Can you be sure that your AP Manager isn’t able to enter vouchers and create payments for a fake vendor? Do you know if anyone has unauthorized access that would allow them to change supplier bank account numbers? If you don’t conduct ERP security audits, the chances are that you don’t know whether such events – or many other similar ones – could occur. You need to be sure that all employees have appropriate access rights – and to identify any who don’t, so that you can resolve the risks.
But it’s not only about preventing fraud or satisfying your auditors – there are other important business benefits for organizations of all types and sizes.
You need to identify anyone with access that would allow them to use your ERP system to commit internal fraud. 50% of fraudulent incidents are committed by insiders, and statistics suggest that each year every company has a 35% chance of falling victim to fraud.
If you’re subject to SOX or similar regulations, you’ll be expected to demonstrate that you’ve implemented stringent Segregation of Duties controls to reduce the risk of fraudulent activity.
Even if you’re not subject to SOX, auditors recommend Segregation of Duties (SoD) as the most effective way to prevent internal fraud. Regular SoD audits identify users whose combined access violates an SoD rule, whether that access comes from a single role or from several roles granted over time.
Whether by accident or through malicious intent, if an unauthorized employee changes critical configurations, it could bring your manufacturing and distribution operations to a screeching halt, causing huge financial loss.
For example, if an unauthorized user makes erroneous updates to your manufacturing data, it could result in a failure to buy enough raw materials to keep up with production demand.
Similarly, unauthorized changes to automated accounting instructions that route costs to the wrong accounts could make business activities look profitable when they are actually running at a loss.
There’s a big danger that inaccurate financial reporting gets carried through to misstated results, leading to penalties and reputational damage.
So why don’t all organizations do it?
The main reason is that it’s just too difficult. Without specialized tools, it often involves complex SQL reporting and complicated spreadsheets – and lots of hassle – and it’s not as if most IT departments are short of work. And despite frequent horror stories in the financial press, some people seriously still believe that it couldn’t happen to them.
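The SoD audit described earlier and the "complex SQL reporting" this paragraph refers to come down to one join: the effective access each user reaches through all of their roles, matched against a table of conflicting function pairs. The example below is added here to show that shape; it is not Pathlock's code and not part of the original post. The users, roles, function names and SoD rules are constructed for illustration (an in-memory SQLite database stands in for the ERP's authorization tables), and `find_sod_violations` and `conflicts_if_granted` are hypothetical helper names. It covers both the detective check (who already violates a rule) and the preventive check (would a proposed role grant create a violation), so it goes a little beyond the audit-only case in the text.

```python
import sqlite3

# Constructed sample data (not from any real ERP): users, the roles they hold,
# the ERP functions each role grants, and a small SoD rule set.
USERS = [("u1", "alice"), ("u2", "bob"), ("u3", "carol"), ("u4", "dave")]
ROLE_ASSIGNMENTS = [
    ("u1", "AP_CLERK"), ("u1", "AP_MANAGER"),       # alice: enters vouchers AND approves payments
    ("u2", "AP_CLERK"),                              # bob: voucher entry only
    ("u3", "VENDOR_MASTER"), ("u3", "AP_MANAGER"),   # carol: maintains vendors AND approves payments
    ("u4", "GL_ACCOUNTANT"),                         # dave: journal posting only
]
ROLE_FUNCTIONS = [
    ("AP_CLERK", "ENTER_VOUCHER"),
    ("AP_MANAGER", "APPROVE_PAYMENT"),
    ("AP_MANAGER", "RELEASE_PAYMENT_RUN"),
    ("VENDOR_MASTER", "MAINTAIN_VENDOR"),
    ("VENDOR_MASTER", "CHANGE_VENDOR_BANK"),
    ("GL_ACCOUNTANT", "POST_JOURNAL"),
]
# Each rule names two functions that must never be held by the same person.
SOD_RULES = [
    ("SOD-01", "Enter voucher vs. approve payment", "ENTER_VOUCHER", "APPROVE_PAYMENT"),
    ("SOD-02", "Maintain vendor vs. approve payment", "MAINTAIN_VENDOR", "APPROVE_PAYMENT"),
    ("SOD-03", "Change vendor bank vs. release payment run", "CHANGE_VENDOR_BANK", "RELEASE_PAYMENT_RUN"),
]

SCHEMA = """
CREATE TABLE users (user_id TEXT PRIMARY KEY, name TEXT);
CREATE TABLE role_assignments (user_id TEXT, role TEXT);
CREATE TABLE role_functions (role TEXT, function TEXT);
CREATE TABLE sod_rules (rule_id TEXT, description TEXT, func_a TEXT, func_b TEXT);
"""

# Detective check. "access" is the effective access view: every function a user
# reaches through any role. Joining it to itself on the rule table finds users
# who hold both sides of a rule, through one role or through two different roles
# (role_a == role_b when a single role is itself internally conflicting).
VIOLATION_QUERY = """
WITH access AS (
    SELECT ra.user_id, ra.role, rf.function
    FROM role_assignments ra
    JOIN role_functions rf ON rf.role = ra.role
)
SELECT DISTINCT r.rule_id, u.name, a.role AS role_a, b.role AS role_b
FROM sod_rules r
JOIN access a ON a.function = r.func_a
JOIN access b ON b.function = r.func_b AND b.user_id = a.user_id
JOIN users u ON u.user_id = a.user_id
ORDER BY r.rule_id, u.name;
"""

# Preventive check: which rules would a user violate if a given role were added
# to what they already hold? Run this before the grant, not after.
PREVENTIVE_QUERY = """
WITH new_funcs AS (
    SELECT function FROM role_functions WHERE role = :role
), existing AS (
    SELECT rf.function FROM role_assignments ra
    JOIN role_functions rf ON rf.role = ra.role
    WHERE ra.user_id = :user_id
)
SELECT DISTINCT r.rule_id FROM sod_rules r
WHERE (r.func_a IN (SELECT function FROM new_funcs) AND r.func_b IN (SELECT function FROM existing))
   OR (r.func_b IN (SELECT function FROM new_funcs) AND r.func_a IN (SELECT function FROM existing))
ORDER BY r.rule_id;
"""


def build_db():
    """Load the constructed sample data into an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    con.executemany("INSERT INTO role_assignments VALUES (?, ?)", ROLE_ASSIGNMENTS)
    con.executemany("INSERT INTO role_functions VALUES (?, ?)", ROLE_FUNCTIONS)
    con.executemany("INSERT INTO sod_rules VALUES (?, ?, ?, ?)", SOD_RULES)
    return con


def find_sod_violations(con):
    """Return (rule_id, user name, role_a, role_b) for every current SoD violation."""
    return con.execute(VIOLATION_QUERY).fetchall()


def conflicts_if_granted(con, user_id, role):
    """Return the rule_ids that granting `role` to `user_id` would violate."""
    rows = con.execute(PREVENTIVE_QUERY, {"user_id": user_id, "role": role})
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    for rule_id, name, role_a, role_b in find_sod_violations(db):
        print(f"{rule_id}: {name} via {role_a} + {role_b}")
    print("bob + AP_MANAGER would violate:", conflicts_if_granted(db, "u2", "AP_MANAGER"))
```

The detective query is the one an SoD audit report is built on; it flags alice (voucher entry plus payment approval, the AP Manager scenario from the opening paragraph) and carol (vendor maintenance plus payment approval, and vendor bank change plus payment release). The preventive query is the control that keeps the next audit clean: run it in the access-request workflow, and a request that would create a conflict is either refused or routed for a documented compensating control. In a real ERP the "functions" are transaction codes, menu items or authorization objects, and the effective-access view has to follow whatever role inheritance the system uses, which is exactly where the "complicated spreadsheets" usually break down.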
Pathlock offers a suite of solutions that can help you monitor user activity, detect suspicious user behaviour, and log all access to sensitive data and transactions. Our modules enable you to implement fine-grained controls at the page, field, and transaction level to ensure sensitive access is granted only to authorised users and such access is always monitored across your ERP applications. Many of our solutions also provide audit and compliance reports, including SOX, right out of the box.
Talk to our ERP security compliance experts to understand how Pathlock can enhance your audit-readiness.