The Disrupter the Risk Advisory Industry Needs 

Blog article by Jeff Hare

Disruption has reshaped industries time and time again over the years.

Everyone understands how Uber revolutionized the yellow taxi model. Uber sparked competition from Lyft. Both have since faced competition from autonomous vehicle services such as Waymo. 

Think of iTunes taking over the radio industry—and then Spotify. 

Cell phones and texting overtook pagers. iPhones overtook BlackBerrys. 

Streaming services such as Hulu, Sling, Apple TV, Prime Video, and more have taken over traditional TV. 

Even Google searches are being challenged by AI tools such as ChatGPT. 

So, how does this relate to ERP risk management? 


The disrupter the risk advisory industry needs… ERP Risk Advisors is the “Uber” coming for the yellow taxi world. 

Within large firms there are teams that focus on IT controls, teams that focus on financial controls, and teams that focus on cyber security risks. Each of these teams looks at risks within its own lane only, which leads to a lack of collaboration and prevents a comprehensive view of the entire risk landscape.

Organizations are undergoing profound digital transformations. System administrators, database management, and application support are being outsourced. Data centers are moving to the cloud, and on-premise ERP systems are being replaced by SaaS solutions. Not to mention, the perpetual patch cycle, along with the exposure created by internet-facing applications, has completely altered the playing field. 

I once thought the Y2K digital transformation was a massive shift. However, in people, processes and technology, we are now rapidly evolving like never before.  


Where does this leave traditional risk advisory services in today’s era? 

Management needs a team. In traditional risk advisory services that team is made up of multiple teams.

The traditional approach to risk advisory services is a one-time assessment via a Statement of Work, followed by re-performing the tests as applications are patched. However, we now live in a perpetual patch cycle where software providers release quarterly and semi-annual patches. Those patches provide new functionality and changes to existing functionality, i.e. they introduce new risks that need to be identified, managed, and monitored.

Additionally, auditors are constantly missing these three critical reasons for why access controls must be tested.

Another major gap within and between systems is that internal and external auditors fail to identify processes. When ERP systems are being implemented, most testing focuses solely on whether users can do their job or not. In those scenarios, negative regression testing hasn’t been done to ask the question: 

“Does anyone have access to something they shouldn’t?” 

Believe it or not, negative regression testing IS NOT performed when most ERP systems are implemented. Typically, the only testing done when an ERP system is implemented is for the user to confirm they can do their job with the access they have. Typically, no one tests to see if users have access to things that aren’t required by their job function.

A Continuous, Holistic Approach 

Is your MIND BLOWN yet…???   

In our experience we have found the most secure formula for a successful implementation is to take a minimum of eighteen (18) months after ‘go live’ to mature the security and controls program. As this maturation process is happening, the software provider is implementing patches / releases quarterly or semi-annually. 

If you wait for the traditional approach to risk advisory services, your monitoring activities will always be two (2), three (3), or four (4) quarters behind. 

When an auditor asks, “Are you keeping current with the risks and new features being introduced by the software company?”, management cannot assert that they are until they have brought in their risk advisory firm for their annual updates.

ERP Risk Advisors has a new and better way… 

For the ERP applications we support, we analyze the patches / releases to identify the new entitlements (security objects) being introduced and understand the risks they present. 

In our Crawl, Walk, Run methodology, we meet you where you are and help you build a mature and secure ERP environment.

Our goal is to work with you to move from the Crawl to Walk to Run phase which can look different from organization to organization.  

What does the Crawl phase look like? 

Crawling starts with the proper design of roles and the development of mature joiner, mover, and leaver processes. For clients implementing a new ERP system—or redesigning roles post-go-live—we ensure access controls are not only efficient but also help manage software license consumption. The Crawl phase focuses on foundational controls that are often overlooked by traditional advisors. This allows stacked role combinations to be identified per person based on their job/position. Notably, implementing a mature security and controls program during an implementation is extremely rare. This lack of maturity is already the Achilles’ heel of most organizations, which is why we focus on the foundation before moving forward.

What does the Walk phase look like? 

As clients transition to the Walk phase, roles are mapped to jobs/positions and provisioning becomes automated. In this stage, we also begin the process of preparing your organization for audit readiness by analyzing your Risk and Controls Matrix to identify what Sensitive Access Risks and Segregation of Duties (SoD) conflicts need to be considered. 

Additionally, we confirm that the control performers are independent in their performance of the manual controls. We often find additional risks being added to your risk library and new controls being implemented. We also work with your CISO and security team to address cyber security risks that would otherwise be unlikely to be addressed.
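As an added illustration (not ERP Risk Advisors’ own tooling), the negative regression question from earlier, “Does anyone have access to something they shouldn’t?”, and the Walk-phase sensitive access and SoD analysis can both be expressed as set checks over a user-to-role-to-entitlement snapshot. All role, entitlement, user and rule names below are constructed for the example.

```python
# Constructed ERP access snapshot: roles grant entitlements (security objects).
ROLE_ENTITLEMENTS = {
    "AP_CLERK": {"AP_ENTER_INVOICE", "AP_VIEW_VENDOR"},
    "AP_SUPERVISOR": {"AP_APPROVE_INVOICE", "AP_VIEW_VENDOR"},
    "VENDOR_ADMIN": {"AP_MAINTAIN_VENDOR"},
    "SYS_ADMIN": {"SEC_MANAGE_ROLES", "AP_VIEW_VENDOR"},
}
# Stacked role assignments per user (bob and carol hold more than one role).
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "VENDOR_ADMIN"},
    "carol": {"AP_SUPERVISOR", "SYS_ADMIN"},
}
USER_JOB = {"alice": "AP Clerk", "bob": "AP Clerk", "carol": "AP Supervisor"}
# What each job/position actually requires; anything beyond this is excess.
JOB_ALLOWED = {
    "AP Clerk": {"AP_ENTER_INVOICE", "AP_VIEW_VENDOR"},
    "AP Supervisor": {"AP_APPROVE_INVOICE", "AP_VIEW_VENDOR"},
}
# Segregation-of-duties rules: no single user may hold both entitlements.
SOD_RULES = [
    ("AP_ENTER_INVOICE", "AP_APPROVE_INVOICE"),
    ("AP_MAINTAIN_VENDOR", "AP_ENTER_INVOICE"),
]
SENSITIVE = {"SEC_MANAGE_ROLES"}  # administrative access worth its own review

def effective_entitlements(user):
    """Union of entitlements granted through every role stacked on the user."""
    ents = set()
    for role in USER_ROLES.get(user, set()):
        ents |= ROLE_ENTITLEMENTS.get(role, set())
    return ents

def excess_access(user):
    """Negative regression test: entitlements the job function does not require."""
    return effective_entitlements(user) - JOB_ALLOWED.get(USER_JOB[user], set())

def sod_conflicts(user):
    """SoD rules whose entitlement pair is fully held by this one user."""
    ents = effective_entitlements(user)
    return [rule for rule in SOD_RULES if set(rule) <= ents]

def sensitive_access(user):
    """Sensitive (administrative) entitlements the user holds."""
    return effective_entitlements(user) & SENSITIVE

def access_report():
    """One (excess, SoD conflicts, sensitive) finding tuple per user for a review."""
    return {u: (excess_access(u), sod_conflicts(u), sensitive_access(u))
            for u in USER_ROLES}
```

Re-running the same report after each patch, with the new entitlements added to ROLE_ENTITLEMENTS and JOB_ALLOWED, is what keeps the review from falling quarters behind.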


What does the Run phase look like? 

Clients start to “Run” when management becomes proactive at managing risk in the following processes: 

  • User Access Reviews / Re-Certifications 
  • Role Change Management 
  • Patch Change Management 
  • Development Change Management 
  • Cyber Incident Risk Analysis 
  • Testing the Independence of Controls Performers 
  • Lookback Procedures 

The goal in an operationally mature organization is to manage joiners, movers, and leavers, and to address segregation of duties conflicts, sensitive access risks, and administrative access.

However, without the right partner to help identify, maintain, and support your software, you are most likely never going to reach the maturity of the Run phase. 

Why ERP Risk Advisors 

Large risk advisory firms have three different teams that focus on financial controls, IT controls, and cyber security controls. We have one engagement team that addresses all three of these control types. We evaluate new risks and the maturity of your security and controls program with expertise in the specific ERP systems you are using.

What about customizations? 

We address risks holistically from the perspective of the CFO / CAO, CIO, CISO, and CAE. For applications that allow custom development, we work with management to add these new entitlements into your assessment process going forward. 

At ERP Risk Advisors we are proud to have one team that will identify your risks related to compliance, cyber security (for your SaaS applications), fraud, data security, and operational risks.   

If you are frustrated with an IT audit team, a financial audit team, and a separate cyber security team, maybe it is time to say goodbye to the yellow taxi era.   

If you would like to know more about how we can help you Get Clean and Stay Clean through our Crawl, Walk, Run methodology, book a call with our team of experts by emailing support@erpra.net
