Audit Model: The Key to Identifying and Managing Risk in your ERP
If you are involved with an ERP system – whether you use it, support it or simply rely on it to produce your company’s financial figures – you need to understand your risks.
You have a 1-in-3 chance of someone committing fraud on your ERP system this year, and the consultancies tell us that the average loss is $½m, so I think you’ll agree that it’s a good idea to know how to manage the risks.
Auditing your ERP system is the best way to understand your vulnerabilities
Typically, companies pay external auditors a lot of money to advise them on risks, but it is now much easier to control them in-house – and that is where the Audit Model comes in. In summary, it is the set of controls that you build to manage the risks, and thereby save yourself that $½m, and probably your job as well.
Many equate the Audit Model to another interesting term, the Risk Model.
The Risk Model defines the problems that you perceive could occur in your business. But please don’t ever start your Risk Model from scratch! Build on the experience of others and learn from someone else’s mistakes. But always remember: it is now your model, so you need to adapt it to your business, and to get the business to own it. And fraudsters are smart; they move with the times, so you need to do the same with your model.
The Audit Model builds on your Risk Model of potential problems and identifies processes and controls to prevent the risks from being realized in your company. In practice, an Audit Model comprises the rules and security settings that determine how users can access your ERP system.
It primarily involves limiting access to your ERP system according to the principle of “least privilege,” and imposing Segregation of Duties rules that prevent individuals from carrying out risky combinations of tasks. If a user doesn’t need access to do his or her job, remove it. If a technician says he must have access, the response should always be “Why?” And if he does need the extended access, you must be able to keep track of what he’s doing with it.
Your Audit Model helps you to identify weaknesses
Above all else, an Audit Model is about how you keep a track of these processes. How do you know if your risk controls are effective? You need to be able to compare your Audit Model against your live security to report on any violations that make you vulnerable to risk.
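The comparison described above, of an Audit Model (least-privilege job profiles plus Segregation of Duties rules) against live user and role assignments, can be expressed as a small checker. The following is an added illustration, not code from the original article or from any ERP vendor; every role, function, user, job profile and rule in it is constructed for the example, and the data structures stand in for whatever export of user-to-role assignments your ERP provides.

```python
"""Added example: report SoD and least-privilege violations in an ERP role export.

All role names, business functions, users, job profiles and rules below are
constructed for illustration (hypothetical); they are not from a real product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SodRule:
    """Two business functions one person must never hold together."""
    rule_id: str
    func_a: str
    func_b: str
    risk: str


# Security settings: which business functions each ERP role grants (constructed).
ROLE_FUNCTIONS = {
    "VENDOR_MASTER": {"CREATE_VENDOR"},
    "AP_CLERK": {"ENTER_INVOICE"},
    "AP_MANAGER": {"APPROVE_INVOICE"},
    "TREASURY": {"RELEASE_PAYMENT"},
    "BASIS_ADMIN": {"MAINTAIN_USERS", "CHANGE_CONFIG"},
    # A single role that conflicts with itself: a common finding in real audits.
    "AP_SUPERUSER": {"ENTER_INVOICE", "APPROVE_INVOICE", "RELEASE_PAYMENT"},
}

# The Risk Model, written down as SoD rules (constructed).
SOD_RULES = [
    SodRule("SOD-01", "CREATE_VENDOR", "ENTER_INVOICE", "Fictitious vendor invoicing"),
    SodRule("SOD-02", "ENTER_INVOICE", "APPROVE_INVOICE", "Self-approved invoices"),
    SodRule("SOD-03", "APPROVE_INVOICE", "RELEASE_PAYMENT", "Approve and pay unchecked"),
    SodRule("SOD-04", "MAINTAIN_USERS", "RELEASE_PAYMENT", "Admin can grant own payment rights"),
]

# Least-privilege baseline: the functions each job genuinely needs (constructed).
JOB_PROFILES = {
    "ap_clerk": {"ENTER_INVOICE"},
    "ap_manager": {"APPROVE_INVOICE"},
    "basis": {"MAINTAIN_USERS", "CHANGE_CONFIG"},
}

# Live security: a user-to-role export from the ERP (constructed sample).
LIVE_USERS = {
    "alice": {"job": "ap_clerk", "roles": ["VENDOR_MASTER", "AP_CLERK"]},
    "bob": {"job": "ap_manager", "roles": ["AP_MANAGER"]},
    "carol": {"job": "ap_manager", "roles": ["AP_SUPERUSER"]},
    "dave": {"job": "basis", "roles": ["BASIS_ADMIN", "TREASURY"]},
}


def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Map each function the user can perform to the set of roles granting it."""
    granted = {}
    for role in roles:
        for func in role_functions.get(role, set()):
            granted.setdefault(func, set()).add(role)
    return granted


def sod_violations(user, roles, rules=SOD_RULES, role_functions=ROLE_FUNCTIONS):
    """Return every SoD rule the user breaks, naming the roles responsible.

    A conflict is reported whether the two functions come from different roles
    or from one badly designed role; both are violations of the model.
    """
    granted = effective_functions(roles, role_functions)
    hits = []
    for rule in rules:
        if rule.func_a in granted and rule.func_b in granted:
            hits.append({
                "user": user,
                "rule": rule.rule_id,
                "risk": rule.risk,
                "via": sorted(granted[rule.func_a] | granted[rule.func_b]),
            })
    return hits


def excess_privilege(roles, needed, role_functions=ROLE_FUNCTIONS):
    """Functions granted beyond the job profile: the least-privilege gap."""
    return set(effective_functions(roles, role_functions)) - set(needed)


def audit(live_users=LIVE_USERS, profiles=JOB_PROFILES):
    """Compare live assignments against the Audit Model and collect findings."""
    report = {"sod": [], "excess": {}}
    for user, rec in live_users.items():
        report["sod"].extend(sod_violations(user, rec["roles"]))
        extra = excess_privilege(rec["roles"], profiles[rec["job"]])
        if extra:
            report["excess"][user] = sorted(extra)
    return report


if __name__ == "__main__":
    result = audit()
    for hit in result["sod"]:
        print(f"{hit['user']}: {hit['rule']} ({hit['risk']}) via {', '.join(hit['via'])}")
    for user, extra in result["excess"].items():
        print(f"{user}: holds functions not needed for the job: {', '.join(extra)}")
```

Running the checker on the constructed export flags alice (vendor creation combined with invoice entry across two roles), carol (two conflicts inside the single AP_SUPERUSER role), and dave (a technical administrator who can also release payments), and separately lists the functions each of them holds beyond their job profile. In a real deployment the `LIVE_USERS` dictionary would be loaded from the ERP's user and role tables on a schedule, and a non-empty report is the signal that the Audit Model and the live security have drifted apart.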
At this point, most medium-sized and some large businesses are squealing, “great idea, but this is so difficult, so expensive.” The perception is that building an Audit Model is a very long process, and that it is very expensive to maintain. There are certainly some IT companies who would like you to continue to believe this… but the great news is that now you can use technology to overcome these barriers. Now you can learn to love your Audit Model, because solutions exist that can be deployed in minutes, not months.
Imagine being able to assess how your ERP system stacks up against a model that has been refined through use by dozens of other businesses. With almost no technical effort, you can find out what you need to do to close the gaps that a fraudster could exploit.
Technology can be a potent force in helping you to rapidly reduce your likelihood of being one of the 1-in-3. If you would like to explore the possibilities, find out more about audit solutions for your ERP.