The implementation period is the perfect time to start securing your ERP system against compliance risks. Examples of these risks are:
- unnecessary access to specific parts of the ERP system,
- undesired or not allowed combinations of role access (separation of duties), and
- unauthorized access to sensitive data.
Designing the access (authorization) model should be managed as an integral part of the implementation project. The model can be built from scratch or based on roles already pre-defined in the ERP system or provided by the implementer. Starting from pre-defined roles is more efficient, since defining custom roles is a complex and time-consuming process; the trade-off is that pre-defined roles are generic and may grant more than a given position needs, so they still have to be reviewed before they are assigned.
The review of the authorizations in the pre-defined roles can be performed by the internal auditor or by the person assigned responsibility for Risk Management and/or Compliance. The assessment comprises a review of the ERP application accesses (such as sessions, forms and tables) per pre-defined role, against a set of controls or rules that defines which accesses conflict with each other. Each role should be validated to confirm that it does not, on its own, contain a conflicting combination of accesses.
The second step is to identify which ERP sessions give access to sensitive data, such as Bills-of-Material and employee data. The list of sensitive ERP accesses is cross-checked against each role to determine whether access to that data is actually required for the role. Where it is, many ERP systems allow the access to be restricted, for example to read-only.
The last test on the role definitions is to check the combined authorizations per employee (who can fulfill more than one role) for violations of segregation of duties: roles that are clean individually can still conflict when assigned together to one person. Undesired combinations should be filtered out, and for each combination it is determined whether the access can be removed, restricted (e.g. to read-only) or mitigated by internal controls such as an independent review of the affected transactions.
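The three checks above (conflicting accesses inside a single role, sensitive-data exposure per role, and segregation-of-duties conflicts across the roles held by one employee) can be run mechanically once the role definitions and the rule set are exported from the ERP system. The following is an added example, not code from the original page or from any ERP vendor; the session codes, rule IDs, roles and employees are constructed sample data, and the access model (a session plus a "read" or "full" mode, with only "full" access counting towards a conflict) is an assumption chosen to show how a read-only restriction removes a conflict.

```python
# Added example: a minimal segregation-of-duties (SoD) checker over an exported
# ERP authorization model. All identifiers below are constructed sample data.

# An access is a (session, mode) pair; mode is "read" or "full" (change access).
ROLES = {
    "AP_CLERK":    {("VENDOR_MASTER", "full"), ("AP_INVOICE", "full")},
    "AP_APPROVER": {("AP_INVOICE", "read"), ("AP_PAYMENT", "full")},
    "AP_SUPER":    {("AP_INVOICE", "full"), ("AP_PAYMENT", "full")},   # badly cut pre-defined role
    "AUDITOR":     {("AP_INVOICE", "read"), ("VENDOR_MASTER", "read")},
    "HR_VIEWER":   {("EMPLOYEE_DATA", "read")},
    "ENGINEER":    {("BOM", "full")},
}

# SoD rules: pairs of sessions that one person must not have change access to at the same time.
SOD_RULES = {
    "R01": ("VENDOR_MASTER", "AP_PAYMENT"),  # create a vendor and pay it
    "R02": ("AP_INVOICE", "AP_PAYMENT"),     # enter an invoice and pay it
}

# Sessions that expose sensitive data (step 2 of the review).
SENSITIVE_SESSIONS = {"BOM", "EMPLOYEE_DATA"}

# Employee -> list of assigned roles (constructed).
EMPLOYEES = {
    "alice": ["AP_CLERK"],
    "bob":   ["AP_CLERK", "AP_APPROVER"],    # clean roles, conflicting combination
    "carol": ["HR_VIEWER", "ENGINEER"],
    "dave":  ["AP_SUPER"],                    # conflict inside one role
    "erin":  ["AP_APPROVER", "AUDITOR"],      # read-only access does not conflict
}


def full_access_sessions(accesses):
    """Sessions for which the given access set grants change ("full") access."""
    return {session for session, mode in accesses if mode == "full"}


def role_conflicts(roles=ROLES, rules=SOD_RULES):
    """Step 1: roles that on their own contain both sides of a SoD rule with change access."""
    result = {}
    for role, accesses in roles.items():
        full = full_access_sessions(accesses)
        hits = [rule_id for rule_id, (a, b) in rules.items() if a in full and b in full]
        if hits:
            result[role] = hits
    return result


def sensitive_access(roles=ROLES, sensitive=SENSITIVE_SESSIONS):
    """Step 2: roles that touch sensitive sessions, with the mode granted, for the 'is it needed?' review."""
    return {
        role: sorted((s, m) for s, m in accesses if s in sensitive)
        for role, accesses in roles.items()
        if any(s in sensitive for s, _ in accesses)
    }


def employee_violations(employees=EMPLOYEES, roles=ROLES, rules=SOD_RULES):
    """Step 3: SoD rules violated by the union of an employee's roles, with the roles responsible."""
    result = {}
    for employee, assigned in employees.items():
        granted = {}  # session -> roles granting change access to it
        for role in assigned:
            for session in full_access_sessions(roles[role]):
                granted.setdefault(session, set()).add(role)
        hits = []
        for rule_id, (a, b) in rules.items():
            if a in granted and b in granted:
                hits.append((rule_id, sorted(granted[a] | granted[b])))
        if hits:
            result[employee] = hits
    return result


if __name__ == "__main__":
    print("roles with internal conflicts:", role_conflicts())
    print("roles with sensitive access:", sensitive_access())
    print("employees violating SoD:", employee_violations())
```

Running the block reports AP_SUPER as a role that must be fixed before it is assigned to anyone, lists HR_VIEWER and ENGINEER for the sensitive-data review, and flags bob (two individually clean roles that together allow creating a vendor, entering its invoice and paying it) and dave, while erin passes because the auditor role only has read access. The per-employee report names the roles involved, which is exactly the input needed for the final decision per combination: remove a role, downgrade one access to read-only, or accept the combination with a documented mitigating control.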