At the very least, you ought to review the security measures you have in place for your ERP solution once a year. We would suggest quarterly reviews if possible. When reviewing quarter-end stats, managers and auditors need to be assured that users and administrators are working with secure systems. Let’s review the top 5 quarter-end security concerns for ERP solutions:
Journal Entries: At the end of the quarter, additional journal entries may be made to clean up estimates, adjust leftover accruals and deferrals, and fix errors. Sometimes year-end bonuses are tied to final numbers, and for that reason journal entries have historically been an area subject to manipulation. Because of that risk, auditors will spend a lot of time on this area, so it’s important to make sure that there is a process in place for reviewing journal entries.
Segregation of Duties: Segregation of duties ensures that team members don’t gain unnecessary access to too many parts of a process. Any adjustments can be easily performed and documented for security reviews.
User Security: Hopefully you are keeping on top of user security all year long. If not, at a minimum, year-end security reviews should be mandatory. Employees and processes may change throughout the year, so quarterly reviews help make sure that team members have the access they need to perform effectively.
System Administrator and Super User Access: Extra scrutiny should be given to operations performed by system administrators and power users. Because they are given higher access to the system, they may be able to bypass certain security features. Transaction records for these users will be of particular interest to managers and auditors.
Orphaned Users: At quarter-end, it is important to check your record of users for any who should no longer have access to the system. Some ERP solutions will automatically remove users if they are removed from Active Directory. Sometimes users may still be in the directory, but not in a position to be given access to the system. Users may still have an active network account but be on leave, or they might have changed positions within the organization and should no longer have access. You ought to have a process in place to ensure that access changes are communicated across multiple departments and systems.
If your company has not been practicing ongoing security, now is the time to start. It will set a precedent of best practices going forward. Start with the most important risk-prone areas and address key items first. The improvements you see will add to your peace of mind about security and will help your team move forward with confidence.
If you are having trouble managing all of these manually, Fastpath has tools that can help you. Contact our team for more information.