IEUGA Newsletter - Autumn 2009
Consultant's Corner by Paresh Shah
ERP Systems and Compliance Requirements
The ERP system is at the core of business processes in most public companies. As companies face regulatory and operational compliance requirements, ERP systems are subjected to increased scrutiny on a routine basis. Over the last 6 years, Sarbanes-Oxley 404 (SOX) compliance requirements have brought ERP systems to the forefront of compliance needs, as they are the core financial and manufacturing systems. Other compliance requirements, including ISO, FDA, HIPAA and PCI, impose similar control requirements upon specific data elements (financial records, patient health records, credit card data, etc.) within the systems. Though the various compliance initiatives focus on different risks, the underlying requirements for the ERP system all come down to mitigating risks to system functionality and data. Specific to the SOX 404 requirement, the key compliance areas for the ERP system are grouped into IT General Computing Controls, Segregation of Duties and Automated Business Controls.
IT General Computing (ITGC) Controls
As a critical system impacting business processes, it is important to control the IT processes underlying the ERP system. The key is to ensure that only managed and authorized changes to, and access to, the functionality and data are allowed. The IT General Computing controls are focused on the change management, access security and computer operations areas. At a high level, the change management process ensures that all changes to the systems go through a standardized process, whereby they are approved and tested by the appropriate business owners before they are deployed in the production environment. The access security process ensures that only authorized individuals have appropriate access to the systems and underlying data. It also ensures that each security layer (database, operating system, application, physical access to the servers, internal and external network layers) is appropriately controlled to prevent unauthorized access. The computer operations process ensures that backend jobs are monitored and controlled. It also ensures that backup and recovery procedures are in place so that the system can be recovered after a failed change or a disaster.
To achieve effective monitoring and auditing of the ERP system, with respect to IT General Computing Controls, it is necessary to extract the following from the system:
  • system log of changes (application, database, reports)
  • system log of access changes (end user, administrative – application and database)
  • system log of changes to key configurations
  • system reports for current access.
The majority of ERP systems struggle, without an add-on module or third party system, to be able to provide one or more of the details mentioned above. An alternative is to work closely with your IT team to write custom scripts and extract data for these items. As the complexity and volume of transactions grow within the ERP system, companies will be better served by leveraging third party monitoring systems or vendor compliance modules, rather than customized scripts.
Reporting is a key component of the system and needs to be controlled like any other functionality. Reports should be treated like other system programs and should be subjected to similar IT controls.
Segregation of Duties
It is imperative to ensure that individuals have appropriate access within the ERP system and that the access they have does not pose specific fraud risks to the company. As a best practice to minimize fraud potential, access within the ERP system is split across individuals to effectively segregate the various duties that need to be performed for any key transaction. For example, you would not want the same person to be able to create an invoice and generate payments, as that would create a fraud potential. Though most organizations define job responsibilities to avoid fraud conflicts, they also need to ensure that the access within their ERP system supports this segregation. ERP systems have traditionally been designed to be operationally friendly and, hence, the out-of-the-box default access roles generally do not satisfy the segregation requirements. The ideal way to achieve the segregation is to perform a risk assessment and identify the key risks within your major business processes. Once that is done, identify the key activities that need to be segregated based on the identified risks. With the list of key activities to be segregated and their associated risks, IT should define the underlying system functions that need to be segregated. As a best practice, IT should use these rules to define role-based security. Depending upon the ERP system, the complexity of this exercise can vary. For a system like Oracle, where you have thousands of functions, this can be an onerous task, while for Tier II systems like Expandable you can achieve it relatively easily. As part of the audit exercise, auditors will want to extract access-related data from the system and verify that none of the rules are being violated. If any rules are violated because of organizational limitations, you should consider mitigating the risk with other manual controls.
As a best practice, it is recommended to automate the audit of segregation of duties access within an ERP system. With automation, companies also are able to evaluate the conflicts on a periodic basis, rather than just once or twice a year.
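The automated segregation-of-duties check described above, as an added example that is not from the article or any ERP vendor: all role, function and user names are constructed, and the rules stand in for the output of the risk assessment. It implements the full procedure (rules over functions, roles evaluated against the rules, then users evaluated against their effective access) and also flags the common case where two individually clean roles conflict only in combination, along with the documented manual control where a violation has been accepted.

```python
# Constructed sample data (hypothetical role, function and user names).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"AP_INVOICE_ENTRY", "SUPPLIER_INQUIRY"},
    "AP_PAYMENT": {"AP_PAYMENT_RUN", "SUPPLIER_INQUIRY"},
    "SUPPLIER_MAINT": {"SUPPLIER_CREATE", "SUPPLIER_INQUIRY"},
    "AP_SUPER": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RUN"},  # conflict within one role
}
# SoD rules derived from the risk assessment: (rule id, function A, function B, risk).
SOD_RULES = [
    ("R1", "AP_INVOICE_ENTRY", "AP_PAYMENT_RUN", "enter an invoice and pay it"),
    ("R2", "SUPPLIER_CREATE", "AP_PAYMENT_RUN", "create a supplier and pay it"),
]
# Access extract from the ERP system: user -> assigned roles.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_PAYMENT"},  # each role is clean; the combination is not
    "carol": {"AP_SUPER"},
    "dave": {"SUPPLIER_MAINT", "AP_PAYMENT"},
}
# Documented manual controls mitigating an accepted violation: (user, rule) -> control.
MITIGATIONS = {("carol", "R1"): "monthly payment register review by the controller"}


def conflicting_roles(role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """Roles that violate a rule on their own; these should be redesigned."""
    return sorted(role for role, funcs in role_functions.items()
                  if any(fa in funcs and fb in funcs for _, fa, fb, _ in rules))


def effective_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Map each function the user can execute to the set of roles granting it."""
    granted = {}
    for role in user_roles.get(user, ()):
        for func in role_functions.get(role, ()):
            granted.setdefault(func, set()).add(role)
    return granted


def find_violations(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS, rules=SOD_RULES, mitigations=MITIGATIONS):
    """One record per (user, rule) where the user holds both conflicting functions."""
    findings = []
    for user in sorted(user_roles):
        granted = effective_functions(user, user_roles, role_functions)
        for rule_id, fa, fb, risk in rules:
            if fa in granted and fb in granted:
                findings.append({
                    "user": user, "rule": rule_id, "risk": risk,
                    "via_roles": sorted(granted[fa] | granted[fb]),
                    "cross_role": not (granted[fa] & granted[fb]),  # no single role grants both
                    "mitigation": mitigations.get((user, rule_id)),
                })
    return findings
```

Run on a periodic access extract, findings with no mitigation are the items to remediate, and the cross-role flag tells you whether a role needs redesign or only the assignment does.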
Automated Business Controls
ERP systems come with a large set of configuration options for various business processes that allow the organization to set appropriate automated controls within the processes and workflows. A sample automated control is “the ERP system prevents a duplicate invoice number from being entered for the same supplier”, which avoids duplicate payments for the same invoice. Generally, organizations do not effectively leverage the control levers built into the ERP system and rely largely on manual controls. Automated controls are more reliable than manual controls and less costly to manage and audit. At least annually, companies should review their key business processes and the associated manual controls in an effort to maximize the utilization of their ERP system features.
Continuous Monitoring
As companies face regulatory requirements throughout the year, the associated costs rise significantly. One way to manage the costs in the long run is to implement a continuous monitoring and auditing strategy around the systems. On a routine basis, companies should evaluate their set of controls with respect to the cost of executing and testing each control. The organization can then choose the top 20% of controls with the highest associated cost and evaluate strategies to automate those controls and implement continuous monitoring and auditing processes around them. Continuous monitoring at the transactional level is a way to automate auditing and to identify failures in the internal controls in near real time. The challenge with implementing continuous monitoring is the ability of the ERP system to support it without degrading performance. You can achieve continuous monitoring by implementing monitoring modules within the ERP system, using a third party monitoring system, or writing customized scripts at the database level. While large organizations look at using the monitoring capabilities of Governance, Risk and Compliance (GRC) modules within their ERP system, smaller companies should evaluate the ROI of developing customized scripts instead. Compliance requirements are here to stay and will get more demanding over time. One of the key ways to get ahead of the game is to generate business value out of your compliance efforts. Implementing controls automation and continuous monitoring of the controls within your ERP system is one of the ways to generate measurable business value from your compliance efforts.
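A transaction-level monitoring script for the duplicate-invoice control named under Automated Business Controls, as an added example that is not from the article or any ERP product. The invoice rows are constructed; the point it adds is that an exact-match system control misses an invoice re-keyed with different punctuation or leading zeros, so the monitoring check normalizes the invoice number before grouping, and the two passes are shown side by side.

```python
import re
from collections import defaultdict

# Constructed sample AP extract (hypothetical suppliers and invoices): one row per posting.
INVOICES = [
    {"id": 1001, "supplier": "S100", "invoice_no": "INV-0042", "amount": 500.00},
    {"id": 1002, "supplier": "S100", "invoice_no": "inv 42", "amount": 500.00},   # same invoice, re-keyed
    {"id": 1003, "supplier": "S200", "invoice_no": "INV-0042", "amount": 500.00}, # other supplier: fine
    {"id": 1004, "supplier": "S100", "invoice_no": "INV-0043", "amount": 75.00},
    {"id": 1005, "supplier": "S300", "invoice_no": "A-7", "amount": 10.00},
    {"id": 1006, "supplier": "S300", "invoice_no": "A-7", "amount": 10.00},       # exact duplicate
]


def normalize_invoice_no(raw):
    """Canonical form so that 'INV-0042', 'inv 42' and 'INV0042' compare equal."""
    s = re.sub(r"[^A-Z0-9]", "", raw.upper())            # drop punctuation and spaces
    return re.sub(r"(?<=\D)0+(?=\d)|^0+(?=\d)", "", s)    # strip leading zeros of a numeric run


def find_duplicates(invoices=INVOICES, key=normalize_invoice_no):
    """Group postings by (supplier, key(invoice_no)); return groups with more than one id.

    key=normalize_invoice_no is the monitoring check; key=lambda s: s reproduces what an
    exact-match system control would flag, for comparison.
    """
    groups = defaultdict(list)
    for inv in invoices:
        groups[(inv["supplier"], key(inv["invoice_no"]))].append(inv["id"])
    return {k: ids for k, ids in groups.items() if len(ids) > 1}


if __name__ == "__main__":
    print("exact-match control flags:", find_duplicates(key=lambda s: s))
    print("normalized monitoring flags:", find_duplicates())
```

Scheduled against a daily extract of posted invoices, the difference between the two result sets is the set of duplicates the automated control alone would have let through.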
About the author
Paresh Shah is a Vice President in Accretive Solutions’ Business and Technology practice and is responsible for managing the ERP and the IT Compliance groups in the Northern California region. Paresh has a strong technical and comprehensive industry background in providing IT strategy, IT audit and business consulting services to Healthcare, Software, Semiconductor, Clean Tech and Financial Services organizations. In the last 4 years at Accretive Solutions, Paresh has supported over 50 engagements for IT compliance efforts. Paresh also has a strong IT strategy background and assists clients with developing an Enterprise Systems Roadmap, Disaster Recovery Planning, IT organization evaluations, developing and evaluating PMOs, and other IT strategic services. Accretive Solutions is a national consulting and executive search firm that delivers business solutions to help companies manage and improve their financial, operational and IT performance. Accretive Solutions has consultants with in-depth business process experience and systems experience with ERP vendors like Oracle, SAP, PeopleSoft, JDE, Microsoft Dynamics Great Plains, Microsoft Dynamics Solomon, Expandable and NetSuite. Paresh can be reached at:

Paresh Shah
800 W El Camino Real, Suite 320
Mountain View, CA 94040
pshah@accretivesolutions.com