
Minimizing fraud exposure with effective ERP segregation of duties controls

Segregation of duties control risks can result in more investment following ERP implementation



Fraud is a major concern within every organization, as control environments often fail to keep up with emerging threats. The strongest reviews and reconciliations simply cannot completely eliminate fraud, and significant exposures can occur at any company, regardless of size. With major enterprise resource planning (ERP) systems increasing functionality and complexity, companies must pay more attention to the design and monitoring of automated controls.

In particular, organizations must explore risks related to segregation of duties (SOD) controls that can enable fraudulent behavior. SOD vulnerabilities often occur due to a lack of awareness or concern during ERP design and implementation, as well as ineffective governance processes. Security and controls are frequently an afterthought during ERP implementation, and many implementation teams lack the right amount of experience with risk and controls.

Discovering a vulnerability or incident after implementation often requires retrofitting a control framework into the system. This can result in the loss of key institutional knowledge, and in more effort and investment than if appropriate controls had been included in the initial design. However, companies can recover from an ineffective implementation by implementing proper automated controls and focusing on monitoring.

Effective ERP SOD control is an ongoing process, requiring continuous maintenance and improvement. Companies should undergo a comprehensive risk assessment to understand threats, and should customize and validate existing rule sets. In addition, CCM/GRC tools can enhance SOD controls and fraud mitigation efforts, but strong governance processes are key: processes and data are more important than the tool itself.

