Nearly a decade after the implementation of the Sarbanes-Oxley Act (SOX) at publicly traded US-based companies, the verdict is still out on whether or not the law has had a material impact on fraud, breakdown in internal controls, and other problems that the regulation is intended to address. Regardless, SOX is a reality that impacts many organizations in many ways, including how they implement their enterprise applications. Even in cases where a company is not required to be SOX compliant, there are other regulations and internal controls that ERP systems need to address.
When helping our international client base through their ERP implementations, internal controls and regulatory compliance is one of the necessary evils of ERP success. Processes need to be designed in a way that meets regulatory compliance, systems need to be configured to support those processes, and people need to be trained to execute on those compliant processes. In addition, CIOs and CFOs need to institute a framework to ensure that the implemented solution meets SOX and other regulatory requirements after go-live and on an ongoing basis.
Here are three things to consider during an ERP implementation when it comes to SOX, internal controls, and regulatory requirements:
1. Compliance begins during the business blueprint phase of an ERP implementation. While SOX and regulatory compliance may seem like a mysterious finance, CFO or Internal Audit function, compliance begins when creating the business blueprint for your ERP system. Business processes need to be defined in a way that ensures that the segregation of duties, oversight, and other compliance needs are addressed. The designed business processes need to be validated before the blueprint is finalized and before the technical team begins their software configuration. We’ve seen too many companies treat SOX and regulatory compliance like an afterthought, only to have their internal or external auditors raise red flags too late (e.g., after the system was in production or when they failed their first post-go-live audit). This challenge is further magnified by the fact that most modern ERP systems are very flexible and can perform business functions a number of different ways – some of those processes are going to be compliant with your internal our regulatory compliance needs, while others will not. We build this internal compliance, SOX and regulatory review into our ERP business blueprinting methodology for our clients.
2. Organizational change management solidifies SOX and regulatory compliance. Contrary to popular belief, ERP systems can’t always force compliance. They can make it easier to enforce segregation of duties, financial oversight, and approval workflows, but they can’t close off every possible loophole or process breakdown. Organizational change management and employee training is the key not only to ERP success in general but also to getting an ERP implementation to full compliance. These activities help employees understand the need for compliance, clarify the expected business processes, and hold them accountable for executing against those processes and workflows. All the generic software training in the world won’t help create this understanding, but effective organizational change management will. Our clients have found their business processes to be much more efficient, effective and compliant as a result of the organizational change management framework we provide as part of our ERP implementation methodology, toolset and expertise.
3. Include your internal or external auditors throughout the entire ERP implementation project. Just as your executives and employees need to have buy-in into the project, your internal and external auditors also need to support the changes resulting from your new ERP software. As mentioned above, internal audits and controls should be built in to your implementation during the business blueprint phase, but you should also include a number of touch-points in other phases of the project as well. For example, key regulatory and SOX requirements should be defined during your ERP evaluation and selection to ensure you have chosen a system that addresses your needs. In addition, key process controls should be validated during the system design, software testing, user acceptance, and integration testing phases of the ERP implementation. In addition, a formalized compliance audit should be performed as part of a post-implementation benefits realization audit as well.
While Sarbanes-Oxley and regulatory compliance are often one of the last things on the minds of CIOs and relatively low on the list of reasons why organizations typically choose new ERP systems, it becomes very important when it’s time for that first internal and external audit of your business operations and systems. For this reason, it is important to bake these processes into your entire ERP selection and implementation lifecycle to ensure that your organization gets regulatory issues right the first time. It is typically much less costly to invest the time and resources up front rather than finding out after it’s too late.
To find out more about ERP success (and ERP failure), check out our free on-demand webinar series. Subjects include “Tips for Selecting the Right ERP Software for Your Organization,” “Tips on How to Build a Business Blueprint for ERP Systems,” and “Lessons Learned from Failed ERP Implementations.”