SYSPRO Smarter ERP Blog


Making auditors happy: Business software security and controls

Posted on 19 September 2013 by Simon Griffiths

Have you heard the phrase “risk is the new black”? It refers to the fact that what people once thought was safe has changed radically. As a result, organizations are now expected to give investors, customers and regulators verifiable assurance that the necessary controls are in place to manage risk, by ensuring segregation of duties, integrity of operations and auditability.

It is becoming increasingly common to hear auditors ask about:

  • Oversight and control over transactions and operations
  • Monitoring and documentation of information flows and business transactions
  • Detection and prevention of accidental and deliberate changes that would increase risk and compromise business operations.

Before you ask your auditors to do a governance, risk and compliance assessment for your business you should consider whether your software system has addressed some key security issues:

  1. Access
  2. Control
  3. Monitoring
  4. Auditing

Access
Logins and passwords are standard in business software, and they should let you enforce access security at several levels within the application. From widest to most detailed, these levels are:

  1. The system
  2. Company
  3. Program
  4. Transactions
  5. Activity
  6. Field

This means that a user’s access can be limited down to a fine level – not just to a program, but also to details of the data, such as specific warehouses, and branches.

Control
Your software system should be configured to suit your organization’s control requirements. These controls enable the business to ensure a much greater level of accountability, to promote segregation of duties, and to implement traceability of activities throughout the system.

Operator control enables security to be managed at the individual level. Operators can be put into groups and sub-groups to align security administration to organizational division, such as departments and teams.

You can streamline controls further with role-based security. A default organogram provides a starting point for role management which can then be customized for different hierarchies.

Business processes can be defined against a general ledger code to ensure the code is used for appropriate transactions only.

Electronic signatures (e-signatures) secure transactions by authenticating the operator that performs specific transactions. E-signatures also provide traceability of who performed a transaction and when.

Monitoring
Monitoring can be done via:

  • Event logging and management
  • Triggers and alerts
  • Role conflicts

These can be automated to provide continuous controls monitoring.

Events refer to activities on the system, whereas triggers and alerts can be applied in a client user environment. This functionality enables the identification of abnormal events which may potentially point to fraudulent activity.

Auditing
Does your system have a logging and recording facility which tracks when programs are accessed, and when changes are made to critical data, such as master file, company setup and operator information?
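As an added example (not part of the original post and not SYSPRO’s own tooling), the following Python shows the two sides of the Monitoring and Auditing sections above: a preventive role-conflict check against a hypothetical role model, and a detective check that replays constructed audit-trail events to find cases where one operator performed both halves of a conflicting activity pair. The role names, activity names, conflict pairs and event layout are all assumptions.

```python
# Activity pairs one operator should not perform against the same subject
# (constructed procure-to-pay examples, not a SYSPRO rule set).
CONFLICTS = {("SUPPLIER_CREATE", "PAYMENT_APPROVE"), ("PO_CREATE", "PO_APPROVE")}

# Hypothetical role definitions and operator-to-role assignments.
ROLE_ACTIVITIES = {
    "AP_CLERK": {"SUPPLIER_CREATE", "INVOICE_CAPTURE"},
    "AP_SUPERVISOR": {"PAYMENT_APPROVE", "INVOICE_APPROVE"},
    "BUYER": {"PO_CREATE"},
    "PURCHASING_MANAGER": {"PO_APPROVE"},
}
OPERATOR_ROLES = {
    "jdoe": {"AP_CLERK", "AP_SUPERVISOR"},
    "asmith": {"BUYER", "PURCHASING_MANAGER"},
    "bwong": {"BUYER"},
}

# Constructed audit-trail events: (timestamp, operator, company, activity, subject),
# where 'subject' is the supplier or purchase order the activity acted on.
EVENTS = [
    ("2013-09-02T08:05", "jdoe", "CO1", "SUPPLIER_CREATE", "SUP-0042"),
    ("2013-09-02T08:20", "asmith", "CO1", "PO_CREATE", "PO-1001"),
    ("2013-09-02T09:00", "asmith", "CO1", "PO_APPROVE", "PO-1001"),
    ("2013-09-03T10:10", "jdoe", "CO1", "PAYMENT_APPROVE", "SUP-0042"),
    ("2013-09-03T11:00", "bwong", "CO1", "PO_CREATE", "PO-1002"),
    ("2013-09-03T11:30", "asmith", "CO1", "PO_APPROVE", "PO-1002"),
]

def role_conflicts(operator_roles=OPERATOR_ROLES, role_activities=ROLE_ACTIVITIES):
    """Preventive check: operators whose roles together grant both halves of a conflict pair."""
    found = []
    for operator, roles in sorted(operator_roles.items()):
        granted = set().union(*(role_activities[r] for r in roles))
        for a, b in sorted(CONFLICTS):
            if a in granted and b in granted:
                found.append((operator, a, b))
    return found

def activity_conflicts(events=EVENTS):
    """Detective check: one operator performed both halves of a pair on the same subject."""
    done = {}  # (operator, company, subject) -> set of activities performed
    for _ts, operator, company, activity, subject in events:
        done.setdefault((operator, company, subject), set()).add(activity)
    found = []
    for (operator, company, subject), acts in done.items():
        for a, b in sorted(CONFLICTS):
            if a in acts and b in acts:
                found.append((operator, company, subject, a, b))
    return sorted(found)
```

The role check is what a "role conflicts" report would surface before any transaction happens; the event check is what an alert on the audit log would surface after the fact, and a PO created by one operator and approved by another (PO-1002) is correctly left alone.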

You don’t have to be a big or well-established business to need good security and control. But you do need a level of organizational maturity to implement a proper governance and controls regime effectively. The test is whether your auditors are satisfied that the necessary controls and standards are in place.

Have you asked your auditors to do a governance, risk and compliance assessment yet?


Topics: data security, security, Governance and Compliance, Business software, Access control


Simon Griffiths

Simon is Product and Industry Marketing Consultant at SYSPRO, working in their Corporate Services division. He joined the company in 2007 after having interrupted a previous spell with SYSPRO to sell other ERP software.

After completing a Masters degree in Climatology at University of the Witwatersrand in Johannesburg, his first job involved working on a mini-computer where he was taught programming by an ex-NASA engineer.

With over 20 years in enterprise IT, he has worked in programming, database management, project management, consulting, marketing and sales. In 1983, when Time magazine named the computer as its Person of the Year, he was responsible for supporting the then newly introduced IBM PC at university. He seriously entered the IT field when he obtained a post graduate Diploma in Computer Science.

In 1995 he spent some time in Silicon Valley where he got his first experience in high-tech marketing and soon after that entered the field of Enterprise Resource Planning (ERP).

As Product and Industry Marketing Consultant of SYSPRO, he assists the Corporate Services Director to provide all SYSPRO offices with product and technical support. This includes developing product-based messaging and collateral to highlight value proposition of the SYSPRO product. He is also extensively involved in social networking activities and the development of product strategies.
