Seradex White Paper
A Discussion of Issues in the Manufacturing OrderStream
Internal Controls, Fraud Detection and ERP
Recently the SEC adopted Section 404 of the Sarbanes Oxley Act. This law requires each annual report of a company to contain:

1. A statement of management's responsibility for establishing and maintaining adequate internal controls; and
2. Management's assessment of the effectiveness of the company's internal control structure and procedures for financial reporting.
3. The company's auditor to attest to, and report on, management's assessment of the effectiveness of the company's internal controls and procedures.

Sarbanes Oxley requires that internal controls be extensively documented, and this is a significant exercise. This brief review will look at some issues that should be considered in setting up internal controls in an ERP environment.

Internal Controls: reviewing the practices, transactions, procedures and processes used to control the financial transactions and protect a company's property and assets.

This paper will examine how the internal auditor working specifically with the Seradex ERP system can implement internal controls and detect fraudulent transactions. The general approach should be applicable to most ERP systems.

What is SERADEX ERP?

Seradex is an ERP application processing data from a database. It offers flexible configuration and security options. Seradex links data in real time across the traditional business functions such as sales, production, inventory, procurement and finance.

An important point to note is that Seradex ERP is an application program, like Microsoft Excel or Word. It typically sits between the end user and a database management system (such as SQL Server) and controls the adding, changing and deleting of data in that database.

Seradex ERP is a very flexible system that is configured to meet the organization's needs and requirements. This adds to the complexity of auditing the system, because not only do you need to know how Seradex ERP works but also how your company is using Seradex.

One important characteristic of the Seradex ERP system is that user access depends on the Windows network security settings for each user and group. By setting up groups with highly detailed access parameters, users can easily be set up and added to the appropriate group, reducing security administration effort.
Seradex ERP and Internal Controls

Seradex ERP dictates that operational data and financial data are totally integrated. More people are able to enter transactions without review or checking by a supervisor. Many organizations give users very wide access to data without necessarily analyzing specific work requirements.

Note: Without careful consideration this wide access can weaken internal controls by violating the segregation of duties concept.

ERP systems change the role of middle management for transaction review and authorization. The questioning and follow-up formerly done by middle managers is commonly reduced when an ERP system is implemented.

There are several implications and considerations for the internal controls possible in Seradex ERP. These can be segregated into the following categories:

• Network Security and User Identities
• User and Group Setup
• Security authorization issues
• Use of Active Directory
• Administrative user management
• Password control
• Customer / Supplier Access User Controls
• Server, Network and Firewall controls
• Patch policy on Servers and Workstations
• System Controls
• Reconciliation of control accounts to subsidiary ledgers – Accounts Payable, Accounts Receivable, Inventory, Invoicing, Vendor Invoicing
• Reconciliations of data to external information – bank reconciliation, accounts payable statement reconciliations
• Cost centre and responsibility accounting
• Management review and budgetary control
• Review and authorization of non-routine transactions
• Validation checks
• Validation of data input in particular transactions
• Properly designed and validated reports with authority checks
• Matching of documents prior to "closing out", e.g. purchase order – receiving documentation – invoice
• Master file control
• Independent review of master file changes
• Master file creation independent of transactional responsibilities
• Identifying redundant master

Auditing for Fraud

Auditors have a responsibility to minimize opportunities for fraud by ensuring that adequate internal controls are in place. If internal controls are weak in a particular area, the next step would be to consider red flags. A red flag is an indicator that some kind of irregularity is occurring and that something may be wrong. It does not prove that fraud has occurred, but if a red flag is identified, more detailed transaction examination is required.
Identifying Red Flags

Some examples of red flags could include:

• Actual expenses far exceeding budgeted or prior years' expenses
• Expenses out of historic norms
• Significant manual entries made to asset and expense accounts
• Addresses, telephone numbers and other data that link employees to vendor master records
• Ratios that do not make sense, e.g. the ratio of overtime expenses to sales
• Unexplained price increases in material costs (kickback scheme)
• Excessive inventory quantity and cost adjustments

Manual database queries can be developed to examine the inventory audit trail, adjustment details, and phone number and address comparisons between employees and vendors, to identify further transactions for examination. All transactions in Seradex record the network user who created or changed the transaction as well as time and date stamps.

Accounts Payable in SERADEX ERP

Purchasing and accounts payable represent a major area for fraud because they result in the physical disbursement of cash to suppliers.

Seradex ERP offers excellent built-in tools to avoid fraudulent activity in the accounts payable function.

Seradex offers three-way matching between Purchase Order, Receiving and Vendor Invoicing. This is followed by check preparation. Ideally each of these transactions should be done by separate individuals to ensure segregation of duties. An invoice voucher can be printed and reviewed for each check over a threshold amount to provide additional review.

An invoice voucher can be printed for any purchase from a one-time vendor or any PO for a "Special" item. Establish procedures on when a vendor master is required. Requiring a PO offers more control than entering a miscellaneous payable directly into A/P, as more people have to be involved in the transaction. These transactions need more thorough controls and testing.

Vendor Master File changes should be a separate function from Purchasing to ensure segregation of duties.

Duplicate invoice control - the system will review invoices posted to a particular vendor code and highlight whether the current invoice is the same as a previous one.

Fraud Tests in the Accounts Payable Cycle

Some things to test for in this cycle include developing queries for identifying high risk vendors and payments:

• Transactions where the same user created the PO, Receipt and approved the Vendor Invoice
• POs where the person changing the PO is different than the person issuing the PO
• Any PO for a non-inventory item or service item that is >$XXX
• Service expenditures that don't involve an asset that has to be produced later. This includes expenditures for consulting, advertising or marketing
• Any PO to a one-time vendor that is >$XXX
• Transactions where the Vendor was created by the user issuing the PO
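The red-flag comparisons above (phone numbers and addresses that link employees to vendor master records), the duplicate invoice control, and the accounts payable fraud tests can all be expressed as database queries. The following is an added example, not Seradex's own code or schema: it loads a constructed miniature of the purchasing cycle into an in-memory SQLite database (table and column names, the sample rows and the item type codes are assumptions) and runs each test as SQL, with the paper's >$XXX threshold supplied as a parameter.

```python
import re
import sqlite3

# Assumed minimal model of the purchasing cycle; not Seradex's real schema.
SCHEMA = """
CREATE TABLE employees (emp_id TEXT, network_user TEXT, phone TEXT, address TEXT);
CREATE TABLE vendors (vendor_code TEXT, name TEXT, phone TEXT, address TEXT,
                      created_by TEXT, one_time INTEGER);
CREATE TABLE purchase_orders (po_no TEXT, vendor_code TEXT, item_type TEXT,
                              amount REAL, created_by TEXT, changed_by TEXT);
CREATE TABLE receipts (receipt_no TEXT, po_no TEXT, received_by TEXT);
CREATE TABLE vendor_invoices (inv_no TEXT, po_no TEXT, vendor_code TEXT,
                              invoice_ref TEXT, approved_by TEXT);
"""

# Constructed sample rows; every user, vendor and amount is made up.
SAMPLE_ROWS = {
    "employees": [("E1", "jsmith", "905-555-0101", "12 Elm St, Burlington"),
                  ("E2", "mlee", "905-555-0102", "7 Oak Ave, Burlington")],
    "vendors": [("V100", "Acme Steel", "905-555-0199", "1 Mill Rd, Hamilton", "admin", 0),
                ("V200", "JS Consulting", "(905) 555-0101", "12 ELM ST, BURLINGTON", "jsmith", 0),
                ("V300", "OneTime Supplies", "905-555-0333", "9 Bay St", "mlee", 1)],
    "purchase_orders": [("PO1", "V100", "INVENTORY", 12000.0, "mlee", "mlee"),
                        ("PO2", "V200", "SERVICE", 8500.0, "jsmith", "jsmith"),
                        ("PO3", "V300", "NON_INVENTORY", 2400.0, "mlee", "jsmith")],
    "receipts": [("R1", "PO1", "jsmith"), ("R2", "PO2", "jsmith")],
    "vendor_invoices": [("I1", "PO1", "V100", "INV-7781", "mlee"),
                        ("I2", "PO2", "V200", "INV-0001", "jsmith"),
                        ("I3", "PO1", "V100", "INV-7781", "mlee")],
}

# One query per test from the paper; each returns a list of identifiers to examine.
TESTS = {
    # Same user created the PO, received the goods and approved the vendor invoice.
    "same_user_po_receipt_invoice": """
        SELECT DISTINCT p.po_no FROM purchase_orders p
        JOIN receipts r ON r.po_no = p.po_no
        JOIN vendor_invoices i ON i.po_no = p.po_no
        WHERE p.created_by = r.received_by AND r.received_by = i.approved_by
        ORDER BY p.po_no""",
    # The person who last changed the PO is not the person who issued it.
    "po_changed_by_other_user": """
        SELECT po_no FROM purchase_orders WHERE changed_by <> created_by ORDER BY po_no""",
    # Non-inventory or service POs over the review threshold (the paper's $XXX).
    "service_or_non_inventory_po_over_threshold": """
        SELECT po_no FROM purchase_orders
        WHERE item_type IN ('SERVICE', 'NON_INVENTORY') AND amount > :threshold
        ORDER BY po_no""",
    # POs to one-time vendors over the same threshold.
    "one_time_vendor_po_over_threshold": """
        SELECT p.po_no FROM purchase_orders p JOIN vendors v USING (vendor_code)
        WHERE v.one_time = 1 AND p.amount > :threshold ORDER BY p.po_no""",
    # The vendor master record was created by the user who issued the PO.
    "vendor_created_by_po_issuer": """
        SELECT p.po_no FROM purchase_orders p JOIN vendors v USING (vendor_code)
        WHERE v.created_by = p.created_by ORDER BY p.po_no""",
    # Red flag: vendor phone or address matches an employee (digits/case normalised).
    "employee_vendor_contact_match": """
        SELECT DISTINCT v.vendor_code FROM vendors v JOIN employees e
        ON digits(v.phone) = digits(e.phone) OR upper(v.address) = upper(e.address)
        ORDER BY v.vendor_code""",
    # Duplicate invoice control: same invoice reference posted twice to one vendor code.
    "duplicate_vendor_invoice": """
        SELECT vendor_code || '/' || invoice_ref FROM vendor_invoices
        GROUP BY vendor_code, invoice_ref HAVING COUNT(*) > 1""",
}


def build_sample_db():
    """Create the in-memory database, load the constructed rows, register digits()."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    # Phone numbers are compared on their digits only, so formatting differences
    # such as "(905) 555-0101" versus "905-555-0101" still match.
    conn.create_function("digits", 1, lambda s: re.sub(r"\D", "", s or ""))
    return conn


def run_fraud_tests(conn, threshold):
    """Run every test and return {test name: [identifiers needing examination]}."""
    return {name: [row[0] for row in conn.execute(sql, {"threshold": threshold})]
            for name, sql in TESTS.items()}


if __name__ == "__main__":
    for name, hits in run_fraud_tests(build_sample_db(), threshold=1000.0).items():
        print(f"{name}: {hits}")
```

Each hit is a starting point for the more detailed transaction examination the paper calls for, not a finding on its own; the threshold is passed in so the same queries can be rerun with whatever review limit the company sets.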
Seradex ERP has challenged the role of internal auditors, and it requires auditors to learn new skill sets - some of which are fairly technical and involve directly accessing data in the system.

Security Authorizations

At the heart of internal control is security access to the ERP system. Defined policies on who sets users up and what groups they belong to are critical. Make sure network logs are switched on for full tracking. This allows you to check who logged on at what workstation. Queries can be developed to list all users that logged on to each workstation and at what time. Information on which workstations logged onto Seradex is easily available. These can be correlated to the time of individual transactions in Seradex ERP. These logs will also identify which data files were copied to the local workstations. Most users are not aware that these capabilities exist.

Severely limit users who are granted administrative rights and ensure users only have access to the information they require. Often a short cut is taken and the easiest answer is to give all personnel very wide access; if authorizations are set too narrow, users will require significant Help Desk resources.

Password Control

The system can enforce minimum password lengths and enforce password expiry on a regular basis.

Patch Management Policy

Document the frequency of patch updates for servers and workstations.

Data Access

In these days of DVD burners and USB keys that can hold 1 Gigabyte of data, stringent control over corporate data needs to be established. Unauthorized users could easily take customer lists, sales history, product information and pricing home in their shirt pockets.

Remote Users

Remote users accessing the system through VPN connections need to be securely authenticated.
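As an added example of the correlation described under Security Authorizations (not Seradex's code; the logon log line format, the transaction record layout and the business-hours window are all assumptions), the following pairs constructed network logon/logoff events into sessions and then checks each Seradex transaction's network user, workstation and timestamp against them, flagging transactions with no matching logon session and transactions posted outside normal hours.

```python
from datetime import datetime, time

# Assumed normal working window used for the after-hours flag.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
STAMP_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed network logon/logoff events: "<date> <time> <LOGON|LOGOFF> <user> <workstation>".
LOGON_EVENTS = """\
2024-03-04 08:02:11 LOGON jsmith WS-ACCT-01
2024-03-04 08:15:40 LOGON mlee WS-PURCH-02
2024-03-04 12:01:05 LOGOFF jsmith WS-ACCT-01
2024-03-04 17:03:22 LOGOFF mlee WS-PURCH-02
2024-03-04 22:40:00 LOGON mlee WS-ACCT-01
2024-03-04 23:10:00 LOGOFF mlee WS-ACCT-01
"""

# Constructed transaction records as the paper describes them: the network user
# who created or changed the transaction plus a time and date stamp.
TRANSACTIONS = [
    # (transaction id, type, network user, workstation, timestamp)
    ("T1", "PO_CREATE", "jsmith", "WS-ACCT-01", "2024-03-04 09:30:00"),
    ("T2", "PO_CHANGE", "jsmith", "WS-ACCT-01", "2024-03-04 14:20:00"),
    ("T3", "VENDOR_CREATE", "mlee", "WS-PURCH-02", "2024-03-04 10:05:00"),
    ("T4", "INV_APPROVE", "mlee", "WS-ACCT-01", "2024-03-04 22:55:00"),
]


def parse_sessions(text):
    """Pair each LOGON with the next LOGOFF for the same user and workstation.

    Returns a list of (user, workstation, start, end); end is None for a session
    that has not logged off yet (still treated as active).
    """
    open_sessions, sessions = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, event, user, workstation = line.split()
        stamp = datetime.strptime(f"{date} {clock}", STAMP_FORMAT)
        key = (user, workstation)
        if event == "LOGON":
            open_sessions[key] = stamp
        elif event == "LOGOFF" and key in open_sessions:
            sessions.append((user, workstation, open_sessions.pop(key), stamp))
    for (user, workstation), start in open_sessions.items():
        sessions.append((user, workstation, start, None))
    return sessions


def check_transactions(sessions, transactions, business_hours=BUSINESS_HOURS):
    """Return {transaction id: [flags]} for every transaction (empty list = clean)."""
    findings = {}
    for tx_id, _kind, user, workstation, stamp_text in transactions:
        stamp = datetime.strptime(stamp_text, STAMP_FORMAT)
        flags = []
        # Was this user logged on at this workstation when the transaction was stamped?
        covered = any(u == user and w == workstation and start <= stamp
                      and (end is None or stamp <= end)
                      for u, w, start, end in sessions)
        if not covered:
            flags.append("no_matching_logon_session")
        if not (business_hours[0] <= stamp.time() <= business_hours[1]):
            flags.append("outside_business_hours")
        findings[tx_id] = flags
    return findings


if __name__ == "__main__":
    for tx_id, flags in check_transactions(parse_sessions(LOGON_EVENTS), TRANSACTIONS).items():
        print(tx_id, flags or "ok")
```

A transaction with no covering logon session is the case the paper points at: the ERP's own user stamp says one thing, the network logs say another, and the discrepancy (shared credentials, a clock problem, or logs not switched on for that workstation) is what the auditor then has to run down.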
Seradex Inc.
4460 Harvester Rd.
Burlington, ON
L7L 4X2
Tel: 905-332-5051
mcorker@seradex.com
www.seradex.com