4.2. What should be reviewed?
In any systems implementation, the software is only one part of the picture. Many other components make up a successful implementation, and these are identified below. Each of these areas may necessitate a specialised audit, as each requires a unique level of knowledge and a distinct skill set. Although I have discussed each of these components separately, it is important to understand that they all interact with each other and are part of one organisational system.
4.2.1. Hardware
Each software vendor will provide the business with certain minimum specifications that should be followed when determining the hardware requirements of clients and servers. These requirements should be strictly adhered to. Often these specifications will be based on statistics that the auditors have provided to the vendor regarding the volumes of transactions to be processed. Every effort should be made to ensure that these statistics are correct, as inaccurate statistics may result in sizing problems. The organisation should ensure that it sizes the hardware in such a manner that it provides for growth.
4.2.2. Network
There's nothing worse than going live and finding that inadequate network speed brings the system to a screeching halt. Efforts should be made to ensure that network speeds are tested and that all persons involved in system operation have access to the network. Control should also be maintained over the network to prevent unauthorised users from gaining access.
4.2.3. Software
Every organisation has various layers of software upon which its ERP system resides, as well as other systems, both internal and external, with which it interacts - see figure 2. Audits should be conducted of the software subsystems within the organisational system. The following are key areas that should be examined:
- Standard ERP parameters, including application controls, authorisations and standard security configuration.
- Application security - to ensure that processing occurs in an efficient and controlled manner, while protecting valuable data.
- Configuration decisions - to help provide reasonable assurance of the integrity of business processes and application security.
- Design documentation - to ensure appropriate security and control.
- The security administration process - to provide reasonable assurance that access granted is appropriately identified, evaluated and approved.
Many business processes may be extended out over the intranet, extranet or Internet. The auditor should provide reasonable assurance that security processes appropriately address the risks this introduces.
4.2.4. Processes
An audit of an ERP should provide assurance on the integrity of the processes in use by the business. Specifically, the following audit and review tasks should be undertaken:
- Identify control objectives for the processes being implemented.
- Identify and assess potential business risks and financial risks in the processes being implemented.
- Develop and design the most effective and efficient ways of controlling these risks (which implementers generally do not focus on or do not have the expertise to develop).
- Perform an independent analysis of key business activities, comparing the organisation's processes to leading practices and recommending process improvements.
- Provide assurance that the controls within the ERP are appropriate and effective.
- Review the interfaces feeding into the ERP from non-ERP systems (including legacy, web-based and mobile computing applications).
- Perform audit tests focusing on business processes and internal control. Many organisations reengineer business processes during ERP implementation.
- Review business continuity plans and provide reasonable assurance that they have been tested.