
The impact of ERP systems on internal audit planning : a teammate perspective


Academic year: 2021



Amsterdam Business School

The Impact of ERP Systems on Internal Audit Planning: a TeamMate Perspective.

Name: Peter Jas

Student number: 10681078

Supervisor: drs. Ed H. Jansen RA MCM

Date: June 22, 2015

Word count: 79672, 0

MSc Accountancy & Control, variant Control


Statement of Originality

This document is written by student Peter Jas, who declares to take full responsibility for the contents of this document.

I declare that the text and the work presented in this document are original and that no sources other than those mentioned in the text and its references have been used in creating it. The Faculty of Economics and Business is responsible solely for the supervision of completion of the work, not for the contents.

Abstract

The objective of this study is to research to what extent the use of an ERP system has an impact on internal audit planning. In-depth knowledge of the internal audit planning process, and of how ERP systems affect it, is gained through semi-structured interviews with TeamMate experts. Additionally, reviews of documents from an internal audit department and of TeamMate surveys support the interview findings.

The conclusions from this research are: 1. The internal audit planning process and the related risk assessment are performed at a high level, to create a risk rating for each auditable entity, and at a granular level, to review specific risks within the entity when the engagement audit takes place. 2. The use of an ERP system has limited to no impact on high level internal audit planning. 3. The use of an ERP system does affect granular level audit planning, in that less time is required to audit an ERP environment. This is because of smaller and fewer audit samples, the uniform availability of all data and the possibility to grow towards continuous auditing.


Contents

1 Introduction
2 Research Method
2.1 Semi-structured Interviews
2.2 Document Review
3 Literature Review
3.1 General information about the internal audit process
3.2 Main concerns in ERP auditing
3.3 ERP impact on high level audit planning
3.4 ERP impact on granular level audit planning
3.5 Other findings
4 Background
4.1 Wolters Kluwer Financial Services
4.2 TeamMate
4.3 Why TeamMate
5 Findings
5.1 General information internal audit planning process
5.2 Main concerns in ERP systems
5.3 ERP impact on high level audit planning
5.4 ERP impact on granular level audit planning
5.5 Other findings
6 Discussion
6.1 General information internal audit process
6.2 Main concerns ERP systems
6.3 ERP impact on high level audit planning
6.4 ERP impact on granular level audit planning
7 Conclusion
References
8 Appendices
8.1 Appendix I: Mind map to specify research topic
8.2 Appendix II: Thesis structure
8.3 Appendix III: Interview #1
8.4 Appendix IV: Interview #2
8.5 Appendix V: Interview #3
8.6 Appendix VI: Interview #4
8.7 Appendix VII: Interview #5
8.8 Appendix VIII: Interview #6
8.9 Appendix IX: Interview #7
8.10 Appendix X: Interview #8
8.11 Appendix XI: Interview #9
8.12 Appendix XII: Interview #10


1 Introduction

ERP systems link related business processes to one another through workflow automation and the use of one single database, which can facilitate real-time recording and reporting of economic events. Any single error, unintended or not, can have a significant effect on the accuracy of the data and, as a result, on the reporting. Internal auditors have the task of providing assurance that the data does not carry unassessed risks, so that senior management can make decisions based on adequate information.

Organizations require Accounting Information Systems to support Management Accounting Controls with timely and correct information. Accounting Information Systems need to collect and store data, transform data into information and provide controls to safeguard assets. Internal Control relies on Accounting Information Systems to monitor risk as well as compliance with regulations. COSO (2013) provides a framework for organizations to ensure that the business and its risks are under control.

Alsop (1998) provides a brief history of enterprise computing. He states that computers were invented around 1940 and came into use at companies in the 1950s. This "Big Computing" consisted of large and complicated mainframe machines, which could only be used by specialized people. In the 1980s "Personal Computing" was introduced and made the world of computers accessible to everyone. Limited connectivity and a variety of languages made communication between PCs challenging. The World Wide Web resolved this and moved enterprise computing into the age of "Networked Computing", in which we currently are. Networked Computing makes highly integrated information systems, like Enterprise Resource Planning (ERP), possible.

ERP systems can be seen as an integrated set of applications from various business procedures and departments, sharing one single database. This creates two main advantages: the elimination of multiple data entry and an increase in flexibility and real-time information to support Management Accounting (Kanellou and Spathis, 2013). According to Grabski, Leech and Schmidt (2011), ERP systems also have some downsides: implementation is expensive, there is no long-term benefit compared to competitors, and the systems are not always used to their full potential. Scapens and Jazayeri (2003) conclude in their research that Management Accounting is not changing because of ERP systems, but the role of the management accountant is.

As multiple data entry is eliminated with further integration of Accounting Information Systems, an internal control disappears (Sayana, as cited in Grabski et al., 2011). In organizations without any integration, and so with multiple data entry, the results from the various databases can be verified against each other at intermediate steps and used as a control to guarantee the completeness and correctness of data. For audits, as a large part of the internal control process, this will have an impact on the risk assessment and control activities (Bedard, Graham & Jackson, 2005).

This leads to the research question:

What impact does the use of ERP systems have on internal audit planning?

TeamMate is part of the Wolters Kluwer enterprise and creates audit tools for internal auditors around the world. I am currently working for Wolters Kluwer as a financial analyst, which helped in gaining access to TeamMate expertise. As a financial professional I make use of ERP systems and frequently communicate with internal auditors. The research question is therefore of interest to my profession. Another reason for this research question is that there has been a lot of research on the benefits and downsides of ERP systems, but limited in-depth research is available on the impact of ERP systems on audit planning. This research can give an organization further insight into how an ERP system can affect internal audit planning and in particular the risk assessment.

To answer it, the research question can be broken down into detailed questions. ERP systems are characterized by the use of one single database throughout the organization. As a result, data is entered only once into the ERP system, and this may be done at various physical locations. The detailed question resulting from this is:

a.   What are the main concerns of risk in an ERP system?

TeamMate experts and internal auditors indicate that audit planning can be split into two levels: the annual high level audit planning and the engagement granular audit planning. A risk assessment is performed at both levels of audit planning. The detailed research questions resulting from these aspects are:

b.   How does the use of an ERP system impact the annual or high level risk assessment and audit planning?

c.   How does the use of an ERP system impact the engagement or granular level risk assessment and audit planning?


In the next chapter, I give an explanation of the research methodology. After that, I give a literature review on the research question. In the background chapter, I give a brief outline of TeamMate, the expertise on which my research is based, and explain why TeamMate expertise adds value to this research. In the following chapter, the findings of the interviews and the document review are presented, followed by a discussion relating the findings to the literature. The final chapter states the conclusions of the research, together with its limitations and possible future research directions.


2 Research Method

The goal of this research is to gain in-depth knowledge of the relation between ERP systems and internal audit planning. TeamMate experts and users are selected to provide further information on the research question. Chapter 4 explains why TeamMate is suitable for this research. For robustness, two non-TeamMate users who perform audit planning are added. An iterative research process has been used, as newly found information from the semi-structured interviews may require further literature research. The qualitative approaches of semi-structured interviews and document review are most suitable to gain an in-depth understanding. A brief description of both approaches is given below.

2.1 Semi-structured Interviews

The main part of the research consists of interpreting interviews. Interviews are held with developers, consultants and users of TeamMate. As mentioned above, two non-TeamMate users who perform risk assessment and audit planning are added for robustness.

The semi-structured interviews start from the topics described in the literature section of this research. The questions are open and not formulated too specifically, to give the interviewees room to add topics and give a broad critical opinion on the impact of ERP systems on risk assessment and audit planning. The interviews start with questions about the interviewee's role in the organization and their expertise in internal audit and in internal audit planning tools such as TeamMate. The interview continues with a discussion of audit planning and ERP systems. This gives room for a good understanding of both aspects and for possible findings outside the research area of this paper. Once this common ground is established, questions about the impact of ERP systems on audit planning conclude the interview.

The professional roles of the interviewees are: Product Manager (Interviewees #7 & 9), Director of Product Management (Interviewee #6), Manager Consulting (Interviewee #1), Consultant (Interviewees #4 & 5), Director of Internal Audit (Interviewee #8) and Internal Auditor (Interviewees #2 & 3). As mentioned before, Internal Auditors (Interviewees #10 & 11) who are not using TeamMate, are added for robustness of the research.

The interviews took place in April and May 2015. They were recorded, transcribed and sent to the interviewees for review. Interviews 8, 10 and 11 were conducted in Dutch; any citations from those interviews have been translated in agreement with the interviewees. After interview #5 a mind map was created (see Appendix I) to specify the general direction of the interviews and to review the direction of this research.


2.2 Document Review

TeamMate consultants and developers are in constant communication with their clients, who are internal auditors all over the world in every type of industry, including governmental organizations. They annually run surveys and interviews about the internal audit process. The documentation resulting from these surveys and interviews is used in this research not only to confirm findings from the interviews, but possibly also as new information to answer the research question.

Another part of the document review comes from an internal audit department. A document is used showing the criteria in the annual risk assessment as applied by this internal audit department. This documentation is used mainly to answer the question whether an ERP system has an impact on the annual risk assessment and audit planning.


3 Literature Review

This chapter reviews, based on existing literature, how an Enterprise Resource Planning system affects internal audit planning. The first section gives a general overview of the internal audit process. After that, three sections review the literature on the detailed research questions. A final section was added after the interviews had taken place, to reflect the additional findings. Appendix II provides an overview of the structure of this chapter.

3.1 General information about the internal audit process

Goal of internal audit

Audits generally produce assurance and increased confidence in the organization or parts of the organization (Power, 2003). Kanellou and Spathis (2011) give a further explanation that internal auditing is an independent and objective validation of the organization, which improves the performance of the processes and assists in aligning the processes to achieve the goals of an organization. Auditors make use of electronic audit planning tools in order to make the audit process more efficient and this will give internal audit more room to perform the additional advisory task (Barret, Cooper and Jamal, 2005).

The COSO framework states that internal control, and therefore internal audit as well, can be seen as a process (COSO, 2013). Dirsmith & Haskins (as cited in Power, 2003) contradict this by stating that internal audit cannot be seen as a logical series of steps, but is rather "a social enterprise relying on deeply embedded perspectives". They explain that there is more to internal auditing than just following a formal process approach, because there are parts of the organization which will not be in the scope of this formal process. In agreement is the statement from Power (2003) that, in spite of programs to standardize the audit process, differences in audit routines are found. The continuous necessity for change in audits, sourced from economic, regulatory and political pressures, is another reason why it is challenging to standardize the audit process.

COSO framework

The COSO Executive Summary (2013) states: "Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance." Organizations can develop controls, like


2013). The COSO framework contains the components control environment, risk assessment, control activities, information & communication and monitoring activities.

In their research into the nature of specific control risks and the auditor's response to them, Bedard et al. (2005) find evidence that control environment risk factors are most frequently identified in the management information quality risk area. They identify two important areas of risk: Electronic Data Processing (EDP) security and management information quality. From their study it can be concluded that not all risk factors of the COSO structure are included in audit planning; for example, the control environment appears to be less tangibly related to audit planning. In line with this, Hsu, Sylvestre and Sayed (2006) explain that the COSO framework is used to consider risks relevant to business, accounting and auditing & assurance, and that the assessment of risks in an ERP environment can be classified into four categories: business, control, system and security. These statements suggest that the COSO framework can be used as a basis for auditing, but is not necessarily used in its entirety.

Risk assessment

One of the five integrated components in the COSO framework is the risk assessment. COSO (2013) explains that every organization faces risks, sourced either internally or externally. Risk is further defined as "the possibility that an event will occur and adversely affect the achievement of objectives", which means that events may occur that have an impact on the possibility of achieving the objectives of the organization. COSO (2013) also states that the risk assessment should include objectives at all levels of the organization and determines what level of risk the organization accepts. The risk assessment in the COSO framework, in relation to internal audit, can be interpreted as a way to identify and rate risks at all levels of an organization, to specify which areas the internal audit department should focus on.

Auditors were already performing some sort of risk assessment before the first COSO framework was introduced. The COSO organization was set up in 1985, while Gaumnitz et al. (1982) had already concluded that auditors perform some sort of evaluation of internal control in order to determine the audit plan. Whether or not the risk assessment originates from the COSO framework, it is certain that the risk assessment is an important part of the audit planning process (Bedard et al., 2005). In their research into the impact of information system risk on audit planning, they find evidence that the assessed risk increases as the risk factors related to management information quality increase.

Power (2003) further concludes that if the risk assessment is performed with an unstructured approach, then a wider range of risk factors is used in the risk assessment. Low (2004) adds that, with the current complexity of organizations, auditors specialized by industry are better able to recognize the risk factors to be used in the risk assessment.

3.2 Main concerns in ERP auditing

Accounting Information Systems are important in creating support for management accounting and have evolved throughout the years. They started out by automating processes such as posting transactions to journals and sorting the transactions according to the chart of accounts of the general ledger (Rom & Rhode, 2006, p. 40). In the 1980s each department had its own Information System, including a stand-alone database. In order to make processes more efficient, interfaces were created to communicate between the different databases. This communication is challenging, as the different systems might not use the same language (Davenport, 1998).

Characteristics of ERP

Kanellou et al. (2013) describe that the need for integration between the systems of the various departments has grown, as management accounting requires more real-time information for decision-making. They find evidence in their research that with the introduction of ERP systems, organizations are able to increase flexibility in information generation, increase the integration of data throughout the organization in the accounting information system, improve the quality of reports and improve the decisions based on timely and reliable accounting information. Hsu et al. (2006) add that ERP systems are implemented to gain efficiency in the processes. These ERP systems contain cross-functional modules to integrate all information systems from the different departments and use one database (Robey, Ross & Boudreau, 2002).

As a result of these characteristics, Scapens et al. (2003) conclude that ERP systems lead to more forward-looking information and that line managers gain accounting knowledge. An ERP system also eliminates multiple data entry, as data is processed decentrally by operating personnel in each department, which automatically generates the appropriate accounting entries, instead of as a centralized routine task in the accounting department. In their research they also conclude that the elimination of routine tasks makes room for a different role for the management accountant, who becomes a support for the business managers.

Another characteristic of ERP systems is that each includes its own unique features (Hsu et al., 2006), and it is challenging to find the ERP system that is most closely aligned with the organization's requirements. The research of Grabski et al. (2011) is in line with this statement, as they explain that the implementation of an ERP system results in an iterative process between how the ERP system shapes the processes of an organization and how the ERP system is modified to meet the organization's requirements.

Access Management

An ERP system uses a single database containing organization-wide confidential information. This raises the concern of internal and external access to the corporate data (Grabski et al., 2011). Hsu et al. (2006) describe these security risks as unauthorized access to equipment, software or the database, which should be mitigated by physical and logical security controls. The physical controls relate to equipment and are very similar in an ERP environment and a non-ERP environment. The logical controls relate to passwords, encryption and firewalls, and are used to prevent unauthorized access to a system or database.

Hsu et al. (2006) explain that the logical controls also include the segregation of duties, which prevents errors and fraudulent activities. Segregation of duties in a non-ERP environment is more easily monitored, as an individual's access is confined to a fragmented system, whereas in an ERP system there is more staff and there are more access points in the system to be controlled. About segregation of duties COSO (2013) states that it is part of the control activities and that, if segregation of duties is not practical, management should install alternative control activities.

Hunton, Wright and Wright (2004) state that a weakness in the access controls has greater significance in an ERP environment, because if these controls are not properly configured, unauthorized access to confidential information or unauthorized adjustment of the data can have a big impact on the organization. Hsu et al. (2006) agree with this statement and add that internal audit needs to determine the potential risk and develop mitigating controls.
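To make the segregation-of-duties point concrete, the following is an added example, not code from the thesis, from TeamMate or from any ERP vendor, of the check an auditor can run over exported role assignments. The permission names, the conflict pairs, the role catalogue and the user-to-role assignments are all constructed for illustration; a real review would take them from the ERP's authorization tables and the organization's own SoD matrix. The check works on each user's effective permission set, so a conflict spread across two individually clean roles, the case the text describes as hard to monitor in an ERP system, is still caught.

```python
"""Segregation-of-duties (SoD) conflict check over ERP role assignments.

Added example for illustration. The permissions, conflict matrix, roles and
user assignments below are constructed assumptions, not data from any ERP.
"""
from itertools import combinations

# Constructed conflict matrix: permission pairs one person must not hold
# together, because the combination lets a single user both create and
# conceal a fraudulent transaction.
SOD_CONFLICTS = {
    frozenset({"VENDOR_MAINTAIN", "PAYMENT_RELEASE"}),
    frozenset({"VENDOR_MAINTAIN", "INVOICE_POST"}),
    frozenset({"PO_CREATE", "PO_APPROVE"}),
    frozenset({"INVOICE_POST", "PAYMENT_RELEASE"}),
    frozenset({"GL_JOURNAL_POST", "GL_PERIOD_CLOSE"}),
}

# Constructed role catalogue: role -> permissions it grants.
ROLE_PERMISSIONS = {
    "AP_CLERK": {"INVOICE_POST", "VENDOR_VIEW"},
    "VENDOR_ADMIN": {"VENDOR_MAINTAIN", "VENDOR_VIEW"},
    "TREASURY": {"PAYMENT_RELEASE"},
    "BUYER": {"PO_CREATE"},
    "PURCHASING_MANAGER": {"PO_APPROVE"},
    "GL_ACCOUNTANT": {"GL_JOURNAL_POST"},
    "CONTROLLER": {"GL_PERIOD_CLOSE", "GL_JOURNAL_POST"},
}

# Constructed user-to-role assignments, as exported from the ERP's
# authorization tables.
USER_ROLES = {
    "alice": ["AP_CLERK", "VENDOR_ADMIN"],
    "bob": ["BUYER", "PURCHASING_MANAGER"],
    "carol": ["TREASURY"],
    "dave": ["AP_CLERK", "TREASURY"],
    "erin": ["CONTROLLER"],
}


def effective_permissions(user, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role assigned to a user.
    A role missing from the catalogue is an error, not something to skip:
    an unknown role could grant anything."""
    perms = set()
    for role in user_roles.get(user, []):
        if role not in role_permissions:
            raise KeyError(f"role {role!r} assigned to {user!r} is not in the catalogue")
        perms |= role_permissions[role]
    return perms


def _conflicting_pairs(perms, conflicts):
    """Sorted permission pairs in `perms` that appear in the conflict matrix."""
    return [(a, b) for a, b in combinations(sorted(perms), 2) if frozenset({a, b}) in conflicts]


def sod_violations(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS, conflicts=SOD_CONFLICTS):
    """Map each violating user to the conflicting pairs in their effective
    permissions. Checking the effective set (not role by role) catches a
    conflict assembled from two roles that are each clean on their own."""
    findings = {}
    for user in user_roles:
        hits = _conflicting_pairs(effective_permissions(user, user_roles, role_permissions), conflicts)
        if hits:
            findings[user] = hits
    return findings


def roles_with_intrinsic_conflict(role_permissions=ROLE_PERMISSIONS, conflicts=SOD_CONFLICTS):
    """Roles that contain a forbidden pair by themselves, so every holder is
    in violation regardless of other assignments; these need redesign or the
    alternative control activities COSO describes."""
    return {role: hits for role, perms in role_permissions.items()
            if (hits := _conflicting_pairs(perms, conflicts))}


if __name__ == "__main__":
    for user, hits in sod_violations().items():
        print(f"{user}: {hits}")
    print("roles that conflict on their own:", roles_with_intrinsic_conflict())
```

On the constructed data, alice (vendor master plus invoice posting), bob (create and approve purchase orders), dave (invoice posting plus payment release) and erin are reported; erin's finding comes from the CONTROLLER role itself, which the second function surfaces separately because no reassignment of users fixes a role that is conflicting by design.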

Process flows

Decisions are no better than the data on which they are based. Haug, Stentoft & Pedersen (2009) describe that data is created in every step of the business process and that decisions are based on this data. In order to make appropriate decisions it is vital that the data is of adequate quality. In their research they describe that in non-ERP environments the main data quality concern is inconsistency between the various systems in use in an organization. In line with this are the conclusions of Hunton et al. (2004) and Hsu et al. (2006), who explain that with the integrated modules of an ERP system, processes become interdependent, and the fact that data is entered only once can heighten the control risk requirements.

Sayana (as cited in Grabski et al., 2011) points out that with the integration between modules and the seamless data collection, there is no longer the opportunity to verify data by comparing the same data from different databases at the steps of a business process. This contradicts the statement of Grabski et al. (2011), who explain that an ERP system offers advantages for risk management, as the controls are integrated and tested within the system. Hsu et al. (2006) explain that the standard set of controls is not always configured as intended by design, because controls have a negative impact on efficiency, and in the trade-off between controls and productivity, management usually chooses efficiency.

3.3 ERP impact on high level audit planning

IT Controls

ERP systems carry the risk of dependence on one single system. COSO (2013) specifically states that an organization should have control activities in place that mitigate risk to acceptable levels for all parts of the organization, including the technology environment. In a study of audit risk assessment, Hunton et al. (2004) conclude that auditors identify higher risks in business interruption, process interdependency and overall control risk in ERP systems compared to non-ERP systems. The research claims that financial auditors underestimate ERP system risk, specifically the risk in system security, and that audits should be a combined effort of financial and IT experts.

ERP implementation or adjustments

ERP systems are expensive and complicated to implement (Davenport, 1998; Grabski et al., 2011; Hunton et al., 2004). For a successful implementation, Grabski & Leech (2007) conclude that internal audit should be part of the implementation process. Internal auditors can review whether the control methods are configured in line with company policy. Grabski et al. (2011) explain that ERP systems do not reach a status quo after implementation: they continue to be reconfigured, updated and extended. This raises concerns in an organization about how these changes affect the flow of data and the accuracy of information. COSO (2013) also recognizes the risk in system alterations and states that these should be included in the risk assessment.


3.4 ERP impact on granular level audit planning

Single manual data entry

As ERP systems are tightly integrated, any single data entry error, whether intentional or not, affects the quality of the data and may affect decisions in the business operation (Hsu et al., 2006). It is important that managers are aware of these business risks and address them properly. Hsu et al. (2006) continue that the human factor has a great impact on the business risk and is caused by lack of user involvement, lack of adequate knowledge and high stress levels. In detail they describe that in an ERP system processes are interconnected and automated, so any single data entry affects the connected cycles, and there are usually no verification or rectification possibilities at a later stage in the process.

Haug et al. (2009) agree with this statement and add that outside an ERP environment data quality problems occur as a result of inconsistency of the same data across various systems. Kang and Santhanam (2004) also agree that errors in data entry cause misinformation and conclude that users need adequate training to gain a better understanding not only of the system but also of the business impact of the data entry they perform. They conclude that not enough attention is paid to training on the interdependencies of tasks in an ERP environment. Hsu et al. (2006) also recognize that a solution can be found in adequate training.

System controls

ERP systems already contain adequate controls to mitigate security issues and process interdependencies, although these system controls must be adequately configured (Hunton et al., 2004). An impact on audit planning comes from the complexity of the audit environment (Gaumnitz et al., 1982). Their research concludes that there should be an inverse relationship between the strength of internal control and the audit hours planned. Hunton et al. (2004) further claim that management should recognize the risk in the system controls and that internal audit should test them.

In their research Hunton et al. (2004) find evidence that financial auditors underestimate ERP system risk, whereas IT auditors do recognize the risk in system controls. The solution Hunton et al. (2004) propose is to combine the expertise of financial and IT auditors in audits of an ERP environment. Kanellou et al. (2011) state that the auditor's role is changing and gaining a stronger focus on IT auditing, because of the complex IT settings in ERP systems. Not only should IT auditors be more involved in the audit process and the related risk assessment, but financial auditors should also be adequately trained to perform audit tests in an efficient and effective manner.

Audit preparation

One of the characteristics of an ERP system is that it uses only one database, containing all data of the organization in one single format. Grabski et al. (2011) explain that the internal audit department can benefit, as data is available more quickly, although this depends on the user's system knowledge and system access authorizations. They also state that the internal audit department benefits from the data being in one single format: the data is easier to read and recognize, and no reformatting is required to fit it into analytical tools. This decreases the required audit time and therefore affects audit planning.

Continuous auditing

In the last two decades the need for continuous auditing of business information has increased (Kuhn and Sutton, 2010). Continuous auditing can be described as the methodology of reviewing and reporting on all transactions and system settings on a real-time basis in order to gain assurance on the accuracy of a company's data and information (Alles, Brennan, Kogan and Vasarhelyi, 2006). As mentioned above, ERP systems contain all company data in a single database and in a uniform format. Kuhn et al. (2010) state that this provides the critical infrastructure required for internal audit to use electronic tools for continuous auditing, implemented as modules inside the ERP system called Embedded Audit Modules (EAM).

Kuhn et al. (2010) also explain that organizations focus more on strategic enterprise risk management, and for this reason the demand for continuous auditing is increasing. ERP environments also demand increased control procedures, because a lot of reliance is placed on system controls and many errors may remain undetected in the enormous amount of data (Kanellou et al., 2011; Alles et al., 2006).

Jans, Alles and Vasarhelyi (2013) raise some concerns related to continuous auditing. They reason that in data analysis every transaction can be seen as an anomaly from some perspective. The internal auditor should have a thorough understanding of the possible point of error, and the logic in the analysis should be focused on this point. Debreceny, Gray, Ng, Lee and Yau (2005) add concerns about the independence of the auditor when using EAM: if the internal audit department no longer makes use of a separate system, the independence of the auditor might become questionable. They also state that with the use of an EAM, the performance of the entire ERP system is negatively impacted. A final point of concern is raised by Kuhn et al. (2010), who point out that large organizations make use of various ERP systems, and in each instance an EAM must be implemented and maintained. This has a negative impact on the availability of audit hours.
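The following is an added example, not the thesis's own material and not any vendor's embedded audit module, of the kind of rule logic a continuous-auditing tool runs over postings read from the ERP's single database. The postings, the approval limit, the time windows and the rule names are constructed assumptions. It also shows one answer to the Jans et al. concern that every transaction is anomalous from some perspective: each rule records a reason, and only postings that trip more than one rule are escalated, while single-rule hits stay as low-priority material for the auditor to sample.

```python
"""Rule-based continuous-auditing checks over ERP journal postings.

Added example for illustration. The postings, thresholds and rule names
below are constructed assumptions, not taken from any ERP or audit product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed postings, shaped like what an embedded audit module would read
# from the accounts-payable tables. Amounts are in one currency.
POSTINGS = [
    {"id": "1001", "vendor": "V-17", "amount": 4900.0, "user": "dave", "approver": "erin", "posted": "2015-04-13T10:05:00"},
    {"id": "1002", "vendor": "V-17", "amount": 4900.0, "user": "dave", "approver": "erin", "posted": "2015-04-13T10:07:00"},
    {"id": "1003", "vendor": "V-17", "amount": 4800.0, "user": "dave", "approver": "erin", "posted": "2015-04-13T10:09:00"},
    {"id": "1004", "vendor": "V-02", "amount": 120.0, "user": "alice", "approver": "bob", "posted": "2015-04-14T14:30:00"},
    {"id": "1005", "vendor": "V-02", "amount": 120.0, "user": "alice", "approver": "bob", "posted": "2015-04-21T09:00:00"},
    {"id": "1006", "vendor": "V-09", "amount": 15000.0, "user": "carol", "approver": "carol", "posted": "2015-04-18T23:40:00"},
    {"id": "1007", "vendor": "V-11", "amount": 300.0, "user": "bob", "approver": "erin", "posted": "2015-04-20T11:00:00"},
]

APPROVAL_LIMIT = 5000.0            # assumed single-signature approval limit
SPLIT_WINDOW = timedelta(hours=1)  # assumed window for threshold splitting
DUPLICATE_WINDOW = timedelta(days=30)


def _ts(posting):
    return datetime.fromisoformat(posting["posted"])


def rule_self_approval(postings):
    """Transaction-level segregation of duties: poster equals approver."""
    return {p["id"]: "posted and approved by the same user"
            for p in postings if p["user"] == p["approver"]}


def rule_outside_hours(postings, start=7, end=20):
    """Postings at the weekend or outside an assumed working-hours window."""
    out = {}
    for p in postings:
        t = _ts(p)
        if t.weekday() >= 5 or not (start <= t.hour < end):
            out[p["id"]] = "posted outside business hours"
    return out


def rule_split_below_limit(postings, limit=APPROVAL_LIMIT, window=SPLIT_WINDOW):
    """Several postings to one vendor by one user inside a short window, each
    under the approval limit but together over it (threshold splitting)."""
    groups = defaultdict(list)
    for p in sorted(postings, key=_ts):
        groups[(p["vendor"], p["user"])].append(p)
    out = {}
    for members in groups.values():
        for i, first in enumerate(members):
            run = [q for q in members[i:]
                   if _ts(q) - _ts(first) <= window and q["amount"] < limit]
            if len(run) > 1 and sum(q["amount"] for q in run) >= limit:
                for q in run:
                    out[q["id"]] = "part of a series that together exceeds the approval limit"
    return out


def rule_duplicate_payment(postings, window=DUPLICATE_WINDOW):
    """Same vendor and amount posted again within the window."""
    seen = defaultdict(list)
    out = {}
    for p in sorted(postings, key=_ts):
        key = (p["vendor"], p["amount"])
        for earlier in seen[key]:
            if _ts(p) - _ts(earlier) <= window:
                out[p["id"]] = f"same vendor and amount as posting {earlier['id']}"
                break
        seen[key].append(p)
    return out


RULES = [rule_self_approval, rule_outside_hours, rule_split_below_limit, rule_duplicate_payment]


def audit(postings, rules=RULES, min_hits=2):
    """Run every rule, collect the reasons per posting, and split the result
    into postings to escalate (at least min_hits rules tripped) and
    low-priority single hits left for sampling."""
    hits = defaultdict(list)
    for rule in rules:
        for pid, reason in rule(postings).items():
            hits[pid].append(reason)
    escalate = {pid: r for pid, r in hits.items() if len(r) >= min_hits}
    low = {pid: r for pid, r in hits.items() if len(r) < min_hits}
    return escalate, low


if __name__ == "__main__":
    escalate, low = audit(POSTINGS)
    print("escalate:", escalate)
    print("low priority:", low)
```

On the constructed postings, 1002 (a duplicate that is also part of a split series) and 1006 (self-approved, posted on a Saturday night) are escalated; 1001, 1003 and 1005 trip one rule each and stay low priority. The thresholds and windows are the part the auditor must set from knowledge of the process, which is the point Jans et al. make about knowing the possible point of error before writing the analysis logic.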

3.5 Other findings

Audit risk

The COSO framework states that internal control procedures should provide reasonable assurance that an organization meets its objectives (COSO, 2013). It also states that there are limitations to this, because internal control has no influence on external factors or on bad internal judgments and decisions. This means that the COSO framework recognizes that internal auditors cannot identify and/or mitigate all company risks. Bedard et al. (2005) note a contradiction to this for IT controls: because of ISA regulations, which, at least in the US, highlight the importance of a thorough understanding of IT, it is no longer acceptable to default to a conclusion of high control risk and avoid assessing control system weaknesses in audit planning.

Power (2009) concludes in his research on the challenges of Enterprise Risk Management that risk management in an organization is mainly focused on accounting and auditing norms of control. This indicates that there is less or no focus on risks which lie outside the financial area of an organization. Power also states that the risk appetite, which can be understood as the acceptable risk level of an organization, is becoming a tick-box exercise for management instead of a true focus on the organization's risks.

Future of ERP systems

As stated above, ERP systems do not always match the requirements of an organization (Hsu et al., 2006; Grabski et al., 2011). One way to work around this is to use several ERP systems, because a single ERP system cannot meet the requirements of all parts of an organization (Kuhn et al., 2010). These points raise the question whether such organizations should adopt an expensive and complicated ERP solution at all. Peng and Gala (2014) see a trend for organizations to migrate their ERP systems to applications and databases in the cloud, in reaction to the high investment and maintenance costs of ERP systems. Cloud computing is a network model for using a shared pool of configurable computing resources; in the form of a hybrid cloud, various clouds can be combined so that data from various environments can be used (Mel and Grance, 2010).


4   Background

In this chapter I describe the TeamMate organization. I will also explain why this organization is used as subject in this paper.

4.1   Wolters Kluwer Financial Services

Wolters Kluwer Financial Services (WKFS) provides software, expertise and services to organizations around the world to assist with critical business decisions such as compliance and risk management and safe and profitable growth. WKFS is the worldwide leader in compliance, risk management, finance and audit solutions for the financial industry and utilizes this expertise in other industry segments. These solutions can help at all levels of the organization, including risk and compliance challenges related to growth of the business through new or existing customers, managing the risk and performance of portfolios, or optimizing risk-based performance across the entire organization.

The risk solutions provide a more comprehensive view of risk across multiple disciplines within an organization and a deeper understanding of the risks affecting a financial organization's business. This includes risk types such as credit risk, enterprise risk, financial crime control, liquidity risk, market risk and operational risk. The compliance solutions enable organizations to balance increasing regulatory and risk management obligations with improving business performance. The technology systems and services allow organizations to adapt more efficiently to changing regulations, enhance data quality and break down operational silos. The compliance solutions contain information about the various dimensions of regulations, policies and procedures and the compliance and reporting related to these items.

The finance solutions bring risk management, compliance, finance and performance together in a single architecture. This allows organizations to better control and manage financial data, to obtain a clear organization-wide view and to enhance the management of risk and performance. The audit solutions make the audit process more efficient to manage and allow auditors to spend less time on documenting and reviewing and more time on providing value-added services.


4.2   TeamMate

TeamMate is a part of WKFS which develops audit management software to increase the efficiency and productivity of the internal control process, including risk assessment, scheduling, planning, execution, review, report generation, trend analysis, audit committee reporting and storage. The TeamMate software supports a paperless strategy for managing audits and removes the barriers between paper-filled binders and disconnected electronic files, leading to an efficient internal control workflow. The TeamMate software can be used as one fully integrated system or as three stand-alone pieces of software:

-   TeamMate Audit Management
-   TeamMate Analytics
-   TeamMate Control Management

TeamMate Audit Management (TAM) contains several modules, which together provide a tool for a streamlined audit process. The software provides a seamless data flow between the different audit aspects, such as risk assessment (to develop a risk based audit plan), audit documentation, scheduling of staff and audits, and tracking of audit projects. TeamMate Analytics (TA) is a set of tools which give auditors quick and easy analysis to identify unusual patterns and anomalies in data. Internal auditors, fraud examiners, finance managers and accountants, in organizations ranging from single-person departments to Big 4 audit firms, make use of TA. TeamMate Control Management (TCM) is software developed to address compliance with financial reporting standards such as SOX. TCM provides a flexible relationship between entities, processes, financial statement accounts and other reporting structures to facilitate filtering and sorting of key information.

4.3   Why TeamMate

TeamMate is relevant to this research as the audit planning tool is used by more than 90,000 auditors around the world. Both the support given during implementation of the software and the annual surveys held among its users, which are used to further develop the software, give TeamMate expertise in internal control planning. The interviewees from the TeamMate development and consulting departments do not currently perform internal audit planning themselves, but they are familiar with the internal audit planning process, because they work closely with clients to properly configure their audit planning process in the TeamMate system, and most of the interviewees have experience in internal audit planning from prior internal auditing roles.


The applicable systems settings can be found in:

•   TeamRisk: a risk assessment tool to generate audit plans and to compare risk against frameworks such as COSO, the Basel Committee on Banking Supervision and the Institute of Internal Auditors; it scores selected risks and populates custom measures.
•   TeamEWP: a documentation system to spend less time on documenting.
•   TeamCentral: an issue tracking database of audit findings and key statistics.
•   TeamTEC: a time and expense capture and reporting tool.
•   TeamSchedule: a tool to schedule staff and audits.
•   TeamStore: a companion tool that houses best practice work programs and workpaper templates.

The settings most applicable to the research question are within TeamRisk and TeamSchedule. These areas contain detailed information on which parts of the processes within the organization contain the biggest risks and on how the audit planning is designed to cover these risks.


5   Findings

This chapter contains the results from the interviews and documentation review. This chapter has the same structure as the interviews. It starts with general questions about the audit process, after which it will continue with paragraphs per detailed research question. It ends with a paragraph with additional findings. The general interpretation of the interviews is described and will lead to a conclusion to answer the detailed research questions. Interviewee citations are placed at the end of each section and will support the interpretations coming from the interviews. Each paragraph ends with a conclusion coming from the interviews.

5.1   General information internal audit planning process

Goal internal audit

The main goal of internal audit is to give assurance to the board on the risks in the organization and on the reliability of information by performing an independent review. This includes testing that business processes work as intended and reporting when they do not. Internal auditors also assist in the mitigation of risks and the remediation of irregularities in the processes. Any errors in transactions, whether intended or unintended, are investigated by internal audit, which then advises on mitigations to prevent damaging actions from recurring. As long as internal audit only advises in this process, it keeps its independence, which is important for properly reviewing those mitigations afterwards. Internal audit is aware that it is close to impossible to prevent any error from ever occurring.

Apart from this classical role of internal audit, in the last decade the role has been shifting towards a more advisory one. Internal audit keeps track of company-wide best practices, which can be used to assist departments in organizing their processes. When systems or processes are newly implemented or changed, internal audit departments are asked to assist in testing the setup and controls of these systems and processes up front, as a post-launch adjustment to a system or process is always more complicated.

Interviewee #9: “I would say the main goal of an audit is that the chief audit executive gains an understanding as to how certain parts of the business or a certain process of the business works. Ideally to gain assurance that it’s working or that things are as they should be, but if they are not that they identify those issues, identify problems that might impact the business. And they work with the management to put in place a process for remediating them.”

COSO framework

The TeamMate system used to be built in alignment with the COSO framework. Based on customer experience, the TeamMate products are now focused more on the risk assessment component of the COSO framework. There has certainly been a shift over the years towards the use of the COSO framework in organizations. On the question whether internal auditors perform their profession with the use of the COSO framework, no uniform conclusion can be formed.

According to some of the interviewees the COSO framework is not used, because internal auditors would have to spend time explaining the principles of that framework to the various stakeholders. As internal auditors are already pressed for time, they would rather use terminology the company is familiar with. Aside from the terminology, there is also a concern whether COSO is used as intended: to monitor the entire internal control system of a company. The risk assessment component of the COSO framework is used, but that may be too focused on the financial side of an organization. Other parts of the COSO framework, for example the monitoring activities, are not used that frequently in internal audit.

Other interviewees respond positively to the question and state that the COSO framework is focused on risk in the company environment and how those risks are controlled. They state that internal control is also focused on control of risk, so the COSO framework is used in internal control. The terminology used by internal controllers, like risk assessment and control activities, is used in the COSO framework as well.

The interviewees contradict each other in their answers, which leads to an interesting discussion outside the scope of this research. An alignment between the COSO framework and internal audit is recognized in all interviews. If the COSO framework is not used in its entirety by internal auditors, it is at least a starting point and it is used within systems such as TeamMate. The risk assessment, as it can be interpreted from the COSO framework, is certainly used.

Interviewee #6: “Corporately they will tell you that they follow the COSO framework. They’re monitoring risks and measuring them and they will identify controls. But if you take a look at what the COSO framework was supposed to be for, you realize they don’t really follow it.”

Interviewee #11: “You'd say that most of it is based on the COSO framework. It comes back a lot in literature and I think there is quite a lot of reference to it. In fact it is also a question of what controls you have in your environment designed to hedge risk and that’s what COSO is all about.”


Risk assessment

In practice, an internal audit department only exists in larger organizations, and larger organizations tend to be more complex. The internal auditors do not have sufficient resources to perform full company-wide audits and for this reason they want to focus on the areas of high risk. From the interviews it is not certain whether the COSO framework or a risk assessment is mandatory for larger companies, but performing a risk assessment will identify the areas of high risk in large, complex organizations.

The majority of internal audit departments are no longer checklist driven and perform a true risk assessment. In the past the risk assessment would take up to 25% of the budget of an audit; nowadays it takes up to 40% of the audit budget. This indicates that the risk assessment has become a more important part of the audit process and of the audit planning specifically.

The organizations that are audited are large and complex. The organization is split up into various entities, which can be a business unit or a project, on which an audit can be performed. These entities together are called the audit universe and each of these entities has specific risks. For a risk assessment it is impossible to identify each specific risk and to compare all risks in order to state which has the higher risk ranking. The internal audit department therefore performs a risk assessment at a high level, with the same risk factors for every entity, to identify which entities are to be audited. When an entity is being audited, a risk assessment is performed at a granular level.

Interviewee #1: “What I’m seeing now, how internal audit has evolved, is that true focus on risk. I would say that probably 90% of the clients I work with do a true risk assessment as part of their audit planning.”

Interviewee #4: “The main goal for a risk assessment, is to really to be able to stand back and from a very high level to be able to focus in on areas that are of higher risk. So that way we can then perform an audit during that particular year that will further assess those risks.”

High level audit planning

The high level audit planning is performed on an annual basis, or over a similar timeframe, and results in a list of entities to be audited in that timeframe. The audit planning process starts with the creation of an audit universe, which lists all auditable entities. If an audit universe has already been identified, it only needs updating by adding new investments or projects, eliminating any divestments and possibly combining auditable entities which have been merged.

Then the risk assessment is performed, starting with a review of the strategy of each auditable entity within the audit universe to get a good understanding of the environment or business that it is in. Internal audit defines the risk factors, from both the company-wide policies and the entity strategy. These risk factors are given pre-defined, specific rating criteria. The risk assessment continues by rating all the entities of the audit universe on these risk factors. This creates a priority list of entities with the highest risk. The outcome of the risk assessment is discussed with the audit committee and the board of directors. Any concerns may change the priority of the entities. When the audit planning is set, it is discussed with the entity management to create a more exact planning of when the audit can take place.

Interviewee #2: “So what we do is we try to list all those entities and processes, create an audit universe and then we have defined risk criteria and we rate all the entities based on those criteria. So we have defined those risks criteria and we have defined how we rate those criteria. And then based on the outcome of that we have the riskier entities and those are the ones we should be focusing on.”

Granular level audit planning

Once the high level audit plan has been set, the internal auditors start with the granular level audit planning. The auditors perform a review of the entity: through interviews with management and senior staff and by reading reports, a better understanding is gained of the product portfolio, business processes, objectives and management's view of the risks within that entity. This can be compared with the review from the previous audit and with the high level review of that entity to see if anything has changed.

A risk assessment is performed at granular level to identify controls and potential risks within that entity. Based on that risk assessment a granular audit plan or testing plan is created. The auditors then execute the testing from the audit plan and, if new risks are identified, a new risk assessment is performed that includes the new knowledge. From the findings of the audit execution, an opinion is formed. Finally a report is issued stating the issues and possible advice for mitigation.

Conclusions

From this paragraph it can be concluded that the interviewees have a very aligned vision of the purpose of internal audit and of the processes that are used. All interviewees state that the risk assessment has grown to become an important part of the audit planning process, and that the audit planning, with the risk assessment as part of it, is performed at a high annual level and at a granular engagement level. Although there is some discussion whether the audit planning is sourced from the COSO framework, it can generally be concluded from the interviews that they are related.


5.2   Main concerns in ERP systems

Characteristics of ERP

ERP systems are defined as large, complicated systems which have an impact across the entire organization. They are modular in setup, almost every department uses the same system and all data is stored in one database. This places a lot of reliance on one system, as all staff depend on the same system and database.

The interviewees consider ERP systems expensive and difficult to implement. The challenge in the implementation is to properly set up system controls which match the requirements of each department working in that system. Another point of attention is that an ERP system basically forces an organization to adopt the process flows as designed in that system. This means that the system does not adapt to the requirements of the organization; instead the organization squeezes its processes into the process flows designed in the system. Organizations should be aware of this when making the choice to purchase such an ERP system.

Access management

ERP systems use one database which many departments and their staff work in. One of the major concerns of the interviewees relates to access management. There is a big concern about who has access to data and who can change it. An ERP system and its database contain company-wide information, and without proper access control any person, internal or external, who can reach the system could view or even change that information.

A proper setup of segregation of duties in the system controls, together with security controls, therefore becomes essential. If system controls such as access controls are not set up correctly, a person could view or even change company information he or she should not be able to. A strict segregation of duties is required between the maintenance of master data and the use of it. For example, a purchaser should not have access to the bank information of vendors, because he or she might change it, which may result in incorrect payments. However, if access controls are set up properly, the use of an ERP system gives a solid mitigation against fraud.
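
The segregation of duties rule described above (master data maintenance kept apart from its use) can be checked mechanically over the ERP's role assignments. The following Python script is an added example and is not part of this thesis, of TeamMate or of any ERP product: the role names, the activities each role grants and the conflict rules are constructed assumptions for illustration, and the user-to-role assignments, which in practice would be exported from the ERP's authorization tables, are constructed sample data.

```python
"""Segregation of duties (SoD) check over ERP role assignments.

Added example: the roles, activities, conflict rules and users below are
constructed for illustration and do not come from the thesis or from TeamMate.
"""

# Constructed role catalogue: the business activities each ERP role grants.
ROLE_ACTIVITIES = {
    "PURCHASER": {"create_purchase_order"},
    "AP_CLERK": {"post_vendor_invoice"},
    "AP_MANAGER": {"release_payment"},
    "MASTER_DATA_ADMIN": {"maintain_vendor_master"},  # includes vendor bank details
    "DISPLAY_ONLY": {"display_vendor_master"},
}

# Constructed conflict rules: activity pairs one person must never hold together.
SOD_RULES = {
    frozenset({"maintain_vendor_master", "create_purchase_order"}):
        "can create or alter a vendor and then buy from it",
    frozenset({"maintain_vendor_master", "release_payment"}):
        "can change vendor bank details and then pay to the new account",
    frozenset({"post_vendor_invoice", "release_payment"}):
        "can post a fictitious invoice and pay it",
}


def effective_activities(roles, role_activities=ROLE_ACTIVITIES):
    """All activities a user can perform through the union of his or her roles."""
    activities = set()
    for role in roles:
        activities |= role_activities.get(role, set())
    return activities


def find_sod_conflicts(assignments, rules=SOD_RULES, role_activities=ROLE_ACTIVITIES):
    """Return one finding per (user, rule) where the user holds both activities.

    assignments: {user_id: [role, ...]} as exported from the ERP authorization tables.
    Each finding is (user_id, activity_a, activity_b, risk_description).
    """
    findings = []
    for user, roles in sorted(assignments.items()):
        held = effective_activities(roles, role_activities)
        for pair, risk in rules.items():
            if pair <= held:  # the user holds both activities of the pair
                activity_a, activity_b = sorted(pair)
                findings.append((user, activity_a, activity_b, risk))
    return findings


# Constructed sample export of user-to-role assignments.
SAMPLE_ASSIGNMENTS = {
    "alice": ["PURCHASER"],
    "bob": ["PURCHASER", "MASTER_DATA_ADMIN"],  # the purchaser example from the text
    "carol": ["AP_CLERK", "AP_MANAGER"],
    "dave": ["MASTER_DATA_ADMIN", "DISPLAY_ONLY"],
}

if __name__ == "__main__":
    for user, a, b, risk in find_sod_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"{user}: holds {a} and {b}; {risk}")
```

Running the script lists the users who hold conflicting activities through the combination of their roles; in the terms of the text these are the segregation of duties issues an audit of access management would report, or that a compensating control (such as an independent review of vendor bank account changes) would have to cover. Checking the union of activities rather than the role names matters because a conflict can arise from two individually harmless roles.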

Process flows

Another point of concern is the process flows within an ERP system. ERP process flows are usually well tested before going to market, but they still need to be tested in each organization to ensure that the proper information is coming out of the ERP system. This is especially true if the ERP system is not a good fit for the organization and modifications in the system or in the process have been made to make it fit. This raises serious concerns about the accuracy of the data and the reliability of the information. When an ERP system is used as intended and fits the company's process flows, this gives more assurance about the accuracy of the data and the reliability of the information.

Interviewee #2: “Access management. Because if access is not managed correctly you have segregation of duties issues. Second thing is how the process flows in the system.”

Interviewee #7: “The first concern is probably going to be the accuracy of the data. You want to look at the reporting that is coming out of it. Making sure there is a correct security in place. So making sure that people don’t have access to information they shouldn’t have.”

Conclusions

This paragraph describes that organizations using ERP systems gain communication between departments, because of the integration of the various modules. It also raises the risks of an improper fit with the organization and of incorrect configuration of those systems. From an internal audit point of view, ERP systems raise concerns about access management, including segregation of duties, and about the process flows within the ERP system, both of which affect the reliability of information. If an ERP system matches the organization's needs and is set up properly, it provides powerful system controls to mitigate risks.

5.3   ERP impact on high level audit planning

IT Controls

As stated in the previous paragraph, a lot of reliance is placed on an ERP system as it is a big part of the organization. If the system is not operating or data has been corrupted then this could cost millions for an organization, because the entire organization will not be able to operate.

In a non-ERP environment the systems and databases are more scattered and for that reason the risk of the entire organization not being able to operate is scattered as well. If in such an environment a system is not operating or a database is corrupted, only part of the business might be unable to operate, which makes the financial impact lower. For this reason a backup procedure or a disaster recovery procedure is more important for an organization with an ERP system than for an organization which makes use of more scattered systems. In the high level risk assessment this can be taken into account and therefore it impacts the high level audit planning.


Interviewee #11: “You look what are your critical systems and how is the backup procedure, recovery procedure and alternate location. What happens if there is a power failure and everything is down? Costs could be millions a day, globally said. What do you have as an alternative?”

ERP implementation or adjustments

In the high level audit planning and risk assessment, the only system-related concern is the implementation of a new system or changes in the process flows of existing systems. The concern is mainly about the process flow and the control settings. For example, if a change has been made in the process flow on the input side, how does that change impact the information on the output side? This concern is not limited to ERP environments, but as ERP systems are highly complex, the impact of such a change could result in a higher risk ranking in the risk assessment.

Interviewee #3: “One of the big things that would trigger for a specific entity a higher ranking in the overall risk in the annual planning, if it changed systems. When something is business as usual, you can have a little bit more comfort that everything is running ok and you can assume that they are setup ok. There’s a lot more risk in an entity that is going to roll out a new system, to completely replace an old system. So that would cause an entity to be rated a lot more risky.”

ERP no impact

In the interviews no other impact of ERP systems on the high level audit planning was raised. Both items mentioned can be included in the high level risk assessment, and especially the risk of improper IT controls can have a major impact, but the likelihood is small and for this reason it often does not affect the risk assessment much.

Interviewee #3: “I wouldn’t say it particularly impacts the planning in a sense that we know that regardless of whether there is a monolithic system or multiple systems in place, we will still be looking at the same scope areas if we go to an entity.”

In the documentation from the internal audit department the risk factors, which all give rating values between 1 and 5, are listed; the auditable entities are rated on these factors. Most of the risk factors are purely financial, for example the variance between last year's EBITA and budget. Other risk factors focus on a change of product mix, acquisitions or customer assurance. These types of risk factors have no relation to the use of an ERP system. Out of the fourteen risk factors only one can be related to ERP systems, which is the risk factor that scores changes or transformations in processing. On this risk factor, entities which are going through a change of applications or a system implementation get a higher risk rating. This is in line with the statements above, but is not limited to ERP systems.

Conclusions

This paragraph concludes that the impact of ERP systems on the high level annual risk assessment is minimal. The IT controls for disaster recovery and backup procedures should be taken into consideration, because of the dependence on one single system. An additional note is that the implementation of an ERP system or changes within the ERP settings can cause an entity to be rated with a higher risk.

5.4   ERP impact on granular level audit planning

Single manual data entry

Manual data entry raises more concerns for internal auditors than automated data entry, such as using scanning devices. More tests or larger samples are needed for a manual data entry process and this increases the time required to perform the audit. In an ERP environment data is entered into the system only once, which means that the data needs to be entered correctly at that single entry. There is no opportunity to match data input across various databases, as there is in a non-ERP environment. This raises the question of how this will impact the granular audit planning, not whether it will.

The data entry is performed by decentralized departments, which might not understand the impact of these entries. For example, a sales order is entered by the sales department and this eventually impacts the financial reporting. The sales department does not have specific finance knowledge and for that reason is not aware of the impact of an entry. In contrast, the sales person does have expert knowledge of the sale and is more likely to know whether a sales order has actually taken place. From that perspective the data entry may contain less risk.

In a non-ERP environment where multiple data entries are used, the data is entered centrally at the accounting department, which does have specific knowledge of the financial reports but lacks knowledge of the actual sales order. In such an environment there will be twice the number of manual data entries and twice the samples to be tested by the internal auditor, increasing the audit time required and thereby the audit planning. With the use of interfaces, which eliminate the multiple manual data entries, there is the great concern of matching data: what happens to the data which is in transit? It raises many more concerns about data accuracy. The fact that the same data is in two or more databases, which could be used as a reconciliation method, does not benefit audit planning as much as the additional testing work costs the auditors, because comparing different databases in a non-ERP environment is not that effective or easy.

The fact that data might be entered in different geographical locations does not have an impact on the audit planning. There are risks of communication issues or cultural differences, but in a non-ERP environment that potential risk is identical.

Interviewee #6: “It depends on whether the people who are doing this data entry understand the implications of everything they do. If the people who enter the data understand what the information is used for, then it will be ok to have them enter the information. But if they don’t understand the purpose of it, therefore they don’t think they need to be 100% accurate on things, it will impact all the way down the chain.”

System controls

In an ERP environment the risks of manual data entry raised above can be mitigated by system controls, as briefly mentioned in paragraph 5.2. The risk of incorrect data entry can also be mitigated by having a second person check the data entry. Training can help to ensure that data is entered in the appropriate fields and at the same time creates awareness of the impact of the data entry. These two mitigation methods are not as strong as the system controls which an ERP system offers.

Form masks or field limitations can be set in the system controls of an ERP system. These system controls can ensure that all required fields are populated at data entry and that fields are entered with a certain logic, for example thresholds on amounts, or rejecting dates in the future or too far in the past. A proper configuration of these system control settings leads to a powerful mitigation. These system control settings will be a point of attention in an audit and will be thoroughly tested, but that saves a lot of time in the overall audit and therefore impacts the audit planning. Testing data control settings requires specific knowledge, which differs from the knowledge needed for testing samples of manual entries. The internal auditors' expertise will shift from operational auditing towards IT auditing.
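
To make concrete what such system control settings look like and how an auditor can test them, the following Python script is an added example, not from this thesis, from TeamMate or from any ERP product. It models the controls of a sales order entry screen as a configuration (required fields, form masks, an amount threshold, an allowed value list and a date window) and applies that configuration to an entry. The field names, the mask patterns, the threshold of 50,000 and the 30-day window are constructed assumptions, as are the two sample entries.

```python
"""Field-level input controls (form masks and field limitations) as configuration.

Added example, not from the thesis or TeamMate: the field names, masks,
amount threshold, date window and sample entries are constructed assumptions.
"""
import re
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed control configuration for a sales order entry screen.
ORDER_ENTRY_CONTROLS = {
    "order_id":    {"required": True, "mask": r"SO-[0-9]{4,}"},
    "customer_id": {"required": True, "mask": r"C[0-9]{6}"},
    "amount":      {"required": True, "type": "decimal", "min": "0.01", "max": "50000.00"},
    "currency":    {"required": True, "allowed": ["EUR", "USD"]},
    "order_date":  {"required": True, "type": "date", "allow_future": False, "max_days_past": 30},
}


def validate_record(record, controls, today):
    """Apply the configured controls to one entry and return the list of violations.

    An empty list means the entry would be accepted. `today` is passed in rather
    than read from the clock so that a test of the control settings is reproducible.
    """
    violations = []
    for field, rule in controls.items():
        value = record.get(field)
        if value is None or str(value).strip() == "":
            if rule.get("required"):
                violations.append(f"{field}: required field is empty")
            continue  # nothing further to check on an empty field
        value = str(value).strip()
        if "mask" in rule and not re.fullmatch(rule["mask"], value):
            violations.append(f"{field}: {value!r} does not match mask {rule['mask']}")
        if "allowed" in rule and value not in rule["allowed"]:
            violations.append(f"{field}: {value!r} not in allowed values {rule['allowed']}")
        if rule.get("type") == "decimal":
            try:
                number = Decimal(value)  # Decimal, not float, for monetary amounts
            except InvalidOperation:
                violations.append(f"{field}: {value!r} is not a number")
                continue
            if "min" in rule and number < Decimal(rule["min"]):
                violations.append(f"{field}: {number} is below minimum {rule['min']}")
            if "max" in rule and number > Decimal(rule["max"]):
                violations.append(f"{field}: {number} exceeds threshold {rule['max']}")
        if rule.get("type") == "date":
            try:
                when = date.fromisoformat(value)
            except ValueError:
                violations.append(f"{field}: {value!r} is not an ISO date")
                continue
            if not rule.get("allow_future", True) and when > today:
                violations.append(f"{field}: {when} lies in the future")
            if "max_days_past" in rule and (today - when).days > rule["max_days_past"]:
                violations.append(f"{field}: {when} is more than {rule['max_days_past']} days old")
    return violations


# Constructed reference date and sample entries: one clean, one tripping several controls.
TODAY = date(2015, 6, 22)
GOOD_ENTRY = {"order_id": "SO-1001", "customer_id": "C000123", "amount": "1250.00",
              "currency": "EUR", "order_date": "2015-06-20"}
BAD_ENTRY = {"customer_id": "X12", "amount": "75000", "currency": "GBP",
             "order_date": "2015-07-01"}  # order_id missing on purpose

if __name__ == "__main__":
    print("good:", validate_record(GOOD_ENTRY, ORDER_ENTRY_CONTROLS, TODAY))
    print("bad:", validate_record(BAD_ENTRY, ORDER_ENTRY_CONTROLS, TODAY))
```

Because the controls are data rather than code, an auditor testing them can read the configuration directly and feed it boundary cases (an amount of exactly 50,000.01, a date exactly 31 days old) instead of sampling entered records; that is the shift from testing manual entries to testing control settings which the text describes.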

Interviewee #8: “In fact an ERP has a single database with multiple points of entry. If you configure that correctly then it’s really powerful. If you don’t configure that correctly or if you’re using more databases, then you have a problem. Then you don’t have the advantage of an ERP system. The more unambiguous you configure the ERP, the better the controls are and less risk and less audit. And the other way around, if you increase complexity, then that increases exponentially.”

Interviewee #3: “If you have a fully integrated sales order entry and bookkeeping system and fulfillment system. If that is all in one, we then don’t need to spend quite as much time looking at that, because you know if the order was entered right and if it’s been fulfilled, then in theory everything in between went well. We might focus more on change in processes, systems, discount procedures, credit notes.”

Audit preparation

An ERP system contains all its data in one database. This characteristic is very beneficial for the internal audit department, as data is available more quickly and is easier to interpret. All the data is stored in one place, which means there is a single place to retrieve the data from as well. Internal auditors may be able to retrieve the data themselves, although that does raise some concerns about how the data retrieval script affects the database. The data will be available in a consistent format and is for that reason easier to use. If the same database is used over the years, the benefit only increases. The internal auditors only have to evaluate one set of data, which means they do not have to familiarize themselves with the different outputs of different systems.

Another beneficial point is that the sample size will be stable. If the maximum sample is 10,000 entries, in an ERP environment there will only be 10,000 entries to test, no matter whether there are 2 million or 10 million data entries. In a non-ERP environment, by contrast, every database requires its own sample of 10,000 data entries. For this reason the use of an ERP system reduces the sample size tremendously, and therefore the audit time and the audit planning as well.

Continuous auditing

On September 22, 2014 Wolters Kluwer announced the launch of an analytical tool within the TeamMate system (Wolters Kluwer Financial Services, 2015). The tool itself is briefly described in paragraph 3.2 of this paper. Wolters Kluwer Financial Services sees TeamMate Analytics as a tool that allows internal auditors to analyze big data easily and to limit the time spent on engagement testing.


It is becoming a requirement for internal audit departments to have skilled staff and the proper tools in place to perform data analytics. More and more internal auditors perform data analytics as part of their audit testing: big data is retrieved from a system and analyzed against certain criteria. This way of auditing is replacing sample testing, because with data analytics auditors can review more transactions in less time than they could with sample testing. It saves the auditors a lot of time while still covering more transactions.

It seems an auditor’s dream to put data into a tool and have the tool identify the problem areas. Data analytics does, however, raise the issue that the tool is only as good as its setup: if an auditor applies the wrong criteria to the data, the tool cannot identify the problem areas properly. Another prerequisite is that the data is in the same format. In non-ERP environments this is more challenging, as the various databases contain data in different formats.

With the use of an ERP system, data analytics can be very powerful and internal auditors are no longer limited by sample size: they are able to audit 100% of the transactions. Internal auditors then move towards continuous auditing. Entity controllers perform continuous monitoring, which is reviewing 100% of the transactions in real time. The roles of the controllers and the internal auditors become closely aligned, where the controller checks all transactions for accuracy and the internal auditor provides assurance over the accuracy of all transactions.
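The following Python script is an added illustration of the two points made above and in the audit preparation paragraph; it is not code from this thesis, from TeamMate or from Wolters Kluwer. It shows (a) the sample-size arithmetic when each source system is sampled separately versus a single ERP population, and (b) full-population analytic tests over a constructed set of journal lines: a segregation-of-duties rule, a duplicate-payment rule and a statistical outlier test based on z-scores. It also shows the “tool is only as good as its setup” caveat: the same outlier test with an ill-chosen threshold reports nothing. All field names, thresholds and the journal data are assumptions constructed for this example.

```python
"""Full-population analytic tests over constructed ERP journal lines (added example)."""
from dataclasses import dataclass
from statistics import mean, pstdev


def samples_required(populations: dict[str, int], max_sample: int = 10_000) -> int:
    """Total items to test when every source system is sampled separately.

    One ERP database yields at most one sample of max_sample entries, however
    large the population; n separate databases yield up to n such samples.
    """
    return sum(min(count, max_sample) for count in populations.values())


@dataclass(frozen=True)
class JournalLine:
    """One posted journal line in the (assumed) uniform ERP export format."""
    doc_id: str
    vendor: str
    amount: float
    posted_by: str
    approved_by: str


# Constructed amounts: 19 routine postings around 1,000 and one unusual 95,000.
_AMOUNTS = [950, 1000, 1050, 1100, 980, 1020, 990, 1010, 1005, 995,
            1200, 900, 1150, 850, 1075, 925, 1025, 975, 1000, 95000]


def build_population() -> list[JournalLine]:
    """Build the constructed population; JE-02/JE-19 repeat a vendor+amount and
    JE-20 is both the outlier and a self-approved posting."""
    lines = []
    for i, amt in enumerate(_AMOUNTS):
        vendor = "ACME" if i in (1, 18) else f"V{i:02d}"
        poster = f"user{i % 3}"
        approver = poster if i == 19 else "ctrl1"
        lines.append(JournalLine(f"JE-{i + 1:02d}", vendor, float(amt), poster, approver))
    return lines


def sod_exceptions(lines: list[JournalLine]) -> list[str]:
    """Rule test: a line posted and approved by the same user."""
    return [ln.doc_id for ln in lines if ln.posted_by == ln.approved_by]


def duplicate_payments(lines: list[JournalLine]) -> list[tuple[str, str]]:
    """Rule test: same vendor and amount appearing under two document ids."""
    first_seen: dict[tuple[str, float], str] = {}
    dups = []
    for ln in lines:
        key = (ln.vendor, ln.amount)
        if key in first_seen:
            dups.append((first_seen[key], ln.doc_id))
        else:
            first_seen[key] = ln.doc_id
    return dups


def amount_outliers(lines: list[JournalLine], z_threshold: float = 3.0) -> list[str]:
    """Statistical test: lines whose absolute amount lies more than
    z_threshold population standard deviations from the mean."""
    amounts = [abs(ln.amount) for ln in lines]
    mu, sigma = mean(amounts), pstdev(amounts)
    if sigma == 0:
        return []
    return [ln.doc_id for ln in lines if abs(abs(ln.amount) - mu) / sigma > z_threshold]


def run_full_population_tests(lines: list[JournalLine], z_threshold: float = 3.0) -> dict:
    """Run every test over 100% of the lines, the way the text describes
    data analytics replacing sample testing."""
    return {
        "sod": sod_exceptions(lines),
        "duplicates": duplicate_payments(lines),
        "outliers": amount_outliers(lines, z_threshold),
    }


if __name__ == "__main__":
    print("separate systems:", samples_required({"sales": 2_000_000, "ar": 3_000_000, "gl": 5_000_000}))
    print("single ERP:", samples_required({"erp": 10_000_000}))
    pop = build_population()
    print("well-configured criteria:", run_full_population_tests(pop))
    # A threshold above the maximum attainable z-score for 20 items finds nothing.
    print("ill-configured criteria:", run_full_population_tests(pop, z_threshold=5.0))
```

The rule tests depend on the export having one consistent schema, which is exactly what the single ERP database provides; in a multi-system environment each source would first need mapping onto the same fields before these tests could run across all of them.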

Interviewee #5: “People are becoming more aware of analytical procedures and being able to administer and then save time and being able to look at more things. And just become more efficient in your process. It’s not so much as becoming limited, it’s more that you will be able to cover more. When you’re dealing with analytical procedures and being able to rely on those results, you’ll be able to test 100%. Using an analytical process. I’m not talking about comparison from this year to last year, but digging much deeper. Looking for information, using statistical methods. Like if there is a normal distribution to evaluate information. Being able to look at outliers. Things like that.”

Interviewee #9: “I think the advantage to this type of testing is that you don’t need to limit yourself to a sample size. There are tools now that auditors can use where they can use analytics to test an entire data set. So they don’t necessarily have to rely on small samples of data to gain assurance. Ideally, or what is the trend in the industry, is towards empowering the business so that they can have their own controls in place, so towards continuous monitoring.”
