Internal Controls & Compliance in an ERP Environment – Introduction
Compliance with Sarbanes-Oxley (SOx) and other Internal Control requirements is now a business compulsion. Ongoing compliance is essential to maintain financial certification, making SOx a daily part of transaction processing. If not for SOx, companies coming under IFRS Convergence will have to address the same for financial reporting purposes.
Based on the numerous engagements in which Thirdware helped companies meet Internal Control requirements, this blog series should help explain the overall approach and execution. While many software vendors have provided patches or modules inside their applications, compliance is never complete unless the overall control process (both business and IT) is understood and addressed in unison.
Coming to the subject:
Internal Controls, for audit and certification purposes, must meet three essential conditions:
1. Compliance and Controls must be documented
2. Controls must be implemented and complied with on an ongoing basis. They should be made part of the business process.
3. Evidence must be available to prove compliance with the documented processes
If any one of these elements is missing, the basic tenet of compliance is not fulfilled.
The foundation of these 3 conditions lies in the following approach:
- Understanding and documenting Business and IT controls and their relationship to the financial reporting process
- Identifying risks and designing/implementing controls to mitigate risks and continuously monitoring them
- Ensuring the controls are updated (ongoing) and correspond to business process changes or financial reporting changes impacting operations
The entire controls process lies both inside and outside the application. While most companies have completed their initial phase of compliance, the requirement now is to change SOx compliance from a project-based (audit compliance) approach to a business-process-based approach. Adopting a process-based approach to SOx compliance helps companies maintain strong internal control over financial reporting, saves money in the long term and ensures a sustainable controls environment.
At a broad level, Internal Controls and Compliance must address the following:
- Understanding Financial Reporting, Business Process and IT ecology
- Designing Controls and Compliance Process











