Internal Controls, Fraud Detection and ERP



Similar documents
Chapter 15 Auditing the Expenditure Cycle

How to set up a people based. accounting system that makes your. small business work for you. Thomas G. Post. Certified Public Accountant

Accounts Payable Best Practices

Connecting the dots: IT to Business

INTERNAL CONTROL QUESTIONNAIRE OFFICE OF INTERNAL AUDIT UNIVERSITY OF THE VIRGIN ISLANDS

Case Study Top-Down, Risk-Based Approach Purchase to Pay Process

Table of Contents. Transmittal Letter Executive Summary Background Objectives and Approach Issues Matrix...

THE ABC S OF DATA ANALYTICS

Circular to All Licensed Corporations on Information Technology Management

FINANCIAL AND PURCHASING RECORDS. Includes records showing a summary of receipts, disbursements and other activity against each account.

Segregation of Duties

City of Berkeley. Accounts Payable Audit

ACCOUNTS PAYABLE AUDIT RECOVERING LOST DOLLARS AT NO COST

Accounts Payable. Best Practices: Existing Control: Control Gap: Controls Evaluation and Gap Analysis. Purchasing

P-Card Fraud Controls. Introduction

Internal Control Systems

Chapter 15: Accounts Payable and Purchases

Auditing for Value in the Procure to Pay Cycle Dallas IIA Chapter. October 1, 2009

by: Scott Baranowski, CIA

Final. Internal Audit Report. Creditors System

Checks and Balances Internal Controls. West Virginia State Auditor s Office Chief Inspector Division

INFORMATION TECHNOLOGY CONTROLS

Chapter 13. The Expenditure Cycle. Because this cycle involves the outflow of cash, it is the counterpoint to the revenue cycle

Accounts Payable Outsourcing

AGA CGFM Examinations Sample Questions

ISACA PROFESSIONAL RESOURCES

Microsoft Dynamics AX 2012 Financial Management

February 2, 2012 ACCOUNTS PAYABLE BEST PRACTICES

5:31-7 Appendix B LOCAL AUTHORITIES - ACCOUNTING AND AUDITING IF ANY ARE NOT APPLICABLE, INSERT N/A AS YOUR ANSWER. FIRE DISTRICT YEAR UNDER AUDIT

Copyright 2006 Business Management Systems. Web Based ERP/CRM Software

Course Duration: 3.5 Days. CPE Hours Available: 32 CPE. Knowledge Level: Intermediate. Field of Study: Auditing. Prerequisites: None

Internal Controls. A short presentation from Your Internal Audit Department

Retention & Destruction

The policy and procedural guidelines contained in this handbook are designed to:

Process Control Optimisation with SAP

How To Prevent Fraud On A Credit Card

City of Berkeley. Prepared by:

MEMORANDUM INTERNAL CONTROL REQUIREMENTS FOR NON-PROFITS

Sarbanes-Oxley Compliance A Checklist for Evaluating Internal Controls

BUSINESS PROCESS (SAS 112 Compliance)

Office of the State Controller. Self-Assessment of Internal Controls. Purchasing/Accounts Payable Cycle. Objectives and Risks

Payment Procedures. Corruption Prevention Department

HOWARD UNIVERSITY POLICY

THE EXPENDITURE CYCLE Part I

three TESTS OF CONTROLS AND TESTS OF DETAILS

OFFICE OF AUDITS & ADVISORY SERVICES ACCOUNTS PAYABLE VENDOR MASTER FILE AUDIT FINAL REPORT

Network and Security Controls

Audit Program for Accounts Payable and Purchases

AGA Kansas City Chapter Data Analytics & Continuous Monitoring

Manual of Accounting Policies and Procedures Bridgewater State College Foundation Bridgewater Alumni Association

CREST. Bank and Cash Financial Procedures

B Resource Guide: Implementing Financial Controls

Accounts Payable Capture and Approval

Table of Contents: Chapter 2 Internal Control

Fraud and internal controls, Part 3: Internal fraud schemes

Accounts Payable. Cash Projections Reports - 3-tiered Pay on Dates show what is due in the next 30/60/90 days.

Product. Prologue Accounts Payable Automate Your Accounts Payable Processing

Keeping Tabs on the Top 5 Critical Changes in Active Directory with Netwrix Auditor

ES ACCOUNTING QUICK START GUIDE

Abila MIP Fund Accounting

Sage Accpac ERP 5.6A. SageCRM 6.2 I Integration Guide

ManageEngine Desktop Central Training

FINANCIAL MANAGEMENT POLICIES AND PROCEDURES

PROCURE-TO-PAY TRANSFORMATION FOR CFOs. Achieving Control, Visibility & Cost Savings.

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

Welcome to the topic on managing delivery issues with Goods Receipt POs.

idelpi Software Quick Install and Basic Configuration Guide

BDO Consulting. Segregation of Duties Checklist

INTUIT PROFESSIONAL EDUCATION. QuickBooks Files: Sharing, Managing, and Maintaining Data Integrity

How To Prevent Fraud In The United States

Mitigating Risks and Monitoring Activity for Database Security

Financial Accounting. John J. Wild. Sixth Edition. McGraw-Hill/Irwin. Copyright 2013 by The McGraw-Hill Companies, Inc. All rights reserved.

Leverage Your Financial System to Enable Sarbanes-Oxley Compliance: An Evaluator s Guide

MEMORANDUM. Municipal Officials. From: Karen Horn, Director, Public Policy and Advocacy; and Abby Friedman, Director, Municipal Assistance Center

Internal Control Requirements December 11, 2002

7 Capabilities Your Software Vendor Should Offer to Support your Business Operations in China.

Accounts Payable Automation

Chapter 6: Developing a Proper Audit Trail for your EBS Environment

INFORMATION SECURITY OVERVIEW

AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL STATEMENTS:

MD AOC Project Introduction to PeopleSoft

Dynamics GP 50 Tips in 50 Minutes

Numerous missing invoices, receipts, and purchase justifications.

KANSAS CITY, MISSOURI RESPONSES TO THE FISCAL YEAR 2013 AUDIT MANAGEMENT LETTER

MANAGE. Sarbanes-Oxley Readiness with Microsoft Dynamics NAV. Microsoft Dynamics NAV 5.0. White Paper

TRAVERSE version 11 Point of Sale

PROJECT in a box version 2.4 Server. Install guide

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Tips to Prevent and Detect Workplace Fraud

Software Monthly Maintenance (Non Accounting Use) Quick Reference Guide

Introductions, Course Outline, and Other Administration Issues. Ed Ferrara, MSIA, CISSP Copyright 2015 Edward S.

Risk Management Advisory Services, LLC Capital markets audit and control

Transcription:

Internal Controls, Fraud Detection and ERP Recently the SEC adopted Section 404 of the Sarbanes Oxley Act. This law requires each annual report of a company to contain 1. A statement of management's responsibility for establishing and maintaining an adequate internal controls and 2. Management's assessment of the effectiveness of the company's internal control structure and procedures for financial reporting. 3. The company's auditor to attest to, and report on management's assessment of the effectiveness of the company's internal controls and procedures Sarbanes Oxley requires that internal controls be extensively documented and this is a significant exercise. This brief review will look at some issues that should be considered in setting up internal controls in an ERP environment. Internal Controls: reviewing the practices, transactions, procedures and processes used to control the financial transactions and protecting a company's property and assets. This paper will examine how the internal auditor working specifically with the Seradex ERP system can implement internal controls and detect fraudulent transactions. The general approach should be applicable to most ERP systems. What is SERADEX ERP? Seradex is an ERP application processing data from a database. It offers flexible configuration and security options. Seradex links data in real time across the traditional business functions such as sales-production-inventoryprocurement and finance An important point to note is to realize that Seradex ERP is an application program, like Microsoft Excel or Word. It typically sits between the end user and a database management system (such as SQL Server) and controls the adding, changing and deleting of data from that database. Seradex ERP is a very flexible system that is configured to meet the organizational needs and requirements. This adds to the complexity of

auditing the system because not only do you need to know how Seradex ERP works but also how your company is using Seradex. One important feature characteristic of the Seradex ERP system is that user access is dependent on the Windows network security setting for each user and group. By setting up groups with highly detailed access parameters users can be easily setup and added to the appropriate group reducing security administration efforts. Seradex ERP and Internal Controls Seradex ERP dictates that operational data and financial data are totally integrated. More people are able to enter transactions without review or checking by a supervisor. Many organizations give users very wide access to data without necessarily analyzing specific work requirements. Note: Without careful consideration this wide access can weaken internal controls by violating the segregation of duties concept. ERP systems change the role of middle management for transaction review and authorization. Questioning and follow up formerly done by middle managers is commonly reduced when an ERP system is implemented. There are several implications and considerations to the internal controls possible in Seradex ERP. These can be segregated into the following categories: Network Security and User Identities User and Group Setup Security authorization issues Use of Active Directory Administrative user management Password control Customer / Supplier Access User Controls Server, Network and Firewall controls Patch policy on Servers and Workstations System Controls Reconciliation of control accounts to subsidiary ledgers Accounts Payable, Accounts Receivable, Inventory, Invoicing, Vendor Invoicing

Reconciliations of data to external information bank reconciliation, accounts payable statement reconciliations Cost centre and responsibility accounting Management review and budgetary control Review and authorization of non-routine transactions Validation checks Validation of data input in particular transactions Properly designed and validated reports with authority checks Matching of documents prior to closing out e.g. purchase order receiving documentation invoice Master file control Independent review of master file changes Independent master file creation to transactional responsibilities Identifying redundant master Auditing for Fraud Auditors have a responsibility to minimize opportunities by ensuring that adequate internal controls are in place. If internal controls are weak in a n particular area the next step would be to consider red flags. A red flag is an indicator that some kind of irregularity is occurring and that something may be wrong. It does not prove that fraud has occurred but if a red flag is identified more detailed transaction examination is required. Identifying Red Flags Some example of red flags could include: actual expenses far exceeding budgeted or prior years expenses Expenses out of historic norms significant manual entries made to asset and expense accounts addresses, telephone numbers and other data that link employees to vendor master records Ratios are not making sense: ex. ratio of overtime expenses to sales, Unexplained price increases in material costs (kickback scheme) Excessive Inventory quantity and cost adjustments Manual database queries can be developed to examine the inventory audit trail, adjustment details, phone number and address comparisons of employees and vendors to provide identify further transactions for

examination. All transactions in Seradex record the network user who created or changed the transaction as well as time and date stamps. Accounts Payable in SERADEX ERP Purchasing and accounts payable represents a major area for fraud because it results in the physical disbursement of cash to suppliers. Seradex ERP offers excellent built in tools to avoid fraudulent activity in the accounts payable function: Seradex offers three way matching between Purchase Order, Receiving and Vendor Invoicing. This is followed by check preparation. Ideally each of these transactions should be done by separate individuals to ensure segregation of duties. A invoice voucher can be printed and reviewed for each check over a threshold amount to additional review. An invoice voucher can be printed for any purchase from a one time vendor or any PO for a Special item. Establish procedures on when a vendor master is required. Requiring a PO offers more control than entering a miscellaneous payable directly into A/P as more people have to be involved in the transaction. These transactions need more thorough controls and testing. Vendor Master file changes should be a separate function from Purchasing to ensure segregation of duties Duplicate invoice control - the system will review invoices posted to a particular vendor code and highlight whether the current invoice is the same as a previous one. Fraud Tests in the Accounts Payable Cycle Some things to test for in this cycle includes developing queries for identifying high risk vendors and payments: Transactions where the same user created the PO, Receipt and Approved the Vendor Invoice PO s where the person changing the PO is different that the person issuing the PO Any PO for a non inventory item or service item that is >$XXX. Service expenditures don t involve asset that has to be produced later. This includes expenditures for consulting, advertising or marketing Any PO to a one time vendor that is >$XXX Transactions where the Vendor was created by the user issuing the PO

Seradex ERP has challenged the role of internal auditors and it requires auditors to learn new skill sets - some of which are fairly technical and involve directly accessing data in the system. Security Authorizations At he heart of internal control is security access to the ERP system. Defined policies on who sets users up and what groups they belong to is critical. Make sure network logs are switched on for full tracking. This allows you to check who logged on at what workstation. Queries can be developed to list all users that logged on to each workstation and at what time. Information on which workstations logged onto Seradex is easily available. These can be correlated to the time of individual transactions in Seradex ERP. These logs will also identify which data files were copied to the local workstations. Most users are not aware that these capabilities exist. Severely limit users who are granted administrative rights and ensure users only have access to the information they require. Often a short cut is taken and the easiest answer is to give all personnel very wide access If authorizations are set too narrow, users will require significant Help Desk resources. Password Control The system can enforce minimum password lengths and enforce password expiry on a regular basis. Patch Management Policy Document the frequency of patch updates for servers and workstations. Data Access In these days of DVD burners, USB keys that can hold 1 Gigabyte of data stringent control over corporate data needs to be established. Unauthorized users could easily take customer lists, sales history, product information and pricing home in their shirt pockets. Remote Users Remote users accessing the system through VPN connections need to be securely authenticated.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information