There is truth to this statement; ERP systems are intended to help make your organisation more efficient and effective with built-in controls that prevent erroneous or invalid transactions from taking place. Your organisation has already invested considerable resources in implementing controls and maintaining your ERP systems, so building the case for additional control monitoring can be challenging. The myth here is that your ERP’s embedded system controls eliminate risk and the controls are 100% effective.
ERP controls are not designed to prevent fraud. No control is foolproof, and worse yet, the stricter your ERP controls become, the greater the risk of employees seeking workarounds simply to get their jobs done. Consider the common case where a purchase order (PO) and a goods receipt are both required before payment can be issued against an invoice. If goods are delivered where no PO exists, nothing stops someone from requesting a PO with a few calls. The new PO meets your control criteria for issuing a goods receipt, which in turn kicks off the payment process. Your ERP might be happy, but your business processes are open to exploitation. Continuous control monitoring helps to reveal where your business processes are being undermined. Workarounds are just one risk; also consider these other common risk exposures in your ERP system:
Missed controls from your initial implementation, control settings that weren’t enabled on implementation, or controls that are out-of-date with new policies. Keeping your ERP controls up-to-date is like playing a frustrating game of whack-a-mole. Although your processes may have been standardized with embedded controls, you risk losing your system’s additional complexities.
Multiple ERP systems or instances can hide weaknesses and control gaps. The result is data mismatches and errors that make reconciliation a challenge for year-end reporting. This scenario can lead to challenges in enforcing segregation of duties, increasing potential for fraud, waste and abuse.
Data entry errors not caught by controls. These errors are almost impossible to eliminate, leaving you open to undetected fraud and errors impacting your bottom line. However, these are easily caught by control monitoring.
Your ERP system implementation is part of a shared service implementation and likely does not take your organization’s unique policies and processes into account.
Abuse of policies that can't be detected by point-in-time checks in ERP configuration controls. For example, if you have a policy that receipts are not required for purchases under R200, each of these transactions appears valid at the time it is made, but monitoring their trends and frequency over time can indicate patterns of abuse.
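
The two monitoring checks described above (a PO raised only after goods have arrived, and repeated receipt-less purchases just under R200) can be sketched as follows. This is an added example, not code from the original article or from any ERP product; the record fields, sample data, and the tuning values `band`, `min_count` and `window_days` are assumptions.

```python
from collections import defaultdict
from datetime import date

RECEIPT_LIMIT = 200.0  # "no receipt required under R200" policy from the text

# Constructed sample data; field names are assumptions, not a real ERP schema.
POS = [
    {"po": "PO-1", "po_created": date(2024, 3, 1), "goods_delivered": date(2024, 3, 5)},
    {"po": "PO-2", "po_created": date(2024, 3, 9), "goods_delivered": date(2024, 3, 4)},
]
CLAIMS = [  # (employee, date, amount in rand, receipt attached?)
    ("E1", date(2024, 3, 2), 195.0, False),
    ("E1", date(2024, 3, 9), 199.0, False),
    ("E1", date(2024, 3, 20), 190.0, False),
    ("E2", date(2024, 3, 3), 50.0, False),
    ("E2", date(2024, 3, 8), 198.0, False),
    ("E3", date(2024, 1, 5), 199.0, False),
    ("E3", date(2024, 3, 5), 199.0, False),
    ("E3", date(2024, 5, 5), 199.0, False),
]

def after_the_fact_pos(pos):
    """POs raised only after the goods had already arrived (the workaround)."""
    return [p["po"] for p in pos if p["po_created"] > p["goods_delivered"]]

def sub_threshold_clusters(claims, limit=RECEIPT_LIMIT, band=0.10,
                           min_count=3, window_days=30):
    """Employees with min_count+ receipt-less claims just under the limit
    inside any window_days span. band, min_count, window_days are assumed
    tuning values, not figures from the text."""
    by_emp = defaultdict(list)
    for emp, day, amount, has_receipt in claims:
        if not has_receipt and limit * (1 - band) <= amount < limit:
            by_emp[emp].append(day)
    flagged = {}
    for emp, days in by_emp.items():
        days.sort()
        for i, start in enumerate(days):
            n = sum(1 for d in days[i:] if (d - start).days < window_days)
            if n >= min_count:
                flagged[emp] = max(flagged.get(emp, 0), n)
    return flagged

if __name__ == "__main__":
    print("after-the-fact POs:", after_the_fact_pos(POS))
    print("sub-threshold clusters:", sub_threshold_clusters(CLAIMS))
```

Each flagged transaction passes the ERP's own point-in-time control; only the comparison across records and over time surfaces it for review.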