Internal Control of Financial Reporting With ERP

Author: Hassan Toor, CISA, ACA, ACCA, CFE, PMP
Date Published: 9 August 2023

Company A, a multinational conglomerate, operated a chain of hypermarkets and retail companies. It sought to transform its business processes and procedures from a set of disconnected legacy applications to a fully integrated platform using Oracle enterprise resource planning (ERP) cloud implementation. The expected result would enable major process improvements across business functions and address existing business and technology pain points. The pain points resulting from disconnected legacy applications were mainly related to inefficient processes, data inconsistencies and a lack of visibility into opportunities for improvement and growth.

Challenge

There was a critical need to build a new set of system controls that would enable reliance on general IT controls (GITCs) and address segregation-of-duties (SoD) risk. Overall, an effective controls environment needed to be developed around the ERP application. Company A decided to establish an effective governance model by implementing a technology solution to strengthen its risk and control management processes. International Standard on Auditing (ISA) 315 (Revised) requires auditors to understand the entity and its environment, including the entity's system of internal control, in order to design and implement audit procedures.1 External auditors must therefore consider the entity's IT environment, including IT controls, when planning and executing the audit. In particular, the auditor needs to:

  • Identify and assess the risk of material misstatement due to IT.
  • Evaluate the design and implementation of IT controls that were relevant to the audit.
  • Test the operating effectiveness of IT controls that were relevant to the audit.
  • Consider the effect of IT-related deficiencies on other aspects of the audit.

Given the volume and automation of transactions in the retail sector, it had become increasingly difficult to assess and audit Company A's financial reporting without relying on the underlying IT controls. Apart from external compliance requirements, the company faced several challenges with respect to its ERP and business processes:

  • Increased operational and fraud risk due to inadequate SoD within the finance team
  • Inability to monitor or report on user access, leading to SoD violations and unauthorized use of sensitive functions (e.g., opening or closing an accounting period)
  • Sample-based testing by the internal audit team for the different business cycles, which left gaps that increased the external audit effort
  • Challenges complying with regulatory requirements; the external auditor was unable to take a controls-reliance approach and instead performed substantive testing, which increased the external audit fee

Company A analyzed various tools available on the market and selected Oracle Fusion Cloud’s risk management cloud solution to build controls around ERP business processes.

There were several important objectives to be met that would indicate challenges had been addressed:

  • Identify and configure effective, sustainable automated controls to mitigate risk associated with business processes.
  • Develop sustainable processes for user access monitoring and automated reporting of SoD violations and GITC process areas and control objectives.
  • Develop controls for detecting unwanted transactions and/or risky configurations within the organization's business processes (e.g., identify purchase orders created within the past three months whose creation date falls after the date of the related payables invoice).
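The second objective, automated reporting of SoD violations, comes down to checking each user's combined role set against a matrix of conflicting functions. The following is an added illustration written for this article, not code from Oracle Fusion Cloud's risk management solution. The function names, role codes, conflict pairs and user-role assignments are all constructed for the example and are not real Oracle role identifiers.

```python
"""Segregation-of-duties (SoD) conflict detection over exported ERP role assignments.

Added example for illustration; not Oracle Risk Management Cloud code. The
conflict matrix, role codes and assignments below are constructed (hypothetical).
"""
from collections import defaultdict

# Hypothetical conflict matrix: pairs of business functions that one person
# must not be able to perform together (e.g., enter an invoice and approve its payment).
CONFLICTING_FUNCTIONS = [
    ("CREATE_SUPPLIER", "APPROVE_PAYMENT"),
    ("ENTER_INVOICE", "APPROVE_PAYMENT"),
    ("POST_JOURNAL", "OPEN_CLOSE_PERIOD"),
]

# Hypothetical mapping from each function to the roles that grant it.
FUNCTION_ROLES = {
    "CREATE_SUPPLIER": {"AP_SUPPLIER_ADMIN"},
    "ENTER_INVOICE": {"AP_INVOICE_ENTRY"},
    "APPROVE_PAYMENT": {"AP_PAYMENT_APPROVER", "AP_MANAGER"},
    "POST_JOURNAL": {"GL_ACCOUNTANT", "GL_MANAGER"},
    "OPEN_CLOSE_PERIOD": {"GL_MANAGER", "GL_PERIOD_ADMIN"},
}

# Constructed user-role assignments, as they might be exported from the ERP.
ASSIGNMENTS = [
    ("alice", "AP_INVOICE_ENTRY"),
    ("alice", "AP_PAYMENT_APPROVER"),   # conflict across two roles
    ("bob", "GL_MANAGER"),              # a single role granting both sides of a conflict
    ("carol", "AP_SUPPLIER_ADMIN"),
    ("carol", "GL_ACCOUNTANT"),         # no conflict
]


def functions_for_roles(roles):
    """Return the set of business functions reachable from a set of roles."""
    return {fn for fn, granting in FUNCTION_ROLES.items() if roles & granting}


def find_sod_violations(assignments, conflicts=CONFLICTING_FUNCTIONS):
    """Return a list of (user, function_a, function_b, granting_roles) tuples.

    granting_roles maps each conflicting function to the sorted roles that grant
    it for that user, so the report shows *why* the user is in violation.
    """
    roles_by_user = defaultdict(set)
    for user, role in assignments:
        roles_by_user[user].add(role)

    violations = []
    for user, roles in sorted(roles_by_user.items()):
        functions = functions_for_roles(roles)
        for fn_a, fn_b in conflicts:
            if fn_a in functions and fn_b in functions:
                via = {fn: sorted(roles & FUNCTION_ROLES[fn]) for fn in (fn_a, fn_b)}
                violations.append((user, fn_a, fn_b, via))
    return violations


if __name__ == "__main__":
    for user, fn_a, fn_b, via in find_sod_violations(ASSIGNMENTS):
        print(f"{user}: {fn_a} via {via[fn_a]} conflicts with {fn_b} via {via[fn_b]}")
```

Note that the check is performed on the union of a user's roles, not role by role: bob's single GL_MANAGER role grants both journal posting and period open/close, which is the intra-role conflict that a role-by-role review would miss.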

Solution

High-level solution mapping helped address the GITCs around the ERP application (figure 1).

Automated Controls for Internal and External Audit
Automated application controls were defined with the assistance of management and the internal audit team. The design of each control was clearly documented along with a list of attributes required for effective control operation. Transaction model functionality was utilized to test and validate the control design to ensure its effectiveness.

The external audit team was onboarded to understand Company A's scope and to align on its testing requirements. The team began by walking through the various business processes, which resulted in the identification of process risk points (PRPs). Each PRP was then mapped to the organization's manual or automated controls. The external audit team provided a list of the automated controls on which it expected to place reliance. A testing plan and approach were agreed with the external auditor to support reliance on management's testing, and testing timing was aligned with the external audit and other assurance activities (e.g., internal audit). The design testing for each control was shared and agreed with the external auditor so that audit-ready working papers could be prepared.

Company A utilized advanced configuration controls to continuously monitor transactions for anomalies and fraud. The transaction controls were implemented as configured monitoring rules (e.g., flagging payables invoices matched to backdated purchase orders [POs]). Regular interaction was established with the external auditor to discuss progress, share insights from work completed, and ensure alignment on the timing of activities to reduce duplication and business disruption.
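The backdated-PO control above is a detective rule over matched invoice and PO records: any PO created after the invoice it supports suggests the order was raised retrospectively to legitimize a payment. The following is an added illustration written for this article, not an Oracle transaction model. The record layout, field names, the 90-day lookback (standing in for "three months") and the sample invoices are all constructed assumptions.

```python
"""Detective transaction control: payables invoices matched to backdated POs.

Added example for illustration; not an Oracle transaction model. Field names,
the 90-day lookback and the sample records are constructed (hypothetical).
"""
from datetime import date, timedelta

# Constructed AP invoice records that have already been matched to a PO.
INVOICES = [
    {"invoice": "INV-1001", "po": "PO-500", "supplier": "ACME",
     "invoice_date": date(2023, 6, 1), "po_created": date(2023, 5, 20)},   # normal ordering
    {"invoice": "INV-1002", "po": "PO-501", "supplier": "ACME",
     "invoice_date": date(2023, 6, 5), "po_created": date(2023, 6, 9)},    # PO raised 4 days after invoice
    {"invoice": "INV-0900", "po": "PO-420", "supplier": "GLOBEX",
     "invoice_date": date(2023, 1, 10), "po_created": date(2023, 1, 15)},  # backdated, but an old PO
    {"invoice": "INV-1003", "po": "PO-502", "supplier": "INITECH",
     "invoice_date": date(2023, 7, 1), "po_created": date(2023, 7, 1)},    # same day: not flagged
]


def backdated_po_exceptions(invoices, as_of, lookback_days=90):
    """Return invoices whose PO was created after the invoice date.

    Only POs created within the lookback window ending at `as_of` are
    considered, matching a control scoped to "POs created in the past three
    months". Results are sorted with the largest lag first.
    """
    window_start = as_of - timedelta(days=lookback_days)
    hits = []
    for rec in invoices:
        if not (window_start <= rec["po_created"] <= as_of):
            continue  # PO outside the monitoring window
        lag = (rec["po_created"] - rec["invoice_date"]).days
        if lag > 0:
            hits.append({**rec, "days_after_invoice": lag})
    return sorted(hits, key=lambda r: -r["days_after_invoice"])


def exceptions_by_supplier(hits):
    """Count exceptions per supplier; repeat offenders are the follow-up priority."""
    counts = {}
    for rec in hits:
        counts[rec["supplier"]] = counts.get(rec["supplier"], 0) + 1
    return counts


if __name__ == "__main__":
    for rec in backdated_po_exceptions(INVOICES, as_of=date(2023, 8, 1)):
        print(f'{rec["invoice"]} {rec["po"]} {rec["supplier"]}: '
              f'PO created {rec["days_after_invoice"]} days after invoice')
```

A same-day PO and invoice is deliberately not flagged, since goods received against a verbally placed order are often invoiced and ordered on the same day; the threshold is an assumption that should be tuned to the entity's procurement policy.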

Key interactions with the external auditor included:

  • Planning—The confirmed plan included timing, key contacts and controls, and alignment on expectations. Prior to finalizing the scoping and risk assessment, a workshop was conducted to align on risk coverage and in-scope entities.
  • Documentation—Company A confirmed that its documentation standards and controls approach were aligned with external auditor expectations. Throughout the project, documentation was shared with the external auditor for review.
  • Design walkthroughs—The adequacy of design assessment templates was confirmed and the output from the design effectiveness walkthrough was shared to confirm whether reliance could be placed on the work completed.

Benefits

The project enhanced the effective management of Company A’s financial, business and technology risk, resulting in several achievements:

  • Company A was able to meet the deadline for external audit, because the ERP was audit ready.
  • Company A reduced the external audit fee from the second year and onward because the external auditor was able to rely on established controls rather than conducting substantive testing.
  • Key risk factors for different business processes were embedded in automated controls. The coverage of internal audit reached 100 percent, and any exception or deviation could be accessed by running a report by the internal audit team. It helped the internal audit team save labor resources and establish a continuous audit mechanism.
  • Application controls such as the accounts payable invoice matching control increased the reliability of sourcing and invoice payments. Company A achieved a 100 percent match by setting up additional controls.
  • Company A reduced manual effort and improved the accuracy of incident reports through automated analysis and system-generated reporting on SoD incidents. A more secure change management process also helped reduce production incidents.
  • Company A managed to achieve financial reporting with consistent, repeatable controls across the enterprise with direct visibility into specific activities, issues and high-risk areas.

Through its Oracle ERP cloud implementation, Company A succeeded in replacing its unorganized legacy processes and improving its control posture and procedures to help ensure a smooth-running operation.

Endnote

1 KPMG, “ISA 315 (Revised)—Key Requirements,” Accounting and Auditing Update, iss. 42, 2020, https://assets.kpmg.com/content/dam/kpmg/in/pdf/2020/01/Chapter-3-aau-tax-ordinance.pdf

HASSAN TOOR | CISA, ACA, ACCA, CFE, PMP

Is the associate director of IT audit for KPMG LG. He has provided IT risk advisory and assurance services to many financial audit clients including banks, multinational enterprises and organizations in the public sector. Toor specializes in the areas of IT audit, business process reengineering, enterprise resource planning (ERP) implementations, ERP audits, ERP quality assurance, project management reviews and pre- and post-implementation reviews.