ERP Systems Overview Quiz

Questions and Answers

Which type of controls are implemented at the time of installing the ERP?

• Configurable controls (correct)
• Inherent controls
• Embedded controls
• Processing controls

Which options are commonly known as processing controls?

• Inherent and configurable controls
• Configurable and embedded controls
• Management and security controls
• Both B & C (correct)

What is a fundamental aspect of inherent controls?

• Ensuring Debit equals Credit (correct)
• Mandatory third-party validation
• Integration with external systems
• Documentation of all procedures

What must an auditor do if they find ineffective General IT Controls (GITC)?

Test the automated controls (D)

Should an auditor report deficiencies that were present in prior audit periods?

Yes, they should always mention it (A)

What is the nature of the audit procedures required for companies?

Both listed and unlisted companies (A)

Which term best describes a system where all modules are seamlessly connected?

Integrated system (A)

In an ERP system, how many primary sets of Books typically exist?

One, all (B)

Which of the following is not a possible reason why substantive procedures may not be feasible in ERP?

Low level of integration (D)

Which of these best characterizes the flow of transactions in an integrated ERP system?

Transactions flow between relevant modules (A)

What does an integrated Enterprise Resource Planning system imply about its modules?

They are interconnected and collaborative (A)

In the context of ERP systems, what is a characteristic trait of transactions?

Distributed processing is common (A)

What is implied by a 'high volume of transactions' in ERP systems?

Increased complexity in audits (D)

What can be utilized to extract payroll information such as leaves available per employee?

Database Queries (C)

Which of the following is not considered an element for determining the testing strategy for reports?

Validation Techniques (D)

What is included in the validation of reports?

All of the above (D)

Before planning to understand the types of reports, the auditor checks the ____________ of the data.

Integrity (B)

When may the auditor limit test procedures to validate or test the reports?

When GITC are effective (B)

Which indicative commands are used by companies in SAP to generate reports?

All the above (A)

What aspect of report validation ensures that all necessary data is included?

Completeness check (A)

Which of the following would NOT typically be checked for during data validation?

Data Source Authentication (B)

What does NSJE stand for?

Non Standard Journal Entries (D)

Where can unusual, non-recurring transactions typically be directly entered?

General Ledger (A)

Estimates and impairments are generally categorized as what type of journal?

Non Standard journals (D)

What should be noted while understanding IT/ERP systems that record entries?

Timing of entries (A)

Which of the following are considered fraud risk factors leading to unusual transactions?

All of the above (D)

In which type of entries are unusual transactions for non-recurring events typically recorded?

General ledger entries (C)

What does PCI-DSS stand for?

Payment Card Industry Data Security Standard (D)

Which of the following best describes non-standard journal entries?

Entries for unusual or irregular transactions (A)

What could lead to non-standard journal entries besides impairments?

One-time extraordinary events (C)

Which of the following is NOT a key aspect of SA 300?

Evaluating the audit evidence (D)

Which of the following standards is related to assurance engagements?

ISAE (D)

What area does PCI-DSS primarily address?

Security of payment card information (D)

Which of the following terms is associated with ISAE?

Assurance Engagements (C)

Payment Card Industry Data Security Standard is developed to ensure what?

Protection of cardholder data (D)

How does ISAE benefit auditors?

By establishing overall audit objectives (C)

Which of the following is part of the goals of PCI-DSS?

To secure payment processing systems (C)

The main focus of SA 300 is primarily on which aspect?

Planning the audit strategy (D)

What must be tested annually for completeness and accuracy?

Custom reports (A)

Who needs to be verified by the auditor when testing custom reports?

Authorized users (D)

What should be verified if changes occurred to a custom report before an audit?

Approval of changes (D)

What type of access do users with critical business activity capabilities have in an ERP?

Sensitive Access (D)

What is the purpose of segregation of duties?

To prevent conflicts of interest (D)

What generally defines the relationship between ERP roles and users?

Many to many (D)

What group typically consists of regular employees who perform daily tasks in an ERP?

Normal Users (C)

What represents a designation within a company and not an individual?

Roles (C)

What type of errors may occur when deficiencies are present in a tested report?

Significant reporting errors (D)

What distinguishes privileged users in an ERP system?

Extensive access (D)

Internal users of the ERP system that perform automated operations are known as?

System Users (D)

What kind of users do not belong to the company?

External Users (D)

What is an effective access control feature in an ERP?

All of the above (D)

What are controls established to manage data manipulation in the context of databases?

Effective controls (B)

Flashcards

What type of companies require audit procedures?

Audit procedures are mandatory for both listed companies and unlisted companies that have an integrated enterprise resource planning (ERP) system.

What is an integrated ERP system?

An integrated enterprise resource planning (ERP) system is a software system that seamlessly connects all business modules (e.g., finance, inventory, sales) and ensures a smooth flow of transactions across the organization.

How do transactions flow in an ERP system?

In an ERP system, all transactions are recorded in one primary set of books, which serves as the single source of truth for financial information. These transactions are then distributed and processed across various modules based on their nature and destination.

Why may substantive procedures be difficult in an ERP system?

Substantive procedures, a crucial part of auditing, might not be feasible in an ERP system due to factors like the distributed nature of transactions, outsourced functions, or the sheer volume of transactions processed by the system.

What are substantive procedures in an audit?

Substantive procedures are audit procedures designed to obtain sufficient appropriate audit evidence to detect material misstatements at the assertion level. These procedures involve examining the substance of transactions and balances to verify their accuracy.

How does the distributed nature of transactions impact audits?

The distributed nature of transactions in an ERP system means that data is spread across multiple modules and systems, making it difficult to track and verify the flow of transactions during an audit.

How do outsourced functions impact audits in an ERP?

Outsourced functions, common in modern organizations, can complicate audits in an ERP system because external service providers may handle key processes, making it challenging to obtain sufficient evidence about their operations.

How does transaction volume impact audits?

The sheer volume of transactions processed by an ERP system can overwhelm auditors, making it a logistical challenge to obtain sufficient evidence about the accuracy and completeness of all transactions.

Inherent controls

Controls that are built into a system during the design and development phase.

Configurable controls

Controls that can be modified or configured by the user after the system is implemented.

Processing controls

Controls that are part of the day-to-day operations of an organization.

Testing Inherent controls

The auditor must test automated controls closer to the balance sheet date if they are found to be ineffective.

Mentioning Deficiencies

The auditor must mention any control deficiencies found in prior audit periods.

What does ISAE stand for?

International Standard on Assurance Engagements (ISAE) is a set of globally recognized standards providing guidance for assurance engagements, helping to build trust in financial reporting and other information.

What does PCI DSS stand for?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to protect cardholder data during payment transactions. It's mandatory for all organizations that process, store, or transmit credit card information.

SA 300 - What is it about?

SA 300 is a standard issued by the International Auditing and Assurance Standards Board (IAASB) that provides guidance for auditors when planning and performing an audit of financial statements. It focuses on setting the overall audit strategy and the auditor's responsibilities.

What are the main aspects of SA 300?

The key areas of SA 300 include: understanding the entity and its environment, assessing the risks of material misstatement, and designing and performing audit procedures to obtain sufficient appropriate audit evidence.

What can be used to extract payroll information?

Database queries can be used to extract specific information from a database, such as payroll data like available leaves per employee.

What does validating a report involve?

Validation of reports involves assessing the accuracy of data, the logic used, and the completeness of information to ensure the reliability of the report.

What needs to be checked before validating reports?

The auditor needs to check the integrity of data before planning to understand the types of reports and the validation process. Integrity ensures data is accurate, consistent, and reliable.

When can the auditor limit report validation?

The auditor might limit the validation procedures when the controls in business processes or the General IT Controls (GITC) are effective. This means the internal controls are working well.

When can the auditor limit report validation?

The auditor might limit the validation procedures when the controls in business processes or the General IT Controls (GITC) are effective. This means the internal controls are working well.

What commands can be used to generate reports in SAP?

SE16, SE16N, and SA38 are some common commands in SAP that can be used to generate reports. These commands provide access to data and tools for reporting.

Substantive Audit Procedures

Tests designed to evaluate the accuracy and completeness of reports generated by an ERP system.

Customised Reports

Reports created by company personnel for internal use and reporting purposes.

Authorized Users

Users who are authorized to create or modify custom reports in an ERP system.

Appropriate Approvals

Verification that changes made to custom reports are approved through proper channels.

Database Queries

Reports pulled on an as-needed basis in response to specific requirements.

Data Manipulation

The potential for data manipulation after a report is created.

Effective GITC's

The effectiveness of controls across all domains of an ERP system.

Non-Standard Journal Entries

Unusual, non-recurring transactions that are not part of regular business operations. These transactions might be infrequent and often require special attention.

Standard Journal Entries

Entries that are directly related to the company's core business operations and happen regularly. These are typically well-defined and follow standard procedures.

Timing of Report Testing

The criteria for determining the timing of report testing.

One Sample in Each Scenario

A sampling procedure where one sample is selected from each scenario or domain.

Intercompany Transactions

Transactions that happen between different companies or departments within the same organization. It's important to carefully track these transactions to ensure accuracy.

Audit Procedures

The process of verifying that accounting entries are accurate and complete. This may involve reviewing source documents, reconciling balances, and analyzing transactions.

Types of Errors

The types of errors that may occur when deficiencies are found in reports.

Sensitive Access

The ability of a user to perform critical business actions in the ERP System.

Fraud Risk Factors

Factors that increase the risk of fraudulent activity. These factors can relate to internal or external pressures, a lack of internal controls, or opportunities for manipulation.

Users with Sensitive Access

Users with high-risk business activities that can have a wide impact on operations.

Internal Controls

Procedures that are designed to prevent or detect errors in financial reporting. These controls can include internal checks, audits, and segregation of duties.

Segregation of Duties

The separation of job duties to prevent conflicts of interest.

ERP Systems

Software systems that integrate all aspects of a business, such as finance, inventory, and sales. This can help improve efficiency and control.

Non-Standard Transactions

Transactions that are not related to the company's core business operations. These transactions may be unusual or infrequent and require special attention.

Normal Users

Users who perform daily business operations and transactions in an ERP system.

Previleged Users

Users with a high level of access and privileges within the ERP system.

Study Notes

ERP Systems

• ERP systems (Enterprise Resource Planning) are integrated management systems encompassing various business functions.
• Examples include SAP and Oracle.

Internal Control Risk Assessment (SA 315)

• Auditors aim to identify and assess material misstatement risks, including fraud.
• Understanding the entity and internal control environment, including relevant information systems.
• Auditor's responsibility is to design and implement responses in audit procedures in response to SA315.
• Assessing the effectiveness of internal controls for reporting.

Governance Framework

• The business team is the owner of data residing within application.
• Ownership is transferred to the IT team in charge of application
• Communication channels are crucial between Chief Information Officer and Chief Financial Officer for effective data management

Automated Environment Risks

• Automated environments present numerous risks due to the complexity and interconnectedness of applications.
• Risks are influenced by the number and location of applications within the system.

Reporting from ERP Systems

• Standard generated reports are provided by ERP systems to businesses
• Customised reports are developed for business use within the ERP system.
• Database queries are used to retrieve information in a structured format from the database.

Controls in ERP

• Inherent controls ensure the accuracy, completeness, and validity of transactions, present in ERP.
• Configurable controls are those implemented during ERP installation in an organization.
• Input controls are the first point of control within ERP.

Sensitive Access and Segregation of Duties (SOD)

• Sensitive access in an ERP system grants extensive or unrestricted access to carry out various activities.
• Role-based access control (RBAC) involves grouping related access rights into roles for streamlined user management.
• Segregation of Duties is the distribution of job roles among employees to avoid conflicts and ensure accountability.

User Roles and Access

• Normal users perform daily operations within the ERP system.
• System users execute automated operations and transactions.
• Privileged users possess extensive or unlimited access for key activities.
• Default users come embedded with the ERP software
• Generic users are positions or designations, not specific people
• Temporary users are granted access for a limited time.
• External users represent individuals/entities outside the company
• Multiple roles and users can interact in a "many-to-many" relationship.

User and Access Control Deficiencies

• Auditors must document and report control deficiencies to management, following standards.
• The deficiencies relating to user access controls should be evaluated in order to understand the impact of the deficiencies on audit.
• Understanding the business environment and IT environment is a crucial starting point for audits on segregation of duties.
• The business rules for the implementation and review of SOD and sensitive access should focus on the company rules, policies and procedure.

ERP Migration and Data Procedures

• ERP migration involves planning, system design, data conversion/configuration, testing, and go-live stages.
• Rollback procedures are for managing potential errors during the process.
• During migration, sensitive access, SOD, and related controls must be considered.
• Internal auditors can provide valuable experience regarding ERP changes.
• Documentation is essential to effectively manage any ERP implementation.

Financial Data Records (Journal Entries)

• Standard journal entries record regular transactions.
• Non-standard journal entries capture unusual and non-recurring transactions, adjustments, and corrections.
• Non-standard entries are often not subject to normal internal controls.
• The extraction and analysis of JE data can be enhanced using software scripts.

Query Creation and Usage in ERP

• Subqueries can be used within queries to filter specific output values.
• Access uses a variety of queries ranging from simple to complex, capable of extracting aggregated results.
• Joins in Access can connect data from different tables.
• Aggregate functions summarise numerical values.
• A wide arrange of filters are available for further refinement.

Working with and Summarizing Data

• Using Pivot Tables helps users quickly summarize and analyze data in a spreadsheet.
• Calculations can be run on existing data using expressions and functions.
• Conditional formatting highlights cells containing specific values, a powerful method to track and refine data during analyses.

Statistical and Probability Concepts

• Benford's Law is useful for identifying potential data irregularities when a specific numerical pattern appears significantly off from the expected value.
• Hypothesis testing involves comparing observed data to a predicted outcome, using calculated probabilities to determine whether to accept or reject those probabilities.
• Statistical analysis is crucial for drawing meaningful conclusions from data sets.

Data Mining and Warehousing

• Data Mining is used to uncover patterns from a database.
• Data Warehousing is a repository for storing and organizing historical data, for analysis.
• OLAP is the technique and tool to query complex multi-dimensional databases.
• Operational Data Stores are used for detailed data for processes.

Accounting and Financial Concepts

• Financial Planning involves establishing financial targets.
• Depreciation is the accounting process for spreading the cost of using an asset over its useful life.
• Cash budgets and capital budgeting are used to manage and model monetary flow in a business.
• Various financial ratios help in comparison analysis.

Excel Functions

• Specific Excel functions are used to generate and manage financial/accounting data
• Excel functions help in performing various calculations on financial data.
• There are tools in Excel suited for various data management activities.

Description

Test your knowledge on Enterprise Resource Planning (ERP) systems with this quiz. Explore key concepts such as controls, audit procedures, and transaction characteristics within ERP environments. Ideal for students and professionals looking to enhance their understanding of ERP.