The implementation of an ERP system (such as SAP, Oracle, JDEdwards, Axapta,…) involves changing to a highly integrated environment, which can be complex. It can also entail significant adjustments to existing processes and your organisation’s set-up. These changes therefore do not just impact the IT organisation and controls but also primary business processes and the organisation itself.
However, the reliability and continuity of (automated) processes and the provision of management information is not guaranteed by implementing ERP software alone. During the project, adequate attention should also be paid to the business benefits that the new system is to deliver and to developing and embedding control measures.
Most organisations focus only on ensuring that the required functionality will be implemented in the new environment. Failure to properly implement and maintain the controls increases the risk with regards to:
The implementation of an ERP system is also an opportunity to implement improved controls & security. Not just to address the type of risks mentioned above but also to improve efficiency of your business processes, quality of the information in your database, etc.
Implementation of control measures in your ERP environment
For every organisation, it is important to evaluate the risks run and to take measures to manage those risks. In implementing a new information system and the attendant processes, these risks and the existing control measures have to be reviewed. To ensure future management of business processes, it is important already to bear in mind the design and implementation of control measures at an early stage, because the system must function reliably immediately after commissioning.
The control measures within and surrounding ERP have to be designed in detail and attuned to the new environment. On the basis of your business objectives, we do an analysis of the risks in and around the ERP system and the business processes. This analysis forms the starting point for working with you to build an optimal mix of control measures to minimise the risks identified. We then implement the control measures as a component of the ERP software implementation project.
A number of control measures can be configured directly in the ERP software, whilst others have to be embedded into the administrative organisation surrounding the system. In addition to the control rules needing to be configured, logical access security constitutes one of the most important control measures in an ERP environment. In particular, one of the main concerns is to allocate rights that are commensurate with user functions within the organisation. In addition, we look into the control measures in relation to interfaces, data-migration and the IT control organisation needing to be set up.
To support the implementation of control measures, we have various internationally developed and maintained security analysis tools available for the main ERP packages, as well as our World Class Controls database, containing best-practice standards for (automated) control measures for each business process. Our security analysis tools comprise internally developed security software that inventories and simulates the complex structure of (desired) sensitive access and segregation of duties access rights. In addition to assessing these control measures, it is also possible to inventory and assess automated controls in an automated manner. With the aid of these tools, we are able to define and design control measures in a very efficient and effective manner.
Our systems and process assurance advisers have extensive experience in implementing and evaluating business & process control measures in an ERP environment and in supporting organisations in implementing ways to manages risk and improve efficiency. Besides having good knowledge of the ERP software, many of them are qualified as Registered Accountants and/or certified IT auditors.