Why ERP Implementations Fail: UNBIASED (2 of 6) When embarking on a Digital Transformation Project, management strives to avoid becoming a headline in the news due to significant cost overrun or Significant Deficiencies in their first external audit after going live. In this six-part article series we are exploring the six systemic biases working against a successful ERP Implementation. In the first article, […] April 1, 2025
Significant Deficiencies: How the “System” Undermines Secure and Compliant ERP Implementations and What Auditors Overlook Having been in this space for over 25 years, I have seen the good, the bad, and the ugly. The deck is stacked against a secure and compliant ERP system implementation. Most publicly traded organizations implementing a new ERP system likely will have one or more “Significant Deficiencies” in the first year that should be […] February 25, 2025
Why ERP Implementations Fail: UNBIASED (1 of 6) We are witnessing the greatest digital transformation ever as organizations are moving from legacy ‘on-premise’ ERP systems to cloud-based ERP systems (SaaS applications). Though management is investing millions into the implementation of these SaaS applications, experts estimate that up to 90% of them fail. Why? Because “success” isn’t always about going live on time, within […] January 31, 2025
Perpetual Patch Cycles Define Today's Digital Revolution for SaaS Applications A digital revolution is upon us! We are witnessing the greatest digital transformation since Y2K thanks to perpetual patch cycles within SaaS Applications. Organizations are ridding themselves of building and managing data centers by moving their legacy applications to hosted data centers, and thus moving many of their legacy applications to modern SaaS applications. Some […] November 27, 2024
Why Identity and Segregation of Duties Are the New Perimeter Managing identity has become one of the most critical elements of enterprise security in today’s complex digital environment September 30, 2024
3 Billion Reasons To Do More Than Just Secure The Perimeter Most organizations have mature processes and controls related to preventing a breach on their internal systems – what we refer to as “securing the perimeter.” August 23, 2024
Auditors Are Talking about Segregation of Duties Too Much! Having been in the Security and Controls space for far too long, I have witnessed and am still witnessing a phenomenon that needs to be addressed. Auditors talk WAY too much about Segregation of Duties. Hear me out… In testing access controls, auditors spend way too much time assessing risks related to SoD and far […] July 31, 2024
Top 4 Reasons You Need THIS Cyber Security Approach From our Cyber Security technical expert, Connor Thompson, CIA CISA In the Software as a Service (SaaS) world, cyber security risks extend far beyond traditional perimeter defenses and malware protection. Today, a strong cyber security strategy for SaaS environments must encompass a multi-faceted approach. This includes strong authentication methods, user training against social engineering attacks, […] June 28, 2024
The Irony Related in Oracle’s Latest Article on Cybersecurity There’s a Lack of Native MFA in ERP/HCM Cloud. Oracle released this article in March highlighting the top cybersecurity threats and how to prevent them. In the article, they highlight the number one risk as “Business Email Compromise (BEC).” The article states “BEC is a type of phishing attack. Other phishing scams try to trick […] May 29, 2024
Top 3 Tips for Resovolutions: Setting the Right Objectives The Why Behind Our Tips In the following article, I make the case for why these top 3 tips are crucial action steps for your organization. We call it “turning resovolutions into action.” For 25+ years I have been watching ERP (Enterprise Resource Planning) implementations go live that are half-baked at best. This has created […] March 28, 2024
A Revolution of Resovolutions Part of our 2024 Resovolutions is to revolutionize the way organizations identify, manage, and mitigate risk in their ERP systems. Application security design and management risks produce a significant, immature control within organizations. Management knows these risks are often not being managed properly. The benefits seem to outweigh the risks when you consider: The long-term cost […] February 28, 2024
ERP Risk Advisors’ 2024 New Years Resolutions [Resovolutions] Everyone loves setting New Year’s Resolutions. Given my history having a heart attack in 2019, I encourage you to set goals around eating healthy and consistent exercise (link to January newsletter story). You could say I’ve been around the block a few times, having spent 25+ years in the ERP applications space as a client, […] January 26, 2024
The Inner Struggle When Reality Hits: How Crisis Impacts Your Faith New Year – New Me…. In the new year, we like to focus on new goals, new aspirations, even “a new me”. But how do you face the new year when life’s inner struggles impact your mind? Having a traumatic, life-changing medical issue changes you and can challenge your faith in God. In March 2019, […] December 28, 2023
ERP Access Controls and Risk Advisory Services – a Cut Above Without the Additional Cost Application Access Controls form the foundation of your control environment in your ERP system. However, these new SaaS systems have become quite complex. And organizations tend not to have a program to develop and manage these controls. This is why more and more organizations are partnering with outside advisory firms to help. So, what are […] November 21, 2023
Bright Light Shines on Massive Failures of External Auditors with “Painful” Consequences The lack of maturity of external auditing procedures is finally attracting more of the attention it deserves. The US’s Public Company Accounting Oversight Board (PCAOB) and the UK’s Financial Reporting Council (FRC) are publicly challenging external auditors to improve their processes. Two Causes for Concern Emerge in One Month In October 2023, two articles emerged […] October 25, 2023
Lack of Software to Test Access Controls is Systemic and Why It Matters [Part 2] Part 2: In part 1 of this article series, I postulated that there is a systemic issue related to management override of controls. More concerning than the existence of this issue is that it isn’t being addressed by management or the audit community. This issue is systemic. Let’s discuss what changes we would need to […] October 23, 2023
The Impact of SEC Guidance Related to Cyber Risk for Organizations Using SaaS ERP Systems The latest U.S. Securities and Exchange Commission (SEC) guidance on Cyber Security risks has “Cyber” firms buzzing. Those that thought this would be the equivalent of Sarbanes-Oxley must have been seriously disappointed. There was no mandatory audit of Cyber risk included. The guidance requires companies “to disclose material cybersecurity incidents they experience and to disclose on […] August 28, 2023
Assessing AI (Artificial Intelligence) Risks & Controls Written By Fred Roth, CISA, Sr. Adjunct Lecturer at ERP Risk Advisors What is AI? Artificial Intelligence (AI) is fast, complex, and limitless. The risks and rewards are in the news daily. As with any new technology, security and controls lag technological growth. Who will assess the security and controls of this innovative technology for your […] July 27, 2023
Lack of Control Performer Independence Testing is a Systemic Issue and This is Why it Matters [Part 1] I recently wrote an article called Why Access Controls Must Be Tested for All In-Scope Systems and the feedback has been shocking. I have a decent network of auditors throughout external audit firms who regularly comment “off the record” when I am drafting or have published something. May 5, 2023
Cyber Risks Getting More Attention from Organizations Using SaaS Applications Organizations using SaaS Applications are encountering an increase in fraud risks that traditional cyber security firms are failing to recognize. Most organizations focus on protecting the perimeter and risks related to ransomware and data theft, leaving the organization vulnerable to attack in neglected areas. March 31, 2023
Why Access Controls Must Be Tested for All In-Scope Systems Sarbanes-Oxley and control design best practices require access controls be tested for every in-scope ERP system within an organization’s Risk and Control Matrix (RACM). While this may not be the standard for … March 22, 2023
FAA Failure: A Failure in IT Operations and Governance In early January, FAA software caused US flight operations to halt for several hours. For a summary of the software failure, see Adam Levin’s Bloomberg article “FAA Computer File Caused by People Who Damaged Data File”. February 15, 2023
PCAOB Change in Expectations Driving Increasing Scope for SOC Reports ERP software provides organizations with tremendous benefits including vast configurable processes and standard reports used for reporting on data. ERP software comes in two flavors: those that … March 8, 2022
A Story of Perseverance I did it! My redemption race is done. I AM AN IRONMAN!!! Two years, eight months and 20 days from my heart attack in the Oman 70.3 race, I completed my first full Ironman race in Arizona this past week. December 3, 2021
Another Elephant in the Room: “Institutional Bias” in the External Audit Community Last week I wrote a blog talking about how the System Implementation industry is biased against a “Complete and Secure” implementation. This week I’d like to address another elephant in the … April 7, 2020
Why the PCAOB and External Auditors Should be Concerned about Substantive-Only Audits This article is long overdue, but still one I have been dreading to release. I know the audit firms could come under significant additional scrutiny from regulators such as the PCAOB. However, there are … July 4, 2018