilities involves the correct establishment of user profiles. User profiles are the tasks within the ERP system that are assigned to the user. When determining which conflicting abilities must be identified, business areas must consider not only those conflicts composed of abilities that their business area owns, but also those conflicts that are the result of one of their abilities combined with an ability from another business area. Therefore, conflicting abilities may be composed of two abilities owned by one business area or two abilities, each owned by separate business areas. The company uses these conflicting capability documents in the following manner:
• Develop potential list of key control conflicts for business processes/operations.
• Identify each control activity’s control conflicts.
• Establish a matrix of control activities and control conflicts.
• Use software (SAP) to monitor and correct violations of control activities and control conflicts:
  • When employees change roles (are transferred, promoted, etc.).
  • When incompatible activities are flagged during business process/operations.
  • When functional departments delay or fail to periodically self-report activities of control conflicts.
• Audit units’ compliance with control activities.
• Provide report to appropriate supervisor on status of control activities and control conflicts.

To prevent internal control breaches, each individual profile is listed with a corresponding set of conflicting activities that those individuals are not expected to perform. For example, in Table 2, individual profiles are presented with the relevant conflicting abilities. Individuals possessing these profiles should be precluded from performing the conflicting abilities.

Because the company is concerned with maintaining internal control integrity, it analyzes, documents, and updates the inventory of conflicting abilities in its intranet and makes them available to managers and access administrators. The availability of the incompatible abilities allows managers and internal auditors to mitigate the risks of one or more of these conflicts occurring by using continuous reporting to review the profiles assigned to each user. For example, during internal transfer of one individual from one department to another, managers, access administrators, and internal auditors can identify if the individual possesses conflicting abilities that must be addressed. Periodic reporting also may reveal whether an individual attempted to violate his or her user profiles by inappropriately accessing a file for which he/she had no authorization to access.

In summary, a system should be in place to monitor system and business processes and be designed to keep passwords confidential. This may involve having policies requiring passwords to be changed frequently and not be shared. This policy has the potential to protect the employee and ensure that system transactions are performed only by employees with proper authority. The internal and external auditors should review the process for managing and changing passwords and test the effectiveness of password management processes.
Table 2: Conflicting Abilities of Individual Profiles

PROFILE | MUST NOT HAVE THIS PROFILE AS WELL
Create and change general ledger accounts and cost elements. | Make journal entry postings to the general ledger.
Setting pay rates. | Maintaining employee personnel records.
Enter invoices. Pay vendors. Vendor master maintenance. Cash application.
Sales order/credit memo entry. Entering time data. Cutting checks and/or direct deposit.
Customer Master Maintenance.
Purchasing. Receiving. Enter invoices. Pay vendors.
Sales order/credit memo entry. Billing. Billing.
Billing. Delivery/Distribution. Sales Order Entry. Payment
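The profile review described above (a conflict matrix in the style of Table 2, checked against each user's assigned abilities, including conflicts that span two business areas and conflicts created when a transferred employee keeps an old role) can be run mechanically over an export of user profiles. The following is an added example, not code from the article or from the company it describes; the matrix pairs are modelled on Table 2 and on the vendor-account/invoice example in the text, and the user assignments and business-area ownership are constructed sample data.

```python
"""Profile-level segregation-of-duties check against a conflicting-abilities matrix.

Added example; not code from the article or from the company it describes.
Matrix pairs are modelled on Table 2 and the vendor-account/invoice example in
the text; user assignments and business-area ownership are constructed.
"""
from itertools import combinations

# Unordered pairs of abilities that one person must not hold together.
CONFLICT_MATRIX = [
    ("create/change GL accounts and cost elements", "post journal entries to GL"),
    ("set pay rates", "maintain employee personnel records"),
    ("vendor master maintenance", "enter invoices"),
    ("vendor master maintenance", "pay vendors"),
    ("enter invoices", "pay vendors"),
    ("purchasing", "receiving"),
    ("sales order/credit memo entry", "billing"),
]

# Constructed: the business area that "owns" each ability. A conflict whose two
# abilities belong to different areas is one neither area would see on its own.
ABILITY_OWNER = {
    "create/change GL accounts and cost elements": "Finance",
    "post journal entries to GL": "Finance",
    "set pay rates": "HR",
    "maintain employee personnel records": "HR",
    "vendor master maintenance": "Purchasing",
    "purchasing": "Purchasing",
    "receiving": "Warehouse",
    "enter invoices": "Accounts Payable",
    "pay vendors": "Accounts Payable",
    "sales order/credit memo entry": "Sales",
    "billing": "Sales",
}


def conflict_set(matrix):
    """Normalise the matrix to a set of frozensets so lookups are order-independent."""
    return {frozenset(pair) for pair in matrix}


def find_conflicts(user_abilities, matrix=CONFLICT_MATRIX, owner=ABILITY_OWNER):
    """Return (user, ability_a, ability_b, cross_area) for every conflicting pair a
    single user holds. Users and abilities are sorted so output is deterministic."""
    conflicts = conflict_set(matrix)
    found = []
    for user, abilities in sorted(user_abilities.items()):
        for a, b in combinations(sorted(set(abilities)), 2):
            if frozenset((a, b)) in conflicts:
                found.append((user, a, b, owner.get(a) != owner.get(b)))
    return found


def apply_transfer(user_abilities, user, new_abilities, revoke_old=True):
    """Model an internal transfer. With revoke_old=False the user keeps the old
    role's abilities as well; that accumulation is what the periodic profile
    review is meant to catch. Returns a new mapping; the input is not modified."""
    updated = {u: list(abilities) for u, abilities in user_abilities.items()}
    kept = [] if revoke_old else updated.get(user, [])
    updated[user] = kept + list(new_abilities)
    return updated


# Constructed sample user-to-ability assignment, as an access administrator
# would export it from the ERP user profiles.
USERS = {
    "jdoe": ["purchasing", "enter invoices"],
    "asmith": ["vendor master maintenance", "enter invoices"],
    "bkim": ["set pay rates"],
    "clee": ["create/change GL accounts and cost elements", "post journal entries to GL"],
}

if __name__ == "__main__":
    for user, a, b, cross in find_conflicts(USERS):
        scope = "cross-area" if cross else "single-area"
        print(f"{user}: '{a}' + '{b}' ({scope})")
    # A transfer that adds the new role's abilities without revoking the old ones.
    moved = apply_transfer(USERS, "bkim", ["maintain employee personnel records"], revoke_old=False)
    print("after transfer without revocation:",
          [c for c in find_conflicts(moved) if c[0] == "bkim"])
```

The cross-area flag is the point the text makes about conflicts composed of abilities owned by separate business areas: asmith's conflict spans Purchasing and Accounts Payable, so a review scoped to either area alone would not surface it.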

CONTROL REPORTS AND REPORTING CHAIN

Based on the user profiles and conflicting abilities database, the User SAP Security Contact (USSC) of each business unit runs a conflicting transactions report from SAP at the end of each month. The USSC reviews the report and forwards it to the business administrator (BU AD) of that business unit. The BU AD signs the report to indicate it has been reviewed, and the report is maintained and filed for audit purposes. If the USSC or BU AD notes any problems to be addressed, the USSC requests those changes to user profiles or the conflicting abilities database.

The outlined process has several important internal control components. First, accountability and responsibility are assigned to the USSC and BU AD. Second, a regular, monthly report is reviewed for continuous monitoring of segregations. Third, signed documentation in the form of the conflicting transactions report is preserved as audit evidence of the existence and efficacy of internal controls. Finally, there is a defined, regular process for improvements to the control process via the USSC requesting changes.

DETAILS OF THE PROCESS

The first necessary step is the identification of the conflicting capabilities that will be the subject of the report. In this case, the conflicting abilities are:
Ability 1: Creating a new vendor master account, and
Ability 2: Posting an invoice to the vendor.

Without a separation of these abilities, a fraudster could assign personal information to a vendor account and generate a fraudulent payment to the vendor.

After identifying the conflicting capabilities, a report must be requested from SAP. In this case, an SAP report of vendor master changes is run. The report is sorted by the logon ID of the SAP user with conflicting capabilities. The “Changed By” field in the report contains the logon ID. This report shows which users created or changed vendor information. (See Table 3 for an example.)

Table 3: Conflicting Transaction Report for Purchasing and Payables

Next, a second table must be reviewed to determine which invoices the SAP user posted. This table identifies particular invoices entered by user ID. A comparison of the Create/Change Vendor report and the invoices by user ID allows the USSC to determine any conflicting transactions that occurred. Then the USSC can request appropriate changes to user access to avoid future conflicting capability transactions.

OTHER CRITICAL CONTROL REPORTS IN ACCOUNTS PAYABLE

Various other reports are generated to ensure that the accounts payable process has integrity. To effectively generate these reports in a timely manner, the SAP Security Contacts and Business Administrators in each business unit at the example company also review and use these SAP control reports (see Table 4).

REPORTING CHAIN

As noted earlier, the use of these various reports is iterative and ongoing in the review of segregation of duties, proper user access, SAP profile review, conflicting capabilities, global business warehouse spending, purchase order (PO) list display, invoice changes report, and blocked invoice reports, to name a few. Specifically, the blocked invoice report is generated and reviewed twice a week to detect invoices blocked for whatever reason. By reviewing this report, the unit manager is able to identify reasons why invoices are blocked and then track the system so that overdue items are promptly identified and attended to. Second, by reviewing the PO changes report monthly, the business manager can review everything that is being created, including checks and price changes. Similarly, the review of the SAP Profile report on a quarterly basis ensures that business unit managers have nonconflicting profiles for SAP or compensating controls. The quarterly review of the conflicting capability report ensures that no one person has conflicting abilities that could enable fraud, such as the ability to create requisitions and purchase orders. By continuously reviewing these periodic reports and updating the system for observed weaknesses, the organization is committed to ensuring data and system integrity in both its IT and business process operations.
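The comparison described under Details of the Process above, matching the vendor master change report (its “Changed By” column holding the logon ID) against invoices posted by user ID, is a join that can be automated so the USSC starts from a list of hits rather than two raw reports. What follows is an added example, not code from the article or from SAP; the two CSV extracts are constructed stand-ins for the SAP reports and their column names are assumed.

```python
"""Conflicting-transactions report: vendor master changes compared with invoice
postings by user ID.

Added example; not code from the article or from SAP. The CSV exports below are
constructed stand-ins for the vendor master change report ("Changed By" holds
the logon ID) and an invoices-by-user extract; column names are assumed.
"""
import csv
from collections import defaultdict
from io import StringIO

VENDOR_CHANGES_CSV = """vendor_id,changed_by,change_type,change_date
V10021,SMITHA,CREATE,2009-03-02
V10021,SMITHA,CHANGE_BANK,2009-03-03
V10022,JONESB,CREATE,2009-03-05
V10023,SMITHA,CREATE,2009-03-10
"""

INVOICES_CSV = """invoice_no,vendor_id,posted_by,posting_date,amount
5100001,V10021,SMITHA,2009-03-04,4800.00
5100002,V10022,SMITHA,2009-03-06,920.50
5100003,V10023,JONESB,2009-03-11,150.00
5100004,V10021,LEEC,2009-03-12,310.00
"""


def load_rows(text):
    """Parse a CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(StringIO(text)))


def conflicting_transactions(vendor_changes, invoices):
    """Compare the Create/Change Vendor report with invoices by user ID.

    Returns (same_vendor_hits, dual_ability_users):
      same_vendor_hits   - one entry per invoice posted by the same logon ID that
                           created or changed that invoice's vendor record; this is
                           the create-vendor-then-pay-it path the report exists to catch.
      dual_ability_users - users who exercised both abilities in the period on any
                           vendor: no same-vendor hit yet, but the profiles conflict.
    """
    changed_by_user = defaultdict(set)
    for row in vendor_changes:
        changed_by_user[row["changed_by"]].add(row["vendor_id"])

    posters = set()
    hits = []
    for inv in invoices:
        user = inv["posted_by"]
        posters.add(user)
        if inv["vendor_id"] in changed_by_user.get(user, ()):
            hits.append({
                "user": user,
                "vendor_id": inv["vendor_id"],
                "invoice_no": inv["invoice_no"],
                "amount": float(inv["amount"]),
            })
    dual_ability_users = sorted(set(changed_by_user) & posters)
    return hits, dual_ability_users


def exposure_by_user(hits):
    """Total invoiced amount per user across same-vendor hits, to prioritise review."""
    totals = defaultdict(float)
    for h in hits:
        totals[h["user"]] += h["amount"]
    return dict(totals)


if __name__ == "__main__":
    hits, dual = conflicting_transactions(load_rows(VENDOR_CHANGES_CSV),
                                          load_rows(INVOICES_CSV))
    for h in hits:
        print(f"{h['user']}: created/changed {h['vendor_id']} and posted invoice "
              f"{h['invoice_no']} for {h['amount']:.2f}")
    print("users exercising both abilities:", dual)
    print("exposure by user:", exposure_by_user(hits))
```

The two result lists map onto the two levels of the article's process: the same-vendor hits are the conflicting transactions the BU AD signs off on, and the dual-ability list is the input to the USSC's request for profile changes, since those users hold both abilities even where no single vendor shows both actions yet.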

Table 4: SAP Control Reports

REPORT NAME | FREQUENCY | PURPOSE
SAP profile review | Quarterly | To ensure nonconflicting profiles
Conflicting capabilities report | Quarterly | To ensure no conflicting capabilities
POs without reference to a requisition | Monthly | To ensure all materials are requisitioned
POs created after the invoice | Monthly | To ensure no POs are created after the invoice
Open purchase documents | Monthly | To detect POs not fully received or invoiced
Blocked invoice report | Twice per week | To resolve invoice discrepancies
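The four transaction-level reports in Table 4 each reduce to a simple test over purchase-order and invoice records, which is what makes them cheap to run monthly or twice a week. The following added example, not code from the article or from SAP, implements those four tests over constructed sample records with assumed field names; the two profile-level reviews in Table 4 are out of scope here because they run over user profiles rather than transactions.

```python
"""Accounts payable control reports over purchase orders and invoices.

Added example; not code from the article or from SAP. Implements the four
transaction-level reports in Table 4 over constructed records with assumed
field names (po_no, requisition_no, created, qty_*, block_reason, ...).
"""
from datetime import date

# Constructed purchase orders. requisition_no is empty when the PO was raised
# without a requisition; quantities track receipt and invoicing against the order.
PURCHASE_ORDERS = [
    {"po_no": "4500001", "requisition_no": "R001", "created": "2009-02-10",
     "qty_ordered": 100, "qty_received": 100, "qty_invoiced": 100},
    {"po_no": "4500002", "requisition_no": "", "created": "2009-02-12",
     "qty_ordered": 50, "qty_received": 50, "qty_invoiced": 50},
    {"po_no": "4500003", "requisition_no": "R003", "created": "2009-03-08",
     "qty_ordered": 20, "qty_received": 20, "qty_invoiced": 20},
    {"po_no": "4500004", "requisition_no": "R004", "created": "2009-03-01",
     "qty_ordered": 200, "qty_received": 120, "qty_invoiced": 120},
]

# Constructed invoices. block_reason is empty unless the system blocked payment.
INVOICES = [
    {"invoice_no": "5200001", "po_no": "4500001", "posting_date": "2009-02-20", "block_reason": ""},
    {"invoice_no": "5200002", "po_no": "4500002", "posting_date": "2009-02-15", "block_reason": ""},
    {"invoice_no": "5200003", "po_no": "4500003", "posting_date": "2009-03-05", "block_reason": ""},
    {"invoice_no": "5200004", "po_no": "4500004", "posting_date": "2009-03-09",
     "block_reason": "PRICE VARIANCE"},
]


def pos_without_requisition(pos):
    """Monthly: POs with no requisition reference (materials bought without a request)."""
    return sorted(p["po_no"] for p in pos if not p["requisition_no"])


def pos_created_after_invoice(pos, invoices):
    """Monthly: POs whose creation date is later than an invoice already posted
    against them, i.e. the order was written to cover an invoice after the fact."""
    created = {p["po_no"]: date.fromisoformat(p["created"]) for p in pos}
    late = set()
    for inv in invoices:
        po_created = created.get(inv["po_no"])
        if po_created and po_created > date.fromisoformat(inv["posting_date"]):
            late.add(inv["po_no"])
    return sorted(late)


def open_purchase_documents(pos):
    """Monthly: POs not fully received or not fully invoiced."""
    return sorted(p["po_no"] for p in pos
                  if p["qty_received"] < p["qty_ordered"]
                  or p["qty_invoiced"] < p["qty_ordered"])


def blocked_invoices(invoices):
    """Twice a week: invoices the system has blocked, with the reason to resolve."""
    return [(i["invoice_no"], i["block_reason"]) for i in invoices if i["block_reason"]]


def run_control_reports(pos=PURCHASE_ORDERS, invoices=INVOICES):
    """Produce the four reports in one pass for the business unit's review."""
    return {
        "pos_without_requisition": pos_without_requisition(pos),
        "pos_created_after_invoice": pos_created_after_invoice(pos, invoices),
        "open_purchase_documents": open_purchase_documents(pos),
        "blocked_invoices": blocked_invoices(invoices),
    }


if __name__ == "__main__":
    for name, rows in run_control_reports().items():
        print(f"{name}: {rows}")
```

Each function returns the document numbers a reviewer would follow up, so the output can be filed as the signed evidence the article's reporting chain requires rather than only printed.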
COMPLIANCE WITH SOX SECTION 302

SOX Section 404 requires public companies to publish information within the annual report concerning the scope and adequacy of internal controls. In addition, the statement on internal controls must assess their effectiveness. An effective system of internal controls must include policies and procedures to provide reasonable assurance that:
1. Detailed records accurately reflect the underlying transactions.
2. Transactions are recorded in accordance with Generally Accepted Accounting Principles (GAAP).
3. Transactions are being carried out only in accordance with management’s authorization.
4. Unauthorized transactions are being prevented or detected.

The iterative process and the use of control reports described in this article will assist management in ensuring it has achieved, to the extent possible, the third and fourth items. This iterative process of improving internal controls is extremely important to the CEOs and CFOs of public companies because of the requirements of SOX Section 302. Section 302 describes signed certifications required of the CEO and CFO in corporate financial reports. It also includes a requirement that these signing officers certify that they are responsible for internal controls and that they have evaluated the internal controls within the last 90 days. The continuous reporting and monitoring described in this article allow the CEO and CFO to have some assurance that controls have been evaluated within the last 90 days.

The current versions of ERP software also will allow real-time notification of problems in internal control. For example, the system can be configured to send an e-mail notification to the appropriate unit administrator if a user conducts transactions with conflicting abilities. The Fortune 500 company described in this article does not yet use such real-time notification.

CONTROLS ARE VITAL

In the post Sarbanes-Oxley era, organizations must continue to improve internal controls over their ERP and organizational processes to remain effective, efficient, and in compliance with regulations. Although different organizations might pursue different internal control strategies, organizations with an ERP system can leverage the current system to continuously monitor and improve their internal controls through periodic or on-demand controls or specialized reports. These reports easily can be created from an ERP system, and they can help alert managers and supervisors about authorization or user access violations.

Through these control reports, conflicting capabilities across various business processes can be detected and corrected in a timely manner, either by a business unit manager or an access control administrator. By utilizing these control reports, organizations can reduce costs, become more efficient, respond faster to changes in the marketplace, safeguard assets, and avoid unnecessary business exposures.

Organizations utilizing these control reports also can expect to comply with the requirements of SOX more effectively by having available detailed records that accurately reflect the underlying transactions and by having reports that show unauthorized transactions and raise alerts when access to critical areas of the company’s system is being prevented or detected.

Leslie D. Turner, DBA, CMA, CFM, is a professor of accounting in the Rinker School of Business at Palm Beach Atlantic University in West Palm Beach, Fla. He is a member of the Palm Beach Area Chapter. You can reach him at (561) 803-2470 or LESLIE [email protected].

Vincent Owhoso, Ph.D., is a professor in the Department of Accountancy in the Haile/US Bank College of Business at Northern Kentucky University in Highland Heights, Ky. You can reach him at (859) 572-7548 or [email protected].
