SOX, ERP, and BPM: a trifecta that can make your business run better

Strategic Finance, Dec, 2008 by Kenton B. Walker

For IT Upgrades

The upshot of SOX for information systems is that corporate governance issues are encouraging companies to purchase or upgrade ERP systems. Companies that previously couldn't make a business case for ERP can do so now. They are gaining unparalleled business awareness through ERP and a SOX audit as an achievement standard. Firms need to determine if their current systems retain historical information on financial inputs, master record changes, and authorizations/approvals. From this information, an organization can detect unusual business patterns and investigate any problems. Companies should also evaluate data storage methods to determine such things as how records can be deleted, how secure is data, who can access data, and, of those who can, how many have a business purpose. Finally, compliance necessitates that companies assess mechanisms for alerts that would detect irregular business patterns. These alerts range from a portal dashboard to the ability to obtain information from control reports.

To Uncover and Repair ERP System Weaknesses

Being aware of an information system's weaknesses is as important as knowing its strengths. Shortcomings may be inherent to the system, the result of poor implementation, or simply stem from management's failure to fully utilize existing system capabilities. Compliance initiatives can provide an important barometer of the state of information system and business practices. Even smaller firms that use ERP and that aren't required to comply with SOX need proper business controls in place to identify weak spots.

Companies that operate an ERP system are required to have an audit of the system for SOX compliance. Before accounting/finance and IT managers can leverage ERP as a compliance tool, they must evaluate the status of the system's "switches" and the internal controls corresponding to each one in every functional area supported by the ERP package. There are many examples of organizations that spent millions of dollars on ERP but didn't experience its value. After examining the implementation, managers discovered that problems weren't a result of the software failing to perform as advertised but of failure to enable control mechanisms (the switches were turned "off") during the implementation, set-up, and monitoring phases. In order to lower the cost and speed up the implementations, some companies didn't take the time to fully enable their systems. System implementers didn't turn on some of the internal controls now needed for compliance efforts.

One example involves restrictions placed on access to specific modules of the ERP system. In some organizations, employees outside accounts payable can make entries to the AP module. Access wasn't sufficiently restricted during the implementation process and may not be sufficiently documented to satisfy external auditors that the company complies with Section 404. Another example is workflow controls. Many ERP systems can be used to define the level at which a potential accounts receivable write-off must receive approval. If the control "switches" are set properly, write-offs that exceed the threshold will be automatically routed to the appropriate finance manager or controller.