Top 5 Year End Security Considerations for ERP Systems


By: Mark Polino

Regardless of which ERP system you use, there are some universal security considerations that always pop up at year end. The bottom line is that auditors and management want to know that administrators understand their systems and can demonstrate that they have control of them. With that in mind, here are my top 5 year-end security concerns for ERP systems.

  1. Journal Entries – A lot of extra journal entries are made around year end. These include things like cleaning up estimates, adjusting leftover accruals and deferrals, and fixing errors. Often, items like bonuses are tied to final year end numbers, so year-end journal entries have historically been an area ripe for manipulation. It’s also an area where auditors will spend plenty of time, so make sure that there is a process to review JE’s.
  2. Segregation of Duties – Year end is a great time to review segregation of duties to ensure that individual users don’t have access to too many parts of a process and to ensure that any mitigation processes are being performed and documented.
  3. User Security – Reviewing user security at year end is important, especially if it’s not being reviewed throughout the year. Lots of things can change throughout the year so making sure that users have the right access should be done at least annually, though more often is better.
  4. System Administrator and Super User Access – Operations performed by system administrators and super or power users should get extra scrutiny. The elevated access afforded these individuals gives them the power to bypass many security features, so transactions performed by these users should actually be trusted less.
  5. Orphaned Users – At least once a year, companies should review their list of users for orphaned users. These are users that should no longer have access to the ERP system. Some systems automatically remove users if they are removed from Active Directory, and this gives companies a false sense of security. Users may still have an active network account but be on leave. Additionally, users might have changed positions in the organization and should no longer have access. Companies need to have a process in place to communicate access changes across multiple departments and systems.
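
The orphaned-user review in item 5 can be run as a reconciliation of three exports: the ERP user list, the HR roster, and Active Directory account status. The following is an added example, not part of the original post; the CSV layouts, user names and role-to-department mapping are constructed assumptions.

```python
import csv
import io

# Constructed sample exports; column names and values are assumptions.
ERP_USERS = """user_id,erp_role
asmith,AP Clerk
bjones,GL Accountant
cdoe,AP Clerk
dlee,Payroll Admin
svc_old,Power User
"""
HR_ROSTER = """user_id,status,department
asmith,active,Accounts Payable
bjones,on_leave,General Ledger
cdoe,active,Sales
dlee,terminated,Payroll
"""
AD_ACCOUNTS = """user_id,enabled
asmith,true
bjones,true
cdoe,true
dlee,false
svc_old,true
"""
# Hypothetical mapping of ERP roles to the departments expected to hold them.
ROLE_DEPARTMENTS = {"AP Clerk": {"Accounts Payable"},
                    "GL Accountant": {"General Ledger"},
                    "Payroll Admin": {"Payroll"}}

def _load(text):
    """Index a CSV export by user_id."""
    return {row["user_id"]: row for row in csv.DictReader(io.StringIO(text))}

def find_orphaned_users(erp_csv, hr_csv, ad_csv, role_departments):
    """Return {user_id: reason} for ERP users whose access needs review."""
    hr, ad = _load(hr_csv), _load(ad_csv)
    findings = {}
    for uid, erp in _load(erp_csv).items():
        person = hr.get(uid)
        ad_enabled = ad.get(uid, {}).get("enabled") == "true"
        if person is None:
            findings[uid] = "no HR record"
        elif person["status"] != "active":
            # An enabled AD account is exactly the case an AD sync will not catch.
            note = " (AD account still enabled)" if ad_enabled else ""
            findings[uid] = f"HR status {person['status']}{note}"
        elif person["department"] not in role_departments.get(erp["erp_role"], set()):
            findings[uid] = f"role {erp['erp_role']} held by {person['department']} staff"
    return findings
```

On the sample data this flags the user on leave whose network account is still enabled, the terminated user still present in the ERP, the user whose role no longer matches their department, and the account with no HR record.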

For companies that have done a poor job of managing security throughout the year, it’s too late to fix everything by year end. But all is not lost: starting now can demonstrate a commitment to improvement next year. Taking a risk-based approach and addressing key items first can provide big improvements in a relatively short amount of time.

About Mark Polino

Mark Polino is a Certified Public Accountant (CPA) and a Microsoft MVP for Business Solutions. He is the author or coauthor of 5 books related to Microsoft Dynamics GP. Mark also maintains the Dynamics GP focused website. He speaks and writes regularly about ERP related topics. Mark has been a controller and CFO for a division of a publicly traded company and he has worked as a consultant implementing ERP solutions. Mark holds additional certifications including Certified Information Technology Professional (CITP), Certified in Financial Forensics (CFF), Chartered Global Management Accountant (CGMA), Dynamics Credentialed Professional for Dynamics GP 2015 (Core Install and Core Financials), and Xero Certified. He holds a bachelor’s degree in accounting from the University of Central Florida and an MBA from Rollins College. Mark lives with his family in Florida.