
Use ERP internal control exception reports to monitor and improve controls.

Publication: Management Accounting Quarterly
Publication Date: 01-MAR-09

Article Excerpt
The extensive use of enterprise resource planning (ERP) systems provides opportunities for continuous monitoring and improvement of internal control systems. This continual monitoring and improvement of internal controls, in turn, assures that management can comply with relevant sections of the Sarbanes-Oxley Act of 2002 (SOX). In this article, we will describe critical processes and systems that are necessary to monitor internal control compliance and the implications for SOX compliance. Internal controls have been integrated into accounting software systems for many years, and ERP systems have enabled monitoring of internal controls that was not possible with legacy systems. For example, ERP systems can provide control reports that highlight inappropriate segregation of duties from an enterprise-wide perspective.

The focus here will be on such newer approaches to monitoring internal control compliance--specifically, the use of control reports to monitor and improve user access controls and segregation of duties.

Control reports can be defined in many ways. Our use of control reports will refer to standard or specialized reports available in ERP systems to report authorization or user access violations. Some reports may have an enterprise-wide focus, while others may be within specific business processes, such as purchasing. For example, a report of conflicting capabilities can show users with conflicts across various business processes. A report examining a history of changes to a record for control violations would focus on a specific business process. These reports are used for several purposes. The appropriate manager or internal auditor can review such reports for internal control self-assessment and control improvement.
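The conflicting-capabilities report described above can be sketched as follows. This is an added example, not code from the article or from any ERP product; the role names, user IDs, capability names, and conflict rules are all hypothetical and constructed for illustration. It resolves each user's effective capabilities through their roles, then lists every user who holds both sides of a conflict rule, which roles grant each side, and whether the conflict spans business processes.

```python
from collections import defaultdict

# Constructed sample data; role, user and capability names are hypothetical.
ROLE_CAPABILITIES = {
    "BUYER": {("purchasing", "create_purchase_order")},
    "VENDOR_ADMIN": {("purchasing", "maintain_vendor_master")},
    "AP_CLERK": {("accounts_payable", "enter_invoice")},
    "AP_PAYER": {("accounts_payable", "release_payment")},
    "RECEIVER": {("inventory", "post_goods_receipt")},
}
USER_ROLES = {
    "asmith": {"BUYER", "RECEIVER"},
    "bjones": {"VENDOR_ADMIN", "AP_PAYER"},
    "cwong": {"AP_CLERK"},
    "dlee": {"AP_CLERK", "AP_PAYER"},
}
# Each rule names two capabilities one person should not hold together.
CONFLICT_RULES = [
    (("purchasing", "maintain_vendor_master"), ("accounts_payable", "release_payment")),
    (("purchasing", "create_purchase_order"), ("inventory", "post_goods_receipt")),
    (("accounts_payable", "enter_invoice"), ("accounts_payable", "release_payment")),
]

def effective_capabilities(user_roles, role_caps):
    """Map user -> {capability: set of roles that grant it}."""
    result = {}
    for user, roles in user_roles.items():
        granted = defaultdict(set)
        for role in roles:
            for cap in role_caps.get(role, ()):
                granted[cap].add(role)
        result[user] = granted
    return result

def conflict_report(user_roles, role_caps, rules):
    """Return one row per (user, rule) where the user holds both sides."""
    rows = []
    for user, granted in sorted(effective_capabilities(user_roles, role_caps).items()):
        for left, right in rules:
            if left in granted and right in granted:
                rows.append({
                    "user": user,
                    "capabilities": (left, right),
                    "granted_by": (sorted(granted[left]), sorted(granted[right])),
                    "scope": "cross-process" if left[0] != right[0] else "within-process",
                })
    return rows

if __name__ == "__main__":
    for row in conflict_report(USER_ROLES, ROLE_CAPABILITIES, CONFLICT_RULES):
        print(row)
```

Reporting the granting roles alongside each conflict tells the reviewer which role assignment to remove or split, rather than only that a conflict exists.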

Monitoring internal control compliance is important in ERP systems because core business processes such as purchasing, accounts payable, cost accounting, banking/treasury functions, and human resource systems are integrated into an enterprise-wide system. The ERP platforms allow companies to reduce costs, become more efficient, and respond faster to changes in the marketplace. This increased functionality, however, creates different risk profiles that, if not monitored properly, can result in control breakdowns and potentially significant losses for a company. ERP systems also push initiation or authorization of transactions to lower levels of the organization, thereby causing increased control problems. These control risks and problems must be counterbalanced by effective internal controls that should be monitored constantly to ensure organizational effectiveness, efficiency, and safeguarding of processes.

IMPORTANCE OF INTERNAL CONTROLS

Managers, accountants, and internal auditors bear responsibility for developing, monitoring, and improving internal control systems. Their responsibilities include preventing, detecting, and correcting control weaknesses and risks that may cause a failure to achieve operational and information-processing objectives. The key risks of which each of these parties must be aware as they develop and monitor internal controls include:

* The risk of fraud, particularly for systems with payment-generation capability, when a single person has ERP authorizations that allow control of two parts of a transaction. This inappropriate segregation of duties can lead to fraudulent activity.

* Noncompliance with privacy guidelines. ERP systems store enormous amounts of data, including customer, vendor, and employee data. Without proper internal control, privacy can be violated intentionally or unintentionally.

* Inappropriate disclosure of time-sensitive business data.

* Malicious or accidental damage to data. If weak internal controls allow inappropriate access to data, it is possible for data to be altered or destroyed.

* A potential loss of competitive advantage.

* The potential for incorrect management decisions to be made.

* A potential loss of business.

* Potential damage to customer or shareholder confidence, public image, and reputation.

* The possibility of incurring additional costs.

* A breach of legal, regulatory, or contractual obligations.

* The potential disruption of business activity.

To lessen these risks, internal controls should be properly established, monitored, and improved.

The use of control reports to monitor authorization or user access violations is important in continuous monitoring and improvement of internal control. As an analogy, the use of cost accounting systems with variance reports can be useful in continual monitoring and improvement of manufacturing efficiency and effectiveness. Yet such variance reports are not useful unless an underlying structure has been established with a proper accounting system to monitor costs against standards and unless management regularly reviews variance reports and uses the reports to improve manufacturing control. Likewise, control reports in an ERP system can be useful if a proper underlying structure is established and management uses the resulting control reports properly to monitor and improve internal controls.

CONTINUOUS MONITORING USING ERP EXCEPTION REPORTS

A model of continuous monitoring using ERP exception reports presents a dynamic, iterative,...
