Foreign Literature Translation

Original Text

Use ERP Internal Control Exception Reports to Monitor and Improve Controls

The extensive use of enterprise resource planning (ERP) systems provides opportunities for continuous monitoring and improvement of internal control systems. This continual monitoring and improvement of internal controls, in turn, assures that management can comply with relevant sections of the Sarbanes-Oxley Act of 2002 (SOX). In this article, we will describe critical processes and systems that are necessary to monitor internal control compliance and the implications for SOX compliance.

Internal controls have been integrated into accounting software systems for many years, and ERP systems have enabled monitoring of internal controls that was not possible with legacy systems. For example, ERP systems can provide control reports that highlight inappropriate segregation of duties from an enterprise-wide perspective. The focus here will be on such newer approaches to monitoring internal control compliance: specifically, the use of control reports to monitor and improve user access controls and segregation of duties.

Control reports can be defined in many ways. Our use of control reports will refer to standard or specialized reports available in ERP systems to report authorization or user access violations. Some reports may have an enterprise-wide focus, while others may be within specific business processes, such as purchasing. For example, a report of conflicting capabilities can show users with conflicts across various business processes. A report examining a history of changes to a record for control violations would focus on a specific business process. These reports are used for several purposes. The appropriate manager or internal auditor can review such reports for internal control self-assessment and control improvement.

Monitoring internal control compliance is important in ERP systems because core business processes such as purchasing, accounts payable, cost accounting, banking/treasury functions, and human resource systems are integrated into an enterprise-wide system. The ERP platforms allow companies to reduce costs, become more efficient, and respond faster to changes in the marketplace. This increased functionality, however, creates different risk profiles that, if not monitored properly, can result in control breakdowns and potentially significant losses for a company. ERP systems also push initiation or authorization of transactions to lower levels of the organization, thereby causing increased control problems. These control risks and problems must be counterbalanced by effective internal controls that should be monitored constantly to ensure organizational effectiveness, efficiency, and safeguarding of processes.

I. Importance of Internal Controls

Managers, accountants, and internal auditors bear responsibility for developing, monitoring, and improving internal control systems. Their responsibilities include preventing, detecting, and correcting control weaknesses and risks that may cause a failure to achieve operational and information processing objectives. The key risks of which each of these parties must be aware as they develop and monitor internal controls include:

1. The risk of fraud, particularly for systems with payment generation capability, when a single person has ERP authorizations that allow control of two parts of a transaction. This inappropriate segregation of duties can lead to fraudulent activity.
2. Noncompliance with privacy guidelines. ERP systems store enormous amounts of data, including customer, vendor, and employee data. Without proper internal control, privacy can be violated intentionally or unintentionally.
3. Inappropriate disclosure of time-sensitive business data.
4. Malicious or accidental damage to data. If weak internal controls allow inappropriate access to data, it is possible for data to be altered or destroyed.
5. A potential loss of competitive advantage.
6. The potential for incorrect management decisions to be made.

To lessen these risks, internal controls should be properly established, monitored, and improved. The use of control reports to monitor authorization or user access violations is important in continuous monitoring and improvement of internal control. As an analogy, the use of cost accounting systems with variance reports can be useful in continual monitoring and improvement of manufacturing efficiency and effectiveness. Yet such variance reports are not useful unless an underlying structure has been established with a proper accounting system to monitor costs against standards and unless management regularly reviews variance reports and uses the reports to improve manufacturing control. Likewise, control reports in an ERP system can be useful if a proper underlying structure is established and management uses the resulting control reports properly to monitor and improve internal controls.

II. User Access Controls

An effective model of continuous monitoring should include a process to ensure that system access of all terminated and/or transferred employees is revoked immediately upon a change. More specifically, the process should ensure that users' access is restricted to their required job activities to avoid having inappropriate ability to:

1. Commit fraud.
2. Edit or modify financial statement information or data that directly impacts financial statements (i.e., consolidated information, journal entry posting, price lists, formula cards, etc.).
3. Edit or view highly restricted data that is important operationally but not from a financial reporting perspective (i.e., budgeting files, personnel files, etc.).
4. Perform something that they should not have the access to execute and therefore might cause considerable rework or system availability issues.

In summary, monitoring user access in an ERP system will ensure that breaches of unauthorized access to the system are found and that procedures and employees with conflicting roles are quickly identified and those authorizations are terminated in a timely manner.

III. Superuser Oversight

We cannot overemphasize the need for superusers in ERP environments. Superusers must have user profiles that allow conflicting capabilities access. Specifically, a superuser is a user who has unrestricted access to the entire system, whether it is the system commands or system files, regardless of their permission levels. These superusers require such access to manage risks across the enterprise by enforcing segregation of duty profiles and preventing security and control violations before they occur in core business processes. For example, superusers are able to address segregation of duty issues by detecting, removing, and preventing access authorization risks within and across business processes. In this regard, superusers typically have access to the system's files and setup and have the highest level of privilege for applications.

Because superusers possess “unlimited” access to the system's root, commands, and applications, they can cause damage to the system and expose the organization to untold hardship and embarrassment. For example, they can mount and dismantle file systems, change another user's password without knowing the password, remove any file directory, and even shut down the entire system. As a result, the activities of superusers should be controlled by management. Management should:

1. Review superuser access privileges and align them with IT auditors for highly critical and conflicting capabilities.
2. Control superusers' activities through audit trail documentation of creation, modification, distribution, and usage.
3. Assign independent persons to review the superuser audit trail (i.e., a record of sources of information and changes made by date and by an accountable individual or organization). These need to be reviewed frequently to identify suspicious or dubious activities and responsibility for particular events.

IV. Segregation of Duties

To accomplish internal control objectives, any organization must segregate user duties properly. ERP systems allow segregation of duties via user authorizations. User profiles determine the type of access and authority each user has within the system. A user profile should not allow any user to have incompatible duties. An organization must develop, maintain, and monitor appropriate segregation of duties properly. This requires a detailed analysis of individual job functions and a determination of which functions are incompatible activities. A continuous reporting system should be able to report and use these reports to avoid segregation of duty violations by performing a test of the entire ERP system, control activities, or specified business processes at unit levels. These descriptions of conflicting abilities are maintained, stored, and accessed through the company intranet. Thus access administrators and managers can easily review potential conflicting abilities within their subunit.

V. Other Critical Control Reports in Accounts Payable

Various other reports are generated to ensure that the accounts payable process has integrity. To effectively generate these reports in a timely manner, the SAP security contacts and business administrators in each business unit at the example company also review and use these SAP control reports (see under table).

Table: SAP Control Reports

| Report name | Frequency | Purpose |
| --- | --- | --- |
| SAP profile review | Quarterly | To ensure nonconflicting profiles |
| Conflicting capabilities report | Quarterly | To ensure no conflicting capabilities |
| POs without reference to a requisition | Monthly | To ensure all materials are requisitioned |
| POs created after the invoice | Monthly | To ensure no POs are created after the invoice |
| Open purchase documents | Monthly | To detect POs not fully received or invoiced |
| Blocked invoice report | Twice per week | To resolve invoice discrepancies |

VI. Reporting Chain

As noted earlier, the use of these various reports is iterative and ongoing in the review of segregation of duties, proper user access, SAP profile review, conflicting capabilities, global business warehouse spending, purchase order (PO) list display, invoice changes report, and blocked invoice reports, to name a few. Specifically, the blocked invoice report is generated and reviewed twice a week to detect invoices blocked for whatever reason. By reviewing this report, the unit manager is able to identify reasons why invoices are blocked and then track the system so that overdue items are promptly identified and attended to. Second, by reviewing the PO changes report monthly, the business manager can review everything that is being created, including checks and price changes. Similarly, the review of the SAP profile report on a quarterly basis ensures that business unit managers have nonconflicting profiles for SAP or compensating controls. The quarterly review of the conflicting capability report ensures that no one person has conflicting abilities that could enable fraud, such as the ability to create requisitions and purchase orders. By continuously reviewing these periodic reports and updating the system for observed weaknesses, the organization is committed to ensuring data and system integrity in both its IT and business process operations.

VII. Compliance with SOX Section 302

SOX Section 404 requires public companies to publish information within the annual report concerning the scope and adequacy of internal controls. In addition, the statement on internal controls must assess their effectiveness. An effective system of internal controls must include policies and procedures to provide reasonable assurance that:

1. Detailed records accurately reflect the underlying transactions.
2. Transactions are recorded in accordance with Generally Accepted Accounting Principles (GAAP).
3. Transactions are being carried out only in accordance with management's authorization.
4. Unauthorized transactions are being prevented or detected.

The iterative process and the use of control reports described in this article will assist management in ensuring it has achieved, to the extent possible, the third and fourth items.

This iterative process of improving internal controls is extremely important to the CEOs and CFOs of public companies because of the requirements of SOX Section 302. Section 302 describes signed certifications required of the CEO and CFO in corporate financial reports. It also includes a requirement that these signing officers certify that they are responsible for internal controls and that they have evaluated the internal controls within the last 90 days. The continuous reporting and monitoring described in this article allow the CEO and CFO to have some assurance that controls have been evaluated within the last 90 days.

The current versions of ERP software also will allow real-time notification of problems in internal control. For example, the system can be configured to send an e-mail notification to the appropriate unit administrator if a user conducts transactions with conflicting abilities. The Fortune 500 company described in this article does not yet use such real-time notification.

VIII. Controls Are Vital

In the post-Sarbanes-Oxley era, organizations must continue to improve internal controls over their ERP and organizational processes to remain effective, efficient, and in compliance with regulations. Although different organizations might pursue different internal control strategies, organizations with an ERP system can leverage the current system to continuously monitor and improve their internal controls through periodic or on-demand controls or specialized reports. These reports easily can be created from an ERP system, and they can help alert managers and supervisors about authorization or user access violations. Through these control reports, conflicting capabilities across various business processes can be detected and corrected in a timely manner, either by a business unit manager or an access control administrator. By utilizing these control reports, organizations can reduce costs, become more efficient, respond faster to changes in the marketplace, safeguard assets, and avoid unnecessary business exposures. Organizations utilizing these control reports also can expect to comply with the requirements of SOX more effectively by having available detailed records that accurately reflect the underlying transactions and by having reports that show unauthorized transactions and raise alerts when access to critical areas of the company's system are being prevented or detected.

Source: Leslie D. Turner, and Vincent, PhD. Use ERP Internal Control Exception Reports to Monitor and Improve Controls. Management Accounting, 2009, 341509

Translation

Using ERP Internal Control Exception Reports to Monitor and Improve Controls

The widespread use of enterprise resource planning (ERP) systems provides opportunities for continuously monitoring and improving internal control systems. Continuous monitoring and improvement of internal controls in turn ensures that management can comply with the relevant provisions of the Sarbanes-Oxley Act of 2002. In this article, we describe the key processes and systems that are necessary for monitoring the compliance and legality of internal controls.

Internal controls have been built into accounting software systems for many years, and ERP systems are better able than traditional systems to monitor the operation of internal controls. For example, ERP can provide control reports that highlight inappropriate segregation of duties from an enterprise-wide perspective. The focus here is on some newer approaches to monitoring internal control compliance, specifically the use of control reports to monitor and improve user access controls and segregation of duties.

Control reports are defined in many ways; the control reports we use refer to standard or specialized reports, with the ERP system reporting authorization and access conflicts. Some reports may have an enterprise-wide focus, while others may focus on specific business processes, such as purchasing. For example, a conflict report can show users who have conflicts across different business processes. A report that examines the change history of a record can focus control on one specific business process. These reports serve many purposes; used appropriately, they allow managers or internal auditors to review and assess their own professional ethics.

Monitoring internal control compliance is very important in ERP systems, for example in enterprise systems covering core business processes such as purchasing, accounts receivable, treasury management, and human resources. ERP platforms enable companies to reduce costs, improve efficiency, and adapt more quickly to market changes. However, these beneficial functions can create different risk profiles which, if not properly supervised, may expose the company to control failures and potentially significant losses. ERP systems have also begun to push authorization down to lower levels of the organization, thereby raising the level of control. Resolving these control risks and problems requires constant monitoring through effective internal controls, to ensure organizational effectiveness and to safeguard the operation of processes.

I. Importance of Internal Controls

Managers, accountants, and auditors bear responsibility for developing, monitoring, and improving the internal control system. Their duties include preventing, detecting, and correcting control weaknesses and risks that may lead to failures, in order to achieve operational and information processing objectives. Each party must recognize the key risks involved, as the internal controls they develop and monitor include:

1. The risk of fraud, particularly in systems with payment capability, when one person holds ERP authorizations that allow control over both sides of a transaction. Such inappropriate segregation of duties may lead to fraud.
2. Noncompliance with privacy principles. Information systems store large amounts of data, including customer, supplier, and employee information. Without proper internal controls, privacy may be violated, intentionally or unintentionally.
3. Inappropriate disclosure of time-sensitive business data.
4. Malicious or accidental loss of data. If internal controls are weak and allow inappropriate access to data, the data may be altered or destroyed.
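5. Potential loss of competitive advantage.
6. Incorrect management decisions being made.

To mitigate these risks, internal controls should be properly monitored and improved. Using control reports to monitor user authorization or access control conflicts is important for improving internal controls. As an analogy, continuous monitoring with the very useful variance reports in a cost accounting system can improve manufacturing efficiency and effectiveness. Yet such variance reports are of no use unless the underlying structure includes a proper accounting system that regularly monitors costs against standards, and management regularly reviews the variance reports and uses them to improve manufacturing control. Likewise, if a proper underlying structure has been established and management operates normally, the resulting control reports can properly monitor and improve internal controls and are useful in an ERP system.

II. User Access Controls

An effective model of continuous monitoring should include a process that ensures an employee's system access is changed immediately upon termination or transfer. More specifically, the process should ensure that users' access is restricted to their required business activities, so as to avoid the following inappropriate actions:

1. Committing fraud.
2. Editing or modifying financial statement information or data that directly affects the financial statements (i.e., general ledger, journals, price lists, formula cards, etc.).
3. Editing or viewing highly restricted data that is important operationally rather than from a financial reporting perspective (i.e., budgeting files, personnel files, etc.).
4. Performing a business activity they should not have access to execute, which may cause considerable rework or system availability problems.

In short, monitoring user access to the ERP system ensures that unauthorized access to the system is found and that it can quickly be determined whether an employee is authorized, so that violations are stopped.

III. Overseeing System Administrators

We cannot overemphasize the need for system administrators in ERP environments. System administrators must have user profiles that allow access to conflicting capabilities. Specifically, a system administrator has unrestricted access to the entire system, whether system commands or system files. System administrators need this data to manage internal risks across the enterprise and thereby help prevent violations in core business processes. For example, system administrators can detect and remove access authorization risks, and so prevent them, across business processes. In this regard, system administrators can usually access and adjust system files by using the highest level of privilege.

Because system administrators have “unlimited” access to the system's applications and internals, they can damage the system and can also expose the organization's embarrassing inside information. For example, they can mount and unmount file systems, change other users' passwords, remove file directories, and even shut down the entire system. Therefore, the activities of system administrators should be controlled by management. Management should do the following:

1. Review system administrators' access privileges and align them with the auditors' audit criteria.
2. Control system administrators' activities by auditing the creation, modification, and use of files.
3. Assign specific persons to review system administrators' operations (i.e., identifying the particular employee or organization by the date on which information was changed). This work needs to be reviewed frequently to identify suspicious operations and to assign specific responsibility for them.

IV. Segregation of Duties

To achieve internal control objectives, every organization must segregate user duties. ERP systems can segregate duties through user authorizations. User profiles determine the type of authority and the system access each user has. User profiles set out the incompatible duties of each user. For an organization to develop, its segregation of duties must be appropriate, and it must be maintained and monitored. This requires a detailed analysis of individual jobs to determine which duties are incompatible. A continuous reporting system makes it possible to avoid violations by testing the entire ERP system, its control activities, or specified business processes. Through the company intranet, the data can be stored, maintained, and tested for conflicts. In addition, access administrators and managers can easily review potential conflicts.

V. Other Critical Control Reports in Accounts Receivable

Various other reports are prepared to ensure the integrity of accounts receivable. To generate these reports effectively and in a timely manner, the business administrators in each department of the company use SAP to enter information and to review the control reports (see the table below).

Table: SAP Control Reports

| Report name | Frequency | Purpose |
| --- | --- | --- |
| SAP profile review | Quarterly | To ensure nonconflicting profiles |
| Conflicting capabilities report | Quarterly | To ensure there are no conflicting capabilities |
| Goods purchase forms not referenced by principal officers | Monthly | To ensure all materials are requisitioned |
| Invoices created after the purchase of goods | Monthly | To ensure there are no false purchase inv… |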