ERP Access Controls and Risk Advisory Services – a Cut Above Without the Additional Cost
Blog Article by Jeff Hare
Application Access Controls form the foundation of your control environment in your ERP system. However, these new SaaS systems have become quite complex, and organizations tend not to have a program to develop and manage these controls. This is why more and more organizations are partnering with outside advisory firms to help. So, what are your options?
Most advisory firms, from the Big 4 accounting firms to tier 2 providers, tend to use an approach we like to call “Land and Expand.” These firms like to start out charging $40k to $100k for a single scan to assess the health of a client's system. Additional fees can be added to make improvements, and there is usually a continued string of projects following.
There is another option. This is why ERP Risk Advisors created ERP Armor: an annual subscription starting as low as $15k to $40k per year for “unlimited use” software and content. Our risk content is made up of Licensing, Roles, Rules, and Learning designed to help reduce licensing cost and identify, manage, educate on, and mitigate risk in ERP systems. We provide access to highly skilled US resources with experience in most ERP systems including ERP/HCM Cloud, Workday, NetSuite, Dynamics, E-Business Suite, SAP, and any other COTS or custom ERP systems. In addition, we have built relationships with some of the best Access Control software companies and can seamlessly deploy our content on their platforms.
What has changed? Perpetual Patching of SaaS Applications
Management has a new set of challenges with SaaS software. SaaS software providers typically patch their systems two to four times per year. As they introduce change, organizations need to re-evaluate their access controls. In a SaaS application world, one could never afford to have the big guys manage their access controls for every quarterly or semi-annual patch. The price would be astronomical! Yet management SHOULD be evaluating access controls each time a patch/release is applied to an environment.
Our bundled approach comes with unlimited risk advisory services related to:
- Segregation of Duties (SoD) and Sensitive Access (SA) comprehensive rulesets
- Application access controls / role design feedback
- Suggested remediation of roles related to risks (remediation not included)
- Depending on ERP Armor level, standard custom roles library
- Audit preparation related to what SoD/SA rules are in scope – tied to the ITGC / ITACs in the RACM.
- Updates to the ERP Armor: Rules with each patch/release based on new abilities added by the software provider and new customizations.
- Quarterly calls to discuss what is new in ERP Armor and any outstanding remediation identified.
- Mapping of customizations to risks – and building of sensitive access and SoD conflicts.
- No need for any Statement of Work for the above services ever again as these services are covered in the ERP Armor annual subscription.
- Access to relevant ERP Armor: Learning courses and licensing reporting
If you are interested in a cut above approach and partnership, perhaps now is the time to consider the lower cost and higher quality option offered by ERP Risk Advisors. Book a time with me here to learn more about how ERP Armor and our bundled solutions can help your organization.