Embedded Audit Modules in
ERP Systems
Implementation and Functionality
Roger Debreceny
Glen Gray
Joeson Jun-Jin Ng
Kevin Siow-Ping Lee
Woon-Foong Yau
Presented at the Fifth Continuous Assurance Symposium
Rutgers University, November 2002
1
In this Presentation





Background and Research Questions
EAM scenarios
Testing environment
Results
Future research and limitations
2
ERP Systems



Enterprise Resource Planning Systems are
the carrier battle group of the enterprise
information systems
Average ERP system costs $11.5m
and takes 19 months to implement
Foundation on a single or federated
DBMS
3
Embedded Audit Modules




“Modules placed at predetermined points
to gather information about transactions
or events within the system that auditors
deem to be material.” Weber (1999)
Implemented in the DBMS environment as
triggers or stored procedures
EAMs as compliance-testing or substantive
testing tools
Very little evidence of actual usage
4
Research Questions



What functionality is provided by preexisting EAMs or other monitoring
technology to support appositely designed
triggers and stored procedures within ERP
systems?
What coverage of transactions is readily
provided within the ERP database
environment
What are the barriers to adoption of EAMs
in the ERP environment?
5
Methodology

Develop EAM scenarios
• Fraud prevention and detection

Develop sample of ERP providers
• Medium  large size corporations



Provide scenarios to ERP providers
Code solution
Review in f2f interviews
6
EAM Scenarios



Nine-step EAM implementation process of
Groomer and Murthy (1989) followed
Audit objectives relate to POB’s Forensic
Fieldwork Phase
Five test alert scenarios were designed
•
•
•
•

Red flag
Simulated fraud scenario
Identify triggers or stored procedures
Develop pseudocodes
Pass to ERP supplier for implementation
and review
7
Sampled ERP Suppliers

Frontstep

Scala

Industrial & Financial Solutions-IFS

Intentia

Oracle

SAP
8
Results-Frontstep





Use Frontstep’s field triggers scripted in
PROGRESS
Data from field trigger written to a file
Data analyzed and distributed using SQL &
ASP
Also use Cognos’ Decision Stream for data
warehouse
Analysis
• Limited support
• Tough
9
Results-Scala


Either script in MS VBA or MS Office
Analysis:
• No support for EAM
• Tough
10
Results
Industrial & Financial Solutions-IFS



IFS uses an object, component approach
EAM can be simulated using combination
of Java and SQL
Analysis
• Feasible with support for querying, timing and
knowledge distribution
• Tough
11
Results-Intentia



Intentia’s Movex ERP product has
predefined alerts related to major
business cycles
Support for new alerts in script manager
Analysis
• Intentia has comprehensive alert system
• >100 predefined user-defined alerts
• Support for both triggers and stored
procedures
• Good script manager
12
Results-Oracle

Provides an Alert Manager
• Complete an alert definition form
• Alert can include OS command queue or SQL
script
• Can define actions on alert firing

Analysis
• Alert Manager provides most of the required
functionality of an EAM
13
Results-SAP



Require writing of an Advanced Business
Application Programming (ABAP) script
Subsequently embedding the script within
the database.
Analysis
• Require expert knowledge of


ABAP programming
Client’s database structure
14
Conclusions


Highly variable support for EAMs within
surveyed ERP systems
Barriers to adoption
• Extensive knowledge set required to program
EAM

Barriers to deployment
• Lack of demand
• Difficulty in defining the conditions for firing
EAMs
15
Future Research Agenda


Relationship of EAMs to wider assurance
objectives
More work required on conditions for
EAMs
• Were scenarios realistic?


Relationship between EAMs and Business
Intelligence/Data Warehouse systems?
Demand for EAMs?
16
17