
Significant Deficiencies: How the “System” Undermines Secure and Compliant ERP Implementations and What Auditors Overlook
Blog article by Jeff Hare

Having been in this space for over 25 years, I have seen the good, the bad, and the ugly. The deck is stacked against a secure and compliant ERP system implementation. Most publicly traded organizations implementing a new ERP system will likely have one or more “Significant Deficiencies” in the first year that should be reflected in audit findings. However, auditor ignorance often prevents these from being recognized.
The Ongoing Gaps in Auditing Practices
The IIA and ISACA decided long ago to “move on” to hotter topics like AI, assuming financial and IT auditors know how to audit ERP systems. Our blog article, “Auditors Are Talking about Segregation of Duties Too Much!” illustrates just how untrue that assumption is. In fact, only a small percentage of audit teams know how to effectively audit ERP systems.
Over 20 years after the adoption of Sarbanes-Oxley, a massive gap remains. Auditors continue to ignore the lack of Control Performer Independence testing by management. I’ve attempted to communicate this to the PCAOB and, yet, I still hear that external auditors have not been effectively testing for the independence of the Control Performer. Some auditors have begun to warn their clients, starting in 2024, that “we are anticipating that the PCAOB will require this in the next year or two”, but the attitude remains that, until then, nothing needs to change.
So, if you are implementing a new ERP system in 2025 – buyer beware…
Recognizing Biases that Lead to Ignorance of Significant Deficiencies
There are significant biases in these industries that are fighting against a secure and compliant implementation:
- ERP Software Development
- System Implementation
- Internal Audit / External Audit / Risk Management Consulting
- Cyber Security
You need to know that your ERP system was, almost assuredly, inadequately developed to address compliance, cyber security, and data security requirements.
You need to know that most System Integrators will not bid a full implementation that provides you with a Secure and Compliant system at go live.
You need to know that your internal auditors, external auditors, and risk advisory firms alike may not uncover these issues prior to going live due to their ignorance of the gaps left behind by your ERP software firm and system implementation partner. This ignorance is all that stands between you and Significant Deficiencies.
Need some proof? E-Business Suite still has Significant Deficiencies in its controls. For instance, just one FUNCTION, one PROFILE OPTION, or one CONFIGURATION could completely undermine your journal entry controls. Additionally, SQL injection risks can grant users unwanted access to sensitive data and system functions. These examples cover only a fraction of the risks in only one ERP system. Imagine the other dangers lurking in the shadows!
Education as the Key to Successful ERP Implementations
So, what’s the solution? Knowledge is power, and one way we can change these systemic issues is through education. If you are an executive implementing a new ERP system, we would like to offer you a free course. The ERP Armor: Learning course, Systemic Issues in ERP Software, System Integrators, and Audit Industries, is available at no charge. It goes into depth on the systemic biases you need to be aware of and address to have a chance at a ‘successful’ ERP implementation.
Fill out the form here, and we will gladly enroll you in the course for free.
If you want a higher degree of certainty about the completeness and accuracy of your security and controls program during your ERP system implementation, let’s talk.
Book a free 30-minute call with me here.