How to prepare for your next ERP audit

Most CFOs trust their system administrators to manage user roles and security in a way that protects the company against segregation of duties (SoD) issues. These precautions ensure auditors won’t find users who have misunderstood role assignments or have even manipulated roles to set up fake vendors. Really? Fake vendors? Really. We see it regularly at Arbela through our Audit and Security practice for Dynamics AX. We asked Corey Bakhtiary, ASM Practice Director for Arbela, to share scenarios that threaten companies and their officers, including five questions to answer before your next audit.

Arbela's Audit & Security Manager (ASM) addresses audit, risk management, and security management, producing simple AX reports for users, their roles and their level of security. It also allows simple changes to security when the roles are not performing as intended.

Company officers often don’t realize that no user ever has just one role. Users stack roles and try to align a person or a user base with a job title and job position. But administrators can assign one user 15 or 20 roles, stacking roles to give them a lot of access. Sometimes administrators don’t understand what the user really does when they get a request to assign an AP role. So, they will assign one or the other to see if it works without consideration for the rights that come with the role. With ASM, administrators can give users access on a granular level. Companies can be prescriptive about how they provision security. The risk comes in the out-of-the-box AX roles themselves. But some roles have inherent risk. For example, in the accounting manager role, users could create vendors and customers, submit general journals, create fictitious accounts, and you face explaining to your auditors how the system was compromised. Risk is not just stacking roles.

Arbela protects officers of AX implementations with role audits using ASM. The audit role change log tracks security, which includes changes to roles and assignments for users. If an administrator assigns a role to a user to allow an activity the user has a problem with, that will generate a red flag. We track those changes so an auditor can see what roles are approved and what have been generated without approval.

ASM also has standard reports to identify who can perform various activities, who can post an activity, who can touch the ledger, who can or potentially can make a material impact on financial statements. Instead of the CFO trying to figure out what happened and how it happened, you have a list of everyone who can touch the ledger. And someone with signing authority must authorize these roles.

So how do you protect yourself? Don't fear your next ERP audit, know the answers to these five questions:

1. Who can impact your financial statements?
   Are those users set up with a receivable account? If so, they can set up a shell bank account where they can post payments or receivables to that account for themselves.
2. How can you spot unauthorized changes to security?
   We have noticed that numerous changes happen immediately before an audit and immediately after an audit. Users removed everyone’s access to the point that business stopped so they could pass their audit. After the audit, they would re-provision the rights which is a fraudulent violation. Since someone in IT made the changes, the CFO did not know this was happening. The user didn’t get approval from finance and audit to make changes. But the auditors didn’t see any violations. Then, lo and behold, when the auditors leave, someone sets up a vendor that is actually their brother-in-law and pays them for nothing. Without security, this activity is consistently unnoticeable during regular workflow.
3. Are you in compliance with licenses?
   One of our clients had 300 enterprise users without licenses to use their Microsoft software. That’s $200K in licensing fees they weren’t paying. With ASM’s license auditing, we cut 120 users. We ask questions that eliminate redundancies like users with multifaceted jobs being counted more than once.
4. Do you know your users’ material impact to financial statements?
   Inappropriate access puts you and your company at risk. Every quarter for a public company, the corporate controller should assign a statement of understanding for the Board: “To the best of my ability we went through a user access review and we understand that there is no material impact to the financial statement.” Could you confidently sign your name to that?
5. How well does your corporate auditor know AX?
   Risks are same for public or private companies, but punishment is different. A private company is your company, so you need to know what’s happening and we can give you the benefit of our years of AX knowledge. Public companies might let their audit firms handle ERP audits even though they don’t know AX. Having us in the room with the audit firm gives you an extra level of confidence because we train them on the process of how you manage security and your process and goals. We make a project plan and continually improve the process.