Friday, October 2, 2009

Three Ways ERP Can Help Manage Risk and Prevent Fraud

Business is all about taking risks. But intelligent managers know how to manage risks, thus preventing accidental losses as well as other operational, financial, and strategic risks—including fraud.

To manage business risks with technology, we must first understand and prioritize the risks a specific business faces, then understand how IT can help that business, and finally understand how those risks intersect with the IT systems the business may already have in place.

One risk within your business may stem from operating in an e-commerce environment. In that case, you want to know how IT is supporting the Web portal. Do people simply view a catalog, or do they order online and log back into your system later to view their order status? How does that portal tie in with your back-end systems and business data?

Or maybe you have multiple business units, several running on a top-tier enterprise resource planning (ERP) system like IFS Applications. But a Mexican unit is still running a homegrown application, passing its data to you in spreadsheets modified to reflect currency exchange. The manual processes involved in this data transfer and data alteration represent a business risk that could be mitigated by the built-in security features of an ERP system.

So, while technology might be designed to assist in risk management, that technology must still be configured and used intelligently to deliver this business benefit.

Indeed, intelligent use of an ERP system can not only help ensure compliance with legal requirements and accounting rules, but it can also help prevent fraud. An ERP application and its user permissions settings can prevent theft. Aggressive and intelligent use of an ERP system's safeguards can save time during auditing. Properly configuring an ERP application can help protect your company from fraud and costly corporate mistakes in a number of ways. Following are three practical approaches a business can take to protect its assets through its ERP system.

1. Use a top-down approach to identify risks.

Business risk management requires a top-down approach. Senior management often focuses its efforts on creating competitive advantages and might not see one in spending extra money on compliance. But even companies not immediately affected by regulations like the US Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) of 1996 can benefit from applying some of the principles required for compliance to their business. Efforts to comply with basic data security and risk prevention guidelines can even further reduce the risk of financial loss through administrative mistakes or fraud. The specific steps necessary to ensure compliance with these guidelines will differ from one company or business model to the next, but any company needs to pay attention to such basics as good financial statements, data security, privacy, and housing of key information—and how that information affects things like ensuring accurate financial reporting.

Part of this top-down approach involves identifying what information is key to your business. For a manufacturer, this data might consist of accounting, payroll, and health insurance information, plus things like physical plant assets and inventory. In contrast, a professional services environment is much simpler, with key information consisting of things like customer service and payroll data, and with the only other real assets consisting of phones and perhaps leased office space.

Of course, this information comes from the heart of a business: its key business processes, or the mechanisms by which resources flow in and out of the company. When these processes differ, they present different risks. A company selling a small number of high-value products (industrial equipment, for instance) to a small number of customers faces a very different risk profile than a company selling hundreds of thousands of items to a large number of customers.

A company serving a smaller number of customers with very high-value products needs to make sure that only authorized people are able to set up new customers in their accounting systems. Consequently, the company must be careful to ensure that payment terms, credit limits, and other controls are set up properly.

However, the customer creation process will not be a critical control point for a company with a higher volume of customers and lower value per sale. It is important to understand your business flow and transaction volumes and the implications for relationships with your trading partners. An ERP system can be an excellent tool for formalizing processes for setting up new customers, and perhaps more importantly for setting up supplier relationships in your systems.

Surprisingly, many companies with powerful ERP packages in place circumvent those controls by using Microsoft Excel more than they say they do. Unmonitored use of Excel and other tools outside of an enterprise application may be of special concern during and after mergers and acquisitions. In a merger situation, a company must determine the maturity of the acquired company's IT tools and processes, and how best to integrate them into the existing systems. But at least during an interim period, the primary means of transferring information from the systems of the acquired company to its new parent may be unsecured spreadsheets.

Even without the challenges of mergers and acquisitions, a business might use outside tools like Hyperion as part of its reporting routines. Any time that tools outside an enterprise application are used, you need to ask how your data transfer methods can ensure completeness and accuracy in your business processes as data flows between two or three—or maybe more—separate and distinct systems. Using ad hoc tools like Excel—tools without a lot of built-in controls—means it's harder to guarantee data integrity. Taking measures to reduce alterations to your data outside of the ERP system makes a huge difference not only in preventing incorrect or fraudulent activity, but in streamlining your processes before an audit.

2. Harness the general user controls in your application.

Even when a company keeps 80 percent of its information in a top-tier ERP system and minimizes risks resulting from the use of ad hoc tools, it may not be familiar with the capabilities of its ERP system and how that system can be configured for risk management. Often, these capabilities are overlooked during implementation because risk management was not a main deliverable in the project proposal—and of course the company isn't anticipating an audit or attempted fraud. Because risk management can take a backseat to other deliverables, it's important for project managers and consultants to act as advocates and encourage people to consider three main risk management areas during ERP planning and implementation:

i) Prevent mistakes and fraud through role-based security. This is an ERP feature not everyone understands. You must ensure the right people are assigned to the right activities and prevented from engaging in the wrong activities. Generally, this requires a separation of powers, as you don't want to allow one person to complete every activity within a business cycle—whether that cycle is orders-to-cash or purchase-to-pay. For instance, if a single person can create a supplier, create a purchase order for that supplier, purchase the product, and cut and send a check, how do you ensure that person's cousin doesn't suddenly become a supplier? If that person also has access to inventory records, he or she could make an adjustment to inventory to hide the fact that a product from his or her imaginary supplier was never received. A physical inventory count would never catch it: the company would have paid for the imaginary product, and the perpetrator could adjust the discrepancy out of the records before anyone detects it. Some enterprise applications simplify identification and elimination of role-based security risks (see figure 1).

Figure 1. Segregation of duties analysis (provided by IFS North America).

Even some companies that attempt to segregate all the necessary functions to deliver role-based security still employ a financial clerk. This clerk can perform a number of tasks for accounts receivable, accounts payable, general ledger, and inventory adjustments. This violates a number of rules of financial segregation, despite the fact that the company is using a major ERP system designed to deliver financial segregation and role-based security, and in some cases separates those duties in other positions.

Correctly segregating duties to manage risk requires analysis of a company's key business cycles to identify which administrative roles need to be separate and distinct. This is not as simple as it sounds: in a small or midsized department, three people may have different roles in the company, but they are also each other's back-up. As each employee goes on vacation or takes sick leave, others assume the absent employee's duties, often with help from a system administrator. When the employee returns to the office, often there is not a process in place to remove the system permissions. Without diligent attention to assigning and managing these user permissions, before long, role-based security disintegrates.

Role-based security must be built into an application, defined and configured during implementation—and then maintained.
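The two problems described above, toxic combinations of duties inside a single user's roles and backup permissions that outlive the vacation they were granted for, can both be caught by a periodic review of role assignments. The following Python script is an added example, not code from the original post or from IFS Applications: the role names, permission strings, the purchase-to-pay conflict rules, and the user records are all constructed for illustration, and a real review would read the equivalent data out of the ERP's security tables.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Constructed role catalogue (assumption: not the real role names of any ERP).
ROLE_PERMISSIONS = {
    "purchasing_clerk": {"supplier.create", "po.create"},
    "receiving_clerk": {"goods.receive"},
    "ap_clerk": {"invoice.enter", "payment.release"},
    "ap_supervisor": {"payment.approve"},
    "inventory_controller": {"inventory.adjust"},
    # The "financial clerk" catch-all role the article warns about.
    "financial_clerk": {"invoice.enter", "payment.release",
                        "gl.post", "inventory.adjust"},
}

# Toxic combinations for the purchase-to-pay cycle: no single person should
# hold every permission in any one of these sets.
SOD_RULES = [
    ("create supplier and pay it", {"supplier.create", "payment.release"}),
    ("create PO and approve its payment", {"po.create", "payment.approve"}),
    ("receive goods and adjust inventory", {"goods.receive", "inventory.adjust"}),
    ("pay supplier and adjust inventory", {"payment.release", "inventory.adjust"}),
]


@dataclass
class Grant:
    role: str
    # Date the grant was supposed to be removed (None = permanent assignment).
    # The ERP itself does not enforce this; it is the administrator's note.
    until: Optional[date] = None
    reason: str = ""


@dataclass
class User:
    name: str
    grants: List[Grant] = field(default_factory=list)


def effective_permissions(user: User) -> set:
    """Every permission the user currently holds, regardless of any
    'until' date, because the system keeps the grant until someone revokes it."""
    perms = set()
    for g in user.grants:
        perms |= ROLE_PERMISSIONS[g.role]
    return perms


def find_sod_conflicts(users: List[User]):
    """Return (user, rule label) pairs where one user holds a toxic combination."""
    findings = []
    for u in users:
        perms = effective_permissions(u)
        for label, combo in SOD_RULES:
            if combo <= perms:
                findings.append((u.name, label))
    return findings


def find_overdue_grants(users: List[User], today: date):
    """Temporary (backup) grants whose removal date has passed but which are
    still assigned: the vacation-cover problem the article describes."""
    return [(u.name, g.role) for u in users for g in u.grants
            if g.until is not None and g.until < today]


def revoke_overdue_grants(users: List[User], today: date) -> int:
    """Remove overdue grants in place; returns how many were removed."""
    removed = 0
    for u in users:
        keep = [g for g in u.grants if g.until is None or g.until >= today]
        removed += len(u.grants) - len(keep)
        u.grants = keep
    return removed


# Constructed sample: alice covered for bob in September and kept the role.
TODAY = date(2009, 10, 2)
USERS = [
    User("alice", [Grant("purchasing_clerk"),
                   Grant("ap_clerk", date(2009, 9, 15), "backup for bob")]),
    User("bob", [Grant("ap_clerk")]),
    User("carol", [Grant("receiving_clerk"), Grant("inventory_controller")]),
    User("dan", [Grant("ap_supervisor")]),
    User("eve", [Grant("financial_clerk")]),
]

if __name__ == "__main__":
    for name, label in find_sod_conflicts(USERS):
        print(f"SoD conflict: {name} can {label}")
    for name, role in find_overdue_grants(USERS, TODAY):
        print(f"overdue backup grant: {name} still holds {role}")
```

Run as a monthly job, the two reports give the administrator a concrete revocation list and a list of users whose roles need redesign; note that eve's conflict comes from a single role, so no revocation fixes it and the role itself must be split.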

ii) Implement detective as well as preventive controls. Sometimes a company's administrative staff is too small to segregate roles with enough granularity to truly benefit from role-based security; or, it may operate in too complex a manner to make role-based security practical. But even when good preventive controls such as role-based security are in place, it is critical that a company can monitor employees' access to its business systems, and track what they do with that access.

Let's say that according to your role-based security schema, an individual can create customers in the system, but normally does not set up a whole customer record, leaving some of the work for others. It makes sense to monitor this individual on a monthly basis to track that key activity (see figure 2). Another way detective controls can be useful is when double approval of checks is required. The system may have to be altered when the president, for instance, is out of the office. But when the president returns, he or she can review a log to see what checks were cut in his or her absence.
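Both detective controls in the paragraph above amount to running a few queries over the application's activity log. The Python below is an added example, not code from the original post or from any ERP vendor; the log format, event names, user names and the constructed log lines are assumptions made for illustration. It flags customers that one person set up end to end in a given month, checks released without the required two distinct approvers, and checks released during a window in which the normal approver was away, for that approver to review on return.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Constructed activity log: "<ISO timestamp> <user> <action> <object id>".
LOG_LINES = """
2009-09-02T09:10:00 alice customer.create CUST-1001
2009-09-02T09:12:00 alice customer.set_terms CUST-1001
2009-09-02T09:14:00 alice customer.set_credit_limit CUST-1001
2009-09-05T11:00:00 alice customer.create CUST-1002
2009-09-05T14:30:00 bob customer.set_terms CUST-1002
2009-09-05T14:35:00 bob customer.set_credit_limit CUST-1002
2009-09-10T10:00:00 dan check.approve CHK-500
2009-09-10T10:05:00 pres check.approve CHK-500
2009-09-10T10:06:00 carol check.release CHK-500
2009-09-16T10:00:00 dan check.approve CHK-501
2009-09-16T10:01:00 carol check.release CHK-501
2009-09-17T15:00:00 dan check.approve CHK-502
2009-09-17T15:02:00 frank check.approve CHK-502
2009-09-17T15:03:00 carol check.release CHK-502
""".strip().splitlines()

# Steps that together make up a complete customer record (assumption).
CUSTOMER_SETUP_STEPS = {"customer.create", "customer.set_terms",
                        "customer.set_credit_limit"}


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    obj: str


def parse_log(lines: List[str]) -> List[Event]:
    events = []
    for line in lines:
        ts, user, action, obj = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, action, obj))
    return events


def end_to_end_customer_setups(events, year: int, month: int) -> dict:
    """Customers for which a single user performed every setup step in the
    given month: the 'one person set up the whole record' signal."""
    steps = defaultdict(lambda: defaultdict(set))  # customer -> user -> actions
    for e in events:
        if e.action in CUSTOMER_SETUP_STEPS and (e.ts.year, e.ts.month) == (year, month):
            steps[e.obj][e.user].add(e.action)
    return {cust: user
            for cust, by_user in steps.items()
            for user, actions in by_user.items()
            if actions == CUSTOMER_SETUP_STEPS}


def approvers_before_release(events) -> dict:
    """check id -> set of distinct approvers recorded before its release."""
    approvers = defaultdict(set)
    released = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.action == "check.approve" and e.obj not in released:
            approvers[e.obj].add(e.user)
        elif e.action == "check.release":
            released[e.obj] = e.ts
    return {chk: approvers[chk] for chk in released}


def under_approved_releases(events, required: int = 2) -> List[str]:
    """Checks released with fewer than the required number of approvers."""
    return sorted(chk for chk, who in approvers_before_release(events).items()
                  if len(who) < required)


def releases_during(events, start: datetime, end: datetime) -> list:
    """Checks released inside [start, end] with their approvers, for the
    returning approver's review (the president's absence in the article)."""
    approvers = approvers_before_release(events)
    return sorted((e.obj, sorted(approvers[e.obj])) for e in events
                  if e.action == "check.release" and start <= e.ts <= end)


if __name__ == "__main__":
    ev = parse_log(LOG_LINES)
    print("end-to-end customer setups:", end_to_end_customer_setups(ev, 2009, 9))
    print("released with one approver:", under_approved_releases(ev))
    away = (datetime(2009, 9, 15), datetime(2009, 9, 20, 23, 59))
    print("released while president away:", releases_during(ev, *away))
```

The review is only as good as the log: the monthly customer-setup report assumes the application records every step as a separate event, and the absence report assumes the delegate's approval is logged under the delegate's own account rather than the president's.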

Figure 2. Activity and event tracking (provided by IFS North America).
