ERP Risk Advisors’ 2024 New Year’s Resolutions [Resovolutions]

in Blog Article by Jeff Hare

Everyone loves setting New Year’s Resolutions. Given my history of having a heart attack in 2019, I encourage you to set goals around eating healthy and consistent exercise.

You could say I’ve been around the block a few times, having spent 25+ years in the ERP applications space as a client, consultant, auditor, and running ERP Risk Advisors. I have seen the good, the bad, and the ugly.

At ERP Risk Advisors we have coined a new phrase – Resovolution. A Resovolution is a combination of a Resolution and a Revolution (feel free to add the word Resovolution to your Microsoft Office dictionary as you will be seeing a lot of it this year in our newsletters 😉). Our Resolution for 2024 is to start a Revolution of change that sees people, processes, and technology mature such that risk is better identified, managed, and mitigated.

There are four major industries that have systemic flaws in them allowing for risk to be poorly managed: ERP software, System Integration, Cyber security, and Auditing. ERP Risk Advisors’ RESOLUTION for 2024 is to create a REVOLUTION in these industries. Get on board with the RESOVOLUTION yourself. Don’t miss this train!

Here are some of the systemic issues within these industries that I will be addressing in the upcoming year:

ERP Software:

  • Software is often released before it is fully mature

  • Software is built with inadequate logging to support security and compliance requirements – inserts, updates, deletes, views, etc.

  • Logging is not retained for a sufficient amount of time to meet compliance requirements

  • Although roles are built to meet their job requirements, they are often significantly overprovisioned, not built for all organizations (since organizations inherently have different business processes and requirements), and not tied to specific jobs or positions (an essential element of RBAC principles)

System Integration:

Some SIs get leads from the ERP software providers and are afraid to reveal the warts in the applications for fear of losing the referrals from the software company.

Furthermore, most SIs have a proposal response strategy that does not consider all the work that management needs; thus, a complete implementation is often not bid. The following are examples of activities not covered by the SI and needed by management:

  • P2T/T2T processes

  • Data protection in non-production environments

  • Processes to manage patch cycles

  • Supplementing the logging of inserts, updates, deletes

  • Retention of logging needed for compliance and security requirements

  • Full training documentation / job aids

  • Integrating logs into SIEM processes

  • Monitoring cyber security risks

  • Implementation of Access Control monitoring software

  • External Audit / Internal Audit preparation

  • Internal Audit Training

  • Workflow walkthroughs

Cyber Security:

  • For some organizations, SaaS applications are not analyzed because the “perimeter” and significant administrative privileges are “covered” by the SOC report.

  • The industry is focused on securing the perimeter from external threats and implementation of malicious code, but it does very little to nothing to help management evaluate internal threats including those related to fraud, data theft, and malicious code.

  • Application role design is not typically evaluated for cyber risks including what users and roles have elevated / admin privileges.

Auditing (External / Internal Auditors):

  • Audit methodology often ‘scopes out’ in-scope systems because of the perceived simplicity of the software.

  • Auditors often fail to properly identify and assess risks associated with the unique properties of each ERP system they audit.

  • Auditors fail to test whether control performers have the ability to execute the activities they oversee, a test needed to evaluate whether the control performer’s independence is compromised.

  • Application access control testing is not tied back to specific risks and IT-dependent controls.

  • Application security risks are not tested for all in-scope systems.

Stay tuned for more on these topics throughout 2024. And hold on to your seat because this Risk Resovolution is going to ruffle some feathers.
