Comments on: Auditors And ERPs – Can We Rest “Assured” ? http://retheauditors.com/2008/07/08/auditors-and-erps-can-we-rest-assured/ The Business of the Big 4 Audit Firms Tue, 22 May 2012 15:02:22 +0000 http://wordpress.org/?v=2.9.1 hourly 1 By: re: The Auditors » Blog Archive » Auditing Standard 5: How Now, Brown Cow? http://retheauditors.com/2008/07/08/auditors-and-erps-can-we-rest-assured/comment-page-1/#comment-70674 re: The Auditors » Blog Archive » Auditing Standard 5: How Now, Brown Cow? Tue, 29 Dec 2009 16:50:57 +0000 http://76.12.174.187/?p=754#comment-70674 [...] challenges for the IT audit and risk teams within the audit [...] [...] challenges for the IT audit and risk teams within the audit [...]

]]> By: keystonesandrivets http://retheauditors.com/2008/07/08/auditors-and-erps-can-we-rest-assured/comment-page-1/#comment-793 keystonesandrivets Thu, 28 Aug 2008 15:04:00 +0000 http://76.12.174.187/?p=754#comment-793 Hi Francine,<br/><br/>You and Dennis Howlett put together a great series of posts on this topic.<br/><br/>In your ‘Links to this Post’ section there is a link my post “Auditing IT systems” where I discuss them and add my take:<br/><br/>“To be able to accurately assess risk of IT system failure, three things need to be clearly understood and easily communicable:<br/><br/>1. Which IT assets or resources support a particular business process or service - allowing the question, “Which parts of the business will be directly affected should this IT System, or part thereof, fail?” to be answered.<br/><br/>2. The value of those business processes to the company operation - allowing the question “What would be the financial impact should an IT system, or component thereof, fail?” to be answered.<br/><br/>3. How data flows between the IT Systems that enable the business services to operate - which, critically, allows an assessment to be made of “Which parts of the business will be indirectly affected should this IT asset fail?” ”<br/><br/>What do you think? Your feedback is very welcome.<br/><br/>Regards,<br/>Paul Wallis Hi Francine,

You and Dennis Howlett put together a great series of posts on this topic.

In your ‘Links to this Post’ section there is a link my post “Auditing IT systems” where I discuss them and add my take:

“To be able to accurately assess risk of IT system failure, three things need to be clearly understood and easily communicable:

1. Which IT assets or resources support a particular business process or service – allowing the question, “Which parts of the business will be directly affected should this IT System, or part thereof, fail?” to be answered.

2. The value of those business processes to the company operation – allowing the question “What would be the financial impact should an IT system, or component thereof, fail?” to be answered.

3. How data flows between the IT Systems that enable the business services to operate – which, critically, allows an assessment to be made of “Which parts of the business will be indirectly affected should this IT asset fail?” ”

What do you think? Your feedback is very welcome.

Regards,
Paul Wallis

]]> By: Francine McKenna http://retheauditors.com/2008/07/08/auditors-and-erps-can-we-rest-assured/comment-page-1/#comment-708 Francine McKenna Wed, 09 Jul 2008 19:27:00 +0000 http://76.12.174.187/?p=754#comment-708 @IJustWorkHere Thanks much. SAS 70 was just one area around ERP risks, specifically related to growth of SaaS/cloud computing, that I wanted to mention, based on some recent conversations. You raise several more really good ones. @IJustWorkHere Thanks much. SAS 70 was just one area around ERP risks, specifically related to growth of SaaS/cloud computing, that I wanted to mention, based on some recent conversations. You raise several more really good ones.

]]> By: Anonymous http://retheauditors.com/2008/07/08/auditors-and-erps-can-we-rest-assured/comment-page-1/#comment-707 Anonymous Wed, 09 Jul 2008 18:46:00 +0000 http://76.12.174.187/?p=754#comment-707 The failure to map CLC's and not having a centralized list of all required SAS 70 reports are both common. As an external auditor I am not overly concerned about them though because we can perform our own mapping and identify all required SAS 70's with proper scoping and understanding of the clients systems. <br/><br/>To me, the real risks are:<br/>1) Defining roles and responsibilities via access rights (SOD)<br/>2) Improperly configured software allowing application controls to be bypassed<br/>3) Push back from the client and the audit teams, forcing the IT Auditor to only do a cursory review of the ERP<br/>4) Failure to identify certain application controls as key<br/>5) Competency of client ERP admins.<br/>6) Competency of IT Auditors<br/><br/>-IJustWorkHere The failure to map CLC’s and not having a centralized list of all required SAS 70 reports are both common. As an external auditor I am not overly concerned about them though because we can perform our own mapping and identify all required SAS 70’s with proper scoping and understanding of the clients systems.

To me, the real risks are:
1) Defining roles and responsibilities via access rights (SOD)
2) Improperly configured software allowing application controls to be bypassed
3) Push back from the client and the audit teams, forcing the IT Auditor to only do a cursory review of the ERP
4) Failure to identify certain application controls as key
5) Competency of client ERP admins.
6) Competency of IT Auditors

-IJustWorkHere

]]>