Evaluating IT General Controls for an ERP System Integration

Implementing an Enterprise Resource Planning (ERP) system is a complex endeavor with far-reaching implications for a company’s operations. Throughout implementation and beyond, the company needs to verify that robust controls are in place to maintain financial and operational integrity, safeguard data, and ensure compliance.

When implementing a new ERP system, a comprehensive review of controls should be completed. This review should cover three primary areas: business process controls, application controls and Information Technology (IT) general controls. The evaluation of business process controls should include identification of changes to processes as a result of the implementation that may require implementation of additional controls or control modifications, as well as the evaluation of current controls to determine whether they are still relevant to the updated process. With the implementation of a new ERP system, application controls built into the system should be evaluated, as the automated controls may offer greater safeguards for the organization while also increasing efficiency within the process. IT general controls should also be evaluated to verify that the implementation of the ERP system is following established change management controls and that additional controls, such as data security and system access, are applied to the new system during implementation and beyond.

This article will focus on the evaluation of IT general controls. Business process controls and application controls will be addressed in future articles.

When looking specifically at IT general controls, the following topics should be considered as a part of the ERP implementation. Not every implementation will require all of the following actions to be taken; however, each of these areas should be evaluated to determine which apply to the environment prior to implementation.

Access Controls:

  • User Roles and Permissions: Define user roles and assign appropriate permissions to restrict access to sensitive data and functionality within the ERP system
  • Segregation of Duties: Verify that no single user has too much control or access over critical processes
    • Business users should have proper segregation of duties to prevent fraud and errors (e.g. authorization and approval; custody of assets; recording transactions; reconciliation and control activities)
    • IT users should have proper segregation of duties to prevent unauthorized or inappropriate changes as well as inappropriate access to the system
  • System Authentication: Provide each user with unique credentials in order to securely authenticate to the system

Change Management:

  • Change Approval Workflow: Require approvals and documentation for any changes made to system configurations or data
  • Data Conversion Testing: Conduct testing to verify that data transfers from legacy systems are complete and accurate
  • User Acceptance Testing: Verify that all system functionality and data is performing as expected during user acceptance
  • System Interface Testing: Conduct testing to verify that data transmissions interfacing with other systems are complete, accurate and valid

Data Security:

  • Data Encryption: Use encryption to protect data in transit and at rest to prevent unauthorized access
  • Data Backup and Recovery: Implement regular data backups and a disaster recovery plan to verify data availability in case of system failures
  • User Access Review: Review and approve user access prior to go-live to confirm that roles are appropriate to business needs and that proper segregation of duties is maintained
  • Final Approval: Approval to move to production is granted by key business and IT stakeholders

Logging and Monitoring:

  • Activity Logging: Management should evaluate logging capabilities and decide which logs to enable prior to go-live and which logs to use after implementation is complete. Risk assessment and regulatory compliance requirements should drive which user activities are logged and prioritized within the ERP system, creating an audit trail for monitoring and investigation
  • Change Logs: Maintain detailed logs of changes to the ERP system for auditing and tracking purposes
  • Review and Analysis: Regularly review audit logs to detect unusual or unauthorized activities

Data Validation and Accuracy:

  • Data Validation Rules: Implement data validation rules to confirm that data entered into the system is accurate and meets predefined criteria

Compliance:

  • Regulatory Compliance: Verify that the ERP system and related processes comply with industry regulations and legal requirements
  • Internal Policy Compliance: Verify that the ERP system aligns with the organization’s internal policies and procedures

Testing of the above controls may be achieved through multiple different methods. Process walkthroughs may be utilized to understand the control environment and the design effectiveness of controls. Inspection of a selection of transactions may be used to evidence control execution and operating effectiveness. A review of implementation documentation or interviews of key personnel involved in the implementation may provide deeper understanding of the implementation project and steps taken to ensure accuracy.

A thorough evaluation of IT general controls, tailored to the unique needs of the organization, is key to unlocking the ERP system’s full potential upon implementation. Designing IT controls while implementing an ERP system is not just a prudent measure; it is a critical aspect of ensuring the success and sustainability of the entire process. By carefully defining and implementing controls, organizations can mitigate risks, streamline operations, and maintain data integrity.


External Auditor Focus on User Access Reviews

Do you ever feel like just when you think you know what your external Sarbanes-Oxley (SOX) auditor is looking for, they change things? It has been happening since the inception of SOX. Just when management is getting comfortable with performing and documenting their controls, it seems like there is another obstacle to overcome.

A recent change we are seeing from some external auditors is an increased focus on user access reviews. External auditors are looking for documentation around system roles and permissions, training conducted for reviewers and documented analyses or risk assessments justifying why each role and associated permission is included or excluded from a review. In addition, some external auditors are performing interviews of a sample of reviewers to verify that reviewers fully understand the expectations of their review as well as their understanding of each role and associated permissions for the system access they review. There is also increased scrutiny on the completeness and accuracy of the user listing generated for the review. External auditors are documenting new deficiencies around user access reviews that have not been seen in the past, when nothing has changed in management’s process from previous years.

The trigger for the increased focus on user access reviews by external auditors is likely feedback that external audit firms have received from Public Company Accounting Oversight Board (PCAOB) inspections. The PCAOB is the organization that regulates audits of publicly traded companies. Registered public accounting firms undergo PCAOB inspections on an annual basis and once the inspection is completed, firms often communicate the high-level findings internally to ensure their staff are knowledgeable about the issues and focused on implementing procedures to mitigate the risks associated with the PCAOB findings. Each firm’s inspection has different results and, therefore, each firm can have different areas of focus each year.

We can expect further changes from external auditors in the future. Initially these changes can seem burdensome but with collaboration between management, internal audit, and external audit, companies can prepare for the changes and have successful audits.

#ITGCtesting #Useraccessreviews #UAR


SOX Scope: IT Tools

In the ever-evolving landscape of information technology and Sarbanes-Oxley Act (SOX) compliance, IT tools are receiving more attention and are increasingly being included in the scope of SOX audits by external auditors. It is now critical for management and internal audit to understand which IT tools are being used and how, in order to evaluate the impact on SOX scoping. Once a tool is in scope for SOX, the next step is to determine the appropriate level of SOX testing based on the level of risk.

Traditionally, the scope for SOX IT General Control (ITGC) testing has been defined through risk assessment procedures that consider whether a system captures data that could impact financial reporting. Recently, external audit risk assessment procedures are being expanded to evaluate tools used to support ITGCs. Management and internal auditors should take inventory of the tools used in their IT environment and meet with the IT stakeholders to understand each tool’s purpose and how the company is using the tool.

Once the tools are identified and understood, the auditor needs to assess the role of the tool and determine whether it has an impact on the accuracy, completeness or integrity of financial data. Any tools that play a critical role in these aspects should be included in the SOX ITGC scope. Tools to consider for scoping include those used to manage user access to financial systems, manage changes to IT systems, monitor system and user activity, and generate audit trails.

Specific tools and how they are used may vary from one organization to the next based on their unique processes and technologies in use. If a ticketing system is used only to track requests for support, it may not be in scope; however, if a ticketing system has an automated workflow to approve requests for access or program changes, it may be considered in scope.

For in-scope tools, management and internal audit should evaluate the level of risk associated with the tool. Based on the level of risk, management and internal audit may choose to apply all ITGCs to the tool or limited controls based on how the tool is being used and what controls would be sufficient to mitigate the risk to financial reporting.

The trigger for the increased focus on IT tools by external auditors is likely feedback that external audit firms have received from Public Company Accounting Oversight Board (PCAOB) inspections. The PCAOB is the organization that regulates audits of publicly traded companies. Registered public accounting firms undergo PCAOB inspections on an annual basis and once the inspection is completed, firms often communicate the high-level findings internally to ensure their staff are knowledgeable about the issues and focused on implementing procedures to mitigate the risks associated with the PCAOB findings. Each firm’s inspection has different results and, therefore, each firm can have different areas of focus each year.

Collaboration between management, internal audit and external audit can help in defining the appropriate scope and approach to testing and lead to successful audits.

#tools #ITGC #SOXscope #riskassessment #ITGCtesting