What is an ERP system?
Any software system designed to support and automate the business processes of medium and large businesses. This may include manufacturing, distribution, personnel, project management, payroll, and financials. ERP systems are accounting-oriented information systems for identifying and planning the enterprise-wide resources needed to take, make, distribute, and account for customer orders. ERP systems were originally extensions of MRP II systems, but have since widened their scope. The basic premise of ERP systems is to implement a single information warehouse that will service all of the functional areas of a business: marketing and sales, production and materials management, accounting and finance, and human resources. Information is updated real-time in the ERP database, so that employees in all business units are using the same information, and all information is up-to-date.
How have ERP systems impacted the nature of Auditing?
The interaction and flow of information, issues with data and the processing of data, controls and security of the data and the systems, and training of employees are the four major areas in which ERP’s have impacted the nature of auditing. The increased implementation and use of ERP systems in today’s business environment, and especially in financial reporting, means auditors must become knowledgeable about ERP’s. When a company uses an ERP system, the audit focus shifts from substantive testing of the books of account to understanding the business processes, testing the systems and applications controls, as well as controls over system access. The technical complexity of ERP systems has required auditors to increase their knowledge of information technology and more often supplement their audits with outside technical expertise. At the same time, auditors must retain a firm grasp of how accounting entries and processes are performed manually, so that they can ensure that the computer is automating the process correctly.
What is the history of ERP Systems?
The root of ERP systems began in the manufacturing industry, where software was developed during the 1960’s and 1970’s to track inventory. The first software incarnation, called Materials Requirements Planning (MRP) software, was introduced in 1975 and allowed plant managers to coordinate the planning of production and raw material requirements. MRP software worked backwards from sales forecasts, factoring in lead times and then determining the order size and timing. MRP was the first attempt at an integrated information system (Brady 20).
MRP was made possible by mainframe computers handling the basic functions through sequential file processing and electronic data interchange (EDI), which increased the availability of up-to-date information (Brady 20). With improvements in mainframe computers during the 1980’s, the idea of MRP was expanded into Manufacturing Resource Planning (MRP II) systems. Instead of using the information system to run only the manufacturing unit of a business, the goal of MRP II was to have a company’s manufacturing, engineering, marketing, and finance units run on the same information system, thus using the same set of data (Tibben-Lembke).
The first true ERP system began development in 1972 when five former IBM systems analysts formed a company that was to become Systems, Applications and Products in Data Processing (SAP). With the goal of developing standard software to integrate business processes and make data available in real time, the founders began developing a standard financial accounting package. Soon after, a Materials Management program, with modules for Purchasing, Inventory Management and Invoice Verification, followed. In 1978, SAP developed a more integrated version of its software products, called the R/2 system. R/2 took full advantage of the current mainframe computer technology, allowing for interactivity between modules and additional capabilities like order tracking (Brady 20-21).
In 1992, SAP released its R/3 system, which took four years to develop. The main feature of R/3 that distinguished it from previous ERP systems is its use of client-server hardware architecture. This setup allows the system to run on a variety of computer platforms such as Unix and Windows NT. R/3 was also designed with an open-architecture approach, allowing third-party companies to develop software that will integrate with SAP R/3 (Brady 22). During the 1990’s, ERP competition increased dramatically, with companies such as Oracle, PeopleSoft, J.D. Edwards and Baan producing such systems. Currently, SAP and Oracle are the two leading ERP system developers.
How do you Audit an ERP System?
There are few rules that can be applied to all ERP auditing situations. As each system serves the client in a different capacity and has been altered to fit the client’s business model, ERP auditors must be flexible and creative in designing an audit plan. On the same note, there are no hard rules on splitting roles and responsibilities between audit groups. Role differentiations are determined on a client-to-client basis, as a function of auditor experience, expertise and training. A common distinction is made between financial auditors and information systems auditors. However, with ERP, financial reporting, and especially internal accounting controls, must be audited working through the computer; therefore, it is important that auditors have knowledge of both accounting and technology, learning new skill sets in the process (Moulton). Specialists are also commonly hired to determine if complex technology is working correctly. The concept of an “integrated auditor,” who has enough accounting and IT knowledge to work both sides of the audit, has emerged as a workable solution to the complexities of ERP auditing (Hahn).
ERP systems are technically complex, with the system residing on multiple computers and the flexibility to support multiple configurations and customizations (Hahn). To begin understanding a client’s ERP system, auditors must evaluate how the technology relates to the business environment. To determine the scope of the audit, they must take into consideration:
- how the technology is used in the organization
- the number of people using the technology
- which ERP models have been implemented
- the existence of distributed applications
- whether legacy systems are used and to what capacity (Hahn)
Auditors must go through a significant amount of training to acquire the knowledge necessary to adequately understand the functioning of an ERP system and how it intakes data and produces financial reports. Auditors must also consider learning new tools to take advantage of functions in ERP systems. SAP’s language, ABAP/4, would be useful for an auditor to know so that he can examine the programming code when there is a question about the functioning of the system (Hahn). As another example, Oracle’s database comes with its own set of basic auditing actions designed to detect unauthorized access and internal abuse of the data being stored (Finnigan).
ERP’s have specifically influenced the auditing profession in four main ways: the interaction and flow of information, issues with data and the processing of data, controls and security of the data and the systems, and training of employees who use the ERP systems.
Interaction and the Flow of Information
With an ERP system, operational and financial data are tied together through a complex information flow. Transactions can be automatically entered without review or pre-checking. Therefore, ERP’s make it difficult to perform financial audits without relying on system controls. Such controls should be designed, in part, to prevent inaccurate or false information from entering the system. As many transactions are automated functions of modules creating information entries for other modules, it is impossible to audit “around the computer” (i.e. comparing input to output). Rather, auditing must be done “through the computer” (i.e. testing the system process that the input went through to create the output), using such methods as test decks and parallel simulation. In order to conduct a proper audit through the computer, the auditor must have a certain level of understanding about technology and how the system functions.
The ideal of a “paperless office” is facilitated through an ERP system, because the system is centralized and communicates data from a common internal source, the database. Instead of hardcopy evidence, ERP’s create event history logs for a visible trail of evidence to trace information to the original input source (Adint). These audit trails allow an auditor to both detect when an undesirable event has occurred and reconstruct what happened. At a minimum, the trails should contain the user ID, the date and time of the event, and the action taken. Other information could include previous and current field values (Adint). Auditors of ERP systems need to be cognizant of how to use these audit trails and the appropriateness of their design, because it impacts the ability to rely on system controls or the output created.
Because ERP’s are customizable and often changed by an organization’s internal programmers, auditors must pay attention to how these changes take place. The production code forms the basis of running the ERP system. To protect this valuable asset, changes in the production code should be:
- authorized by the business owner (if functional) or IT manager (if technical)
- tested thoroughly
- approved by the business owner or IT manager
- performed by an authorized person
- documented
To verify the controls of authorization and approval are valid, any change to the code should be traceable to a request. Access to the production code should be limited and traceable to the authorized individual who made changes. To check these, auditors must look for hard-copy documentation, such as change request forms, as well as documentation embedded in the code itself (Adint).
Controls and Security
It is important for any entity to segregate the duties of authorization of transactions, recording of transactions, and custody of transactions. Auditors should examine the business process flows to identify where authorization, recording, and custody of a business transaction takes place, and compare it to how the user responsibilities have been designed. Often user responsibilities are given wide-open access for the initial installation, but rarely are access restrictions introduced once the system has proven functional. Also, the auditors should check to see if the segregation of duties is accomplished with a combination of system and off-line controls. Segregation of duties should be designed into user responsibilities and functions, and documented in the business requirements stage. The auditor should determine which users were given access to what functions by examining documentation from the implementation stage (Cooke).
The same segregation rule needs to be applied to IT functions to ensure system integrity. For example, IT personnel should not have user responsibilities. This serves the purpose of segregating development and production activities. IT personnel are responsible for maintaining the production software, including the associated controls, while production data is owned by the business users and serves as a record for business activities (Adint). If these duties were not segregated, a transaction could be processed with circumvented controls compromising data integrity.
Auditors must now be aware of the logical security of data used by the ERP system. Logical security includes user ID’s and passwords. Auditors must make sure that user ID’s are unique, because unique ID’s ensure accountability and the ability to trace actions to individuals. The ability to sign on with a generic ID needs to be tightly controlled. This requires changing all the default passwords for generic ID’s that the ERP comes with and allowing few employees to know what the new password is. As an example, Oracle databases come programmed with generic ID passwords such as CHANGE_ON_INSTALL, MANAGER, and ORACLE (Adint). The problem with retaining the default passwords in prepackaged systems is that these passwords are public knowledge, and anyone who has network access can use them to gain access to the system.
Auditors also must look at corporate policy regarding application and database passwords. Passwords form the basis of logical security, and strong passwords protect the data from unauthorized access. Clear policies stress the importance of employees creating strong, complex passwords. Password policies should encompass minimum length, complexity requirements, expiration periods and lockout times. An example policy would include:
- Minimum of 8 characters
- Cannot be one of the user’s previous four passwords
- Contains at least one letter or number
- Contains at least one special character
- Not based on words found in the dictionary or on proper names
- Expires in 14 days (Adint)
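As an added example (not code from the article or its sources), the following Python check applies the example policy above, and also treats the three Oracle default passwords named in the previous paragraph as prohibited. The word lists, history hashing scheme and sample passwords are constructed for illustration.

```python
import datetime as dt
import hashlib
import string

# Constructed policy constants taken from the example policy in the text.
MIN_LENGTH = 8
HISTORY_DEPTH = 4
MAX_AGE_DAYS = 14
# Constructed sample word lists; a real check would load full dictionaries.
DICTIONARY = {"password", "welcome", "manager", "summer", "secret"}
PROPER_NAMES = {"oracle", "smith", "london"}
# Vendor defaults named in the text; any of these still in use is a finding.
KNOWN_DEFAULTS = {"change_on_install", "manager", "oracle"}

def pw_hash(password):
    """Hash used for the password history (constructed; not an ERP's own scheme)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def check_password(candidate, previous_hashes):
    """Return the list of policy rules the candidate violates (empty = compliant).

    previous_hashes is the user's history, oldest first; only the last
    HISTORY_DEPTH entries count, matching the "previous four" rule.
    """
    problems = []
    if candidate.lower() in KNOWN_DEFAULTS:
        problems.append("known vendor default password")
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if pw_hash(candidate) in previous_hashes[-HISTORY_DEPTH:]:
        problems.append("reuses one of the previous %d passwords" % HISTORY_DEPTH)
    if not any(c.isalnum() for c in candidate):
        problems.append("contains no letter or number")
    if not any(c in string.punctuation for c in candidate):
        problems.append("contains no special character")
    # "Based on" a word: compare the letters-only core against the word lists,
    # so a password like 'Welcome1!' is still caught as built on 'welcome'.
    core = "".join(c for c in candidate.lower() if c.isalpha())
    if any(word in core for word in DICTIONARY | PROPER_NAMES):
        problems.append("based on a dictionary word or proper name")
    return problems

def password_expired(last_changed, today):
    """True once the password is MAX_AGE_DAYS old or older (ISO date strings)."""
    age = dt.date.fromisoformat(today) - dt.date.fromisoformat(last_changed)
    return age.days >= MAX_AGE_DAYS

if __name__ == "__main__":
    history = [pw_hash("Summer#2023"), pw_hash("Tr0ub4dor&3")]
    for pw in ("Welcome1!", "Tr0ub4dor&3", "MANAGER", "R3d-Kett1e"):
        print(pw, check_password(pw, history) or "compliant")
    print("expired:", password_expired("2024-01-01", "2024-01-15"))
```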
A process must exist for business owners to review the user access lists, as well as who monitors day-to-day administration of controls and how often controls are reviewed (Cooke). Business owners are in the best position to determine if access to the system or an application is needed to perform an employee’s task (Adint). Restricting employee access to certain fields and windows of the ERP system prevents inappropriate changes in the data. For example, an accounts payable clerk should not be given access to the purchase order module, since access to this module is not required to perform his job. The company should also have a review process in place to identify when people have changed positions or left the company and no longer need access to the system. In order to remove the task from IT, business owners should be enabled to pull their own access report (Adint).
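An added example (not from the article or its sources) of the access-list review described in the segregation-of-duties paragraphs and the business-owner review paragraph above: it flags users holding more than one of authorize/record/custody within a transaction cycle, IT personnel holding business functions, and leavers whose accounts still carry access. The function catalogue and user list are constructed; no real ERP's role model is implied.

```python
from collections import defaultdict

# Constructed function catalogue: function -> (transaction cycle, duty).
# Duties follow the text: authorization, recording, custody.
FUNCTION_DUTIES = {
    "PO_APPROVE":     ("purchasing", "authorize"),
    "PO_ENTRY":       ("purchasing", "record"),
    "GOODS_RECEIPT":  ("purchasing", "custody"),
    "AP_RELEASE":     ("payables", "authorize"),
    "AP_INVOICE":     ("payables", "record"),
    "AP_PAYMENT_RUN": ("payables", "custody"),
    "GL_POST":        ("ledger", "record"),
}

# Constructed user access list: user -> (department, still employed, functions).
USERS = {
    "jdoe":    ("purchasing", True,  {"PO_ENTRY", "PO_APPROVE"}),
    "asmith":  ("payables",   True,  {"AP_INVOICE"}),
    "bjones":  ("payables",   False, {"AP_INVOICE", "AP_PAYMENT_RUN"}),
    "itadmin": ("it",         True,  {"GL_POST"}),
    "clerk2":  ("payables",   True,  {"AP_INVOICE", "AP_RELEASE", "AP_PAYMENT_RUN"}),
}

def sod_conflicts(users, catalogue):
    """Users holding more than one of authorize/record/custody in one cycle.

    Returns {user: {cycle: sorted list of duties held}}.
    """
    findings = {}
    for user, (_dept, _active, functions) in users.items():
        duties = defaultdict(set)
        for function in functions:
            cycle, duty = catalogue[function]
            duties[cycle].add(duty)
        clashes = {c: sorted(d) for c, d in duties.items() if len(d) > 1}
        if clashes:
            findings[user] = clashes
    return findings

def it_staff_with_user_responsibilities(users):
    """IT personnel who also hold business functions (development/production mix)."""
    return sorted(u for u, (dept, _a, fns) in users.items() if dept == "it" and fns)

def leavers_with_access(users):
    """Accounts of people no longer employed that still hold functions."""
    return sorted(u for u, (_d, active, fns) in users.items() if not active and fns)

if __name__ == "__main__":
    for user, clashes in sod_conflicts(USERS, FUNCTION_DUTIES).items():
        print("SoD conflict:", user, clashes)
    print("IT with business access:", it_staff_with_user_responsibilities(USERS))
    print("Leavers with access:", leavers_with_access(USERS))
```

The same three checks run unchanged over an exported access list once it is loaded into the USERS shape, which is how an auditor would use it for the periodic business-owner review.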
Data Processing and Data Issues
ERP systems are designed to automatically update data throughout the system once a transaction has been entered, so the implementation of an ERP system shifts the focus of an audit from substantive testing to a largely controls-based audit. Since a logical system is performing the updating and reporting, routine transactions can be checked by the presence of proper controls. If strong controls are in place, auditors can do little substantive testing when performing an audit, while instead focusing on manual and non-routine transactions, and get reasonable assurance that the financial statements are free of material misstatements.
Since ERP’s use on-line, real-time processing, information is updated simultaneously. Every transaction of every function is stored in one common database, and the various modules in an ERP system automatically create entries in the database for each other, thus creating simultaneous updates to the system that are transparent to all users (Hahn). Traditional “batch” controls and audit trails are no longer available for the auditor. Data entry accuracy is maintained through the use of default values, cross-field checking and transaction balancing rather than batch processing (Hahn).
Because the information is updated, maintained and stored electronically, auditors need to understand how the modules interact with each other and with the database. Additionally, the flow of information must be understood. Because of the high degree of automation present in ERP systems, understanding the logical flow of information that is produced will help ensure that the information is correct.
With the use of a single database, data entry is more important because an erroneous piece of information will permeate through the entire company’s records (Brady 120). ERP systems shift the burden of correctness to the front-line workers, while higher-end processes of data transfer and report creation are done automatically. Auditors must spend more time with lower-level employees to determine if those entering the data understand what they are doing, and especially what to do if a problem arises or a mistake is made. In non-integrated information systems, an error in data input is less harmful than in an ERP, because the error will not be spread to the records of other departments and can be caught when auditors compare records. However, with ERP systems there is no way to discover a mistake by checking it against another system, since everything relies on a common database.
Employee Training
ERP systems require extensive training to use. Auditors of ERP systems need to assess the business environment and how it communicates to users of the ERP the proper uses and processes of the system (Arlinghaus). Training manuals and documents should be reviewed, as well as training course outlines. The training should be designed for the end user’s job, and stress to employees how the data they control affects the entire business operation. If proficiency tests are in place, the auditor should examine the difficulty of the questions (Brady 120-121). Continual training, especially in the use of new modules and functions, should also be examined.
Auditors should also examine how the client’s management deals with the changes that ERP systems bring to the business. A company’s managers and employees will often resist ERP systems, because they require changing the way they have performed their jobs in the past. Typical ERP training costs between $10,000 and $20,000 per employee (Brady 32). Because of the high price and the lack of immediate results, many companies do not properly train employees on how to use the ERP system.