ERP and internal control

ERP systems are not the only way to comply with corporate governance rules and legislation and enhance the quality of internal control. However, Morris [2011] studied the relationship between the use of ERP and reported material weaknesses in internal control for US listed companies, and he found that firms with implemented ERP systems are less likely to have to report such material weaknesses. The characteristics of ERP are beneficial for internal control.

Firstly, corporate governance rules and legislation on the one hand, and ERP systems on the other hand share a process-oriented approach. Corporate governance rules and legislation require companies to assess their internal control and publish their assessment in the in-control-statement of their annual report. In order to be able to do this, they have to evaluate their processes, risks and controls. One of the characteristics of ERP is exactly the support for best practice processes: when an organization uses one of the best practices of the ERP system, the whole process including related information processing is taken care of. ERP encourages a high level of internal control.

Secondly, the data integration characteristic of ERP mitigates a wide variety of risks, and thereby makes a large number of manual controls redundant. In companies that do not have ERP, several applications may be used in parallel. A well-known risk of parallel applications is inconsistencies between the data in the parallel applications. In a manufacturing company, the stock level of finished goods in the financial application is not necessarily the same as the stock level of finished goods in the production application, which is a risk for the reliability of the financial reports. In such cases, the accounting department of the organization will reconcile the stock every month during the financial close, and correct any differences that they may find. The data integration characteristic of ERP prevents such differences. When organizations have implemented ERP, the time-consuming data reconciliation controls become obsolete.

Advanced ERP systems provide not only data integration but also a plethora of other automated controls. The risk of incorrect data entry by unauthorized or unskilled employees is reduced in ERP by restricting the access to certain menu options or functions of the system. The risk of order entry for non-existing products, with wrong order quantities, or with wrong prices is reduced in ERP by extensive automated data validation. In addition to these preventive controls, modern ERP systems have detailed audit trails that enable auditors to track which employee has changed, added or deleted data in the ERP system.

ERP to support compliance

Lastly, the partners of ERP suppliers closely follow trends in the market and adapt their services to those trends. One of the important consequences of stricter corporate governance is the increasing number of audits. In a Sarbanes-Oxley project it is not unusual that every control is audited three times per year: one self-assessment by the employee responsible for executing the control, one assessment by the internal audit department, and one assessment by the external auditor. Various external suppliers now offer tools for so-called audit automation, the automation of audits of internal controls. When audit automation software is used, an auditor no longer has to check all authorizations in an ERP system to see if employees have access to menus that go beyond the requirements of their job or create violations of segregation of duties. The audit automation software simply generates a report that indicates which authorizations create potential conflicts with internal controls.
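The kind of report described above can be sketched as follows. This is an added example, not code from any ERP or audit automation product; the users, job profiles, authorization names and conflict rules are all constructed for illustration.

```python
# Constructed sample data: every user, job and authorization name is hypothetical.
JOB_REQUIREMENTS = {
    "purchaser": {"create_purchase_order", "display_vendor"},
    "ap_clerk": {"post_vendor_invoice", "display_vendor"},
    "treasurer": {"release_payment"},
}

# Pairs of authorizations that one employee should not hold together.
SOD_RULES = [
    ("create_vendor", "release_payment"),
    ("create_purchase_order", "post_vendor_invoice"),
    ("post_vendor_invoice", "release_payment"),
]

# user -> (job, authorizations actually granted in the system)
USERS = {
    "alice": ("purchaser", {"create_purchase_order", "display_vendor"}),
    "bob": ("ap_clerk", {"post_vendor_invoice", "display_vendor", "release_payment"}),
    "carol": ("treasurer", {"release_payment", "create_vendor"}),
    "dave": ("purchaser", {"create_purchase_order", "display_vendor", "post_vendor_invoice"}),
}


def audit_user(job, granted):
    """Return (excess authorizations, SoD conflicts) for one user."""
    required = JOB_REQUIREMENTS.get(job)
    # Unknown job profile: nothing is justified, so every grant counts as excess.
    excess = sorted(granted - required) if required is not None else sorted(granted)
    # A rule is violated when the user holds both authorizations of the pair.
    conflicts = [pair for pair in SOD_RULES if set(pair) <= granted]
    return excess, conflicts


def audit_report(users):
    """Build {user: {"excess": [...], "sod_conflicts": [...]}} for users with findings."""
    report = {}
    for name, (job, granted) in sorted(users.items()):
        excess, conflicts = audit_user(job, granted)
        if excess or conflicts:
            report[name] = {"excess": excess, "sod_conflicts": conflicts}
    return report


if __name__ == "__main__":
    for user, findings in audit_report(USERS).items():
        print(user, findings)
```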

In Figure 11.4 an example is presented of a company that applied ERP to simplify compliance with corporate governance legislation. Loral Space & Communications is a medium-sized American company in the telecommunications industry that has to comply with Sox. The company uses its ERP system in several ways to attain Sox compliance. It uses best practices, such as the four-eyes principle through combination edits, to firmly root internal control in business processes. Additionally, it uses audit automation in the procurement module: if a purchaser exceeds his or her purchase limit, the internal audit department gets an automated notification. Lastly, it uses the internal control module in the ERP system to document and test controls in a uniform way. Because of its use of ERP, Loral has not only complied with Sox on time, but the company has also laid the foundation for compliance with future corporate governance rules for the telecommunications industry.