Corporate governance encompasses the whole system of enterprise management and monitoring, including the organization, its corporate policy principles and guidelines, and the system for internal and external control and monitoring mechanisms. At the moment, in the United States at least, everything is focusing on the implementation and costs of the Sarbanes Oxley Act. Senator Sarbanes, one of the initiators of this act, estimates that the cost of implementing the critical Section 404 of the Sarbanes Oxley Act for the setup of an internal control system in US companies is one percent of sales in the first year. This may sound modest, but according to research by the Hackett Group, it is more or less equivalent to the financial accounting costs in many enterprises.
Documentation tools are at the forefront of the discussions surrounding the software needed for such a control system, and the issue of how to simplify the process of monitoring the controls is being addressed. Unfortunately for companies, these processes are often extremely complex and costly. But the discussion on more efficient checks on the control system tackles the symptoms, rather than the cause. Often, controls do not function efficiently enough because processes are not documented or process information such as approvals is not available, or is stored in formats – such as emails – that cannot be used for reports. One important prerequisite for effective control processes is therefore an integrated ERP (Enterprise Resource Planning) solution. This is something that business processes and the related KPIs hinge on, and a discussion on the control processes must therefore start with an enterprise’s ERP solution.
This opinion appears to be gaining more and more ground. The Business Finance Magazine states: “Companies that can’t properly document the controls within their system’s accounting modules are in trouble. Those that can are a giant step closer to their compliance goals.”
Traceability is the key element
The key element of all control activities relating to improved enterprise controlling is traceability. This traceability has a long tradition in financial accounting: double-entry bookkeeping, the voucher principle, and posting controls are used for checking. However, this support must go much further if it is to prove the functional reliability of a control system. Only on the surface is the Sarbanes Oxley Act restricted to accounting processes, because in reality, all activities relevant for valuation affect the financial accounts. An overly extensive interpretation of the Sarbanes Oxley Act, on the other hand, would lead to an unfeasible amount of control work.
However, the issue of controlling mechanisms should primarily be tackled from the perspective of content rather than form. The challenge is not just to comply with legislation such as the Sarbanes Oxley Act as cost-effectively as possible, but to strengthen trust in the company from outside. It has been shown that effective and trustworthy information on a company’s situation increases the market value. Correspondingly, all external communication, such as forecasting, status reports, or ad hoc announcements and their internal and external consolidation must be ensured through controls. It therefore makes sense to extend the internal control system to cover all critical enterprise processes. From an IT point of view, this includes the whole ERP system, including analytical applications such as planning and reporting.
Known weak points
The support that the different ERP solutions offer here varies greatly. Experts such as Yusufali F. Musaji, author of the book “Integrated Auditing of ERP Systems,” outline problems in several areas. For example, not all processes are documented in full and comprehensibly. Processes for which access to data capture ranges from just a few to all employees, depending on authorizations, are only “loosely” supported and thus difficult to control. Changes to the contents of forms are not logged and are thus difficult or impossible to track. The support is more conclusive if it is possible to control and automate the process flow – that is, the coordination of the individual activities – by means of integrated workflow. A role concept ensures authorized and traceable processing. This approach makes many previously manual controls superfluous.
In addition, accounting data is often stored in ERP solutions in a form that cannot be directly used for evaluations. For the control process, this means either that reports are not comprehensive, or that complex, special reports must be created. With a Business Warehouse, companies are now coming close to having a storage system that covers the requirements of the necessary controls.
Particular attention should be paid to the configuration of an ERP solution. As business information is mainly generated automatically with a solution like this, errors often go unnoticed. In relation to this, companies often report that they notice after a number of years that company statements have to be adjusted retroactively because of incorrect information – in some cases, with drastic consequences for the enterprise value. Tried and tested “best practice” configurations, which the customer can use with just a few modifications, can provide assistance in this respect.
Control mechanisms within mySAP ERP
The control mechanisms cannot be checked and adhered to without a powerful ERP solution. Companies should therefore take a look into an ERP solution’s “engine room” to get an idea of the support offered for corporate governance.
- mySAP ERP contains many inherent controls. For example, the consistency of information from the upstream systems right through to all financial accounting components is ensured by the fact that posting vouchers are unique and posted in real time across the whole solution.
- In addition, configurable controls can be set up to support the principle of dual control, for example. mySAP ERP has the corresponding workflow control. This is an advantage in planning or budgeting, for example, if figures need to be forwarded, approved, and adopted. The more processes that are handled via workflow control, the fewer control activities there tend to be. All actions within workflow control are documented and stored in tamper-proof form. Ideally, the Workflow Engine is integrated with organizational management, so that changes to the organizational structure are taken into consideration immediately.
- Report controls simplify the comparison of different data sources, for example, the SEM BCS control monitor, which uses graphical symbols to display where problem points occur in the consolidation process.
- Efficient access controls require a sophisticated access concept. Report systems in an integrated environment use the cross-system security concept on a role basis.
To enable the control process to be checked more effectively, SAP has been providing the Management of Internal Control tool within mySAP ERP since last year. It is often the case that the numerous control mechanisms offered by a solution such as mySAP ERP are not used, or at least not used to their full extent. Changes are all the more difficult to implement if the solution is already up and running. More intensive planning is thus a decisive factor. Examples of system settings to be looked at include:
- In system administration, the “All modifiable” switch is set. This enables parameters to be changed at runtime. Traceability is then no longer guaranteed.
- Editing and debugging rights have been assigned too generously. A well-versed system specialist can therefore create advantages for him/herself to the detriment of the company.
- The logging of master data or table changes is not activated. While this saves on resources, it makes it practically impossible to track changes.
- Rights to delete change documents have been assigned too generously.
- Users are still using the manufacturer’s standard passwords. As a result, practically anyone can access the ERP solution.
But how can an adequate system structure be guaranteed? The knowledge of control specialists, who as a rule are employees from the internal auditing or controlling departments, must be harnessed in the project. These experts should be involved in the planning of an ERP solution at an early stage, certainly during the implementation project. From the very outset, clear rules must be formulated and the company must make sure that corporate governance and ERP really belong together.