[Video] Best Practice Tips For Audit Reporting In ERP Systems
Raise your hand if you’re looking forward to your next audit. Anybody? An audit can be a very stressful experience. Even if YOU feel reasonably confident about the process, your team might not and end up spending a lot of time scrambling to find evidence that either doesn’t exist or is difficult to retrieve. One key element to a successful and (relatively) lower-stress auditing experience is the quality of the audit reports you provide.
In this edition of the Appsian Insights video series, we’re going to review the importance of audit reports, the goals of each report, and a few examples of reports to use in your audit.
Three Critical ERP Audit Reporting Considerations
1. The Audience and Content of the Reports
When creating ERP audit reports, it is essential to consider who will be reading your report, for example, managers or system administrators, and the level of detail required by that audience. For example, management may require summary reports, while system administrators may require more detailed information to assist with remediation. Aim to provide the level of detail that aligns with the audience’s use of the reports, and terms or abbreviations should coincide with the audience’s level of knowledge.
2. The Goal of the Reports
The main goal of any audit report is to illustrate where the organization conforms to a standard rule, regulation, or objective that it’s required to. The report should demonstrate which evidence you use to confirm that the organization is complying. The report must contain enough information so that if a deviation from the standard is found, the receivers of the audit report can utilize it to promote change within the process.
3. Define Which Reports You Will Use
Four reports that we deem critical include:
- A summary report. A segregation of duties scan should be a summary report indicating yes and no to each rule statement. It should show if there are violations that exist on your system. It is a quick look at where you stand each week, month, or quarter.
- A detailed rule report. These are the details of what segregation of duties rules you are checking for and how they are constructed.
- Detailed violation report. This report should show the details of how a user violates a segregation of duties rule. This report will provide the details for proper and efficient remediation.
- A mitigation report. This report will list users known to be in violation but have documented exceptions that should be reported to your auditor.
Designing audit reports and ensuring they meet both the audience and compliance requirements is critical to the success of your next audit. Accuracy, alignment to associated processes, and documentation will all demonstrate the effectiveness of your information technology general computing controls.
The experts at Pathlock understand that creating and obtaining audit reports can be daunting. Contact us today, and we’ll be happy to discuss your specific challenges.