CONDUCTING ERP SOFTWARE AUDITS
Francis Milambo FZICA, CA (ZM) MSc Risk Management , BBAA, CISA, CFE, CIA
Head Internal Audit Department - Bayport Financial Services Zambia | Two-Time (2023 and 2024) Audit Beacon Award Recipient | 2021 ACFE Top Achiever of the Year for Africa
As organisations embrace technology at the center of their operations, so too must Internal Audit enhance their skills in order to provide assurance to Management on the governance, risk and compliance processes pertaining to Information Communication Technology. Most organisations are making use of various Enterprise Resource Planning (ERP) software (SAP, SAGE, Warehouse Expert etc.) to make operations effective, economical and efficient.
Internal Audit, as per their mandate, is expected to carry out audits of the ERP environment so as to provide the necessary assurance to management on the effectiveness of controls in the ERP environment. This article seeks to highlight some areas and procedures internal audit must focus on in conducting an ERP audit.
First and foremost, like all audits of systems, the first step Internal Audit must take is to understand the specific ERP software they are trying to audit. This entails Internal Audit understanding how the system works. This step is very important as it helps Internal Audit identify high risk areas in the system, loopholes that could be exploited and the controls in place. A good understanding of how the ERP system works is cardinal for an efficient and effective audit.
It is important to understand that ERP software can be developed internally or can be outsourced from various vendors that offer ERP software packages. Whichever way the organisation takes, it is important that Internal Audit verifies that there is justification for such a project through a robust business case that outlines the limitations of the current system (if one already exists) or the current difficulties the employees are facing in the absence of ERP software (if no ERP software already exists). The business case must also highlight the benefits of using ERP software to the organisation or the benefit of migrating from one ERP software to another, e.g. quicker processing times, bulk processing etc. Internal Audit must verify that the benefits are clearly spelt out and that they are realistic. Developing or outsourcing ERP software without a business case may lead to an organisation developing or outsourcing software they don’t really need or one that does not provide tangible benefits to the organisation.
Another important factor the Internal Auditor must verify is whether User Acceptance Tests (UAT) of the newly acquired or developed ERP software were conducted before it was taken into the production environment. This can be verified by checking that well documented User Acceptance Test results are available. Without User Acceptance Tests there is a risk that ERP system problems may not be identified and rectified at inception or that the ERP software does not address user needs.
Internal audit should also verify that the developed or acquired ERP software is compatible with the current or available hardware. Lack of compatibility may lead to a risk of ineffective and inefficient system performance (a situation where the ERP software is not operating at optimum).
In order to ensure quality of service, Internal Audit should verify that a Service Level Agreement (SLA) exists between the Organisation and the vendor so as to stipulate the agreed levels of service from the vendor which is important for vendor performance evaluation. Without a Service Level Agreement there is a risk that the organisation may not get the anticipated level of service from the vendor. It would also be difficult to take the vendor to task without agreed service level benchmarks or parameters. If a Service Level Agreement exists, it is important that Internal Audit verifies that the actual service levels are in line with the agreed service levels as per Service Level Agreement. If service levels are below those agreed in the SLA, Management must bring the matter to the attention of the vendor for discussion and rectification. It is also important for internal audit to check that management indeed monitors and reviews the performance of the vendor in reference to the Service Level Agreement. Vendor performance reports signed as evidence of review by a superior officer in the organisation could evidence monitoring and review. It is not uncommon for management to receive vendor performance reports but not review them. Internal Audit must treat matters of service levels as very important in the audit process as they ensure that the organisation gets value for money. Matters to do with system availability and incident management are some of the issues Internal Audit would expect to find in a SLA.
Internal Audit must also ensure that change management policies are in place to guide all changes that are made in the ERP environment by staff. Procedures for approving system changes must be stipulated, with approval being done by a senior officer in the organisation. Lack of change management policies may lead to the risk of staff making unauthorised and adverse system changes. It is also important to verify that all system changes were authorised and approved. Documentation to this effect would suffice. Check that the system changes made were in fact those authorised and approved and nothing beyond.
Verification of access control is another area audit must focus on. Internal Audit should verify that all user accounts created in the ERP environment are authorised and approved and that they are granted appropriate system access based on “least privilege” or a “need to know” basis. Users should only be granted the access necessary for them to perform their work. It is also important to check that user roles have sufficient segregation of duty controls. The importance of access control verification is that it helps to prevent the creation of unauthorised user accounts which may be used for illegal activity in the ERP environment. It also helps to ensure that designated roles do not give too much or too little access to users. The lack of segregation of duty controls in the ERP environment may allow some users to exploit the system for illegal activity. Internal Audit must also verify that the user rights on the approved ERP access forms are in actual fact the same as the actual user rights, permissions and privileges in the ERP environment. It is not uncommon for users to have rights, permissions and privileges on the system different from those authorised and approved.
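The reconciliation described above (approved access forms versus the rights actually held in the ERP, plus a segregation of duties check) can be scripted once the access forms and the ERP user-role export are in tabular form. The following is an added illustration and is not code from the article or from any ERP vendor: the user names, role names, conflict pairs and record layout are constructed assumptions for the example.

```python
"""Reconcile approved ERP access forms against actual ERP user rights and
flag segregation-of-duties (SoD) conflicts.

Added illustration: all data below is constructed and the role names,
conflict pairs and record formats are assumptions, not from any real ERP.
"""
from dataclasses import dataclass

# Constructed sample: rights authorised on the signed access forms.
APPROVED = {
    "jbanda": {"AP_CLERK"},
    "mphiri": {"GL_VIEW"},
    "tmwale": {"AP_CLERK", "AP_APPROVER"},  # approved, yet an SoD conflict
}

# Constructed sample: rights found in an export of the ERP user-role table.
ACTUAL = {
    "jbanda": {"AP_CLERK", "VENDOR_MASTER"},   # extra right not on the form
    "mphiri": set(),                           # fewer rights than approved
    "tmwale": {"AP_CLERK", "AP_APPROVER"},
    "ghost1": {"SUPERUSER"},                   # account with no approval at all
}

# Assumed SoD conflict pairs: one user should not hold both roles of a pair.
SOD_CONFLICTS = [
    ("AP_CLERK", "AP_APPROVER"),      # raise and approve the same invoice
    ("VENDOR_MASTER", "AP_CLERK"),    # create a vendor and pay it
]


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str   # unapproved_account | excess_right | missing_right | sod_conflict
    detail: str


def reconcile(approved, actual):
    """Compare approved rights with actual rights user by user."""
    findings = []
    for user, rights in actual.items():
        if user not in approved:
            findings.append(Finding(user, "unapproved_account", ",".join(sorted(rights))))
            continue
        for r in sorted(rights - approved[user]):
            findings.append(Finding(user, "excess_right", r))
        for r in sorted(approved[user] - rights):
            findings.append(Finding(user, "missing_right", r))
    return findings


def sod_conflicts(actual, conflicts=SOD_CONFLICTS):
    """Flag users holding both roles of any conflict pair."""
    findings = []
    for user, rights in actual.items():
        for a, b in conflicts:
            if a in rights and b in rights:
                findings.append(Finding(user, "sod_conflict", f"{a}+{b}"))
    return findings


def audit_access(approved=APPROVED, actual=ACTUAL):
    """Full access review: reconciliation findings followed by SoD findings."""
    return reconcile(approved, actual) + sod_conflicts(actual)


if __name__ == "__main__":
    for f in audit_access():
        print(f"{f.kind:20} {f.user:10} {f.detail}")
```

Note that the check runs from the ERP export towards the forms, not the other way round: an account that exists in the ERP with no form at all (the `ghost1` case) is the finding the article warns about, and it would be missed if the script only iterated over the approved forms. A user approved for a conflicting pair (`tmwale`) is still reported, since an approval does not remove the segregation of duties risk.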
Internal Audit must also carry out audits of user activity in the ERP environment by reviewing system audit history/audit logs/activity logs. Specific focus must be placed on user accounts with privileged system access such as super users. Policies and procedures must be in place to manage privileged access. Suspicious activity in the ERP environment must be investigated. It is not uncommon for those entrusted with privileged access to abuse that privilege for personal gain and illegal activity in the ERP environment.
To verify that only those allowed to access the system do in fact access it, Internal Audit must check that access to the ERP environment is protected by passwords with a defined character composition and minimum length. Audit should verify that multiple failed log-in attempts lead to user account lock-out. Prolonged inactivity on a logged-in account must lead to session expiry and prompt a fresh request for system log-in. Such verification is important to prevent unauthorised access to the ERP environment, which can lead to illegal activity in the ERP environment.
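The two log-based checks from the previous paragraphs, reviewing sensitive actions by privileged accounts and confirming that repeated failed log-ins actually produce a lock-out, can be run over an export of the ERP activity log. The following is an added illustration and is not code from the article or from any ERP product: the log format, event names, privileged user list and lock-out threshold are constructed assumptions for the example.

```python
"""Review constructed ERP activity log lines for (a) sensitive actions taken by
privileged accounts and (b) accounts that kept failing to log in past the
lock-out threshold and still logged in without the ERP ever locking them.

Added illustration: the key=value log format, event names, privileged user
list and threshold are assumptions chosen for this example, not the output
or settings of any particular ERP product.
"""
import re
from collections import defaultdict

# Constructed sample log in an assumed "timestamp key=value ..." format.
LOG = """\
2024-03-01 08:02:11 user=admin01 event=LOGIN_OK
2024-03-01 08:05:40 user=admin01 event=ROLE_ASSIGN target=jbanda role=SUPERUSER
2024-03-01 08:06:02 user=admin01 event=USER_CREATE target=tmp_vendor
2024-03-01 08:30:00 user=mphiri event=LOGIN_FAIL
2024-03-01 08:30:20 user=mphiri event=LOGIN_FAIL
2024-03-01 08:30:45 user=mphiri event=LOGIN_FAIL
2024-03-01 08:30:46 user=mphiri event=LOCKOUT
2024-03-01 09:00:00 user=jbanda event=LOGIN_FAIL
2024-03-01 09:00:15 user=jbanda event=LOGIN_FAIL
2024-03-01 09:00:30 user=jbanda event=LOGIN_FAIL
2024-03-01 09:00:45 user=jbanda event=LOGIN_FAIL
2024-03-01 09:01:00 user=jbanda event=LOGIN_OK
2024-03-01 10:00:00 user=jbanda event=INVOICE_POST amount=12000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<kv>.*)$")

PRIVILEGED = {"admin01"}                                      # assumed super-user list
SENSITIVE = {"USER_CREATE", "ROLE_ASSIGN", "CONFIG_CHANGE"}   # assumed event names


def parse(log_text):
    """Turn each log line into a dict of its timestamp and key=value fields."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        rec = {"ts": m.group("ts")}
        for token in m.group("kv").split():
            key, _, value = token.partition("=")
            rec[key] = value
        events.append(rec)
    return events


def privileged_actions(events, privileged=PRIVILEGED, sensitive=SENSITIVE):
    """Sensitive events performed by privileged accounts; each one should be
    traceable to an approved change or access request on file."""
    return [e for e in events if e["user"] in privileged and e["event"] in sensitive]


def lockout_failures(events, threshold=3):
    """Users whose run of consecutive LOGIN_FAIL events reached `threshold`
    but who then logged in successfully without a LOCKOUT in between: the
    lock-out control did not operate for them."""
    streak = defaultdict(int)
    failed_control = set()
    for e in events:
        user, ev = e["user"], e["event"]
        if ev == "LOGIN_FAIL":
            streak[user] += 1
        elif ev == "LOCKOUT":
            streak[user] = 0          # control operated as expected
        elif ev == "LOGIN_OK":
            if streak[user] >= threshold:
                failed_control.add(user)
            streak[user] = 0
    return sorted(failed_control)


if __name__ == "__main__":
    evs = parse(LOG)
    for e in privileged_actions(evs):
        print("privileged action:", e)
    print("lock-out not enforced for:", lockout_failures(evs))
```

In the constructed sample, `mphiri` fails three times and is locked out, so the control worked; `jbanda` fails four times and then logs in normally, which is the exception the auditor would raise with the ERP's security parameters. The `threshold` argument should be set to the lock-out value documented in the organisation's password policy.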
If the ERP is hosted at an offsite location under the control of the vendor (applicable to outsourced ERP software), it is important for audit to verify the availability of a data retention policy within the contract to protect the organisation in the event that the outsourcing relationship comes to an end. Losing data when the relationship with the vendor ends may be catastrophic to the organisation. It is also important for audit to verify that sufficient and timely data back-up controls are in place. The auditor must satisfy themselves that the organisation has Business Continuity and Disaster Recovery plans.
Conclusion
Conducting an ERP software audit is a robust task. Procedures may stretch wide and afar. What is important is for the auditor to understand the system and think outside the box. Technology advancements happen every day and hence the procedures and areas of focus highlighted above are not exhaustive, but they are sufficient as a guide for auditors to provide the necessary assurance expected by management.
Want an ERP Audit? Think FIVESIGHT. A futuristic Consultancy Firm.
FIVESIGHT: BEYOND FORESIGHT!!
Author:
Francis Milambo (AZICA, BBAA, FCI, CISA, CFE)
CEO FIVESIGHT BUSINESS AND RISK CONSULTANCY LIMITED
Mobile: +260963-210803 Email: [email protected]
Finance Professional | Reader |
3 years ago: This is informative, thank you!
Great insights !