R. M. Johri
Principal Director (Information Systems & IT Audit)
SAI INDIA
WHAT IS AN ERP?
ERPs have substantially altered the method by which administrative processes, such as
payroll, accounts payable, inventory, sales and accounts receivable, operate, are
controlled and audited.
Opportunities for personal review and clerical checking have declined as the
collection and subsequent uses of data have changed.
The changes are the result of moving from manual procedures performed by
individuals familiar with both the data and the accounting process to high-volume,
automated processes performed by individuals unfamiliar with either the data or the
accounting practices.
It is imperative, therefore, that these systems are reviewed as they are being
implemented, to ensure that adequate controls and security are designed into the ERP
system from the outset.
ERP Audit - Focus Areas
The risks in an ERP environment include both those present in a manual processing
environment and those that are unique or increased in an ERP environment. These risks
may pertain to any of the following:
Improper Use of Technology
Inability to Control Technology
Inability to Translate User Needs into Technical Requirements
Illogical Processing
Inability to React Quickly
Cascading of Errors
RISKS IN AN ERP ENVIRONMENT – contd.
Repetition of Errors
Incorrect Entry of Data
Concentration of Data
Inability to Substantiate Processing
Concentration of Responsibilities
Program Errors
Misuse by Authorized End Users
Ineffective Security Practices for the Application
INTERNAL CONTROL
Internal control systems are set up to help mitigate against the risks discussed above. The
purpose of internal control systems is to reasonably ensure that :
All assets are safeguarded against waste, loss, unauthorized use, and
misappropriation.
Assets, including software programs, data, human resources, computer facilities, etc.
are safeguarded against damage, theft, and so forth (Security).
System and data integrity is maintained (Integrity).
System availability is assured (Availability).
System controllability and auditability is maintained (Controllability and Auditability).
System maintainability is assured (Maintainability).
System usability is assured (Usability).
System economy and efficiency are maintained (Efficiency).
Key Controls Techniques
Each control objective is met by one or more control techniques. These techniques are
the ways and means by which the management controls the operations. They are varied
in nature and exist as:
Procedures and policies. For example, independent balancing, cancellation of
documents after processing, independent signing for approval of prepared source
documents, competent and trustworthy personnel, segregation of duties, mandatory
vacations and rotation of duty assignments.
Information systems design. For example, numerically pre-numbered forms, message
authentication, console logs, encryption, range and limit checks on input fields.
Physical controls. For example, combination locks for vaults, card acceptor devices for
restricted access areas.
Segregation of duties.
Indian auditing experience in ERP Audit
There is no doubt that ERP has been gaining popularity all over the world. However, its
growth in India has taken place more rapidly in the private sector than in the public or
government sector.
Still, one can find a number of public sector enterprises which have implemented
ERP. The coming slides discuss some of the audit findings of a few selected public
sector enterprises.
Indian Oil Corporation Limited
(ranks 83rd in the list of Fortune 500 companies, with a turnover of US $20 billion)
Out of 13,451 user IDs, 955 user IDs were common, i.e. used by more than one user. It
was found that common user IDs were still carrying create / change / cancel /
delete authorisations.
Finance module : Finance Module (FI) was designed for management of the processes
involved in preparation of the accounts. The FI Module has inter-linkages with all the
modules in the ERP system and consolidates all the financial information to generate
the financial statements of the Company.
The IT audit was conducted keeping in view the importance, criticality and efficacy of
the FI module in the preparation and generation of the accounts of the Company.
The deficiencies illustrated in the next slide were observed in the finance module, due to
which the reports generated from the system could not be relied upon. Persistence of
these deficiencies resulted in not meeting the regulatory requirements.
Indian Oil Corporation Ltd (Audit Observations)
GR/IR is an intermediary account used for payments against goods received. Analysis
showed that more than three lakh entries amounting to Rs. 20911.2 million were pending
clearance ranging from one to four years indicating lack of proper monitoring by the
Company.
It was observed that, though the stock balances are maintained in the system, the valuation
of stocks is done outside the system, which defeated the purpose of the ERP system.
The Company decides and assigns credit limits to various categories of customers which
are accordingly entered into the system. Analysis of data on credit limit extended to
customers showed that, there were inadequate validation checks with the credit limits
maintained in the system that resulted in overdue amount of Rs. 2948.9 million in respect of
293 customers who had exceeded their credit limit.
Each customer is allotted a unique code. However, there was more than one customer
code assigned to the same customer in 1,552 cases in the customer master.
GAIL (India) Limited (a company having
turnover of US $8 billion)
FICO module of SAP handles all the financial transactions of the Company. This
module is used for maintaining books of accounts, Asset management and
preparation of final accounts including balance sheet, profit & loss accounts, etc. Test
check of transactions, balances and reports revealed following observations on
accounts receivables, accounts payable, general ledger accounting and asset
management.
Vendor master: The Company was maintaining 44039 vendor master records.
Review of these records revealed:
(a) Purchase orders were placed on vendors with incomplete details
(b) Duplicate vendors
GAIL (India) Limited (Audit Observations)
Contd..
Missing credit master data: The Company was maintaining credit data of its
customers, which includes credit limit and actual credit extended there against. It was
seen that the credit data was not available for 5188 customers out of 9839 customers.
Out of the above, 797 customers were carrying outstanding balance of Rs.13023.7
million.
Multiple vendors with same bank account: It was seen that there were 76 vendor
records attached with 37 bank accounts; indicating risks of irregular payments.
Incorrect posting in GL accounts:
GAIL (India) Limited (Audit Observations)
Contd..
Assets carrying negative value: As per the general principles of asset accounting,
assets should not carry negative balances, since that will turn them into liabilities
rather than assets. During review of assets for the year 2008-09, it was found that some
assets were carrying negative balances.
Credit extended beyond credit limit: A review of credit management data of
customers was carried out and it was seen that the credit extended was not validated
against the respective credit limit prescribed. As a result, 307 customers, for whom the
credit limit was defined as zero, were extended credit of Rs.3080.6 million.
Payments trail in SAP: To facilitate a trail on payment cycle it is necessary that date of
vendor invoice and date of receipt of invoice are captured in the system. It was
observed that the system had not been customised to capture these dates.
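The vendor bank account and credit limit observations above can be reproduced as data-analysis queries over the master tables. The following is an added example, not part of the original presentation or of any audited system; the table layout, column names and sample rows are constructed assumptions.

```python
import sqlite3

# Constructed sample master data; table and column names are assumptions.
SCHEMA = """
CREATE TABLE vendor(vendor_id TEXT PRIMARY KEY, name TEXT, bank_account TEXT);
CREATE TABLE customer(cust_id TEXT PRIMARY KEY, credit_limit REAL, outstanding REAL);
INSERT INTO vendor VALUES
  ('V001','Alpha Traders','ACC-111'),
  ('V002','Alpha Trading Co','ACC-111'),
  ('V003','Beta Supplies','ACC-222'),
  ('V004','Gamma Works',NULL);
INSERT INTO customer VALUES
  ('C001',1000.0,400.0),    -- within limit
  ('C002',1000.0,1500.0),   -- credit extended beyond limit
  ('C003',0.0,250.0),       -- limit defined as zero, credit extended
  ('C004',NULL,900.0),      -- no credit data, balance outstanding
  ('C005',NULL,0.0);        -- no credit data, nothing outstanding
"""

def load():
    """Build the in-memory sample database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def shared_bank_accounts(db):
    """Bank accounts attached to more than one vendor record."""
    rows = db.execute(
        "SELECT bank_account, GROUP_CONCAT(vendor_id) FROM vendor "
        "WHERE bank_account IS NOT NULL "
        "GROUP BY bank_account HAVING COUNT(*) > 1")
    return {acct: sorted(ids.split(",")) for acct, ids in rows}

def credit_exceptions(db):
    """Customers with a balance that breaks a credit control, with the reason."""
    rows = db.execute(
        "SELECT cust_id, CASE "
        " WHEN credit_limit IS NULL THEN 'missing_credit_data' "
        " WHEN credit_limit = 0 THEN 'zero_limit' "
        " ELSE 'over_limit' END "
        "FROM customer WHERE outstanding > 0 "
        "AND (credit_limit IS NULL OR outstanding > credit_limit)")
    return dict(rows)

if __name__ == "__main__":
    db = load()
    print(shared_bank_accounts(db))
    print(credit_exceptions(db))
```

Run periodically against the live master tables, the same two queries give the monitoring that a missing input validation would otherwise have provided at entry time.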
Bharat Sanchar Nigam Limited introduced SAP R/3 version 4.7 in Gujarat Telecom
Circle (GTC). The SAP-ERP server is installed at ERP Data Centre at Ahmedabad and
LAN (Local Area Network) / WAN (Wide Area Network) were used for connecting R/3
environment to the nodes at Secondary Switching Areas (SSAs). The work of
implementation of ERP in GTC was awarded to Siemens Information Systems Limited
(SISL), Mumbai at a cost of Rs. 201.4 million.
The objectives of implementation of ERP were to:
(i) Improve the information flow to facilitate better decision making leading to overall
improvement in the performance of the organisation by way of improvements in
productivity, cycle time, financial performance and information transparency,
(ii) Convert GTC into a paperless working environment and
(iii) Reduce manpower requirement.
Bharat Sanchar Nigam Limited (Audit
Observations)
However, it was observed that the desired objectives did not accrue to the Company
due to following:
Implementation of ERP without finalization of Business Process Re-engineering (BPR)
No interface with the telephone revenue billing packages
Non-digitisation of service details and records
Declaration of ‘Go Live’ status even before achieving online status in various modules
Improper customisation and mapping of rules on delegation of financial powers
Lack of effective monitoring of functioning of ERP
Bharat Electronics Limited (a company
with a turnover of US $1 billion)
The Company entered into an agreement (December 2004) with SAP INDIA SYSTEMS
at a fee of Rs.38.7 million for Enterprise Resource Planning (ERP) software and with
WIPRO for implementation of ERP at a total contract price of Rs.56.5 million.
The system is based on 3-tier architecture (R/3). Application is centrally run in servers
at Information System–Corporate Office {IS (CO)}. Clients are connected to the server
through Local Area Network for Bangalore Complex and through Wide Area Network
for units outside Bangalore.
Audit conducted a general review of the acquisition, implementation and utilisation of
ERP system.
Bharat Electronics Limited - Audit
Observations
System design/customisation deficiencies:
(i) The system was configured to value the inventory at different rates with reference to
corresponding sale orders. This led to valuation of inventory against the Company’s
accounting policy.
(ii) Lack of relational integrity was observed between the materials shown under work in
progress (WIP) in material management module and the corresponding status of the
material in the production planning module.
(iii) The system was not designed to adjust the advance payment made immediately on
receipt of material. This resulted in overlapping of accounting entries of both debiting
and crediting inventory account and wrong depiction of accounting status of
payment as advances.
Bharat Electronics Limited – Audit
Observations
The absence of referential integrity between sale order and production order resulted in data
inconsistency, incorrect valuation of raw material and manual intervention. This increased the
risk of incorrect data being processed and accounted, as illustrated below:
The value of the raw materials differed among account schedules, purchase price, store
ledger and pricing entry.
The status of material worth Rs.10.2 million was shown as ‘finished goods’ as on 31 March
2008 even though the materials had been sold in March 2007.
Test check of major completed sale orders revealed that out of six sale orders selected,
against three sale orders the production orders were not closed (May 2008). Hence, these
were still shown under WIP and manual entries were resorted to effect value reduction
(Rs.23.6 million) in WIP as at 31 March 2008.
Out of 3702 production orders reviewed, 177 were created without linking to any authorised
orders.
Bharat Electronics Limited – Audit
Observations
Absence of uniform pattern for coding of material built into the system resulted in
inconsistent material codes in the system.
Incomplete capturing of details in columns like profit centre, purchasing group etc.,
affected the cost allocation.
The non-incorporation of data in respect of net value, material code, vendor code
and quantity etc. affected allocation of cost and the accounts of the units.
The system was designed to block duplicate entries of vendors. However,
inconsistency in pattern of data entry led to duplicate vendor codes, which led to risk
of inconsistent order placements and deficient payment tracking for the vendors.
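Two of the observations above lend themselves to simple audit tests: an exact-match duplicate block is defeated by inconsistent data entry, and production orders can exist without a valid parent order. The following is an added example, not part of the original presentation or of the audited system; the record layouts, sample values and normalisation rules are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records; codes, names and order numbers are assumptions.
VENDORS = [
    ("100001", "M/s. Shakti Electronics Pvt. Ltd."),
    ("100002", "SHAKTI ELECTRONICS PRIVATE LIMITED"),
    ("100003", "Shakti  Electronics (P) Ltd"),
    ("100004", "Navin Metals Ltd"),
]
SALE_ORDERS = {"SO-01", "SO-02"}
PRODUCTION_ORDERS = [("PO-1", "SO-01"), ("PO-2", None), ("PO-3", "SO-09")]

# Spelling variants of legal forms folded to one token before comparison.
ALIASES = {"private": "pvt", "p": "pvt", "limited": "ltd", "company": "co"}

def name_key(name):
    """Reduce a vendor name to a key that ignores case, punctuation,
    spacing, a leading 'M/s' and common legal-form spellings."""
    text = re.sub(r"^\s*(m/s|messrs)\.?\s*", "", name.lower())
    tokens = re.findall(r"[a-z0-9]+", text)
    return " ".join(ALIASES.get(t, t) for t in tokens)

def duplicate_vendor_groups(vendors):
    """Groups of vendor codes whose names collapse to the same key.
    An exact-match check on the raw name would pass all of these."""
    groups = defaultdict(list)
    for code, name in vendors:
        groups[name_key(name)].append(code)
    return sorted(codes for codes in groups.values() if len(codes) > 1)

def unlinked_production_orders(orders, sale_orders):
    """Production orders with no sale order, or one that does not exist."""
    return [po for po, so in orders if so not in sale_orders]

if __name__ == "__main__":
    print(duplicate_vendor_groups(VENDORS))
    print(unlinked_production_orders(PRODUCTION_ORDERS, SALE_ORDERS))
```

The name key produces candidates for manual review, not confirmed duplicates; matching on a second attribute such as tax registration or bank account narrows the list.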
Konkan Railway Corporation Limited (a
company having turnover of US $32 million)
KRCL developed an ERP system known as RAP containing seventeen modules which
was developed by Tata Infotech Limited (TIL) in 1995 and implemented in 2001.
The main objectives of RAP were to increase the efficiency in various financial and
operational functions of the organisation and timely generation of various MIS reports
to aid the Board of Directors of the Company in decision making.
During 2004, KRCL decided to re-engineer the RAP system into a Java-based system known as
JRAP.
KRCL - System Design Deficiency
The system was not designed to calculate rates as a percentage above or below the
accepted tender rates. This resulted in not only duplication of work but full
dependence on manual controls.
The system did not exhibit the opening balance of the ledger resulting in this being
incorporated through manual intervention to prepare Trial balance.
After creation of the master database, the system did not display relevant pop-ups at
the time of entering the data which was required to ensure data integrity. This led to
multiple party codes for the same party, in respect of supply contract, works contract
and miscellaneous contracts.
KRCL - Audit Observations
The JRAP-FA module is the back bone of ERP System. Considering the significance of the
financial and accounting module and its linkages with other modules, the working of JRAP-FA
Module was audited and it was observed that:
Critical activities had not been envisaged during system development and consequently
certain activities that were part of the user’s requirement had not been designed/
developed;
Certain activities were designed/developed but with deficiencies;
The linkages and interfaces of FA module with other modules were yet to be implemented
(September 2007);
The validation checks were inadequate, critical changes in business rules were not
incorporated/updated; and
The business continuity and disaster recovery system were deficient.
KRCL - Critical requirements not envisaged
The system was not envisaged to generate region wise trial balances although separate regional
cost centres were maintained. Thus, the system could not monitor and evaluate performance of
different regions.
Simple functions like calculation of tax deducted at source, sales tax, other taxes, etc. were not
envisaged to be performed through the system. Thus, recovery/short recovery of the above
items had to be calculated and monitored manually.
The system was not envisaged to capture the accounting period to which the bills related.
Thus, important information like outstanding liabilities and prepaid expenses of the respective
accounting period could not be generated. For example, a contractor’s/supplier’s bill which
related to the accounting period 2006-07 could be accounted for in 2007-08 and vice versa;
prepaid insurance for the period 2007-08 could be booked as expenditure in 2006-07.
Critical information relating to contracts such as, date of completion, number of extensions,
penalty waived, interest levied/waived for delayed completion/supply were not envisaged to
be captured to enable the system based monitoring and evaluation of the execution of
contracts.
Thank You