Need help with a Summary

I need all of the information in the attached PowerPoint slides put into 2 pages. Note: you can do it by hand and scan it. Attachments: merp_chapter_12_v3__1_.pptx, merp_chapter_11_v3__1_.pptx, merp_chapter_10_v3__1_.pptx
Unformatted Attachment Preview

MODERN ERP
SELECT, IMPLEMENT, & USE TODAY’S
ADVANCED BUSINESS SYSTEMS
3rd Edition
CHAPTER 11:
ERP Security and
Implementation Assurance
Objectives
▪ Become acquainted with the concept of internal
control and its objectives
▪ Differentiate between IT general and application
controls
▪ Understand the process of ERP systems
implementation assurance
▪ Recognize the various IT certifications for
professionals involved in ERP implementation
assurance, audit, security, governance, and risk
Internal Control
▪ Internal control – the policies and procedures put in
place by an organization’s board of directors,
management, and other personnel to provide
“reasonable assurance” regarding achievement in
the following objectives:
–Effectiveness and efficiency of operations
–Reliability of financial reporting
–Compliance with applicable laws and regulations
▪ Example: segregation of duties among employees
Information Technology (IT) Control
▪ IT control – a procedure or policy that provides
reasonable assurance that the IT used by an
organization operates as intended, that data is
reliable, and that the organization is in compliance
with applicable laws and regulations
▪ IT controls are some of the most important internal
controls because of the organization’s pervasive
reliance upon automated transaction processing
The Audit and Internal Control
▪ Internal control helps achieve an unqualified audit
report, which is a “clean bill of health” and shows
compliance with the Sarbanes-Oxley Act of 2002
(SOX)
▪ SOX Section 404 requires management at publicly
traded companies to:
– Establish internal controls and procedures over financial
reporting
– Document, test, and maintain those internal controls and
procedures to guarantee their effectiveness
ERP and Internal Controls
▪ Auditors look for internal control issues that expose
the ERP system and the data to misstatements
▪ Most ERP systems are designed with internal controls
in mind
▪ ERP systems include edit checks, which occur at the
point of data entry to make sure data adheres to
specific data standards
▪ Some internal controls must be configured
▪ ERP systems include an audit trail, which is a log of
transactions that records when the transactions were
entered and by whom
ERP Layers and Security Issues
▪ Security issues exist in every layer of ERP systems:
– Client tier – Employees need to be trained on what
data to enter and where and access controls must be
built into this layer to allow user input only where it is
appropriate
– Application tier – The integrated nature of ERP
applications means that data entered at one stage in
the process is carried forward to later stages;
configuring the system correctly is essential
– Database tier – The database layer is a prime target
because it comprises highly sensitive data, such as
personally identifiable consumer and employee data
and financial information
IT Application Controls
▪ IT application controls (ITACs) – control the input,
processing, and output functions of an ERP system
by enabling, disabling, or limiting the actions of ERP
system users and enforcing business-driven rules and
data quality
▪ Programmed in the ERP system or configured during
implementation to facilitate data accuracy,
completeness, validity, verifiability, and consistency
to help guarantee the confidentiality, integrity, and
availability of the ERP application and its associated
data
IT Application Controls
Figure 11-1: Types of Information Technology Application Controls (ITAC)
▪ Input Controls – Ensure that all data input into the system is accurate, complete, and authorized:
– Sequence checks prevent missing transactions
– Drop-down menus to only allow valid items
– Authorization and approval rights for transactions based on user roles
– Override capabilities restricted to only certain users
– Edit checks to ensure accurate, valid, and complete input
– Standardized input screens
– Checks for duplicate entry of data
▪ Processing Controls – Ensure that valid input data is processed accurately and completely:
– Automated tracking of changes made to data that associates the change with a specific user; enables the audit trail
– Automated checks of data from feeder systems, a process known as an interface control
– Automated tracking of overrides made during processes
– Checks to ensure that automated calculations produce expected results
▪ Output Controls – Ensure that output is complete, accurate, and distributed to the appropriate personnel:
– Distribution of sensitive reports only to appropriate personnel
– Adherence to record retention periods
– Analysis of error reports and corrective action to rectify issues
– All successful transactions posted to subsidiary ledger and summarized in the GL
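The input and processing controls listed in Figure 11-1 are easiest to understand when they run over an actual batch. The following is an added example, not code from the textbook or from any ERP product: it implements a sequence check, a duplicate check, an edit check against master data, and an audit trail of changes, all over a constructed transaction batch. The vendor list, field names and sample values are assumptions.

```python
"""Added example (not from the textbook): ERP application controls of the
kinds listed in Figure 11-1 run over a constructed transaction batch."""
from dataclasses import dataclass, field

VALID_VENDORS = {"V100", "V200"}          # constructed vendor master data (assumption)


@dataclass
class Txn:
    seq: int            # sequential document number assigned at entry
    vendor: str
    amount: float
    entered_by: str


# Constructed sample batch: seq 1003 is missing, 1004 is entered twice,
# 1002 names an unknown vendor and 1004 carries a negative amount.
SAMPLE_BATCH = [
    Txn(1001, "V100", 250.00, "alice"),
    Txn(1002, "V999", 75.50, "bob"),
    Txn(1004, "V200", -10.00, "alice"),
    Txn(1004, "V200", -10.00, "alice"),
    Txn(1005, "V100", 40.00, "carol"),
]


def sequence_check(batch):
    """Input control: report gaps in the document-number sequence
    (a gap means a transaction was lost or never posted)."""
    seqs = sorted({t.seq for t in batch})
    return [n for n in range(seqs[0], seqs[-1] + 1) if n not in seqs]


def duplicate_check(batch):
    """Input control: report document numbers entered more than once."""
    seen, dups = set(), []
    for t in batch:
        if t.seq in seen and t.seq not in dups:
            dups.append(t.seq)
        seen.add(t.seq)
    return dups


def edit_check(txn):
    """Input control applied at the point of entry.
    Returns a list of error strings; an empty list means the entry is valid."""
    errors = []
    if txn.vendor not in VALID_VENDORS:
        errors.append("invalid vendor")
    if txn.amount <= 0:
        errors.append("amount must be positive")
    return errors


def run_input_controls(batch):
    """Run all three input controls and collect the exceptions for review."""
    return {
        "missing": sequence_check(batch),
        "duplicates": duplicate_check(batch),
        "edit_errors": {t.seq: edit_check(t) for t in batch if edit_check(t)},
    }


@dataclass
class AuditedRecord:
    """Processing control: every change to a posted record is logged together
    with the user who made it, which is what feeds the audit trail."""
    values: dict
    trail: list = field(default_factory=list)

    def update(self, user, key, new_value):
        self.trail.append((user, key, self.values.get(key), new_value))
        self.values[key] = new_value


if __name__ == "__main__":
    print(run_input_controls(SAMPLE_BATCH))
    rec = AuditedRecord({"amount": 40.0})
    rec.update("carol", "amount", 45.0)
    print(rec.trail)
```

Running it over the constructed batch flags the missing document 1003, the duplicated 1004, and the two edit-check failures; the audit trail records the old and new value of each change with the user who made it, which is what an auditor later reads to answer "who changed this and when".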
Segregation of Duties
▪ Segregation of duties (SoD) – the concept of
requiring different people to complete different
parts of a process
▪ Effective SoD means that these three functions
should be kept separate:
(1) Approving a transaction
(2) Recording and reconciling the transaction
(3) Having custody of the assets involving the
transaction
Segregation of Duties
Figure 11-2: Segregation of Duties
Role-Based Access Control
▪ Authorization – the level of access a certain
user has in the ERP system; accomplished
through RBAC
▪ Role-based access control (RBAC) – assigns
individuals to organizational roles and those
roles to specific access in the system
–A role is a job assignment or function (e.g.,
accountant)
–Employed at the company, application, and
transaction levels
–Enforces SoD
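To show how RBAC enforces the three-way separation from the Segregation of Duties slide (approve, record and reconcile, custody), here is an added example that is not from the textbook or any real ERP system: roles map to transactions and to the SoD function they exercise, and a role is granted to a user only if the combination introduces no conflicting pair. Role names, transaction codes and users are constructed.

```python
"""Added example (not from the textbook): RBAC authorization with a
segregation-of-duties check over approve / record / custody."""

# Each constructed role lists the SoD function(s) it exercises and the
# transactions it may run. Names are illustrative, not from any real ERP.
ROLES = {
    "ap_approver":  {"functions": {"approve"}, "transactions": {"approve_invoice"}},
    "ap_clerk":     {"functions": {"record"},  "transactions": {"enter_invoice", "reconcile_ap"}},
    "treasury":     {"functions": {"custody"}, "transactions": {"release_payment"}},
    "ap_reporting": {"functions": set(),       "transactions": {"view_ap_report"}},
}

# Pairs of SoD functions that one person must never hold at the same time.
CONFLICTS = {
    frozenset({"approve", "record"}),
    frozenset({"approve", "custody"}),
    frozenset({"record", "custody"}),
}


def functions_of(roles):
    """All SoD functions exercised by a set of roles."""
    return set().union(*(ROLES[r]["functions"] for r in roles))


def sod_violations(roles):
    """Conflicting function pairs a single user would combine by holding these roles."""
    held = functions_of(roles)
    return sorted(tuple(sorted(pair)) for pair in CONFLICTS if pair <= held)


def assign_role(user_roles, user, role):
    """Grant a role only if the user's resulting role set stays SoD-clean."""
    proposed = set(user_roles.get(user, set())) | {role}
    violations = sod_violations(proposed)
    if violations:
        raise PermissionError(f"{user}: adding {role} would violate SoD {violations}")
    user_roles[user] = proposed
    return proposed


def is_authorized(user_roles, user, transaction):
    """Authorization check: a transaction is allowed only through one of the user's roles."""
    return any(transaction in ROLES[r]["transactions"] for r in user_roles.get(user, ()))


def revoke_all(user_roles, user):
    """Deprovisioning on role change or termination: remove every role at once."""
    user_roles.pop(user, None)


if __name__ == "__main__":
    assignments = {}
    assign_role(assignments, "dana", "ap_clerk")
    print(is_authorized(assignments, "dana", "enter_invoice"))      # True
    try:
        assign_role(assignments, "dana", "ap_approver")               # record + approve conflict
    except PermissionError as e:
        print(e)
```

The conflict table is the part an auditor would want to see: it encodes the three functions from the slide as pairs that no single person may combine, and the check runs at assignment time rather than after the fact, so the violation is prevented instead of merely detected.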
Auditing IT Application Controls
▪ When evaluating ITAC, the auditor would focus on the
modules
▪ The first questions the auditor should ask are “What does
this module do?” and “What business process or processes
does this module support?”
▪ Next, they can identify the potential risks associated with
the business processes in question by asking “What could go
wrong?” Then they can see how the risk is handled by asking
the question “What controls the risk?”
– Example: Inspection of system configurations in the Purchasing
module to make sure quantities and prices are being checked in the
three-way match
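The slide's example of "what controls the risk" in Purchasing is the three-way match. As an added example (not the textbook's or any vendor's code), this shows the check an auditor would expect the configuration to enforce: the purchase order, goods receipt and vendor invoice must agree on quantity and on price, within a configured tolerance, before the invoice is approved for payment. The document fields and the 2% tolerance are assumptions.

```python
"""Added example (not from the textbook): a three-way match between
purchase order, goods receipt and vendor invoice."""
from dataclasses import dataclass


@dataclass
class PurchaseOrder:
    po: str
    quantity: int
    unit_price: float


@dataclass
class GoodsReceipt:
    po: str
    quantity_received: int


@dataclass
class Invoice:
    po: str
    quantity_billed: int
    unit_price: float


PRICE_TOLERANCE = 0.02   # assumed configuration: 2% price variance is accepted


def three_way_match(po, receipt, invoice, price_tolerance=PRICE_TOLERANCE):
    """Return the list of match exceptions; an empty list clears the invoice.
    Quantity: cannot bill more than was received, cannot receive more than ordered.
    Price: invoice unit price must be within tolerance of the PO unit price."""
    if not (po.po == receipt.po == invoice.po):
        return ["documents reference different purchase orders"]
    exceptions = []
    if invoice.quantity_billed > receipt.quantity_received:
        exceptions.append(
            f"billed {invoice.quantity_billed} but only {receipt.quantity_received} received")
    if receipt.quantity_received > po.quantity:
        exceptions.append(
            f"received {receipt.quantity_received} exceeds ordered {po.quantity}")
    if abs(invoice.unit_price - po.unit_price) > price_tolerance * po.unit_price:
        exceptions.append(
            f"invoice price {invoice.unit_price} outside tolerance of PO price {po.unit_price}")
    return exceptions


def approve_for_payment(po, receipt, invoice):
    """Control decision: pay only when the match produces no exceptions;
    otherwise the invoice is blocked and routed for manual review."""
    exceptions = three_way_match(po, receipt, invoice)
    return ("approved" if not exceptions else "blocked", exceptions)


if __name__ == "__main__":
    # Constructed documents: a clean match and an overbilled, overpriced one.
    po = PurchaseOrder("PO-1", 100, 10.00)
    gr = GoodsReceipt("PO-1", 100)
    print(approve_for_payment(po, gr, Invoice("PO-1", 100, 10.10)))
    print(approve_for_payment(po, gr, Invoice("PO-1", 120, 12.00)))
```

When the auditor "inspects system configurations" for this control, the questions are exactly the parameters visible here: is the price tolerance set to a defensible value, is the quantity comparison actually against the receipt rather than the order alone, and can an invoice with exceptions be paid at all without an override that is itself logged.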
IT General Controls
▪ IT general controls (ITGCs) – controls that apply to
all systems components, processes, and data for a
given organization or IT environment
▪ These controls work to both secure and validate the
data contained in the systems that process financial
transactions
▪ The objectives of ITGCs are to ensure:
– Proper development of and changes to applications,
databases, and operating systems
– Proper controls over the logical access to the network and
applications
– Controls over the hardware in the data center
IT General Controls (ITGCs)
Figure 11-3: Relationship between IT General Controls and IT Application Controls (Source: Deloitte)
[Figure: business process cycles (Expenditure, Fixed Assets, Payroll, Financial Closing, Inventory, Revenue, Treasury) sit on top; IT application controls (Audit Trails, Automated Decision Making, Transaction Edits and Sequential Numbering, Interface Controls, Segregation of Duties, Edit Checks) apply within those processes; IT general controls (Program Change Controls, Logical Access Controls, Data Center Controls) span the technology layers beneath them: Application, Database, Operating System, Network, Hardware.]
Program Change Controls
▪ Program change controls – controls that govern the
changes made to the ERP system and
underlying database
▪ Help ensure that the development of and changes to
systems are properly designed, tested, validated, and
approved prior to migrating the changes to PRD
▪ Examples of program changes: patches, bug fixes,
updates, enhancements, and minor upgrades
▪ Need to ensure SoD in this process
ERP System Landscape
Figure 11-4: ERP System Landscape
Program Change Controls
Figure 11-5: Examples of Program Change Controls
Program changes are only initiated with a valid IT or business justification.
An IT manager or management in the business area requesting the change approves the program change prior to development
in the DEV instance.
Application programmers should only make changes in the DEV instance. Once work is completed, application programmers
should move the program changes to the QA instance.
Depending on the type of program change, functional users and/or IT staff test to make sure the application responds suitably
in the QA environment. These staff members are separate from developers.
Prior to moving changes to PRD, an impact analysis is performed to determine the potential effect of the proposed change to
other systems and modules as well as to users.
Program changes moved to PRD are scheduled during downtime, and users are notified in advance when the changes will occur.
After testing and sign-off in the QA instance is complete, an IT employee—separate from the employee who developed the
change—moves the change to PRD.
Programmers should not have direct access to the PRD instance and should not make changes directly into PRD.
Documentation exists to show proper approvals and procedures in the program change control process.
Source: ISACA
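The rules in Figure 11-5 describe a workflow with an enforced order and enforced separation of people. As an added example (not code from the textbook or from ISACA), the class below models one program change as a state machine: it cannot be developed before approval, cannot reach PRD without QA testing and an impact analysis, the tester and the person migrating to PRD must differ from the developer, and every step is logged as the documentation the last rule asks for. State names, actor handling and the log format are assumptions.

```python
"""Added example (not from the textbook): a change record that enforces the
DEV -> QA -> PRD path and the separations of duty listed in Figure 11-5."""


class ChangeControlError(Exception):
    """Raised when a step is attempted out of order or by the wrong person."""


class ProgramChange:
    # Expected order of states; each step checks the state it starts from.
    STATES = ["requested", "approved", "developed", "tested", "impact_assessed", "in_prd"]

    def __init__(self, change_id, justification):
        if not justification.strip():
            raise ChangeControlError("a change needs a valid IT or business justification")
        self.change_id = change_id
        self.justification = justification
        self.state = "requested"
        self.developer = None
        self.log = []           # (action, actor) entries: the approval/procedure documentation

    def _advance(self, expected, new_state, actor, action):
        if self.state != expected:
            raise ChangeControlError(
                f"{action} not allowed: change {self.change_id} is in state {self.state}")
        self.state = new_state
        self.log.append((action, actor))

    def approve(self, manager):
        """IT or business management approves before any development starts."""
        self._advance("requested", "approved", manager, "approve")

    def develop(self, programmer):
        """Programmer works in the DEV instance only."""
        self._advance("approved", "developed", programmer, "develop in DEV")
        self.developer = programmer

    def test(self, tester):
        """Functional users or IT staff test in QA; they must not be the developer."""
        if tester == self.developer:
            raise ChangeControlError("testers must be separate from the developer")
        self._advance("developed", "tested", tester, "test in QA")

    def impact_analysis(self, analyst):
        """Impact on other systems, modules and users is assessed before PRD."""
        self._advance("tested", "impact_assessed", analyst, "impact analysis")

    def move_to_prd(self, it_employee):
        """A separate IT employee migrates the change; programmers have no PRD access."""
        if it_employee == self.developer:
            raise ChangeControlError("the developer may not move the change to PRD")
        self._advance("impact_assessed", "in_prd", it_employee, "move to PRD")


def run_clean_change():
    """Walk one constructed change through the full controlled path."""
    chg = ProgramChange("CHG-0001", "fix rounding in AP aging report")
    chg.approve("it_manager")
    chg.develop("dev_pat")
    chg.test("qa_lee")
    chg.impact_analysis("analyst_kim")
    chg.move_to_prd("ops_sam")
    return chg


if __name__ == "__main__":
    done = run_clean_change()
    print(done.state, done.log)
```

The two checks against `self.developer` are the SoD rules of the slide expressed as code; the state check in `_advance` is what stops a change from being pushed straight from DEV to PRD. In a real ERP landscape these rules are enforced by the transport or deployment tooling and by not granting programmers PRD access at all, and the log here stands in for that tooling's own records.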
Logical Access Controls
▪ Logical access controls – the policies, procedures,
organizational structure, and electronic controls
designed to restrict access to information systems and
data only to individuals with genuine authority to
access the information
▪ Not the same as physical access controls, which use a
mechanical lock and key or other devices controlling
access to a building or room
Identity and Access Management
▪ Logical access is part of identity and access management
(IAM) – the management of individual identities and
privileges or permissions within or across system and
company boundaries
▪ Three functions of IAM:
– Identification – the process of describing an individual to a
system with a unique user ID
– Authentication – involves verifying that a user’s claim to a
particular identity is, in fact, true; carried out through the
combination of user ID and password
– Authorization – the level of access a particular authenticated
user should have to the ERP system
Levels of Authentication
▪ Verifying the identity of users through a user ID and a
password authenticates with a knowledge factor, or
“what the user knows”
▪ However, this can be combined with a possession
factor, or “what the user has”
▪ And with an inherence factor, or “what only the user is”,
accomplished through biometrics, to add more layers of
logical access control
– Dual-factor authentication – requiring two forms of
authentication
– Multi-factor authentication – requiring more than two
forms of authentication
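To make the three factor categories concrete, here is an added example that is not from the textbook: a user record holds a salted password hash (knowledge factor) and a shared secret for a time-based one-time code (possession factor, the "authenticator" case of "what the user has"). A login counts only the distinct categories that verified, so the policy is met by password plus code but not by a password alone. The user record, secret, salt and iteration count are constructed; the one-time code follows the HOTP truncation from RFC 4226 with a 30-second counter.

```python
"""Added example (not from the textbook): verifying a knowledge factor and a
possession factor, then applying a dual-factor policy."""
import hashlib
import hmac
import struct
import time

# Constructed user record (assumption): PBKDF2 password hash and a shared TOTP secret.
_SALT = b"constructed-salt"
_ITERATIONS = 100_000
USER = {
    "user_id": "jsmith",
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS),
    "totp_secret": b"constructed-shared-secret",
}


def verify_password(user, password):
    """Knowledge factor: recompute the salted hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    return hmac.compare_digest(candidate, user["pw_hash"])


def totp_code(secret, counter, digits=6):
    """One-time code for a 30-second counter (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(user, code, now=None):
    """Possession factor: accept the current or the immediately previous window
    to tolerate small clock drift between the device and the server."""
    counter = int((time.time() if now is None else now) // 30)
    return any(hmac.compare_digest(totp_code(user["totp_secret"], c), code)
               for c in (counter, counter - 1))


def authenticate(user, password=None, code=None, required_factors=2, now=None):
    """Return (allowed, verified_categories). Only distinct factor categories
    count toward the policy: two knowledge credentials would still be one factor."""
    verified = set()
    if password is not None and verify_password(user, password):
        verified.add("knowledge")
    if code is not None and verify_totp(user, code, now):
        verified.add("possession")
    return len(verified) >= required_factors, verified


if __name__ == "__main__":
    now = 1_000_000                                   # fixed clock for a repeatable run
    code = totp_code(USER["totp_secret"], now // 30)  # what the user's device would show
    print(authenticate(USER, "correct horse", code, now=now))   # (True, {...both...})
    print(authenticate(USER, "correct horse", now=now))         # (False, {'knowledge'})
```

The slide's "dual-factor" policy corresponds to `required_factors=2`; an inherence factor (biometrics) would be a third category added to the same set, and `required_factors=3` then expresses the slide's "multi-factor" case.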
Logical Access Controls
Figure 11-6: Examples of Logical Access Controls
Documentation exists to show proper approvals and procedures to grant logical access.
Use of privileged access in applications such as SYSADMIN is limited only to appropriate personnel
Procedures are put into place to notify IT security personnel when employees change roles and responsibilities
or are terminated. Access privileges of such individuals are immediately changed to reflect their new status.
Roles and responsibilities related to IT security are assigned to appropriate personnel.
Data encryption, firewalls, network segmentation, and other measures are put in place to keep hackers, cybercriminals, and other outsiders from accessing the ERP system and database.
Effective password management policies, such as periodically changing passwords and requiring passwords that
are not easily guessed, are in place and enforced.
Dual-factor authentication is enforced when logging onto the network.
Default passwords are effectively replaced upon first login to the ERP system.
Direct access to the ERP database is closed and programmatically prevented.
Effective use of HTTPS for remote access is enforced.
Source: ISACA
Data Center Controls
▪ Data center controls – help protect computer facilities and
resources from environmental hazards, espionage,
sabotage, damage, and theft
– Reliability – the ability of a system or component to
execute its required functions under stated conditions for
a specified period of time. Factors into….
– Availability – the degree to which a system or
component is accessible and operational when it is
needed
Data Center Controls
Figure 11-7: Data Center Controls (Source: ISACA)
▪ Physical Security
– Build on the right spot
– Use surveillance cameras
– Limit entry points and avoid windows
– Use biometrics for access
– Employ 24/7 security and use perimeter fencing
– Keep a roster of those who are allowed access to the data center
▪ Protection of Data
– Employ redundancy by storing copies of data in multiple locations
– Back up critical data
– Use fire detection and suppression
– Destroy hard drives when retiring them
– Shred paper
– Have a data recovery plan
▪ Reliability and Availability
– Use an uninterruptible power supply (UPS)
– Use emergency backup generators
– Use fiber optic cables
– Have a disaster recovery plan
– Maintain service-level agreements with customers
– Use proper air conditioning and have redundant utilities
System Implementation Assurance
▪ Systems implementation assurance (SIA) – third-party
opinion that is an independent assessment of the health
and expected outcome of the ERP implementation and
corresponding change initiative
Figure 11-8: Points in the ERP Life Cycle Where Assurance is Beneficial
[Figure: assurance points shown both before go-live and after go-live]
Control Risks
▪ Does the design and implementation of ITGCs and ITACs satisfy
financial reporting, operational, and regulatory requirements?
Assurers look at:
– Business processes – Has management evaluated the best mix of
manual versus automated or configured controls?
– ITGC – Do the IT infrastructure and manual IT processes support the
new ERP system?
– Data quality – Has the legacy data been successfully migrated to the
ERP system and is it accurate and in a usable format?
– Interfaces – Do interfaces between the ERP system and other
systems stream data properly to ensure data integrity?
▪ Negative tests – testing software to ascertain if it is doing
something it is not supposed to do
Business Risks
▪ Some ERP risks present themselves during planning, such
as:
– Business case – Is there a solid business case in place for
the ERP investment, and is it aligned with corporate
strategy?
– Benefits realization plan – Are there appropriate key
performance indicators that back up the business case,
and will they produce measurable outcomes?
– Organizational structure – Is the project properly
structured? Does it include a high-level sponsor and steering
committee? Are functional areas involved? Is the team
experienced?
Project Risks
▪ These risks involve whether the ERP system will be delivered on time
and on budget, meet the stated requirements, and whether
employees will be adequately prepared for the new system and
processes. Assurers look at:
– Project management – Are timelines and resources being
effectively managed?
– Project governance – Is there appropriate management support
throughout the implementation?
– Functional readiness – Are mechanisms in place to develop
functional requirements?
– Technical readiness – Are mechanisms in place to translate the
functional requirements into the ERP software?
– Organizational readiness – Are changes to processes being
effectively communicated and understood throughout the
organization? Is training being conducted effectively?
ISACA Certifications for
IT Professionals
▪ Information Systems Audit and Control Association
(ISACA) – the independent, nonprofit, global
association engaged in the development, adoption,
and use of globally accepted knowledge and best
practices in IT
▪ ISACA is the leading organization that disseminates
information for information governance, control,
security, and audit professionals
▪ Offers certifications in various IT areas related to ERP
CISA
▪ Certified Information System Auditor (CISA) – qualifies an
individual as globally proficient in the areas of IS audit,
assurance, and security. Tests:
– The process of auditing IS
– Governance and management of IS
– IS acquisition, development, and implementation
– IS operation, maintenance, and support
– Protection of information assets*
*main area tested
CISM
▪ Certified Information Security Manager (CISM) – uniquely
targets the professional who manages, designs, oversees, and
assesses an organization’s information security program.
Tests:
– Information security governance
– Information risk management and compliance*
– Information security program development
and management
– Information security incident management and response
*main area tested
CRISC
▪ Certified in Risk and Information Systems Control (CRISC) –
recognizes a wide range of IT and business professionals for their
knowledge of enterprise risk management (ERM) and their ability
to design, implement, monitor, and maintain systems controls to
reduce risk
▪ Risk management – the identification, analysis, assessment,
control, avoidance, minimization, or elimination of unacceptable
risks; includes IT risk management
▪ Tests:
– IT risk identification
– IT risk assessment*
– Risk response and mitigation
– Risk and control monitoring and reporting
*main area tested
CGEIT
▪ Certified in the Governance of Enterprise IT (CGEIT) –
designates a professional with the knowledge and
application of enterprise IT governance principles and
practices. Tests:
– Framework for the governance of enterprise IT *
– Strategic management
– Benefits realization
– Risk optimization
– Resource optimization
▪ IT governance – the leadership, organizational structures,
and processes that ensure that an organization’s technology
sustains and extends its strategies and objectives
* main area tested
MODERN ERP
SELECT, IMPLEMENT, & USE TODAY’S
ADVANCED BUSINESS SYSTEMS
3rd Edition
CHAPTER 12:
ERP and Business Analytics
Objectives
▪ Understand how the discipline of business analytics
intersects with ERP systems
▪ Recognize the various data stores for business
analytics
▪ Become familiar with the types of business analytics
▪ Learn the role of KPIs and what corporate
performance management entails
▪ Know the essentials of the balanced scorecard as a
corporate performance management framework
▪ Be aware of the importance of data governance in
business analytics
Business Analytics
▪ Business analytics (BA) – the comprehensive use of data
and quantitative analysis for business decision-making using:
– Structured data – data in ERP database or spreadsheets
– Unstructured data – data that doesn’t reside in a
traditional row-column database or spreadsheet
▪ Expands upon business intelligence (BI) – the ability to take
information resources and convert them into knowledge
that is useful in decision-making
– Lower level decision-making consisting of reports, queries,
scorecards, dashboards
– Rear-view mirror approach using structured data only
Business Analytics
Figure 12-1: Warning Signs an Organization Needs Business Analytics
You have to wait longer than a day for someone to make or change a report for you.
Across the organization there are more than 100 pending requests for reporting/dashboard/scorecard
changes waiting for a specialist to make them.
At meetings, there are multiple numbers being quoted for the same thing—and no one knows which is
correct.
The commentary is larger than the automatically generated report.
The report is not generated automatically, but is a handcrafted labor of love by either yourself or one of
your staff.
There are hundreds of rep …