In Part 1 of this post, we discussed the role of auditors in protecting the interests of outside parties. We also looked at the first two of four internal control objectives: centralized administration of master files and segregation of duties.
Safeguarding of Assets
While it is true that no ERP system can fully protect cash, customer invoices, or hard assets, ERP provides process and reconciliation tools that reduce the risk that assets will be mismanaged, lost, or stolen. Here are some examples:
- “Positive payment” exports to the bank as an external control to prevent altered or stolen checks from being paid
- Bank reconciliations that track outstanding checks and deposits-in-transit
- Accounts receivable aging and collection notes along with specific credit memo codes that identify the reasons for why invoices were discounted or written off
- First-Expired, First-Out (FEFO) picking and potency management to reduce the risk of inventory write offs
- Inventory transaction journals that provide a trail of all receipts and issues, including those related to unidentified physical count adjustments
- Project accounting that allows construction costs to be accumulated before a new asset is completed and transferred to fixed assets for depreciation
System Security
Certain fundamental program logic and set-up parameters also provide control in the ERP environment. Restricted user access is an important function. User profiles can be developed to allow the user to create and/or edit master or transaction data based on defined roles. “View only” or authorization to generate certain reports may be granted to others on a “need to know” basis. For example, while the CSR must be able to review customer contacts and product pricing, the buyer often does not need access to that information.
ERP systems will not allow a document to be deleted once it is created. Although a transaction such as a PO, work order, sales order, or check could be cancelled or voided, it cannot be deleted or the serial number sequence would be broken.
Inventory records can be associated with lot and/or serial numbers and tracked by location and stock status, including quarantine. Through backward traceability, an enterprise can follow the history of a shipped product to in-house and subcontracted manufacturing operations, inspections and testing, and the origins of subassemblies and components. The document attachment feature can be used to store a digital copy of receiving paperwork such as a country of origin, heat treat, or sterilization certificate.
Finally, because of the integrated nature of ERP systems, different transaction records are tied to other records. One example is a return to vendor (RTV) shipment for non-conforming product that links to a debit memo, receiver, and the original PO. Another one is a customer return merchandise authorization (RMA) that links to the credit memo, shipment, and original sales order. Often the chain of recordkeeping can be accessed easily via a “drilldown.”
* * * * * * * * * * * * * * *
While there are numerous features in ERP systems that facilitate an audit process, ultimately the integrity of an organization is in its people. Systems training, standard operating procedures (SOPs), codes of conduct, informative reporting, management by exception, and prompt action on auditors’ recommendations are all vital for the well-being and reputation of any company.
