Exception Reports to Monitor and Improve Controls

BY LESLIE D. TURNER, CMA, CFM, DBA, AND VINCENT OWHOSO, PH.D.

IMPROVED USER ACCESS CONTROLS AND SEGREGATION OF DUTIES CAN REDUCE COSTS

[Figure: Exception reports achieve safeguarding of assets, improved organizational efficiency, data integrity, and SOX compliance.]
for the purpose of monitoring internal controls over strategic goals and external compliance.

ASSUMPTIONS OF THE MODEL

The model assumes the existence of a proper organizational structure that is integrated with the operational or business processes, information technology objectives, and the various internal players. It also assumes that the organization is committed to a culture that encourages regular monitoring and control of user access through segregation of duties and avoidance of conflicting capabilities. The model further assumes the existence of a properly configured ERP system with access administrators at each major unit within the organization to assist in the development, continuous monitoring, and improvements of internal controls. The access administrators should provide updates of user profiles as changes in duties occur, should schedule regular control reports of conflicts in user profiles and changes to master data, and should use control reports regularly to reduce profile conflicts and unauthorized changes to master data. The model also assumes that there is a well-established reporting chain in the organization to ensure that upper management follows up exception reports on safeguarding of assets, improvement of organizational effectiveness, data integrity, and compliance with SOX (and other laws and regulations) and contracts. The model expects the organizational structure to include well-defined information technology and operations and control objectives, policies, and procedures that are available to the access administrators for setting up the ERP for appropriate user access, segregation of duties, and the required control objectives and control activities at each business process or departmental unit.

The model begins with the performance of control activities by the internal players. These control activities create dynamic and iterative processes for monitoring and improving internal controls through the generation of control reports. The control reports allow business unit managers to identify potential deficiencies in the user access profiles and conflicting capabili-
SECTION                                          DESCRIPTION
1. Conflicting Ability descriptions              Conflicting Ability IDs & descriptions
2. Potential Risk to XYZ Co.                     Description of the potential risk to XYZ Co. that this conflict ID is designed to identify
3. Identification of transactions using          Method for identifying transactions that utilized Ability 1
   Ability 1
4. Identification of transactions using          Method for identifying transactions that utilized Ability 2
   Ability 2
5. Comparison of transactions to identify        Method for comparing transactions to identify potential fraud or damage to XYZ Co.
   potential fraud or damage to XYZ Co.
6. Other considerations                          Any additional considerations that the business expert would like to add
memo or invoice, can allow the user to generate a fraudulent payment because the two are incompatible duties.

CONTROL REPORTS AND REPORTING CHAIN

Based on the user profiles and conflicting abilities database, the User SAP Security Contact (USSC) of each business unit runs a conflicting transactions report from SAP at the end of each month. The USSC reviews the report and forwards it to the business administrator (BU AD) of that business unit. The BU AD signs the report to indicate it has been reviewed, and the report is maintained and filed for audit purposes. If the USSC or BU AD notes any problems to be addressed, the USSC requests those changes to the user profiles or the conflicting abilities database.

The outlined process has several important internal control components. First, accountability and responsibility are assigned to the USSC and BU AD. Second, a regular, monthly report is reviewed for continuous monitoring of segregations. Third, signed documentation in the form of the conflicting transactions report is preserved as audit evidence of the existence and efficacy of internal controls. Finally, there is a defined, regular

promoted, etc.).

When incompatible activities are flagged dur-

Without a separation of these abilities, a fraudster could assign personal information to a vendor account and generate a fraudulent payment to the vendor.

After identifying the conflicting capabilities, a report must be requested from SAP. In this case, an SAP report of vendor master changes is run. The report is sorted by the logon ID of the SAP user with conflicting capabilities. The Changed By field in the report contains the logon ID. This report shows which users created or changed vendor information. (See Table 3 for an example.)

Next, a second table must be reviewed to determine which invoices the SAP user posted. This table identifies particular invoices entered by user ID. A comparison of the Create/Change Vendor report and the invoices by user ID allows the USSC to determine any conflicting transactions that occurred. Then the USSC can request appropriate changes to user access to avoid future conflicting capability transactions.

OTHER CRITICAL CONTROL REPORTS IN
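The two-step check the article describes (first find users whose profiles hold both halves of a conflicting-ability pair, then join the vendor master change report with the invoices-by-user table to see whether any such user actually posted an invoice to a vendor that user created or changed) can be expressed as a small script. The following is an added example written for this page, not code from the article or from SAP; the ability IDs, logon IDs, vendor numbers, invoice numbers and amounts are all constructed, and the two in-memory tables stand in for the exported SAP reports the USSC would normally work from.

```python
"""Constructed example of a monthly conflicting-transactions check: profile
conflicts (who could do it) and conflicting transactions (who actually did).
All ability IDs, users, vendors and invoices below are made up."""
from collections import defaultdict
from datetime import date

# Constructed conflicting-abilities database: ability pairs that one user must
# not hold together, with the risk each pair is designed to surface.
CONFLICTING_ABILITIES = {
    ("VEND_MAINT", "INV_POST"): "create/change a vendor and post an invoice to it",
    ("REQ_CREATE", "PO_CREATE"): "create a requisition and its purchase order",
}

# Constructed user profiles: logon ID -> abilities granted in the ERP.
USER_PROFILES = {
    "jdoe": {"VEND_MAINT", "INV_POST"},
    "asmith": {"VEND_MAINT"},
    "bkim": {"INV_POST", "PO_CREATE"},
    "clee": {"REQ_CREATE", "PO_CREATE"},
}

# Constructed vendor master change report: (changed_by, vendor, change_date).
VENDOR_CHANGES = [
    ("jdoe", "V1001", date(2024, 3, 4)),
    ("asmith", "V1002", date(2024, 3, 5)),
    ("jdoe", "V1003", date(2024, 3, 12)),
]

# Constructed invoices-by-user table: (posted_by, invoice_no, vendor, amount).
INVOICES = [
    ("jdoe", "5100001", "V1001", 4800.00),
    ("bkim", "5100002", "V1002", 1200.00),
    ("jdoe", "5100003", "V2000", 300.00),
]


def profile_conflicts(profiles, conflicts):
    """Return {logon_id: [(ability_1, ability_2, risk), ...]} for every user
    whose profile contains both abilities of a conflicting pair."""
    found = defaultdict(list)
    for user, abilities in sorted(profiles.items()):
        for (a1, a2), risk in conflicts.items():
            if a1 in abilities and a2 in abilities:
                found[user].append((a1, a2, risk))
    return dict(found)


def conflicting_transactions(vendor_changes, invoices, flagged_users):
    """Join the vendor change report with invoices by user ID. An invoice posted
    by a flagged user to a vendor that same user created or changed is a
    conflicting transaction."""
    changed = defaultdict(set)  # user -> vendors that user touched
    for user, vendor, _ in vendor_changes:
        if user in flagged_users:
            changed[user].add(vendor)
    hits = []
    for user, invoice_no, vendor, amount in invoices:
        if vendor in changed.get(user, ()):
            hits.append({"user": user, "invoice": invoice_no,
                         "vendor": vendor, "amount": amount})
    return sorted(hits, key=lambda h: (h["user"], h["invoice"]))


def monthly_exception_report(profiles=USER_PROFILES, conflicts=CONFLICTING_ABILITIES,
                             vendor_changes=VENDOR_CHANGES, invoices=INVOICES):
    """Build both lists the USSC reviews at month end."""
    by_user = profile_conflicts(profiles, conflicts)
    vendor_invoice_users = {
        u for u, pairs in by_user.items()
        if any(a1 == "VEND_MAINT" and a2 == "INV_POST" for a1, a2, _ in pairs)
    }
    return {
        "profile_conflicts": by_user,
        "conflicting_transactions": conflicting_transactions(
            vendor_changes, invoices, vendor_invoice_users),
    }


if __name__ == "__main__":
    report = monthly_exception_report()
    for user, pairs in report["profile_conflicts"].items():
        for a1, a2, risk in pairs:
            print(f"PROFILE CONFLICT  {user}: {a1} + {a2} ({risk})")
    for h in report["conflicting_transactions"]:
        print(f"TRANSACTION       {h['user']}: invoice {h['invoice']} to vendor "
              f"{h['vendor']} for {h['amount']:.2f}, vendor changed by same user")
```

On the constructed data, jdoe and clee show up as profile conflicts, and only jdoe's invoice 5100001 (to vendor V1001, which jdoe changed) is reported as a conflicting transaction; jdoe's other invoice goes to a vendor jdoe never touched, and bkim holds no conflicting pair. A profile conflict by itself is a finding for the USSC to correct in the user's profile; a conflicting transaction is the item that needs investigation and the signed audit trail the article describes.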
tive and ongoing in the review of segregation of duties, proper user access, SAP profile review, conflicting capabilities, global business warehouse spending, purchase order (PO) list display, invoice changes report, and blocked invoice reports, to name a few.

Specifically, the blocked invoice report is generated and reviewed twice a week to detect invoices blocked for whatever reason. By reviewing this report, the unit manager is able to identify reasons why invoices are blocked and then track the system so that overdue items are promptly identified and attended to. Second, by reviewing the PO changes report monthly, the business manager can review everything that is being created, including checks and price changes. Similarly, the review of the SAP Profile report on a quarterly basis ensures that business unit managers have nonconflicting profiles for SAP or compensating controls. The quarterly review of the conflicting capability report ensures that no one person has conflicting abilities that could enable fraud, such as the ability to create requisitions and purchase orders.

By continuously reviewing these periodic reports and updating the system for observed weaknesses, the organization is committed to ensuring data and system integrity in both its IT and business process operations.
CONTROLS ARE VITAL

In the post Sarbanes-Oxley era, organizations must continue to improve internal controls over their ERP and organizational processes to remain effective, efficient,