Why Fully Customized Roles Are Critical in ERP Implementations

by Jeff Hare

We are witnessing the most significant digital transformation in global history – surpassing the massive Y2K tech boom. This shift is largely driven by evolving cyber security risks in our work-from-home era and by the modernization of business processes.

Do organizations pursue ERP implementations to reduce costs? That’s not always the outcome. With the shift to subscription-based ERP pricing models, many organizations are now paying more than they did under legacy perpetual license models.

But cost isn’t the only concern. The success rate of delivering projects on time, on budget, and with the promised functionality is low. Outcomes often include project delays, cost overruns, and reduced functionality compared to what was originally planned. To the C-Suite making these decisions – buyer beware… 

28+ Years of Lessons Learned 

Over nearly three decades, I have seen the good, the bad, and the ugly. I have been on almost all sides of this industry.  I’ve been a client, a consultant, and a subject matter expert (SME) in the post-SOX audit world. 

One biblical truth stands firm: Ecclesiastes 1:9 says, “What has been, will be again, what has been done, will be done again; there is nothing new under the sun.” If you think ERP projects today are more predictable, more successful or more cost-effective, I have a bridge to sell you.

Why Fully Customized Roles are Non-Negotiable 

At ERP Risk Advisors, we are experts in ERP security and controls, delivered through our assessments, risk content, and managed services. We advocate that organizations implementing a new ERP system use only fully customized roles.

Here’s Why: 

1. Seeded Roles Are Overprovisioned

These out-of-the-box (or “seeded”) roles are designed for ease of implementation, which means users end up with activities that are not appropriate for their job function. These overprovisioned roles create risks for compliance, cyber security, fraud, data security, and operational efficiency. Seeded roles are not based on the principle of least privilege, nor do they address common Segregation of Duties (SoD) conflicts within roles. Most commonly, users are assigned multiple roles, which compounds these risks. Fully customized roles remove unwanted and risky entitlements and ensure only least-privilege roles are assigned, minimizing SoD conflicts.

2. License Optimization

In many ERP systems, licenses are consumed when a user is assigned certain entitlements – even if they never use them. Seeded roles almost always trigger license overages and unexpected usage that vendors can later audit. Some software providers regularly snapshot your environment and may use that data in future audits. Customizing roles lets you ‘license optimize’ them by stripping out the entitlements tied to licenses your organization isn’t paying for, so you only consume what you’ve paid for—nothing more.

3. Protection from Patches and Upgrades 

Using seeded roles means those roles will be automatically updated with every patch or release. That sounds good—until your roles gain new entitlements you didn’t ask for, potentially introducing:  

  • New SoD conflicts 
  • Inappropriate access  
  • Audit exposure 

This perpetual patch cycle MUST be managed. When a patch or release is applied, management needs to be aware of which roles CAN be impacted by the patch. Then, for those that are impacted, management needs to evaluate whether the updates are appropriate for all users AND make sure that no new SoD conflicts are being introduced. For most organizations, this means executing a process during the patch / release cycle to test all Sensitive Access risks and Segregation of Duties conflicts to make sure nothing crept in by accident. With fully customized roles, you maintain full control. These roles won’t be touched during upgrades, so there is no need to retest or scramble during tight upgrade windows (like Oracle’s two-week Fusion Cloud patch window). This saves time, money and stress.
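The patch check described above, together with the point from section 1 that SoD risk compounds when a user holds several roles, is easy to make concrete. The following is an added example, not ERP Risk Advisors’ tooling and not any vendor’s API: it diffs role entitlements captured before and after a patch, checks roles and each user’s combined assignment against an SoD rule set, and reports only the conflicts that crept in. All role, entitlement, user and rule names are constructed for illustration.

```python
# Added example (not ERP Risk Advisors' tooling): diff role entitlements across a
# patch and flag SoD conflicts, including those that arise only when a user's
# roles are combined. Every name below is constructed for illustration.

# Constructed SoD rule set: pairs of entitlements one person should not hold.
SOD_RULES = {
    frozenset({"CREATE_SUPPLIER", "PAY_SUPPLIER"}),
    frozenset({"ENTER_JOURNAL", "POST_JOURNAL"}),
}

# Constructed role snapshots taken before and after applying a vendor patch.
ROLES_BEFORE = {
    "AP_CLERK":      {"ENTER_INVOICE", "CREATE_SUPPLIER"},
    "AP_MANAGER":    {"APPROVE_INVOICE", "PAY_SUPPLIER"},
    "GL_ACCOUNTANT": {"ENTER_JOURNAL"},
}
ROLES_AFTER = {
    "AP_CLERK":      {"ENTER_INVOICE", "CREATE_SUPPLIER", "PAY_SUPPLIER"},  # patch added
    "AP_MANAGER":    {"APPROVE_INVOICE", "PAY_SUPPLIER"},
    "GL_ACCOUNTANT": {"ENTER_JOURNAL", "POST_JOURNAL"},                      # patch added
}
USERS = {"alice": ["AP_CLERK"], "bob": ["AP_CLERK", "AP_MANAGER"], "carol": ["GL_ACCOUNTANT"]}

def patch_diff(before, after):
    """Return {role: entitlements the patch added}; roles with no additions are dropped."""
    added = {r: after[r] - before.get(r, set()) for r in after}
    return {r: ents for r, ents in added.items() if ents}

def sod_conflicts(entitlements):
    """Return the SoD rule pairs fully contained in a set of entitlements."""
    return sorted(tuple(sorted(rule)) for rule in SOD_RULES if rule <= entitlements)

def user_conflicts(users, roles):
    """SoD conflicts per user across all assigned roles combined (the compounding case)."""
    result = {}
    for user, assigned in users.items():
        held = set().union(*(roles[r] for r in assigned))
        conflicts = sod_conflicts(held)
        if conflicts:
            result[user] = conflicts
    return result

def new_conflicts(users, before, after):
    """Conflicts present after the patch but not before: what 'crept in'."""
    old = user_conflicts(users, before)
    crept_in = {}
    for user, conflicts in user_conflicts(users, after).items():
        added = [c for c in conflicts if c not in old.get(user, [])]
        if added:
            crept_in[user] = added
    return crept_in
```

Bob’s pre-existing conflict is reported by `user_conflicts` but not by `new_conflicts`, which is the distinction a patch-window retest needs: known, accepted conflicts versus ones the release introduced.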

A Clean Audit Starts with Clean Roles  

Auditors want to see that roles are built using the principle of least privilege and that SoD conflicts are minimized. Again, seeded roles are meant for ease of implementation, and nine times out of ten, seeded roles fail this test.

With fully customized roles: 

  • You control when new features are introduced 
  • You prevent unauthorized updates 
  • You reduce compliance and cyber risks 
  • You’re better prepared for internal and external audits 

Don’t Fall for the Sales Spin 

During the sales cycle, your ERP vendors and their favored system integrators will insist that seeded roles are ‘good enough’ or that customization is not necessary. They try to convince you of this to make it seem like THEIR ERP system will be easier to implement than the next guy’s. And 98% of the time the system integrator partner will sing from the same song sheet so they don’t screw up the deal and so the software company will walk them into the next deal.

BUYER BEWARE! BUYER BEWARE! BUYER BEWARE! 

On another note: If you are using a large SI firm, do NOT rely on their risk advisory team to implement ‘least privilege’ and SoD-free roles without at least having a firm like ours verify whether they have met the high standard expected by you, your internal auditors, AND your external auditors. We cover this topic in our article “Don’t Let the Fox Watch the Hen House: Why Your Risk Advisory Firm Should NOT Be Your SI Firm.”

Final Thoughts: Buyer Beware 

If your organization is going through an ERP transformation, don’t fall into the trap of using seeded roles. The risks to security, compliance, and cost are too great. Invest in fully customized roles—built and tested by specialists like ERP Risk Advisors—to ensure a secure, compliant, and cost-effective implementation. 
