- (Updated Nov 30) SAP is a world class ERP system provider. If you are an SAP customer – what would you expect them to provide to support your company’s internal controls?
- (Updated Nov 30) The ERP systems market is very competitive. What should SAP and other ERP systems providers be focusing on to make their systems more competitive in the future?
- When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
- What aspect of compliance should an organization put the most effort into ensuring their controls are adequate? What factors about an organization (its industry, profit / non-profit, international, …) would drive this answer?
Sean Patrick Walsh says
3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
The cost of implementing a compliance control may be higher than the benefit obtained when the control is not standardized. Standardizing a control creates efficiency in implementation of the control. Efficiency helps curb cost increase and drive costs down. As standardization and efficiency both increase in the control implementation and execution, profitability will return and/or increase compared to when the control was first put in place.
Deepali Kochhar says
Sean,
You made a good point, but don’t you think standardizing a control in every situation may also lead to an increase in cost? Let’s say we need a control for a temporary period; in that case spending cost to make it standardized will not serve the purpose. I believe understanding the business need to implement a control is the most important thing to manage the cost. Standardization will definitely help to reduce cost if we need the control for a very long time and for a complicated business process.
Sean Patrick Walsh says
In your example I agree that standardization would not be recommended. I am not really sure of when a business would have to, or be inclined to, implement a control only temporarily though. Does understanding the business need for a control actually manage the cost of the control? I can see the business understanding the need for a control justifying the cost of the control, but not managing the costs of a control.
Sean Patrick Walsh says
4. What aspect of compliance should an organization put the most effort into ensuring their controls are adequate? What factors about an organization (its industry, profit / non-profit, international, …) would drive this answer?
The aspect of compliance that an organization should put the most effort into ensuring its controls are adequate are those aspects relating to statutory or regulatory requirements. Laws and regulations requiring specific compliance actions should be of the utmost importance to an organization when implementing control adequacy as failure to do so could cause not only losses due to failure of the controls, but also losses due to fines and lawsuits for failure to meet statutory regulations required by law.
Factors that would drive this decision for an organization would be the type of industry the business is in. The healthcare industry for example has a strict law such as HIPAA that does not pertain to other industries. Whether an organization does business with credit and debit cards could place the business under the guidance of PCI security standard requirements. International businesses have to ensure they are following data collection and storage laws from each nation they do business within the borders of instead of just relying on regulations in its domestic market.
Magaly Perez says
Sean, like you, I agree that regulatory compliance should be of the utmost importance to an organization. I think organizations have much more to lose than by simply skimping out on ensuring the adequacy of those controls. As you mentioned, they will face more damage as a result: not only monetary loss but reputational loss as well.
Said Ouedraogo says
Sean,
I agree that the aspect of compliance that an organization should put the most effort into ensuring its controls are adequate are those aspects relating to statutory or regulatory requirements. In fact, an organization must meet local, national and international laws and regulations. As you said, failing to do so can lead to financial loss due to lawsuits, customer boycotts or fines.
I also agree that it depends on the industry (regulated/non-regulated) in which the organization operates. For example, Pfizer (pharmaceutical industry) would definitely focus more on regulatory compliance than Sony Pictures (entertainment industry).
Brou Marie Joelle Alexandra Adje says
Overall I think that organizations need a compliance plan. In order for that plan to be effective, it must become an integral part of the organization. It cannot simply lay dormant until an auditor shows up or a violation occurs. Statutory and regulatory compliance streamline organizations’ business operations, reduce the likelihood of statutory violations, and help to mitigate any damages resulting from a breach. When compliance begins to be a part of the daily culture, maximum results are achieved.
Deepali Kochhar says
When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
The cost of implementing a compliance control may be higher than the benefits in the following case:
• When the Return on investment is miscalculated
• Not monitoring the total cost of implementation of compliance relative to its effectiveness may lead to higher spending.
• Misunderstanding the business requirement and implementing the compliance which is not needed will increase the cost without adding any value to the business. For example, it may not be feasible for an organization to implement segregation of duties so it is very important to understand the needs and feasibility and come up with an alternative solution which keeps the cost low and serves the purpose. In this example an alternative can be implementing compensatory controls to keep the cost low.
To ensure efficiency and profitability, analysis of the business and compliance implementation requirement is very important before making a decision to implement the same. Cost estimation and return on investment must be calculated to ensure that the compliance being implemented will ensure effectiveness.
Binu Anna Eapen says
Well written, Deepali. While miscalculating compliance cost can be one of the reasons why compliance costs more than anticipated, I believe mostly small-scale businesses tend to overlook compliance as it sometimes can be too costly for them. It may not be required for them by the law sometimes but it is always recommended. If there are any government regulations then even small-scale businesses will need to follow them.
Paul Linkchorst says
Hi Binu,
I think you are right that small businesses often overlook compliance, but as you stated, I think compliance regulations are not often targeted toward these smaller organizations. Two larger compliance regulations that we discussed throughout this program are Sarbanes Oxley (SOX) and the Payment Card Industry Data Security Standard (PCI DSS). SOX only applies to those organizations who are publicly traded requiring a certain level of compliance for internal controls. Similarly, PCI DSS is not a federal regulation but suggests two types of evaluations be performed to identify if an organization is PCI compliant or not. These two categories are basically broken down into small businesses and large businesses, where small businesses can do a self-evaluation while large businesses need a PCI audit performed. Therefore, compliance regulations don’t often target small businesses and therefore small businesses don’t spend too much effort on the compliance controls.
Deepali Kochhar says
Paul, you made a good point here. Definitely compliance regulations often don’t target small businesses and this is the reason small businesses cannot afford to implement those. This is one of the reasons small businesses become less competitive against big business.
Mansi Paun says
Rightly said, Deepali. You mentioned a very good point about miscalculating return on investment. It never occurred to me that miscalculating ROI was a possibility. Besides these, the compliance cost could be higher than the financial benefits when it comes to implementing regulatory compliance controls. Since many of these controls are to safeguard customers as well, they are in fact a cost that does not have a corresponding profit or return associated, but it would have indirect benefits such as offsetting expenses arising out of litigation or preventing reputational losses.
Ming Hu says
Nice point. In your example, some kind of Segregation of Duties may be infeasible, especially for those small businesses, because they don’t have too many employees and the price is too high. And I agree with you about miscalculation of Return on Investment, we all know how difficult it is to conduct a quantitative analysis, even for those big companies.
Brou Marie Joelle Alexandra Adje says
Deepali,
I think to manage the high cost of compliance, every company must be aware of the dynamics between total cost of ownership (TCO) and compliance costs. It is definitely important to monitor the total cost of compliance relative to its effectiveness. In fact, higher spending does not necessarily mean a higher level of compliance or reduction of risk.
Deepali Kochhar says
Definitely, Alex, spending must go along with the business objective in order to find a good return. Spending high, if not judged properly, will increase the cost to the business rather than serving to get a good ROI.
Magaly Perez says
SAP Question 1: Is SAP universally compliant worldwide, since they cater to different regions of the world? Or is it just compliant with the targeted region in which their ERP system is stationed?
Magaly Perez says
3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
I believe the cost of implementing a compliance control is higher than the benefit obtained when the controls are not standardized. According to ISACA, “the use of manual controls, or semi-automated or homegrown controls, has become costly, obsolete and simply not sustainable”. By deciding to standardize the internal controls, a company is able to be more efficient. The efficiency stems from their ability to reduce cost in the long run by mitigating inherent future risk, which then improves their overall processes in a compliant manner, to overall proactively protect themselves. However, companies must build a business cost-analysis case in order to make sure the return on investment: “time evolution of benefits (the expected benefits of automated controls over time) and time evolution of costs (the initial cost of deployment and recurring costs of operation and maintenance)”.
source: http://www.isaca.org/Journal/archives/2011/Volume-5/Pages/A-Framework-for-Estimating-ROI-of-Automated-Internal-Controls.aspx
Magaly Perez says
4. What aspect of compliance should an organization put the most effort into ensuring their controls are adequate? What factors about an organization (its industry, profit / non-profit, international, …) would drive this answer?
I believe the aspect of compliance an organization should put the most effort into ensuring their controls are adequate is regulatory compliance. Although they are associated with constraints, inspections, audits, penalties and laws, they prevent unethical conduct and violations of the law. Inherently, they are a necessary evil that is mandatory. Ensuring regulatory compliance can allow organizations to become more efficient, such as establishing customer loyalty and trust, improving operational process, etc. Conversely, factors that would drive this selection would most definitely have to be aligned with the organization’s industry. In order for an organization to be profitable they must align their business objective with regulatory compliance. For example, retailers should put the most effort into ensuring their controls are Payment Card Industry (PCI) compliant, because that specifically applies to their industry, because their industry solely runs off of the purchases made by its customers.
Brou Marie Joelle Alexandra Adje says
Laly, for the most part I agree with you. In fact, organizations must meet not only regulatory requirements but also statutory requirements. Both statutory and regulatory requirements are required by law. They are non-negotiable and must be complied with, no matter what. I like that you mentioned the Payment Card Industry Data Security Standard; if companies comply with all its requirements, they run less chance of suffering from major network breaches.
Mansi Paun says
I agree with your viewpoint, Magaly. Organizations should put more effort into ensuring their systems are compliant with regulatory standards. Of course the costs associated with building compliant systems will eventually be passed on to the customers. You rightly pointed out that the type of industry would drive the controls and selection of control frameworks. Health care companies would be required to be HIPAA compliant and e-commerce companies would be required to be PCI-DSS compliant. CPG (Consumer Packaged Goods) would be required to be FDA compliant.
Deepali Kochhar says
Definitely, Mansi, it is very important to understand the need of the organization before deciding which control to go for in order to derive the best return on investment. Implementing unwanted controls will simply increase the cost without adding any value to the business and will rather lead to a decrease in profitability.
Said Ouedraogo says
The ERP systems market is very competitive. What should SAP and other ERP systems providers be focusing on to make their systems more competitive in the future?
I think what can differentiate one ERP system from another is the level of customization and the availability of the system. In fact, more and more companies are looking to customize ERP systems to fit their needs. It would be advantageous for an ERP systems provider to provide more customization options to its clients. Also, it would be better if ERP systems like SAP developed “Web-deployed ERP” systems. With that, the ERP software is not purchased by or installed at the client company. Instead, it resides on the vendor’s host computer, where clients access it through an Internet connection. Web-deployed ERP centralizes the system, and allows companies to reduce their IT investment in hardware and personnel.
Magaly Perez says
Said, great post. I agree the customization of the ERP system would allow them to be more competitive, as each organization may need different services. I decided to look up the benefits of web-deployed ERP systems vs. on premise development on advantages and disadvantages.
- On-Premise ERP Systems: are most customizable and offer more control over data
- Web-Based ERP Systems: are cheaper initially, stable and easier to use
Overall, I believe an organization must weigh what system works for them, but if ERP systems are flexible with customization, I believe that will truly make the competitors. Below, I have enclosed an article that analyzes the pros and cons of each ERP system platform, if you are interested in checking it out.
http://www.softwareadvice.com/resources/cloud-erp-vs-on-premise/
Vu Do says
Great answer, Said. Customization for users would be a definite benefit for customers and would make the ERP system different than the competitors. Users would be able to set it up to their needs and make it easily accessible for themselves, which would be a benefit. You brought up a good point about making the system online-based instead of having software installed. At my old company that is how we accessed the system, through a host server, and it made it easy to get onto the organization’s software system.
Mansi Paun says
Excellent point about the ‘web-deployed ERP systems’, Said. The reduced initial costs would certainly be a leverage where they are trying to lure SMB market customers. However the vendor company must ensure they have proper security controls in place as security would be of prime concern where the vendor company is hosting the ERP system and data.
Yu Ming Keung says
Can’t agree more with the customization options; it can create the real SAP that fits what an organization really needs. It will be much easier for users to access SAP. Think about an SAP software where an organization just uses a few functions and features; it sometimes confuses the users with too many functions. If SAP can let users customize what they need, SAP will become the biggest competitor in the market.
Ming Hu says
Nice point Said. Customization definitely is a very important factor for customers, especially considering the fact that most of the companies are spending more money in customizing SAP ERP for their enterprise to bring the project in a great success. If the provider could supply more customization options, including design, change, upgrade, and customer support, it could be more competitive in the market.
Magaly Perez says
2. (Updated Nov 30) The ERP systems market is very competitive. What should SAP and other ERP systems providers be focusing on to make their systems more competitive in the future?
As technology evolves, so must ERP system providers. I believe in order for SAP and other ERP system providers to make their systems more competitive in the future are to cater to their customers’ needs of instant results. I believe if the ERP systems are able to provide automatic controls that run on real-time monitoring such as be able to detect vulnerabilities, verify if they are compliant with regulations, if fraud is occurring in the transactions. By providing real-time services, would most definitely make them more competitive in the near future.
Sean Patrick Walsh says
I like the idea of a built-in ability to monitor at real-time. If the package came with some type of HUD for management and key personnel to display on their work stations that would make the idea even more attractive. By having the ability to track key metrics to highlight efficiency and potential fraud at real-time would definitely be a great selling and marketable aspect of differentiation for a business that designs and sells ERP packages.
Magaly Perez says
Hey Sean,
Yes, I think if ERP systems were able to cater to that aspect of real-time monitoring, it would most definitely set them apart. As we know, technology is constantly evolving, and being able to offer that service would get gobbled up by businesses. Not only would they be able to run more efficiently in all realms, such as making sure that their systems are constantly compliant, but it would be able to be used as a deterrent: if employees knew that the system instantly detected fraud, they would think twice before even attempting to do anything.
Priya Prasad Pataskar says
That is a great point, Magaly. Automatic fraud detection would be difficult to achieve but may be possible to a certain extent. I have mentioned in one of my posts that automated data entry would add a level of accuracy. And if any inaccurate data is entered, fraud can be detected.
SAP supports a Fraud Management module. Mass detection transactions exist to detect fraud you specify. SAP checks for the detection strategy in detection methods. Detection methods are the user-defined rules that should be followed to avoid fraud. Then the system checks for the selected detection strategies if the detection methods (rules) apply. SAP detects by assigning a number between 0 and 100 independent of what type of rule it represents. The detection method passes the detection result through to the strategy. In the detection strategy the detection result of each detection method is divided by 100 and multiplied by the weighting factor that is assigned to the detection method. This is the risk score of the detection method in a given strategy. The user will be alerted if the sum of all detection method risk scores is higher than the threshold.
Source: http://help.sap.com/saphelp_fra110/helpdata
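The weighted scoring described in the comment above, as an added example that is not part of the original thread and is not SAP code or an SAP API. The three detection methods, their weighting factors, the threshold and the invoice records are all constructed assumptions.

```python
"""Weighted risk scoring over a batch of records (illustrative only).

Every name, rule, weight and record below is a hypothetical stand-in
constructed for this example; none of it comes from SAP.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor: str
    amount: float
    created_by: str
    approved_by: str


# A detection method is a user-defined rule returning a result from 0 to 100.
def near_approval_limit(inv, batch, limit=10_000.0):
    """Amounts just under an assumed approval limit suggest limit evasion."""
    if inv.amount >= limit:
        return 0
    gap = (limit - inv.amount) / limit
    return 100 if gap <= 0.01 else 60 if gap <= 0.05 else 0


def creator_is_approver(inv, batch):
    """Segregation-of-duties check: one user both created and approved."""
    return 100 if inv.created_by == inv.approved_by else 0


def duplicate_vendor_amount(inv, batch):
    """Another invoice in the batch has the same vendor and amount."""
    dup = any(o.invoice_id != inv.invoice_id and o.vendor == inv.vendor
              and o.amount == inv.amount for o in batch)
    return 80 if dup else 0


@dataclass(frozen=True)
class Strategy:
    methods: tuple      # (detection method, weighting factor) pairs
    threshold: float


def risk_scores(strategy, inv, batch):
    """Per-method risk score = detection result / 100 * weighting factor."""
    scores = {}
    for method, weight in strategy.methods:
        result = method(inv, batch)
        if not 0 <= result <= 100:
            raise ValueError(f"{method.__name__} returned {result}, expected 0..100")
        scores[method.__name__] = result / 100 * weight
    return scores


def mass_detect(strategy, batch):
    """Score every record; alert only when the summed score exceeds the threshold."""
    alerts = []
    for inv in batch:
        scores = risk_scores(strategy, inv, batch)
        total = sum(scores.values())
        if total > strategy.threshold:   # strictly higher, as the comment describes
            alerts.append((inv.invoice_id, total, scores))
    return alerts


# Constructed sample batch.
INVOICES = [
    Invoice("INV-1", "Vendor A", 9950.00, "alice", "bob"),
    Invoice("INV-2", "Vendor B", 1200.00, "carol", "carol"),
    Invoice("INV-3", "Vendor A", 9950.00, "dave", "erin"),
    Invoice("INV-4", "Vendor C", 430.00, "alice", "bob"),
]

# Constructed strategy: weights and threshold are assumptions.
STRATEGY = Strategy(
    methods=((near_approval_limit, 30),
             (creator_is_approver, 50),
             (duplicate_vendor_amount, 40)),
    threshold=50,
)

if __name__ == "__main__":
    for invoice_id, total, scores in mass_detect(STRATEGY, INVOICES):
        fired = ", ".join(f"{name}={score:g}" for name, score in scores.items() if score)
        print(f"ALERT {invoice_id}: risk {total:g} > {STRATEGY.threshold} ({fired})")
```

INV-2 trips the heaviest rule but lands exactly on the threshold, so it raises no alert; whether a single high-weight rule should alert on its own is a tuning decision for the weights and threshold.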
Yulun Song says
The automatic control that SAP implements is a great idea. I think by adding this function to existing SAP functions, SAP will become more popular to use and reduce frauds that human beings can make.
Yu Ming Keung says
I really like the idea that you suggested, if any enterprise can run automated controls to check if they are complying with the compliance. If an enterprise knows what they are violating, they can immediately address the issue!
Brou Marie Joelle Alexandra Adje says
2) The ERP systems market is very competitive. What should SAP and other ERP systems providers be focusing on to make their systems more competitive in the future?
In order to make their systems more competitive, SAP and other ERP systems providers should first make sure that their system is flexible. Most of the time SAP customers complain about the fact that the system is not flexible. In fact, SAP ERP doesn’t offer the tools to manage master data in the ways required by today’s complex organizations. Yes, it excels at transaction processing, but it isn’t designed for active management of critical master data. Second, it should be user friendly, and adaptable as the company grows. Ideally, companies should be able to begin with the functions they primarily need and unlock additional capabilities as needs change, without having to undergo disruptive and costly revamping of the ERP system.
Sean Patrick Walsh says
I agree that ERP system flexibility is a great competitive selling point. Being able to purchase a system that gives the business the flexibility to adjust the system to fit its individual needs is definitely a positive aspect. Having a system in use that is rigid may not provide the streamlined efficiency that a business wants with its ERP system. That system rigidity may force the business to continue to utilize some legacy software to fulfill aspects of its business processes and functions that the ERP system will not allow it to do with the same ease of fluidity. Increasing the flexibility of an ERP offering will help mitigate businesses from writing code to customize the ERP package itself and potentially creating vulnerabilities and interface errors when doing so.
Priya Prasad Pataskar says
I totally agree with your point. I think SAP should be more flexible in accepting automated data entry.
Automation in data entry would increase efficiency and involve fewer error points. Scanning barcodes, swiping cards to collect information, and reading barcodes from bills, receipts etc. would ensure accuracy to a great extent and simplify the data entry process.
Sean Patrick Walsh says
I agree with you concerning automation. The more a company can automate in a process the less risk a business is exposed to from manual entry errors from employees. Aside from removing or lessening risks due to entry errors, automation also speeds up many different processes of a business. This increase in speed can translate into cost cutting savings and revenue growing efficiency.
Mansi Paun says
Very well written, Alex. And I agree with you on scalability and ease of use being important criteria for ERP systems. Organizations must not undermine both these points as, to a certain extent, they do affect customers’ viewpoints while selecting an ERP system to use for their business. For example, companies will be hesitant to buy an ERP package if there is very low availability of personnel who can manage the system, despite the ERP package being cheaper and right for the business need.
Seunghyun (Daniel) Min says
Q1: (Updated Nov 30) SAP is a world class ERP system provider. If you are an SAP customer – what would you expect them to provide to support your company’s internal controls?
1. Employee Training – If I am an SAP customer, I would like to ask them to train my employees for the internal control perspectives. Training my employees will significantly help my organization in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies.
2. Access Management – SAP would also need to provide me an access control feature of the ERP system. Depending on data classification that I want to gradually give access privilege to each employee. Access Management should be supported by the SAP ERP system.
3. Regularly updating patches – Especially for security perspective, it will be required for SAP to keep updating the latest patches to my ERP system.
Said Ouedraogo says
Hey Daniel,
I think employee training can be a double edged sword to the extent that during training employee will find eventually some flaws to the system that they will use to commit fraud. Don’t get me wrong, I am not saying that employee training shouldn’t be in place. Quite the contrary, I think it should be mandatory.
However, I also think that some curious and smart employees will take advantage of that training to do things they are not supposed to do.
Paul Linkchorst says
Hi Said,
I can see your point as to why it might not be the smartest idea to train all employees about how SAP goes about controlling certain processes. It might be better off training only employees with a management or governance responsibility; one who is accountable to make sure fraud and errors don’t occur within a process. By training those individuals responsible for controls/processes, it might be able to create the efficiency and effectiveness that Daniel had mentioned in his comment, while not revealing too much information to those individuals who could potentially circumvent the controls in place.
Wen Ting Lu says
Hi, Said
Very thoughtful comment. You are right that some employees will probably take advantage of flaws of the system they learned from the training and apply that to commit fraud. However, I think there are more pros than cons to implementing SAP training for employees. If I were an employee working with SAP or other ERP systems, I would appreciate it if there were training for us to learn how SAP functions and processes. In order to operate efficiently, employees must have knowledge of how ERP systems work.
Binu Anna Eapen says
Great points, Daniel. I agree that employee training and regular patch updating are very important and need to be done to ensure security. But I am not sure if I would want the SAP provider to have access control rights for role delegation and granting permission. This would mean giving control to an external organization. I would want an internal team within the organization to have administrative controls for delegating access.
Joshua Tarlow says
Employee training is definitely crucial. However, many organizations conduct training, but do not have a culture to complement it. Proper training can educate and inform employees so they have the knowledge, but it’s not as useful without a culture that supports its goals. An employee may be well informed, but if it is clear the company doesn’t care in practice, then many will be less likely to themselves.
Brou Marie Joelle Alexandra Adje says
I totally agree with you, Daniel. Additionally I think customers expect SAP’s sales staff to have in-depth knowledge of their sector, industry challenges, business processes, and relevant key performance indicators. They need to understand the challenges that their customers face in order to better assist them.
Wenlin Zhou says
I agree with you. Employee training is important. For an effective implementation of SAP system, employees in an organization must be well knowledgeable in all the SAP functions and processes. Employees with inadequate SAP training may not do well in the business processes after SAP implementation, leading to operational inefficiency. This is why training is as important as SAP installation and implementation. Without the sound knowledge of the SAP process, implementation will be greatly affected. There are several training courses available. The type of SAP training your employees go for will be dependent on the business process in your organization.
Seunghyun (Daniel) Min says
Q2: (Updated Nov 30) The ERP systems market is very competitive. What should SAP and other ERP systems providers be focusing on to make their systems more competitive in the future?
In general, today’s commercial market is very competitive no matter what product you are trying to sell. But one thing I notice is that companies that are continuously succeeding and dominating the market have something in common. That is, they are mostly customer-driven companies. Making things simpler, safer, and more attractive will be the key drivers to be more competitive. This is no different for the ERP systems market. The product per se is very sophisticated and complicated, and if you are not an expert at it, it won’t be friendly for you to operate it. In short, I can’t say what exactly SAP or other ERP providers need to change or improve; however, just think more about how to make your customers happier, their lives easier, and them come back again.
Binu Anna Eapen says
I agree with you, Daniel, that any ERP system should be customer oriented and should have flexibility in terms of the customer being able to customize the product as per the customer’s need. Flexibility and adaptability are two important factors the ERP system market should keep in mind. As companies grow and are prone to new changes, the ERP system should be able to adapt to the new changes.
Seunghyun (Daniel) Min says
Q3: When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
In my opinion, for some industries where companies are highly regulated, such as pharmaceutical companies, depending on some cases their cost of implementation of a compliance control would be much higher than the benefit that they would obtain. However, for a long-term goal, if the compliance control would benefit the whole company, then I think they should proceed to implement it. For example, if a pharmaceutical company is planning to create a medicine that will help cure many of patients who are suffering from the very specific brain cancer. But the government puts a strict regulation to the company in researching those kinds of medications. The pharmaceutical company should place a compliance control that would most perfectly prevent them from violating the government’s regulation, which might cost them so much money. It might not seem beneficial for them to implement those highly cost controls; however, after they succeed to create the medication for that specific brain cancer, they will have a lucrative market to make revenue. In short, sometime, a company should invest much to meet all the requirement that authorization suggests in order to go for higher benefits.
Said Ouedraogo says
Great post Daniel,
I agree with you. I just want to add that sometimes the cost of implementing a compliance control is so high that some companies can’t afford it. And the ones who take the risk to spend a huge amount of money on compliance controls are not sure to see the positive results in the long run. Let’s take your pharmaceutical company example. What if after investing in controls the company can’t finalize the project for whatever reason?
The bottom line is that some companies will take shortcut to avoid this situation but at the same time they will put themselves in other risks. In this example, it is really hard to ensure efficiency and profitability when the cost of implementing a compliance control is higher than the benefit obtained.
Joshua Tarlow says
Sometimes the compliance requirements mandated by governments can be in the company’s interest. In your example, if the company produces a drug with great benefits, but does not conduct thorough trials, it may find negative side effects in later years, which could ultimately harm its reputation and business. Determining if a drug is safe for consumers is a long and expensive process, but companies should take these precautions regardless of the compliance requirements because the risk is too great.
Seunghyun (Daniel) Min says
Q4: What aspect of compliance should an organization put the most effort into ensuring their controls are adequate? What factors about an organization (it’s industry, profit / non-profit, international, …) would drive this answer?
In my opinion, you need to put the most effort to content the compliance that is regulated by the government. This is because for most of time, government policies are the reasons that people can start and terminate their businesses. For example, in a country like South Korea, guns are under the gun restriction policy. However, what if the South Korean government overturns that policy? Then now people can start businesses to sell guns and that will create a new market in South Korea. Or it can be vice versa in the United States. That is why we need to be sensitive about the compliance created by the government entities. To that end, the driver factor is an industry. Most industries compose of their unique compliance due to their different aspects of businesses. For example, a pharmaceutical industry and banking industry are run in very different compliance.
Priya Prasad Pataskar says
Well said Daniel. Compliance to government is mandatory and should be priority.
I also think, compliance to industry standards is essential. Some governments would mandate compliance to certain standards.
For example, a company may decide to go for ISO27001 compliance; it might not be necessary but they still implement it as best practice. Standard implementation would bring in best policies and well established methods, and develop the organization’s culture. This would be a long term benefit.
Vu Do says
Good point Daniel, the government definitely plays an important role in regulating compliance laws for organizations to follow. The government sets policies for organizations to follow to make sure that not just that organization but all organizations of that type follow the same rules and regulations. This is to make sure everything is safe for their customers and that no organization would be at a disadvantage. So making sure your organization is in compliance with the government will make sure everything is running smoothly.
Joshua Tarlow says
Definitely agree that government plays a large role in regulating compliance. Often industries look for the government to establish standards which may or may not be mandatory. It can be beneficial for companies across an industry to rely on a standard framework for some compliance and security areas. It also saves companies from investing resources to establish these themselves.
Abhay V Kshirsagar says
Dan,
Good point. Also, another reason for ensuring that the compliance regulated by the government is satisfied is the fact that nowadays companies are doing business with other companies by factoring in this exact point. For instance, if I am a communication company like T-Mobile, I would certainly want the company that does credit checks for my customers to be following the compliance that ensures that a safe environment is established for my customers’ critical data. So, companies are making sure that they are doing business with such companies to avoid risks like data breach, loss of reputation in the market and legal risks.
Wenlin Zhou says
SAP is a world class ERP system provider. If you are an SAP customer – what would you expect them to provide to support your company’s internal controls?
SAP has the customization for our company to use. SAP makes some manual processes automated. Multiple fragmented solutions working in isolation, rather than integrating with back-end enterprise resource planning (ERP) systems, complicate IT management and maintenance. Data must be entered manually, compromising accuracy. Without an automated system that monitors data directly from an ERP system, control assessments must rely on smaller data samples, and results become less reliable. As the volume and variety of data continue to increase – including unstructured data from e-mails, Web sites, and documents – it becomes impossible to manage control-evaluation processes manually in Big Data environments.
Priya Prasad Pataskar says
I agree with you Wenlin. Data entry in SAP is the entry point of errors. Currently, a radio frequency (RF) solution is implemented by SAP’s warehouse management. They use mobile RF terminals to automate entry of data into the system. They scan the information that needs to be recorded, using bar codes, for example to verify the storage bins.
Said Ouedraogo says
Hey Priya!
Thank you for sharing that. But don’t you think that could bring new risks to the company? What if someone interferes with the RF terminals or the bar codes?
Priya Prasad Pataskar says
When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
Generally small businesses would face the issue of huge costs in implementing controls. A small scale business or a start up company may not want to implement certain controls for two reasons. One, the cost of implementation is not affordable; two, company might not be sure if they are going to continue with those functions in long term or not. So they would not be willing to invest unless a fixed plan is ready. Company focus should be placed on cost-benefit relationships.
Companies can find alternative solutions to ensure that the missing controls do not cause serious harm. For example, for SOD, if a company cannot afford to hire a new employee they can ensure the employee’s work is audited frequently and in detail. If a preventive control is costly, at least a detective control must be in place to flag the error so that corrective measures can be taken.
Companies must verify if they can afford to not implement the control as failures can cause much more harm compared to control implementation cost.
Binu Anna Eapen says
2. The ERP systems market is very competitive. What should SAP and other ERP systems providers be focusing on to make their systems more competitive in the future?
ERP system should be chosen based on specific industry’s need. An efficient, integrated system is important for the company so that communication is efficient and error/fraud can be reduced to a great extent and secure information is available to concerned person with appropriate rights. An ERP system should make sure that all business functions have access to the same data accurate, complete and with no errors at all time. ERP system provider should make sure that the below is achieved to ensure more customers use the system:
• Security: This is of the greatest concern now as large amount of confidential data is present.
• Flexible: It should be flexible and should have scope for customization. Once an ERP system is in place, trying to reconfigure it while retaining data integrity is expensive and time-consuming. So it should provide support to customize as per the company’s requirement
• Support all platforms or platform compatible: Like Apple, Windows
• Should be apt for the business size: whether it is small scale, medium scale or large scale.
• Cost efficient
• Provide continuous support
• Deployment: On premise as well as cloud
Mansi Paun says
2. The ERP systems market is very competitive. What should SAP and other ERP systems providers be focusing on to make their systems more competitive in the future?
While there are many SAP and ERP systems out there which offer superior benefits when compared to others in the market, below are the ones that stand out.
• Better Integration and ease of Integration with other infrastructure systems – like e-commerce ERP system could be better integrated with external shipping vendor’s ERP system to provide better delivery related information and timelines.
• Ease of customization – SAP offers excellent customization options within individual ERP systems despite having standardized configuration packages. However, not all ERP systems offer these customization options, which gives SAP an edge over the others to an extent.
• Scalability – A good ERP system should offer ease of scalability as the business and business landscape changes with the dynamics of current trends
• Training – If the ERP vendor can provide training for staff, that would be an added benefit that the customer can consider which would help in narrowing down options.
• More functionalities in areas of analytics and reporting and availability of information in real-time
• Better cost-to-value ratio – For any organization, cost-to-value is always going to be an important criteria while selecting from the range of systems available.
If companies could focus on these facets when designing their products and applications, they would be making a compelling case for their product.
Wenlin Zhou says
The ERP systems market is very competitive. What should SAP and other ERP systems providers be focusing on to make their systems more competitive in the future?
The Internet of Things (IoT) is a concept that provides objects, such as cars and electrical appliances, with the capacity to transfer data over a network without requiring human interaction. In the case of ERP, devices are available that can be attached to tools and even vehicles, feeding data back to applications hosted in the cloud. Information such as location, usage and performance can then be easily accessed, allowing organizations to identify issues like where unused assets are, or if maintenance is required.
Vu Do says
4. What aspect of compliance should an organization put the most effort into ensuring their controls are adequate? What factors about an organization (it’s industry, profit / non-profit, international, …) would drive this answer?
The compliance that an organization should put the most effort into ensuring that their controls are adequate relates to law and regulations in which they are operating in. They must know all the laws of their county and make sure that they are in compliance of them, if not they could face severe penalty. Depending on what type of organization it is, they must know the law and regulations no matter if its industry, profit/non-profit or international. For an international company, they must know the law and regulations of the foreign land to make sure they are in compliance with it or else they may have to close down operation and face fines and penalty for non-compliance. So no matter what type of organization the company is, they must learn about the laws and regulations before they begin operations.
Wen Ting Lu says
I agree with you! It’s important for an organization to follow rules and regulatory compliance requirements. For example, five top regulatory compliance concerns for financial services are:
1. USA Patriot Act
2. Comprehensive Capital Analysis and Review (CCAR)
3. Financial Industry Regulatory Authority (FINRA)
4. Consumer Financial Protection Bureau (CFPB)
5. Office of the Comptroller of Currency (OCC)
Each industry has its own sets of rules and regulations that organizations within the industry must comply with to ensure their controls are adequate.
Wenlin Zhou says
When is the cost of implementing a compliance control higher than the benefit obtained?
Businesses often respond to regulatory compliance issues in an ad hoc, one-off manner. This approach is less and less viable as regulatory mandates, such as those of the Sarbanes-Oxley (SOX) Act, continue to multiply. Businesses must approach compliance holistically, creating solutions that work together over the long term. This means assessing compliance practices in light of the total cost of compliance (including the company’s risk exposure), coming up with effective ways of measuring the effectiveness of compliance efforts and creating a compliance governance structure that allows planning for the future.
Recommendations:
• Combine compliance requirements and build synergistic solutions. The effort saves time and money as well as establishes a framework for responding to future requirements.
• Monitor the total cost of compliance relative to its effectiveness. Higher spending will not necessarily mean a higher level of compliance or reduction of risk.
• Understand, categorize and communicate the risks of noncompliance to your business. Agree on your preferred risk profile.
• Create a “weather bureau” to forecast changes in governance and compliance requirements.
• Create an explicit link between compliance, performance management and value.
• Manage compliance as a program, not a project. (Regulatory compliance must be continuous.)
http://logic.stanford.edu/POEM/externalpapers/understanding_the_costs_of_c_138098.pdf
Vu Do says
2. The ERP systems market is very competitive. What should SAP and other ERP systems providers be focusing on to make their systems more competitive in the future?
I think ERP system providers should focus on making user interfaces more user friendly and on security for the system. Employees using the system would want things to be easily accessible and understandable. It would make it easier for users to navigate through the system without any issues and they would not be confused about where things are when working. For myself, I would like it to be easy and concise to understand and find where things are. It would differentiate the system from competitors by making the user interface more user friendly. Security is another important thing; you want the system to be secure so that your work and customers’ personal information is safeguarded against attack. So making sure you have security features in place to protect the data is important and it would beat out competitors if they have faulty issues that attackers can bypass.
Binu Anna Eapen says
I agree with you Vu Do. Security is one of the biggest concerns for any growing/established organization. ERP today has undergone a transformation which makes it highly integrated, more intelligent, more collaborative, web-enabled and even wireless or cloud based too. The ERP system is hence becoming highly vulnerable and needs to maintain high confidentiality. Many ERP vendors have already integrated their security solution, which may work well internally; while in an open environment, we still need new technical approaches to secure an ERP system.
Joshua Tarlow says
Security is definitely a vital issue going into the future. One weakness SAP has is that with every user on the system, the risk increases. Because the software is meant to be used across an enterprise, it works against the ERP in a way. In any scenario, the more times something is done, or as a group size increases, the risk always increases. So one security focus should be addressing how to implement controls and security provisions effectively which can blunt the relationship between size and risk.
Yulun Song says
I’ll agree with you Vu! Simplicity is the most important point that SAP should focus on. Once it becomes simple to use, it will also increase the number of users and generate more revenue for the company. Security is definitely another point that SAP should focus on. Once SAP becomes simple to use, it will also reduce some errors that many users may make, and security will also be added value on that!
Wenlin Zhou says
I agree with you. Security is very important in SAP. Any security vulnerability may result in financial loss, business disruptions, misstatement of financial information. Unlike infrastructure security vulnerability, SAP security vulnerability may directly impact the business. SAP is an integrated system, therefore, any errors may have a widespread impact.
Wenlin Zhou says
What aspect of compliance should an organization put the most effort into ensuring their controls are adequate?
The five essential elements of a corporate compliance program:
1. Leadership. The point means more than simply “Tone-at-the-top”; a successful compliance program must be built on a solid foundation of ethics that are fully and openly endorsed by senior management. There should be an unambiguous, visible and active commitment to compliance. But even more than support or the right tone, compliance standards require that companies must have high-ranking compliance officers with the authority and resources to manage the program on a day-to-day basis. And compliance officers must have the ear of those ultimately responsible for corporate conduct, including the board of directors.
2. Risk Assessment. The implementation of an effective compliance program is more than simply following a set of accounting rules or providing effective training. Compliance issues can touch many areas of your business and you need to know not only what your highest risks are but where to marshal your efforts in moving forward. A risk assessment is designed to provide a big picture of your overall compliance obligations and then identify areas of high risk so that you can prioritize your resources to tackle these high risk areas first.
3. Standards and Controls.
4. Training. Another pillar of a strong compliance program is properly training company officers, employees and third parties on relevant laws, regulations, corporate policies and prohibited conduct.
5. Oversight – including monitoring, auditing and responses. The issue your company should focus on here is whether employees are staying with the compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are adhering to the compliance program. These ongoing efforts demonstrate your company is serious about compliance.
https://www.lexisnexis.com/legalnewsroom/corporate/b/fcpa-compliance/archive/2013/05/23/what-are-the-essential-elements-of-a-corporate-compliance-program.aspx#sthash.fWRYzFXd.dpuf
Fred Zajac says
(Updated Nov 30) SAP is a world class ERP system provider. If you are an SAP customer – what would you expect them to provide to support your company’s internal controls?
The first thing I would want from SAP are pre-configured controls meeting any compliance or regulatory industry requirements, business processes, and common risks. The second thing would be a real-time alerting system, so I could react to any issues that may arise. The third thing I would want is a dedicated account manager. Someone I can develop a relationship with, and will escalate any tickets to the appropriate department, the first time.
SAP offers GRC software to help strengthen your business by simplifying your internal controls. This is something I would investigate.
http://go.sap.com/product/analytics/internal-control.product-capabilities.html
Fred Zajac says
(Updated Nov 30) The ERP systems market is very competitive. What should SAP and other ERP systems providers be focusing on to make their systems more competitive in the future?
ERP providers should focus on each business as a unique client. Sure, most medium to large companies need some form of ERP system, but not all businesses are alike. Just like we all must cook or someone will to live, not all families enjoy the same foods.
To remain competitive, ERP providers should listen to the clients and adjust the overall ERP system to the needs, requirements, and risks associated with the unique company.
Full disclosure, this is the first time I have used SAP but in my short time, have experienced several different functions, and can’t believe one person knows all the configurations that can be made. This means tickets are created, recommended changes are reviewed, and initiated based on SAP’s opinion. This could take several months, years, or never happen at all. This isn’t good support.
The quicker and more customizable solution will separate one ERP company from another.
Fred Zajac says
What aspect of compliance should an organization put the most effort into ensuring their controls are adequate? What factors about an organization (it’s industry, profit / non-profit, international, …) would drive this answer?
Industry compliance should be where an organization puts the most effort to ensure adequate controls. Obviously, a business out of compliance will be out of business by means of fines or complete government shutdown. Therefore, industry compliance should be the focus.
Industry compliance varies based on a company’s location and the nation’s views on the regulation, but these leaders set the regulations. Now, if a company can generate more revenue from a weaker regulatory system in another country, well then… now it is more of an ethical matter.
Fred Zajac says
When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
The cost of implementing a compliance control is higher than the benefit obtained when the calculated cost of losing a business process risk < the actual cost. A company must determine a few factors to predict this cost. First, they must understand the Impact Level and the Likelihood. This will determine if the process is worth mitigating, accepting, or avoiding altogether. High Impact, High Probability may not be worth the compliance control, unless the business process is mission critical. If the process is mission critical and would destroy the company, the company should understand the value of the business process, the contingencies, and standard deviation away from the values. The calculation will determine if the mitigation is cost effective.
To determine if the current spend is enough or too much, you will find out where the marginal cost of mitigation = the marginal revenue of risky process. By charting the points, you will determine if the current spend is producing diminishing returns.
For example, the level of risk will change based on seasons. The probability of a roof collapsing from heavy snow or fallen leaves is higher in the winter and fall.
Paul Linkchorst says
1. (Updated Nov 30) SAP is a world class ERP system provider. If you are an SAP customer – what would you expect them to provide to support your company’s internal controls?
I think one of the expectations I would have of SAP in helping support my company’s internal controls, is by them assisting in identifying any processes that can be automated and how to go about controlling/monitoring them. I think one of the major attractions to an ERP system is the standardization among applications. However, what is just as important is the various functionalities that the SAP program has to offer. I would expect some business functions, particularly manual entry into applications and manual reconciliations, to go away and while there is a reduction of error, this means a new control must be put in place to monitor and prevent error/fraud in these new automated processes. This is where I would expect SAP’s expertise in developing ERP systems around the world to come in and assist in how SAP’s program can control these new processes.
Paul Linkchorst says
2. (Updated Nov 30) The ERP systems market is very competitive. What should SAP and other ERP systems providers be focusing on to make their systems more competitive in the future?
I believe that one of the ways SAP or other ERP systems providers can become more competitive is by allowing an ERP system to be constructed like building blocks or legos. As we know, ERP systems are costly and complex to configure. Likewise, implementations also seem to be organization wide affecting many different processes all while creating potential company setbacks. While most organizations would rather go all in and standardize their operations in one platform at one time, offering a building block approach will appeal to organizations who need just one or two new applications but have a desire to implement an ERP in the future. For instance, SAP should have applications that are priced to compete with industry/function specific applications such as a payroll application. This will allow SAP to get their foot in the door and will also get them customers who might not have the budget to make a full-fledged ERP system now.
Paul Linkchorst says
3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
In my opinion, I think the cost of implementing a compliance control is higher than the benefit obtained when the cost is higher than the impact of a threat/risk. When performing a risk assessment one should quantify the impact of a threat/risk if it were to occur. From an information security standpoint, we know that even a slight failure in a control can have a huge impact from say a data breach. This same mindset can be applied to some compliance controls like Sarbanes-Oxley (SOX). For example, compliance controls such as SOX require an organization on average to spend about $6 billion a year. From a business standpoint, there are not too many benefits from the SOX implementation that would justify the $6B in expenses. However, the compliance controls are in place to protect the stakeholders and the company itself from overlooking any of the actions of its employees, from the low level employees to C-suite executives. Therefore, SOX compliance controls are mostly in place to prevent fraud, which even the slightest bit within an organization can cause a stock drop by over a billion for an organization. With that being said, organizations still need to make sure that their operations are efficient and within SOX compliance. From the compliance standpoint, making sure processes are well documented and documentation of a process is well organized can assist in making the testing of SOX controls a much more efficient process. From the business standpoint, monitoring of such compliance controls is a way to ensure that these compliance controls, which are mandatory, are being performed in a manner that efficiently mitigates the risk that they were designed to mitigate.
Source: https://www.theiia.org/chapters/pubdocs/2/ACost_BenefitAnalysisofSOXOct2007.pdf
Paul Linkchorst says
4. What aspect of compliance should an organization put the most effort into ensuring their controls are adequate? What factors about an organization (it’s industry, profit / non-profit, international, …) would drive this answer?
I think the one aspect of compliance that an organization should put the most effort into depends entirely on the industry and regulations governing that organization. SOX compliance controls must be implemented and tested per federal regulation over publicly traded companies, and for those organizations, I would argue that SOX compliance would be the most important. However, a small private organization that provides healthcare services might be more concerned with the Health Insurance Portability and Accountability Act (HIPAA) which is a national standard that protects individuals’ PII and medical records. While federal regulations are an aspect of compliance that organizations must comply with, one could argue that these regulations are the bare minimum in terms of best practices that organizations must follow. It is important that organizations see this as a baseline and hopefully continue to improve and implement new controls to protect their organization.
Joshua Tarlow says
1. The ERP systems market is very competitive. What should SAP and other ERP systems providers be focusing on to make their systems more competitive in the future?
ERP providers should focus on a segment of this market and continue to develop core competencies. The ERP market is not homogeneous and needs can vary greatly from customer to customer depending on many factors. For example, a small business may want a SaaS application instead of SAP because of issues of costs which include implementation and procurement. Small businesses may have less complex needs than larger companies and a program such as Salesforce might be a better solution from a cost and resource perspective. However, a large company may want/need a system such as SAP because of its customizable configurations and robust functions. In addition, more resources will be available to implement and more finances available for procurement. Both market segments mentioned have different needs and financial considerations. Salesforce may not be as effective nor have the experience of SAP to develop a large ERP system for the needs of large enterprises. And SAP may not have the experience with small businesses to develop a separate product for this segment. Typically there is no one size fits all that is best, and each company understands its segment and may risk developing an inferior product and losing market share of its legacy businesses if the products ultimately suffer.
Annamarie Filippone says
Q1. SAP is a world class ERP system provider. If you are an SAP customer – what would you expect them to provide to support your company’s internal controls?
As a customer, I would expect SAP to work with my organization to understand our business processes and the internal controls currently in place, and have recommendations on improving processes and strengthening controls. The most obvious example would be switching manual entry processes over to automatic ones with the system, as well as the monitoring of those processes. As the experts, SAP should be able to bring insight into how an ERP system can enhance our business.
Annamarie Filippone says
Q2. The ERP systems market is very competitive. What should SAP and other ERP systems providers be focusing on to make their systems more competitive in the future?
One way for ERP system providers to be more competitive is to allow greater flexibility with their system. The amount of data that organizations use is continually growing and becoming more complex, while system users expect to be able to complete their tasks easily and quickly. Today, updating ERP systems is a costly and time-consuming process, so many organizations put it off until a big change needs to be made. By allowing an organization to more easily adjust its capabilities, an ERP system provider would set themselves apart from the competition.
Yulun Song says
That’s a brilliant idea! Working on SAP is too complicated and it is hard to learn. Even if you have already learned something, when you work in a real company, its SAP system is still different. So making the entire use of SAP simple and easy is a good way to go in the future!
Annamarie Filippone says
Q3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
The cost of implementing a compliance control is higher than the benefit obtained when, for an organization, the cost of the loss associated with the compliance risk is less than the cost of implementing the control. Risk assessments, including impact and likelihood analysis of each risk must first be completed, which can then help it calculate the expected loss from each risk. Once it understands the cost associated with the risk itself, an organization can make more informed decisions regarding what controls will be worthwhile to implement.
Annamarie Filippone says
Q4. What aspect of compliance should an organization put the most effort into ensuring their controls are adequate? What factors about an organization (its industry, profit/non-profit, international, …) would drive this answer?
Organizations should put the most effort into ensuring their controls are adequate for aspects of compliance related to laws and regulations. Failure to provide adequate controls for regulatory compliance could lead to major consequences for an organization, such as lawsuits and fines. One large factor that would drive this would be the type of industry an organization is in. For example, medical companies must adhere to the Health Insurance Portability and Accountability Act (HIPAA), which places strict regulations on medical information.
Yulun Song says
1. (Updated Nov 30) SAP is a world class ERP system provider. If you are an SAP customer – what would you expect them to provide to support your company’s internal controls?
If I am an SAP customer, let’s say I am a manager within an organization, I would expect that SAP could not only provide basic uses to our organization, including the capability to manage financial, assets, and cost accounting, production operations, material management, sales and distribution, human resources and customer relationship management, but also provide some more functions, like employee training, which means SAP can teach and show every user how to use it step by step, so we do not need to take related classes outside; an employee evaluation function, which can evaluate how much time the employee spends on working and how the employee does; and a security function, which means SAP can also detect and limit access to some unauthorized users.
Tiesha Christian says
Yulun Song – I like how you integrated so many useful functions to your company. Expecting the vendor to provide adequate training beyond the basic levels is very helpful. I would imagine that you would identify these expectations initially before any business is conducted with the vendor. Is that right? I would like to know your thoughts.
Yulun Song says
2. (Updated Nov 30) The ERP systems market is very competitive. What should SAP and other ERP systems providers be focusing on to make their systems more competitive in the future?
I would say that SAP and other ERP systems providers should focus on making their systems more competitive in the future by adding more functions. First, SAP should add an employee training function. That means SAP can teach and show every user how to use it step by step, so we do not need to take other related classes. Second, SAP should add an employee evaluation function. That means SAP can evaluate how much time the employee spends on working, and how the employee does on his/her job while using SAP. Third, SAP should add more security functions. That means SAP can also check and limit access to some unauthorized users, avoiding data loss.
Yu Ming Keung says
1 (Updated Nov 30) SAP is a world class ERP system provider. If you are an SAP customer – what would you expect them to provide to support your company’s internal controls?
As an SAP customer, I would expect SAP to provide some clear advice on the audit process of SAP because a good internal control audit can help the business itself monitor and reduce risks. Internal controls are the essence of good governance, taking a policy and translating it into details of day-to-day business practice, such as the timeline of the audit process, details of the audit process, paperwork, reports of SAP audits and examples of other companies. I would also expect SAP to provide training instructions on how an enterprise could clearly identify roles and responsibilities, and on the use of SAP automated monitoring in terms of segregation of duties to maximize the benefits and minimize the risks out of SAP. A lot of the time companies may have mixed and unclear roles which may violate some of the requirements. Lastly, I would expect SAP to provide patch updates for security purposes.
Yu Ming Keung says
The ERP systems market is very competitive. What should SAP and other ERP systems providers be focusing on to make their systems more competitive in the future?
1. Ease of use – make the SAP system easier to use and make SAP users understand the entire systems.
2. Customization – deliver what the customer needs and avoid what they don’t need.
3. A platform of mobile devices that are connected to the network on the same page with company’s computers. This is extremely important nowadays because most companies are utilizing mobile devices to help them achieve their day-to-day operations. The idea to support mobile devices is not a gimmick anymore and it can help employees to engage with business operations anytime, anywhere!
Abhay V Kshirsagar says
Yu Ming,
Great point about mobile devices. In this mobile-first world, it will be very important for ERP vendors to understand the customer’s pain points. Gartner says that 70% of customers will interact with their enterprises through mobile devices. So, to be a successful vendor it is also crucial to predict the customer’s needs in time and develop a mobile-friendly enterprise portal for organizations. Cross-platform compatibility, I think, will be critical as organizations use multiple operating systems and this could cause integration and data migration problems.
Ming Hu says
Nice point about mobility. Adding mobility to the features of an ERP system will make it more available and more user-friendly, because mobile devices are playing a more and more important role in our daily life. It would achieve things such as faster decision making, greater operational efficiency, improved communication and collaboration, anytime access to enterprise, business and manufacturing intelligence, and improved workflow and an expedited approval process, to gain more market share.
Wenlin Zhou says
Mobile devices are a good way to improve ERP competitiveness. Business benefits of mobilizing business scenarios:
The primary benefits of enterprise mobility are
• Increased efficiency of operations
• Enhanced productivity of the workforce
• Increased customer satisfaction
• Increased flexibility
Delivered via
• Access to key enterprise functions anywhere, anytime
• Access to accurate and faster decision making for white collared users
• Increased reach and proximity to the customer via mobility
• On the go operations in supply chain and field services
Wen Ting Lu says
Yu Ming, very nice points!
Enterprise mobility is the trend toward a shift in work habits, with more employees working out of the office and using mobile devices and cloud services to perform business tasks. However, enterprise mobility can improve employee productivity, but it also creates security risks. It is very important to have enterprise mobility management products, such as data loss prevention technologies to help IT departments address potential risks that mobile devices might bring in. Also, a strong acceptable use policy for employees is essential.
Yu Ming Keung says
When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
With the cost of compliance expected to rise, organizations must find ways to streamline compliance spending to maintain IT operations and IT security service levels. Having the right compliance control can result in valuable benefits such as reducing risks for occupational fraud, ensuring accurate financial reporting and increasing operating efficiencies.
The cost of implementing a compliance control is higher than the benefit obtained when an organization does not have the right control. So organizations may perform the following analysis:
1. Streamline Gap Analysis:
Streamline gap analysis to quickly find requirement changes in updated regulations and additional requirements in new regulations that are currently unmet by existing IT security practices.
2. Kick Spreadsheets to the Curb:
Eliminate spreadsheets and automate the information-gathering process necessary to prove compliance with specific regulatory requirements.
3. Mesh Compliance and Security Practices:
Overlay security practices on top of compliance efforts to avoid “checkbox compliance” mentality and maximize real security effectiveness through required compliance spending.
Yulun Song says
3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
Oftentimes, the cost of implementing a compliance control remains a sore point for corporate executives, but consultants say the whirlwind of regulations surrounding businesses means skimping on compliance could end up costing a lot if regulators catch you out. Then, the company will face not only dollar costs, but the cost in time as well, because the time you are spending responding to and monitoring these regulations is increasing. Compared with skimping on implementing a compliance control, reducing the costs is a good way to ensure efficiency and profitability within an organization. The best practices to reduce the compliance: streamline gap analysis, kick spreadsheets to the curb, mesh compliance and security practices, prepare for consultants and auditors, provide executives with business-friendly information.
https://www.lumension.com/Media_Files/Documents/Marketing—Sales/Whitepapers/Guide-to-Reducing-Your-Cost-of-Compliance-(1).aspx
Yu Ming Keung says
4 What aspect of compliance should an organization put the most effort into ensuring their controls are adequate? What factors about an organization (it’s industry, profit / non-profit, international, …) would drive this answer?
The aspect of compliance that an organization should put the most effort into ensuring their controls are adequate is the regulatory compliance governing the business behavior. It is very important to comply with the law to prevent unethical conduct and violations.
1. The Sarbanes-Oxley Act of 2002 ensures and restricts all companies to conduct successful audit and internal control.
2. Payment Card Industry (PCI): businesses must take care of customers’ card data properly in accordance with the industry standard and the regulatory laws.
The factors that would drive companies to put effort into ensuring their controls are adequate depend heavily on the industry because most industries would have different regulatory compliance to follow. International and national companies also have different laws to comply with, such as the differences in accounting laws: GAAP vs. IFRS.
Tiesha Christian says
Yu Ming Keung – The point you made regarding the Sarbanes-Oxley Act of 2002 was good. Without this act being passed who knows exactly where the financial industry would be today? Without it many companies would not have survived the financial crisis of 2008 and unethical practices would still be in full effect without any punishment or people being held accountable. I do believe that a great deal of attention should be placed on a company and the adequacy of their financial, operational and technological controls.
Jaspreet K. Badesha says
1. (Updated Nov 30) SAP is a world class ERP system provider. If you are an SAP customer – what would you expect them to provide to support your company’s internal controls?
Yes. I would expect support for my company’s internal controls because I am paying for an ERP system and that should entail some type of pre-configured internal controls, and then these controls should also be customizable. These controls should be controls that address common risks and regulations set for most organizations purchasing/using the ERP systems. The support should either be initiated through my company as a ticket and then sent to SAP as a second tier, or all calls should be routed directly to SAP in regards to internal controls and failures so they can be corrected.
Abhay V Kshirsagar says
SAP is a world class ERP system provider. If you are an SAP customer – what would you expect them to provide to support your company’s internal controls?
Nowadays regulatory pressures for different businesses are increasing, the costs of compliance are rising and data is expanding in volume. In this time, as an SAP consumer, I will always be concerned as to how SAP can help our organization lower audit costs (with automation, maybe?) and add value through their control and compliance management tools by streamlining compliance management and enhancing controls. I would expect them to understand our key business processes that support our organization and the value and purpose of different controls. Organizations would expect scalable support for multiple internal control management programs that would facilitate real-time visibility into compliance and internal control processes.
Abhay V Kshirsagar says
The ERP systems market is very competitive. What should SAP and other ERP systems providers be focusing on to make their systems more competitive in the future?
From my own experience, two things that, if changed, can change the game for ERP vendors are the user interface design and the customization depth. First, I have often heard people complaining as to how “dreary” the interfaces of many ERPs like SAP, NetSuite, etc. are. The interfaces look boring and it appears that there hasn’t been any “outside the box” thinking applied to the ERP GUIs. Focus is more towards the back-end logic of the ERP and the front-end has failed to evolve. Although I am aware that “this ERP doesn’t seem to have an enjoyable UI” is something the ERP vendors will not hear in the B2B market, this is something that, if improved, can certainly be a big distinguisher. Second, the depth of customization of modules can certainly add value to the product. Companies are looking for more and more flexibility in the software they purchase, and flexibility and scalability with proper customer support can also be a big distinguisher for a vendor.
At a certain point, all ERP vendors are matched and rated at similar levels, but the above-mentioned points, I think, can set them apart from their competitors.
Abhay V Kshirsagar says
When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
The controls are in place to ensure that an organization is following safer ways to conduct business so that its stakeholders aren’t harmed in any way, e.g., there aren’t any breaches, frauds, etc. Various compliance were introduced when frauds on a large scale started happening and the government decided to be the guardian and parent publicly traded companies to ensure that the public is protected if someone decides to carry out a similar or a bigger fraud. Such incidents are categorized as business risks for the organizations. The cost of these regulatory compliance can be on the higher side and the process itself can be complicated. Organizations, after a thorough risk assessment, can decide whether to accept or mitigate different risks. And, when the cost of the loss associated with the compliance risk is less than the cost of implementing the control, that is when the cost of implementing a compliance control is higher than the benefit. I think the key is to understand the cost (value) associated with the different risks. FYI, this same question was asked last week as well.
Jaspreet K. Badesha says
This is a good and very well crafted answer. Security is a very good example to discuss the risk of compliance controls. Although sometimes I feel like it may be hard for certain organizations to correctly assess and monetize the situation, therefore they may not correctly evaluate what costs more: the implementation of controls or the lack of controls. Simply stated, if the cost of non-implementation (fees for non-compliance, which in your case would be security controls) is higher than that of implementation of the controls, then an organization should decide to implement the control. This is however a very complex formula that I have simply stated.
Tiesha Christian says
Abhay V Kshirsagar – Your explanation was well thought out and articulated in a great way. I agree with your thought of the process being very complex. Every company has a level of risk they are willing to accept and some that they will absolutely under no circumstance accept. This concept too can make this formula rather complex when it comes to understanding efficiency and profitability.
Jaspreet K. Badesha says
2. (Updated Nov 30) The ERP systems market is very competitive. What should SAP and other ERP systems providers be focusing on to make their systems more competitive in the future?
Since the ERP systems market is so competitive, SAP should focus on updating the interface of their ERP systems, making them more intuitive and easy to use. They should also provide more training or videos that organizations can use to train their employees and manuals for them to easily and quickly refer back to while trying to complete functions. They should also provide additional security controls and notification systems if someone suspicious logs on and manipulates data or if the data entered seems to be outside of the norm (so adaptive controls). SAP should make updating to the new version of the ERP system or upgrading a bit simpler for organizations to implement instead of something that takes a lot of thought and planning around. This will make organizations want to upgrade and stick to that specific vendor’s ERP system.
Jaspreet K. Badesha says
3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
The cost of implementing compliance controls is higher than the benefit obtained when the fine for not having the control is significantly less (for an extended period of time) than that of implementing the control. As a lot of effort goes into the implementation of controls, cost is a large factor, and if the cost of not having the internal control implemented is significantly less for an extended period of time it will outweigh the benefit of avoiding fees and penalties for that control being implemented. An organization should try to find an ERP system that has these types of vital controls built into them for little to no cost to the organization; this will make the implementation of this system very easy and will not affect profitability and will be efficient to use since it’s preconfigured.
Paul Linkchorst says
Hi Jaspreet,
I would agree that a better GUI that is more intuitive will likely help SAP compete with other ERP platforms. In my experience using SAP, the program isn’t the most straightforward and can be clunky at times. For some organizations, this might be a turn-off. If SAP or another ERP system utilized a user interface like that of other applications that users are already familiar with (Office, Gmail, etc.), then the transition of using a new system might not be as significant, saving the ERP user’s time and resources. Likewise, this might make potential buyers more willing to utilize an ERP if they know that users will not have a difficult time adapting to the new software. While SAP might not overhaul its user interface since it is so established, a lesser known ERP platform might be able to differentiate itself from SAP by utilizing a much simpler interface that works just as well as SAP.
Jaspreet K. Badesha says
Hi Paul,
This is very true. I agree that SAP is well established and doesn’t need to change its GUI as most customers are familiar with it … but if a different company adapted their interface to be more familiar it might give SAP a run for their money therefore SAP might want to make some changes themselves to make themselves competitive.
Ming Hu says
SAP is a world class ERP system provider. If you are an SAP customer – what would you expect them to provide to support your company’s internal controls?
What I expect from SAP is what it could do to support change management. There are so many challenges the company faces to implement successful change management.
How to control the quality of each change?
How to identify those critical business processes that may be affected by change events?
How to perform tests with lowest cost and risk?
How to conduct change diagnostics?
How to collect change metrics for further evaluation and improvement?
How to control the risk where the changes are outsourced?
Tiesha Christian says
Ming Hu – As the client would you first have a discussion with the vendor and explain your expectations? Or will you expect them to already know that these are the things you expect them to cover? What if they are not capable of fulfilling your requirements? Will you work with the vendor until you are on the same page?
Tiesha Christian says
SAP is a world class ERP system provider. If you are an SAP customer – what would you expect them to provide to support your company’s internal controls?
As an SAP customer I would expect the provider to fulfill the user requirements that would have been outlined and identified in the initial contract. This action sort of falls under the user acceptance category. If the user is satisfied and aligned to the objective of the customer/client then progress can be made in terms of the life of the project. I would expect the provider to be forward thinking and open to working in a collaborative setting with the (customer) to further fulfill the goals and objectives of the company.
Jianhui Chen says
SAP is a world class ERP system provider. If you are an SAP customer – what would you expect them to provide to support your company’s internal controls?
Firstly, I hope the SAP system would be easier to use. The participation of users is very important for successful implementation of ERP projects – hence, exhaustive user training and a simple user interface might be critical, but ERP systems are generally difficult to learn. Many new employees will join the company, and most of them could have no experience with the SAP systems. The easier version of the ERP system can reduce the training cost of the organization.
Secondly, I would expect a shorter deployment period. As we know, ERP deployments are highly time-consuming – projects may take 1-3 years (or more) to get completed and fully functional, which means in the first 1-3 years, the system would not work effectively.
Fangzhou Hou says
Exactly, I agree with you Jianhui that the easier version of the SAP ERP system can enhance the efficiency in daily operation. More importantly, a user-friendly ERP system not only offers the trained employees an easier way to deal with the daily business processes, but for the entry level employees, this may help them take less time to learn how to use the SAP ERP system, which also saves the investment in related training for the company.
Jianhui Chen says
When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
In my opinion, the decision would depend on the size of your company. For a publicly traded company, the importance of compliance could outweigh efficiency and profitability. There are a lot of rules that target publicly traded companies, such as the SOX Act. Enron focused on efficiency and profitability rather than compliance, which resulted in bankruptcy. For most small businesses, the regulations and rules would not target them much, so when the cost of implementing a compliance control is higher than the benefit obtained, these businesses can take some risk to maintain efficiency and profitability.
Wen Ting Lu says
It’s interesting that you targeted this problem from both the perspectives of large size companies and smaller size companies. I believe the cost of implementing a compliance control is higher than the benefit obtained when an organization does not implement adequate control. As you mentioned in the Enron example, obviously there were control failures. It’s very important to make sure that adequate controls are taking place.
Ming Hu says
The ERP systems market is very competitive. What should SAP and other ERP systems providers be focusing on to make their systems more competitive in the future?
Nowadays, I would say that user-friendliness is one of the main focuses which would make ERP systems more competitive in the future. Historically, the term “user-friendly” and SAP are seldom used in the same sentence; companies sacrificed user-friendliness in exchange for integrating business processes and putting everyone in the organization on the same software platform. But that only goes so far. As a new generation of people enters the workforce, a generation groomed on friendly apps and slick devices from, for example, Apple and Google, their tolerance for such unfriendly interfaces or functionalities will be small. In order to be more competitive in the future, the system suppliers must accommodate this new trend to gain more market share.
Fangzhou Hou says
1. SAP is a world class ERP system provider. If you are an SAP customer – what would you expect them to provide to support your company’s internal controls?
From the business concern, what I expect from the SAP ERP system apparently is to offer assistance to improve working efficiency and help the decision maker make a better decision by considering the records from the SAP ERP system. Indeed, the system is a powerful tool which combines almost every business process and allows management to better understand what’s happening in the real business. However, the SAP ERP system is not easy to fully understand, especially for those entry-level employees. To support the company’s internal controls, SAP could be simplified and offer more inner help to make sure the new users can not only operate the software, but also understand how it works.
Deepali Kochhar says
Great answer Fangzhou. To add to your point, I would also say that the cost to implement an SAP system is often too high for an organization to make a decision on whether to implement SAP or not. So as an SAP customer I would also expect them to provide my business solutions which can be customized and hence fit inside my cost budget.
Fangzhou Hou says
2. The ERP systems market is very competitive. What should SAP and other ERP systems providers be focusing on to make their systems more competitive in the future?
I think the most attractive factor for the ERP users is whether it is user-friendly, which means both entry level users and trained users can easily understand how to use the SAP ERP system. Indeed, the system includes tons of important business data from daily operation, and it’s not that easy to simplify it; however, it doesn’t mean it’s impossible. The factor is, the easier the ERP system is to use, the more efficiently the employees can work. Without some unnecessary steps or confusing settings, the users may save time to do other work. Furthermore, the company could also save more investment in the training. However, it doesn’t mean that the SAP ERP system should be designed as easy to use as it could. The accuracy and other core functions still matter.
Fangzhou Hou says
3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
One of the most consistent problems organizations face in the procure-to-pay process is undetected financial leakage. Companies often fail to realize the efficiencies that can be gained through the automation of key business processes. For example, invoice payments are typically reviewed through a system of manual approvals. This process is not only time consuming, but it can also fail to take advantage of early payment discounts or avoid late payment penalties. Furthermore, a manual approval process leaves the door open to potential fraud through post-approval modifications. While there is a crop of applications designed to improve this process, few provide the level of security and control that is required by many compliance requirements. In addition, these applications contribute to a heterogeneous IT environment just as most companies move towards one (i.e., a homogeneous) IT platform to better manage IT costs.
Source: http://www.oracle.com/us/products/applications/ebusiness/optimize-procure-to-pay-processes-1855140.pdf
Wen Ting Lu says
3. When is the cost of implementing a compliance control higher than the benefit obtained? What should an organization do to ensure efficiency and profitability?
The cost of implementing a compliance control is higher than the benefit obtained when an organization does not implement adequate control. Efficiency is the ratio of the output to the input of the resources. Increasing profitability may come from some combination of increased revenue and decreased cost. Thus, many organizations are simultaneously working on their revenue and cost strategies. In order to ensure efficiency and profitability, an organization must have a clear understanding of what the risks that it is facing are and how to mitigate the risk. Risk assessment is the process where you identify hazards, analyze or evaluate the risk associated with that hazard, and determine appropriate ways to eliminate or control the hazard. Risk assessments are very important as they form an integral part of a good occupational health and safety management plan.
Source: https://www.ccohs.ca/oshanswers/hsprograms/risk_assessment.html
Wen Ting Lu says
The ERP systems market is very competitive. What should SAP and other ERP systems providers be focusing on to make their systems more competitive in the future?
In order to make SAP and other ERP systems providers be more competitive in the future, they must focus on making their systems more “user-friendly”. It should be easy to use for both entry level users without any experience and professionals who are familiar with the ERP systems. End users need to be able to complete their tasks quickly and with comfort and a positive attitude towards the use of the product. Historically, software developers have focused most of their effort on ensuring that the data and business/logic layers of a system were stable and functional, and didn’t focus much on the presentation/user-interface layer. However, it is necessarily take precedence over ensuring a simple and efficient user interface.
Wen Ting Lu says
Source: https://www.linkedin.com/pulse/why-oracle-sap-finally-improving-usability-carlos-l-aguilar