ERP Security Risks and Audi?ng

Similar documents
San Jacinto College Banner & Enterprise Applica5on Review Task Force Report. November 01, 2011 FINAL

MAXIMIZING THE SUCCESS OF YOUR E-PROCUREMENT TECHNOLOGY INVESTMENT. How to Drive Adop.on, Efficiency, and ROI for the Long Term

IT Change Management Process Training

Effec%ve AX 2012 Upgrade Project Planning and Microso< Sure Step. Arbela Technologies

Online Enrollment Op>ons - Sales Training Benefi+ocus.com, Inc. All rights reserved. Confiden>al and Proprietary 1

Protec'ng Informa'on Assets - Week 8 - Business Continuity and Disaster Recovery Planning. MIS 5206 Protec/ng Informa/on Assets Greg Senko

PROJECT PORTFOLIO SUITE

Cost Effec/ve Approaches to Best Prac/ces in Data Analy/cs for Internal Audit

Fixed Scope Offering (FSO) for Oracle SRM

Founda'onal IT Governance A Founda'onal Framework for Governing Enterprise IT Adapted from the ISACA COBIT 5 Framework

Case Study. The SACM Journey at the Ontario Government

Council Monitoring & Assessment Program Development

Informa.on Systems in Organiza.ons

UAB Cyber Security Ini1a1ve

Capitalize on your carbon management solu4on investment

Modernizing EDI: How to Cut Your Migra6on Costs by Over 50%

Best Prac*ces in Corporate Card Expense Management May 2012

Risk Management in Role-based Applications Segregation of Duties in Oracle

B2B Offerings. Helping businesses op2mize. Infolob s amazing b2b offerings helps your company achieve maximum produc2vity

DTCC Data Quality Survey Industry Report

The Road To Project Governance at Utah State University

Interna'onal Standards Ac'vi'es on Cloud Security EVA KUIPER, CISA CISSP HP ENTERPRISE SECURITY SERVICES

Consolida9ng Compliance Audits in Order to Improve Efficiency and Improve Risk and Compliance Posture Andrew Williams, Lead, Coalfire

BPO. Accerela*ng Revenue Enhancements Through Sales Support Services

Poten&al Impact of FDA Regula&on of EMRs. October 27, 2010

Project Por)olio Management

Understanding ERP Architectures, Security and Risk Brandon Sprankle PwC Partner March 2015

Legacy Archiving How many lights do you leave on? September 14 th, 2015

Panorama Consulting Group. PERFECT Fit ERP Selection Framework

So#ware quality assurance - introduc4on. Dr Ana Magazinius

Disaster Recovery Planning and Implementa6on. Chris Russel Director, IT Infrastructure and ISO Compu6ng and Network Services York University

Program Model: Muskingum University offers a unique graduate program integra6ng BUSINESS and TECHNOLOGY to develop the 21 st century professional.

Help Framework. Ticket Management Ticket Resolu/on Communica/ons. Ticket Assignment Follow up Customer - communica/on System updates Delay management

Privileged Administra0on Best Prac0ces :: September 1, 2015

Five Factors Driving Businesses to Rethink EDI on IBM i

Developing a Full- Spectrum Security Training Program

What s Driving Adop2on of IT Governance? ISACA North Texas Chapter. Aus2n Hu@on Hu@on Consul2ng October 11, 2012

Range of Organiza7onal Approaches

Project Management Introduc1on

Exchange of experience from a SuccessFactors LMS Implementa9on

Mission. To provide higher technological educa5on with quality, preparing. competent professionals, with sound founda5ons in science, technology

First Na)on Project Management Boot Camp

S24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma

Business Analysis Center of Excellence The Cornerstone of Business Transformation

DEFINING COMPONENTS OF NATIONAL REDD+ FINANCIAL PLANNING

San Francisco Chapter. Presented by Mike O. Villegas, CISA, CISSP

An Econocom Group company. Your partner in the transi4on towards Mobile IT

The Shi'ing Role of School Psychologists within a Mul7-7ered System of Support Framework. FASP Annual Conference October 29, 2015

Developing Your Roadmap The Association of Independent Colleges and Universities of Massachusetts. October 3, 2013

Connec(ng to the NC Educa(on Cloud

Reali9es of Being PCI Compliant

So#ware Development Methodologies Project Management Phases Agile Methodology Agile Manifesto Roles. Team Roles and Responsibili?

Auditing Applications. ISACA Seminar: February 10, 2012

Big Data. The Big Picture. Our flexible and efficient Big Data solu9ons open the door to new opportuni9es and new business areas

Strategy and Architecture to Establish 'Smart Plants'

The Pros and Cons of Organiza2on

How To Perform a SaaS Applica7on Inventory in. 5Simple Steps. A Guide for Informa7on Security Professionals. Share this ebook

Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle Applications

How To Use Splunk For Android (Windows) With A Mobile App On A Microsoft Tablet (Windows 8) For Free (Windows 7) For A Limited Time (Windows 10) For $99.99) For Two Years (Windows 9

Center for Mining Safety & Health Excellence Risk & Change Management in Mining

Computer Security Incident Handling Detec6on and Analysis

MPS & VPS: Not Just for Hos1ng!

Automating New Market Entry Rollout

Beyond Strategy: Building Your Mobile Capabili6es

SUMMIT. November 2010

Fixed Scope Offering Fusion Financial Implementation

Update on the Cloud Demonstration Project

Identity and Access Positioning of Paradgimo

Phone Systems Buyer s Guide

ORION Retail Systems. Orion Digital Integration Inc. Point of Sale Reinvented for a Mobile World

Bank of America Security by Design. Derrick Barksdale Jason Gillam

Advanced Invoice Processing: One Step at a Time. Sam Abadir Solu.on Manager Accoun.ng Percep.ve So7ware

Information and Communications Technology Supply Chain Risk Management (ICT SCRM) AND NIST Cybersecurity Framework

How To Protect Virtualized Data From Security Threats

The Real Score of Cloud

Pro Billing for Legal Time, Billing & Financial Systems for Law Firms and Legal Departments

Website Design. A Crash Course. Monique Sherre, monique@boxcarmarke4ng.com

Enterprise Financial Management: ERP for Small and Mid-market Companies

Leverage T echnology: Move Your Business Forward

SAP SECURITY CLEARING THE CONFUSION AND TAKING A HOLISTIC APPROACH

Here to Stay: How to Effec.vely Manage Capital Assets

IT Governance in Organizations Experiencing Decentralization. Jelena Zdravkovic

Digital Communication Agency

Consolidate, Organize, Search, and Visualize: ZED Report Catalog provides a single point of entry across mul9ple repor9ng tools and pla:orms

Armedia Capabili-es Brief Enterprise Content and Informa1on Management Professionals

Innovation Quality Flexibility

Founded in 1993 OSI has grown to become a leading technology consulting and services firm with over 450 professionals both from US and India

SharePoint Capacity Planning Balancing Organiza,onal Requirements with Performance and Cost

OS/Run'me and Execu'on Time Produc'vity

Challenges of PM in Albania and a New. Professional Perspec8ve. Prepared by: Dritan Mezini, MBA, MPM B.S. CS

How JetBlue is Reaping the Rewards of Dynamic Discoun:ng. Joni Geurts - JetBlue Paul Kerins - ipayables

Application of Supply Chain Concepts to the Analysis Process

Using FICAM as a model for TSCP Best Prac:ces in Physical Iden:ty and Access Management. TSCP Symposium November 2013

How To Implement Fusion Hcm

A R o a d t o y o u r C l o u d. Professional Service. C R M a n d C l o u d C o n s u l t i n g

Change Management Strategies to Increase Adop5on of Systems, Programs and Processes

ITS Strategic Plan Enabling an Unbounded University

Building an Audit Trail in an Oracle EBS Environment. Presented by: Jeffrey T. Hare, CPA CISA CIA

The presentation will begin in a few moments

Qubera Solu+ons Access Governance a next genera0on approach to Iden0ty Management

Transcription:

ERP Security Risks and Audi?ng Irina Majstrova, Director, PwC In- Depth Seminars D32 CRISC CGEIT CISM CISA

Agenda 1. Introduc?on 2. ERP audit scoping considera?ons 3. Execu?on of ERP audits 4. ERP implementa?on audits 5. Summary 6. Ques?ons 2

INTRODUCTION CRISC CGEIT CISM CISA 3 9/20/13 3

ERP AUDIT SCOPING CONSIDERATIONS CRISC CGEIT CISM CISA 9/20/13 4

Typical Audit Execu?on Framework Project Governance - Monitoring and regular repor?ng on status, issues, and resolu?ons Scoping Planning and audit strategy Processes and controls design assessment Opera?ng effec?veness assessment Remedia?on and Evalua?on Determine the scope of audit based on the following: - Risk - Materiality - Magnitude of impact - Specific area of focus - Other requirements/ focus areas Plan your audit: - Requirements - Timing - Resources - Dependencies Plan your audit approach Determine level of documenta?on and templates Determine communica?on strategy Understand processes and controls Conduct walkthroughs to confirm understanding of processes and controls Perform assessment of process and controls design to confirm it sufficiently covers risks Iden?fy design issues Finalize areas/ controls for tes?ng Perform opera?ng effec?veness tes?ng of controls iden?fied for tes?ng Iden?fy opera?ng effec?veness issues Perform remedia?on tes?ng on ineffec?ve controls Evaluate impact of iden?fied design and opera?ng effec?veness issues Agree on managements ac?on plan to address unremediated issues 5

Scoping an ERP Audit Ini?al ques?ons to start with to iden?fy ERP related risks 1. What ERP modules are being used and which ones support significant business processes or business processes under assessment? 2. What Ledgers/Opera?ng units/ Organiza?ons/ Sets of Books are significant or under assessment? 3. What is the level of automa?on of business processes introduced through the use of ERP? 4. Do business process owners rely on automated applica?on controls (e.g., system configura?ons, customiza?ons), or ERP- dependant manual controls to perform their du?es/ controls and what those are? 5. Do business owners rely on ERP to mi?gate segrega?on of du?es (SOD) risk and segregate access and what those SOD cases are? 6. What key reports would the audit team like you to validate? And what afributes? 7. How is access to ERP provisioned? 8. How are changes to ERP promoted? 9. How are ERP batch jobs and interfaces monitored? 10. How is ERP backed up and restored?... 6

Business Processes Typical ERP Audit Areas Scope of business processes Business processes in scope Subledgers/ modules Organiza?ons/ Ledgers/ Sets of books/ Opera?ng or Business units Automated applica?on controls within ERP Significant configura?ons and customiza?ons within each subledger/module and within each Organiza?on/ Ledger/ Set of books/ Opera?ng or Business unit in scope ERP- dependent manual controls Significant transac?on processing controls (i.e. complex calcula?ons, built- in checks, etc ) Reports and Interfaces Significant SODs and restricted access enforcement Master data maintenance 7

Typical ERP Audit Areas - Con?nued IT General Controls Program development/ System Development Life Cycle and Program changes: Code development Applica?on code changes Configura?on changes Data changes Users access (ERP security): Privileged users access (applica?on, database and OS levels) Back- end access (DBA or Applica?on developer- like access) Segrega?on of du?es (SOD) Computer opera?ons: Batch processing Backups and restora?on Physical access 8

Timing of ERP audit: Establishing ERP Audit Strategy Based on compliance requirements Based on availability of resources to support the audit Based on internal repor?ng requirements or milestones Consider dependencies that will impact ERP audit execu?on: ERP Implementa?on phases Business/ ERP transforma?ons and changes in the controls Consider audit and documenta?on requirements: Frequency of tes?ng (2?mes a year, quarterly, change driven, etc ) Documenta?on (evidence reten?on, level of documenta?on, etc ) Audit techniques (inquiry, observa?on, examina?on, reperformance) Consider resources: Resources skills, subject mafer exper?se in your ERP and availability to execute the audit Resources availability to support the audit (par?cipate in mee?ngs, answer audit ques?ons, provide evidence, etc ) 9

Establish ERP Audit Execu?on Plan Type of ERP is important ensure you understand specifics of ERP such as: IT solu?on and architecture (dependencies, security model, etc ) Func?onality and lack of it (business processes, repor?ng, configura?on specifics, etc ) Weak areas from security and func?onality perspec?ve Involve subject mafer experts for ERP, Database, OS, security and func?onal specialists (per module and/or overall) Consider tools that automate audit and analysis Leverage technical resources, ERP design documents, business process narra?ves, other documenta?on Understand all ERP modules implemented and Ledgers/Opera?ng units/ Organiza?ons/ Sets of Books in scope for review Understand all processes and controls in scope for review Understand?ming of the review and deliverables/ outcome 10

EXECUTION OF ERP AUDITS CRISC CGEIT CISM CISA 9/20/13 11

Execu?ng the ERP Audit Plan Start with understanding risks, business and IT processes and controls and how the ERP supports them (review design documenta?on, perform walkthroughs, etc ) Understand the areas of automa?on, customiza?ons, complex calcula?ons, workflows, SOD, reports and interfaces Assess whether design of processes and controls is sufficient to cover the risks and whether there is lack of control points in the process Perform tes?ng of opera?ng effec?veness of iden?fied control points within ERP as well as SOD, reports and interfaces. Inherent func?onality ERP controls are usually not tested unless there is a specific requirement (example: users cannot post a JE to a closed period) 12

Execu?ng the ERP Audit Plan - Con?nued Perform tes?ng of opera?ng effec?veness of iden?fied IT general controls suppor?ng your ERP Iden?fy issues with ERP control points Iden?fy issues with excessive access and/or segrega?on of du?es issues Iden?fy issues with reports completeness and accuracy Document tes?ng with required level of evidence retained Discuss with control owners, IT and system administrators, process owners, data owners, etc. your findings Discuss remedia?on plans and?ming Perform assessment of the impact: Consider mi?ga?ng controls to reduce the exposure 13

ERP Audits Lessons Learned Remember that analysis of ERP controls is point- in-?me, hence IT general controls are important for con?nuous opera?on False posi?ves in SOD typically are not false Consider access to powerful accounts (all layers ERP, DB, OS) and developers access to produc?on Lack of completeness or accuracy of reports or interfaces may result in significant failures of dependent controls and expose the company Each ERP has its own areas of weakness that should be a focus of your audit Collabora?on with business process owners and security administrators is cri?cal 14

Common ERP Risk and Audit Areas General Ledger Sub- ledger to GL interfaces Financial statement consolida?on logic Intercompany elimina?ons FX conversion/transla?on/revalua?on Journal setups and processing Order to Cash Revenue recogni?on Pricing procedures / tolerances Credit checking AR aging/bucke?ng Cash receipts Purchasing to Payables PO/PR approvals / hierarchy Tolerances Matching Fixed Assets Deprecia?on calcula?on Inventory Cos?ng Cycle coun?ng Segrega?on of Du?es Master Data setup Interfaces 15

Areas of Increased Focus by PCAOB (ERP related) Journal Entries: Ini?a?on, authoriza?on, approval, recording in GL SOD for create, post and perform accounts reconcilia?on Completeness of popula?on of manual journal entries Income taxes Understanding of the process and controls in the income tax cycle Excessive reliance on super controls Appropriateness of underlying data (i.e. reports) Level of ERP controls tes?ng Overreliance on inquiry and insufficient tes?ng procedures Lack of understanding of how controls are configured/ designed IT dependent controls (reports and interfaces) and EDI Completeness and accuracy of reports, interfaces, EDI feeds 16

ERP IMPLEMENTATION AUDITS CRISC CGEIT CISM CISA 9/20/13 17

Benefits of ERP Implementa?on Review Support a no surprises approach for subsequent audits via advance involvement before GO- LIVE Make an annual audit more efficient through leveraging ERP implementa?on review work and results performed upfront Provide an independent point- of- view on how ERP helps automate business processes and setups and support a robust business process controls environment Provide real?me and acdonable feedback on business & IT processes and controls improvement Provide an independent view to the Execu?ve Stakeholders on how the ERP upgrade project is mee?ng project objec?ves and progressing compared to expecta?ons 18

ERP Implementa?on Review The ERP Implementa?on review may be performed as pre- implementa?on and post- implementa?on. Pre- implementa?on review helps iden?fy project, business, and control risks early and address them before go- live Typically the pre- implementa?on is preferred as it occurs earlier in the process and touches on more areas: (1) Project Diagnos?c, (2) Business and IT Process, and (3) Controls outcomes ERP Pre-Implementation Review Business & IT/ Project/ Controls outcomes ERP Post-Implementation Review Controls outcomes Project Diagnostics IT Audit Procedures Business Process Controls Review GO-LIVE Post GO-LIVE - Project management - Scope management - Contingency plans - Issue management - SDLC - Readiness for GO-LIVE - Data conversion/ Interfaces - IT general controls - Application controls and SoD assessment - Business process & controls effectiveness - Reporting requirements - IT general controls - Data conversion/ Interfaces - Application controls and SoD analysis - Business process controls efficiencies - Reporting requirements 19

Common Areas of ERP Implementa?on Review Project diagnos?cs (op?onal) System development life cycle IT general controls and processes Business processes and applica?on controls Segrega?on of du?es 20

Typical Areas of Focus System development life cycle (SDLC) Assess the design and opera?onal effec?veness of SDLC controls based on the leading prac?ce over the implementa?on with the focus on the following areas: Design sign off, Data Conversion/Migra?on, Key Interfaces/ Integra?on with Legacy Systems, UAT Tes?ng, Go- live and Cutover procedures Post go- live issues tracking IT general controls and processes Assess the design and opera?ng effec?veness of IT general controls with the focus on change management, security and access areas for the applica?on, database, and OS. 21

Typical Areas of Focus - Con?nued Business processes and applicadon controls review Assess the impact of ERP implementa?on on the business processes and applica?on controls: Understand business processes and controls through the review of the business process documenta?on, risk and controls matrices, applica?on design documenta?on and mee?ngs with business owners Assess design and opera?ng effec?veness of ERP automated controls and key reports SegregaDon of dudes review Assess segrega?on of du?es within business process taking into considera?on exis?ng SOD policies/ rules of the company, industry good prac?ces, ERP func?onality 22

ERP Implementa?on Review Accelerators Tools for SOD and Access assessment Oracle/ SAP GRC Approva Logical Apps, etc Tools for ERP configura?on assessment Oracle/ SAP GRC Custom developed scripts, etc Risks and Controls Libraries per ERP Proprietary libraries of audit firms 23

ERP Implementa?on Review Typical Piralls Neglec?ng to scope ERP implementa?on review correctly Failing to understand the impact of new func?onality Incorrectly evalua?ng security & segrega?on of du?es Failing to evaluate the impact of new reports and interfaces Star?ng the review late in the process or post- go live Performing a key control impact assessment too late If the following is true, there is a heightened risk related to ERP implementa?on: User acceptance tes?ng designed for prior version of ERP Complex data conversion/migra?on strategies Business requirements and design documents completed un?mely Ineffec?ve issues log and defect tracking Inaccurate project governance & status repor?ng to support the go- live decision 24

ERP IMPLEMENTATION AUDIT ORACLE EBS R12 IMPLEMENTATION REVIEW CRISC CGEIT CISM CISA 9/20/13 25

Oracle R12 Implementa?on Audit Company Background US- based private technology company with SaaS offering model Oracle R12 modules installed: iprocurement, Purchasing, Payables, iexpense, Order Management, Receivables, Service Contracts, Advanced Collec?ons, Cash Management, General Ledger, Fixed Assets, System Administra?on Third party applica?on installed for revenue recogni?on along with Oracle implementa?on residing on the same Oracle R12 database Custom home- grown applica?ons for customer portal, subscrip?ons, tracking of usage, etc 26

Oracle R12 Implementa?on Review Plan Review Oracle R12 design Review Business Process and IT controls for Oracle R12 and Revenue system Assess SDLC and Oracle R12 implementa?on project execu?on Provide recommenda?ons 27

Oracle R12 Implementa?on Review Execu?on Reviewed Oracle R12 design documenta?on along with the to- be business process narra?ves and flowcharts Interviewed business process owners to understand the future process state Assessed design of business processes and controls along with Oracle R12 configura?ons from design documenta?on for all Orace R12 modules and revenue system Iden?fied risks and areas of insufficient controls and configura?ons for business processes as well as SOD Provided recommenda?ons for improvement of ERP control points, missing controls and associated configura?ons Provided recommenda?ons for SOD controls Assessed design of IT controls over Oracle environment and provided recommenda?ons for IT controls 28

Oracle R12 Implementa?on Review Execu?on - Con?nued Assessed Oracle R12 implementa?on project execu?on and SDLC focusing on the following: Project structure, roles and communica?on Design sign off Data conversion CRP and UAT tes?ng Produc?on approval and cut- over to produc?on Issues tracking and resolu?on Provided recommenda?ons for improvement (mostly around stake holder involvement,?mely sign offs on design and tes?ng, issues tracking) 29

Oracle R12 Implementa?on Review - Findings Business process & policies were not clearly defined for a number of areas and hence not configured in Oracle R12: Process/policy for use of customer discounts, requisi?on, purchasing, invoice and JE approval limits were not defined Business requirements for revenue recogni?on were not defined (i.e. revenue treatments for product offerings, revenue triggers, stra?fica?on criteria for BESP/ VSOE, etc ) Process for handling invoices on hold was not clearly defined Roles and responsibili?es were not defined for a number of processes (customer management, credit and collec?ons, etc ) and the client planned to use seeded responsibili?es that would create a large number of SOD conflicts 30

Oracle R12 Implementa?on Review - Findings Design was signed off with significant areas missing: GL structure such as # of legal en??es, primary ledgers, secondary ledgers, repor?ng currencies were not defined or agreed upon in the design Financial repor?ng and consolida?on requirements have not been defined Lack of key stakeholders oversight of the ERP implementa?on execu?on CRP and UAT tes?ng did not test for end to end scenarios and did not have detailed test scripts with expected results or input data to conduct tes?ng User training was limited and combined with UAT Disorganized UAT process and issues resolu?on slowed down the tes?ng and pushed out the go- live date by 1 month Lack of streamlined issues resolu?on process required the company to extend the post- go live support period 31

Example of Findings and Recommenda?ons Module: Purchasing Definitions: Design Gap - Areas where there is an absence or insufficiency of controls or their design. Control Point - Potential operational or financial control. Observation - These are activities we noted from our design assessments that could be modified to help improve efficiency. Categories: Requisitions, Purchase Orders, Blanket Agreements, Receipts/ Accruals, Reports, Workflow/Notifications/Alerts, Data Migration, Controls & Compliance, Purchasing Business Process Category Design Gap/ Control Point/ Observation Purchasing Orders Payables Invoices Ref # Description Impact/ Control Control Point POYY, POZZ Recommend to define a control addressing 3-Financial APXX, APVV way and 2-way match. Invoices should be matched to purchase orders (2-way matching) and receipts (3-way matching) and systematically validated. For Purchasing options global setting to be 3- way consider the following: - The "Match Approval Level" configuration is set to 3-way. - The "Received Flag" should be enabled. Rationale/ Comments Supplier may over-bill and invalid or inaccurate invoices may be paid that could increase the risk of unauthorized transactions and misstatement of accounts. This control should be configured together with a control around matching tolerances and other controls in place that mitigate the risk of changing the matching on different levels. For Supplier level: - The "Invoice Match Option" configuration is set to "Receipt". - The "Hold Unmatched Invoice" configuration is Enabled. "Match Approval Level" (2-way, 3-way or 4- way) can be overridden at the following levels: Purchasing options (global setting)>supplier level>po line shipment level>item master. Consider a monitoring control over changes from 3 to 2 way match on the above levels. 32

Remedia?on Efforts The company agreed with all findings auer discussion Iden?fied issues were priori?zed and high priority ones (business policy and recommended ERP configura?ons) were addressed before go- live A number of issues related to controls implementa?on in business processes were par?ally addressed auer go- live There is s?ll a number of recommenda?ons that the company considers to implement in wave 2 of business process op?miza?on ini?a?ve In response to access and SOD issues, the company decided to implementa?on Oracle GRC 33

SUMMARY CRISC CGEIT CISM CISA 9/20/13 34

Recap Technical and ERP subject mafer exper?se knowledge is cri?cal to a successful ERP audit Use of tools and accelerators significantly speeds up the audit process and analysis Proper scoping of the audit is cri?cal to the success of the project Stakeholders support of ERP audit is key to make an impact and contribute to improvement of ERP environment Early involvement to perform ERP implementa?on review will save company funds remedia?ng control issues post go- live 35

Ques?ons? 36

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information