background – possible uses of this assignmentleeds-faculty.colorado.edu/marlattj... · web...

Accounting Information Systems Assignment Using SAP Business ByDesign – Instructors’ Guide

Background – Possible Uses of this AssignmentHistorically, I have taught AIS using the SAP Business Suite and SAP BW to illustrate some of my course objectives. With the introduction of SAP Business ByDesign to the University Alliances, I was able to expose my students to both systems and illustrated concepts such as segregation of duties and audit trails in each system. I chose to have students complete activities in Business ByDesign before completing activities in SAP ERP, so that uninitiated students could get experience in a more user-friendly interface before plunging into the intricacies of the “big” ERP. I found that having students work in both systems has been a more effective approach than just using one system. Possibly increased effectiveness is due to repetition of activities in different contexts and with slightly different approaches. Use of both systems also provides students an opportunity for hands-on comparison of system interfaces, capabilities, and complexity. The comparison can illustrate to the students that “one size does not fit all” when it comes to software and integrated systems.

Certainly, this assignment could be effectively used on its own, without pairing it with SAP ERP assignments. It addresses important AIS control topics such as segregation of duties and access controls, fraud investigation, internal audit, audit trails, recording of transactions, and use of general ledger “suspense” accounts.

In addition, SAP Business ByDesign provides students insights into controls in “smaller” systems and allows them to better understand where system vulnerabilities in a smaller company might occur. Furthermore, use of SAP Business ByDesign, an on-demand system, in coursework provides an opportunity for discussions on cloud computing and related security issues. You might also develop discussions further by talking about how the control environment might change for companies using Business ByDesign for their smaller subsidiaries and the “big” SAP ERP for their core business processes and analytics.

For entrepreneurship courses teaching system controls, SAP Business ByDesign is especially pertinent since entrepreneurs and small business managers may indeed end up using Business ByDesign. Showing the students Business ByDesign lets them see best-of-class and affordable software for small businesses as an alternative to other less robust products. In an entrepreneurial setting, this assignment can facilitate discussion of internal controls for small businesses, particularly segregation of duties, and compensating controls such as authorizations.

Nancy Jones – California State University, Chico – 2012

This activity may also be used in a shared-tenant environment to facilitate class discussions. Rather than have each student actually complete the assignment in the system, the instructor could demonstrate the assignment in class and have students answer the questions via discussion groups or team assignments. The internal audit projects should provide ample fuel for discussion in a class environment or as a writing assignment.

ObjectivesThe following are the assignment objectives:

- Investigate how segregation of duties is enforced in an ERP system- Look at system access control policy- Explore authorizations controls in an ERP system- Discover and follow audit trails throughout transaction processing in an ERP system- Understand the role of the internal auditor in an organization- Discuss the use of temporary holding accounts (or suspense accounts) and transactional timing

differences

Assignment FeaturesThis assignment has been updated for Business ByDesign version 3.5.

The assignment was intentionally created without detailed “how-to” instructions for the students in order to 1) approximate a real-life situation and 2) help students develop trouble-shooting and problem-solving skills. Business ByDesign has robust help and tutorial features to assist users. Most students quickly learn how to use the help features. I have found it helpful to set the expectations prior to assigning the activities, so students know that they will be working with minimal navigational instruction. In my class, I spent one class period going over basic navigation in Business ByDesign and showing them how to set up and test their computer using the self-services center. In addition, I would recommend assignment of one or more of the built-in Business ByDesign tutorials for navigation and system basics, so that students feel comfortable in the system. If you use unique logins, you can check the learning modules to see that students have indeed completed the assigned tutorials.

The assignment is set up as if the student is a newly hired internal auditor and has been assigned an audit task requiring investigation via the Business ByDesign system. There are four distinct parts to this assignment and each may be used independently. However, the fourth part, “Internal Audit Project 4”, assumes the student has completed Nitin Kale’s (USC Business Process curricula) purchase-to-pay and order-to-cash assignments which include some general ledger posting checks. I have the students complete the transactional assignment prior to starting the AIS assignment to further enhance the students’ ability to navigate the system and to start them thinking about segregation of duties and audit trails. I am including these business process assignments as an addendum to this document.


This assignment provides further opportunities to discuss the role of an auditor within an organization. In particular, you will want to discuss with students that the role of the auditor is to look only and not change or add any entries within the system.

System PreparationI have all my students use the same user login ID. This of course, makes it difficult to track individual work and introduces a risk of unauthorized collaboration. If you are concerned with tracking, you might add a screen print requirement to the steps within the assignments or you could assign each student a unique login or both. With unique logins, you can track student activities within the system.

The “special” login used in Internal Audit Projects 1 and 2 is a basic user with additional access to the Application and User Management work center to investigate access rights during the audit and the Compensation work center to investigate salary information for a user. Because this user login allows the student to access user settings, you may wish to put a time limit on your special user’s access rights, so that students are not tempted to alter users’ passwords or access rights. This can be done when you assign a password to your user. The special user in my system and in the instructions for this assignment is “DWills”. You can name your special user login whatever you would like to name it. The special user login is the only preparation you will need for your Business byDesign tenant. The assignment assumes all other settings are the defaults sent with the tenant. Note: if you have changed settings in your tenant to accommodate the BIT curricula, this assignment will still work correctly.

Possible SolutionsNote that as with SAP ERP, there is frequently more than one way to accomplish the same task. Suggestions in this document are exactly that – suggestions. You may know of or prefer a different means to complete the steps in these assignments. Also, you may wish to emphasize other AIS concepts than what I suggest. You are welcome to use the assignments as best fits your course objectives.

Internal Audit Project 1Some in the company have some concerns about Almika's CFO, Edward "Eddie" Black, who has recently been taking lavish holiday vacations in the south of France. Many feel that he could not possibly be able to afford such expensive trips. The Audit team has initiated an investigation and your supervisor has assigned you the task of looking at the company's ERP to see if there may be any red flags within the system as to whether Eddie might be embezzling funds from the company in order to afford his holidays or if there might be some other explanation. You have been given a temporary login and password for this special audit. Log in as DWills, password Welcome1. This login and password will automatically expire in two weeks which is the due date for the audit report.

Since you are a new auditor, your supervisor has provided you with some hints as to how to proceed. She suggests that you first look at Eddie's authorizations within the system. Authorizations are contained in an access control matrix which is in the Application and User Management work center in


SAP Business ByDesign. User profiles and authorizations are maintained and viewed under User and Access Management – Business Users. Find Edward Black's login and study his assigned Work Centers and Views.

1.1 Make note of anything within the list that looks out of the usual here. Focus on potential segregation of duties violations. Indicate why you think these issues may be red flags. Be specific.

To access Edward Black’s assigned work center information, look at the bottom of the page under Edward’s general information. To do this, go to the Application and User Management work center, Business Users view, find Edward Black via the find field or by scrolling down the list until you find Edward Black’s name. When you click on Edward’s name, the system will take you to the master data. The general information regarding Edward Black will be at the top of the view and the work centers will be at the bottom of the screen. The student will need to scroll down to see all of Edward’s assigned work centers. This will give the names of the work centers but no detail. The student will need to postulate which work centers pose a possible violation of segregation of duties (SOD). There are many potential issues here as Almika is a small company. The student might note for instance that Edward has access to general ledger journal entries and the bank statement or that he has access to customer accounts and check deposits. It is important that the student indicate why he thinks these might be red flags. For instance, by having access to general ledger and bank statements, he could hide misappropriation of cash via journal entries.


1.2 Now look at the access matrix itself by clicking on edit and choosing access rights. The list of access rights is sorted by the Work Center ID by default. You can also sort it by any of the other column headings. The system automatically notes any possible segregation of duties conflicts and indicates them in the column to the far right. Note potential conflicts as indicated by the system. Did the system confirm your suspicions from the previous step? Be sure to look at the segregated duties tab also. Are there additional conflicts that you did not catch in the first step?

To get more detail, the student will need to click on the edit button near the top of the screen and go to edit access rights. On this screen, the system will suggest possible SOD conflicts which are indicated by red and green lights. Further detail is provided on the access restrictions tab. Again, you may want to discuss with your students that they should only be looking at the information and no changes should be made.


The student should notice that there are indeed some system-generated warnings about Edward’s authorizations in the system and be able to discuss why these are SOD violations.

1.3 Now check Eddie's pay data to confirm his current compensation plan. Find the Compensation work center and find the Employees list. Select all employees and select Edward Black from the list. What is Eddie's current compensation structure assignment grade? How much is Eddie's compensation for a year?

This step is a simple fact finding “mission” so that the management team can judge whether Eddie can afford his vacations at his current compensation rate. By clicking on Eddie’s employee ID, the students will get the following screen.


1.4 Based on your discovery regarding potential segregation of duties violations, do you think Eddie has the system access to commit fraud to finance his holiday vacations? If so, what kinds of potential frauds do you think Eddie might be committing because of the lack of SOD in the system? If not, justify why you feel Eddie's access is sufficiently limited to prevent the type of fraud which could allow him to acquire funds necessary for expensive holiday vacations.

Hopefully these questions cause the students to think about the intricacy of the fraud question. For instance, Eddie’s salary on its own may not be sufficient to fund his expensive vacations. However, he could be married to a wealthy individual, or he may have just inherited some money, or he may live very frugally so that he can afford a nice vacation. What might be the other indicators of a person living beyond his means?

If the student does believe that Eddie may be committing fraud, he should discuss the type of fraud(s) he feels may be possible. For instance, Eddie could commit financial statement fraud because he has access to the general ledger. He could misappropriate assets and hide the theft via a journal entry. He might also add an unauthorized vendor in order to take kickbacks or even to redirect supply or service payments, …and so on. As in a typical small business, Eddie has more authorizations than he might have in a larger business with the resources to segregate duties more effectively.

Without additional information about the operations of Almika, the student should not answer that Eddie’s duties are sufficiently segregated to prevent the type of fraud which could allow him to acquire funds necessary for expensive holiday vacations. If the student does so, he should justify his answer.


1.5 What could be done to further segregate Eddie's duties within the ERP and still allow him to do his job? Be specific.

A discussion regarding segregating duties further should include the idea of viewing data versus the creating or changing data. For instance, if Eddie has the authorizations to view the general ledger, but not change the general ledger, he would not be able to hide certain frauds and therefore segregation of duties would be stronger. To continue the discussion, you might also talk about queries, dashboarding and other reporting to get Eddie the information he needs, but not allowing him access to make changes or to create records.

The student could also approach this as an access matrix problem whereby he determines exactly which activities Eddie should be allowed to access. Business ByDesign can assist in this effort via the SOD monitor illustrated in step 1.2 of this assignment.

1.6 Opportunity to commit fraud is not proof of fraud. Fraud cannot be prosecuted without absolute proof. Thus further investigation will be necessary. Could there be other reasons that Eddie is able to travel to the south of France? What might they be?

See 1.4: he could be married to a wealthy individual, or he may have just inherited some money, or he may live very frugally so that he can afford a nice vacation, or he has friends in the south of France, and so on.

Internal Audit Project 2While investigating Eddie Black's authorizations within SAP Business ByDesign, your team determined that it could be possible that another person had obtained Eddie's password and was using it to commit a fraud. Now that you have been able to tighten up segregation of duties within the system, the perpetrator will be less likely to commit the same types of fraud. However, internal auditors are responsible for ascertaining that all internal controls are sufficient and access controls are part of those controls. Since you did so well on investigating Eddie's authorizations, your supervisor would now like you examine the password policy and make sure that the system enforces the policy.

Company policy states that users should have passwords to their PC's and to the SAP Business ByDesign system of sufficient complexity and length that it would be difficult for someone to guess the password. In addition, employees are required to change their passwords every six months. Another member of your team will check the PC's. You are in charge of checking SAP Business ByDesign.

2.1 Using your special login "DWills", log into SAP Business ByDesign. Under the Application and User Management work center look at Edit Security Policy under Common Tasks. Select the default security policy RS_Almika_Business_User, and note the settings. Look at the column marked Complexity. Do you


feel these meet the goals of Almika's password policy? Why or why not? What settings could we change to strengthen the company's password controls even more?

The missing password policy control here is the minimum number of special characters. There should be at least one special character to make the password more complex although the requirement is not specified in the Almika policy.

2.2 On the same screen under the heading Validity, note the settings. Do you feel these meet the goals of Almika's password policy? Why or why not? What settings could we change to strengthen the company's password controls even more?

The missing password policy control here is the maximum password validity. Almika requires users change their password every six months, but that setting is left blank. Students might argue that Almika should change the policy to require user password changes more frequently. The student might also note that the initial password should have a time limit so that the unused login isn’t creating a system vulnerability, particularly if initial passwords are always the same; e.g. Welcome1.

You could also expand this step of the assignment to have the student compare policy IDs and determine if it is appropriate to have more than one password policy at Almika.

2.3 What other policies outside of the SAP Business ByDesign system might strengthen Almika's access controls?


Other possible controls include access restrictions based on normal working hours, automatic timed logoffs, or login permitted from only one device at a time. Management policy regarding appropriate use of company resources and penalties for noncompliance should also be spelled out in employee handbooks and other communications. Most AIS texts address these issues and more in their internal control chapters.

Internal Audit Project 3One of the responsibilities of the internal audit function is to ascertain that procedures are being followed correctly. As a seasoned member of the team, you have been asked to verify that year-end closing procedures have been carried out in the accounting department. You will log into the system using your own login, Auditor and password Welcome1.

3.1 You will first want to ascertain that all auditor year end tasks have been completed. Under the Auditor work center and Closing Relevant Tasks task, check to see if there are outstanding tasks by listing the open tasks. What tasks are outstanding, (if any)?

Depending on what work has been done in your tenant, the outcome of this step may differ. Typically, there will be no outstanding tasks and this step introduces the student to the idea of a closing cockpit and the series of tasks that are required to close an accounting period. The following is a screen print of a tenant with closing activities to complete. Note that you can click on the task to view details.


3.2 In the normal process of closing the financial books, timing differences occur and occasionally documents are not posted before the actual year end calendar date. Accountants are responsible for making sure that documents are posted in the proper time period and may be required to enter accrual journal entries to be sure the transactions are entered properly. At year end, we want to be sure that all documents have been posted so that our end-of-year financials are accurate. Check to see that all documents have been posted to the system for the closing of the year. Look under Source Documents on the task list. What outstanding documents need to be posted, (if any)?

Again, depending on what work has been done in your tenant and what time of year it is, the outcome of this step may differ. The following shows several documents to be posted prior to year end close, but yours may show no outstanding documents.

3.3 The closing cockpit helps accountants manage the month-end and year-end closing processes. It assigns tasks to individuals and creates a check list so that tasks are not forgotten. For instance, our financial statements would be inaccurate if the accountant forgot to amortize prepaid expenses or did not accrue expenses, and so on. Look at Almika's Closing Cockpit in the task list and look at the closed periods and specifically December 2011. Who was responsible for closing tasks December 2011? Are there any outstanding tasks to do?


Iris Green (Financial02) is responsible for closing the year. If you have done other general ledger closings in your tenant, you might also have month end closing tasks open as is the case with the tenant in the following screen shot.

3.4 SAP Business ByDesign provides a means to send a message or alert to others within the organization regarding transactions, reports, and other noteworthy issues within the ERP system. In addition, tasks which are not authorized by the user are sent on to supervisors for authorization before they can be processed fully, and supervisors can be alerted to transactions which have been processed and should be reviewed or otherwise investigated. Let's experiment with an alert. In the Auditor work center, choose the View Open and Closed Periods under Common Tasks. Show the All Periods list and choose IFRS December 2011. On the drop down list under New, there are four options to create a new task, notification, alert, and clarification request. What are the differences between these four communications?


Students may look up the definitions in the SAP Business ByDesign glossary or create their own. The task in this case is considered an escalation task for glossary purposes. According to the glossary, an escalation task is “the task created in addition to the original task to involve a more senior employee in the business process”. A notification is defined as “an information item that typically requires no action”. An alert is “a task with highest available priority that requires immediate user action.” The glossary identifies a clarification request as “a manually created task used for asking another user for more information on an item.”

3.5 Create an alert to DWills for the IFRS December 2011 set of books. Tell Dee to look at the financial statements for December 2011 and be sure to sign your name to the alert (since you are logged in as Auditor rather than a login with your own name). Send the alert as a high priority. Log off the SAP Business ByDesign system and log back in as DWills. Where on DWills' home page did you find your alert? What are your options regarding the alert; in other words, what are your disposition options under the Actions list?


No action is necessary to make the alert high priority, since by definition “high priority” is the default.

When the student logs in as Dee Wills, he will see the following on the home screen.


Double clicking on the open alerts will take you to the alert message. The options regarding the message are captured in the following screen print.


3.6 Now let's look at an example of authorizations enforced by the system. Log in as Kate Jacobs in Sales, Sales02P, password Welcome1. In Kate's Home work center, find and click on the Self Services Overview. Kate would like to requisition 200 reams of paper at $3.00 each. Go shopping with Kate to request 200 reams of paper. Hint: enter "paper" in the find field and the system will locate the item number and cost for you. When you complete the order, note the message at the bottom left of the screen and write it down here. Be sure to note the system-generated requisition number.


Only the item to be ordered and the quantity need to be entered on this screen. The $3.00 price per ream of paper will be entered automatically and will show up in the next screen.


Students should note their shopping cart ID and more importantly, the fact that it is in approval with their supervisor, Bob Menson.


3.7 Log out of Kate's account and log into Bob Menson's account, Sales01P, password Welcome1. Bob is Kate's manager and is responsible for the department's profitability. Under the Managing My Area work center, look at Approvals. Find Kate's order number as you noted it above. Notice the message in the description box. Why is Bob getting a request for approval?

Bob is getting a request for approval because Kate’s purchase is over her limit.

3.8 Describe how this approval process is a strong internal control for Almika and how it can be used to reduce fraud and waste.

The students may offer many different explanations of the approval or authorizations internal control. If your textbook provides specific detail regarding the authorizations control you may want to guide students toward the concepts of the textbook. In my classes, I look for answers which include some discussion of approvals as an internal control to prevent employees from ordering unneeded items or overpriced items or ordering items from unauthorized vendors. Students might also mention approvals as a means to keep departments within budget constraints. Furthermore, approvals can be used as a compensating control for lack of SOD within a business process.

3.9 As you logged in as different users, you should have noticed that each user had a different set of views which aligned with his or her access to the system. The user was not able to see those functional areas where he or she did not have authorizations. This is typically called an "ignorance control". In your opinion, how effective do you think the ignorance control may be in enforcing segregation of duties


controls? Justify your opinion. Why do you think Bob Menson had more graphic measures in his home work center than other users, (Hint: think about his responsibilities)?

A reasonable answer to this question would mention that typically ignorance controls are fairly effective because users do not see what else is available in the system. These controls fail when users share passwords or leave computers logged in and others can see their access rights or if there is a means to “see behind” the user menus.

Regarding why Bob Menson has more graphic measures, I look for a statement about Bob’s role at Almika. He is the sales manager and needs “high level” views of what is going on with all his sales people and he needs to know quickly what is going on. He doesn’t necessarily have time to look at lots of detailed reports. He wants information at a glance.

Internal Audit Project 4 Another responsibility of the internal auditor is to be sure that the system is processing transactions properly. In "real life", this is a fairly extensive and sometimes complex task so we will look at only a portion of the process. One way that we can be sure the system is processing transactions properly is to do a "test of transactions" and check to be sure the transaction is posting correctly to the financial statements. You have already done this in the business process exercises you did in the procure-to-pay and order-to-cash previously.

4.1 In the purchase-to-pay process, when you were logged in as Iris Green, you were asked to look at the GR/IR account via a report. This account does not appear on the financial statements. What is the purpose of this account?

The GR/IR account is a temporary holding or “suspense” account to accommodate timing differences. In this case, we have received inventory, but not the vendor’s invoice yet. We need to increase the inventory account, but we cannot yet record the Accounts Payable (A/P) liability. Temporary accounts need to be reconciled to a zero balance each month.

4.2 You should have noticed that the debits and credits in the GR/IR account did not offset each other. What procedures should the accountant follow to reconcile this difference? In other words, what would be appropriate end of month procedures regarding the GR/IR account? Discuss how the GR/IR account be used as a control to insure completeness of data.

If the GR/IR account or other suspense accounts are not zero at the end of the period, then the accountant needs to determine why it is not zero. In the case of the GR/IR account, we have the inventory, but not the vendor’s invoice, so we need to request the invoice or accrue the liability. It is important to note, that we cannot just post this liability to A/P because the A/P detail must match the general ledger and it will not match until we get the vendor invoice.


This is a good control to be sure we have all the vendor invoices recorded as liabilities. Otherwise, the balance sheet will be inaccurate. Conversely, we cannot just wait for the vendor invoice to arrive before we book the inventory because our balance sheet will still be inaccurate, (the assets will be understated), our physical inventory will not match our general ledger and our sales staff will be misinformed about inventory availability.

4.3 How might an auditor use the drill down capabilities that you observed in step 3.9 of the Business Process exercises to determine the accuracy of financial accounting records? Do you have other suggestions on how SAP Business ByDesign can be used to assist the auditor in verifying the accuracy of the transactional data?

The drill down function allows us to determine from where the information in any part of the financial statements is derived. It can help us insure accuracy of the financials. If an unusual item is posted to an account we can investigate further by looking at the journal entry. If it still looks questionable, we can pull source documents to confirm the posting.

The document flow function is helpful to an auditor confirming that a transaction is completed and subsequent documents reflect the original document.

The built-in field validations in Business ByDesign can help reduce the likelihood of incorrect data being entered into the system. For example, drop down boxes are also a type of field validation control which only allows certain entries into the field. Other field controls reduce errors because if someone enters something outside of the acceptable range, an exception report will be generated which may be reviewed by the auditor.

Auditors can look at change and exception logs to determine if perhaps an incorrect entry has been made. Auditors can also look at reports showing trends to extrapolate possible abnormalities in data entry.
