Need help with a Summary

Question Description

I need all of the information in the attached PowerPoint slides put into 2 pages.

Note: you can do it by hand and scan it. 


Unformatted Attachment Preview

MODERN ERP: SELECT, IMPLEMENT, & USE TODAY'S ADVANCED BUSINESS SYSTEMS, 3rd Edition

CHAPTER 11: ERP Security and Implementation Assurance

Objectives
▪ Become acquainted with the concept of internal control and its objectives
▪ Differentiate between IT general and application controls
▪ Understand the process of ERP systems implementation assurance
▪ Recognize the various IT certifications for professionals involved in ERP implementation assurance, audit, security, governance, and risk

Internal Control
▪ Internal control – the policies and procedures put in place by an organization's board of directors, management, and other personnel to provide "reasonable assurance" regarding achievement of the following objectives:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws and regulations
▪ Example: segregation of duties among employees

Information Technology (IT) Control
▪ IT control – a procedure or policy that provides reasonable assurance that the IT used by an organization operates as intended, that data is reliable, and that the organization is in compliance with applicable laws and regulations
▪ IT controls are some of the most important internal controls because of the organization's pervasive reliance upon automated transaction processing

The Audit and Internal Control
▪ Internal control helps achieve an unqualified audit report, which is a "clean bill of health" and shows compliance with the Sarbanes-Oxley Act of 2002 (SOX)
▪ SOX Section 404 requires management at publicly traded companies to:
– Establish internal controls and procedures over financial reporting
– Document, test, and maintain those internal controls and procedures to guarantee their effectiveness

ERP and Internal Controls
▪ Auditors look for internal control issues that expose the ERP system and the data to misstatements
▪ Most ERP systems are designed with internal controls in mind
▪ ERP systems include edit checks, which occur at the point of data entry to make sure data adheres to specific data standards
▪ Some internal controls must be configured
▪ ERP systems include an audit trail, which is a log of transactions that records when the transactions were entered and by whom

ERP Layers and Security Issues
▪ Security issues exist in every layer of ERP systems:
– Client tier – Employees need to be trained on what data to enter and where, and access controls must be built into this layer to allow user input only where it is appropriate
– Application tier – The integrated nature of ERP applications means that data entered at one stage in the process is carried forward to later stages; configuring the system correctly is essential
– Database tier – The database layer is a prime target because it comprises highly sensitive data, such as personally identifiable consumer and employee data and financial information

IT Application Controls
▪ IT application controls (ITACs) – control the input, processing, and output functions of an ERP system by enabling, disabling, or limiting the actions of ERP system users and enforcing business-driven rules and data quality
▪ Programmed in the ERP system or configured during implementation to facilitate data accuracy, completeness, validity, verifiability, and consistency, to help guarantee the confidentiality, integrity, and availability of the ERP application and its associated data

Figure 11-1: Types of Information Technology Application Controls (ITAC)
Input Controls – Ensure that all data input into the system is accurate, complete, and authorized
• Sequence checks prevent missing transactions
• Drop-down menus to only allow valid items
• Authorization and approval rights for transactions based on user roles
• Override capabilities restricted to only certain users
• Edit checks to ensure accurate, valid, and complete input
• Standardized input screens
• Checks for duplicate entry of data
Processing Controls – Ensure that valid input data is processed accurately and completely
• Automated tracking of changes made to data that associates the change with a specific user; enables the audit trail
• Automated checks of data from feeder systems, a process known as an interface control
• Automated tracking of overrides made during processes
• Checks to ensure that automated calculations produce expected results
Output Controls – Ensure that output is complete, accurate, and distributed to the appropriate personnel
• Distribution of sensitive reports only to appropriate personnel
• Adherence to record retention periods
• Analysis of error reports and corrective action to rectify issues
• All successful transactions posted to the subsidiary ledger and summarized in the GL

Segregation of Duties
▪ Segregation of duties (SoD) – the concept of requiring different people to complete different parts of a process
▪ Effective SoD means that these three functions should be kept separate:
(1) Approving a transaction
(2) Recording and reconciling the transaction
(3) Having custody of the assets involved in the transaction

Figure 11-2: Segregation of Duties

Role-Based Access Control
▪ Authorization – the level of access a certain user has in the ERP system; accomplished through RBAC
▪ Role-based access control (RBAC) – assigns individuals to organizational roles and those roles to specific access in the system
– A role is a job assignment or function (e.g., accountant)
– Employed at the company, application, and transaction levels
– Enforces SoD

Auditing IT Application Controls
▪ When evaluating ITACs, the auditor focuses on the modules
▪ The first questions the auditor should ask are "What does this module do?" and "What business process or processes does this module support?"
▪ Next, they can identify the potential risks associated with the business processes in question by asking "What could go wrong?" Then they can see how the risk is handled by asking "What controls the risk?"
– Example: Inspection of system configurations in the Purchasing module to make sure quantities and prices are being checked in the three-way match

IT General Controls
▪ IT general controls (ITGCs) – controls that apply to all system components, processes, and data for a given organization or IT environment
▪ These controls work to both secure and validate the data contained in the systems that process financial transactions
▪ The objectives of ITGCs are to ensure:
– Proper development of and changes to applications, databases, and operating systems
– Proper controls over the logical access to the network and applications
– Controls over the hardware in the data center

Figure 11-3: Relationship between IT General Controls and IT Application Controls (Source: Deloitte). Business processes shown: Expenditure, Fixed Assets, Payroll, Financial Closing, Inventory, Revenue, Treasury. Application controls shown: Audit Trails, Automated Decision Making, Transaction Edits and Sequential Numbering, Interface Controls, Segregation of Duties, Edit Checks. Layers shown: Application, Database, Operating System, Network, Hardware. General controls shown: Program Change Controls, Logical Access Controls, Data Center Controls.

Program Change Controls
▪ Program change controls – controls that govern the changes made to the ERP system and underlying database
▪ Help ensure that the development of and changes to systems are properly designed, tested, validated, and approved prior to migrating the changes to PRD
▪ Examples of program changes: patches, bug fixes, updates, enhancements, and minor upgrades
▪ Need to ensure SoD in this process

Figure 11-4: ERP System Landscape

Figure 11-5: Examples of Program Change Controls
• Program changes are only initiated with a valid IT or business justification.
• An IT manager or management in the business area requesting the change approves the program change prior to development in the DEV instance.
• Application programmers should only make changes in the DEV instance.
• Once work is completed, application programmers should move the program changes to the QA instance.
• Depending on the type of program change, functional users and/or IT staff test to make sure the application responds suitably in the QA environment. These staff members are separate from developers.
• Prior to moving changes to PRD, an impact analysis is performed to determine the potential effect of the proposed change on other systems and modules as well as on users.
• Program changes moved to PRD are scheduled during downtime, and users are notified in advance when the changes will occur.
• After testing and sign-off in the QA instance is complete, an IT employee—separate from the employee who developed the change—moves the change to PRD.
• Programmers should not have direct access to the PRD instance and should not make changes directly into PRD.
• Documentation exists to show proper approvals and procedures in the program change control process.
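The separation rules the slides describe (approve / record and reconcile / custody for transactions, and develop in DEV / test in QA / move to PRD for program changes in Figure 11-5) expressed as a check over RBAC role assignments. This is an added example, not code from the textbook or ISACA; the role names, duty names, users and change record are constructed sample data.

```python
# Segregation-of-duties check over RBAC role assignments. Role names, duty
# names and users are constructed sample data, not from the textbook.

# Duty pairs that must not land on one person: approve / record and reconcile /
# custody (SoD slide) and develop in DEV / test in QA / move to PRD (Figure 11-5).
CONFLICTS = {
    frozenset({"approve_transaction", "record_transaction"}),
    frozenset({"approve_transaction", "asset_custody"}),
    frozenset({"record_transaction", "asset_custody"}),
    frozenset({"develop_change", "test_change"}),
    frozenset({"develop_change", "migrate_to_prd"}),
    frozenset({"test_change", "migrate_to_prd"}),
}

# RBAC: each role grants a set of duties (hypothetical role names).
ROLES = {
    "ap_clerk": {"record_transaction"},
    "purchasing_manager": {"approve_transaction"},
    "warehouse": {"asset_custody"},
    "developer": {"develop_change"},
    "qa_tester": {"test_change"},
    "release_engineer": {"migrate_to_prd"},
}

# Constructed sample: alice and carol accumulated a second role over time.
ASSIGNMENTS = {
    "alice": ["ap_clerk", "purchasing_manager"],
    "bob": ["warehouse"],
    "carol": ["developer", "release_engineer"],
    "dave": ["qa_tester"],
}

def duties_for(user_roles, roles=ROLES):
    """Union of the duties granted by every role a user holds."""
    return set().union(*(roles[r] for r in user_roles))

def sod_conflicts(assignments, roles=ROLES, conflicts=CONFLICTS):
    """Map each user whose combined roles grant a forbidden duty pair to the
    sorted list of (duty, duty) pairs found; clean users are omitted."""
    findings = {}
    for user, user_roles in assignments.items():
        held = duties_for(user_roles, roles)
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= held)
        if hits:
            findings[user] = hits
    return findings

def check_change_record(record):
    """Check one program-change record against Figure 11-5: an approval is
    documented, and develop / test / move-to-PRD were three different people.
    Returns the list of problems found (empty when the record is clean)."""
    problems = []
    if not record.get("approved_by"):
        problems.append("no documented approval")
    steps = [record.get(k) for k in ("developed_by", "tested_by", "migrated_by")]
    if len(set(steps)) < 3:
        problems.append("same person in more than one change-control step")
    return problems
```

Running `sod_conflicts(ASSIGNMENTS)` flags alice (approve plus record) and carol (develop plus migrate), the toxic combinations an auditor would look for when roles are granted cumulatively rather than reviewed.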
Source (Figure 11-5): ISACA

Logical Access Controls
▪ Logical access controls – the policies, procedures, organizational structure, and electronic controls designed to restrict access to information systems and data only to individuals with genuine authority to access the information
▪ Not the same as physical access controls, which use a mechanical lock and key or other devices controlling access to a building or room

Identity and Access Management
▪ Logical access is part of identity and access management (IAM) – the management of individual identities and privileges or permissions within or across system and company boundaries
▪ Three functions of IAM:
– Identification – the process of describing an individual to a system with a unique user ID
– Authentication – verifying that a user's claim to a particular identity is, in fact, true; carried out through the combination of user ID and password
– Authorization – the level of access a particular authenticated user should have to the ERP system

Levels of Authentication
▪ Verifying the identity of users through a user ID and a password authenticates with a knowledge factor, or "what the user knows"
▪ However, this can be combined with a possession factor, or "what the user has"
▪ And with an inherence factor, or "what only the user is", accomplished through biometrics, to add more layers of logical access control
– Dual-factor authentication – requiring two forms of authentication
– Multi-factor authentication – requiring more than two forms of authentication

Figure 11-6: Examples of Logical Access Controls
• Documentation exists to show proper approvals and procedures to grant logical access.
• Use of privileged access in applications such as SYSADMIN is limited only to appropriate personnel.
• Procedures are put into place to notify IT security personnel when employees change roles and responsibilities or are terminated. Access privileges of such individuals are immediately changed to reflect their new status.
• Roles and responsibilities related to IT security are assigned to appropriate personnel.
• Data encryption, firewalls, network segmentation, and other measures are put in place to keep hackers, cybercriminals, and other outsiders from accessing the ERP system and database.
• Effective password management policies, such as periodically changing passwords and requiring passwords that are not easily guessed, are in place and enforced.
• Dual-factor authentication is enforced when logging onto the network.
• Default passwords are effectively replaced upon first login to the ERP system.
• Direct access to the ERP database is closed and programmatically prevented.
• Effective use of HTTPS for remote access is enforced.
Source: ISACA

Data Center Controls
▪ Data center controls – help protect computer facilities and resources from environmental hazards, espionage, sabotage, damage, and theft
– Reliability – the ability of a system or component to execute its required functions under stated conditions for a specified period of time. Factors into…
– Availability – the degree to which a system or component is accessible and operational when it is needed

Figure 11-7: Data Center Controls (columns: Physical Security; Protection of Data; Reliability and Availability)
• Build on the right spot
• Employ redundancy by storing copies of data in multiple locations
• Use an uninterruptible power supply (UPS)
• Use surveillance cameras
• Back up critical data
• Use emergency backup generators
• Limit entry points and avoid windows
• Use fire detection and suppression
• Use fiber optic cables
• Use biometrics for access
• Destroy hard drives when retiring them
• Have a disaster recovery plan
• Employ 24/7 security and use perimeter fencing
• Shred paper
• Maintain service-level agreements with customers
• Keep a roster of those who are allowed access to the data center
• Use proper air conditioning and have redundant utilities
• Have a data recovery plan
Source: ISACA

System Implementation Assurance
▪ Systems implementation assurance (SIA) – a third-party opinion that is an independent assessment of the health and expected outcome of the ERP implementation and corresponding change initiative

Figure 11-8: Points in the ERP Life Cycle Where Assurance is Beneficial (Before Go-Live / After Go-Live)

Control Risks
▪ Does the design and implementation of ITGCs and ITACs satisfy financial reporting, operational, and regulatory requirements? Assurers look at:
– Business processes – Has management evaluated the best mix of manual versus automated or configured controls?
– ITGCs – Do the IT infrastructure and manual IT processes support the new ERP system?
– Data quality – Has the legacy data been successfully migrated to the ERP system, and is it accurate and in a usable format?
– Interfaces – Do interfaces between the ERP system and other systems stream data properly to ensure data integrity?
▪ Negative tests – testing software to ascertain whether it is doing something it is not supposed to do

Business Risks
▪ Some ERP risks present themselves during planning, such as:
– Business case – Is there a solid business case in place for the ERP investment, and is it aligned with corporate strategy?
– Benefits realization plan – Are there appropriate key performance indicators that back up the business case, and will they produce measurable outcomes?
– Organizational structure – Is the project properly structured? Does it include a high-level sponsor and steering committee? Are functional areas involved? Is the team experienced?

Project Risks
▪ These risks involve whether the ERP system will be delivered on time and on budget, whether it will meet the stated requirements, and whether employees will be adequately prepared for the new system and processes. Assurers look at:
– Project management – Are timelines and resources being effectively managed?
– Project governance – Is there appropriate management support throughout the implementation?
– Functional readiness – Are mechanisms in place to develop functional requirements?
– Technical readiness – Are mechanisms in place to translate the functional requirements into the ERP software?
– Organizational readiness – Are changes to processes being effectively communicated and understood throughout the organization? Is training being conducted effectively?

ISACA Certifications for IT Professionals
▪ Information Systems Audit and Control Association (ISACA) – the independent, nonprofit, global association engaged in the development, adoption, and use of globally accepted knowledge and best practices in IT
▪ ISACA is the leading organization that disseminates information for information governance, control, security, and audit professionals
▪ Offers certifications in various IT areas related to ERP

CISA
▪ Certified Information Systems Auditor (CISA) – qualifies an individual as globally proficient in the areas of IS audit, assurance, and security. Tests:
– The process of auditing IS
– Governance and management of IS
– IS acquisition, development, and implementation
– IS operation, maintenance, and support
– Protection of information assets*
*main area tested

CISM
▪ Certified Information Security Manager (CISM) – uniquely targets the professional who manages, designs, oversees, and assesses an organization's information security program. Tests:
– Information security governance
– Information risk management and compliance*
– Information security program development and management
– Information security incident management and response
*main area tested

CRISC
▪ Certified in Risk and Information Systems Control (CRISC) – recognizes a wide range of IT and business professionals for their knowledge of enterprise risk management (ERM) and their ability to design, implement, monitor, and maintain systems controls to reduce risk
▪ Risk management – the identification, analysis, assessment, control, avoidance, minimization, or elimination of unacceptable risks; includes IT risk management
▪ Tests:
– IT risk identification
– IT risk assessment*
– Risk response and mitigation
– Risk and control monitoring and reporting
*main area tested

CGEIT
▪ Certified in the Governance of Enterprise IT (CGEIT) – designates a professional with the knowledge and application of enterprise IT governance principles and practices. Tests:
– Framework for the governance of enterprise IT*
– Strategic management
– Benefits realization
– Risk optimization
– Resource optimization
▪ IT governance – the leadership, organizational structures, and processes that ensure that an organization's technology sustains and extends its strategies and objectives
*main area tested

MODERN ERP: SELECT, IMPLEMENT, & USE TODAY'S ADVANCED BUSINESS SYSTEMS, 3rd Edition

CHAPTER 12: ERP and Business Analytics

Objectives
▪ Understand how the discipline of business analytics intersects with ERP systems
▪ Recognize the various data stores for business analytics
▪ Become familiar with the types of business analytics
▪ Learn the role of KPIs and what corporate performance management entails
▪ Know the essentials of the balanced scorecard as a corporate performance management framework
▪ Be aware of the importance of data governance in business analytics

Business Analytics
▪ Business analytics (BA) – the comprehensive use of data and quantitative analysis for business decision-making using:
– Structured data – data in an ERP database or spreadsheets
– Unstructured data – data that doesn't reside in a traditional row-column database or spreadsheet
▪ Expands upon business intelligence (BI) – the ability to take information resources and convert them into knowledge that is useful in decision-making
– Lower-level decision-making consisting of reports, queries, scorecards, dashboards
– Rear-view mirror approach using structured data only

Figure 12-1: Warning Signs an Organization Needs Business Analytics
• You have to wait longer than a day for someone to make or change a report for you.
• Across the organization there are more than 100 pending requests for reporting/dashboard/scorecard changes waiting for a specialist to make them.
• At meetings, there are multiple numbers being quoted for the same thing—and no one knows which is correct.
• The commentary is larger than the automatically generated report.
• The report is not generated automatically, but is a handcrafted labor of love by either yourself or one of your staff.
• There are hundreds of rep ...