Integration = Efficiency
ERP systems have been around for a long time. And for a good reason. The out-of-the-box integrations within an ERP system allow companies to reach high levels of efficiency. Integration of the sales, planning, purchasing, production, delivery and accounts receivable processes is not only very effective in an integrated environment, it also diminishes the probability of human errors along the process. On top of that, an integrated system allows for all types of automated checks and balances, which makes the process more robust from an integrity perspective.
Despite waves of criticism and skepticism on the one hand, and popularity of Service Oriented Architectures and Best-of-Breed strategies on the other hand, ERP systems are still the main systems many companies rely on.
Integration = Risky
The integration and highly automated processes within an ERP system also have a downside. Human errors in critical data or tasks, whether unintentional or deliberate, can have a significant impact. Small changes to critical master data can have big consequences in terms of logistics, finance and eventually reputation. Because the processes are so highly integrated, the reliability of configuration and master data is of paramount importance.
Therefore, internal auditors should be aware of the critical areas within an ERP system. Preventive controls, such as controlled access to these application components, as well as detective or corrective controls should be in place, to safeguard the system and to prevent potential damage to the company.
Critical areas highlighted
In this article, some generally applicable critical areas are classified and explained. Internal auditors can map these critical areas to their own ERP system. Before diving into the critical areas, however, let's clarify the other term: sensitive. Data is sensitive if the information accessed is confidential. Although sensitive and critical are often used interchangeably, it makes sense to distinguish between the two: sensitive refers to confidential data, while critical refers to the potentially high impact if a function is misused.
Some Master Data Changes
Some changes to master data are critical because they alter data that is subsequently used in potentially high-volume processes. Examples are changes to work centers, credit limits, materials, price lists, etc. The effects of such changes are typically large, and even more so if the function used is a so-called 'mass change' that affects many tables at once.
Developer access to ERP systems (such as ABAP for SAP or Tools for Infor LN), through which application changes can be made, is another critical domain. The company would be wise to implement the so-called DTAP street (Development, Testing, Acceptance and Production) to control changes to the system. Developer access should only be allowed in Development environments, to prevent disruption of production instances. Examples of developer access are creating, modifying or deleting classes, function builders, data dictionary management, script and form editors, execution of operating system commands, etc.
Access to the database opens a backdoor to potentially all company data. Direct database access can be a very efficient way to apply changes, but it is very vulnerable because it can circumvent defined business rules, automatic controls and other form-related functions. It is also vulnerable because it can give access to sensitive data, as it potentially circumvents the standard permissions.
Application management covers a wide spectrum of different tasks.
- Tasks related to the permissions and roles. It is good business practice to implement a role change procedure with approval steps, and not allow application managers to change permissions on their own behalf.
- User and profile maintenance
- Authorization objects
- Setup of archiving
- The maintenance of instances and databases (companies).
- Client administration tasks
- Generic import and export functions
- Data browsers
- Locking of transactions
- System messages
- (Business) Rules maintenance (e.g. for monitoring of controls) or (de)activation
- (Approval) Processes
- Log files
All of the functions above (and the list could easily be extended) are entry points that can jeopardize the integrity and confidentiality of company data.
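As an added illustration of how an internal auditor could check the developer-access, database-access and application-management areas described above, the following script reviews a user/authorization export against a small critical-access matrix. This is example code, not from the original article or from any ERP vendor; the CSV layout and the authorization names (DEVELOPER_WORKBENCH, DB_DIRECT_ACCESS, etc.) are constructed, hypothetical stand-ins for whatever a real ERP export contains.

```python
"""Flag critical ERP authorizations in a user/role export (added example).

Assumes a hypothetical CSV export with columns user,environment,authorization;
real ERP exports differ in layout and authorization names.
"""
import csv
import io

# Constructed sample export with hypothetical authorization names.
SAMPLE_EXPORT = """user,environment,authorization
jdoe,PROD,SALES_ORDER_ENTRY
jdoe,PROD,DEVELOPER_WORKBENCH
asmith,DEV,DEVELOPER_WORKBENCH
asmith,PROD,DB_DIRECT_ACCESS
bwong,PROD,ROLE_MAINTENANCE
bwong,PROD,USER_MAINTENANCE
clee,PROD,MASS_CHANGE_CREDIT_LIMIT
"""

# Critical authorizations mapped to the categories discussed in the article.
CRITICAL = {
    "DEVELOPER_WORKBENCH": "developer access (only acceptable in DEV)",
    "DB_DIRECT_ACCESS": "direct database access bypasses business rules",
    "MASS_CHANGE_CREDIT_LIMIT": "mass change of critical master data",
    "ROLE_MAINTENANCE": "application management: roles/permissions",
    "USER_MAINTENANCE": "application management: users/profiles",
}
# Developer access is tolerated in the Development environment of the DTAP street only.
DEV_ONLY = {"DEVELOPER_WORKBENCH"}
# Holding both lets one person create a user and grant it rights without approval.
SOD_CONFLICTS = [({"ROLE_MAINTENANCE", "USER_MAINTENANCE"},
                  "role and user maintenance combined")]


def review_export(export_text):
    """Return a sorted list of (user, environment, finding) tuples."""
    per_user_env = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        key = (row["user"], row["environment"])
        per_user_env.setdefault(key, set()).add(row["authorization"])
    findings = []
    for (user, env), auths in per_user_env.items():
        for auth in sorted(auths):
            if auth in CRITICAL and not (auth in DEV_ONLY and env == "DEV"):
                findings.append((user, env, f"{auth}: {CRITICAL[auth]}"))
        for combo, label in SOD_CONFLICTS:
            if combo <= auths:
                findings.append((user, env, f"SoD conflict: {label}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, env, finding in review_export(SAMPLE_EXPORT):
        print(f"{user:8} {env:5} {finding}")
```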
Access to configuration tasks of the bookkeeping system is typically vulnerable because it can have a direct effect on revenues as well as on financial reporting. Especially for listed public companies, financial reporting is directly related to reputation and shareholder value. Therefore, under legislation such as Sarbanes-Oxley, these companies have an obligation to safeguard the processes that contribute to the financial statements. This comprises access to bank accounts, sequence numbers, closing of financial periods, allowing postings to previous periods, the general ledger, financial integration settings, accounts payable, etc.
Human Resources and Privacy
This domain is more related to the sensitivity of data than to the critical nature of transactions. Human resources data can contain highly sensitive private data, such as applicants' resumes, employment contracts, salaries, employee files, etc. Customer and contact data is also vulnerable, as this data is of interest to competitors.
Although the above categories are generally applicable, their relative weight can differ between companies and industries. And there can be other categories that apply to specific, highly regulated industries, such as food, aerospace and defense, automotive, etc. Specific regulations might forbid foreign employees from having access to Bill-of-Material data, for example. Therefore, a risk assessment is needed on a case-by-case basis to identify and prioritize the risks. A following blog post will explain how to execute such a risk assessment.