Audit considerations for your 11i implementation

1
Audit considerations for your 11i implementation
  • Richard Byrom
  • Oracle Applications Consultant
  • EOUG October 2003

2
Agenda
  • Objectives
  • Why an ERP audit?
  • Some common mistakes
  • Audit considerations
  • Conclusion
  • Questions & Answers

3
Objectives
  • To highlight how the Sarbanes-Oxley Act of 2002
    and Corporate Governance initiatives are requiring
    enhanced levels of internal control
  • To point out common audit and review errors
  • To outline how Oracle can assist in establishment
    of strong internal controls and facilitate the
    audit and review process

4
Why an ERP audit?
  • Increased risk
  • Higher Levels of Regulation
  • Sarbanes Oxley 2002
  • Increased adoption of IAS

5
Required Action - Internal Control
  • Institute controls which mitigate the risks
    posed. The objectives of such controls should be
    to -
  • 1. Safeguard all the assets of the enterprise
  • 2. Ensure accurate and reliable accounting (and
    other) information
      • Validity - only valid items are allowed to
        enter a system (authorisation)
      • Completeness - all valid items are captured
        and entered into system (number of items)
      • Input accuracy - data that is entered into the
        system is correct (data fields)

6
Required Action - Internal Control
  • Improve operational effectiveness, efficiency and
    security
      • Effectiveness - fulfils intended objective.
      • Efficiency - prevents unnecessary waste of
        resources.
      • Security - protection of resources from misuse
        or destruction.
  • Promote adherence to managerial policies

7
Required Action - Guidelines
  • Audit and Review guidelines should be developed
    which provide a management-oriented framework and
    proactive control self-assessment specifically
    focused on -
  • Performance measurement: How well is the IT
    function supporting business requirements?
  • IT control profiling: What IT processes are
    important? What are the critical success factors
    for control?
  • Awareness: What are the risks of not achieving the
    objectives?
  • Benchmarking: What do others do? How can results
    be measured and compared?

8
Required Action - Assess Controls
Internal Controls Maturity Framework (Source:
PricewaterhouseCoopers paper on Sarbanes Oxley
Act of 2002)
  • Level 1 - Unreliable
  • Unpredictable environment where controls are not
    designed or in place.
  • Level 2 - Informal
  • Controls are designed and in place but are not
    adequately documented
  • Controls mostly dependent on people
  • No formal training or communications of controls.

9
Required Action - Assess Controls
Internal Controls Maturity Framework (Source:
PricewaterhouseCoopers paper on Sarbanes Oxley
Act of 2002)
  • Level 3 - Standardised
  • Controls are designed and in place
  • Controls have been documented and communicated to
    employees.
  • Deviations from controls may not be detected.
  • Level 4 - Monitored
  • Standardised controls with periodic testing for
    effective design and operation with reporting to
    management
  • Automation and tools may be used in a limited way
    to support controls

10
Required Action - Assess Controls
Internal Controls Maturity Framework (Source:
PricewaterhouseCoopers paper on Sarbanes Oxley
Act of 2002)
  • Level 5 - Optimised
  • An integrated internal control framework with
    real-time monitoring by management with
    continuous improvement (Enterprise-Wide Risk
    Management).
  • Automation and tools are used to support controls
    and allow the organisation to make rapid changes
    to the controls if needed.

11
Some Common Mistakes
  • Poor Planning
  • Lack of Focus
  • Competency of Auditors
  • Independence
  • Reliance on Technology for the Solution
  • Silo approach
  • Reports and Reviews not taken seriously.

12
Audit Considerations
  • Who should review?
  • What should be reviewed?
  • How to effectively utilise your software

13
Who should review
  • Internal Audit
  • External Audit
  • Implementation Consultants/Partners
  • Departmental/Functional Level Management
  • Senior Management
  • Third Party Review

14
What should be reviewed
  • Hardware
  • Network
  • Software

15
What should be reviewed
  • Processes
  • People
  • Implementation approach or strategy

16
How to effectively manage your software
  • The Oracle Information Architecture
  • Efforts to meet new regulatory requirements
  • Global Audit and Review Capability
  • Modular/Detailed Audit and Review Capability

17
The Oracle Information Architecture
  • Unified data model
  • Accessible by anyone, with any device
  • Global
  • Configurable
  • Open

18
Efforts to meet new regulatory requirements
The Oracle Solution to Sarbanes-Oxley Act of
2002 (Source: oracle.com)
19
Visibility
  • Access a complete and accurate view of financial
    data for quicker reporting and meaningful
    disclosure.
  • View global enterprise information that is
    timely, relevant, consistent, and available in
    real-time.
  • Obtain a complete view of your business with
    global information from a single source of truth.

20
Control
  • Support the audit department in enforcing
    corporate compliance with documented policies and
    procedures, risk and process control management,
    visibility to business process workflow, and
    improved project management.
  • Keep your employees informed - document and track
    critical business processes, determine workflow,
    and develop and deploy applicable training to
    ensure compliance.
  • Manage and document corporate communications and
    data with an integrated suite of enterprise level
    applications that focus on managing all of the
    communications between individuals and teams, the
    content they create, as well as the information
    for supporting them.
  • Centralise and automate processes and controls
    for information consistency. Eliminate duplicate
    processes, reduce overhead, and cut costs.

21
Efficiency
  • Eliminate bottlenecks and streamline the rollout
    of new internal processes and procedures with
    self-service.
  • Reduce the risk of malfeasance and accidental
    errors by streamlining inter-user approvals and
    participation in review processes.
  • Enable efficient execution of internal audits by
    providing project team members complete
    visibility into audit data.
  • Integrate enterprise data and business processes
    based on a unified data model to support global
    compliance.

22
The Oracle Corporate Governance Solution Set
23
Global Audit and Review Capability - Daily
Business Intelligence
  • Daily Business Intelligence (DBI) can be defined
    as a reporting framework that enables senior
    managers and executives to see an accurate and
    integrated daily summary of their business. DBI
    provides the technology components that enable
    cross-functional analysis, daily summarisation,
    and optimised reporting performance.

24
Global Audit and Review Capability - Daily
Business Intelligence
25
Global Audit and Review Capability - Daily
Business Intelligence
  • The following intelligence products utilise the
    daily business intelligence reporting and
    analysis framework to give users a cross
    functional view of their business -
  • Contracts Intelligence
  • Human Resource Intelligence
  • Financials Intelligence
  • Interaction Centre Intelligence
  • Marketing Intelligence
  • Projects Intelligence
  • Purchasing Intelligence
  • Quoting Intelligence
  • Sales Intelligence
  • Supply Chain Intelligence

26
Global Audit and Review Capability - Daily
Business Intelligence
27
Global Audit and Review Capability - Internal
Controls Manager
  • Oracle Internal Controls Manager is a
    comprehensive tool for executives, controllers,
    internal audit departments, and public accounting
    firms to use to document and test internal
    controls and monitor ongoing compliance

28
Global Audit and Review Capability - Internal
Controls Manager
29
Internal Controls Manager Benefits
  • More efficient internal control testing
  • Higher Certainty in your Risk Assessment
  • Lower external audit verification costs.

30
More efficient internal controls testing
31
More efficient internal controls testing
32
More efficient internal controls
  • Audit Program office/project management
  • Risk assessment questionnaires
  • Confidential feedback mechanism
  • Reviewing reconciliation status of all subsystems
  • Reviewing policy compliance

33
Higher certainty in your risk assessment
  • Internal audit system is part of your operational
    system; this ensures accurate, real-time
    business information.
  • Risk library and associated controls developed by
    Oracle working with world leaders in Audit and
    Risk Assurance.

34
Lower external audit verification costs
  • Internal Controls Manager ensures internal and
    external auditors understand your business
    systems risks and associated controls, hence
    reducing time taken to understand the system and
    saving you money.

35
Modular/Detailed audit and review capability
  • Modular integration
  • Reporting Capability
  • Scripts
  • Network Test
  • Audit Trail

36
Modular Integration
37
Reporting - On line
  • Two way drill
  • Transaction status

38
Reporting - On line
  • T-accounts

39
Reporting - on line
  • Activity Summaries

40
Reporting
  • Web reports
  • Standard Reports
  • Transactional Data
  • Master Data
  • Roles and Responsibilities
  • Setup parameters at modular and system level
  • Sequentially numbered documents
  • Security Rules and Cross Validation

41
Scripts
  • CRM analysis tool runs detailed analysis of setup
    parameters. Ref: Note 167000.1 per Metalink (will
    demo the results)

42
Network Test
43
Audit Trail
  • Report History

44
Audit Trail
  • Record History

45
Audit Trail
  • Table Audit
  • Sign on Audit
  • Monitor Users

46
Audit Trail
  • Sign on audit reports
      • Sign on Audit Forms Report - who is navigating
        what form and when
      • Sign on Concurrent Requests Report - to view
        information about concurrent requests.
      • Sign on Audit Responsibilities Report - view
        who is selecting what responsibility and when
      • Sign on Audit Unsuccessful Logins Report - view
        who attempted unsuccessfully to log in to
        Oracle.
      • Sign on Audit Users Report - view who signs on
        and for how long.

47
Conclusions
  • The risks of implementing ERP systems require
    special attention to mitigating controls,
    especially considering new regulatory
    requirements
  • Audit and review of ERP systems should be carried
    out by skilled professionals
  • The Oracle E-Business Suite functionality
    outlined will enable an organisation to optimise
    their controls and move to level 5 in the
    Internal Controls Maturity Framework

49
Speaker Information
  • Name: Richard Byrom
  • E-mail: richard_at_rpcdata.com
  • richard_at_richardbyrom.com
  • Company: RPC Data Ltd
  • Web Site: http://www.rpcdata.com
  • http://www.richardbyrom.com
  • Mobile: 256-77983245