Design and Implementation of Continuous Monitoring and Auditing in SAP Enterprise Resource Planning

• Author: Kishore Singh,Peter J. Best
• Published date: 01 November 2015
• DOI: http://doi.org/10.1111/ijau.12051
• Date: 01 November 2015

Design and Implementation of Continuous Monitoring and Auditing in SAP

Enterprise Resource Planning

Kishore Singh and Peter J. Best

Griffith Business School

The need for continuous monitoring (CM) is increasing. Collapses of multinational organizations have imposed

strict regulatory and legislative requirements on organizations.This study develops an automated system and uses

a large sample of accounts payable transaction data to simulate an implementation of continuous monitoring. The

value of the system lies in its ability to translate business rules into configurable controls that evaluatetransactions

against expected results. The study demonstrates an application of continuous monitoring and the use of

contextual meta-data to perform rich audit analyses. Several anomalies reported by the CM system were not

detected by the organization’s internal auditors when they conducted their examination of the same data using

conventional procedures. Such a system may potentially bring greater insights and transparency for continuous

monitoring, assurance and organizational performance.

Key words: Continuous monitoring, vendor fraud, financial data visualization, automation,SAP audit trail analysis

1. INTRODUCTION

Modern integrated enterprise resource planning (ERP)

systems record several thousands of transactions daily.

For large organizations this means monitoring hundreds

of thousands of transactions and investigating suspicious

ones in detail. The demand for continuous monitoring

(CM) is driven by global commerce and the evolution of

new technologies and processes (Vasarhelyi & Halper,

1991). The goal is to provide constant surveillance on a

real- or near real-time basis (Kuhn & Sutton, 2010),

providing a degree of assurance shortly after disclosure

(Rezaee et al., 2002).

Internal auditors depend on traditional audit tools to

support the audit process (AuditNet, 2012). These tools

automate standard audit processes and procedures (Kotb

& Roberts, 2011; Vasarhelyi et al., 2012) but have

limitations, for instance,information overload (Alles et al.,

2006; Kuhn & Sutton, 2006; Alles, Kogan & Vasarhelyi,

2008). Graphical visualization methods that reduce

excessive information are more likely to contribute to the

overall effectiveness of the audit process (Fetaji, 2011;

Gleicher et al., 2011).

This study develops a prototype continuous

monitoring system (CMS) and uses a large sample

of accounts payable data from a major international

manufacturing organization. The study is limited to

vendor fraud schemes involving shell companies and

non-accomplice vendors (ACFE, 2012). The objective is to

demonstrate: (i) the application of continuous monitoring

using the full population of transaction data, and (ii) the

use of contextual meta-data (information relating to

transactions) to enable rich audit analyses. A multi-view

graphical approach addresses the issue of information

overload. The CMS relies on recorded evidence from an

ERP system, therefore transactions that occur outside the

system cannot be investigated using this method (Lanza,

2007).

The paper is organized as follows. Section 2 provides a

review of the relevant literature upon which the work is

based and to which the results contribute. Sections 3 and

4 discuss the design and implementation of the CMS.

Section 5 discusses results of implementing the CMS in a

real-world organization. Section 6 discusses feedback

obtained from independent review of the CMS. Section 7

offers concluding remarks.

2. RELATED WORK

Continuous monitoring systems have been the subject of

research since the early 1990s (Vasarhelyi & Halper, 1991;

Kogan, Sudit & Vasarhelyi, 1999). Rezaee et al. (2002)

proposed a conceptual technical architecture for building

continuous auditing systems that combine the use of

audit data warehouses and audit datamarts together with

analyticaltools. They identified the potential implications

of continuous auditing and its likely impact on auditing.

Vasarhelyi et al. (2004) provideda series of hypotheses for

the implementation of continuous audit systems. They

positioned continuous assurance as a methodology for

the analytic monitoring of an organization’s business

processes that leverages automation and integration

enabled by information technologies, in general, and ERP

systems, in particular. Alles et al. (2006) presented a

pilot implementation of continuous monitoring of

business process controls as a proof of concept in a large

transnational company. Best, Rikhardsson and Toleman

(2009) proposed a conceptual model for continuous

fraud detection in ERP systems and demonstrated

its application using a case study of a real-world

organization.

Debreceny and Gray (2010) explored emerging

research issues relating to the application of statistical

data-mining to fraud detection in journal entries. They

established that there was a need for research on a variety

of interrelated areas in data-mining of journal entries.

They identified access to real-world data as the biggest

impediment to research in this area. Jans, Alles and

Vasarhelyi (2013) explored the use of process mining to

extract event logs maintained in an ERP system. They

examined the value added by process mining when

applied to the audit process. Jans, Alles and Vasarhelyi

(2014) conducted a field study in a large European bank

that focused on the procurement process. The study had

the advantage of using previously audited data. Several

Correspondence to: Kishore Singh, Department of Accounting, Finance

& Economics, Griffith Business School, 170 Kessels Road, Nathan QLD

4111, Australia. Email: kishore.singh@griffith.edu.au

International Journal of Auditing doi:10.1111/ijau.12051

Int. J. Audit. 19: 307–317 (2015)

© 2015 John Wiley & Sons Ltd ISSN 1090-6738