The ERP landscape is changing fast. Currently, most organizations use hybrid models of on premise and cloud (SaaS, private, etc.). This brings new inherent risks that have to be addressed by the controls framework. The business process controls framework has to be standardized across the organization, irrespective of the geography, and yet help achieve compliance with legislations like GDPR, SOX, etc.

In most ERP projects, implementation or upgrade focus is on access controls, i.e. segregation of duties and business process controls are left for design and implementation post go-live of the ERP system. This means that go-live happens without identifying the risks and controls from a business process perspective.

Organizations that want a robust ERP business process controls framework that is proactive and resilient rather than reactive before go-live, should think of security by design across the ERP from the blueprinting/requirements gathering phase to ensure that controls are designed in a timely and effective manner at lower costs.

Security by design in ERP needs to focus on continuous controls that are inline, real-time, detective and preventive across all transactional systems to ensure that the ERP is designed to achieve internal controls, regulatory compliance, and accounting standards.

The business process control journey

In an integrated business applications environment where transactions flow seamlessly across in-house and third party applications, platforms, ERPs, modules, cross-functions, and departments, the controls need to be embedded in the business processes. The suggested steps to identify the risks and controls across the business should be as follows:

• Understand the current business process and data flow
• Understand the future business process and data flow
• Understand the future ERP design for the business process and data flow
• Perform risk assessment against the process and classify risks as high/medium/low
• Design the control as required to meet the business control objectives
• Design and document the control as automated/semi-automated/manual and arrive at residual risk, if any

In brief, the need is to identify the risks, and propose controls across below-given activities in the ERP project to achieve a robust business process control framework across an ERP landscape:

• Installation
• Integration with various in-house and third party applications and platforms
• Configurations
• Customization of standard codes and packages
• Customization of interfaces
• Customization of out of box, functionality in ERP
• Customization to build controls for input and output of data i.e. electronic fund transfer files in banks
• Migration of legacy data
• Migration of master data
• Data in transit and at rest

Best approach to business process control

Security by design for business process controls across an ERP should begin in phase one of the project when a business process like procure to pay order to cash is being designed. These business process controls will ensure that risks at both the entity/business-process level are identified, and controls options i.e. configuration, customization or compensating controls are evaluated during business process design itself. This will lead to a one-time effort with little need to redesign business processes and controls later, after go live.

Below are the key business process control focus areas during various phases of the ERP project to ensure security by design:

Before the upgrade or implementation

• Identify the impacted business processes
• Identify and quantify risk against the business processes
• Identify the control options (automated, semi-automated, manual)
• Include the new controls in L1 to L6 business process documentation

During the upgrade or implementation

Design and build technical controls as per the L1 to L6 design during this phase. During the build and test, look at proactively identifying additional risks at both the entity and business-process level, which might be product specific, so that additional controls can be designed accordingly. This is an iterative process until the risks are mitigated or are down to an acceptable level.

After the upgrade or implementation

Go live with all critical risks already addressed in the ‘to be ERP system’ using the security by design approach. Look at building best practices for monitoring transactions to identify additional risks and build new controls if required.

Conclusion

The secure by design approach for business process controls helps the organization with cost savings and business benefits. Any other approach would mean revisiting entire project lifecycle, beginning with business process controls design, build, test, and migration to production.

Rajesh Udayamurthy

Practice Head - ERP GRC, Consulting & Advisory Services -Cybersecurity & Risk, Wipro Limited.

Rajesh is a qualified CPA and certified CISA with 20+ years of experience in the domain of finance, auditing, and ERP implementation and security. He has extensive experience in security design and implementation across ERP landscapes. He provides consulting and advisory services for Design of Access and Business Process Controls across ERP in greenfield and business transformation projects. He can be reached at rajesh.udayamurthy@wipro.com