
Audit Considerations for your 11i implementation

Richard Byrom, Oracle Applications Consultant. UKOUG, November 2004.


Presentation Transcript


  1. Audit Considerations for your 11i implementation Richard Byrom Oracle Applications Consultant UKOUG November 2004

  2. Agenda • Objectives • Why an ERP audit? • Some common mistakes • Audit considerations • Conclusion • Questions & Answers

  3. Objectives • To highlight how Sarbanes Oxley Act of 2002 and Corporate Governance initiatives are requiring enhanced levels of internal control • To point out common audit and review errors • To outline how Oracle can assist in establishment of strong internal controls and facilitate the audit and review process

  4. Why an ERP audit? • Increased risk • Higher Levels of Regulation • Sarbanes Oxley 2002 • Increased adoption of IAS

  5. Required Action – Internal Control • Institute controls which mitigate the risks posed. The objectives of such controls should be to: • 1. Safeguard all the assets of the enterprise • 2. Ensure accurate and reliable accounting (and other) information • Validity - only valid items are allowed to enter a system (authorisation) • Completeness - all valid items are captured and entered into system (number of items) • Input accuracy - data that is entered into the system is correct (data fields)

  6. Required Action – Internal Control • Improve operational effectiveness, efficiency and security • Effectiveness - fulfils intended objective. • Efficiency - prevents unnecessary waste of resources. • Security - protection of resources from misuse or destruction. • Promote adherence to managerial policies

  7. Required Action - Guidelines • Audit and Review guidelines should be developed which provide a management-oriented framework and proactive control self-assessment specifically focused on: • Performance measurement: How well is the IT function supporting business requirements? • IT control profiling: What IT processes are important? What are the critical success factors for control? • Awareness: What are the risks of not achieving the objectives? • Benchmarking: What do others do? How can results be measured and compared?

  8. Required Action – Assess Controls • Level 1: Unreliable • Unpredictable environment where controls are not designed or in place. • Level 2: Informal • Controls are designed and in place but are not adequately documented • Controls mostly dependent on people • No formal training or communications of controls. Internal Controls Maturity Framework. Source: PricewaterhouseCoopers paper on Sarbanes Oxley Act of 2002

  9. Required Action – Assess Controls • Level 3: Standardised • Controls are designed and in place • Controls have been documented and communicated to employees. • Deviations from controls may not be detected. • Level 4: Monitored • Standardised controls with periodic testing for effective design and operation with reporting to management • Automation and tools may be used in a limited way to support controls. Internal Controls Maturity Framework. Source: PricewaterhouseCoopers paper on Sarbanes Oxley Act of 2002

  10. Required Action – Assess Controls • Level 5: Optimised • An integrated internal control framework with real-time monitoring by management with continuous improvement (Enterprise-Wide Risk Management). • Automation and tools are used to support controls and allow the organisation to make rapid changes to the controls if needed. Internal Controls Maturity Framework. Source: PricewaterhouseCoopers paper on Sarbanes Oxley Act of 2002

  11. Some Common Mistakes • Poor Planning • Lack of Focus • Competency of Auditors • Independence • Reliance on Technology for the Solution • Silo approach • Reports and Reviews not taken seriously.

  12. Audit Considerations • Who should review? • What should be reviewed? • How to effectively utilise your software

  13. Who should review • Internal Audit • External Audit • Implementation Consultants/Partners • Departmental/Functional Level Management • Senior Management • Third Party Review

  14. What should be reviewed • Hardware • Network • Software. Figure: Software Layers and Linkages. Source: Information Systems Audit and Control Association, 2003. ERP Systems review guideline.

  15. What should be reviewed • Processes • People • Implementation approach or strategy

  16. How to effectively manage your software • The Oracle Information Architecture • Efforts to meet new regulatory requirements • Global Audit and Review Capability • Modular/Detailed Audit and Review Capability

  17. The Oracle Information Architecture • Unified data model • Accessible by anyone, with any device • Global • Configurable • Open

  18. Efforts to meet new regulatory requirements. Figure: The Oracle Solution to Sarbanes-Oxley Act of 2002. Source: oracle.com

  19. The Oracle Corporate Governance Solution Set

  20. Global Audit and Review Capability – Daily Business Intelligence • Daily Business Intelligence (DBI) can be defined as a reporting framework that enables senior managers and executives to see an accurate and integrated daily summary of their business. DBI provides the technology components that enable cross-functional analysis, daily summarisation, and optimised reporting performance.

  21. Global Audit and Review Capability – Daily Business Intelligence

  22. Global Audit and Review Capability – Daily Business Intelligence • The following intelligence products utilise the daily business intelligence reporting and analysis framework to give users a cross-functional view of their business: • Contracts Intelligence • Human Resource Intelligence • Financials Intelligence • Interaction Centre Intelligence • Marketing Intelligence • Projects Intelligence • Purchasing Intelligence • Quoting Intelligence • Sales Intelligence • Supply Chain Intelligence

  23. Global Audit and Review Capability – Daily Business Intelligence

  24. Global Audit and Review Capability – Internal Controls Manager • Oracle Internal Controls Manager is a comprehensive tool for executives, controllers, internal audit departments, and public accounting firms to use to document and test internal controls and monitor ongoing compliance

  25. Global Audit and Review Capability – Internal Controls Manager

  26. Internal Controls Manager Benefits • More efficient internal control testing • Higher Certainty in your Risk Assessment • Lower external audit verification costs.

  27. More efficient internal controls testing

  28. More efficient internal controls testing

  29. More efficient internal controls • Audit Program office/project management • Risk assessment questionnaires • Confidential feedback mechanism • Reviewing reconciliation status of all subsystems • Reviewing policy compliance

  30. Higher certainty in your risk assessment • Internal audit system is part of your operational system – this ensures accurate, real time business information. • Risk library and associated controls developed by Oracle working with world leaders in Audit and Risk Assurance.

  31. Lower external audit verification costs • Internal control manager ensures internal & external auditors understand your business systems risks and associated controls, hence reducing time taken to understand the system and saving you money.

  32. Modular/Detailed audit and review capability • Modular integration • Reporting Capability • Scripts • Network Test • Audit Trail

  33. Modular Integration

  34. Reporting – on line • Two way drill • Transaction status

  35. Reporting - On line • T- accounts

  36. Reporting - on line • Activity Summaries

  37. Reporting • Web reports • Standard Reports • Transactional Data • Master Data • Roles and Responsibilities • Setup parameters at modular and system level • Sequentially numbered documents • Security Rules and Cross Validation

  38. Scripts • Oracle Diagnostics Support pack - runs detailed analysis of setup parameters. Ref Note 167000.1 per Metalink (will demo the results) • SQL Script adutconf.sql • Applications Collection Tool – Metalink note 183274.1

  39. Network Test

  40. Audit Trail • Report History

  41. Audit Trail • Record History

  42. Audit Trail • Table Audit • Sign on Audit • Monitor Users

  43. Audit Trail • Sign on audit reports • Sign on Audit Forms Report – who is navigating what form and when • Sign on Concurrent Requests Report – to view information about concurrent requests. • Sign on Audit Responsibilities Report – view who is selecting what responsibility and when • Sign on Audit Unsuccessful Logins Report – view who attempted unsuccessfully to log in to Oracle. • Sign on Audit Users Report – view who signs on and for how long.

  44. Conclusions • The risks of implementing ERP systems require special attention to mitigating controls, especially considering new regulatory requirements • Audit and review of ERP systems should be carried out by skilled professionals • The Oracle E-Business Suite functionality outlined will enable an organisation to optimise their controls and move to level 5 in the Internal Controls Maturity Framework. Internal Controls Maturity Framework. Source: PricewaterhouseCoopers paper on Sarbanes Oxley Act of 2002

  45. Q & A

  46. Speaker Information • Name: Richard Byrom • e-mail: richard.byrom@thales-is.com • richard@richardbyrom.com • Company: Thales Information Systems • Web Site: http://www.thales-is.com • http://www.richardbyrom.com • Mobile: +44-7976123106
