Embedded Audit Modules in ERP Systems Implementation and Functionality

Roger Debreceny, Glen Gray, Joeson Jun-Jin Ng, Kevin Siow-Ping Lee, Woon-Foong Yau

Presented at the Fifth Continuous Assurance Symposium, Rutgers University, November 2002


Transcript of Embedded Audit Modules in ERP Systems Implementation and Functionality

Page 1: Embedded Audit Modules in ERP Systems Implementation  and  Functionality

Embedded Audit Modules in ERP Systems
Implementation and Functionality

Roger Debreceny, Glen Gray, Joeson Jun-Jin Ng, Kevin Siow-Ping Lee, Woon-Foong Yau

Presented at the Fifth Continuous Assurance Symposium, Rutgers University, November 2002

Page 2: Embedded Audit Modules in ERP Systems Implementation  and  Functionality

In this Presentation

Background and Research Questions
EAM scenarios
Testing environment
Results
Future research and limitations

Page 3: Embedded Audit Modules in ERP Systems Implementation  and  Functionality

ERP Systems

Enterprise Resource Planning Systems are the carrier battle group of the enterprise information systems
Average ERP system costs $11.5m and takes 19 months to implement
Foundation on a single or federated DBMS

Page 4: Embedded Audit Modules in ERP Systems Implementation  and  Functionality

Embedded Audit Modules

“Modules placed at predetermined points to gather information about transactions or events within the system that auditors deem to be material.” Weber (1999)
Implemented in the DBMS environment as triggers or stored procedures
EAMs as compliance-testing or substantive testing tools
Very little evidence of actual usage

Page 5: Embedded Audit Modules in ERP Systems Implementation  and  Functionality

Research Questions

What functionality is provided by pre-existing EAMs or other monitoring technology to support appositely designed triggers and stored procedures within ERP systems?
What coverage of transactions is readily provided within the ERP database environment?
What are the barriers to adoption of EAMs in the ERP environment?

Page 6: Embedded Audit Modules in ERP Systems Implementation  and  Functionality

Methodology

Develop EAM scenarios
• Fraud prevention and detection
Develop sample of ERP providers
• Medium to large size corporations
Provide scenarios to ERP providers
Code solution
Review in f2f interviews

Page 7: Embedded Audit Modules in ERP Systems Implementation  and  Functionality

EAM Scenarios

Nine-step EAM implementation process of Groomer and Murthy (1989) followed
Audit objectives relate to POB’s Forensic Fieldwork Phase
Five test alert scenarios were designed
• Red flag
• Simulated fraud scenario
• Identify triggers or stored procedures
• Develop pseudocodes
Pass to ERP supplier for implementation and review
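
The slides describe EAMs as DBMS triggers that fire on a red-flag condition. The following added example (not code from the presentation or from any surveyed ERP product) shows that pattern in SQLite driven from Python. The tables, the 10000 approval limit, the two red-flag rules and the sample rows are all constructed assumptions.

```python
import sqlite3

# Constructed schema and red-flag rules (assumptions for illustration only).
SCHEMA = """
CREATE TABLE vendor  (id INTEGER PRIMARY KEY, name TEXT, created_by TEXT);
CREATE TABLE payment (id INTEGER PRIMARY KEY, vendor_id INTEGER,
                      amount REAL, entered_by TEXT);
CREATE TABLE eam_alert (payment_id INTEGER, rule TEXT,
                        raised_at TEXT DEFAULT CURRENT_TIMESTAMP);

-- Red flag 1: payment above a hypothetical approval limit of 10000.
CREATE TRIGGER eam_over_limit AFTER INSERT ON payment
WHEN NEW.amount > 10000
BEGIN
  INSERT INTO eam_alert (payment_id, rule)
  VALUES (NEW.id, 'OVER_APPROVAL_LIMIT');
END;

-- Red flag 2: the user entering the payment also created the vendor.
CREATE TRIGGER eam_same_user AFTER INSERT ON payment
BEGIN
  INSERT INTO eam_alert (payment_id, rule)
  SELECT NEW.id, 'VENDOR_CREATOR_IS_PAYER' FROM vendor v
  WHERE v.id = NEW.vendor_id AND v.created_by = NEW.entered_by;
END;

-- The alert log is audit evidence: reject deletes and updates.
CREATE TRIGGER eam_alert_no_delete BEFORE DELETE ON eam_alert
BEGIN SELECT RAISE(ABORT, 'eam_alert is append-only'); END;
CREATE TRIGGER eam_alert_no_update BEFORE UPDATE ON eam_alert
BEGIN SELECT RAISE(ABORT, 'eam_alert is append-only'); END;
"""

def run_scenario():
    """Load constructed vendors and payments; return (conn, alerts raised)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO vendor VALUES (?,?,?)",
                     [(1, "Acme Supplies", "alice"), (2, "Shell Co", "mallory")])
    conn.executemany("INSERT INTO payment VALUES (?,?,?,?)",
                     [(1, 1, 2500.0, "bob"),       # no rule matches
                      (2, 1, 18000.0, "bob"),      # above the limit
                      (3, 2, 900.0, "mallory")])   # payer created the vendor
    rows = conn.execute("SELECT payment_id, rule FROM eam_alert "
                        "ORDER BY payment_id").fetchall()
    return conn, rows

def alert_log_is_append_only(conn):
    """True if deleting rows from the alert log is rejected by the trigger."""
    try:
        conn.execute("DELETE FROM eam_alert")
    except sqlite3.DatabaseError:
        return True
    return False
```

The append-only triggers only stop ordinary DML; anyone with rights to drop triggers or tables can still remove the log, so a production DBMS would also need privilege separation between ERP users and the audit schema.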

Page 8: Embedded Audit Modules in ERP Systems Implementation  and  Functionality

Sampled ERP Suppliers

Frontstep
Scala
Industrial & Financial Solutions-IFS
Intentia
Oracle
SAP

Page 9: Embedded Audit Modules in ERP Systems Implementation  and  Functionality

Results-Frontstep

Use Frontstep’s field triggers scripted in PROGRESS
Data from field trigger written to a file
Data analyzed and distributed using SQL & ASP
Also use Cognos’ Decision Stream for data warehouse
Analysis
• Limited support
• Tough

Page 10: Embedded Audit Modules in ERP Systems Implementation  and  Functionality

Results-Scala

Either script in MS VBA or MS Office
Analysis:
• No support for EAM
• Tough

Page 11: Embedded Audit Modules in ERP Systems Implementation  and  Functionality

Results-Industrial & Financial Solutions-IFS

IFS uses an object, component approach
EAM can be simulated using combination of Java and SQL
Analysis
• Feasible with support for querying, timing and knowledge distribution
• Tough

Page 12: Embedded Audit Modules in ERP Systems Implementation  and  Functionality

Results-Intentia

Intentia’s Movex ERP product has predefined alerts related to major business cycles
Support for new alerts in script manager
Analysis
• Intentia has comprehensive alert system
• >100 predefined user-defined alerts
• Support for both triggers and stored procedures
• Good script manager

Page 13: Embedded Audit Modules in ERP Systems Implementation  and  Functionality

Results-Oracle

Provides an Alert Manager
• Complete an alert definition form
• Alert can include OS command queue or SQL script
• Can define actions on alert firing
Analysis
• Alert Manager provides most of the required functionality of an EAM

Page 14: Embedded Audit Modules in ERP Systems Implementation  and  Functionality

Results-SAP

Require writing of an Advanced Business Application Programming (ABAP) script
Subsequently embedding the script within the database.
Analysis
• Require expert knowledge of
    ABAP programming
    Client’s database structure

Page 15: Embedded Audit Modules in ERP Systems Implementation  and  Functionality

Conclusions

Highly variable support for EAMs within surveyed ERP systems
Barriers to adoption
• Extensive knowledge set required to program EAM
Barriers to deployment
• Lack of demand
• Difficulty in defining the conditions for firing EAMs

Page 16: Embedded Audit Modules in ERP Systems Implementation  and  Functionality

Future Research Agenda

Relationship of EAMs to wider assurance objectives
More work required on conditions for EAMs
• Were scenarios realistic?
Relationship between EAMs and Business Intelligence/Data Warehouse systems?
Demand for EAMs?
