Questions and Answers
What do IT application controls (ITACs) control in an ERP system?
Segregation of duties (SoD) requires the same person to approve a transaction, record it, and have custody of the assets involved.
False
What is the main purpose of Role-Based Access Control (RBAC) in an ERP system?
Assign individuals to organizational roles and those roles to specific access in the system
_______ is a concept of requiring different people to complete different parts of a process to reduce the risk of erroneous and inappropriate actions.
Match the following controls with their descriptions:
The ERP system's general ledger is the primary source of data for financial statements.
ERP systems are designed to bypass internal controls to increase efficiency.
Auditors do not need to inspect IT controls during a year-end audit.
IT application controls are not necessary for ERP systems.
ERP systems do not have built-in auditing capabilities.
Role-Based Access Control (RBAC) is not necessary for ERP systems.
Segregation of duties (SoD) requires multiple people to perform the same task.
IT general controls are not necessary for ERP systems.
Program change controls are not necessary for ERP systems.
Logical access controls are not necessary for ERP systems.
Study Notes
IT Application Controls (ITACs)
- ITACs control the input, processing, and output functions of an ERP system by enabling, disabling, or limiting user actions and enforcing business-driven rules and data-quality requirements.
- ITACs support data accuracy, completeness, validity, verifiability, and consistency, and thereby the confidentiality, integrity, and availability of the ERP application and its associated data.
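The following is an added example (not code from the original page or from any ERP vendor) showing what input and processing controls look like when written down: a journal-entry batch is checked for completeness (record count against the batch header), accuracy (control total), validity (account exists and is open for posting), integrity (debits equal credits) and verifiability (every line carries a description). The chart of accounts, the rules and the two sample batches are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed chart of accounts: account number -> True if open for posting.
# A real ERP would read this from its general-ledger master data.
CHART_OF_ACCOUNTS = {"1000": True, "2000": True, "4000": True, "9999": False}


@dataclass(frozen=True)
class JournalLine:
    account: str
    debit: Decimal
    credit: Decimal
    description: str


def validate_batch(lines, expected_count, expected_debit_total):
    """Apply input/processing controls to a journal batch.

    Returns a list of control exceptions; an empty list means the batch
    may post. The rules are hypothetical but mirror the control objectives
    in the notes: completeness, accuracy, validity, verifiability, integrity.
    """
    exceptions = []

    # Completeness: the record count must match the batch header.
    if len(lines) != expected_count:
        exceptions.append(
            f"completeness: header says {expected_count} lines, batch has {len(lines)}")

    # Accuracy: the control total keyed on the header must match the lines.
    total_debit = sum((line.debit for line in lines), Decimal("0"))
    total_credit = sum((line.credit for line in lines), Decimal("0"))
    if total_debit != expected_debit_total:
        exceptions.append(
            f"accuracy: control total {expected_debit_total} != debits {total_debit}")

    # Integrity: double-entry rule, debits must equal credits across the batch.
    if total_debit != total_credit:
        exceptions.append(f"integrity: debits {total_debit} != credits {total_credit}")

    for n, line in enumerate(lines, start=1):
        # Validity: only existing, open accounts may be posted to.
        if line.account not in CHART_OF_ACCOUNTS:
            exceptions.append(f"validity: line {n} unknown account {line.account}")
        elif not CHART_OF_ACCOUNTS[line.account]:
            exceptions.append(f"validity: line {n} account {line.account} blocked for posting")
        # Integrity: a line carries exactly one non-negative amount side.
        if line.debit < 0 or line.credit < 0:
            exceptions.append(f"integrity: line {n} has a negative amount")
        elif (line.debit > 0) == (line.credit > 0):
            exceptions.append(f"integrity: line {n} must have exactly one of debit or credit")
        # Verifiability: every line needs a description for the audit trail.
        if not line.description.strip():
            exceptions.append(f"verifiability: line {n} has no description")
    return exceptions


# Constructed sample batches (not real transactions).
GOOD_BATCH = [
    JournalLine("1000", Decimal("500.00"), Decimal("0"), "Customer cash receipt"),
    JournalLine("4000", Decimal("0"), Decimal("500.00"), "Sales revenue"),
]
BAD_BATCH = [
    JournalLine("1000", Decimal("500.00"), Decimal("0"), "Customer cash receipt"),
    JournalLine("9999", Decimal("0"), Decimal("450.00"), ""),
]


def demo():
    """Run both constructed batches against their batch headers."""
    good = validate_batch(GOOD_BATCH, expected_count=2, expected_debit_total=Decimal("500.00"))
    # The bad batch's header claims three lines; the batch itself has two.
    bad = validate_batch(BAD_BATCH, expected_count=3, expected_debit_total=Decimal("500.00"))
    return good, bad


if __name__ == "__main__":
    for name, result in zip(("good", "bad"), demo()):
        print(name, result or "posted")
```

The point of returning every exception rather than stopping at the first is that the batch is rejected as a whole and the operator sees the full list, which is also what an auditor will want to see in the control's exception log.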
Segregation of Duties (SoD)
- SoD is a concept requiring different people to complete different parts of a process, reducing the risk of erroneous or inappropriate actions by employees.
- Segregation of duties deters fraud by keeping three functions separate: approving a transaction, recording and reconciling it, and having custody of the assets involved in it.
Role-Based Access Control (RBAC)
- Authorization in an ERP system is accomplished through RBAC, assigning individuals to organizational roles and those roles to specific access in the system.
- A person can be assigned to more than one role, but may be required to act in a single role at any one time.
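The following added example (not code from the original page or from any ERP product) ties the SoD and RBAC notes together: users are assigned roles, roles grant permissions, and an SoD check flags any user whose combined roles cover more than one of the approve / record / custody functions. A Session object models the "one active role at a time" rule. The role names, permission names and user assignments are constructed for illustration.

```python
# Hypothetical roles and the ERP permissions each grants. The role and
# permission names are assumptions for illustration, not any vendor's.
ROLE_PERMISSIONS = {
    "ap_clerk":   {"vendor_invoice.record", "vendor_invoice.reconcile"},
    "ap_manager": {"vendor_invoice.approve"},
    "treasury":   {"payment.release"},        # custody of cash
    "ap_auditor": {"vendor_invoice.read"},    # read-only, no SoD function
}

# The three functions the notes require to be kept apart, mapped to the
# permissions that exercise them in this hypothetical ERP.
SOD_FUNCTIONS = {
    "approve": {"vendor_invoice.approve"},
    "record":  {"vendor_invoice.record", "vendor_invoice.reconcile"},
    "custody": {"payment.release"},
}


def permissions_of(roles):
    """Union of the permissions granted by a collection of roles."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in roles))


def sod_functions_of(roles):
    """Which of approve / record / custody a role assignment can exercise."""
    perms = permissions_of(roles)
    return {fn for fn, needed in SOD_FUNCTIONS.items() if perms & needed}


def sod_violations(user_roles):
    """Return {user: [conflicting functions]} for every user holding more than one.

    The check runs across all of a user's roles, because the conflict is the
    person holding both capabilities; limiting a login to one active role at a
    time (see Session) does not remove it.
    """
    violations = {}
    for user, roles in user_roles.items():
        fns = sod_functions_of(roles)
        if len(fns) > 1:
            violations[user] = sorted(fns)
    return violations


class Session:
    """A login that acts in exactly one of the user's roles at a time."""

    def __init__(self, user, roles, active_role):
        if active_role not in roles:
            raise PermissionError(f"{user} does not hold role {active_role}")
        self.user = user
        self.roles = set(roles)
        self.active_role = active_role

    def can(self, permission):
        """Authorization is decided by the active role only, not all roles held."""
        return permission in ROLE_PERMISSIONS[self.active_role]

    def switch_role(self, role):
        """Model the 'log out and log in again' role switch from the notes."""
        if role not in self.roles:
            raise PermissionError(f"{self.user} does not hold role {role}")
        self.active_role = role


# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob":   ["ap_manager"],
    "carol": ["ap_clerk", "ap_manager"],   # records and approves: SoD conflict
    "dave":  ["ap_auditor", "treasury"],   # custody only: no conflict
}


if __name__ == "__main__":
    print("SoD violations:", sod_violations(USER_ROLES))
    s = Session("carol", USER_ROLES["carol"], "ap_clerk")
    print("carol as ap_clerk can approve?", s.can("vendor_invoice.approve"))
    s.switch_role("ap_manager")
    print("carol as ap_manager can approve?", s.can("vendor_invoice.approve"))
```

Note the caveat the Session class makes visible: carol cannot approve while logged in as ap_clerk, but she can still record an invoice, log back in as ap_manager and approve it. The single-active-role rule is an RBAC convenience, not an SoD control; the SoD check has to look at every role the person holds, which is what sod_violations does.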
Auditing IT Application Controls (ITAC)
- It is essential to subject a company's ERP software to a thorough and detailed audit, as transactions involving money, material, and services are recorded in the application.
- The first questions the auditor should ask are "What does this module do?" and "What business process or processes does this module support?"
IT General Controls (ITGCs)
- ITGCs are controls that apply to all system components, processes, and data for a given organization or IT environment.
- ITGCs secure and validate the data contained in systems that process financial transactions.
Program Change Controls
- Program change controls govern changes made to programs, including the ERP system and underlying database, based on user requests or maintenance requirements.
- These controls ensure that changes are properly designed, tested, validated, and approved prior to migration to the production environment.
Logical Access Controls
- Logical access controls are policies, procedures, organizational structure, and electronic controls designed to restrict access to information systems and data only to individuals with genuine authority to access the information.
- Logical access is part of Identity and Access Management (IAM), managing individual identities and privileges or permissions within or across system and company boundaries.
Data Center Controls
- Data center controls protect computer facilities and resources from environmental hazards, espionage, sabotage, damage, and theft.
- Reliability is the ability of a system or component to execute its required functions under stated conditions for a specified period of time.
- Availability is the degree to which a system or component is accessible and operational when needed.
System Implementation Assurance (SIA)
- SIA is an independent assessment of the health and expected outcome of the ERP implementation and corresponding change initiative.
- SIA evaluates the design and implementation of IT General Controls and IT Application Controls to ensure they satisfy financial reporting, operational, and regulatory requirements.
Control Risks
- Control risks involve whether the design and implementation of IT General Controls and IT Application Controls will satisfy financial reporting, operational, and regulatory requirements.
- Assurers evaluate control risks in areas such as IT application controls, IT general controls, and program change controls.
Business Risks
- Business risks to the ERP implementation present themselves early in the implementation during planning.
- The SIA team evaluates the project plan, budget, and timelines.
Project Risks
- Project risks involve whether the ERP system will be delivered on time and on budget, meet stated requirements, and whether employees are adequately prepared for the new system and processes.
- The SIA team evaluates project risks, including training, organizational change management, and project team experience.
Role-Based Access Control
- A person can be assigned to multiple roles, but may need to log out and log in again to switch roles.
IT General Controls (ITGCs)
- ITGCs are the first line of defense in a secure ERP environment.
Logical Access Controls
- These controls differ from physical access controls, which control access to a building or room.
Internal Control
- Internal control is the policies and procedures put in place by an organization's board of directors, management, and other personnel to provide "reasonable assurance" regarding achievement of objectives.
- Internal control reduces IT risk through those policies and procedures; it provides reasonable, not absolute, assurance.
ERP and Internal Controls
- ERP systems process transactions that affect financial statements, and a company's year-end audit must include an inspection of IT controls.
- ERP systems are designed with internal controls in mind, supporting process integrity through automated postings and an audit trail.
Description
Learn about IT application controls in ERP systems, including their role in ensuring data accuracy and security.