
AUDITING IN AN ERP ENVIRONMENT

In the recent past there has been a proliferation of entities deploying an ERP solution. These ERPs have changed the manner in which business transactions are recorded and books of account are compiled. The trail of activity that was visible in a manual environment, or even in a stand-alone computerized system, gets significantly blurred to the naked eye in an ERP environment. The control aspects, the inherent checks and balances within an entity's processes and the general accuracy of the accounting records have to be evaluated by auditors in this apparently blurred environment.

As auditors our challenge lies in executing our tasks in this new environment with the same high standards expected of our profession. Given the timelines available for completion of an audit, it is necessary that we achieve what the auditing standards expect of us within those timelines. To that extent we can reinvent ourselves and use the technology to meet our audit objectives. The following points are a helpful hint towards achieving this objective and deciding the extent of other audit procedures.

FIRST ENQUIRIES

This has to be done by interviewing the systems in-charge and the CFO, with the purpose of getting an overall understanding of the ERP solution:

  • What is the ERP environment?
  • Which software is implemented across the entity?
  • Is the software bought out or customized?
  • Is it installed at all locations of the entity?
  • What are the details of the hardware installed?
  • How is the network managed? Do the locations have any role to play in the same?
  • What software other than the ERP solution is in use?
  • Does the ERP have any interface with this other software?

A few general control issues need to be discussed, such as:

  • Does the entity have an IS policy in place?
  • How are the IS policy requirements disseminated amongst the users?
  • What is the mechanism to ensure that the policy guidelines are complied with and that deviations, if any, are thrown up for appropriate action?
  • Are physical and environmental controls adequate?
  • Is the password policy robust? And is it adhered to?
  • What is the control mechanism to ensure that outputs from the ERP are distributed only amongst valid users?
  • Has a system audit been done during the year?
  • What are the findings? And what remedial actions have been taken?
  • Similarly, have other technical (including the network) and non-technical aspects of the ERP been subjected to audit?

In case there has been a migration into a new ERP environment during the year, then we need to get the following information:

  • Was a migration audit done?
  • If so, peruse the audit report and be satisfied that all the balances have been duly carried forward and that there are no issues which would affect the database in the new environment.
  • If no audit was done, how has the entity's management satisfied itself that all the data, balances etc. have seamlessly migrated into the new ERP environment?

Next steps

Having obtained the above information, we need to understand how the ERP behaves and what procedures and practices are involved in the various nuances of the software vis-à-vis business operations. The following aspects need to be understood:

  • How are the EOD and SOD procedures handled?
  • Every ERP environment requires an End of Day (EOD) and Start of Day (SOD) procedure to be done at each location as well as at the data centre. Typically, at the close of business hours the location has to "hand over" the system to the data centre. At the data centre there are scheduled programmes/utilities which manage the data updated with the transactions for the day. These include (but are not restricted to) updating of balances, generation of exception reports etc. This EOD activity at the data centre can take up to several hours.
  • An SOD procedure entails pushing the various MIS and exception reports into the branch environment. The locations may or may not have to give commands for accessing these reports and the updated database, depending upon the manner in which the ERP is configured.
  • Inquire whether there is a system for the process owners to give sign-offs on the various reports that are generated, especially the exception reports. Does the entity experience significant down time? There are occasions when the communication lines can be down and the locations may not be able to function. We, as auditors, need to understand the business impact of such down time, in particular the manner in which transactions that take place during the down time are recorded at the location and ultimately uploaded onto the ERP.
  • Peruse the Access Control Matrix of the branch. Compare the matrix with the actual users.
  • Review the matrix to be satisfied that conflicting duties are not given to any one individual or group of individuals.
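One way to carry out the last two steps (matrix versus actual users, and the conflicting-duties review) as an added Python example that is not part of the original article; the roles, functions, users and conflict pairs are constructed sample data, not taken from any real entity:

```python
"""Access control matrix review: compare the documented matrix against actual ERP
user assignments and flag segregation-of-duties (SoD) conflicts. Constructed data."""

# Documented access control matrix: role -> functions it is permitted to perform.
# Role and function names are hypothetical.
ACCESS_MATRIX = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "GL_ACCOUNTANT": {"post_journal"},
    "GL_REVIEWER": {"approve_journal"},
    "READ_ONLY": {"view_ledger"},
}

# Pairs of functions that should never rest with one individual (hypothetical rules).
CONFLICTING_DUTIES = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"post_journal", "approve_journal"}),
}

# Actual user -> roles, as would be extracted from the ERP's user listing (constructed).
ACTUAL_USERS = {
    "asha": ["AP_CLERK"],
    "ravi": ["AP_CLERK", "AP_MANAGER"],
    "meena": ["GL_ACCOUNTANT", "GL_REVIEWER"],
    "auditor": ["READ_ONLY"],
    "tempuser": ["SUPERUSER"],
}

def effective_functions(roles, matrix=ACCESS_MATRIX):
    """Union of functions granted by all of a user's roles (roles not in the matrix grant nothing)."""
    funcs = set()
    for role in roles:
        funcs |= matrix.get(role, set())
    return funcs

def review_access(users=ACTUAL_USERS, matrix=ACCESS_MATRIX, conflicts=CONFLICTING_DUTIES):
    """Return findings: roles assigned in the ERP but absent from the matrix, and SoD conflicts per user."""
    findings = {"undocumented_roles": {}, "sod_conflicts": {}}
    for user, roles in users.items():
        unknown = sorted(r for r in roles if r not in matrix)
        if unknown:
            findings["undocumented_roles"][user] = unknown
        funcs = effective_functions(roles, matrix)
        # A conflict exists when every function of a prohibited pair is reachable through the user's roles.
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= funcs)
        if hits:
            findings["sod_conflicts"][user] = hits
    return findings
```

A role that appears in the ERP but not in the matrix is itself a finding, since the matrix cannot tell us what that role can do.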

The above steps will enable us as auditors to be satisfied that the cardinal principle of controls in a computerized environment is implemented. This is called the CIA principle, wherein:

  • C = Confidentiality
  • I = Integrity
  • A = Availability

Once the above information is obtained and the auditor gets comfort that the system is implemented as designed and that there have been no incidents whereby the data has been adversely affected vis-à-vis the CIA principle, then it would be reasonable to place reliance on the records produced from the ERP environment for the audit.

  • We should request read-only access to the ERP. This is akin to a request for the ledger in a non-computerized environment. Read-only access will enable us to peruse the transactions and accounts at our own pace and in our own style.
  • There would, of course, be a need for us to gain an orientation on how the ERP is configured. For this it makes eminent sense to request that the SE or some other knowledgeable person accompany us while we navigate through the system. We use this official's help to run queries on various situations on the entity's data. The queries could be of such a nature as would help us accomplish our audit objectives.
