Use ERP Internal Control Exception Reports To Monitor and Improve Controls

By Leslie D. Turner, CMA, CFM, DBA, and Vincent Owhoso, Ph.D.

The extensive use of enterprise resource planning (ERP) systems provides opportunities for continuous monitoring and improvement of internal control systems. This continual monitoring and improvement of internal controls, in turn, assures that management can comply with relevant sections of the Sarbanes-Oxley Act of 2002 (SOX). In this article, we will describe critical processes and systems that are necessary to monitor internal control compliance and the implications for SOX compliance. Internal controls have been integrated into accounting software systems for many years, and ERP systems have enabled monitoring of internal controls that was not possible with legacy systems. For example, ERP systems can provide control reports that highlight inappropriate segregation of duties from an enterprise-wide perspective.

The focus here will be on such newer approaches

[Figure (only label text recovered): PERIODIC EXCEPTION REPORTS ... ACHIEVES; labels: Access Administrator, Segregation of Duties, User Access]
ACCESS ADMINISTRATOR

The role of the access administrator in the model is a critical one because the access administrator is responsible for monitoring and granting user access. The purpose of this role is to ensure that all users have the appropriate system access that allows them to work efficiently and within boundaries that minimize the risk of fraud, inappropriate access, or the loss of data. The access administrator is responsible for delivering control reports to each business unit manager, who is then responsible for reviewing the capabilities of individual employees’ authorized roles for compliance and conflict resolution. (The access administrator only delivers the reports; the responsibility to review and validate the correctness is with the business—i.e., the users’ managers.)

Persons appointed as access administrators should be well trained in their field and be responsible for administering user access to the ERP system, including the ability to create, suspend, remove, and maintain user accounts as defined for a specific class or group of users and to manage and reset credentials and services as authorized by management. In addition, access administrators should possess the ability to define and update key business process information or transactions, monitor the status of key transactions, validate processes and data periodically, review errors and control reports, and document standards, guidelines, and procedures.
Further responsibilities include:
- Determining business and information security requirements that are based on management objectives.
- Ensuring information and systems are protected in line with their importance to the enterprise.
- Granting user access based on each unit manager determining which users are authorized to access particular information and systems.
- Developing service-level agreements.
- “Signing off” on specifications for business requirements (including security requirements).
- Authorizing new or significantly changed systems.
- Ensuring users are aware of their security responsibilities and are able to fulfill them.
- Being involved with security audits/reviews.
SECTION | DESCRIPTION
Conflicting Ability descriptions | Conflicting Ability IDs & descriptions
Potential Risk to XYZ Co. | Description of the potential risk to XYZ Co. that this conflict ID is
Method for identifying transactions that utilized Ability 1 | Identification of transactions using Ability 1
Method for identifying transactions that utilized Ability 2 | Identification of transactions using Ability 2
 | Comparison of transactions to identify potential fraud or damage to XYZ Co.
Other considerations |
FORTUNE 500 COMPANY

This company implemented SAP as its ERP of choice and maintains a database of conflicting abilities for various business processes. Conflicting abilities are those activities performed by one individual that violate the rules of segregating incompatible duties (SoD) as a form of internal control. When SoD is violated, an organization may be subject to fraud and loss of resources through embezzlement and theft of assets and deletion or destruction of company data. Business unit administrators and systems security supervisors can use the inventory of conflicting capabilities to monitor and update internal control violations through periodic reports on conflicting abilities in various operations.
Proper management of these conflicting abilities involves the correct establishment of user profiles. User profiles are the tasks within the ERP system that are assigned to the user. When determining which conflicting abilities must be identified, business areas must consider not only those conflicts composed of abilities that their business area owns, but also those conflicts that are the result of one of their abilities combined with an ability from another business area. Therefore, conflicting abilities may be composed of two abilities owned by one business area or two abilities, each owned by separate business areas. The company uses these conflicting capability documents in the following manner:
- Develop potential list of key control conflicts for business processes/operations.
- Identify each control activity’s control conflicts.
- Establish a matrix of control activities and control conflicts.
- …tions of control activities and control conflicts:
  - When employees change roles (are transferred, promoted, etc.).
  - When incompatible activities are flagged during business process/operations.
  - When functional departments delay or fail to periodically self-report activities of control conflicts.
- Audit units’ compliance with control activities.
- Provide report to appropriate supervisor on status of control activities and control conflicts.

…transactions are performed only by employees with proper authority. The internal and external auditors should review the process for managing and changing passwords and test the effectiveness of password management processes.
ACCOUNTS PAYABLE

DETAILS OF THE PROCESS

The first necessary step is the identification of the conflicting capabilities that will be the subject of the report. In this case, the conflicting abilities are:
- Ability 1: Creating a new vendor master account, and
- Ability 2: Posting an invoice to the vendor.

Various other reports are generated to ensure that the accounts payable process has integrity. To effectively generate these reports in a timely manner, the SAP Security Contacts and Business Administrators in each business unit at the example company also review and use these SAP control reports (see Table 4).
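As an added illustration (not code from the article or from the example company), the following Python carries out the two checks the conflicting capability document calls for, applied to the accounts payable conflict above: a profile review that flags any user holding Ability 1 and Ability 2 together, and a transaction comparison that flags cases where one user both created a vendor master and posted an invoice to that same vendor. The ability IDs, user IDs, and transaction records are constructed placeholders, not SAP values.

```python
# Added example: profile-level and transaction-level SoD checks for the
# vendor-master / invoice-posting conflict. All IDs and records are constructed.
from collections import defaultdict

# Conflict matrix: (Ability 1, Ability 2) pairs one person must not hold together.
CONFLICTS = {("CREATE_VENDOR", "POST_INVOICE")}   # placeholder ability IDs

# Constructed user profiles: abilities assigned to each (placeholder) user ID.
PROFILES = {
    "U001": {"CREATE_VENDOR", "POST_INVOICE"},    # holds both: conflicting profile
    "U002": {"CREATE_VENDOR"},
    "U003": {"POST_INVOICE", "DISPLAY_PO"},
}

# Constructed transaction log: (user, ability, vendor, document id).
TRANSACTIONS = [
    ("U001", "CREATE_VENDOR", "V100", "VM-1"),
    ("U001", "POST_INVOICE",  "V100", "INV-9"),   # same user, same vendor: flag
    ("U002", "CREATE_VENDOR", "V200", "VM-2"),
    ("U003", "POST_INVOICE",  "V200", "INV-10"),  # two different users: no flag
    ("U001", "POST_INVOICE",  "V300", "INV-11"),  # no matching vendor creation
]

def profile_conflicts(profiles, conflicts):
    """Preventive check (quarterly profile review): users whose assigned
    abilities contain a conflicting pair."""
    return sorted(
        (user, a1, a2)
        for user, abilities in profiles.items()
        for a1, a2 in conflicts
        if a1 in abilities and a2 in abilities
    )

def transaction_conflicts(transactions, conflicts):
    """Detective check (conflicting transaction report): identify Ability 1
    and Ability 2 transactions, then compare them per user and vendor."""
    by_user_ability = defaultdict(dict)          # (user, ability) -> {vendor: doc}
    for user, ability, vendor, doc in transactions:
        by_user_ability[(user, ability)][vendor] = doc
    flagged = []
    for a1, a2 in conflicts:
        for (user, ability), vendors in by_user_ability.items():
            if ability != a1:
                continue
            other = by_user_ability.get((user, a2), {})   # same user's Ability 2 use
            for vendor in sorted(vendors.keys() & other.keys()):
                flagged.append((user, vendor, vendors[vendor], other[vendor]))
    return flagged

if __name__ == "__main__":
    print("Conflicting profiles:", profile_conflicts(PROFILES, CONFLICTS))
    print("Conflicting transactions:", transaction_conflicts(TRANSACTIONS, CONFLICTS))
```

Each flagged transaction pair carries both document IDs so the business unit manager, who owns the review, can trace the vendor creation and the invoice posting back to the underlying records.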
REPORTING CHAIN

[Table 3: Conflicting Transaction Report for Purchasing and Payables (table contents not recovered)]

As noted earlier, the use of these various reports is iterative and ongoing in the review of segregation of duties, proper user access, SAP profile review, conflicting capabilities, global business warehouse spending, purchase order (PO) list display, invoice changes report, and blocked invoice reports, to name a few.

Specifically, the blocked invoice report is generated and reviewed twice a week to detect invoices blocked for whatever reason. By reviewing this report, the unit manager is able to identify reasons why invoices are blocked and then track the system so that overdue items are promptly identified and attended to. Second, by reviewing the PO changes report monthly, the business manager can review everything that is being created, including checks and price changes. Similarly, the review of the SAP Profile report on a quarterly basis ensures that business unit managers have nonconflicting profiles for SAP or compensating controls. The quarterly review of the conflicting capability report ensures that no one person has conflicting abilities that could enable fraud, such as the ability to create requisitions and purchase orders.

By continuously reviewing these periodic reports and updating the system for observed weaknesses, the organization is committed to ensuring data and system integrity in both its IT and business process operations.