How to control your ERP access configuration

ERP systems are complex IT solutions that support business processes within organisations. They allow a wide range of configurations and customisations, including multiple security configurations which, if not set up correctly, can cause business disruptions as well as security leaks, potentially resulting in fraud, errors, non-compliance with regulations and/or process inefficiency.


In our practice, we encounter many organisations struggling with the setup and maintenance of access rights in their ERP system(s). There are many root causes but, in most cases, the problems are linked to access management and therefore nominally fall under the responsibility of the IT department. However, segregation of duties (SOD) and user access are not solely an IT issue. It is vital that organisations understand that user access should be the responsibility of the business (supported, of course, by IT).


Organisations face several key challenges if they are to embed this understanding in their day-to-day operations.

1. No insight into SOD compliance

Most organisations struggle to define and/or monitor segregation of duties (SOD) conflicts. Segregation of duties means that the steps of a business process running within the system are divided among employees so that no single employee can control an entire business process or a significant portion of it (for example, creating a vendor invoice and also approving it).

2. Lack of internal control over SOD – exposing clients to risk

Employees with excessive authority can perform too many process steps, potentially leading to errors and/or fraudulent activities.

3. Struggling to get a grip on SOD – new conflicts keep appearing

Whether due to cost or time constraints and/or a lack of skills, the authorisation framework has often not been implemented in a way that restricts employee access appropriately, so new conflicts keep arising and compliance breaches follow.

4. SOD compliance cannot be monitored inside ERP systems

Most ERP systems do not ship with (adequate) access management or SOD-monitoring functionality; the rule set and the monitoring have to be established by the company itself.
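To make the four challenges above concrete, here is an added example (not code from the original article, nor from any KPMG product) of the core check behind SOD monitoring: map each user's roles to the business functions they grant, then test every pair of functions an SOD rule forbids in one pair of hands. The roles, function names, users and rules are constructed sample data; real ERP systems expose these through their own authorisation objects, so the names here are illustrative only. Beyond the detective report (challenge 1 and 2), the example includes a preventive check that reports which conflicts a proposed role assignment would newly introduce (challenge 3) and a scan for roles that violate a rule on their own, which is how conflicts keep reappearing no matter who the role is given to.

```python
"""Segregation-of-duties (SOD) conflict detection over ERP role assignments.

All data below is constructed for illustration; the role, function and user
names are hypothetical and do not come from any specific ERP system.
"""
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str]            # two business functions that must be separated
Violation = Tuple[str, str, str]  # (function_a, function_b, severity)

# Constructed: which business functions (activities) each role grants.
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "AP_CLERK": {"CREATE_VENDOR_INVOICE"},
    "AP_MANAGER": {"APPROVE_VENDOR_INVOICE", "RELEASE_PAYMENT"},
    "VENDOR_MASTER": {"MAINTAIN_VENDOR_MASTER"},
    "PURCHASING": {"CREATE_PURCHASE_ORDER"},
    "GOODS_RECEIPT": {"POST_GOODS_RECEIPT"},
    # A badly designed role: it grants both sides of an SOD rule by itself.
    "FINANCE_ALL": {"CREATE_VENDOR_INVOICE", "APPROVE_VENDOR_INVOICE", "RELEASE_PAYMENT"},
}

# Constructed: the SOD rule set. Each pair must not be held by one user.
SOD_RULES: Dict[Rule, str] = {
    ("CREATE_VENDOR_INVOICE", "APPROVE_VENDOR_INVOICE"): "high",
    ("MAINTAIN_VENDOR_MASTER", "RELEASE_PAYMENT"): "high",
    ("CREATE_PURCHASE_ORDER", "POST_GOODS_RECEIPT"): "medium",
}

# Constructed: current user-to-role assignments as exported from the ERP system.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},
    "carol": {"VENDOR_MASTER", "AP_MANAGER"},
    "dave": {"PURCHASING"},
}


def _violations(funcs: Set[str], sod_rules: Dict[Rule, str]) -> List[Violation]:
    """Every SOD rule whose two functions are both present in `funcs`."""
    return sorted((a, b, sev) for (a, b), sev in sod_rules.items()
                  if a in funcs and b in funcs)


def effective_functions(roles: Set[str],
                        role_functions: Dict[str, Set[str]] = ROLE_FUNCTIONS) -> Set[str]:
    """Union of the functions granted by all of a user's roles.

    Conflicts usually arise across roles, so the check must work on this
    union rather than on each role separately.
    """
    funcs: Set[str] = set()
    for role in roles:
        funcs |= role_functions.get(role, set())
    return funcs


def find_sod_conflicts(user_roles: Dict[str, Set[str]] = USER_ROLES,
                       sod_rules: Dict[Rule, str] = SOD_RULES,
                       role_functions: Dict[str, Set[str]] = ROLE_FUNCTIONS
                       ) -> Dict[str, List[Violation]]:
    """Detective control: users that currently hold both sides of an SOD rule."""
    conflicts: Dict[str, List[Violation]] = {}
    for user, roles in user_roles.items():
        hits = _violations(effective_functions(roles, role_functions), sod_rules)
        if hits:
            conflicts[user] = hits
    return conflicts


def conflicts_if_assigned(user: str, new_role: str,
                          user_roles: Dict[str, Set[str]] = USER_ROLES,
                          sod_rules: Dict[Rule, str] = SOD_RULES,
                          role_functions: Dict[str, Set[str]] = ROLE_FUNCTIONS
                          ) -> List[Violation]:
    """Preventive control: violations that granting `new_role` to `user` would ADD.

    Pre-existing violations are excluded so the approver sees only what the
    requested change introduces.
    """
    current = set(user_roles.get(user, set()))
    before = set(_violations(effective_functions(current, role_functions), sod_rules))
    after = set(_violations(effective_functions(current | {new_role}, role_functions), sod_rules))
    return sorted(after - before)


def conflicting_roles(role_functions: Dict[str, Set[str]] = ROLE_FUNCTIONS,
                      sod_rules: Dict[Rule, str] = SOD_RULES) -> Dict[str, List[Violation]]:
    """Roles that violate a rule on their own; assigning them to anyone is a conflict."""
    return {role: hits for role, funcs in role_functions.items()
            if (hits := _violations(funcs, sod_rules))}


if __name__ == "__main__":
    for user, hits in find_sod_conflicts().items():
        for a, b, sev in hits:
            print(f"CONFLICT [{sev}] {user}: {a} + {b}")
    for role, hits in conflicting_roles().items():
        print(f"ROLE DESIGN ISSUE {role}: {hits}")
    print("dave + GOODS_RECEIPT would add:", conflicts_if_assigned("dave", "GOODS_RECEIPT"))
```

In practice the three dictionaries are extracted from the ERP system (role definitions, the business-process-to-function mapping, and the user-role assignments) and the rule set is owned by the business, which is the point the article makes about ownership: IT can run the check, but only process owners can say which function pairs must be separated and which detected conflicts are acceptable with a compensating control.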


To address these and other related issues, here at KPMG we have developed our Sofy Access Management solution. Sofy Access Management supports organisations in resolving a variety of business problems regarding governance, risk and compliance in Oracle, SAP and Microsoft Dynamics (AX/NAV) ERP systems. Using a unique cloud-based approach, the security configurations are analysed and exceptions identified in real time. The solution is an accelerator to enable the implementation of solid access control management processes and configurations.


The intuitive, transparent and simple tool has been developed for effective access compliance management in your ERP system. Real-time insights and alerts can be established to detect and also prevent compliance breaches (for example, SOD conflicts, critical access issues).


The cloud service can be integrated into your existing ERP back-end and requires minimal deployment and maintenance. Moreover, its integrated KPMG knowledge base makes user adoption and implementation seamless.



The KPMG Sofy Suite is an example of a SaaS solution which is built on advanced data solutions to help companies make better business choices, increase their efficiency, and also mitigate risk in their decision-making.


Do you want to learn more, or do you have any questions? Let us know and contact us.


Start finding the value in your data

Request a free demo and one of our experts will take you on a little tour! During the demo, we will show you all the functionalities within the Sofy platform. Find out how Sofy can help you optimize your workflows and make better business choices!

© 2020 KPMG N.V., registered with the trade register in the Netherlands under number 34153857, is a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ('KPMG International'), a Swiss entity. All rights reserved. KPMG International Cooperative ('KPMG International') is a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.