ERP Security & Controls Solutions

End-to-end security and controls throughout the lifecycle of ERP systems

Highlights

• Assure controls are built into the system and maintained throughout the system lifecycle
• Reduce rework for missed controls
• Assure PII/SPI/BSI is adequately protected
• Assure audit logs, etc. are activated and processes are in place to review and sign off
• Assure appropriate segregation of duties is established and maintained
• Assure compliance with regulatory frameworks
• Improve the system's audit posture
• Manage data security and privacy risks throughout the system lifecycle

ERP Risk Exposure

An enterprise resource planning (ERP) system is a commercial software package that can integrate all information flowing through the entity. ERP systems contain functional modules (e.g., financial, accounting, human resources, supply chain and customer information) that are integrated within the core system and often interfaced to external systems. ERP implementations can create IT and business risk exposure through:
• Failure to implement application and IT controls in the new system
• Lack of segregation of duties
• Audit risk: failure to comply with required regulations

Common Problems

During the development lifecycle of a new ERP system, it is critical to design and implement controls that assure data security and privacy. Many ERP implementations share common gaps that result in risks which are subsequently identified as audit findings. These include:

• The use of unmasked production data in development and/or test environments.
• Failure to identify business controls in the requirements and design, resulting in later audit gaps and rework.
• Failure to identify and incorporate required IT controls. For example, PCI requirements for encryption of credit card data in transit and at rest.
• Failure to identify and manage segregation of duties risks and conflicts during system design, test and implementation, as well as those present in the implemented system. For example, an approver should not be able to approve a purchase order that they submitted.
• Inadvertent exposure of business sensitive information (e.g., exposure of user credit card or bank account information, or even a report of personal data left on a desktop).
• Failure to manage privileged user access and default system user accounts (e.g., SAP_ALL).
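Two of the gaps above (segregation-of-duties conflicts and unmanaged privileged profiles) are the kind of thing a control can check mechanically. The following is an added example, not code from the original page or from any ERP vendor: it enforces the "approver may not approve their own purchase order" rule at transaction time, scans a user-to-role assignment for conflicting role pairs, and flags users who hold the SAP_ALL profile. The role names, the conflict matrix and the user data are constructed for illustration; only SAP_ALL comes from the page.

```python
"""Added example: purchase-order SoD enforcement and a review scan of role and
profile assignments. All identifiers except SAP_ALL are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class PurchaseOrder:
    po_id: str
    submitted_by: str            # user id of the requester
    approved_by: Optional[str] = None


class SegregationOfDutiesError(PermissionError):
    """Raised when one user would perform two conflicting duties."""


def approve_purchase_order(po: PurchaseOrder, approver: str) -> PurchaseOrder:
    """Preventive control: the submitter of a PO can never be its approver."""
    if approver == po.submitted_by:
        raise SegregationOfDutiesError(
            f"{approver} submitted {po.po_id} and may not approve it")
    if po.approved_by is not None:
        raise ValueError(f"{po.po_id} is already approved by {po.approved_by}")
    po.approved_by = approver
    return po


# Constructed SoD conflict matrix (hypothetical role names): each pair is a
# combination that one user must not hold at the same time.
CONFLICTING_ROLE_PAIRS = {
    frozenset({"PO_CREATE", "PO_APPROVE"}),
    frozenset({"VENDOR_MAINTAIN", "PAYMENT_RELEASE"}),
    frozenset({"GL_POST", "GL_APPROVE"}),
}

# Default/wide-open profiles that should not be assigned in production.
# SAP_ALL is named on the page; the set exists so a reviewer can extend it.
FORBIDDEN_PROFILES = {"SAP_ALL"}


def find_sod_conflicts(user_roles: dict) -> list:
    """Detective control: return (user, conflicting_pair) for every user whose
    assigned roles contain both halves of a conflicting pair."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        held = set(roles)
        for pair in sorted(CONFLICTING_ROLE_PAIRS, key=sorted):
            if pair <= held:
                findings.append((user, pair))
    return findings


def find_forbidden_profiles(user_profiles: dict) -> list:
    """Detective control: return (user, profile) for every forbidden profile
    assignment, e.g. a default super-user profile left on a named account."""
    return sorted(
        (user, profile)
        for user, profiles in user_profiles.items()
        for profile in profiles
        if profile in FORBIDDEN_PROFILES
    )


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    po = PurchaseOrder("PO-1001", submitted_by="alice")
    try:
        approve_purchase_order(po, "alice")
    except SegregationOfDutiesError as err:
        print("blocked:", err)
    approve_purchase_order(po, "bob")
    print("approved by", po.approved_by)

    roles = {"alice": {"PO_CREATE"}, "carol": {"PO_CREATE", "PO_APPROVE"}}
    profiles = {"alice": {"Z_BUYER"}, "svc_batch": {"SAP_ALL"}}
    for finding in find_sod_conflicts(roles):
        print("SoD conflict:", finding)
    for finding in find_forbidden_profiles(profiles):
        print("forbidden profile:", finding)
```

The preventive check belongs in the approval transaction itself; the two scans are the periodic review that an audit expects to see run and signed off against the current role and profile assignments.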