Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presented by: Michele Foster

Published byHillary Potter Modified over 6 years ago

Similar presentations

Presentation on theme: "Presented by: Michele Foster"— Presentation transcript:

1 Presented by: Michele Foster
Surviving an Ax audit Presented by: Michele Foster

2 Brief INTRO Michele Foster, G&A Applications Manager, IT
AX System Administrator AXUG Board of Advisors member External / Internal audit POC for 8 years (2 companies) Audited by 2 of the big 4 audit firms Depomed, Inc. – Specialty Pharma co Highly Regulated Publicly Traded AX 2012, R2 platform

3 Discussion Disclaimer
Comments are based on annual SOX audit for Depomed Your Company’s audit varies by: External auditing team used Business complexity and identified control matrix Audit observations cover Depomed experiences with: IT Finance

4 Recent changes in audit world
Recent increases in: PCAOB requirements Auditor’s understanding of AX Audit requirements New expectations around: Documentation User understanding System changes PCAOB = Public Company Accounting Oversight Board (the auditor’s auditor)

5 Ways DEPOMED ensures a successful audit (IT)
Providing complete code change list w/ approvals Providing user access change list w/ approvals Having clearly-defined change management policies Performing periodic, signed review of application controls and changes Having thorough understanding of AX functionality Providing answers only to questions asked (no filler comments) Periodicity of review depends on risk determined by company size, complexity, turnover, etc.

6 IT – Side of audit

7 Ways Depomed ensures a successful audit (finance)
Prep for walkthroughs prior to audit visit Performance of periodic, signed access reviews to in-scope applications Reviews of control narratives Do the controls reflect business reality? Are there any known control failures? Providing documented validation of Key Control reports Demonstrating thorough understanding of AX transactions Providing answers only to questions asked Walkthrough prep by employees with key responsibilities Periodicity of reviews again depends on growth of company, number of users with high-risk access (Finance)

8 Complete code change list options
System-Driven list Database Trace Log Element Log or other exportable log Project List (AOT) Change Control Log (external to system) Other ticketing system change list Show Database Trace Log & Project List

9 User access controls System-driven list of changes Change approvals
Audit bolt-on used by Depomed Change approvals SOD Rules Workflows for high-risk transactions Security Groups to restrict approvals Show sample change document Database trace log (DAT) Company ASM tool report SOD Table

10 Clearly-defined change policies (IT)
Periodic change policy review Consistent change documentation Signatures / Dates consistent with changes Proof of Testing (QA and UAT where required) Show Sample change request template

11 Periodic review of application controls (IT)
Controls are Different for each business Defined by business Controls (systematic or manual) ensure low-risk system use Manual controls = very curious auditors System controls = happy auditors Show system controls

12 Finance – Side of audit

13 Key reports testing (Finance)
High-level and/or detailed snapshots of business operations Used as a basis for management decisions AX Key Report types Canned / Standard (audited every 3 years) Custom (audited annually) Extracted spreadsheets (audited annually) Testing must prove Accuracy against system data Completeness against system data That changes to report are validated and approved Show sample of custom report Show change date in AOT that is reviewed by auditors

14 User (POC) system understanding (It & finance)
Walk-through contacts Describe business process and related controls in AX Walk through any major changes to system code, reports or configuration Provide documentation Transaction testing users (Finance) Describe their function and use of AX Perform observed transactional tests Application testing users (IT) Describe changes to the application Perform observed application tests Given example of when user understanding went wrong Show typical application control test Show typical transactional test

15 QUESTIONS?

16 Contact info Michele Foster

Download ppt "Presented by: Michele Foster"

Similar presentations

HR SERVICE REQUEST SYSTEM Department Demonstrations February 2012.

HR SERVICE REQUEST SYSTEM Department Demonstrations February 2012.
© Craig McDonald 2005 UC Ethics and Systems Quality Craig McDonald School of Information Sciences and Engineering University of Canberra

© Craig McDonald 2005 UC Ethics and Systems Quality Craig McDonald School of Information Sciences and Engineering University of Canberra
Sarbanes-Oxley Act. 2 What Is It? Act passed by Congress in response to the recent and continuing corporate scandals. Signed into law July 30, 2002. Established.

Sarbanes-Oxley Act. 2 What Is It? Act passed by Congress in response to the recent and continuing corporate scandals. Signed into law July 30, Established.
Justin Walsh FOCI Program Manager Industrial Security Field Operations.

Justin Walsh FOCI Program Manager Industrial Security Field Operations.
OMB Circular A-123 – Management’s Responsibility for Internal Control Policy Applicability Sources of Information Assessment, Documentation and Reporting.

OMB Circular A-123 – Management’s Responsibility for Internal Control Policy Applicability Sources of Information Assessment, Documentation and Reporting.
The TRUTH About SOX, Auditors & Oracle Applimation is the leading provider of Application Lifecycle Management solutions.

The TRUTH About SOX, Auditors & Oracle Applimation is the leading provider of Application Lifecycle Management solutions.
What to Expect if you are Audited Susan Fleener, 10/18/06.

What to Expect if you are Audited Susan Fleener, 10/18/06.
Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.

Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.
Chapter 4 IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESSES.

Chapter 4 IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESSES.
External Quality Assessments

External Quality Assessments
Complete Weekly Timesheets Select work. Add hours and comments Tell Mgr if ETC=0 and need more time. Tell Mgr if using someone else’s ETC. End week, change.

Complete Weekly Timesheets Select work. Add hours and comments Tell Mgr if ETC=0 and need more time. Tell Mgr if using someone else’s ETC. End week, change.
Network security policy: best practices

Network security policy: best practices
Best Practices for User Access Controls and Segregation of Duties Presented by: Jeffrey T. Hare, CPA CISA CIA ERP Seminars.

Best Practices for User Access Controls and Segregation of Duties Presented by: Jeffrey T. Hare, CPA CISA CIA ERP Seminars.
SAS 70 (Statement on Auditing Standards No. 70) Kelley Piner Charles Roberts Ashley Walker.

SAS 70 (Statement on Auditing Standards No. 70) Kelley Piner Charles Roberts Ashley Walker.
Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,

Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,
For Sage MIP Fund Accounting

For Sage MIP Fund Accounting
Chapter 7 Database Auditing Models

Chapter 7 Database Auditing Models
TCEQ Auditor Criteria and Third Party Audit Protocol EMS Stakeholder Meeting April 23, 2003.

TCEQ Auditor Criteria and Third Party Audit Protocol EMS Stakeholder Meeting April 23, 2003.
Overview of Financial Statement Analysis

Overview of Financial Statement Analysis
Full Process: From Application to Finalization

Full Process: From Application to Finalization

Similar presentations

Ads by Google