Being aware of the vulnerabilities can help you reduce the risk of fraud or other unauthorized activity
Most businesses rely on the integrity of their ERP systems to operate their applications and to be in alignment with business goals and stakeholder expectations.
To ensure the integrity and reduce the risk of fraud, it is important to understand where or how risks can be introduced so that you can properly secure your system.
These risks can cause:
- Inconsistent processing results
- Unauthorised access to hidden programs or reports
- Loss of data integrity
- Loss of productivity.
5 commons ways risks are introduced
- Changes to Business Processes
As companies grow, we often need to make operational changes to aid efficiency. Without a robust change management process, added risks can be introduced to your ERP system and easily missed.
Your change management process should include:
- Sufficient User Testing
This should include ample time to complete both positive and negative testing for functional processes, security access, and stress test against the system/infrastructures.
- Appropriate Approvers to authorize changes before and after implementation
Approval processes should have multiple check points to ensure the change requests are appropriate and that approvers understand the responsibility they are undertaking. Appropriate approvers can easily identify the risks in a process and whether the change is operationally sound.
- A Backout Plan
In case the implementation runs into errors, preparations should be made prior to implementation to allow restoration back to status quo.
- Trackability and Good Documentation
All changes can be potentially flagged for audit. It is best practice to have well documented changes and ensure it can be traced down to when, how, what, and who.
A successful change management process will provide management assurance that only authorized and tested changes to systems and structures are implemented.
- Custom Applications and Reports
It is common for organizations to develop customized applications and reports to better suit business needs. However, when modified objects are used, it is crucial to follow the same rigorous testing as any other business change. Treating your custom modifications in the same way as you would introduce an entirely new process change will help ensure you are best reducing risk.
- Changes to Existing Staff
It never ceases to amaze me how painful the change process is when staff changes happen. Staff changes include on boarding, off boarding, name changes and change in titles/responsibility. Having a clear and collaborate staff change workflow can remediate any risk the change can cause.
Consider the following:
- Removing applications users no longer need
- Erroneous creation of duplicate user accounts
- Internal and External online access
- Segregation of Duties.
- Not Assessing Your Risk Regularly
You may have all the proper processes and mitigating controls in place, but it is important to keep your risk-health in check. For some processes, checking as often as daily can be crucial to the business. This includes:
- Integrity checking for errors in processes such as user added with no address book number
- SoD reporting on conflicts.
- Unclear understanding of System Configurations Setup
Although the responsibility for the operating control and its proper functionality lies with the Security and/or System Administration team, the accountability inevitably falls on the Business Support team if control fails and risk is materialized.
Watch this on-demand webinar to find out more about specific risks around JD Edwards EnterpriseOne configuration.
I hope you find it helpful!