Evaluating IT General Controls for an ERP System Integration

Implementing an Enterprise Resource Planning (ERP) system is a complex endeavor with far-reaching implications for a company’s operations. Throughout implementation and beyond, the company needs to verify that robust controls are in place to maintain financial and operational integrity, safeguard data, and ensure compliance.

When implementing a new ERP system, a comprehensive review of controls should be completed. This review should cover three primary areas: business process controls, application controls, and Information Technology (IT) general controls. The evaluation of business process controls should identify process changes resulting from the implementation that may require additional controls or modifications to existing ones, and should assess whether current controls remain relevant to the updated process. With the implementation of a new ERP system, the application controls built into the system should be evaluated, as automated controls may offer greater safeguards for the organization while also increasing efficiency within the process. IT general controls should also be evaluated to verify that the implementation of the ERP system follows established change management controls and that additional controls, such as data security and system access, are applied to the new system during implementation and beyond.

This article will focus on the evaluation of IT general controls. Business process controls and application controls will be addressed in future articles.

When looking specifically at IT general controls, the following topics should be considered as a part of the ERP implementation. Not every implementation will require all of the following actions to be taken; however, each of these areas should be evaluated prior to implementation to determine which are applicable to the environment.

Access Controls:

  • User Roles and Permissions: Define user roles and assign appropriate permissions to restrict access to sensitive data and functionality within the ERP system
  • Segregation of Duties: Verify that no single user has too much control or access over critical processes
    • Business users should have proper segregation of duties to prevent fraud and errors (e.g. authorization and approval; custody of assets; recording transactions; reconciliation and control activities)
    • IT users should have proper segregation of duties to prevent unauthorized or inappropriate changes as well as inappropriate access to the system
  • System Authentication: Provide each user with unique credentials in order to securely authenticate to the system

Change Management:

  • Change Approval Workflow: Require approvals and documentation for any changes made to system configurations or data
  • Data Conversion Testing: Conduct testing to verify that data transfers from legacy systems are complete and accurate
  • User Acceptance Testing: Verify that all system functionality and data is performing as expected during user acceptance
  • System Interface Testing: Conduct testing to verify that data transmissions interfacing with other systems are complete, accurate and valid

Data Security:

  • Data Encryption: Use encryption to protect data in transit and at rest to prevent unauthorized access
  • Data Backup and Recovery: Implement regular data backups and a disaster recovery plan to verify data availability in case of system failures
  • User Access Review: Review and approve user access prior to go-live to confirm that roles are appropriate for business needs and that duties are properly segregated
  • Final Approval: Approval to move to production is granted by key business and IT stakeholders
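The segregation-of-duties check described under Access Controls, and the pre-go-live User Access Review above, can be exercised against the user-to-role assignment table before production approval. The following is an added example, not code from the article; the role names, the function labels and the sample assignments are assumptions constructed for illustration, and the four functions mirror the article's list (authorization and approval, custody of assets, recording transactions, reconciliation and control activities).

```python
# Added example: a segregation-of-duties (SoD) check over a constructed
# user-to-role assignment extract. Role and function names are assumptions.
from itertools import combinations

# Each ERP role grants one or more control functions (constructed mapping).
ROLE_FUNCTIONS = {
    "AP_CLERK":       {"record"},
    "AP_MANAGER":     {"authorize"},
    "TREASURY_PAYER": {"custody"},
    "GL_RECONCILER":  {"reconcile"},
    "AP_SUPER_USER":  {"record", "authorize"},  # conflicted by design
}

# Pairs of functions a single person should not hold together.
SOD_CONFLICTS = {
    frozenset({"authorize", "record"}),
    frozenset({"authorize", "custody"}),
    frozenset({"record", "custody"}),
    frozenset({"record", "reconcile"}),
    frozenset({"custody", "reconcile"}),
}

def user_functions(roles):
    """Union of the control functions granted by a user's roles."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs

def sod_violations(assignments):
    """Map each user whose combined roles span a conflicting pair of
    functions to the sorted list of conflicting (function, function) pairs."""
    findings = {}
    for user, roles in assignments.items():
        funcs = sorted(user_functions(roles))
        hits = [pair for pair in combinations(funcs, 2)
                if frozenset(pair) in SOD_CONFLICTS]
        if hits:
            findings[user] = hits
    return findings

# Constructed sample extract of the user-role assignment table.
SAMPLE_ASSIGNMENTS = {
    "alice": ["AP_CLERK"],
    "bob":   ["AP_MANAGER", "TREASURY_PAYER"],  # approves and pays
    "carol": ["GL_RECONCILER"],
    "dave":  ["AP_SUPER_USER"],                 # conflicted via one role
}

if __name__ == "__main__":
    for user, hits in sod_violations(SAMPLE_ASSIGNMENTS).items():
        print(f"{user}: {hits}")
```

Any user returned by `sod_violations` needs either a role change or a documented compensating control before the Final Approval to move to production.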

Logging and Monitoring:

  • Activity Logging: Management should evaluate logging capabilities and determine which logs should be turned on prior to go live and which logs should be utilized after implementation is complete. The principle of risk assessment and regulatory compliance should be applied to select and prioritize user activities to be logged within the ERP system. This helps to create an audit trail for monitoring and investigation
  • Change Logs: Maintain detailed logs of changes to the ERP system for auditing and tracking purposes
  • Review and Analysis: Regularly review audit logs to detect unusual or unauthorized activities
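The Change Approval Workflow above and the Change Logs and Review and Analysis items here come together in a periodic review that reconciles logged changes against the approved change tickets. The following is an added example, not code from the article; the log format, its field names, the approved-change export and the change window are assumptions constructed for illustration.

```python
# Added example: first-pass review of constructed ERP change-log entries against
# an approved-change list. Log format, fields and tickets are assumptions.
import csv
import io
from datetime import datetime, timezone

# Constructed sample of an ERP change log: timestamp, user, event, object, ticket.
SAMPLE_LOG = """\
ts,user,event,object,ticket
2024-03-04T09:15:22Z,jsmith,CONFIG_CHANGE,PAYMENT_TERMS,CHG-1042
2024-03-04T23:41:03Z,jsmith,CONFIG_CHANGE,VENDOR_BANK_ACCOUNT,
2024-03-05T10:02:45Z,svc_batch,CONFIG_CHANGE,APPROVAL_LIMITS,CHG-1042
2024-03-05T11:30:00Z,mlee,MASTER_DATA_CHANGE,VENDOR_BANK_ACCOUNT,CHG-1050
2024-03-06T14:12:09Z,mlee,CONFIG_CHANGE,GL_POSTING_PERIOD,CHG-9999
"""

# Approved tickets and the users authorized to execute each, as exported from
# the change-approval workflow (constructed).
APPROVED_CHANGES = {"CHG-1042": {"jsmith"}, "CHG-1050": {"mlee"}}
CHANGE_WINDOW_UTC = (8, 18)  # changes are expected between 08:00 and 18:00 UTC

def review_change_log(log_text, approved=APPROVED_CHANGES):
    """Return (line_no, user, object, reason) findings for log entries that
    lack a ticket, cite an unapproved ticket, were executed by someone not
    authorized for that ticket, or fall outside the change window."""
    findings = []
    for n, row in enumerate(csv.DictReader(io.StringIO(log_text)), start=2):
        ticket = row["ticket"].strip()
        ts = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        who, obj = row["user"], row["object"]
        if not ticket:
            findings.append((n, who, obj, "no change ticket"))
        elif ticket not in approved:
            findings.append((n, who, obj, "ticket not approved"))
        elif who not in approved[ticket]:
            findings.append((n, who, obj, "user not authorized for ticket"))
        if not CHANGE_WINDOW_UTC[0] <= ts.hour < CHANGE_WINDOW_UTC[1]:
            findings.append((n, who, obj, "outside change window"))
    return findings

if __name__ == "__main__":
    for finding in review_change_log(SAMPLE_LOG):
        print(finding)
```

Each finding is a lead for follow-up with the change owner; a compliant entry such as the first sample line produces no finding at all.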

Data Validation and Accuracy:

  • Data Validation Rules: Implement data validation rules to confirm that data entered into the system is accurate and meets predefined criteria

Compliance:

  • Regulatory Compliance: Verify that the ERP system and related processes comply with industry regulations and legal requirements
  • Internal Policy Compliance: Verify that the ERP system aligns with the organization’s internal policies and procedures

Testing of the above controls may be achieved through multiple different methods. Process walkthroughs may be utilized to understand the control environment and the design effectiveness of controls. Inspection of a selection of transactions may be used to evidence control execution and operating effectiveness. A review of implementation documentation or interviews of key personnel involved in the implementation may provide deeper understanding of the implementation project and the steps taken to ensure accuracy.

A thorough evaluation of IT general controls, tailored to the unique needs of the organization, is key to unlocking the ERP system’s full potential upon implementation. Designing IT controls while implementing an ERP system is not just a prudent measure; it is a critical aspect of ensuring the success and sustainability of the entire process. By carefully defining and implementing controls, organizations can mitigate risks, streamline operations, and maintain data integrity.