
In this blog post, we’ll provide key insights on why organisations should invest in ERP Based Controls.
Internal Controls – A matter of business risk management
From effective and efficient operations, reliability over financial reporting to compliance with laws and regulations, the benefits of enhanced internal controls are plenty.
The importance and awareness of internal controls increased globally when the United States of America enacted the Sarbanes-Oxley Act (also known as SOX) in 2002. This was in response to a series of corporate frauds that occurred in the US, including the Enron scandal, which demonstrated the negative impact of poor controls.
SOX requires management and external auditors to report on the adequacy of the company’s internal controls on financial reporting. Many countries have enacted similar provisions. In Mauritius, for example, the Bank of Mauritius has issued guidelines for Banks on internal control systems.
With the wide use of ERPs, many internal controls are embedded in the information systems, which makes a business process far more efficient.
What are ERP Based Controls and how can they increase business process efficiency?
Traditional internal controls are manual in nature. These controls generally involve an approver or a maker-checker during a transaction or an event. Such internal controls can be effective but not efficient. In the long run, when the volume of transactions grows, the cost of control can become a concern for the organisation.
ERP controls can make the business process efficient and effective by:
Concentrating manual controls at the start of the business process; generally around master data governance; and
Automating controls to replace the manual controls at transaction level throughout the business process.
Taking a high-level example of a Revenue and Receivable business process for a manufacturing organisation, with traditional manual controls compared to ERP controls:
What is the difference between Traditional Controls and ERP Based Controls approaches?
Traditional Controls Approach:
This model relies on human elements at each sub-process to be successful. There is reliance on the effectiveness of the manual controls to avoid errors and frauds.
Senior / experienced staff need to be deployed at each sub-process. The effort needed has to increase in line with the volume of transactions. This approach is often followed despite ERP controls being enabled, mainly because of the “comfort” management has developed over the years with the “way transactions are processed”.
The manual controls at the “master data” and “business process reviews” may not be performed with the required rigor since management is likely to rely on individual transaction controls for appropriateness. This approach can be highly inefficient and risky in the long run.
ERP Based Controls Approach:
Under this approach, the number of times management needs to exercise manual controls in the business process is greatly reduced; management is involved at very specific stages only:
At the updating of master data, i.e. credit master and price master.
At the period-end business performance review.
After establishing governance over master data (including ERP access controls), the process relies on the ERP for valid execution of the transaction as per the master data. Management can concentrate on performing key “business process reviews”, for example at the end of each period, including revenue reviews, budgeted vs forecast, credit master reviews, etc.
The difference between the two approaches is similar for other business processes. Ultimately, the ERP based controls approach makes business processes efficient and gives management more time to focus on strategy.
What are the challenges for ERP based controls?
The use of ERPs has also increased the risk of “control gaps”, or methods by which someone can override the controls in place to perform a transaction outside the agreed parameters. Despite the known efficiencies to the organisation, ERP based internal controls are often not implemented or weakly implemented. Unlike manual controls, the implementation and monitoring of system controls can be challenging, for reasons including:
Risk assessments exclude ERP based risks and controls
As part of an organisation’s risk assessment process, the risks and controls identified are often broad rather than specific. They are unlikely to capture all the ERP related settings that address the respective risks. Certain ERP based business process controls are “assumed” to be in place and hence not given the required attention, for example assuming the system will not allow a Payables Invoice to be booked differently from a Purchase Order.
Technology risks focused towards external security
The ability to override internal controls is much easier from the inside. Yet when it comes to addressing the risks arising from the use of technology, organisations tend to be more focused towards securing the IT infrastructure from external perpetrators. Due to this, risks arising from internal segregation of duties or sensitive access on ERP systems are not sufficiently addressed.
Lack of required know-how
For complex ERPs, the organisation often lacks the skill set required to implement and continuously monitor the ERP based internal controls. For example, access based controls in SAP or Oracle are complex and may require additional tools. Internal auditors sometimes perform audits around the system with procedures involving data analytics, vouching and verification instead of testing ERP controls.
Conclusion:
The risk of not having an internal control environment commensurate with the size of the organisation remains high. As per the 2020 PwC Global Economic and Fraud Survey, 57% of frauds involved an internal perpetrator. As per the survey, nearly half of the reported incidents resulting in losses of US$100 million or more were committed by insiders. Also, frauds committed by management are going up. The survey report states that “major frauds perpetrated by insiders are potentially far more damaging than externally perpetrated crime”.
Organisations should act proactively rather than reactively to establish an internal controls framework. Performing a comprehensive risk assessment and establishing the right internal controls in your organisation is important. In this process, ERP controls can be a key differentiator for your business processes as you evolve and grow.
Contact Us:
PwC Mauritius provides comprehensive solutions for Internal Controls Framework and ERP Assurance.
Vikas Sharma
Partner, Consulting
Email: v.sharma@pwc.com
Julien Tyack, FCCA, IIA, ICRM
Partner, Head of Risk Assurance Services
Email: julien.tyack@pwc.com