Combining Compliance, Controls and ERP

By Kenneth Gabriel


Most corporate executives no doubt view their organizations’ recent efforts to comply with the Sarbanes-Oxley Act as one of the more significant management challenges they've ever faced. They also know that compliance has come at a high cost.

To assess the effectiveness of internal controls, organizations had to commit extraordinary human and financial resources just to achieve compliance. In doing so, a number of corporate leaders found that many key controls had deteriorated over time or were largely manual.

They also discovered monitoring capabilities were either nonexistent or inadequate and, as a result, control failures often went undetected.

Moving forward from these lessons learned, companies are looking to reduce compliance costs and avoid additional remediation work as they work to improve the efficiency and effectiveness of a sustainable compliance program. Such an effort should leverage IT to help drive process and control efficiencies and related cost reductions.

Efficiencies and performance improvements gained from effectively integrating IT into an organization’s compliance program will also help provide a competitive advantage.

Today, many corporate leaders are evaluating ways to integrate their internal controls with their enterprise resource planning (ERP) software systems as a way to improve performance. Because of the demands of new regulatory rules, organizations installing or upgrading ERP systems now have the opportunity to establish good controls from the beginning so they can be monitored and sustained throughout the life of the system.

ERP Controls Integration

Historically, risk and control considerations have often been under-funded or overlooked during the implementation of an ERP system. This resulted in decreased organizational benefit and added risk. However, in an environment where companies face numerous and evolving regulations, and are making changes to business controls and operations as a result, consideration of such issues is critical if a company is to implement an effective and efficient internal-control environment to sustain compliance.

System implementations often have a significant impact on the way processes and controls are designed and monitored. As a result of these design changes, new automated and manual controls should be introduced into the control environment, affecting compliance documentation, testing and monitoring plans.

Consequently, system implementations and changes offer opportunities to integrate controls that enable effective use of resources and allow the organization to reconsider the way it does business so that it may derive greater value from the change.

Adding improved controls within ERP systems can result in many tangible benefits including (but not limited to):

  • Lower cost of operation by eliminating less-effective manual controls. Manual controls are subject to human error or neglect, requiring additional supervisory costs. Implementing automated controls improves control performance.
  • Controls are configured and maintained centrally rather than within every operating unit, eliminating duplicate controls.
  • Automated controls require less testing and provide greater assurance. ERP systems can generate reports to help test the performance of certain manual controls.
  • The cost to identify and correct data errors is high; good controls reduce the volume of errors and eliminate the need and cost to correct them.
  • Quicker and more reliable information for management enables more precise and responsive business decisions.

A Typical Implementation

Implementing or upgrading an IT system requires aligning the software functionality with business processes and controls, along with the organization’s compliance program, in a manner that can help realize business value and sustain compliance.

The documentation from the compliance program, specifically the business controls portfolio and related analysis, can be heavily leveraged when organizations seek to integrate controls into an ERP implementation. Indeed, businesses can apply what they learn during compliance to make sure they are fully leveraging and optimizing all the functionality available within the ERP as they work through the stages of a typical implementation: design, build, test and deploy.

Design

The design stage typically includes an evaluation of the existing application(s) and internal controls, known deficiencies, and the capabilities of the new ERP package. An organization should first identify its business processes and define and document reporting, interface, conversion and enhancement requirements to obtain an understanding of its current systems.

By comparing the capabilities of the new ERP application to the current state, a company can identify business process redesign opportunities, functionality gaps that may lead to work-arounds, or ERP customization needs. The design stage can then produce a road map of the organization’s requirements for how to configure the ERP application and modify the internal-control environment to build a sound financial-management system.

Existing IT policies and procedures and known security loopholes should be a part of the analysis for exception reporting. The project team should also integrate compliance-management requirements as well as parameters for identifying and prioritizing business opportunities.

Build

The build stage involves installing the hardware, operating systems and communication infrastructure based on the design specifications of the ERP application. It also provides the foundation for testing and implementing a sound ERP application and control environment.

During this stage, the organization needs to determine whether controls are properly configured and built into the ERP application or into the internal-control environment. These controls are intended to validate and authorize all transactions according to the control objectives defined during the design stage.

Test

The test stage of the implementation is critical in determining whether the system performs as expected. In this phase, the organization defines the controls testing approach and test criteria. It tests the configurable and inherent system controls and modifies or improves them as needed, and also checks for user and infrastructure security vulnerabilities, as well as IT operations and disaster-recovery preparedness. Efforts to sustain ongoing compliance and to conduct internal training are also established during this phase.

Deploy

Organizations have various options for implementing a new ERP solution, each of which has implications for the validation of the control framework. They can phase in the new system based on business units or geography, or, as most companies often do, pilot some aspect of the new system.

During a pilot project, system functionality and configuration are validated and control techniques are verified. The pilot also validates the control framework.

Following the launch of the new system, the organization monitors and evaluates performance. In addition, a post-implementation control review, focused on the implementation of controls and their effectiveness, will provide additional assurance for ongoing monitoring.

With controls properly integrated into the ERP system, organizations can then use the documentation to update the controls portfolio and the knowledge it provides to assist in further improving and sustaining compliance.


Implementing and optimizing controls in ERP systems is not a simple task, yet it is important to achieving the full benefits of the system and also to help manage and sustain compliance.

Integrating controls into a system implementation project can help enable a business to overcome challenges and deliver a return on the investment. Organizations should pursue an ERP implementation that helps them integrate and optimize controls within finance, operations and compliance processes. By doing so, they will be able to realize process and control efficiencies, cost reductions and sustainable compliance management.

Kenneth Gabriel, based in Chicago, is a partner in KPMG LLP's IT Advisory Services practice. KPMG LLP is an audit, tax and advisory firm and the U.S. member firm of KPMG International. KPMG International’s member firms have 113,000 professionals, including 6,800 partners, in 148 countries.