By: Mark Polino
Regardless of which ERP system you use, there are some universal security considerations that always pop up at year end. The bottom line is that auditors and management want to know that administrators understand their systems and can demonstrate that they are in control of them. With that in mind, here are my top 5 year-end security concerns for ERP systems.
- Journal Entries – A lot of extra journal entries are made around year end. These include things like cleaning up estimates, adjusting leftover accruals and deferrals, and fixing errors. Items like bonuses are often tied to final year-end numbers, so year-end journal entries have historically been an area ripe for manipulation. It's also an area where auditors will spend plenty of time, so make sure there is a documented process to review JEs, with the review performed by someone other than the person who entered them.
- Segregation of Duties – Year end is a good time to review segregation of duties: confirm that no individual user has access to too many steps of a single process (for example, both creating a vendor and releasing payments to it), and confirm that any mitigating controls for conflicts you have accepted are actually being performed and documented.
- User Security – Reviewing user security at year end is important, especially if it isn't being reviewed throughout the year. A lot can change over twelve months, so confirming that each user has only the access their current job requires should be done at least annually; more often is better.
- System Administrator and Super User Access – Operations performed by system administrators and super or power users deserve extra scrutiny. The elevated access these individuals hold lets them bypass many of the system's security features, so transactions performed under these accounts should be trusted less, not more, and reviewed more closely than those of ordinary users.
- Orphaned Users – At least once a year, companies should review their user list for orphaned users: accounts that should no longer have access to the ERP system. Some systems automatically remove users when they are removed from Active Directory, and relying on that alone gives a false sense of security. A user may still have an active network account but be on leave, or may have changed positions within the organization and no longer need ERP access at all; neither case removes the AD account. Companies need a process to communicate access changes across departments and across systems, with HR as the source of truth rather than the directory.
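The three access-related items above (segregation of duties, privileged accounts, and orphaned users) are usually worked as one review over an ERP user/role export. The script below is an added example of that review, not code from the original post or from any ERP vendor. The user names, role names, department codes, the SoD conflict matrix and the HR roster are all constructed sample data, and the convention that a role's prefix (AP_, GL_, AR_) identifies the department it belongs to is an assumption made for illustration.

```python
"""Year-end ERP access review: SoD conflicts, privileged accounts, orphaned users.

Added example. All data below is constructed for illustration; the role names,
departments and conflict matrix are assumptions, not taken from any real ERP.
"""

# Constructed ERP export: user -> set of assigned roles.
ERP_USERS = {
    "asmith":    {"AP_VENDOR_MAINTAIN", "AP_PAYMENT_RELEASE"},
    "bjones":    {"GL_JE_CREATE"},
    "cwu":       {"GL_JE_CREATE", "GL_JE_POST"},
    "dlee":      {"AR_INVOICE"},
    "epatel":    {"SYSADMIN"},
    "svc_batch": {"AP_PAYMENT_RELEASE"},
}

# Constructed HR roster: the source of truth for who should have access.
HR_ROSTER = {
    "asmith": {"status": "active",     "dept": "AP"},
    "bjones": {"status": "leave",      "dept": "GL"},
    "cwu":    {"status": "active",     "dept": "AR"},   # transferred GL -> AR
    "dlee":   {"status": "terminated", "dept": "AR"},
    "epatel": {"status": "active",     "dept": "IT"},
}

# Constructed directory state: note dlee is terminated in HR but still enabled in AD.
AD_ENABLED = {"asmith": True, "bjones": True, "cwu": True, "dlee": True, "epatel": True}

# Assumed SoD matrix: pairs of roles one person must not hold together.
SOD_CONFLICTS = [
    ("AP_VENDOR_MAINTAIN", "AP_PAYMENT_RELEASE"),
    ("GL_JE_CREATE", "GL_JE_POST"),
]

PRIVILEGED_ROLES = {"SYSADMIN", "POWERUSER"}

# Assumed convention: role prefix identifies the owning department.
ROLE_PREFIX_TO_DEPT = {"AP": "AP", "GL": "GL", "AR": "AR"}


def find_sod_conflicts(users, conflicts=SOD_CONFLICTS):
    """Return (user, role_a, role_b) for every user holding a conflicting pair."""
    hits = []
    for user, roles in sorted(users.items()):
        for a, b in conflicts:
            if a in roles and b in roles:
                hits.append((user, a, b))
    return hits


def privileged_users(users, privileged=PRIVILEGED_ROLES):
    """Return users holding any admin/super-user role, for separate activity review."""
    return sorted(u for u, roles in users.items() if roles & privileged)


def find_orphans(users, hr, ad_enabled, prefix_map=ROLE_PREFIX_TO_DEPT):
    """Reconcile ERP users against HR, not AD. Returns (user, reason_code) findings."""
    findings = []
    for user, roles in sorted(users.items()):
        rec = hr.get(user)
        if rec is None:
            # Service or leftover account with no HR owner.
            findings.append((user, "NOT_IN_HR_ROSTER"))
            continue
        if rec["status"] == "terminated":
            # AD-driven removal would miss this while the AD account stays enabled.
            code = "TERMINATED_STILL_AD_ENABLED" if ad_enabled.get(user) else "TERMINATED"
            findings.append((user, code))
            continue
        if rec["status"] == "leave":
            findings.append((user, "ON_LEAVE"))
            continue
        # Position change: roles belong to a department other than the user's current one.
        prefixes = (r.split("_", 1)[0] for r in roles)
        depts = {prefix_map[p] for p in prefixes if p in prefix_map}
        if depts and depts != {rec["dept"]}:
            findings.append((user, "ROLES_OUTSIDE_DEPARTMENT"))
    return findings


if __name__ == "__main__":
    print("SoD conflicts:", find_sod_conflicts(ERP_USERS))
    print("Privileged accounts:", privileged_users(ERP_USERS))
    print("Orphan findings:", find_orphans(ERP_USERS, HR_ROSTER, AD_ENABLED))
```

Running it flags asmith and cwu for SoD conflicts, epatel as a privileged account whose transactions warrant separate review, and four orphan findings: bjones (on leave), cwu (GL roles after moving to AR), dlee (terminated but still enabled in AD, the exact gap that AD-driven deprovisioning misses), and svc_batch (no HR owner). Each finding should be closed by a documented decision, either removing the access or recording the mitigating control.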
For companies that have done a poor job of managing security throughout the year, it's too late to fix everything by year end. But all is not lost: starting now demonstrates a commitment to improvement next year. Taking a risk-based approach and addressing the highest-risk items first can deliver big improvements in a relatively short amount of time.