Auditing transactions in your ERP/CRM System is not something that should be taken lightly. There can be significant business and system performance ramifications for making a wrong choice. Many things should be taken into consideration when setting up audit trails. Whether you are using something that comes out of the box, or you purchase software from a 3rd party vendor, be sure to consider the topics below.
- Audit only what is necessary - One of the keys to the successful use of auditing software is setting it up correctly. Common fraud and control points are well known by auditors and provide an easy starting point for setup. For example, vendor setup is typically audited to provide some prevention for false vendor creation. Similarly, vendor address changes are normally audited to help prevent the fraudulent redirection of legitimate payments. Although vendor data is a common control point there are certain vendor fields, like FAX number, that are likely not critical and may not need to be tracked. Be specific as every field that is tracked has an impact on system performance and the amount of data that needs to be stored.
- Involve the business process owners (BPOs) – So many times IT departments set up the audit trail tool that your company has chosen without taking into consideration what information the business process owners need to review. While the business process owners might not even use the ERP in their daily job, they will be the one reviewing the reports. So make sure your IT team is communicating with your BPOs during the set up process.
- Performance – If you incorrectly set up audit trail software, it can hurt the system performance. Often, we hear people say “I just want to track everything”. All audit trail software creates data, and recording information is, of course, the purpose of audit trail software. The problem comes when companies overzealously try to audit everything, bringing the accounting system to a crawl. This is why we suggest auditing only what is necessary.
- Report and Review – What good is an audit trail solution if you never review the reports? By following the first three tips, you will know you are getting the information you are looking for, but, be sure to continually review, follow up, and sign off on the resulting reports on a consistent basis. This will not only help you quickly identify anomalies, it will help come audit time.
- Data Maintenance – Audit trails create data and that data needs to be stored and maintained. Make sure you develop a retention policy for your audit trail data. And remember that not all data will fall under the same retention policy. How long do we need to keep vendor changes? Customer changes? Payroll changes? 1 month? 1 year? 7 years? Once you have defined your retention policy, develop a plan to archive and purge your audit data based on your policy.