How to control your ERP access configuration
ERP systems are complex IT solutions that support business processes within organisations. Such systems support a large spectrum of configurations and customisation. Within the range of configurations, ERP systems also allow for multiple security configurations which, if not addressed correctly, can cause various business disruptions as well as security leaks, eventually resulting in potential fraud, errors, lack of compliance with regulations and/or process inefficiency.
In our practice, we encounter many organisations struggling with their setup and maintenance of provided access rights in their ERP system(s). There are many root causes but, in most cases, the problems are linked to access management and therefore theoretically come under the responsibility of the IT department. However, segregation of duties (SOD) and user access are not solely an IT issue. It is vital that organisations understand that user access should be the responsibility of the business (supported, of course, by IT).
Organisations must overcome several key challenges if they are to embed this understanding.
1. No insight into SOD compliance
Most organisations struggle with defining and/or monitoring segregation of duties (SOD) conflicts. SOD means that the different steps of the business processes running within the system are correctly segregated among employees, ensuring that an employee cannot control an entire or significant portion of a business process.
2. Lack of internal control over SOD – exposing clients to risk
Employees with excessive authority can perform too many process steps, potentially leading to errors and/or fraudulent activities.
3. Struggling to get a grip on SOD – new conflicts keep appearing
Whether due to cost or time constraints and/or a lack of skills, the authorisation framework has not been implemented in a way that restricts employee access appropriately, thereby leading to compliance breaches.
4. SOD compliance cannot be monitored inside ERP systems
Most ERP systems do not provide (proper) access management functionality from the outset; it has to be established by the company itself.
To address these and other related issues, here at KPMG we have developed our Sofy Access Management solution. Sofy Access Management supports organisations in resolving a variety of business problems regarding governance, risk and compliance in Oracle, SAP and Microsoft Dynamics (AX/NAV) ERP systems. Using a unique cloud-based approach, the security configurations are analysed and exceptions identified in real time. The solution is an accelerator to enable the implementation of solid access control management processes and configurations.
The intuitive, transparent and simple tool has been developed for effective access compliance management in your ERP system. Real-time insights and alerts can be established to detect and also prevent compliance breaches (for example, SOD conflicts, critical access issues).
The cloud service can be integrated into your existing ERP back-end and requires minimal deployment and maintenance. Moreover, its integrated KPMG knowledge base makes user adoption and implementation seamless.
The KPMG Sofy Suite is an example of a SaaS solution which is built on advanced data solutions to help companies make better business choices, increase their efficiency, and also mitigate risk in their decision-making.
Do you want to learn more, or do you have any questions? Let us know and contact us.