Deploying one or more ERP systems, whether from SAP, Oracle, Infor, Microsoft or any other provider, is a challenge. Implementation teams work hard to reach the go-live date, and security and compliance safeguards are often sacrificed to avoid delaying the project. At go-live, management's main concern is whether the production line or services will be interrupted. Controllers or internal auditors may raise compliance and security concerns, but these are rarely strong enough to influence the project timeline.
It is not uncommon that at go-live, ERP users have too much access in the ERP system, exposing the company to risks such as fraud. Although there may have been an intention to clean up the granted access after go-live, in practice the granted access typically only expands, driven by changes in functions and in employee roles. The external auditor will ask the company to provide evidence of a properly defined and maintained ERP access policy, ensuring that employees have the appropriate access and that this access does not result in segregation of duties conflicts. Often, external auditors only take samples to validate the required segregation of duties.
Many companies are inclined to invest in compliance and security only after serious external pressure: from external auditors, from externally enforced regulations in specific industries (health care, aerospace and defense) or, worse, from a fraud that has reached the newspaper headlines.
It is therefore crucial that compliance is an integral part of the implementation plan and methodology, so that this issue is addressed by go-live. Addressing compliance after go-live will result in significant implementation rework and additional costs.