ERP System Controls
April 1, 2007
The Sarbanes-Oxley Act nudged mobile operator and network provider T-Mobile UK, a division of Deutsche Telekom's T-Mobile International subsidiary, toward a startling revelation.
"We realized that we effectively handed out 5,500 keys to our front door, and we didn't know how they were being used," says T-Mobile UK's Hertfordshire, England-based Shelly Sethi. Sethi's title -- SAP NetWeaver and security manager -- sounds less balanced than his background; he's a former finance manager and an Associate Chartered Accountant (ACA), which is the equivalent of a CPA in England and Wales.
The front-door keys he's referring to are the access rights any company with an ERP system grants employees to enable them to conduct specific transactions in the system. The use of those access rights should be carefully monitored and managed, but at most companies that use an ERP system that does not happen. That lack of oversight allows segregation of duties (SoD) violations to flourish.
A common SoD violation, for example, occurs when an employee who is allowed to approve an invoice in the ERP system is also allowed to use the system to pay the invoice. That ability, or access, is commonly grouped into "roles." Access controls establish which employees can have certain roles to perform specified transactions within the system. A company can maintain airtight controls around the manual invoice and payment processes that occur before and after process data is entered into the ERP system, but that discipline is undermined if the same controls do not govern the way in which employees use the system. This issue formed the basis of Sethi's business case when he proposed a new way to identify and eliminate SoD and access-control problems at T-Mobile UK.
T-Mobile is hardly alone. The vast majority of ERP-equipped organizations can expect to uncover tens of thousands to hundreds of thousands of SoD violations when they pop the hood of their financial systems. A hefty portion of those violations can derail regulatory compliance efforts and create even larger risks.
Now, a high-risk SoD violation does not necessarily mean that any fraudulent activity exists or that manual errors will occur. Rather, SoD violations indicate that both problems can occur. SoD violations frequently result from workarounds. They occur when system users circumvent standard roles in the system, usually in favor of quicker, but riskier, ways to pay a vendor, correct an invoice, order materials or perform some other transaction in their process area.
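As an added illustration of the role-based conflict described above (example code written for this page, not T-Mobile's or the article's), the check below maps each user through their roles to the transactions they can run and flags pairs an SoD ruleset forbids, such as approving and paying the same invoice. The user names, role names and transaction codes are constructed sample data, and the ruleset is an assumption.

```python
# Constructed sample data (not from the article). A real ERP system would
# hold thousands of users; the shape of the check is the same.
ROLE_TRANSACTIONS = {
    "AP_CLERK":    {"ENTER_INVOICE", "CORRECT_INVOICE"},
    "AP_APPROVER": {"APPROVE_INVOICE"},
    "TREASURY":    {"PAY_INVOICE"},
    "AP_SUPER":    {"APPROVE_INVOICE", "PAY_INVOICE"},  # conflict inside one role
    "BUYER":       {"CREATE_PO"},
}

USER_ROLES = {
    "alice": {"AP_CLERK", "AP_APPROVER"},
    "bob":   {"AP_APPROVER", "TREASURY"},  # conflict across two roles
    "carol": {"AP_SUPER"},                 # conflict within a single role
    "dave":  {"BUYER"},
}

# Assumed SoD ruleset: transaction pairs one person must not hold together.
SOD_RULES = [
    ("APPROVE_INVOICE", "PAY_INVOICE", "high"),
    ("CREATE_PO", "APPROVE_INVOICE", "medium"),
]


def user_transactions(user):
    """Return {transaction: {roles that grant it}} for one user."""
    grants = {}
    for role in USER_ROLES.get(user, ()):
        for tcode in ROLE_TRANSACTIONS.get(role, ()):
            grants.setdefault(tcode, set()).add(role)
    return grants


def find_violations(user):
    """One record per SoD rule the user breaches, naming the roles responsible.

    intra_role is True when a single role grants both sides of the pair; that
    kind of violation is fixed by redesigning the role, not by reassigning users.
    """
    grants = user_transactions(user)
    violations = []
    for left, right, risk in SOD_RULES:
        if left in grants and right in grants:
            violations.append({
                "user": user, "risk": risk, "pair": (left, right),
                "intra_role": bool(grants[left] & grants[right]),
                "roles": sorted(grants[left] | grants[right]),
            })
    return violations


def audit_all():
    """Map every user with at least one violation to their violation records."""
    report = {u: find_violations(u) for u in USER_ROLES}
    return {u: v for u, v in report.items() if v}
```

Running `audit_all()` on the sample data reports bob (cross-role) and carol (intra-role) and clears alice and dave, which is the kind of per-user listing an access review starts from.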
Sethi's initiative, which has since been adopted by other T-Mobile International subsidiaries (and is currently being considered by Deutsche Telekom itself), sought to strengthen regulatory compliance and improve business processes by reducing those workarounds. The approach that his team devised requires a blend of technology, people and processes that befits Sethi's hybrid finance-IT background.