ERP
What four factors have contributed to the growth of the commercial software market?
(1) low cost of general commercial software as compared to customized software; (2) industry-specific vendors who target their software to the needs of particular types of businesses; (3) a growing demand from businesses that are too small to afford in-house systems' development staff; (4) the trend toward downsizing organizational units and the move toward distributed data processing have made the commercial software option appealing to larger organizations
advantages of purchased system (5)
1. Cost - lower costs 2. quicker to implement 3. customizable through modules 4. often only option for small businesses 5. Reliable - backing of vendor who has tested and certified system
disadvantages of purchased system (3)
1. Independence - dependent on vendor 2. Need for customized system - not "fully customizable" 3. Maintenance - may be inflexible if business needs change
RBAC: within roles, users' access may be further restricted by?
1. Modules 2. Transaction w/i modules 3. Permissions w/i modules (read, write)
two approaches of access controls?
1. access control list 2. role-based access controls (RBAC)
What two general groups of ERP applications are there?
1. core applications (OLTP) 2. business analysis operations (OLAP)
RBAC key concerns?
1. creation of unnecessary roles 2. rule of least access should apply to permission assignments 3. monitor role creation and permission granting activities
Which statement below is correct? a. Only one individual can be assigned to a role and a predefined set of access permissions. b. A role is a formal technique for grouping together users according to the system resources they need to perform their assigned tasks. c. RBAC assigns specific access privileges to individuals. d. Because of the use of roles, access security concerns are essentially eliminated in the ERP environment. e. None of the above are correct.
B
Auditors of ERP systems a. need not be concerned about segregation of duties because these systems possess strong computer controls. b. focus on output controls such as independent verification to reconcile batch totals. c. are concerned that managers fail to exercise adequate care in assigning permissions. d. do not see the data warehouse as an audit or control issue at all because financial records are not stored there. e. need not review access levels granted to users because these are determined when the system is configured and never change.
C
which of the following is NOT an advantage of commercial software? a. cost b. reliability c. implementation time d. independence e. internal controls
E
an integrated software package designed to meet all (or nearly all) of an organization's information needs (NOT JUST ACCOUNTING NEEDS; INFO NEEDS)
ERP
combines all of these into a single, integrated system that accesses a single database to facilitate the sharing of information and to improve communications across the organization
ERP
includes decision support, modeling, information retrieval, ad hoc reporting/analysis, and what-if analysis
OLAP
a group of users who need access to the same resources in the ERP system in order to perform their jobs
Role
can maintain an audit trail to provide a record of violations and evidence of compliance
Role-based governance system
example of monitor role creation and permission granting activities
Role-based governance system
what is one helpful test an auditor might perform for assurance over an ERP system
Testing of controls
one of the most critical control issues in an ERP environment?
access security
a form of network topology in which a user's computer or terminal (the client) accesses the ERP programs and data via a host computer called the server
client-server model
support the day-to-day activities of the business. If these applications fail, so does the business
core applications
Policies need to be in place to prevent the creation of unnecessary new roles and to ensure that temporary role assignments are deleted when the reason for them terminates
creation of unnecessary roles
a database constructed for quick searching, retrieval, ad hoc queries, and ease of use
data warehouse
custom systems developed by full-time staff of programmers
in-house development
what is the objective of ERP
integrate key processes of the organization such as order entry, manufacturing, procurement and accounts payable, payroll, and human resources
RBAC conveniently handles?
many-to-many relationships between users and permissions and facilitates dealing efficiently with a vast number of employees
These systems can continually monitor for risk and issue alerts when violations are detected so that remedial action can be taken
monitor role creation and permission granting activities
RBAC: each user can be assigned to _________ roles
multiple
how does understanding an ERP system help auditors do their jobs more effectively?
navigate and inquire more efficiently
commercially available systems obtained from software vendors
purchased systems
A company may satisfy some of its information needs by?
purchasing commercial software and developing other systems in-house
assigns access permissions to the role an individual plays in the organization rather than directly to the individual
role based access control (RBAC)
Policies should be in place to require managers to apply due diligence in assigning permissions to roles to avoid the granting of excessive access
rule of least access should apply to permission assignments
Security weaknesses can result in?
transaction errors, irregularities, data corruption, financial statement misrepresentations
An ERP system could exist without having a data warehouse
true
what is auditor's responsibility for an ERP system?
understand system, provide recommendations