ERP SYSTEMS AND THE SARBANES–OXLEY ACT (STUDY OBJECTIVE 8)

Referring back to Exhibit 15-3, you will notice that within the financials module, there is a section entitled “Corporate Governance.” Since the passage of the Sarbanes–Oxley Act of 2002, ERP systems have been enhanced to include functions that assist management in complying with sections of the Act. For example, Section 404 of the Act requires assessment of internal controls. An internal control report is required to accompany each financial statement filing. The internal control report must establish management's responsibility for the company's internal controls and related financial reporting systems. It must also include an assessment of the effectiveness of the company's internal controls and related financial reporting systems. If there are any weaknesses in internal controls, they must be disclosed in this report.

Enhanced ERP systems provide feedback information to management regarding internal controls. To effectively use this function of an ERP system, there are important steps the company should accomplish:

  1. Establish and maintain a list of incompatible duties. These incompatible duties are often called conflicting abilities. For example, proper segregation of duties should not allow an employee to both approve purchases and record or approve goods received at the receiving dock. A company must review all of the possible activities conducted by employees within the accounting system and catalog the list of conflicting abilities.
  2. As user IDs and passwords are assigned to employees, ensure that they are given access and authority only to those parts of the system required. If done correctly, this should segregate duties to avoid giving conflicting abilities to any employee involved with the ERP system. This assigning of access and authority for a specific user ID is called a user profile. ERP systems can be used to properly segregate duties. The ERP system can incorporate a matrix of tasks that are conflicting abilities. For each employee ID and password, the system can check the employee's access to various tasks to ensure that no employee can initiate or conduct incompatible tasks. The ERP system electronically segregates duties by limiting the types of transactions each employee can perform. For example, an individual employee should not have system access to initiate a purchase and record it as received. In ERP systems in which integrated modules often automatically trigger events, recording the receipt can automatically initiate a check for payment. Thus, it is important that no employee have authorization in the ERP system to both initiate a purchase and record the receipt.
  3. Because of promotions or other job changes, an employee may have different access or authorizations. It is important that a company review the user profile and change any access and authority levels as necessary. Forgetting to do this may lead to an employee having conflicting abilities.
  4. Configure the ERP system to track and report any instances where an employee initiated or recorded an event with conflicting abilities. For processes tracked by the ERP software, a report can be generated that identifies which employees are authorized to initiate and conduct processes. Based on each employee's user profile, audit trails can be constructed and reported that indicate which employees initiated or conducted individual processes. This module within the ERP system can map processes to assist management in understanding whether duties are appropriately segregated. The timing for this reporting of conflicting abilities is determined by management. Some companies review these reports on a periodic basis, such as weekly or monthly. Alternatively, companies may use real-time notification, where the ERP system continually scans for conflicting ability events. If one is detected, an e-mail or text message is immediately sent to the appropriate manager so that it can be addressed in real time.
  5. Monitoring these periodic reports or real-time reports allows the appropriate manager to determine if user profiles should be changed to prevent future conflicting abilities.
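The five-step process above, as an added Python example that is not part of the textbook: a constructed conflicting-abilities catalog (step 1), user profiles checked against it (steps 2 and 3), and a constructed audit trail scanned for conflicting-ability events that a manager would be notified of (steps 4 and 5). All task names, user IDs and document numbers are made up.

```python
# Added example (not from the textbook): the five-step process above, in code.
# Task names, the conflict catalog and the audit-trail rows are all constructed.

# Step 1: the catalog of incompatible duties ("conflicting abilities").
CONFLICTING_ABILITIES = [
    frozenset({"initiate_purchase", "record_receipt"}),
    frozenset({"approve_purchase", "approve_receipt"}),
    frozenset({"record_receipt", "approve_payment"}),
]

# Step 2: user profiles, i.e. the tasks each user ID is authorized to perform.
USER_PROFILES = {
    "jsmith":  {"initiate_purchase", "approve_purchase"},
    "tlee":    {"record_receipt", "approve_receipt"},
    "mgarcia": {"initiate_purchase", "record_receipt"},   # violates step 2
}

# Step 4 input: audit-trail rows of (user_id, task, document_id), constructed.
AUDIT_TRAIL = [
    ("jsmith",  "initiate_purchase", "PO-1001"),
    ("tlee",    "record_receipt",    "PO-1001"),
    ("mgarcia", "initiate_purchase", "PO-1002"),
    ("mgarcia", "record_receipt",    "PO-1002"),   # same user, both halves
]


def profile_conflicts(profiles, conflicts):
    """Steps 2 and 3: {user: [(task_a, task_b), ...]} for every profile that
    grants both halves of a conflicting pair, so access can be corrected."""
    found = {}
    for user, tasks in profiles.items():
        hits = sorted(tuple(sorted(p)) for p in conflicts if p <= tasks)
        if hits:
            found[user] = hits
    return found


def audit_trail_conflicts(events, conflicts):
    """Step 4: one user performing both halves of a conflicting pair on the
    same document. Returns (user, document_id, (task_a, task_b)) alerts."""
    tasks_by_user_doc = {}
    for user, task, doc in events:
        tasks_by_user_doc.setdefault((user, doc), set()).add(task)
    alerts = []
    for (user, doc), tasks in sorted(tasks_by_user_doc.items()):
        alerts += [(user, doc, tuple(sorted(p))) for p in conflicts if p <= tasks]
    return alerts
```

The profile check catches a conflict before any transaction is processed; the audit-trail scan is what a weekly report or real-time notification would be built on, and the alert carries the user, document and task pair a manager needs to act (step 5).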

Segregation of duties is an important part of internal control that can help prevent errors and fraud. By using the process outlined here, an ERP system can assist management in monitoring internal control, monitoring errors and problems, and monitoring exceptions to internal controls. An ERP system can also produce other reports related to monitoring internal controls. There are too many reports to describe each one, but Exhibit 15-5 lists some examples of internal controls monitored in an accounts payable system.

The main purpose of these reports is to ensure that transactions are carried out only in accordance with management's authorization and that unauthorized transactions are prevented or detected. They also provide objective evidence that management can use when assessing compliance with Sarbanes-Oxley internal control requirements.

Exhibit 15-5 Examples of Accounts Payable Internal Control Reports
