AUDITING IN ERP ENVIRONMENT INTRODUCTION Enterprise Resource Planning (ERP) System implementation is both an art and science that consists of planning, implementation, and ongoing maintenance. This methodology is designed to automate the drudgery of implementation and provide organized approaches to problem solving by listing, diagramming, and documenting all steps. Structured methodologies help to standardize and systemize ERP implementation and maintenance by approaching them as an engineering discipline rather than as whims of individual software developers. It is essential to understand structured methodologies in the implementation of ERP systems. The basic steps of structured methodologies are: • Project Definition and Requirement Analysis. Defining the terms of reference, determining user needs and system constraints, generating a functional specification and a logical model for the best solutions. • External Design. Detailing the design for a selected solution, including diagrams relating all programs, subroutines, and data flow. • Internal Design. Building, testing, installing, and tuning software. • Pre-implementation. Evaluation and acceptance • Implementation. Implementing systems. • Post-implementation. Evaluation of controls and debugging. When an organization purchases an ERP system, the intent is that the purchased ERP system provides specific functions and benefits. These functions and benefits need to be articulated to ensure that the ERP system performs as desired. This process is called conducting a feasibility analysis. The purpose of the feasibility study is to provide: • • • • • • • • An analysis of the objectives, requirements, and system concepts. An evaluation of different approaches for reasonably achieving the objectives. Identification of a proposed approach. The feasibility analysis normally covers: Current working practices. These are examined in depth, revealing areas in the business where there is duplication of effort, or where procedures instituted in the distant past are carried out even though there is no longer any need for them. Channels of information. These are examined because the feasibility study is concerned primarily with the input and output information of each internal system. Such a study ignores departmental boundaries and prejudices. When the true information patterns within a business are exposed, it is often possible to reorganize resources so that all relevant data is captured at the point where it can be used for decision. Alternative approaches. Alternative methods of handling or presenting the data should be considered. Cost factors. These must be clearly identified and show definite cost savings or related benefits. Existing costs must be examined and used as a basis for comparison. Since this presentation is likely to be related to the information structure rather than to the departmental organization, the new approach may suggest possible improvements that were hidden under the existing system. Supporting services offered. The training and the systems and programming assistance that will be available during the installation period. Page 1 of 39 AUDITING IN ERP ENVIRONMENT • Range compatibility. If the workload expands, can the configuration be increased in power without extensive reprogramming? Audit Objectives in an ERP Environment The fundamental objectives of an audit of controls do not change in an ERP environment. When evaluating controls over ERP systems, decisions must be made regarding the relevance of operational internal control procedures to Information Technology (IT) controls. Specific control procedures for audit objectives must be tested. Descriptive material on control procedures and sample compliance tests will be provided. This material will be as detailed as possible and should be read selectively, considering its relevance to the specific environment being audited. In addition to primary audit responsibilities, auditors should be able to provide advice on effective design of control procedures. Audit should communicate significant weaknesses that come to their attention to the appropriate IT personnel. Auditors should also be alert to weaknesses that require special reviews and be capable of assessing computer systems under development, in addition to the existing systems. ERP SYSTEM ARCHITECTURE ERP systems should produce accurate, complete, and authorized information that is supportable and timely. In a computing environment, this is accomplished by a combination of controls in the ERP System, and controls in the environment in which the ERP system operates, including its operating system. Controls are divided into general and application controls. General controls can be further divided into management and environmental controls. Management controls deal with organizations, policies, procedures, planning, and so on. Environmental controls are the operational controls administered through the computer center/computer operations group and the built-in operating system controls. ERP System Architecture Page 2 of 39 AUDITING IN ERP ENVIRONMENT NEED FOR AN ERP RISK ASSESSMENT ERPs have substantially altered the method by which administrative processes, such as payroll, accounts payable, inventory, sales and accounts receivable, operate, are controlled and audited. Opportunities for personal review and clerical checking have declined as the collection and subsequent uses of data have changed. The changes are the result of moving from manual procedures performed by individuals familiar with both the data and the accounting process; to high volume, automated processes performed by individuals unfamiliar with either the data or the accounting practices. Information Technology has substantially reduced the time available for the review of transactions before their entry into the automated system’s records. In poorly controlled systems the opportunity for discovering errors or fraud before they have an impact on operations is reduced, especially in the case of real time, distributed, and database systems. The radical growth of these system configurations (or architectures) has increased the importance of both automated and manual internal control/security procedures. It is imperative, therefore, that these systems are reviewed, as they are being implemented; to ensure that adequate controls and security are designed into the ERP system from the outset. IMPLEMENTATION VERSUS OPERATIONAL AUDIT Auditing in an ERP environment can be divided into two broad areas. First is the audit of ERP systems under implementation and second is the audit of operational ERP systems. These two types of audits require significantly different approaches. In an implementation (vanilla or otherwise) of an ERP system, there is no operational system or output data. The auditor evaluates controls without the benefit of observing processing results. In an implementation audit, the auditor is concerned with ensuring that the implementation procedures and standards have been properly followed. The audit of operational ERP systems evaluates the results of the automated processes. It is normally a data-oriented audit, looking at processed transactions. The adequacy and effectiveness of the system controls can be evaluated by examining the results of operation (i.e., did the application produce the anticipated outcome). The operational audits can identify vulnerabilities, but these are costly to correct after implementation because of the associated costs (in money and operational downtime). Studies have shown that it costs approximately 50—100 times more to correct an operational system than it would have cost to build in the necessary controls during implementation. Indeed, the cost to retrofit controls into a system increases geometrically as one progress through the ERP system life cycle phases. If potential vulnerabilities can be identified during implementation of ERP systems, they can be more easily and economically corrected than after the ERP system is installed and operational. Thus, it becomes imperative to evaluate the adequacy of the implementation approach to controls (i.e., how controls are addressed, implemented, and documented). If an adequate system of controls is built in during implementation, it can be fine-tuned through operational audits, as necessary. The risks and exposures through the model ERP life cycle (ERPCL) are Page 3 of 39 AUDITING IN ERP ENVIRONMENT presented in Exhibits 3.1a—3.2e, which include the operational environment and maintenance phases. OVERVIEW OF RISKS Organizations assume risks in the normal conduct of doing business. These risks represent potential damaging events that might produce losses. Controls or safeguards are installed to reduce these risks. If controls are insufficient, the organization is overexposed and is likely to suffer losses or operate at a less efficient level than competitors. Any IT environment presents unique vulnerabilities and threats to an organization. Vulnerability is a weakness or a flaw in an IT-based system that may be exploited by a threat that can cause destruction or by misuse of the system’s assets or resources. Threats can be environmental (e.g., fire, water damage, earthquakes, hurricanes, etc.) or people-oriented (e.g., errors, omissions, intentional acts of violence, fraud, etc.). When a threat materializes and takes advantage of a system’s vulnerabilities, a damaging event causes a loss. The risks of damaging events cannot be totally eliminated, but the use of controls can reduce such risks to an acceptable level. Overview of Risks Exhibit 2.1 Risks and exposures for ERPLC Risk Analyses A risk analysis of an organization’s ERP systems, their existing controls, and their vulnerabilities results in the loss potential for the system, with an estimated likelihood of occurrence. This loss potential in damages must be represented in terms of dollar value. A risk analysis of an ERP system performs two important functions: • • Searches out an ERP system’s vulnerabilities and the probabilities of threats materializing to exploit these vulnerabilities. Calculates the damage or loss to its assets that could be produced by the resulting damaging events. Page 4 of 39 AUDITING IN ERP ENVIRONMENT A third component, to recommend controls or safeguards that would reduce the damages or loss to an acceptable level (through the use of a cost/benefit analysis), might also be added. An ERP system environment’s vulnerabilities and set of threats should be assessed to arrive at some estimate of possible damaging events. Such an assessment would also review the strengths of existing controls. A vulnerability assessment is conducted as part of a risk analysis. The vulnerability assessment is a major assessment of the adequacy of an ERP’s system. Organizations must first identify vulnerabilities and threats; and then determine whether controls are adequate to reduce the resulting risks to an acceptable level. If not, it will be necessary to correct and guard against threats. RISKS IN AN ERP ENVIRONMENT The risks in an ERP environment include both those present in a manual processing environment and those that are unique or increased in an ERP environment. The use of ERP systems clearly introduces additional risks into the system environment. These additional risks include problems associated with: • • • • • • • • • • • Improper use of technology. Inability to control technology. Inability to translate user needs into technical requirements. Illogical processing. Inability to react quickly (to stop processing). Cascading of errors. Repetition of errors. Incorrect entry of data. Concentration of data. Inability to substantiate processing. Concentration of responsibilities. Each of these risks is discussed individually below, including many of the conditions that cause the risks to occur. Improper Use of Technology Information technology provides systems analysts and programmers with a variety of processing capabilities. This technology must be matched to the user’s needs in order to best meet those needs. A mismatch of technology and needs can result in an unnecessary expenditure of organizational resources. One of the more common misuses of technology is the introduction of new technology prior to the clear establishment of its need. For example, many organizations introduce database technology without clearly establishing the need for that technology. Experience has shown that the early users of a new technology frequently consume large amounts of resources learning to use that new technology. • The conditions that lead to the improper use of technology include: • Premature user of new hardware technology. • Early user of new software technology. Page 5 of 39 AUDITING IN ERP ENVIRONMENT • Minimal planning for the installation of new hardware and software technology. • Systems analyst/programmer improperly skilled in the use of technology. Inability to Control Technology IT personnel spend most of their effort on the problems associated with the implementation of new technology. Numerous studies imply that there is often too little time left to develop and install technological controls. As a result, resources are expended to correct technological problems. Controls are needed over the technological environment. These controls ensure that the proper version of the proper program is in production at the right time; that the proper files are mounted; and that the operators perform the proper instructions. Adequate procedures must be developed to prevent, detect, and correct problems in the operating environment. The proper data must be maintained and retrievable when needed. The conditions that result in uncontrolled technology include: • Selection of vendor-offered system control capabilities by systems programmers without considering audit needs. • Too many control trade-offs for operational efficiency. • Inadequate restart/recovery procedures. • Inadequate control over different versions of programs. • Inadequate control over schedulers, system operators, tape librarians, print capabilities, and data transmission capabilities. • Inadequate review of outputs. Inability to Translate User Needs into Technical Requirements One of the major failures of information technology has been a communication failure between users and technical personnel. In many organizations, users cannot adequately express their needs in terms that facilitate the implementation of ERP applications. And the technical people are often unable to appreciate the concerns and requirements of their users. The risk associated with failure to satisfy user needs is complex. Exposures include: • Failure to implement needs because users were unaware of technical capabilities. • Improperly implemented needs because the technical personnel did not understand user requirements. • Users accepting improperly implemented needs because they are unsure how to specify changes. • • Building of redundant manual systems to compensate for weaknesses in ERP applications. • Conditions that can lead to the inability to translate user needs into technical requirements include: • Users without technical IT skills. • Technical people without sufficient understanding of user requirements. • User’s inability to specify requirements in sufficient detail. • Multi-user systems with no user in charge of the system. Illogical Processing Page 6 of 39 AUDITING IN ERP ENVIRONMENT Illogical processing is the performance of an automated event that would be highly unlikely in a manual processing environment; for example, producing a payroll check for a clerical individual for over $1 million. This is possible in an automated system due to programming or hardware errors, but highly unlikely in a manual system. ERP applications do not have the same human oversight as manual systems. In addition, fewer people have a good understanding of the processing logic of ERP applications. Thus, in some instances, illogical processing may not be readily recognizable. Conditions that can result in illogical processing include: • Failure to check for unusually large amounts on output documents. • Fields that are either too small or too large, thereby impacting the completeness, accuracy, or efficiency of the data being processed. • Failure to scan output documents. Inability to React Quickly ERP applications are valuable because they are able to satisfy user needs on a timely basis. Some of these needs are predetermined and reports are prepared on a regular basis to meet these needs. Other needs occur periodically and require special actions to satisfy. If the ERP application is unable to satisfy these special needs on a timely basis, redundant systems may be built for that purpose. One of the measures of an ERP application’s success is the speed with which special requests can be satisfied. Some of the newer online database applications that include a query language can satisfy some requests within a very short time span. On the other hand, some of the older batch-oriented applications may take several days or weeks to satisfy a special request. In some instances, the structure of the application system is an inhibits satisfying requests. For example, if an auditor wants all of the supporting information for a supply requisition in a tape-batched system, the cost and difficulty of satisfying that request may be prohibitive. That requisition could be spread over many weeks of processing, due to back orders, returned shipments, and shipping errors. The evidence supporting the transaction may be spread over many tape files and the cost of processing those files may be exorbitant. The conditions that make ERP applications unable to react quickly include: • Computer time is unavailable to satisfy the request, or computer terminals/microcomputers are not readily accessible to users. • The structure of the computer files is inconsistent with the information requested. • General-purpose extract programs are not available to satisfy the desired request. • The cost of processing exceeds the value of the information requested. Cascading of Errors Cascading of errors is the domino effect of errors throughout an application system. An error in one part of the program or application triggers a second yet unrelated error in another part of the application system. This second error may trigger a third error, and so on. The cascading of error risk is frequently associated with making changes to application systems. A change is made and tested in the program in which the change occurs. However, some condition has been altered as a result of the change, Page 7 of 39 AUDITING IN ERP ENVIRONMENT which causes an error to occur in another part of the application system. Cascading of errors can occur between applications. This risk intensifies as applications become more integrated. For example, a system that is accepting orders may be tied through a series of applications to a system that replenishes inventory based upon orders. Thus, an insignificant error in the order-entry program can “cascade” through a series of applications resulting in a very serious error in the inventory replenishment program. The types of conditions that lead to cascading of errors include: • Inadequately tested applications. • Failure to communicate the type and date of changes being implemented. • Limited testing of program changes. Repetition of Errors In a manual processing environment, errors are made individually. Thus, a person might process one item correctly, make an error on the next, process the next twenty correctly, and then make another error. In ERP systems, the rules are applied consistently. Thus, if the rules are correct, processing is always correct. But, if the rules are erroneous, processing will always be erroneous. Errors can result from application programs, hardware failures, and failures in vendor-supplied software. For example, a wrong percentage may have been entered for tax deductions. Thus, every employee for that pay period will have the wrong amount deducted for tax purposes. The conditions that cause repetition of errors include: • Insufficient program testing. • Inadequate checks on entry of master information. • Failure to monitor the results of processing. Incorrect Entry of Data In ERP applications, there is a mechanical step required to convert input data into machine-readable format. In the process of conducting this task, errors can occur. Data that was properly prepared and authorized may be entered into ERP applications incorrectly. Much of the data entered into batch-type systems is entered using a keyboard device. Some of these devices are keypunch machines and key-to-disk machines. The data originator manually transcribes the input information onto some type of form, and the form is given to a key operator to enter on computer media. During this keying process, errors can be made. In the newer technology, data can be originated and entered at the same time. For example, order entry clerks receive orders by telephone and key them directly into computer memory. However, errors can still occur during this process. Other methods of data entry include optical scanners, process-control computers that monitor production machinery, automatic cash dispensers and pointof-sale equipment. However, these are all mechanical devices and thus subject to failure. Conditions that can cause incorrect entry of data include: • Human errors in keying data. Page 8 of 39 AUDITING IN ERP ENVIRONMENT • Mechanical failure of hardware devices. • Misinterpretation of characters or meaning of manually recorded input. • Misunderstanding of data entry procedures. • Inadequate data verification procedures. Concentration of Data ERP applications concentrate data in an easy-to-access format. In manual systems, data is voluminous and stored in many places. It is difficult for an unauthorized individual to spend much time browsing undetected through file cabinets or other manual storage areas. With ERP media, unauthorized individuals can browse using computer programs. This may be difficult to detect without adequate safeguards. In addition, the data can be copied quickly without leaving any visible trail or destroying the original data. Thus, the owners of the data may not be aware that the data has been compromised. Database technology increases the risk of data manipulation and compromise. The more data that is stored in a single place, the greater the value of that data to an unauthorized individual. For example, the information about an individual in the payroll application is restricted to current pay information. But, when that data is coupled with personnel history, not only current pay information, but also pay history, individual skills, years and progression of employment, and perhaps performance evaluation is available. Concentration of data increases the problems of greater reliance on a single piece of data and reliance on a single file. If the data entered is erroneous, the more applications that rely on that piece of data, the greater the impact of the error. And the more applications that use the concentrated data, the greater the impact when that data is unavailable due to problems with the hardware or software used for processing it. The conditions that can create problems due to the concentration of data in ERP applications include: • Erroneous data and its impact on multiple users of that data. • Impact of hardware and software failures that ordinarily make the data available to multiple users. • Inadequate access controls enabling unauthorized access to data. • Inefficient use of system for data storage and/or retrieval, which may impact response time or computer capacity. Inability to Substantiate Processing ERP applications should contain the capability to substantiate processing. This substantiation includes both the ability to reconstruct the processing of a single transaction and the ability to reconstruct control totals. ERP applications should be able to produce all of the source transactions that support a control total as well as substantiate that any source document is contained in a control total. Application systems need to substantiate processing to correct errors and to prove that processing is correct. When errors occur, computer personnel need to pinpoint the cause so they can be corrected. ERP application customers, other users, and control-oriented personnel, such as auditors, frequently want to verify that processing is correct. Page 9 of 39 AUDITING IN ERP ENVIRONMENT Conditions that may cause the inability to substantiate processing include: • Evidence is not retained long enough. • The evidence from intermediate processing is not retained. • Evidence is not independently reviewed for quality assurance and/or data integrity. • Outputs are not reviewed for quality by the users. • The cost of substantiating processing exceeds the benefits derived from the process. Concentration of Responsibilities ERP systems concentrate the responsibilities of many people into the automated application. Responsibilities that had been divided among many people for control purposes may be concentrated into a single application system. A single application system may also concentrate responsibilities from many departments within an organization. The responsibilities in an ERP environment may be concentrated in both the application system and IT personnel. For example, the data-base administrator may absorb data control responsibilities from many areas in the organization. A single ERP system project leader may have the processing responsibility for many areas in the organization. New methods of separation of duties must be substituted for the previous segregation of duties among people. Conditions that cause the concentration of responsibilities in an ERP environment include: • Establishment of a data processing programming and systems group to develop ERP applications for an organization. • Centralized processing of ERP applications. • Establishment of a database administration function. • Lack of adequate standards and enforcement of those standards. • Lack of adequate quality assurance and systems or applications testing. The following is a list of negative situations to which ERP application systems are vulnerable, grouped according to common system organizational structures. While not intended to be all-inclusive, the list suggests various kinds of vulnerabilities that may exist in an ERP system. This list of potential vulnerabilities helps identify the additional risks presented in an ERP environment. Due to their value as a tool to identify unique risks, a brief description of vulnerabilities by type is also provided. Erroneous or Falsified Data Input. Erroneous or falsified input data is the simplest and most common cause of undesirable performance by an applications system. Vulnerabilities occur wherever data is collected, manually processed, or prepared for entry to the computer. • Unreasonable or inconsistent source data values may not be detected. • Keying errors during transcription may not be detected. • Incomplete or poorly formatted data records may be accepted as if they were complete records. • Records in one format may be interpreted according to a different format. • An employee may fraudulently add, delete, or modify data (e.g., payment vouchers, claims) to obtain benefits (e.g., checks, negotiable coupons) for Page 10 of 39 AUDITING IN ERP ENVIRONMENT himself. Lack of document counts and other controls over source data or input transactions may allow some of the data or transactions to be lost without detection or allow extra records to be added. • Records about the data entry personnel (e.g., a record of a personnel action) may be modified during data entry. • Data that arrives at the last minute (or under some other special or emergency condition) may not be verified prior to processing. • Records in which errors have been detected may be corrected without verification of the full record. Misuse by Authorized End Users. End users are the people served by ERP Systems. The system is designed for their use, but they can also misuse it. It may be difficult to determine whether their use of the system is in accordance with the legitimate performance of their job. � An employee may convert confidential information to an unauthorized use. For example, he may sell privileged data about an individual to a prospective employer, credit agency, insurance company, or competitor; or may use statistics for stock market transactions before their public release. • A user whose job requires access to individual records in a file may compile a complete listing of the file and then make unauthorized use of it (e.g., sell a listing of employee’s home addresses as a mailing list). • Information may be altered for an unauthorized end user (e.g., altering of personnel records). • An authorized user may use the system for personal benefit (e.g., theft of services). • A supervisor may manage to approve and enter a fraudulent transaction. • A disgruntled or terminated employee may destroy or modify records, possibly in such a way that backup records are also corrupted and useless. • An authorized user may accept a bribe to modify or obtain information. Uncontrolled System Access. Organizations expose themselves to unnecessary risk if they fail to establish controls over who can enter the system area, who can use the ERP and who can access the information contained in the system. • Data or programs may be stolen from the IT room or other storage areas. • ERP facilities may be destroyed or damaged by intruders or employees. • Individuals may not be adequately identified before they are allowed to enter the IT area. • Remote terminals may not be adequately protected from use by unauthorized persons. • An unauthorized user may gain access to the system via a dial-in line and an authorized user’s password. • Passwords may be inadvertently revealed to unauthorized individuals. A user may write his password in some convenient place, or the password may be obtained from some other apparent source, discarded printouts, or by observing the user as he types it. • A user may leave a logged-in terminal unattended, allowing an unauthorized person to use it. • A terminated employee may retain access to an ERP system because his • Page 11 of 39 AUDITING IN ERP ENVIRONMENT name and password are not immediately deleted from authorization tables and control lists. • An unauthorized individual may gain access to the system for his own purposes (e.g., theft of computer services, data or programs, modification of data, alteration of programs, sabotage and denial of services). • Repeated attempts by the same user or terminal to gain unauthorized access to the system or to a file may go undetected. Ineffective Security Practices for the Application. Inadequate manual checks and controls to ensure correct processing by the AIS, or negligence by those responsible for carrying out these checks, result in many vulnerabilities. • Poorly defined criteria for authorized access may cause employees not to know what information they, or others, are permitted to access. • The person responsible for security may fail to restrict user access to only those processes and data that are needed to accomplish assigned tasks. • Large funds disbursements, unusual price changes, and unanticipated inventory usage may not be reviewed for accuracy. • Repeated payments to the same party may go unnoticed because there is no review. • Sensitive data may be carelessly handled by the application staff, by the mail service, or by other personnel within the organization. • Post-processing reports analyzing system operations may not be reviewed to detect security violations. • Inadvertent modification or destruction of files may occur when trainees are allowed to work on live data. • Appropriate action may not be pursued when a security variance is reported to the system security officer or to the perpetrating individual’s supervisor. In fact, procedures covering such occurrences may not exist. Procedural Errors within the IT Facility. Both errors and intentional acts committed by the DP operations staff may result in improper operational procedures, lapsed controls, and losses in storage media and output. Procedures and Controls. • Files may be destroyed during database reorganization or during release of disk space. • Operators may ignore operational procedures; for example, by allowing programmers to operate computer equipment. • Job control language parameters may be erroneous. • An installation manager may circumvent operational controls to obtain information. • Careless or incorrect restarting after shutdown may cause the state of a transaction update to be unknown. • An operator may enter erroneous information at a CPU console (e.g., control switch in wrong position, terminal user allowed full system access; operator cancels wrong job from queue). • Hardware maintenance may be performed while production data is online and the equipment undergoing maintenance is not isolated. • An operator may perform unauthorized acts for personal gain (e.g., make Page 12 of 39 AUDITING IN ERP ENVIRONMENT extra copies of competitive bidding reports, print copies of unemployment checks; delete a record from a journal file). • Operations staff may sabotage the computer (e.g., drop pieces of metal into a terminal). • The wrong version of a program may be executed. • A program may be executed using wrong data or may be executed twice using the same transactions. • An operator may bypass required safety controls (e.g., write rings for tape reels). • Supervision of operations personnel may not be adequate during nonworking-hour shifts. • Due to incorrectly learned procedures, an operator may alter or erase the master files. • A console operator may override a label check without recording the action in the security log. Storage Media Handling. • Critical tape files may be mounted without being write protected. • Inadvertently or intentionally mislabeled storage media are erased. In case they contain backup files, the erasure may not be noticed until it is needed. • Internal labels on storage media may not be checked for accuracy. • Files with missing or mislabeled expiration dates may be erased. • Incorrect processing of data or erroneous updating of files may occur when input data has been dropped; partial input data is used; write rings mistakenly are placed in tapes; wrong tapes are incorrectly mounted or worn tapes mounted. • Scratch tapes used for jobs processing sensitive data may not be adequately erased after use. • Temporary files written during a job step for use in subsequent steps may be erroneously released or modified because they are not protected or because of an abnormal termination. • Storage media containing sensitive information may not get adequate protection because operations staff does not know the nature of the information content. • Tape management procedures may not adequately account for the current status of all tapes. • Magnetic storage media that contain very sensitive information may not be degaussed before being released. • Output may be sent to the wrong individual or terminal. • Improper operation of output or post-processing units (e.g., bursters, decollators, or multipart forms) may result in loss of output. • Surplus output material (e.g., duplicates of output data, used carbon paper) may not be disposed of properly. • Tapes and programs that label output for distribution may be erroneous or not protected from tampering. Program Errors. ERP system should operate in an environment that requires and supports complete, correct, and consistent program design, good programming practices, adequate testing, review, documentation, and proper maintenance Page 13 of 39 AUDITING IN ERP ENVIRONMENT procedures. Although programs developed and implemented in such an environment may still contain undetected errors, programs not developed in this manner may be rife with errors. Without these controls, programmers can deliberately modify programs to produce undesirable side effects or they can misuse the programs they monitor. • Records may be deleted from sensitive files without a guarantee that the deleted records can be reconstructed. • Programmers may insert special provisions in programs that manipulate data concerning themselves (e.g., a payroll programmer may alter his own payroll records). • Data may not be stored separately from code so that program modifications are more difficult and must be made more frequently. • Program changes may not be tested adequately before being used in a production run. • Changes to a program may result in new errors due to unanticipated interactions between program modules. • Program acceptance tests may fail to detect errors that only occur for unusual combinations of input (e.g., a program that is supposed to reject all except a specified range of values actually accepts an additional value). • Programs with contents that should be safeguarded may not be identified and protected. • Code, test data with its associated output, and documentation for certified programs may not be filed and retained for reference. • Documentation for vital programs may not be safeguarded. • Programmers may fail to keep a change log, to maintain back copies, or to formalize record-keeping activities. • An employee may steal programs he maintains and use them for personal gain (e.g., sale to a commercial organization, hold another organization for extortion). • A critical data value may be initialized twice due to poor program design. An error may occur when the program is modified to change the data value, but only changes it in one place. • Production data may be disclosed or destroyed when it is used during testing. • A programmer who misunderstands requests for changes to the program may cause errors. • A programmer who makes changes directly to machine code may introduce errors. • Programs may contain routines not compatible with their intended purposes, which can disable or bypass security protection mechanisms. For example, a programmer who anticipates being fired, inserts code into a program which will cause vital system files to be deleted as soon as his name no longer appears in the payroll file. • Inadequate documentation or labeling may result in the wrong version of a program being modified. Operating System Flaws. Design and implementation errors, system generation and maintenance problems, and deliberate penetrations causing modifications to the operating system can produce undesirable effects in the ERP systems. Flaws in the Page 14 of 39 AUDITING IN ERP ENVIRONMENT operating system are often difficult to prevent and detect. User jobs may be permitted to read or write outside the assigned storage area. • Simultaneous processing of the same file by two jobs may introduce inconsistencies into data. • An operating system design or implementation error may allow a user to disable audit controls or to access all system information. • The operating system may not protect a copy of information as thoroughly as it protects the original. • Unauthorized modification to the operating system may allow a data entry clerk to enter programs and thus subvert the system. • An operating system crash may expose valuable information such as password lists or authorization tables. • Maintenance personnel may bypass security controls while performing maintenance work. At such times, the system is vulnerable to errors or intentional acts of the maintenance personnel, or anyone else who might also be on the system and discover the opening (e.g., micro-coded sections of the operating system may be tampered with or sensitive information from online files may be disclosed). • An operating system may fail to record that multiple copies of output have been made from spooled storage devices. • An operating system may fail to maintain an unbroken audit trail. • When restarting after a system crash, the operating system may fail to ascertain that all terminal locations are still occupied by the same individuals. • A user may be able to get into monitor or supervisory mode. • The operating system may fail to erase all scratch space assigned to a job after the normal or abnormal termination of the job. • Files may be allowed to be read or written without having been opened. Communications System Failure. Information being routed from one location to another over communication lines is vulnerable to accidental failures and to intentional interception and modification by unauthorized parties. Accidental Failures. • Undetected communication errors may result in incorrect or modified data. • Information may be accidentally misdirected to the wrong terminal. • Communication nodes may leave unprotected fragments of messages in memory during unanticipated interruptions in processing. • Communication protocol may fail to positively identify the transmitter or receiver of a message. Intentional Acts. • Communication lines may be monitored by unauthorized individuals. • Data or programs may be stolen via telephone circuits from a remote job entry terminal. • Programs in the network switching computers may be modified to compromise security. • Data may be deliberately changed by individuals tapping the line (requires some sophistication, but is applicable to financial data). • An unauthorized user may take over a computer communication port as an Page 15 of 39 AUDITING IN ERP ENVIRONMENT authorized user disconnects from it. Many systems cannot detect the change. This is particularly true in much of the currently available communication equipment and in many communication protocols. • If encryption is used, keys may be stolen. • A terminal user may be spoofed into providing sensitive data. • False messages may be inserted into the system. • True messages may be deleted from the system. • Messages may be recorded and replayed into the system (i.e., “deposit $100” messages). Besides the risks described previously, the impact of these additional vulnerabilities must be assessed. These special vulnerabilities pose threats, which are not present at all, or are present to a lesser degree, in non-ERP environments. Once these risks are identified, their severity should be estimated, and controls developed to mitigate their impact on the ERP applications. INTERNAL CONTROL Internal control systems are set up to help mitigate against the risks discussed above. The purpose of internal control systems is to reasonably ensure that the following goals are achieved: • • Obligations and costs comply with applicable laws. All assets are safeguarded against waste, loss, unauthorized use, and misappropriation. • Revenues and expenditures that apply to organization operations are recorded and properly accounted for, so that accounts and reliable financial and statistical reports may be prepared and an accounting of these assets may be maintained. Control Objectives and Key Controls In order to understand control objectives and key controls, it is important to know what a system of internal controls is. The AICPA Guidelines of Internal Control define it as: The plan of organization and all the methods and procedures adopted by the management of an entity to assist in achieving management’s objective of ensuring, as far as practical, the orderly and efficient conduct of its business, including adherence to management policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information. The system of internal controls extends beyond those matters which relate directly to the functions of accounting system. Control Objectives Control objectives are high-level statements of intent by the management to ensure that departmental programs designed to fulfill the organization’s strategic plans are Page 16 of 39 AUDITING IN ERP ENVIRONMENT carried out effectively and efficiently. These statements of intent embody the plan of organization and all the related systems established by management to safeguard assets, check the accuracy and reliability of financial data, promote operational efficiency and encourage adherence of prescribed management policies. Once the business risk for the ERP systems is defined, it is possible to determine how these risks will be contained. Control objectives can be defined as “the purpose or justification for having internal controls.” The organization’s internal control structure must meet several control objectives to prevent, detect and correct errors, omissions and irregularities in business transactions and processes, and to assure continuity of business operations. They are a link between the risks and internal controls. Control objectives may differ, depending upon the type, scope, and purpose of the audit. There could be several internal control objectives for a given business risk, so that the risk is adequately addressed. Some of the common internal control objectives that an author should look for are: • • • • • • • Transactions are properly authorized (Authorized). Transactions are recorded on a timely basis (Timeliness). Transactions are accurately processed (Accuracy). All existing transactions are recorded (Completeness). All recorded transactions are valid (Validity). Transactions are properly valued (Valuation). Transactions are properly classified and posted to proper accounts and subsidiary records (Classification). • Transactions are properly summarized and reported (Reporting). • Assets, including software programs, data, human resources, computer facilities, etc. are safeguarded against damage, theft, and so forth (Security). • System and data integrity is maintained (Integrity). • System availability is assured (Availability). • System controllability and auditability is maintained (Controllability and Auditability). • System maintainability is assured (Maintainability). • System usability is assured (Usability). • System economy and efficiency are maintained (Efficiency). Key Controls Each control objective is met by one or more control techniques. These techniques are the ways and means that management controls the operations, are varied in nature, and exist as: • Procedures and policies. For example, independent balancing, cancellation of documents after processing, independent signing for approval of prepared Page 17 of 39 AUDITING IN ERP ENVIRONMENT source documents, competent and trustworthy personnel, segregation of duties, mandatory vacations and rotation of duty assignments. • Information systems design. For example, numerically prenumbered forms, message authentication, console logs, encryption, range and limit checks on input fields. • Physical controls. For example, combination locks for vaults, card acceptor devices for restricted access areas. • Segregation of duties. Segregation of Duties The overall objective of the segregation of duties for ERP systems can be expressed as “production data is only accessible to bonafide users utilizing tested and approved ERP.” Bonafide users are those allowed by management to view, update, add or delete transactions in a specific application. The manager in charge of the division or department who relies on the data for its operations owns the data. For instance, the controller owns the financial data; he or she is ultimately responsible for its accuracy and safeguard. From a practical standpoint, that manager will have devolved the responsibility of granting user access to managers reporting to him or her. These managers will, in turn, rely on a system administrator, either a member of the user department or IT, to brief them on the available functions of the ERP; the identity of the users whose job requires access to these functions; and ultimately, the data. Having understood the sensitivity of the functions and the confidentiality of the data, these managers will delegate authority to the administrator to grant access to users. The IT department is responsible for ensuring that powerful utilities are only accessible to selected users and cannot be utilized in an unauthorized fashion to modify production data. In every environment, there will always be one user and a back-up who have access or can grant themselves access to all data. These powerful users should be carefully selected and audit trails of their actions should exist. Production data is never owned by IT unless it is specific to the operations of the IT department. Production data should only be accessed through authorized utilities that would not allow users to manipulate production data outside of the constraints and controls implemented within the ERP systems. For instance, the rules implemented at the database level require that a customer be in the customer file for their order to be recorded. If a user were able to directly access the order table, through a text editor in a UNIX environment or by TSO/ISPF (True Sharing Option/Interactive System Productivity Facility) in an MVS (Multiple Virtual Storage) environment, the ERP control implemented could be bypassed and an order entered for a nonexistent customer. Page 18 of 39 AUDITING IN ERP ENVIRONMENT Indian auditing experience in ERP Audit Bharat Sanchar Nigam Limited Bharat Sanchar Nigam Limited introduced SAP R/3 version 4.7 in Gujarat Telecom Circle (GTC). The SAP-ERP server is installed at ERP Data Centre at Ahmedabad and LAN (Local Area Network) / WAN (Wide Area Network) were used for connecting R/3 environment to the nodes at Secondary Switching Areas (SSAs). The work of implementation of ERP in GTC was awarded to Siemens Information Systems Limited (SISL), Mumbai at a cost of Rs. 20.14 crore. The objectives of implementation of ERP were to: (i) Improve the information flow to facilitate better decision making leading to overall improvement in the performance of the organisation by way of improvements in productivity, cycle time, financial performance and information transparency, (ii) Convert GTC into a paperless working environment and (iii) Reduce manpower requirement. However, it was observed that the desired objectives did not accrue to the Company as detailed below: 1. Business Process Re-engineering (BPR) Business Process Re-engineering (BPR) is one of the fundamental steps undertaken prior to ERP implementation. While according sanction for implementation of ERP in Gujarat Telecom Circle, BSNL Corporate Office in August 2003 had approved implementation of ERP in one SSA and implementation in entire Circle was to be done after finalizing business processes. Against the instructions of the Corporate Office, GTC went ahead with implementation of ERP in all SSAs without finalising BPR which resulted in manual intervention and deprived the Company of advantages of ERP. For instance, In the manual system, for sale of top-up and recharge coupons the Marketing wing issues delivery note to the franchisee for the quantity of top-up and recharge coupons and the Cash section receives the payments against the quantity authorised by the Marketing wing. The products are then issued by the Marketing wing after production of cash receipts. In an ERP environment all the above functions could be carried out through a single window. It was noticed that all the activities related to the sale of top-up and recharge coupons of GTC were being carried out in the traditional way despite operating in a computerised environment. The total value of sales of these coupons in the two years of 2007-08 and 2008-09 was Rs. 470.50 crore out of which 79 per cent amounting to Rs. 372 crore was through franchisees. 2. Interface with the telephone revenue billing packages There are two billing packages used in GTC for billing. One of the important conditions of the agreement with SISL for implementation of ERP was to provide interface with the existing billing packages. It was observed that no interface was provided with the revenue billing packages and the revenue from them are accounted in ERP through Journal Vouchers. In the absence of interface bank reconciliation of collection accounts is done manually depriving GTC of the advantages of efficient fund management. 3. Digitisation of service details and records Page 19 of 39 AUDITING IN ERP ENVIRONMENT Agreement with M/s SISL stipulated that service records, personal details, watching of crucial dates in service, Career Planning, Appraisal System, Pay Roll, terminal benefits etc for approximately 28,000 employees were to be digitised. But it was observed that the vendor did not comply with contractual agreement with the result that service related activities like leave account of employees, pay fixation, grant of increment etc are done manually in the Circle defeating one of the major objectives of ERP implementation which was to reduce human intervention in various administrative works. 4. Declaration of ‘Go Live’ status even before achieving online status in various modules: As per terms of the agreement with M/s SISL, ERP was to be commissioned by March 2005. It was observed (October 2009) that ‘Go live’ was declared in the year 2007, even though online status was not achieved in many modules and transactions. The activities like processing of Performance Bank Guarantees, posting of leave entries, settlement of temporary advances, Leave Travel Concession (LTC) and Medical claims were processed offline. Moreover, on review of the Trial Balance and other accounting statements prepared from ERP it was noticed that in the two years after declaring ‘Go Live’ more than 65,000 JVs (document created in ERP for accounting transaction carried out in legacy system) were prepared during the preparation of final accounts of the Company. It is expected that there should be minimum possible manual intervention after declaring ‘Go Live’. But absence of interface with other software packages and continuance of manual system contributed to the preparation of large number of JVs. 5. Customisation and mapping of rules on delegation of financial powers Customising the ERP package to the requirements of the Company and mapping the business rules of the Company completely to it was an important stage in the project implementation. As per Company’s accounting policy, sanction from the appropriate level of Management is a must for incurring any expenditure. It was seen that while implementing ERP the practice of preparing estimates for maintenance work was replaced with a system of ‘maintenance orders’ and no monetary limit was prescribed for ‘maintenance orders’ in the Plant Maintenance (PM) module. A review of the expenditure in PM module for 2007-08 and 2008-09 showed that expenditures of more than Rs. One lakh in each case aggregating Rs. 44.21 crore were incurred without the cases being approved through workflow of ERP. This expenditure on maintenance should have been linked with the workflow so that a watch on such expenditure could be monitored by top level Management to ensure only expenditures of maintenance nature are processed thorough Plant Maintenance module. This led to inflated per line maintenance cost for GTC besides depriving it of the benefits of depreciation which otherwise would have accrued on the capital assets booked in PM module. 6. Monitoring of functioning of ERP For efficient functioning of an IT system, it is important that the Management put in place effective monitoring mechanism which would facilitate early detection and rectification of deficiencies. Audit observed the following deficiencies due to lack of Page 20 of 39 AUDITING IN ERP ENVIRONMENT effective monitoring of the functioning of ERP: • In Vadodara SSA it was seen that equipment costing Rs. 1.45 crore received in August 2007 was taken into stock only in Jan 2008. Though the equipment was put to use, it neither formed part of Work in Progress (WIP) nor the Fixed Assets of the SSA for the financial year 2007-08. On being pointed out by audit, it was replied that the consignment was directly received by the sub-division and only on receipt of bill for payment the omission was noticed. • In the Company, transfer of stores between different units is frequent and processing of Advice of Transfer Debits (ATD) is an important activity in stores transactions. Test check of ATD transactions in Surat SSA revealed that an ATD for Rs. 43.6 lakh which was supported with invoices was shown in the system as Rs. 20.07 lakh. • As per the Company policy, assets costing less than Rs. 5,000 should be depreciated fully. It was seen from the data in FICO module that in 792 cases assets valuing less than Rs. 5,000 were not depreciated fully. 7. Data validation Efficient data validation procedures are important to ensure the reliability of output from the system. Audit observed the following deficiencies in the functioning of ERP due to weak validation of data. (a) As per existing rules the minimum subscription to GPF should be six per cent of the pay. However, it was noticed that the system was accepting subscriptions below six per cent of pay also. On this being pointed out, the Management replied that validation for GPF subscription would be restored from April 2010. (b) As per accepted accounting principles, depreciation of an asset should commence from date of its capitalisation. However, it was observed that date of capitalisation and date of commencement of depreciation were different in many cases. Moreover, life of assets was not matched properly and in many cases it was shown as 999 years. (c) The currency of assets of Vadodara SSA in “depreciation posted” sub-module in FICO was seen as US Dollars (USD) instead of Indian Rupee (INR). 8. User account management Review of the user account management of ERP revealed that multiple user accounts existed for the same officer in different capacities within the same SSA or in two different SSAs and user once created was not being cancelled or deleted on transfer or retirement of the official. It was also noticed in Surat SSA that bills pertaining to Civil Division were accepted and passed by logging in as Accounts Officer, Telecom Electrical Division. Oil India Limited Oil India Limited (OIL) adopted SAP R/3 (version 4.7) as its Enterprise Resource Planning (ERP) software to enable it to integrate its business processes across the value chain. The total project cost was Rs. 45.04 crore. The ERP system went live in December 2005. At the time of implementing the system, the Company had carried out a detailed cost benefit analysis incorporating all tangible benefits that would accrue by implementing SAP R/3 and projected a benefit of Rs. 14.67 crore per Page 21 of 39 AUDITING IN ERP ENVIRONMENT annum. The benefit, inter alia, was expected to flow mainly from control of inventory carrying cost, overtime expenditure, fuel oil consumption, repair and maintenance cost, decrease in surface equipment shutdown time in drilling operations, transport and other contract cost, etc. Audit scrutiny, however, revealed that the Company could not get the above benefits entirely, due to inadequate End User Training and underutilisation of ERP as detailed below: • There is no effective Information Security policy in the Company. • Corporate Financial Management (CFM) module is not being utilised and the server purchased for CFM is kept under shutdown. The other modules viz. Plant Maintenance (PM), Human Resource (HR) and Project System (PS) are also underutilised. Plant Maintenance activities are not being adequately monitored through PM module due to non updation of Maintenance history, Breakdown details, job completion status, etc. Manpower Planning is not being carried out in HR module. Further, HR data is not being updated regularly especially for separation cases, loan data and new recruits. Daily Progress Report (DPR) for Drilling/ workover and survey activities are not being regularly captured in the PS Module. Audit reviewed the general performance of two modules of SAP R/3 namely Financial Accounting and Controlling (FICO) and Project System (PS) which revealed the following: 1 Financial Accounting and Controlling (FICO) Financial Accounting and Controlling (FICO) module of SAP R/3 is envisaged to cater to all the accounting, financial and informational / reporting needs of the Finance and Accounts Department of the Company. However, the following deficiencies were observed in the FICO module: a) Single invoice can be processed for payment more than once in the Cash journal. b) Revenue budget has not been configured in SAP R/3 and, thus, budgetary controls on the revenue expenditure could not be exercised. c) General Ledger Accounts, which are supposed to take automatic direct posting from other modules (such as Materials Management, Sales and Distribution etc.), have not been marked for such automatic posting. d) SAP has not been configured for preventing the use of wrong cost centres. 1 e) Depletion calculation has not been properly mapped. In SAP R/3, depletion is being calculated on monthly basis, whereas the business process of the Company requires depletion to be calculated on quarterly basis. f) The system of allocation of cost to oil wells has not been properly mapped in SAP R/3. So, the cost of departmental drilling manpower could not be allocated correctly to oil wells as the allocation cycle could not differentiate between departmentally operated oil wells and contractually operated oil wells. The wrong allocation of costs is adversely affecting the well costs and leading to generation of wrong Management Information System Reports. g) In cash contra account the original document number is not properly linked with the assignment field of the document being generated at the time of cash disbursement. Due to such improper configuration of SAP R/3, cash contra entries could not be reconciled automatically. h) SAP R/3 has not been configured to generate Cash flow Statement, Segment Reporting, etc. Page 22 of 39 AUDITING IN ERP ENVIRONMENT i) Materials, which have already been consumed, are not being booked into SAP R/3 and are reflected in the inventory. The actual status of consumption of material(s), worth Rs. 91.65 crore (as on 31 March 2009), at various storage locations could not be ascertained. j) Statistical Key Figures (SKFs) are not being updated by the respective departments. So, SAP R/3 could not automatically determine the Statistical Key Figures (SKFs) for allocating the indirect costs. According to the Management, the ignorance of respective users in updating the SKFs is the reason for above anomaly. k) The records of physical verification of assets are not being updated regularly in SAP R/3 and the physical existence of assets, valued at Rs. 116.24 crore, could not be confirmed. The Management could not monitor the physical existence of assets of the Company through SAP R/3. According to the Management this is an uploading issue and the same would be addressed. l) Input controls are not sufficient to prevent the payments of regular nature being made under the facility of ‘one time vendor’ payments. Using the ‘One Time Vendor’ facility for making payments of regular nature increases the risk of payment frauds. 2 Migration of data from legacy system The data uploading into SAP R/3 was done without proper reconciliation and cleaning. There was around Rs. 247 crore difference between legacy data and the data migrated to SAP R/3. This fact was noticed by SAP itself, in course of Quality Review Program after post Go Live Phase. 3 Project System Project System (PS) module of SAP R/3 ERP system provides the framework for mapping and processing of project tasks, planning, execution and monitoring of projects in a targeted and cost-effective way. PS is linked to the SAP R/3 Financial Accounting, Sales and Distribution, Materials Management, Production Planning, and Plant Maintenance modules. The following issues were noticed during the course of audit of Project System module of SAP R/3:a) Budgetary checks are not operating at the time of raising Purchase Requisitions (PR) for contractual services. Audit noticed that Purchase Orders, valuing Rs. 12.30 crore were raised against PRs without reflecting commitment value, during the period from 2006 to 2009. b) Contract Work Order (CWO) can be created in SAP R/3 with ‘unknown’ account assignment bypassing budgetary controls. Audit noticed that sixty seven (67) work orders valuing Rs. 11.09 crore were issued with unknown account assignment during the period from 6 December 2005 to 30 April 2009. 2 c) Cost planning of the Work Break-Down Structures (WBS ), except the material cost, through network is not being done. Hence, the actual versus plan cost against WBS does not reflect the correct scenario. Hindustan Paper Corporation Limited Hindustan Paper Corporation Limited (Company) was using Integrated Business Information System (IBIS) for invoicing, sales and purchase accounting purposes. In Page 23 of 39 AUDITING IN ERP ENVIRONMENT 2003, the Company decided to implement the ERP solution for its various activities and accordingly, Oracle e-Business Suite, an ERP solution by Oracle Corporation, was selected through a global tendering process. Tata Consultancy Services Limited was the implementation partner and WIPRO was the vendor for supply of the production server. The ERP system, installed in Nagaon Paper Mill (NPM), Assam of the Company, was made operational in April 2006 at the cost of Rs. 7.70 crore. As per Memorandum of Understanding (MOU) (2002-03) with the Government of India, implementation of ERP was to be completed by March 2003. However, it was noticed that the order for implementation was issued only in January 2005 and the ERP system went live in April 2006, with a delay of three years. The delay was primarily due to procedural delays attributable to the Management. 1 Anticipated benefits of ERP The anticipated financial benefits of implementing ERP worked out to Rs. 13.07 crore over five years period mainly by way of savings in inventory carrying cost through reduction of procurement cycle. Intangible benefits such as accuracy of payment against material receipt, online availability of cost sheet integrated with production/ sales data, accurate information of real-time customer balance helping faster and error-free invoice-processing and dispatch operations were also expected. The following tangible benefits as envisaged could not be achieved: a) Against anticipated reduction of average procurement cycle time from 18 weeks (2003) to 10.8 weeks, actual average procurement cycle time for the period 200609 was found to be more than 28 weeks. b) 20 per cent reduction in inventory holding was also envisaged during post implementation period. This could not be achieved as with similar levels of turnover, the inventory levels remained almost same during 2006-2009. 2 General controls Following deficiencies in general controls were noticed: • There was no documented ‘Information Technology Policy’. • Some of the security parameters as recommended by ORACLE were not configured but retained as default values. • The user management was deficient which exposed the system to the risk of unauthorised use and loss of audit trail and difficulty in tracing the identity of the unsuccessful login. 3 Input control and validation checks The following deficiencies were noticed in this regard: • Changes in price of finished products were not immediately uploaded in the system. Consequently, sale of products in the intervening period was made at old rates necessitating manual corrections by way of raising debit/credit notes. Analysis revealed that on 81 occasions, the delay in changing price list ranged between 1 to 48 days. This increased the risk of errors and omission. • 215 codes had been allotted to 78 customers indicating that customers were allocated more than one code and the customer names were almost similar but their Page 24 of 39 AUDITING IN ERP ENVIRONMENT Customer ids were different and goods were sold to the same customers under different customer IDs. The existence of duplicate customer IDs may lead to the risk of extending additional credit facilities to a single customer. • Analysis revealed that 1,090 inventory items were allotted more than one code and separate stocks exist for 51 duplicate items. In case of 223 items, material descriptions were not available in the system. • Though the quantity ordered for 3,663 items against 488 purchase orders had been fully delivered, the purchase orders remained open. 4 Business Process Mapping Due to improper mapping of business rules the manual intervention was required which resulted in non achievement of the intangible benefits as envisaged. In this regard the following was observed: • Sale of finished product can be made either on credit or against cash/advance payment. For cash payments, the customer is entitled to get a cash discount based on the payment terms. In this connection, it is observed that for cash sale, payment received from the customers is to be attached to the delivery orders generated. It was, however, noticed that system permitted generation of delivery orders without entering such payment details. Hence, there is a risk of delivery of finished goods without payments and since cash discount is automatically calculated in the system, there is a risk of incorrect billing also. • The system accepted the entry of same cheque/DD numbers against different sales invoices. This may lead to the risk of incorrect adjustment of credits against the sales, which necessitated further supervisory controls. • In the case of credit sale, deliveries were made against receipt of post-dated cheques. It was, however, observed that system has not been customised to accept post-dated cheques against credit sales which resulted in monitoring of such sales through manual registers. • There is no provision in the system to levy penalty for quality and quantity shortage and to calculate the Liquidated Damages for delay in supply of materials though details relating to quality were available in the system. These were calculated and fed in the system manually thereby increasing the risk of inaccurate calculation besides underutilizing the system. • In case of rejection of goods by the customer, neither the returned items could be taken in the stock nor could the accounting entry be passed immediately leading to overstatement of sales and sundry debtors. This indicated that the system is deficient in accounting the material return against direct sale. • Reports like Monthly Segment Report, Monthly Stockist Off Take Report etc., required for MIS purpose continued to be maintained separately for want of customisation of the same in the system. Rashtriya Chemicals and Fertilizers Limited Rashtriya Chemicals and Fertilizers Limited (Company) issued (November 2004) a work order for implementation of mySAP ERP with SAP R/3 Enterprise Version 4.7 on turnkey basis to Siemens Information Systems Limited, Mumbai at a lump sum price of Rs. 3.47 crore. This included Rs. 1.72 crore towards 250 user licences of Page 25 of 39 AUDITING IN ERP ENVIRONMENT mySAP ERP and Rs. 1.75 crore towards design, configuration, installation and implementation of selected core modules. The Company incurred an expenditure of Rs. 1.67 crore for procurement of hardware. The project went “Go live” on 1 January 2006. Audit assessed the implementation and usage of the Material Management Module controls and the security of the system which revealed the following deficiencies: 4.2.4.1 Business Process Mapping Implementation of an ERP solution across the Company is to ensure integration of various business processes as far as possible. However, following deficiencies in mapping of business rules were noticed: (i) Logically, “Purchase Requisition” date should precede “Purchase Order” date. It was observed that in 51 cases the “Purchase Requisition” dates were after “Purchase Order” dates. (ii) There was no online system of creation, approval and release of both Purchase Requisitions and Purchase Orders. In case of raw materials the system was not configured for release of Purchase Requisitions. The system followed by the Company was to obtain approval on the file manually and input the data into the system later. (iii) Purchase Requisitions were created and released in the system for procurement action. It was observed that in respect of 4,464 cases even though quotations were invited, no further action was taken. Similarly, in 4,113 cases, no procurement action was taken. There was also no provision in the system to capture the reasons for pending “Purchase Requisitions”. (iv) As per the delegation of powers, Deputy General Manager has powers to release Purchase Orders upto Rs. 5 lakh only. The powers to be exercised by General Manager and above were exercised by Deputy General Managers and officers below the rank of Deputy General Managers which indicated absence of participation and commitment. (v) In respect of 146 cases, Purchase Orders released during the period from 1 April 2006 to 31 March 2008, valuing Rs. 5.13 crore where delivery was completed and in 1,342 cases valuing Rs. 1,390.68 crore where partial delivery was completed, the Purchase Orders were still open (August 2009). (vi) There was no provision in the system to generate MIS Reports of pending Purchase Requisitions. The system was also not configured to indicate reasons for delay. (vii) In 7,974 cases, valuing Rs. 51.57 crore, the time gap for converting Purchase Requisitions to Purchase Orders ranged from 90 days to more than 540 days. The Company had not fixed any time schedule for issue of Purchase Orders from the date of release of Purchase Requisitions in the system. (viii) In 22,051 cases the Purchase Orders were issued on the same day or after the “expected delivery date” specified by the requisitioner. 4.2.4.2 Non-utilisation of SAP The data relating to availability and consumption pattern of materials available in the SAP system was not utilised for decision-making as detailed below: Page 26 of 39 AUDITING IN ERP ENVIRONMENT (i) The Company after implementation of SAP procured materials worth Rs. 1.23 crore between 1 April 2006 and 31 March 2009 in spite of non-moving stock of the same materials worth Rs. 0.91 crore as on 1 April 2006. (ii) After implementation of ERP, there should have been reduction in the inventory holding. It was, however, observed that the inventory of non-insurance domestic and imported spares increased by Rs. 18.42 crore from Rs. 129.94 crore as on 1 April 2006 to Rs. 148.36 crore as on 31 March 2009. The inventory as on 31 March 2009 included unmoved items worth Rs. 68.25 crore (46 per cent) during the period from 1 April 2006 to 31 March 2009. (iii) Material Requirement Planning (MRP) facility to monitor and maintain minimum and reorder stock levels for critical materials has not been utilised. (iv) The SAP system has provision for capturing data relating to delivery schedule of materials ordered and levy liquidated damages wherever necessary. However, the enforcement of liquidated damages clause as per agreement in respect of late/undelivered Purchase Orders was not built into the system. During the year 2008-09, the Company recovered liquidated damages amounting to Rs. 2.12 crore based on manual calculation. (v) There were 2,075 cases (Rs. 2,240.51 crore) of partly delivered Purchase Orders issued upto 31 March 2009 for which reminders were not generated through the system and were issued manually despite reminder feature available in SAP. (vi) The vendor-wise and material-wise lead-time details were not captured in the system. In the absence of which the delays in delivery of materials could not be monitored through the system. (vii) There was no provision to capture and track shelf life and the expiry date of the inventory. In the absence of such provision, the system could not prompt the users for impending obsolescence and the risk of belated decisions for procurement, replacement and disposal of obsolete inventory continued. (viii) The system was not configured to capture inventory of repaired/repairable items and the spares used for their repair/overhauling. Due to non-maintenance of these details, inventory control could not be exercised over such items besides analysis of frequency of repair and economies of repairs over new purchases was not possible. (ix) The provision to capture information relating to warranty/guarantee terms of the materials procured was not available in the system. Absence of this provision posed the risk of failure to use/test the usability of the equipment within the warranty/guarantee periods and to invoke the same wherever the situation warranted. Indian Oil Corporation Limited Indian Oil Corporation Limited undertook an IT re-engineering project named ‘Manthan’ in 1997 and selected SAP R/3, ERP package with IS-OIL (specific ERP solution that caters to the needs of SAP R/3 users amongst the oil industry). The project was implemented in April 2004. The Company has around 10,000 users and 700 sites spread across the country working on SAP. Users from distant parts of the country are able to access and make transactions in SAP on a real-time basis. The Company has kept its Database and Application servers at the corporate data 3 centre, Gurgaon and they are accessible through leased line and / or VSAT from all State Offices, Refineries and Pipeline Unit Networks. Other units such as Terminals, Depots and Bottling Plants etc., are connected to SAP through the nearest State Page 27 of 39 AUDITING IN ERP ENVIRONMENT Office / Refinery. Along with the e-security audit of the system the finance module of SAP was also selected for audit. 1 e-security The IT security review broadly covered the IT security environment in the Company and Roles and Authorisation in SAP system to conform to the Company’s requirements. It was observed that the IT environment of the Company was not adequately secured as detailed below: • Rationalisation of Users’ roles and authorisation and segregation of duties was deficient. It was noticed that 29 combinations of two or more conflicting critical transaction codes involving processing sale orders / invoices / deliveries, payments, creation, settlement, change, deletion etc were extended to many users ranging from 18 to 4,808. The Management in its reply stated (September 2009) that roles and authorisation have to be attached to a number of employees to fulfil and meet our minimum operation, supply and distribution and logistic requirements. However, the Management did not assess the risk involved while extending a critical combination of authorisations to various users in the system. • 4 88 users other than the BASIS team was given access to the sensitive 5 Transaction Codes . • There was laxity in the password policy of the Company which allowed simple, trivial and non-alphanumeric passwords to be entered which made the system vulnerable to security threats internally. The Management stated (September 2009) that considering the size and level of the user base and optimal operational convenience, security measures were being implemented in a phased manner. • The user’s profile was not properly defined to which the Management replied (September 2009) that updating user groups and other details was a continuous process and concerned groups were taking action from time to time. • Out of 13,451 user IDs, 955 user IDs were common i.e. used by more than one user. The Management in its reply stated (September 2009) that common users had display authorisation only for reporting purposes. The Management’s reply is not factually correct as on verification it was found that Common User IDs were still carrying create / change / cancel / delete authorisations. • In the absence of corporate IT policy, different virus, malware, spyware protection softwares being used at different offices and sites. Further, internet content could not be filtered through a uniform firewall policy. At Company’s Information Hub, it was observed that (a) although a fire wall was in place at the premises, the firewall rules to censor the web content and monitoring were yet to be framed and (b) the firewall in place was not enough to maintain a log of instances of attempts and instances of actual breach into the Company’s Network / firewall internally or externally. The Management accepted the observation (September 2009) and informed that they were trying to ensure Network Security through a policy which was being finalised. 2 Finance module Finance Module (FI) is designed for management of the processes involved in preparation of the accounts. The FI Module has inter-linkages with all the modules in Page 28 of 39 AUDITING IN ERP ENVIRONMENT the ERP system and consolidates all the financial information to generate the financial statement of the Company. The IT audit has been conducted keeping in view the importance and criticality of the efficacy of FI module in the preparation and generation of the accounts of the Company. The following deficiencies were observed in the finance module due to which the reports generated from the system could not be relied upon: • The date of commencement of depreciation was 3 to 14 months prior to the date of capitalisation in respect of 15,805 assets and it was 1 to 15 months after the date of capitalisation in respect of 4,391 assets. • Depreciation rates as per Schedule XIV of the Companies Act were not adopted in respect of 2,550 assets. • The quantity was indicated as zero in 27,011 assets worth Rs. 652 crore and, thus, the correctness of depreciation provided could not be ensured. • Analysis of purchase orders/Work orders released through the system showed that in respect of service contracts, POs/WOs were created (19,406 in 200708 and 12,705 in 2008-09) in the system only at the time or after the receipt of goods/invoices for the services rendered (details given to the Company). • GR/IR is an intermediary account used for payments against goods received. Analysis showed that more than three lakh entries amounting to Rs. 2091.12 crore were pending clearance ranging from one to four years indicating lack of proper monitoring by the Company. • It was observed that, though the stock balances are maintained in the system the valuation of stocks is done outside the system which defeated the purpose of the ERP system. • The Company decides and assigns credit limits to various categories of customers which are accordingly entered into the system. Analysis of data on credit limit extended to customers showed that, there were inadequate validation checks with the credit limits maintained in the system that resulted in overdue amount of Rs. 294.89 crore in respect of 293 customers who had exceeded their credit limit. • Each customer is allotted a unique code. However, there was more than one customer code assigned to the same customer in 1,552 cases in the customer master. Neyveli Lignite Corporation Limited Neyveli Lignite Corporation Limited has an integrated power generating facility consisting of lignite mines and Thermal Power Stations. The Material Management (MM) Department of the Company centrally controls the inventory management of the Company catering to the needs of all units through sub stores attached to the respective units. The Company was using a COBOL based batch processing system for its inventory management. In March 2002, the Company placed an order on the Indian Institute of Technology (IIT), Kharagpur for development and implementation of Online Integrated Material Management System (OLIMMS) at a cost of Rs. 2.05 crore with the objective of re-engineering the existing legacy system to make it more responsive to reduce ordering costs by at least 40 per cent and lead time by at least 50 per cent and automation of demand forecasting and scientific inventory control for all items including slow moving spares etc. The Company implemented OLIMMS in October 2006. However, it was observed that the desired benefits were not accrued Page 29 of 39 AUDITING IN ERP ENVIRONMENT to the Company as detailed below: • Better Inventory control could be achieved through well defined Decision Support System (DSS) comprising of Economic Ordering Quantity (EOQ), Re-order Quantity (ROQ), Re-order Level (ROL), Safety stock, Minimum Level, Maximum Level etc. This would require data on procurement and consumption for three to five years which could lead to reduction in ordering cost, optimal inventory holding and minimum inventory carrying cost. The Company is having a system generated DSS for economic indenting purpose. The system generates an economic quantity for each and every material based on past consumption pattern, whenever an indent is raised. However, during implementation of OLIMMS, the Company could not import the legacy data and, hence, could not use the data available for effective inventory management as per the above said inventory levels. • The indented quantity in respect of 5,979 out of 33,787 material codes was in excess of system calculated economic quantity up to 100 times. This indicated non observance of control over the system as per the system generated economic quantity. It was further observed that though OLIMMS provided for recording the reasons thereon, in majority of the cases (4,823 cases) no reasons were found recorded. • The closing stock value of stores and spares as at the year end exhibited in the financial reports comprised of stock balance generated from OLIMMS and the value of materials lying at site as reported by respective units through the reports prepared manually. Manual intervention in this regard affected the true and fair view of financial reports. • The delivery status, in respect of 498 Purchase Orders against which more than 90 per cent of the ordered quantity was received, was still indicated as partial supply instead of treating them as completed. In respect of 37 purchase orders against which the ordered quantity was received in full, the delivery status still indicated as partial supply. Security controls • The MM Department did not have an approved/documented IT Security policy. • Data analysis showed that users have been allowed to have many IDs (2 to 29 IDs). Multiple user IDs would result in weak monitoring practice. • The Company did not have a documented/approved password policy. Data analysis showed that same password is being used by many users. For example out of 6,426 active User IDs available, 4,503 users (70 per cent of the users) including many senior level officers having approval authority in the work flow hierarchy, use the same password. As the Company has a customary practice of using a particular employee related information as user ID, risk of unauthorised access to the system was large, since common passwords were used and the user IDs were easily predictable. BEML Limited BEML Limited was earlier using various in house developed applications for finance, planning, purchase and inventory. In order to ensure effective utilisation of the Page 30 of 39 AUDITING IN ERP ENVIRONMENT Company resources and also to ensure connectivity among various divisions, corporate office, marketing division including its regional and district offices, the Management decided (August 2004) to implement companywide Enterprise Resource Planning (ERP). The Company selected SAP-ERP (mySAP ERP) software for implementation covering basic modules. SAP system was implemented (October 2007) by Siemens Information Systems Limited (SISL) at a cost of Rs. 6.80 crore. Later, in order to strengthen the Business operations, the Company procured and implemented SAP-Supply Chain Management software through SISL at a cost of Rs. 6.00 crore. Audit scrutiny revealed that the Company could not realise the above benefits entirely, due to the following: • SAP system allowed posting of the transactions relating to two months at any given point of time i.e. previous month and current month. Normally if the system was an on-line one, the data entry on the respective months would be allowed on the first of every month, so that the transactions can be captured as it happens. However, opening of the periods got delayed (up to 87 days) due to back log of data entry indicating system has not been made on line even though the system was made ‘Go Live’ in October 2007. • Though SAP provided for mapping of various delegations of powers for release of purchase orders, sale orders, etc., the same were not mapped into the system. • The Company continued uploading the materials balances even after the system went (October 2007) ‘Go live’ indicating incomplete migration of data into the system. As uploading of materials has one sided influence on inventories and its values in the financial accounts, these transactions should be avoided after ‘Go live’ of the system. Audit also reviewed the general performance of two modules of SAP, i.e., production planning and materials management modules, which revealed the following: Production planning Due to the back log of data entry the validation checks built in SAP system were not enabled and the system accepted: • the dates of delivery of finished goods prior to the date of opening of the production orders; • drawal of material even before opening of the respective production order and after the completion of such manufacturing activity; • closing of production orders and delivery of goods even when there were incomplete drawal of materials required for production; • the dates of invoice/billing prior to date of opening of respective production orders; • issue of materials even before receipt of materials from the suppliers resulting in issue of 1,323 materials valuing Rs. 185.50 crore during March 2009; and • 676 purchase requisitions with the requirement dates prior to the request date. From the above, it may be observed that there were inconsistencies in the dates relating to various stages of the production orders; purchase requisition dates and drawl of materials for the production. Hence, the data relating to the production Page 31 of 39 AUDITING IN ERP ENVIRONMENT planning available in the system was not reliable and dependable. Materials management The following discrepancies were noticed in the material management module: • It was observed that system accounted the materials and delivered the materials without the quality inspection checks due to deficient validation checks. • On test check of some of the materials in the inventory, the system permitted the issue of materials by adopting other than the then existing weighted average rates. The • The system released payment of Rs. 18.10 crore due to one vendor/supplier through another vendor indicating that the controls for effecting payments to relevant vendor through Company account were absent. Similarly, system accepted payment related to a sale of equipment from the customer other than the customer invoiced. • In the year 2008-09, while accounting the transfer of materials valued at Rs. 4.01 crore from manufacturing divisions to marketing divisions, instead of reducing inventory account, the same has been accounted as expenditure in Profit and Loss account. Page 32 of 39 AUDITING IN ERP ENVIRONMENT Inventory Management Bharat Electronics Limited Information Technology Audit on the computerisation of inventory management at Bangalore Complex: • Non-adjustment of finished Goods (FG) stock in the event of reversal of sale • Drawal of material in excess of Bill of Material (BOM) quantities • Non-netting of quantities while processing Purchase Requisition (PR) • Non-closure of work orders after completion • Discrepancies in comparable stock data between MRP-II and IFAS Deficiencies in General Controls: (i) In HF Division - Computer Centre, no written approvals for providing access to the staff were available. (ii) In Central Material Management Department, general authorisation was given to 68 employees without making proper analysis of minimum access requirement to discharge their duties. (iii) Report and Query rights (read only) associated with the module were provided generally to all the employees, working in the respective module, without making analysis of need to know/need to work. (iv) Based on the Audit observations, the Company issued instructions to all Departmental Heads to review and confirm permission already given to each user and to advise the Computer Centre in writing about changes, if any. (v) The Company had not assessed the exact requirement of software licences and had not procured the required software wherever necessary. (vi) Passwords were changed monthly instead of fortnightly and special characters were not enforced. (vii) Audit trails and Audit Logs, though enabled, were not periodically reviewed. Garden Reach Shipbuilders and Engineers Limited Material Management in the ERP system • • • • 1. Shortcomings in customization: Missing description of programs Duplication of programs Deficiencies in logical access control Password policy: (i) The length of the password can be checked through a system setting. Against the recommended minimum password length of five characters, the Company set a minimum length of only three characters. Page 33 of 39 AUDITING IN ERP ENVIRONMENT (ii) Recommended change of users passwords is within 30 days. It was noticed in audit that 63 users of 71 users did not change their passwords for a period ranging from 7 months to 48 months. (iii) To ensure that easy-to-guess passwords are not used by the users, the list of prohibited passwords which exists in the system has to be populated. Scrutiny, however, revealed that this had not been done. As a result, there was a possibility of some of the users creating easy-to-guess♣ password thereby putting the system at a risk of unauthorised access. • Logon activity: (i) To ensure that other users do not access the system during the authorized user’s absence, a time limit can be set on the period of inactivity before the system logs the user out of SAP. The Company has set this parameter at 5400 seconds (90 minutes) which was high. (ii) Users IDs and passwords should not be shared as it would be difficult to identify the user who is responsible for security breach, if any. It was observed, however, that several users were using one user ID on different terminals simultaneously. This indicated that the user IDs and passwords were known by more than one user or the user allowed unauthorised access to the system, thereby compromising the security of the system. • Standard user protection When SAP is installed, certain standard users are automatically created with default passwords which are commonly known. To prevent unauthorised use of such users, the default passwords should be changed. These users should then be de-activated by activating a system parameter setting. It was noticed in audit that these users had not been deactivated. This resulted in the system being exposed to the risk of unauthorised access. In a test check, Audit could access the system by using one such user ID with its default password. 2. Observations on material management module • Input and validation controls Inconsistent codes and duplicate description in the material master Updation of master data Different units of measurement for same material Duplicate vendor codes Inconsistencies in delivery and purchase order dates Inconsistencies in purchase requisition release date and purchase order date 7. Purchase documents without material code 1. 2. 3. 4. 5. 6. Page 34 of 39 AUDITING IN ERP ENVIRONMENT 8. Valuation of stock as per accounting policy 9. Scrap/off-cut material being processed manually Oil and Natural Gas Corporation Limited IT Audit of Material Management Input Controls 1. 2. 3. 4. Purchase orders for stores and spares items with wrong valuation types Purchase orders for capital items with wrong valuation type Delivery date in purchase orders Creation of fresh purchase requisitions with earlier requisitions remaining pending 5. Non clearance of stock in transfers 6. Delay in recording of material consumption 7. Insurance spares Mapping of business rule 1. Material procurement planning: Analysis of inventory holding of material vis-à-vis consumption to find out the extent to which the stock holding was in consonance with the actual requirement or consumption revealed that there existed 6512 items (material codes) each of average stock value exceeding Rs.one lakh, consumption of which during 2005-06 was nil. Based on the value of the average stock holding during 2005-06, funds invested on these inventory items amounted to Rs.523.09 crore. Included in these items were 47 stores items costing Rs.177.38 crore and six spares items costing Rs.11.52 crore of average stock value over Rs.one crore. Further month-wise stock analysis, since implementation of the ERP system, of items with average stock value over Rs.50 lakh revealed 62 items with nil consumption during the entire period. The average stock value of these items amounted to Rs 139.66 crore in March 2006. ♥ 2. Purchase requisition release dates: It was observed that the release date field in the purchase requisitions in the system automatically captured the date as one day prior to the date of delivery of material indicated in the purchase requisition instead of actual date of release. Capturing of wrong date of release, which was a vital key indicator resulted in vitiating any analysis or MIS generation involving date of release of the PR due to wrong capture of data in the SAP reports. 3. Open purchase orders with small residual quantity: In case where the finally delivered quantity of material against a purchase order was marginally less than the ordered quantity and the remaining ordered quantity was not expected to be delivered, the purchase order was to be closed as completed so that funds attached therewith were freed for other use. The ERP system had neither been configured to close or trigger the closing of such purchase orders nor did the MM function generate periodical reports from the system to close such open purchase orders. Due to non closing of such type of open purchase orders, the material and funds attached to such quantities remained blocked during the year. Analysis of open purchase orders for the Page 35 of 39 AUDITING IN ERP ENVIRONMENT period October 2003 to March 2005 with delivery date before 30 September 2005 and residual quantity of less than 10 per cent of the ordered quantity as in July 2006 revealed that 240 purchase orders of this nature involving funds of Rs.3.39 crore were yet to be closed. Data migration 1. Material master data: 1 It was observed that 16780 master records were migrated into the ERP system without complete codification details out of which 3880 records were not associated with any material in the master table. As the primary details of the material were missing in these records, transactions concerning these materials could not be made. The inventory lying against these material codes since October 2004 amounted to Rs.3.52 crore. It was also observed that subsequent to the data migration, ICE MM core teams, responsible for creation and maintenance of the Material Master ♥ data further blocked 4043 discrepant master records to prevent the users from making any procurement against these material codes. There were 801 records of spares items in the master table without details of part numbers. So, these records provided insufficient details to the users for placing indent on inventory management and for MIS generation. Similarly, 56741 records with missing manufacturer name were also found among the spares items. In order to check the correctness of data during the data migration from the legacy system into the new system, Audit analysed sample data that was uploaded into the MM module. Comparative study of the migrated unit price vis-à-vis the current moving average prices revealed that the former was abnormally higher than the latter. This indicated that the data migrated from legacy system was unreliable. Oil India Limited Material Management System Input controls 1. Absence of primary details of material: following: Review in audit revealed the (i) Standardisation of description was not done; (ii) Description in respect of 45 materials valuing Rs.1.72 lakh was incorrect; (iii) Manufacturers’ names were not incorporated in the material master; (iv) Out of 38095 stock materials, part number was not mentioned in respect of 18358 materials; (v) Detailed specification did not exist in respect of 10745 materials valuing Rs.8.42 crore; and (vi) Duplicate material descriptions were noticed in the material master and in respect of 224 materials valuing Rs.14.90 lakh, 1069 material codes existed. 2. Existence of incorrect material group 3. Discrepancies in vendor master: (i) Classification data like annual turnover, manufacturer, distributor, retailer Page 36 of 39 AUDITING IN ERP ENVIRONMENT and trader were not maintained. (ii) Incorrect grouping under SSI and PSU. (iii) Naming convention was not consistent. (iv) Duplicate/multiple vendor code continued to exist in the system. 4. Wide variation in values of same materials at two storage locations 5. Carrying of material at low value: It was observed that materials, which ♦ were written off during earlier years , were uploaded in the system at their residual value of five per cent. The value of such materials was Rs.2.08 crore and Rs.1.49 crore as on 31 March 2006 and 31 March 2007, respectively. On a review (June 2007) of data in the system, it was noted that materials valuing Rs.28.84 lakh were issued to capital jobs up to 31 March 2007 at residual value instead of at full material value. Thus, capital jobs were under charged to the extent of Rs.5.48 crore. Further, these materials were also issued on loan to other companies (Rs.8.11 lakh) and contractors (Rs.34.54 lakh). Therefore, in case any recovery was to be made from outside parties there was a risk of under recovery as compared with the actual value of materials. 6. Existence of capital and stock code for the same material: Audit found that purchase of stock material like line pipe, cable, cement, coupling, elbow, gasket and valve were made as ‘non-stock material’ and ‘capital material’. As per the accounting procedure, unconsumed stock and non stock material of the project is returned to store. In case of capital materials which were fully charged to the capital job, such portion of the material that remained unconsumed could not be taken back into the store records. 7. Delay in posting of goods issue and receipts: It was noticed in audit that: (i) there was delay in posting of 2697 goods issue documents valuing Rs.12.28 crore towards cost centers and capital jobs by periods exceeding 30 days; (ii) due to delay in posting of the material documents referred to above, material consumption amounting to Rs.80.22 lakh (Rs.78.02 lakh in 2005-06 and Rs.2.20 lakh in 2006-07 ) was accounted for in the following financial years; (iii) posting of 8410 goods receipt documents valuing Rs.119.75 crore was delayed for periods more than 30 days. As a result, goods receipt documents amounting Rs.42.89 crore of 2005-06 and Rs.41.21 lakh of 2006-07 were accounted for in the following financial years; and (iv) data pertaining to the period Jan 2006 to June 2007 revealed that in 2020 cases (Rs.15.73 crore), there were delays ranging from 30 to 496 days in final posting after the materials were provisionally accepted. Validation checks 1. Change date of purchase requisition earlier than its creation date and anomaly in change history: (i) Purchase requisition date and any subsequent change date in the requisition are system created dates. Analysis of purchase requisitions revealed that in three cases, date of change of purchase requisitions were Page 37 of 39 AUDITING IN ERP ENVIRONMENT earlier than its creation date. (ii) Purchase order number is generated automatically in the system. In one case, the system did not show any purchase order number but purchase order date was indicated. (iii) There was anomaly in last change date of purchase requisition as in one case, two different dates were shown in two places in the system. In this 1 case, the requisition was flagged as closed but in the change history no detail of its closing was indicated. As a result of the anomaly in change history, complete and correct picture on processing of document from creation to latest status was not available in the system. 2. Expected/scheduled delivery date in the purchase requisition and purchase order earlier than requisition/order date 3. Creation of purchase order without reference to RFQ 4. Excess withdrawal of material against reservation 5. Placement of PO on blocked vendor 6. Release of PO beyond authorization Failure to capture complete data 1. Slow moving stores and spares: No provision is made in the ERP system ♣ for analysis of slow moving item of stores and spares by importing from the legacy system the necessary information like last issue dates and last receipt dates of materials. The Company has also not developed customised report for analysis of slow moving material. 2. Non stock items: According to the Management, stock items based on the physical verification were uploaded into the system and non-stock items were not uploaded into the system. Review in audit revealed that the Company held non stock materials amounting to Rs.17.29 crore and Rs.32.65 crore as on March 2006 and March 2007, respectively. Evidently, at any point of time some non-stock materials would remain unconsumed and should be suitably reflected in the data base. Incorrect/inadequate business mapping 1. Insurance spares: In the Material Master, 209 materials valuing Rs.8.66 crore were flagged as insurance spares as on 31 March 2007. It was noticed in Audit that these materials were considered as a part of inventory instead of being capitalised as required by Accounting Standards issued by Institute of Chartered Accountants of India. Thus the system was not mapped to take care of the above mentioned provisions of the Accounting Standards 2. Old reservations remaining open without any withdrawal or partial withdrawal: In terms of business blue print, automatic closure of the reservations in the system was required if the material was not withdrawn within 15 days. It was noticed in Audit (June 2007) that in respect of 2036 reservations, goods were either not issued or partially issued. However, Page 38 of 39 AUDITING IN ERP ENVIRONMENT reservations were not closed for the period ranging from 3 to 15 months. Thus, the system was not configured for automatic flagging for deletion of reservations even for long pending reservations. Delayed or non closure of old unwanted reservations leaves scope for possible irregular practice. Out put control ♣ 1. Business warehouse module: Business Warehouse (BW) module contains reports which are generated based on SAP R/3 database on all aspects of the business of the Company. Review of reports relating to material management analytics revealed the following discrepancies: (i) Procurement lead time analysis for the year 2006-07 in the BW module considered 1473 purchase orders. However, a total 3540 purchase orders were issued during this period. (ii) As per the stock values for stock and non-stock items shown in BW report the stock, as on 31 March 2007, stood at Rs.294.86 crore whereas in ERP database it was Rs.296.05 crore. Page 39 of 39