Good Security Management can prevent fraud, streamline your audits – and save time and money
Most companies I speak to consider ERP security management to be a necessary pain. They put up with the cost and don’t ask too many questions about how effective the security is, on the basis that it’s too difficult to fix. Or maybe some of them are simply oblivious to the dangers. Until either an auditor or a fraudster shows up to test their controls…
According to PwC, every US company has a 50% chance of experiencing an internal fraud this year. Do you understand your security well enough to assure your CFO that no-one can commit one of the common ERP frauds? Who could commit the “dummy company fraud?” Who could change a supplier’s bank details to their own and receive the payment in the Cayman Islands?
ERP security management is extremely complex, so these are real problems. But it isn’t a very interesting area, and it rarely features high up on senior managers’ priorities lists. CIOs don’t lie awake thinking about it; they’re more likely to worry about Ransomware, Cloud hackers, and Korean gangsters. Until it all goes wrong.
It doesn’t have to be difficult – and it doesn’t even have to be costly. Done well, efficient ERP security can actually reduce your security management costs, as well as helping you to prevent fraud and improve your audit outcomes.
Assess your current ERP security and identify your vulnerabilities
The starting point should always be an audit of your existing security. Where is it good, and where are there weaknesses that leave you exposed?
There are many companies who can undertake such an audit for you for a ridiculous charge. Or your Database Admin can spend a few weeks developing some scripts, and give you some results – which are likely to be incorrect due to the complexities of ERP security.
Or you can use a Cloud-based ERP security audit service, which is very easy and requires no technical effort.
Then you might need help to understand the results. The audit should give recommendations, but mapping the proposed actions to your available resources and skills might be difficult. You need a prioritized security improvement plan with costs and a brief project plan.
Take a pragmatic approach to remediating security
The remediation work required will vary enormously. It depends on the nature of the issues identified by the audit, but it also depends on the level of risk that your organization is prepared to take. Few organizations have the wherewithal to eliminate ALL possible risks, so you need to decide where the main risks in your business lie, and focus on those areas.
The risks will be set out in the audit recommendations, so explain them clearly to your CFO and find out whether he or she will commit cash to fix the main problems. If the results show that you’re exposed to the risk of fraud, who would want to be responsible for taking a decision not to fix the vulnerability…?
An efficient ERP Security Model can cut management costs
The costs of improving your security can be justified by reducing your security management overheads. For example, should you consider implementing Role-Based Access Controls (RBAC), which will significantly reduce your ongoing costs? If you have 500 users and 50 roles, RBAC means that you manage security for 50 roles, rather than 500 users, yielding a 5 to 10-fold increase in efficiency.
Do you want to deskill the job of day-to-day security management and pass it down to help desk staff? If so, you probably need embedded third-party tools for your specific ERP, but this is another area where investment can yield huge savings and free up highly-skilled technical staff.
Have you got good internal controls in key areas such as User and Role Provisioning? There’s often a certain amount of mystique around IT General Controls like these, but they can be very easy to set up if you have the right tools. Proper authorization processes and preventive Segregation of Duties controls are a great way to keep your security clean. This brings long term benefits in terms of fraud control and audit, and with a good toolset, it should not be expensive.
Finally, when I present on this subject, I always focus on visibility and reporting. If he or she hasn’t done so already, your auditor will eventually ask key questions such as “Who has access to particular functions? Who can violate your Segregation of Duties policies?”
You need a security management setup which can deliver immediate answers to questions such as these. This kind of visibility is crucial to protecting your ERP system from fraud – and to achieving positive audit results.
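The three questions raised above (managing roles rather than users, preventive Segregation of Duties checks at provisioning time, and being able to answer “who has access to function X?” and “who can violate our SoD policy?” on demand) can all be answered from the same small access model. The script below is an added example written for this post, not the author's code or any ERP vendor's tooling; the role, function and user names, the composite-role structure and the SoD rules are all constructed sample data chosen to mirror the “dummy company” and supplier bank-detail scenarios mentioned earlier.

```python
from collections import deque

# Constructed sample data (hypothetical names, not from any real ERP).
# A role grants a set of functions; a composite role can also include other roles.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"CREATE_SUPPLIER", "ENTER_INVOICE"},
    "AP_MANAGER": {"APPROVE_PAYMENT"},
    "SUPPLIER_MASTER": {"MAINTAIN_SUPPLIER_BANK"},
    "REPORT_VIEWER": {"VIEW_AP_REPORTS"},
    "AP_SUPERVISOR": set(),  # composite: grants nothing directly, see ROLE_INCLUDES
}
ROLE_INCLUDES = {
    "AP_SUPERVISOR": {"AP_CLERK", "REPORT_VIEWER"},
}
# Users are managed by role assignment only (the RBAC point: 50 roles, not 500 users).
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_MANAGER"},
    "carol": {"AP_SUPERVISOR", "AP_MANAGER"},  # inherits CREATE_SUPPLIER via composite
    "dave": {"SUPPLIER_MASTER", "AP_MANAGER"},
    "erin": {"REPORT_VIEWER"},
}
# SoD policy: pairs of functions one person must never hold together.
SOD_POLICY = {
    "dummy_company": ("CREATE_SUPPLIER", "APPROVE_PAYMENT"),
    "bank_detail_fraud": ("MAINTAIN_SUPPLIER_BANK", "APPROVE_PAYMENT"),
    "invoice_and_pay": ("ENTER_INVOICE", "APPROVE_PAYMENT"),
}


def resolve_role(role):
    """Return every function a role grants, following composite-role inclusion.

    Breadth-first with a 'seen' set so a mis-configured role cycle cannot loop forever.
    """
    seen, funcs = set(), set()
    queue = deque([role])
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        funcs |= ROLE_FUNCTIONS.get(current, set())
        queue.extend(ROLE_INCLUDES.get(current, ()))
    return funcs


def effective_access(user, extra_roles=()):
    """Union of all functions reachable from the user's roles (plus any proposed roles)."""
    funcs = set()
    for role in set(USER_ROLES.get(user, ())) | set(extra_roles):
        funcs |= resolve_role(role)
    return funcs


def users_with_function(function):
    """Auditor question 1: who has access to a particular function?"""
    return sorted(u for u in USER_ROLES if function in effective_access(u))


def violations_for(access):
    """Names of SoD rules whose two functions are both present in an access set."""
    return sorted(name for name, (a, b) in SOD_POLICY.items()
                  if a in access and b in access)


def sod_violations():
    """Auditor question 2: who can violate the SoD policy single-handedly?"""
    report = {}
    for user in USER_ROLES:
        hits = violations_for(effective_access(user))
        if hits:
            report[user] = hits
    return report


def provisioning_check(user, new_role):
    """Preventive control: SoD rules that granting new_role would newly break.

    An empty list means the request can be approved without creating a conflict.
    """
    before = set(violations_for(effective_access(user)))
    after = set(violations_for(effective_access(user, extra_roles=[new_role])))
    return sorted(after - before)


if __name__ == "__main__":
    print("CREATE_SUPPLIER holders:", users_with_function("CREATE_SUPPLIER"))
    print("SoD violations:", sod_violations())
    print("Grant AP_CLERK to bob?", provisioning_check("bob", "AP_CLERK"))
```

Two points worth noting. `carol` holds no role that directly contains `CREATE_SUPPLIER`, yet she appears in the dummy-company violation because the composite role pulls it in; reports that only look at direct role contents (the “few weeks of DBA scripts” approach) miss exactly this. And `provisioning_check` is the preventive control: it is run before the help desk approves a role request, so the conflict never reaches production rather than being found at the next audit.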
So, in summary, yes, security management isn’t very sexy, but the benefits in terms of cost savings, easier audits and improved fraud prevention can be very interesting. What you need is a security audit, and then a plan. The costs need to be laid out, because it does mean investing now to gain efficiency later, but for the clients I’ve worked with, the longest payback period I’ve seen is 3 years.
And the CIO doesn’t need to worry about insider fraud, or whether his auditor is going to qualify the accounts. That’s what I call a no-brainer.