AIS REPORTING
Topic Outline:
Chapter 10: The REA Approach to Database Modeling
First Reporter - ROJAS
● THE REA APPROACH
- The REA Model
● DEVELOPING AN REA MODEL
- Differences between ER and REA Diagrams
- View Modeling: Creating an Individual REA Diagram
Second Reporter - SANCHEZ
● VIEW INTEGRATION: CREATING AN ENTERPRISE-WIDE REA MODEL
- Step 1. Consolidate the Individual Models
- Step 2. Define Primary Keys, Foreign Keys, and Attributes
- Step 3. Construct Physical Database and Produce User Views
Third Reporter - NEPTUNO
● REA and Value Chain Analysis
● REA Compromises in Practice
Chapter 11: Enterprise Resource Planning Systems
● WHAT IS AN ERP?
- ERP Core Applications
- Online Analytical Processing
● ERP SYSTEM CONFIGURATIONS
- Server Configurations
- OLTP Versus OLAP Servers
- Database Configuration
- Bolt-on Software
Fourth Reporter - VILI
● DATA WAREHOUSING
- Modeling Data for the Data Warehouse
- Extracting Data from Operational Databases
- Cleansing Extracted Data
- Transforming Data into the Warehouse Model
- Loading the Data into the Data Warehouse Database
- Decisions Supported by the Data Warehouse
- Supporting Supply Chain Decisions from the Data Warehouse
● RISKS ASSOCIATED WITH ERP IMPLEMENTATION
- Big Bang Versus Phased-in Implementation
- Opposition to Changes in the Business’s Culture
- Choosing the Wrong ERP
Fifth Reporter - ACERDEN
- Choosing the Wrong Consultant
- High Cost and Cost Overruns
- Disruptions to Operations
● IMPLICATIONS FOR INTERNAL CONTROL AND AUDITING
- Transaction Authorization
- Segregation of Duties
- Supervision
- Accounting Records
- Independent Verification
- Access Controls
- Internal Control Issues Related to ERP Roles
- Contingency Planning
PowerPoint Presentation:
First Reporter - ROJAS
THE REA APPROACH
REA - resources, events, and agents
● The REA model
- It is an accounting framework for modeling an organization’s critical resources,
events, and agents and the relationships between them.
- It permits both accounting and nonaccounting data to be identified, captured, and
stored in a centralized database.
- It may be implemented within either relational or object-oriented database
architectures.
Figure 10-1: Basic REA Model
● Elements of REA Model
1. Resources
- Economic resources are things of economic value to the organization. They are
defined as objects that are both scarce and under the control of the enterprise.
Resources are used in economic exchanges with trading partners and are either
increased or decreased by the exchange.
2. Events
- Two Classes of Events
❖ Economic events
- They are the phenomena that effect changes (increases or decreases) in
resources as represented by the stock flow.
- They result from activities such as sales of products to customers,
receipt of cash from customers, and purchases of raw material
from vendors.
- They are the critical information elements of the accounting system and
must be captured in as disaggregated (highly detailed) a form as
possible to provide a rich database.
❖ Support events
- They include control, planning, and management activities that are
related to economic events, but do not directly effect a change in
resources.
- Examples of support events include:
a. determining inventory availability for a customer prior to
making a sale
b. verifying supporting information (performing a
three-way-match) prior to disbursing cash to a vendor
c. checking customer credit before processing a sale.
3. Agents
- Economic agents are individuals and departments that participate in economic and
support events.
- They are parties both inside and outside the organization with discretionary power
to use or dispose of economic resources.
- Each economic event is associated with at least one internal agent and one
external agent who participate in the exchange.
- Internal and external agents are also involved in support events, but the exchange
involves information rather than economic resources.
● DUALITY
- The exchange is a pair of economic events, which is expressed via the duality
association.
- Each economic event is mirrored by an associated economic event in the opposite
direction.
Figure 10-2
- It expands the basic REA model to illustrate the connection between these dual events:
the give event and receive event. From the perspective of the organization function being
modeled, the give half of the exchange decreases the economic resource, as represented
by the outflow association.
Figure 10-3
- It presents several examples of the give and receive events as they relate to the revenue,
expenditure, and conversion cycles.
DEVELOPING AN REA MODEL
● Differences between ER and REA diagrams
1. ER and REA diagrams differ visually in a significant way.
- Entities in ER diagrams are of one class, and their proximity to other entities is
determined by their cardinality and by what is visually pleasing to keep the
diagrams readable.
- Entities in an REA diagram, however, are divided into three classes (resources,
events, and agents) and organized into constellations by class.
Figure 10-4
2. The Sequencing of Events
- ER diagrams present a static picture of the underlying business phenomena.
Relationships between data are shown through cardinality and associations, but
the sequence of activities that determine the cardinality and associations is not
clearly represented.
- REA diagrams, however, are typically organized from top to bottom within the
constellations to focus on the sequence of events. An advantage of this is that
during systems development, management and nontechnical users better
understand REA diagrams.
3. Naming Conventions for Entities
- In ER diagrams, entity names are always represented in the singular noun form.
- REA modeling applies this rule when assigning names to resource and agent
entities. Event entities, however, are given verb (action) names such as Sell
Inventory, Take Order, or Receive Cash. The reader should, therefore, be careful
to not confuse an event entity with a process. Event entities on an REA diagram
represent and describe database tables that will store data about processes, but
they are not representing or describing the processes themselves.
● View Modeling: Creating an Individual REA Diagram
This section describes the view modeling process as applied to creating an REA
diagram. The process involves the following steps:
1. Identify the event entities.
2. Identify the resource entities.
3. Identify the agent entities.
4. Determine associations and cardinalities between entities.
These procedures are performed for each organizational function being modeled.
The result is several individual REA diagrams. The modeling process is completed
during the view integrating phase (described later) where the individual models are
consolidated into a single global model.
a. STEP 1: Identify the Event Entities
- The first step in developing an REA model is to identify the event entities in the
function being modeled.
- These entities include Verify Availability, Take Order, Ship Product, and Receive
Cash.
- An REA model must, at a minimum, include the two economic events that
constitute the give and receive activities that reduce and increase economic
resources in the exchange.
- It may include support events, which do not change resources directly.
● VERIFY AVAILABILITY.
- The Verify Availability event is a support event because it does not directly
increase or decrease a resource. The decision to add this entity to the model will
depend on management’s need for information regarding customer inquiries. Such
information could help them determine which inventory items customers most
frequently demand.
● TAKE ORDER.
- Depending on the circumstances, it could be either an economic or support event.
- It typically involves only a commitment on the part of the seller to sell goods to
the customer.
- It may even involve adjusting (decreasing) the inventory available for sale to
prevent it from being sold or promised to other customers.
● SHIP PRODUCT.
- It is an economic event. This is the give half of an economic exchange and
reduces the inventory resource directly.
● RECEIVE CASH.
- It is an economic event. This is the receive half of the exchange and
increases the cash resource.
● INVALID ENTITY TYPES.
- REA modeling focuses on value chain events.
- These are the activities that use cash to obtain resources including equipment,
materials, and labor and then employ those resources to earn new revenues.
Bookkeeping tasks such as recording a sale in the journal and setting up an
account receivable are not value chain activities.
- These are invalid entity types and should not be included in an REA diagram.
- A fundamental precept of REA is the rejection of accounting artifacts, including
journals, ledgers, and double-entry bookkeeping.
- Capturing transaction data in sufficient detail adequately serves traditional
accounting requirements.
Figure 10-5 presents the four events previously described in sequence of occurrence.
b. Step 2. Identify the Resource Entities
- The next step in creating the REA diagram is to identify the resources that are
impacted by the events selected to be modeled.
- Each economic event in an REA model must be linked to at least one resource
entity whose economic value will be either reduced or increased by the event.
- Support events are also related to resources but do not effect a change in the
resource value.
- This resource is increased as employees render their services to the organization
and is simultaneously decreased as those services are employed in the
performance of a task.
The resource and associated event entities are presented in Figure 10-6.
c. Step 3. Identify the Agent Entities
- Each economic event entity in an REA diagram is associated with at least two
agent entities. One of these is an internal agent and the other is an external agent.
The external agent associated with all four events in the Apex case is Customer.
In addition, four internal agents are associated with the four events:
1. The customer services clerk, who participates in the Verify Availability
event.
2. The sales representative, who participates in the Take Order event.
3. The shipping clerk, who participates in the Ship Product event.
4. The cash receipts clerk, who participates in the Receive Cash event.
d. Step 4. Determine Associations and Cardinalities between Entities
- Association is the nature of the relationship between two entities, as the labeled
line connecting them represents.
- Cardinality (the degree of association between the entities) describes the number
of possible occurrences in one entity that are associated with a single occurrence
in a related entity. Four basic forms of cardinality are possible: zero or one (0,1),
one and only one (1,1), zero or many (0,M), and one or many (1,M).
- Figure 7
- Figure 8
● CARDINALITY BETWEEN THE VERIFY AVAILABILITY AND TAKE ORDER
ENTITIES.
○ Each occurrence of the Verify Availability entity is the result of a customer
inquiry. We know from the case description, however, that not all inquiries result
in a customer order. On the other hand, we will make the simplifying assumption
that each Take Order occurrence is the result of an inquiry. The cardinality on the
Take Order side of the relation, therefore, is 0,1. On the Verify Availability side, it
is 1,1.
● CARDINALITY BETWEEN THE TAKE ORDER AND SHIP PRODUCT ENTITIES.
○ The 0,1 cardinality on the Ship Product side of the relation reflects the timing
difference between orders taken and shipped. Because sales are not processed
instantly, we can assume that an order will exist (occurrence of Take Order) that
has not yet been shipped (no occurrence of Ship Product). Furthermore, an order
that is canceled before being shipped would also result in no Ship Product record
being created.
● CARDINALITY BETWEEN THE SHIP PRODUCT AND RECEIVE CASH
ENTITIES.
○ Business terms of trade and payment policies vary greatly. Companies that make
credit sales to consumers often accept partial payments over time. This would
result in many cash receipts occurrences for a single shipment occurrence. On the
other hand, companies whose customers are other businesses typically expect
payment in full when due. Business customers, however, may consolidate several
invoices on a single cash payment to reduce check writing.
● CARDINALITY BETWEEN THE CASH AND RECEIVE CASH ENTITIES.
○ The cash resource of an organization is composed of several different accounts,
such as the general operating account, payroll imprest account, petty cash, and so
on. These are consolidated for financial reporting into a single account, but are
used and tracked separately. The cardinality depicted in this relationship implies
that cash is received from many customers and is deposited into one account.
● MANY-TO-MANY ASSOCIATIONS.
○ Figure 8
○ Figure 9
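The four view-modeling steps above, carried through to tables, as an added example that is not part of the original report or the textbook. It uses SQLite through Python; all table and column names are hypothetical, each event references a single inventory item for brevity, and the link table for the many-to-many Ship Product / Receive Cash association is an assumed design.

```python
import sqlite3

# Hypothetical schema: agents and resources first, then the four events.
SCHEMA = """
CREATE TABLE customer  (cust_id    INTEGER PRIMARY KEY, name  TEXT NOT NULL);
CREATE TABLE employee  (emp_id     INTEGER PRIMARY KEY, job   TEXT NOT NULL);
CREATE TABLE inventory (item_id    INTEGER PRIMARY KEY, descr TEXT NOT NULL);
CREATE TABLE cash      (account_id INTEGER PRIMARY KEY, descr TEXT NOT NULL);

CREATE TABLE verify_availability (
    inquiry_id INTEGER PRIMARY KEY,
    cust_id    INTEGER NOT NULL REFERENCES customer(cust_id),
    clerk_id   INTEGER NOT NULL REFERENCES employee(emp_id),
    item_id    INTEGER NOT NULL REFERENCES inventory(item_id));

-- NOT NULL: every order stems from one inquiry (1,1 on the inquiry side).
-- UNIQUE:   an inquiry yields at most one order (0,1 on the order side).
CREATE TABLE take_order (
    order_id   INTEGER PRIMARY KEY,
    inquiry_id INTEGER NOT NULL UNIQUE
               REFERENCES verify_availability(inquiry_id),
    cust_id    INTEGER NOT NULL REFERENCES customer(cust_id),
    rep_id     INTEGER NOT NULL REFERENCES employee(emp_id));

-- UNIQUE order_id: an order has zero or one shipment (0,1).
CREATE TABLE ship_product (
    ship_id    INTEGER PRIMARY KEY,
    order_id   INTEGER NOT NULL UNIQUE REFERENCES take_order(order_id),
    item_id    INTEGER NOT NULL REFERENCES inventory(item_id),
    clerk_id   INTEGER NOT NULL REFERENCES employee(emp_id));

-- Many receipts are deposited into one cash account.
CREATE TABLE receive_cash (
    receipt_id INTEGER PRIMARY KEY,
    account_id INTEGER NOT NULL REFERENCES cash(account_id),
    cust_id    INTEGER NOT NULL REFERENCES customer(cust_id),
    clerk_id   INTEGER NOT NULL REFERENCES employee(emp_id),
    amount     REAL NOT NULL CHECK (amount > 0));

-- Link table: partial payments and consolidated payments are both allowed.
CREATE TABLE ship_receipt (
    ship_id    INTEGER NOT NULL REFERENCES ship_product(ship_id),
    receipt_id INTEGER NOT NULL REFERENCES receive_cash(receipt_id),
    PRIMARY KEY (ship_id, receipt_id));
"""

# Constructed sample rows: three inquiries, two orders, one shipment paid
# by two partial receipts.
SAMPLE = """
INSERT INTO customer VALUES (1, 'Constructed Customer Co');
INSERT INTO employee VALUES (1, 'customer services clerk'),
    (2, 'sales representative'), (3, 'shipping clerk'),
    (4, 'cash receipts clerk');
INSERT INTO inventory VALUES (10, 'widget');
INSERT INTO cash VALUES (100, 'general operating account');
INSERT INTO verify_availability VALUES (1, 1, 1, 10), (2, 1, 1, 10), (3, 1, 1, 10);
INSERT INTO take_order VALUES (1, 1, 1, 2), (2, 2, 1, 2);
INSERT INTO ship_product VALUES (1, 1, 10, 3);
INSERT INTO receive_cash VALUES (1, 100, 1, 4, 60.0), (2, 100, 1, 4, 40.0);
INSERT INTO ship_receipt VALUES (1, 1), (1, 2);
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite does not enforce FKs by default
    conn.executescript(SCHEMA)
    conn.executescript(SAMPLE)
    conn.commit()
    return conn

def rejected(conn, sql, params=()):
    """True if the insert breaks a key or cardinality rule; never persists."""
    try:
        conn.execute(sql, params)
        return False
    except sqlite3.IntegrityError:
        return True
    finally:
        conn.rollback()

def unshipped_orders(conn):
    """Orders with no Ship Product occurrence yet (the 0 in 0,1)."""
    rows = conn.execute(
        "SELECT o.order_id FROM take_order o "
        "LEFT JOIN ship_product s ON s.order_id = o.order_id "
        "WHERE s.ship_id IS NULL ORDER BY o.order_id")
    return [r[0] for r in rows]

def receipts_for_shipment(conn, ship_id):
    """(number of receipts, total amount) applied to one shipment."""
    return conn.execute(
        "SELECT COUNT(*), SUM(r.amount) FROM ship_receipt l "
        "JOIN receive_cash r ON r.receipt_id = l.receipt_id "
        "WHERE l.ship_id = ?", (ship_id,)).fetchone()

if __name__ == "__main__":
    db = build_db()
    print("unshipped orders:", unshipped_orders(db))
    print("receipts for shipment 1:", receipts_for_shipment(db, 1))
```

Note that no journal, ledger or accounts receivable table appears: the amount owed on a shipment is derived from the event rows when needed.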
Second Reporter - SANCHEZ
Third Reporter - NEPTUNO
REA and Value Chain Analysis:
● REA (Resources, Events, Agents) approach provides competitive advantages by
enhancing the focus on value-added activities.
● Organizations must prioritize processes that drive value to remain competitive and
responsive to external changes.
● Value chain analysis distinguishes between primary activities (directly create value) and
support activities (assist primary activities).
● Applying value chain analysis helps organizations improve flexibility, customer
satisfaction, and product scheduling.
● Traditional information systems do not efficiently support value chain analysis, leading
to issues like data redundancy.
● REA as a single information system framework overcomes these issues by offering
integrated, detailed data.
Advantages of REA:
1. Helps managers identify nonvalue-added activities and eliminate inefficiencies.
2. Enables storage of financial and nonfinancial data in a common database, reducing
maintenance issues.
3. Provides detailed financial and nonfinancial data for broader management decision-making.
4. Offers more accurate and timely information, enhancing customer service, product quality, and
production flexibility.
REA Compromises in Practice:
● REA is often seen as a theoretical model for improving system and database design, but
larger organizations may compromise the model for financial reporting purposes.
● Extracting financial information from REA’s event database can be challenging due to the
volume of data.
● Most companies use REA for operational databases while maintaining a traditional
ledger system for financial reporting.
● Enterprise resource planning (ERP) systems often integrate both event-based and
traditional systems for comprehensive data management.
What is an ERP?
● ERP Definition: ERP (Enterprise Resource Planning) systems are multi-module software
packages that evolved from Manufacturing Resource Planning (MRP II) systems.
● Objective: ERP integrates key processes across an organization, such as order entry,
manufacturing, payroll, and human resources, into a single, integrated system that shares
information organization-wide.
● Traditional System Flaws:
o Traditional models used separate systems for each functional area (e.g., order
entry, procurement), leading to communication and data redundancy issues.
o Closed database architecture results in disconnected systems with high data
redundancy and delays.
o Information such as order status is hard to track across departments, causing
inefficiencies and frustrated customers.
● ERP Benefits:
o ERP replaces the fragmented systems with a single, unified database to
streamline operations and improve communication across departments.
o Provides a standardized environment for seamless information flow, helping
with process efficiency.
o ERP databases store data centrally and can be structured according to specific
business needs.
ERP Core Applications:
● ERP systems have two main groups of applications:
1. Core applications: Support daily business operations (e.g., sales, distribution,
planning, logistics).
2. Business analysis applications: Assist with decision-making and performance analysis.
o Core applications are critical for business continuity, also known as Online
Transaction Processing (OLTP).
● Key Core Applications:
o Sales and Distribution: Manages order entry, delivery scheduling, product availability,
and credit limit checks.
o Business Planning: Forecasts demand, plans production, manages routing information,
and handles capacity planning. Some ERPs offer simulations for managing shortages.
o Shop Floor Control: Oversees production scheduling, dispatching, job costing, and
production status tracking.
o Logistics: Manages inventory, warehouse operations, and shipping, ensuring timely
delivery.
● Integration Benefits:
o Customer orders are entered once, reducing manual errors.
o Information is shared across departments in real-time, improving operational efficiency
and decision-making.
Online Analytical Processing (OLAP):
● ERP is more than a transaction processing system; it helps management with real-time
information for decision-making.
● OLAP supports decision-making through functions like modeling, data retrieval, ad hoc
reporting, and analysis.
● Some ERP systems include industry-specific modules or third-party integrations.
● Data warehouse: A central repository for business analytics, providing easy data retrieval
for analysis.
● Data can be periodically extracted from operational databases to serve as a data
warehouse.
ERP System Configurations:
● ERP systems typically use a client-server model.
● Two-Tier Model:
➢ The server manages both application and database functions.
➢ Client computers handle data presentation and communication with the server.
➢ The two-tier model is generally suitable for local area networks (LANs) with
smaller user bases.
● Three-Tier Model:
○ Separates database and application functions.
○ Used in large ERP systems, typically involving Wide Area Networks (WANs).
○ Requires multiple network connections: the client communicates with the
application server, which then connects to the database server.
OLTP vs. OLAP Servers:
● OLTP (Online Transaction Processing) focuses on large numbers of simple transactions,
such as updating accounting records across various tables.
● OLAP (Online Analytical Processing) is used for complex queries and decision-making
support, often tied to data warehouses.
Database Configuration:
● ERP systems are made up of thousands of database tables associated with specific
business processes.
● Configuration of these tables requires careful planning to align with business operations
and often involves reengineering processes to match ERP functionality.
Bolt-On Software:
● Some companies use additional bolt-on software from third-party vendors to meet
specific needs not covered by the core ERP system.
● These bolt-ons can be provided by ERP vendors or other third parties. Examples like
Domino's Pizza have been mentioned for independent solutions.
Supply Chain Management (SCM):
● SCM software manages the movement of goods from raw materials to the consumer.
● Key activities include procurement, production scheduling, order processing, inventory
management, transportation, warehousing, customer service, and demand forecasting.
● SCM integrates and coordinates all aspects of the supply chain, creating a seamless
process.
● Competitive advantage is achieved by linking supply chain activities more efficiently
than competitors.
ERP and SCM Convergence:
● ERP vendors are adding SCM functionality to their products, with major players like
SAP and Oracle integrating SCM modules.
● SCM vendors are also expanding their systems to include ERP-like functionalities.
● Smaller SCM and ERP vendors may be pushed out as larger companies dominate the
market.
Fourth Reporter - VILI
DATA WAREHOUSE / DATA WAREHOUSING
- A large storage system for relational or multidimensional data, often terabytes in size,
serving the entire organization.
● Data Mart
- A smaller version of a data warehouse, focused on a specific department or
function, containing less data.
● Data Mining
- The process of analyzing large datasets to identify patterns and relationships using
sophisticated techniques.
ESSENTIAL STAGES OF DATA WAREHOUSE
➢ Modeling data for the data warehouse
- Normalizing data in an operational database is necessary to reflect accurately the
dynamic interactions among entities.
- Data attributes are constantly updated, new attributes are added, and obsolete
attributes are deleted on a regular basis.
● The Warehouse Consists of Denormalized Data
- A three-way join between tables in a large data warehouse may take an
unacceptably long time to complete and may be unnecessary.
- In the data warehouse model, the relationship among attributes does not
change.
➢ Extracting data from operational databases
- Data extraction involves collecting data from operational databases, flat files,
archives, and external sources, typically requiring operational databases to be
offline to prevent inconsistencies.
● Change data capture - A technique that can dramatically reduce the extraction
time by capturing only newly modified data.
● Extracting Snapshots versus Stabilized Data
- Transaction data stored in the operational database go through several
stages as economic events unfold.
➢ Stabilized Data
- A key feature of a data warehouse is that the data contained in it
are in a nonvolatile, stable state.
- Potentially important relationships between entities may, however,
be absent from data that are captured in this stable state.
➢ Extracting Snapshots
- One way to reflect these dynamics is to extract the operations data
in slices of time. These slices provide snapshots of business
activity.
➢ Cleansing extracted data
- Data cleansing involves filtering out or repairing invalid data prior to being stored
in the warehouse.
- Data cleansing also involves transforming data into standard business terms with
standard data values.
● Four important steps in the data cleansing process:
- Errors from Data Entry
- Standardization of Terms
- Different Naming Conventions
- Commercial Data Integration
● Figure 11-6, 11-7
➢ Transforming data into the warehouse model
- A data warehouse is composed of both detail and summary data.
- A data warehouse that contains the most frequently requested summary views of
data can reduce the amount of processing time during analysis.
➢ Loading the data into the data warehouse database
- Most organizations have found that data warehousing success requires that the
data warehouse be created and maintained separately from the operational
(transaction processing) databases.
- This point is developed further in the next sections.
● Internal Efficiency
- The structural and operational requirements of transaction processing and
data mining systems are fundamentally different.
➢ Transaction processing systems - need a data structure that supports
performance.
➢ Data mining systems - need data organized in a manner that permits
broad examination and the detection of underlying trends.
● Integration of Legacy Systems
- The continued influence of legacy systems is another reason that the data
warehouse needs to be independent of operations.
● Consolidation of Global Data
- The emergence of the global economy has brought about fundamental
changes in business organizational structure and has profoundly changed
the information requirements of business entities.
➢ DECISIONS SUPPORTED BY THE DATA WAREHOUSE
- Some decisions that a data warehouse supports are not fundamentally different
from those that traditional databases support.
● Drill-down capability
- It is a useful data analysis technique associated with data mining.
- It is an OLAP feature of data mining tools available to the user.
● Standard Report vs Drill-Down Report
- Standard reports and queries produced from summary views can answer
many what questions, but drill-down capability answers the why and how
questions.
● Figure 11-1
➢ SUPPORTING SUPPLY CHAIN DECISIONS FROM THE DATA WAREHOUSE
- The primary reason for data warehousing is to optimize business performance.
- Many organizations believe that more strategic benefit can be gained by sharing
data externally.
● Examples:
- Western Digital Corporation
- General Motors (GM) Supply Chain
- MIM Health Plans Inc.
➢ Risks Associated with ERP Implementation
- An ERP system is not a silver bullet that will, by its mere existence, solve an
organization’s problems.
● Two main approaches for implementing ERP: BIG BANG VERSUS
PHASED-IN IMPLEMENTATION
➢ Big Bang Approach
- This method is the more ambitious and risky of the two.
- Although this method has certain advantages, it has been
associated with numerous system failures.
➢ Phased-In Approach
- It is particularly suited to diversified organizations whose units do
not share common processes and data.
- Common processes and data, such as the general ledger function,
can be integrated across the organization without disrupting
operations throughout the firm.
➢ OPPOSITION TO CHANGES IN THE BUSINESS’S CULTURE
- To be successful, all functional areas of the organization need to be involved in
determining the culture of the firm and in defining the new system’s requirements.
- The technological culture must also be assessed.
➢ CHOOSING THE WRONG ERP
- A common reason for system failure is when the ERP does not support one or
more important business processes.
● Goodness of Fit
- Management needs to make sure that the ERP they choose is right for the
company.
- Finding a good functionality fit requires a software selection process that
resembles a funnel, which starts broad and systematically becomes more
focused.
➢ System Scalability Issues
- Scalability is the system’s ability to grow smoothly and economically as user
requirements increase.
- The term system in this context refers to the technology platform, application
software, network configuration, or database.
● Dimensions in terms of the ideal of linear scaling:
➢ Size
➢ Speed
➢ Workload
➢ Transaction Costs
Fifth Reporter - ACERDEN
Choosing the Wrong Consultant
- ERP system implementation involves consulting firms, costing $20 billion, and requires
expertise. Success relies on coordination, requirements specification, package selection,
and cutover management. Thus, prior to hiring an outside consultant, management ought
to:
- Interview proposed staff and draft a detailed contract.
- Establish written procedures for staff changes.
- Conduct reference checks of proposed staff.
- Negotiate a pay-for-performance scheme based on project milestones.
- Set a firm termination date to prevent interminable consulting arrangements and fees.
High Cost and Cost Overruns
- ERP systems' total cost of ownership (TCO) varies significantly, ranging from hundreds
of thousands to millions of dollars, including hardware, software, consulting services, and
initial upgrades. Some of the more commonly experienced problems occur in the
following areas.
Training Costs
- Higher than estimated due to management's focus on teaching employees new software
and procedures.
- Budgeting often overlooks these costs.
System Testing and Integration
- ERP is often used as a backbone system for organizations with legacy systems and other
bolt-on systems.
- Integration and testing are done on a case-by-case basis, making it difficult to estimate
costs in advance.
Database Conversion
- A new ERP system usually requires a new database.
- Data conversion involves transferring data from the legacy system's flat files to the
ERP's relational database.
- A high degree of testing and manual reconciliation is necessary for successful
conversion.
- Legacy data that is incompatible with new system processes may require manual data
entry procedures.
Develop Performance Measures
- ERP implementation costs often attract criticism, but managers can assess success by
understanding needs, establishing performance measures, and establishing an
independent value assessment group.
Disruptions to Operations
- ERP systems can cause significant performance issues for companies, with 25%
experiencing a drop in performance immediately after implementation. Major
organizations like Dow Chemical, Boeing, Dell Computer, Apple Computer, Whirlpool
Corporation, and Waste Management have experienced disruptions.
IMPLICATIONS FOR INTERNAL CONTROL AND AUDITING
Transaction Authorization
- ERP systems' integrated architecture can cause transaction authorization issues, such as
incorrect bill of materials configuration, necessitating the implementation of controls and
a comprehensive understanding of the system's configuration and business processes by
auditors.
Segregation of Duties
- ERP-based organizations streamline operations by integrating functions like order entry,
billing, and accounts payable, but require new security, audit, and control tools for
efficient role assignment.
Supervision
- ERP implementation can hinder management's understanding of business impact, and
supervisors require extensive knowledge to adapt. The employee-empowered ERP
philosophy should enhance efficiency, allowing supervisors more control.
Accounting Records
- ERP systems improve financial reporting by eliminating traditional batch controls and
audit trails. However, risks to accuracy exist due to close customer-supplier interfaces
and data importation from legacy systems.
Independent Verification
- ERP systems utilize OLTP, eliminating independent verification controls, improving
efficiency, and providing canned controls and performance reports. Internal auditors
require technical background and expertise in ERP technology.
Access Controls
- Access security is crucial in an ERP environment to maintain data confidentiality,
integrity, and availability. It prevents transaction errors, corruption, and financial
statement misrepresentations, while also protecting organizations from cybercriminals.
Traditional Access Control Models
- Modern ERP environments use role-based access control (RBAC) to efficiently manage
access privileges, replacing traditional trust-based models. This model effectively
manages new hires, promotions, transfers, and personnel terminations, ensuring
flexibility and efficiency.
Role-Based Access Control (RBAC)
- A role is a formal method for grouping users based on system resources, such as a Sales
Role for sales department personnel, assigning access permissions and allowing multiple
individuals to log in simultaneously. Creating a role involves defining the following role
attributes:
1. A stated set of business responsibilities to be performed within the role
2. The technical competencies needed to perform the role
3. The specific transactions (permissions) required to carry out the stated responsibilities
Internal Control Issues Related to ERP Roles
- Figure 11-8
The Creation of Unnecessary Roles
- RBAC prioritizes organizational needs, balancing ERP managers' discretion in creating
roles with judgment to prevent dysfunction and control risk, ensuring temporary
assignments are deleted when necessary.
The Rule of Least Access
- Access privileges (permissions) should be granted on a need-to-know basis only.
Nevertheless, ERP users tend to accumulate unneeded permissions over time. This is
often due to two problems:
1. Managers often overlook the importance of internal controls when assigning permissions,
which leaves them poorly placed to detect excessive permissions.
2. Managers are often better at assigning privileges than at removing them, so individuals may
retain unneeded access privileges from previous job assignments, leading to
segregation-of-duties violations.
- Figure 11-9
Monitor Role Creation and Permission-Granting Activities
- Role-based governance systems are utilized for ensuring compliance with internal control
objectives in ERP environments, despite the complexity of verifying role compliance
across all applications and users. Such systems can be used to:
● View the current and historical inventory of roles, permissions granted, and the
individuals assigned to roles.
● Identify unnecessary or inappropriate access entitlements and segregation-of-duties
violations.
● Verify that changes to roles and entitlements have been successfully implemented.
These systems can continually monitor for risk and issue alerts when violations are detected so
that remedial action can be taken. In addition, role-based governance can maintain an audit trail
to provide a record of violations and evidence of compliance.
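The kind of review described under "The Rule of Least Access" and "Monitor Role Creation and Permission-Granting Activities", as an added example that is not taken from the report, the textbook or any ERP product. Every role, permission, job and user name is hypothetical, the data is constructed, and the two conflict rules are an assumed policy.

```python
from datetime import date

# Constructed data standing in for an export of an ERP's role tables.
ROLE_PERMS = {
    "SalesRole":       {"enter_order", "check_credit"},
    "BillingRole":     {"create_invoice"},
    "APRole":          {"approve_vendor_invoice", "disburse_cash"},
    "VendorMaintRole": {"create_vendor"},
}

# Roles each job legitimately needs (the "need-to-know" baseline).
JOB_ROLES = {
    "sales_rep":     {"SalesRole"},
    "ap_clerk":      {"APRole"},
    "billing_clerk": {"BillingRole"},
}

CURRENT_JOB = {"alice": "sales_rep", "bob": "ap_clerk", "carol": "billing_clerk"}

# (user, role, expiry). expiry is None for a permanent assignment.
ASSIGNMENTS = [
    ("alice", "SalesRole", None),
    ("bob",   "APRole", None),
    ("bob",   "VendorMaintRole", None),          # kept from a previous job
    ("carol", "BillingRole", None),
    ("carol", "SalesRole", date(2024, 3, 31)),   # temporary cover, never removed
]

# Assumed policy: permission pairs one person must not hold together.
SOD_CONFLICTS = [
    ("create_vendor", "disburse_cash"),
    ("enter_order", "create_invoice"),
]

def effective_permissions(user, assignments=ASSIGNMENTS):
    """Union of permissions from every role still assigned to the user.

    Expired assignments are included on purpose: until someone deletes
    them, they still grant access.
    """
    perms = set()
    for who, role, _expiry in assignments:
        if who == user:
            perms |= ROLE_PERMS[role]
    return perms

def review(today, assignments=ASSIGNMENTS):
    """Return sorted (user, finding, detail) tuples for one review run."""
    findings = []
    for user, role, expiry in assignments:
        if expiry is not None:
            # Temporary assignment: only a problem once it has lapsed.
            if expiry < today:
                findings.append((user, "expired_assignment", role))
        elif role not in JOB_ROLES[CURRENT_JOB[user]]:
            # Permanent role that the current job does not call for.
            findings.append((user, "excess_role", role))
    for user in CURRENT_JOB:
        perms = effective_permissions(user, assignments)
        for a, b in SOD_CONFLICTS:
            if a in perms and b in perms:
                findings.append((user, "sod_violation", f"{a}+{b}"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review(date(2024, 6, 1)):
        print(finding)
```

Running the same review after each role change is how the "verify that changes have been implemented" step is checked: a cleaned-up assignment list yields no findings.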
Contingency Planning
- ERP implementation creates a single point of failure, putting organizations at risk from
equipment failure, sabotage, or natural disasters. To control this, organizations need a
contingency plan. Two approaches are: centralized organizations with integrated business
units using clusters of servers that share the workload, and autonomous organizations
installing regional servers.