ERP security & controls

The implementation of an ERP system (such as SAP, Oracle, JD Edwards, Axapta, …) involves changing to a highly integrated environment, which can be complex. It can also entail significant adjustments to existing processes and your organisation’s set-up. These changes therefore do not just impact the IT organisation and controls but also primary business processes and the organisation itself.

However, the reliability and continuity of (automated) processes and the provision of management information is not guaranteed by implementing ERP software alone. During the project, adequate attention should also be paid to the business benefits that the new system is to deliver and to developing and embedding control measures.

Most organisations focus only on ensuring that the required functionality will be implemented in the new environment. Failure to properly implement and maintain the controls increases the risk with regard to:

  • the continuity and reliability of your ERP environment, which can result in operational problems as well as financial losses;
  • the reliability of financial and management information, making optimal steering of your business processes impossible;
  • the effectiveness and efficiency of your business processes, raising the costs of running your business;
  • unauthorised use of business resources by means of ERP-functionality access. This can result from a failure to respect the organisational segregation of duties;
  • statutory and regulatory compliance. Shortfalls could be incurred relative to statutory and regulatory requirements such as VAT, Sarbanes-Oxley and Tabaksblat type regulations.

The implementation of an ERP system is also an opportunity to implement improved controls and security, not just to address the types of risk mentioned above but also to improve the efficiency of your business processes, the quality of the information in your database, etc.

Implementation of control measures in your ERP environment
For every organisation, it is important to evaluate the risks it runs and to take measures to manage those risks. In implementing a new information system and the attendant processes, these risks and the existing control measures have to be reviewed. To ensure future management of business processes, it is important to consider the design and implementation of control measures at an early stage, because the system must function reliably immediately after commissioning.

The control measures within and surrounding ERP have to be designed in detail and attuned to the new environment. On the basis of your business objectives, we do an analysis of the risks in and around the ERP system and the business processes. This analysis forms the starting point for working with you to build an optimal mix of control measures to minimise the risks identified. We then implement the control measures as a component of the ERP software implementation project.

A number of control measures can be configured directly in the ERP software, whilst others have to be embedded into the administrative organisation surrounding the system. In addition to the control rules that need to be configured, logical access security constitutes one of the most important control measures in an ERP environment. In particular, one of the main concerns is to allocate rights that are commensurate with user functions within the organisation. In addition, we look into the control measures in relation to interfaces, data migration and the IT control organisation that needs to be set up.

To support the implementation of control measures, we have various internationally developed and maintained security analysis tools available for the main ERP packages, as well as our World Class Controls database, containing best-practice standards for (automated) control measures for each business process. Our security analysis tools comprise internally developed security software that inventories and simulates the complex structure of (desired) sensitive access and segregation of duties access rights. In addition to assessing these control measures, it is also possible to inventory and assess automated controls in an automated manner. With the aid of these tools, we are able to define and design control measures in a very efficient and effective manner.

What can you expect from PwC?

Our systems and process assurance advisers have extensive experience in implementing and evaluating business and process control measures in an ERP environment and in supporting organisations in implementing ways to manage risk and improve efficiency. Besides having good knowledge of the ERP software, many of them are qualified as Registered Accountants and/or certified IT auditors.

  • For both the evaluation and implementation of ERP business controls, we have to hand an extensive set of tools and knowledge databases. These include tools like PwC SAP ACE (Automated Controls Evaluator) for SAP, GATE for Oracle and SODA for JD Edwards, and the VAT reporting tool for all ERP environments. The VAT reporter offers the possibility of a fast analysis of your VAT flows and control of your VAT returns in relation to the vouched transactions in your ERP package.
  • PwC is also a preferred implementation partner, inter alia for VIRSA systems and Runbook software. These tools enable real-time monitoring of the operation of your logical access security and the monitoring controls to be carried out by users, and documentation of the evidence of correct control-deployment within your ERP system.