Use ERP Internal Control

Exception Reports to
Monitor and Improve
Controls
BY LESLIE D. TURNER, CMA, CFM, DBA, AND VINCENT OWHOSO, PH.D.

ORGANIZATIONS WITH ERP SYSTEMS CAN USE INTERNAL REPORTS TO CONTINUOUSLY

MONITOR AND IMPROVE THEIR INTERNAL CONTROLS THROUGH PERIODIC

ON-DEMAND OR SPECIALIZED REPORTS. USING THESE REPORTS TO MONITOR AND

IMPROVE USER ACCESS CONTROLS AND SEGREGATION OF DUTIES CAN REDUCE COSTS

AND THE LIKELIHOOD OF UNNECESSARY EXPOSURE WHILE IMPROVING EFFICIENCY,

RESPONSIVENESS, AND COMPLIANCE PROCEDURES.

he extensive use of enterprise resource plan- monitoring internal control compliancespecifically,

T ning (ERP) systems provides opportunities

for continuous monitoring and improvement
of internal control systems. This continual
monitoring and improvement of internal con-
trols, in turn, assures that management can comply with
relevant sections of the Sarbanes-Oxley Act of 2002
(SOX). In this article, we will describe critical processes
and systems that are necessary to monitor internal con-
trol compliance and the implications for SOX compli-
ance. Internal controls have been integrated into
accounting software systems for many years, and ERP
systems have enabled monitoring of internal controls
that was not possible with legacy systems. For example,
ERP systems can provide control reports that highlight
inappropriate segregation of duties from an enterprise-
wide perspective.
The focus here will be on such newer approaches to
the use of control reports to monitor and improve user
access controls and segregation of duties.
Control reports can be defined in many ways. Our
use of control reports will refer to standard or special-
ized reports available in ERP systems to report autho-
rization or user access violations. Some reports may
have an enterprise-wide focus, while others may be
within specific business processes, such as purchasing.
For example, a report of conflicting capabilities can
show users with conflicts across various business
processes. A report examining a history of changes to a
record for control violations would focus on a specific
business process. These reports are used for several
purposes. The appropriate manager or internal auditor
can review such reports for internal control self-
assessment and control improvement.
Monitoring internal control compliance is important

M A N A G E M E N T A C C O U N T I N G Q U A R T E R LY 41 SPRING 2009, VOL. 10, NO. 3

in ERP systems because core business processes such as
purchasing, accounts payable, cost accounting, banking/
treasury functions, and human resource systems are inte-
grated into an enterprise-wide system. The ERP plat-
forms allow companies to reduce costs, become more
efficient, and respond faster to changes in the market-
place. This increased functionality, however, creates dif-
ferent risk profiles that, if not monitored properly, can
result in control breakdowns and potentially significant
losses for a company. ERP systems also push initiation
or authorization of transactions to lower levels of the
organization, thereby causing increased control prob-
lems. These control risks and problems must be coun-
terbalanced by effective internal controls that should be
monitored constantly to ensure organizational effective-
ness, efficiency, and safeguarding of processes.
I M P O R TA N C E OF INTERNAL CONTROLS
Managers, accountants, and internal auditors bear
responsibility for developing, monitoring, and improv-
ing internal control systems. Their responsibilities
include preventing, detecting, and correcting control
weaknesses and risks that may cause a failure to achieve
operational and information-processing objectives. The
key risks of which each of these parties must be aware
as they develop and monitor internal controls include:
The risk of fraud, particularly for systems with
payment-generation capability, when a single person
has ERP authorizations that allow control of two
parts of a transaction. This inappropriate segregation
of duties can lead to fraudulent activity.
Noncompliance with privacy guidelines. ERP
systems store enormous amounts of data, including
customer, vendor, and employee data. Without prop-
er internal control, privacy can be violated intention-
ally or unintentionally.
Inappropriate disclosure of time-sensitive business
data.
Malicious or accidental damage to data. If weak
internal controls allow inappropriate access to data, it
is possible for data to be altered or destroyed.
A potential loss of competitive advantage.
The potential for incorrect management decisions to
be made.
A potential loss of business.
M A N A G E M E N T A C C O U N T I N G Q U A R T E R LY
Potential damage to customer or shareholder confi-
dence, public image, and reputation.
The possibility of incurring additional costs.
A breach of legal, regulatory, or contractual
obligations.
The potential disruption of business activity.
To lessen these risks, internal controls should be
properly established, monitored, and improved.
The use of control reports to monitor authorization or
user access violations is important in continuous moni-
toring and improvement of internal control. As an analo-
gy, the use of cost accounting systems with variance
reports can be useful in continual monitoring and
improvement of manufacturing efficiency and effective-
ness. Yet such variance reports are not useful unless an
underlying structure has been established with a proper
accounting system to monitor costs against standards
and unless management regularly reviews variance
reports and uses the reports to improve manufacturing
control. Likewise, control reports in an ERP system can
be useful if a proper underlying structure is established
and management uses the resulting control reports
properly to monitor and improve internal controls.
CO N T I N U O U S M O N I TO R I N G U S I N G E R P
E XC E P T I O N R E P O R T S
A model of continuous monitoring using ERP excep-
tion reports presents a dynamic, iterative, and interac-
tive process whereby a properly configured ERP system
generates reports for the purpose of monitoring and
improving internal control (see Figure 1).
The use of a system based on this model improves
control over business goals and objectives, business
processes, and control activities. The controls moni-
tored include controls over user access, segregation of
duties, operations, policies and procedures, information
technology, and external compliance. The model
ensures that internal control weaknesses within core
business processes routinely are prevented, detected,
and corrected at the business unit levels. Business unit
administrators periodically run and review exception
reports for control deficiencies. This allows administra-
tors to improve affected controls. At the enterprise lev-
el, the model ensures that generated reports are used
42 SPRING 2009, VOL. 10, NO. 3
 Figure 1: A Model of Internal Control Compliance
Through Exception Reporting

Improved
Safeguard Assets Organizational Data Integrity SOX Compliance
Efficiency
ACHIEVES

EXCEPTION REPORTS

Feedback to improve Feedback to improve

ERP SYSTEM

Segregation of Access User Access

Duties Administrator

for the purpose of monitoring internal controls over
strategic goals and external compliance.
ASSUMPTIONS OF THE MODEL
The model assumes the existence of a proper organiza-
tional structure that is integrated with the operational or
business processes, information technology objectives,
and the various internal players. It also assumes that the
organization is committed to a culture that encourages
regular monitoring and control of user access through
segregation of duties and avoidance of conflicting capa-
bilities. The model further assumes the existence of a
properly configured ERP system with access adminis-
trators at each major unit within the organization to
assist in the development, continuous monitoring, and
improvements of internal controls. The access adminis-
trators should provide updates of user profiles as
changes in duties occur, should schedule regular control
reports of conflicts in user profiles and changes to mas-
ter data, and should use control reports regularly to
reduce profile conflicts and unauthorized changes to
master data. The model also assumes that there is a
well-established reporting chain in the organization to
ensure that upper management follows up exception
reports on safeguarding of assets, improvement of orga-
nizational effectiveness, data integrity, and compliance
with SOX (and other laws and regulations) and con-
tracts. The model expects the organizational structure
to include well-defined information technology and
operations and control objectives, policies, and proce-
dures that are available to the access administrators for
setting up the ERP for appropriate user access, segrega-
tion of duties, and the required control objectives and
control activities at each business process or departmen-
tal unit.
The model begins with the performance of control
activities by the internal players. These control activi-
ties create dynamic and iterative processes for monitor-
ing and improving internal controls through the
generation of control reports. The control reports allow
business unit managers to identify potential deficien-
cies in the user access profiles and conflicting capabili-

M A N A G E M E N T A C C O U N T I N G Q U A R T E R LY 43 SPRING 2009, VOL. 10, NO. 3

ties and then make timely improvement to the control
profiles.
The access administrator is a key internal player who
first implements the control objectives (as agreed to by
management) and control activities within the informa-
tion technology area of the organization. He or she sets
up the ERP properly to allow for the generation of on-
demand and periodic reports for continued monitoring
and improvement of the setup. Some of the critical set-
up areas are user access and segregation of duties. User
access is the determination of which data and modules
a user is authorized to access, and segregation of duties
prevents a single person from controlling two ends of a
transaction. These activities are determined and con-
trolled by the access administrator, who assigns segrega-
tion of duties profiles to each and every user according
to the policies and procedures of the organization.
These specific user profiles in the ERP system also
allow the organization to implement the policies and
procedures regarding segregation of duties, access con-
trols, delivery and support services, IT solutions and
services, and other business processes. The access
administrator feeds these policies, procedures, and con-
trol activities into the ERP and the enterprise-wide sys-
tems and restricts each user to specific control activities.
Then the appropriate unit managers (or other autho-
rized individuals) monitor these activities for the
desired outcomes in their departments through on-
demand or regular control reports related to safeguard-
ing assets, organization efficiency, data integrity, and
SOX compliance. By reviewing these reports for excep-
tions or violations, the business unit managers and IT
administrators are able to identify weaknesses in the
various control activities. Upon evaluating the implica-
tions of the weakness, the managers respond to the
deficiencies by designing improvements that, in turn,
are fed into the ERP systems. This ends an iteration
process for one period and begins another iterative step
in a dynamic process of monitoring internal controls.
(We want to note that the outcome of the iterative and
feedback process also results in reports that are generat-
ed and used for ensuring that goals relate to organiza-
tion efficiencies and the maintenance of data integrity.)
This outcome also helps ensure that external compli-
ance such as SOX compliance requirements are also
M A N A G E M E N T A C C O U N T I N G Q U A R T E R LY
being met in a timely, continuous manner.
In summary, the iterative steps in the model of ERP
control reports are proper setup of the organizational
structure and the ERP system, management review of
control reports, and improvement of the organizational
and ERP setup.
Now we examine the major critical issues in the
model and its application and analysis in a real Fortune
500 company. As it is not possible to cover the entire
array of internal controls in a single article, we will focus
on a set of extremely critical internal controls. Our focus
is on user access and the prevention of conflicting
capabilities.
A C C E S S A D M I N I S T R AT O R
The role of the access administrator in the model is a
critical one because the access administrator is responsi-
ble for monitoring and granting user access. The pur-
pose of this role is to ensure that all users have the
appropriate system access that allows them to work effi-
ciently and within boundaries that minimize the risk of
fraud, inappropriate access, or the loss of data. The
access administrator is responsible for delivering control
reports to each business unit manager, who is then
responsible for reviewing the capabilities of individual
employees authorized roles for compliance and conflict
resolution. (The access administrator only delivers the
reports; the responsibility to review and validate the
correctness is with the businessi.e., the users
managers.)
Persons appointed as access administrators should be
well trained in their field and be responsible for admin-
istering user access to the ERP system, including the
ability to create, suspend, remove, and maintain user
accounts as defined for a specific class or group of users
and manage and reset credentials and services as autho-
rized by management. In addition, access administrators
should possess the ability to define and update key
business process information or transactions, monitor
the status of key transactions, validate processes and
data periodically, review errors and control reports, and
document standards, guidelines, and procedures. These
responsibilities suggest that the role of access adminis-
trator should be assigned to business unit managers.
Some of the duties that access administrators perform
44 SPRING 2009, VOL. 10, NO. 3
include:
Determining business and information security
requirements that are based on management
objectives.
Ensuring information and systems are protected in
line with their importance to the enterprise.
Granting user access based on each unit manager
determining which users are authorized to access
particular information and systems.
Developing service-level agreements.
Signing off on specifications for business require-
ments (including security requirements).
Authorizing new or significantly changed systems.
Ensuring users are aware of their security responsi-
bilities and are able to fulfill them.
Being involved with security audits/reviews.
Access administrators should be accountable to a
supervisor who is in upper management in line with the
responsibilities specified and documented for protect-
ing the organizations information as well as its informa-
tion technologies. The supervisor may engage IT
auditors to monitor and review the activities of the
access administrator to ensure that he or she abides by
sound policies and procedures regarding separation of
duties and performs only those activities that are autho-
rized by management.
U S E R AC C E S S CO N T R O L S
An effective model of continuous monitoring should
include a process to ensure that system access of all ter-
minated and/or transferred employees is revoked imme-
diately upon a change. More specifically, the process
should ensure that users access is restricted to their
required job activities to avoid having inappropriate
ability to:
Commit fraud.
Edit or modify financial statement information or
data that directly impacts financial statements (i.e.,
consolidated information, journal entry posting, price
lists, formula cards, etc.).
Edit or view highly restricted data that is important
operationally but not from a financial reporting per-
spective (i.e., budgeting files, personnel files, etc.).
Perform something that they should not have the
M A N A G E M E N T A C C O U N T I N G Q U A R T E R LY
access to execute and therefore might cause consid-
erable rework or system availability issues.
In summary, monitoring user access in an ERP sys-
tem will ensure that breaches of unauthorized access to
the system are found and that procedures and employ-
ees with conflicting roles are quickly identified and
those authorizations are terminated in a timely manner.
S U P E R - U S E R OV E R S I G H T
We cannot overemphasize the need for super-users in
ERP environments. Super-users must have user profiles
that allow conflicting capabilities access. Specifically, a
super-user is a user who has unrestricted access to the
entire system whether it is the system commands or
system files, regardless of their permission levels.
These super-users require such access to manage risks
across the enterprise by enforcing segregation-of-duty
profiles and preventing security and control violations
before they occur in core business processes. For exam-
ple, super-users are able to address segregation-of-duty
issues by detecting, removing, and preventing access
authorizations risks within and across business process-
es. In this regard, super-users typically have access to
the systems files and setup and have the highest level
of privilege for applications.
Because super-users possess unlimited access to
the systems root, commands, and applications, they can
cause damage to the system and expose the organiza-
tion to untold hardship and embarrassment. For exam-
ple, they can mount and dismantle file systems, change
another users password without knowing the password,
remove any file directory, and even shut down the
entire system. As a result, the activities of super-users
should be controlled by management. Management
should:
Review super-user access privileges and align them
with IT auditors for highly critical and conflicting
capabilities.
Control super-users activities through audit trail
documentation of creation, modification, distribu-
tion, and usage.
Assign independent person(s) to review the super-
user audit trail (i.e., a record of sources of informa-
tion and changes made by date and by an
45 SPRING 2009, VOL. 10, NO. 3
 accountable individual or organization). These need
to be reviewed frequently to identify suspicious or
dubious activities and responsibility for particular
events.
An independent manager should review audit trails
frequently and follow up on issues arising such as:
Instances of access to applications by super-users.
These should be examined by event logs that have
been configured properly to generate appropriate
event types, including time spent while logged on,
tasks performedcreation of data, deletions, modifi-
cation of named files, event attributes in event
entries (e.g., IP address, user identity, time and date,
protocol and port used, files or system utilities
accessed, method of connection, name of device, and
object name).
Any activities performed by a super-user with anoth-
er users ID must be tracked, monitored, and logged.
This should be established to allow the tracking of
inputs into the system down to the field value level,
including any sorting, filtering, and downloading of
information from the system.
Table 1: Contents of a Detailed Conflicting Ability Analysis
SECTION
1. Conflicting Ability descriptions
2. Potential Risk to XYZ Co.
3. Identification of transactions using
Ability 1
4. Identification of transactions using
Ability 2
5. Comparison of transactions to
identify potential fraud or damage
to XYZ Co.
6. Other considerations
M A N A G E M E N T A C C O U N T I N G Q U A R T E R LY
S E G R E G AT I O N OF DUTIES
To accomplish internal control objectives, any organiza-
tion must segregate user duties properly. ERP systems
allow segregation of duties via user authorizations. User
profiles determine the type of access and authority each
user has within the system. A user profile should not
allow any user to have incompatible duties. An organi-
zation must develop, maintain, and monitor appropriate
segregation of duties properly. This requires a detailed
analysis of individual job functions and a determination
of which functions are incompatible activities. A contin-
uous reporting system should be able to report and use
these reports to avoid segregation-of-duty violations by
performing a test of the entire ERP system, control
activities, or specified business processes at unit levels.
For instance, by testing the systems process, the exam-
ples presented in Table 1 show a detailed analysis of
incompatible duties. Individual organizations may refer
to incompatible duties by different names. At this
Fortune 500 company, incompatible duties are called
conflicting abilities. This specific example provides
detailed information about the conflicting ability of
new vendor account and post an MM Document in
DESCRIPTION
Conflicting Ability IDs & descriptions
Description of the potential risk to XYZ Co. that this conflict ID
is designed to identify
Method for identifying transactions that utilized Ability 1
Method for identifying transactions that utilized Ability 2
Method for comparing transactions to identify potential fraud
or damage to XYZ Co.
Any additional considerations that the business expert would
like to add
46 SPRING 2009, VOL. 10, NO. 3
an SAP environment. The ability to create a new ven-
dor account, coupled with the ability to post a credit
memo or invoice, can allow the user to generate a fraud-
ulent payment because the two are incompatible duties.
These descriptions of conflicting abilities are main-
tained, stored, and accessed through the company
intranet. Thus access administrators and managers can
easily review potential conflicting abilities within their
subunit.
A N E X A M P L E A P P L I C AT I O N OF THE MODEL
AT A F O R T U N E 5 0 0 C O M PA N Y
This company implemented SAP as its ERP of choice
and maintains a database of conflicting abilities for vari-
ous business processes. Conflicting abilities are those
activities performed by one individual that violate the
rules of segregating incompatible duties (SoD) as a form
of internal control. When SoD is violated, an organiza-
tion may be subject to fraud and loss of resources
through embezzlement and theft of assets and deletion
or destruction of company data. Business unit adminis-
trators and systems security supervisors can use the
inventory of conflicting capabilities to monitor and
update internal control violations through periodic
reports on conflicting abilities in various operations.
Proper management of these conflicting abilities
involves the correct establishment of user profiles. User
profiles are the tasks within the ERP system that are
assigned to the user. When determining which conflict-
ing abilities must be identified, business areas must
consider not only those conflicts composed of abilities
that their business area owns, but also those conflicts
that are the result of one of their abilities combined
with an ability from another business area. Therefore,
conflicting abilities may be composed of two abilities
owned by one business area or two abilities, each
owned by separate business areas. The company uses
these conflicting capability documents in the following
manner:
Develop potential list of key control conflicts for
business processes/operations.
Identify each control activitys control conflicts.
Establish a matrix of control activities and control
conflicts.
Use software (SAP) to monitor and correct viola-
M A N A G E M E N T A C C O U N T I N G Q U A R T E R LY
tions of control activities and control conflicts:
When employees change roles (are transferred,
promoted, etc.).
When incompatible activities are flagged dur-
ing business process/operations.
When functional departments delay or fail to
periodically seslf-report activities of control
conflicts.
Audit units compliance with control activities.
Provide report to appropriate supervisor on sta-
tus of control activities and control conflicts.
To prevent internal control breaches, each individual
profile is listed with a corresponding set of conflicting
activities that those individuals are not expected to per-
form. For example, in Table 2, individual profiles are
presented with the relevant conflicting abilities. Indi-
viduals possessing these profiles should be precluded
from performing the conflicting abilities.
Because the company is concerned with maintaining
internal control integrity, it analyzes, documents, and
updates the inventory of conflicting abilities in its
intranet and makes them available to managers and
access administrators. The availability of the incompati-
ble abilities allows managers and internal auditors to
mitigate the risks of one or more of these conflicts
occurring by using continuous reporting to review the
profiles assigned to each user. For example, during
internal transfer of one individual from one department
to another, managers, access administrators, and internal
auditors can identify if the individual possesses conflict-
ing abilities that must be addressed. Periodic reporting
also may reveal whether an individual attempted to vio-
late his or her user profiles by inappropriately accessing
a file for which he/she had no authorization to access.
In summary, a system should be in place to monitor
system and business processes and be designed to keep
passwords confidential. This may involve having poli-
cies requiring passwords to be changed frequently and
not be shared. This policy has the potential to protect
the employee and ensure that system transactions are
performed only by employees with proper authority.
The internal and external auditors should review the
process for managing and changing passwords and test
the effectiveness of password management processes.
47 SPRING 2009, VOL. 10, NO. 3
 Table 2: Conflicting Abilities of Individual Profiles
PROFILE
Create and change general ledger
accounts and cost elements.
Setting pay rates. Maintaining
employee personnel records.
Enter invoices. Pay vendors.
Vendor master maintenance.
Cash application.
Sales order/credit memo entry.
Customer Master Maintenance.
CONTROL REPORTS AND REPORTING CHAIN
Based on the user profiles and conflicting abilities data-
base, the User SAP Security Contact (USSC) of each
business unit runs a conflicting transactions report from
SAP at the end of each month. The USSC reviews the
report and forwards it to the business administrator (BU
AD) of that business unit. The BU AD signs the report
to indicate it has been reviewed, and the report is main-
tained and filed for audit purposes. If the USSC or BU
AD notes any problems to be addressed, the USSC
requests those changes to user profiles or conflicting
abilities database.
The outlined process has several important internal
control components. First, accountability and responsi-
bility are assigned to the USSC and BU AD. Second, a
regular, monthly report is reviewed for continuous mon-
itoring of segregations. Third, signed documentation in
the form of the conflicting transactions report is pre-
served as audit evidence of the existence and efficacy
of internal controls. Finally, there is a defined, regular
process for improvements to the control process via the
USSC requesting changes.
D E TA I L S OF THE PROCESS
The first necessary step is the identification of the con-
flicting capabilities that will be the subject of the
report. In this case, the conflicting abilities are:
Ability 1: Creating a new vendor master account,
and
Ability 2: Posting an invoice to the vendor.
M A N A G E M E N T A C C O U N T I N G Q U A R T E R LY
MUST NOT HAVE THIS PROFILE AS WELL
Make journal entry postings to the general ledger.
Entering time data. Cutting checks and/or direct deposit.
Purchasing. Receiving.
Enter invoices. Pay vendors.
Sales order/credit memo entry. Billing.
Billing.
Billing. Delivery/Distribution. Sales Order Entry.
Payment Processing.
Without a separation of these abilities, a fraudster
could assign personal information to a vendor account
and generate a fraudulent payment to the vendor.
After identifying the conflicting capabilities, a report
must be requested from SAP. In this case, an SAP report
of vendor master changes is run. The report is sorted by
the logon ID of the SAP user with conflicting capabilities.
The Changed By field in the report contains logon ID.
This report shows which users created or changed vendor
information. (See Table 3 for an example.)
Next, a second table must be reviewed to determine
which invoices the SAP user posted. This table identi-
fies particular invoices entered by user ID. A compari-
son of the Create/Change Vendor report and the
invoices by user ID allow the USSC to determine any
conflicting transactions that occurred. Then the USSC
can request appropriate changes to user access to avoid
future conflicting capability transactions.
OT H E R C R I T I CA L CO N T R O L R E P O R T S IN
A C C O U N T S P AYA B L E
Various other reports are generated to ensure that the
accounts payable process has integrity. To effectively
generate these reports in a timely manner, the SAP
Security Contacts and Business Administrators in each
business unit at the example company also review and
use these SAP control reports (see Table 4).
REPORTING CHAIN
As noted earlier, the use of these various reports is itera-
48 SPRING 2009, VOL. 10, NO. 3
 Table 3: Conflicting Transaction Report for Purchasing and Payables
tive and ongoing in the review of segregation of duties,
proper user access, SAP profile review, conflicting capa-
bilities, global business warehouse spending, purchase
order (PO) list display, invoice changes report, and
blocked invoice reports, to name a few.
Specifically, the blocked invoice report is generated
and reviewed twice a week to detect invoices blocked
for whatever reason. By reviewing this report, the unit
manager is able to identify reasons why invoices are
blocked and then track the system so that overdue
items are promptly identified and attended to. Second,
by reviewing the PO changes report monthly, the busi-
ness manager can review everything that is being creat-
Table 4:
REPORT NAME
SAP profile review
Conflicting capabilities report
POs without reference to a requisition
POs created after the invoice
Open purchase documents
Blocked invoice report
M A N A G E M E N T A C C O U N T I N G Q U A R T E R LY
ed, including checks and price changes. Similarly, the
review of the SAP Profile report on a quarterly basis
ensures that business unit managers have nonconflict-
ing profiles for SAP or compensating controls. The
quarterly review of the conflicting capability report
ensures that no one person has conflicting abilities that
could enable fraud, such as the ability to create requisi-
tions and purchase orders.
By continuously reviewing these periodic reports
and updating the system for observed weaknesses,
the organization is committed to ensuring data and
system integrity in both its IT and business process
operations.
SAP Control Reports
FREQUENCY PURPOSE
Quarterly To ensure nonconflicting profiles
Quarterly To ensure no conflicting capabilities
Monthly To ensure all materials are requisitioned
Monthly To ensure no POs are created after the
invoice
Monthly To detect POs not fully received or
invoiced
Twice per week To resolve invoice discrepancies
49 SPRING 2009, VOL. 10, NO. 3
COMPLIANCE WITH S OX S E C T I O N 3 0 2
SOX Section 404 requires public companies to publish
information within the annual report concerning the
scope and adequacy of internal controls. In addition, the
statement on internal controls must assess their effec-
tiveness. An effective system of internal controls must
include policies and procedures to provide reasonable
assurance that:
1. Detailed records accurately reflect the underlying
transactions.
2. Transactions are recorded in accordance with Gener-
ally Accepted Accounting Principles (GAAP).
3. Transactions are being carried out only in accordance
with managements authorization.
4. Unauthorized transactions are being prevented or
detected.
The iterative process and the use of control reports
described in this article will assist management in
ensuring it has achieved, to the extent possible, the
third and fourth items. This iterative process of improv-
ing internal controls is extremely important to the
CEOs and CFOs of public companies because of the
requirements of SOX Section 302. Section 302
describes signed certifications required of the CEO and
CFO in corporate financial reports. It also includes a
requirement that these signing officers certify that they
are responsible for internal controls and that they have
evaluated the internal controls within the last 90 days.
The continuous reporting and monitoring described in
this article allow the CEO and CFO to have some
assurance that controls have been evaluated within the
last 90 days.
The current versions of ERP software also will allow
real-time notification of problems in internal control.
For example, the system can be configured to send an
e-mail notification to the appropriate unit administrator
if a user conducts transactions with conflicting abilities.
The Fortune 500 company described in this article does
not yet use such real-time notification.
C O N T R O L S A R E V I TA L
In the post Sarbanes-Oxley era, organizations must con-
tinue to improve internal controls over their ERP and
organizational processes to remain effective, efficient,
M A N A G E M E N T A C C O U N T I N G Q U A R T E R LY
and in compliance with regulations. Although different
organizations might pursue different internal control
strategies, organizations with an ERP system can lever-
age the current system to continuously monitor and
improve their internal controls through periodic or on-
demand controls or specialized reports. These reports
easily can be created from an ERP system, and they can
help alert managers and supervisors about authorization
or user access violations.
Through these control reports, conflicting capabilities
across various business processes can be detected and
corrected in a timely manner, either by a business unit
manager or an access control administrator. By utilizing
these control reports, organizations can reduce costs,
become more efficient, respond faster to changes in the
marketplace, safeguard assets, and avoid unnecessary
business exposures.
Organizations utilizing these control reports also can
expect to comply with the requirements of SOX more
effectively by having available detailed records that
accurately reflect the underlying transactions and by
having reports that show unauthorized transactions and
raise alerts when access to critical areas of the compa-
nys system are being prevented or detected.
Leslie D. Turner, DBA, CMA, CFM, is a professor of
accounting in the Rinker School of Business at Palm Beach
Atlantic University in West Palm Beach, Fla. He is a mem-
ber of the Palm Beach Area Chapter. You can reach him at
(561) 803-2470 or LESLIE TURNER@pba.edu.
Vincent Owhoso, Ph.D., is a professor in the Department of
Accountancy in the Haile/US Bank College of Business at
Northern Kentucky University in Highland Heights, Ky. You
can reach him at (859) 572-7548 or owhosov1@nku.edu.
50 SPRING 2009, VOL. 10, NO. 3