Minimizing fraud exposure with effective ERP segregation of duties controls
Segregation of duties control risks can result in more investment following ERP implementation
WHITE PAPER
Fraud is a major concern within every organization, as control environments often fail to keep up with emerging threats. The strongest reviews and reconciliations simply cannot completely eliminate fraud, and significant exposures can occur at any company, regardless of size. With major enterprise resource planning (ERP) systems increasing functionality and complexity, companies must pay more attention to the design and monitoring of automated controls.
In particular, organizations must explore risks related to segregation of duties (SOD) controls that can enable fraudulent behavior. SOD vulnerabilities often occur due to a lack of awareness or concern during ERP design and implementation, as well as ineffective governance processes. Security and controls are frequently an afterthought during ERP implementation, and many implementation teams lack the right amount of experience with risk and controls.
Discovering a vulnerability or incident after implementation often requires the retrofit of a control framework into the system. This can result in the loss of key institutional knowledge, and more effort and investment than if appropriate controls were included in the initial design. However, companies can recover from an ineffective implementation by implementing proper automated controls and focusing on monitoring.
Effective ERP SOD control is an ongoing process, requiring continuous maintenance and improvement. Companies should undergo a comprehensive risk assessment to understand threats and to customize and validate existing rule sets. In addition, CCM/GRC tools can enhance SOD controls and fraud mitigation efforts, but strong governance processes are key: processes and data are more important than the tool itself.