ERP Crashes the SOX Party

November 1, 2007

by Eric Krell

Dormant for years, the best-of-breed (BOB) vs. ERP debate has been rekindled now that enterprise resource planning vendors have awakened to the importance of beefing up their business suites with compliance and risk-management capabilities.

After letting stand-alone software vendors vie for customers in the first four years following the passage of the Sarbanes-Oxley Act, SAP, Oracle, Lawson, Microsoft, and other ERP vendors unveiled new controls monitoring, policy management, and process management functionality at different points within the past 18 months.

What do these new offerings mean for buyers? More confusion, initially, followed by some tough decisions. If finance executives complete those technology investment decisions thoughtfully, they will help to strengthen their organization's governance, risk management, and compliance (GRC) capabilities while streamlining business processes.

Honeywell Aerospace did just that while providing a novel answer to the "BOB or ERP?" question: both. The largest business within the manufacturing giant currently uses GRC functionality within SAP and a stand-alone application from Approva to achieve three objectives, notes Karen Chirico, manager, financial center of excellence, Honeywell Aerospace:

• Identify segregation of duties (SOD) violations before and after a user gets access to the company's ERP system;

• Document which SOD violations have been remediated and what the remediation plan is; and

• Monitor and flag certain ERP system changes and sensitive transactions that have been executed by support personnel.

"Our auditors have been able to rely on the tools we implemented to reduce the amount of time spent reviewing SAP for SOX compliance," reports Chirico, who also is vice president of finance for the board of the Americas' SAP Users' Group (ASUG).
