Friday, March 9, 2012

Detecting Fraud in your ERP Solution

Fraud and theft are difficult topics to address.  There are so many resources available, so many places to review in your organization.  How often do we just make the assumption that our Enterprise Resource Planning (ERP) solution has all the needed checks and balances? 

ERP systems can help by organizing operations and allowing auditors to spot trends in the data.

This sounds important.  Where do I start?  First of all, this is not meant to be a technical report, nor a complete one.  I only hope to highlight the importance of security and how your system can enable or prevent fraud from occurring.

Does your ERP solution run on a secure platform?  This is the physical stuff, the box, the server, the equipment.  This question must be asked and answered regardless if the solution is in-house or hosted in the Cloud.  Who has physical access to the system?  Who has wired and/or wireless, VPN, or virtual connectivity to the system?

The next step after the physical equipment would be to look at the operating system running on the system.  Many servers have choices in operating systems, some servers have proprietary operating system.  Regardless all operating systems have security settings.  These settings should be based on the user, resource accessed, the device being used, and where the person is located.

The next layer is the ERP software solution itself.  How are controls enabled?  Does each user have a unique login credentials?  How are the modules and the options secured?  Does the software audit and track changes by user, date and time. 

Above this are functional roles.  For example there should be a check and balance (more than one person) processing the billing and the receipts.  More than one person counting inventory and auditing the counts.  There are many such role checks that should be implemented in your organization.  The specifics should be discussed with your audit team.

Where do the threats come from?  Ultimately people are involved.  Are they solo efforts or are they conspiracies?  Do you perform background checks on your personnel?  Do they have gambling problems or prior criminal records?  Men and women of all ages commit fraud. 

Some industries have higher rates of embezzlement than others, but few, if any are exempt from the risk.  It does not matter if it is nonprofit or for-profit.  The incidents often happen over a long period of time.  Small amounts taken regularly versus an armed robbery all-at-once.

Today there are many financial and operational standards, particularly for publicly held companies.  Again, I am not here to tell you which ones or how they should be implemented.  I am suggesting that the ERP solution you have should meet those standards.   The security solution like the software modules should be integrated in the system, not a separate bolt on effort.

The long term solution is to engage with your Certified Public Accountant (CPA) and find a Certified Fraud Examiner (CFE) to take a close look at your organization.  Accountant relationships are one of the select few where you do not like to make changes unless something goes terribly wrong.  No one wants to bear their sole over again with someone new.  However, if the relationship is professional, an independent audit will not offend your finance person and may only need to be done every few years.  This will assure ownership that the proper controls are in place and allow you to keep your advisor.

Dolvin Consulting is available to help you find and implement sound ERP solutions that meet your challenges and budget.  Contact us today to see how we can help.

No comments:

Post a Comment