Sure, a company can put together an elegant suite of best-in-class solutions for governance, risk, and compliance, but before investing in dedicated solutions, don’t overlook what you might have in place already—an enterprise resource planning suite that may be well suited to cover your GRC needs.

Any entity large or regulated enough to look into GRC suites likely has SAP, Oracle, or some other ERP suite in place already. Those systems have come a long way on GRC. The ERP vendors make bold claims about rich GRC functionality; Oracle offers its Oracle Enterprise Governance, Risk, and Compliance Manager, and SAP its SAP BusinessObjects GRC solutions.

SAP and Oracle are giants, but midmarket ERP vendors claim rich functionality too, and deep expertise. “We’re not just getting serious [about GRC] now,” says Joey Benadretti, president of midmarket ERP provider Syspro USA. “From day one we’ve continued to add functionality. We’re in 60 countries, and the starting point of compliance is often taxation. From there you end up in reporting and government codes, and we’ve always offered recall management with lot traceability for FDA requirements. From there we expanded the functionality of the system to being able to identify non-conformance, go through preventive actions, and conduct audits.”

Syspro is a 30-year-old provider and offers compliance tools across heavily regulated manufacturing industries including medical devices and life sciences; food and beverage; aerospace and defense and oil and gas, plus Sarbanes-Oxley compliance, backed up by full transaction monitoring capabilities. The GRC mandate came naturally to a company with a multinational manufacturing customer base, says Benadretti. “It wasn’t necessarily our goal to offer those things but to enable customers to do what they’ve got to do.”

“Industry-specific compliance, plus regulations like the Sarbanes-Oxley Act, plus globalization and outsourcing, have led users to expect more from GRC features from ERP,” observes Chuck Langenhop, senior director of CFO Advisory Services. “The tools evolved to make that more feasible, “For example, cost reductions in document scanning and retrieval, database management systems, Web services, internal and external e-mail communications, and business intelligence.”

“This topic is very near and dear to me,” says Ed Talerico, Infor Global Solutions’ industry director for aerospace and defense. Infor offers numerous mid-market ERP packages, plus Infor Approva Continuous Monitoring, which integrates both with Infor and other ERP offerings.

“Most A&D contractors as well as any high-tech electronics or high-tech manufacturers deal with the import/export and product/components role of GRC, which has continually grown over the last 10 years to the point that it’s become essential that ERP continuously monitors for possible threats, as well as being able to do an online check when creating a new supplier item,” says Talerico. “When creating an invoice, or typing in a contract or making a shipment, you have to make sure you’re not dealing with a denied party from any number of lists out there today.” Infor recently released Infor Cloud Suite for A&D, an industry-specific suite of solutions to cater to the requirements of A&D contractors, including International Traffic in Arms Regulations (ITAR) compliance, which largely contain information and material about U.S. defense to U.S. entities.

So GRC is on its way to becoming table stakes for ERP vendors because customers demand it, just as they demanded business intelligence, forecasting, and e-commerce that are now part and parcel.

Still, there are best-in-class BI, forecasting, and e-commerce tools that enterprises use instead of the inherent functionalities of ERP. “The Oracles and SAPs are going to work on the generic functionality of access management, configurable controls, and transaction analysis,” says Kent Cowsert, a partner of advisory services with KPMG, who leads the company’s ERP risk consulting practice. “If you have specific requirements, it might be FDA, or Environmental Health and Safety, I think there are probably some boutiques out there that might fit your purpose more robustly.”


Industry-specific compliance plus regulations like Sarbanes-Oxley plus globalization and outsourcing led users to expect more from GRC features from ERP.
Chuck Langenhop, Senior Director, CFO Advisory Services

“ERP is heavily transaction-oriented,” observes Langenhop, “whereas GRC provides a framework for higher-level oversight of enterprise risk factors, planning and managing internal audit programs, planning and monitoring the enterprise’s risk profile, and documenting incidents such as accidents or product recalls. GRC systems also manage key risk indicators and provide reporting and graphical dashboards that go beyond what is normally within the scope of the ERP design.”

Still, the functionality of ERP has grown considerably over the last ten years both natively and through add-on modules. ERP’s basic GRC tools “include low-level user permissions to allow for better segregation of duties and restrict access to sensitive data, alerts, approval workflows, audit trails, and support for the controller’s month end close,” such as the NetSuite Period Close Checklist, Langenhop says. For companies producing pharmaceuticals and medical devices, document management and engineering change control features can meet the electronic signature requirements for FDA 21 CFR Part 11. For companies regulated by an agency such as the FDA, Department of Defense, or the Consumer Product Safety Commission, ERP systems also support traceability based on lot or serial numbers from the time materials are received to the time finished goods are shipped.

All of that is data driven, and ERP solutions lack the database agnosticism inherent in GRC suites warns Joe Oringel, managing director of Visual Risk IQ, a risk advisory firm specializing in audit data analytics. “In a world of homogeneous data sources Oracle GRC does a good job of monitoring a control environment that is 95 percent Oracle,” says Oringel. “As soon as you have a mixed ERP environment—Sage and not Sage, SAP and not SAP, then you don’t have the same control. You’re better off with an independent GRC platform like Approva or Oversight or some of the TM monitoring tools; because most of the things people want to monitor in the real world is a multi-vendor solution.

GRC Questions for ERP Vendors

If a buyer is selecting ERP and wants to use it as a GRC platform, what questions might it ask to ensure that the ERP does the job?
KPMG’s Kent Cowsert advises that “You have to work through your requirements in a diligent way and press on the vendors form a software selection perspective to be sure it’s going to do what you need it to do,” be it to monitor transactions across disparate databases or answer an industry-specific requirement.
CFO Advisory Services’ Chuck Langenhop offers this comprehensive list of questions for ERP vendors promising GRC capabilities:

What types of approval work flows do you provide for purchase orders, invoice approvals, and engineering change orders? Does your ERP have or interface with a more robust business performance management (BPM) solution?

To support exception-based management, how can alerts or special reports be designed for opportunities or risk events such as large sales quotes, formulation changes, credit memos, customer returns or employee injuries?

Is there audit trail control that can show the history of the creation, editing, and closure of every record in the system? (From a fraud perspective, for example, it is important to track changes to vendor and employee addresses.)

Can your ERP integrate with a document scanning solution for automated vendor invoice processing and retrieval later in a state use tax audit? Can it also scan and store other types of documents such as receivers and inspection sheets for retrieval in a regulatory audit?

My company sells products in numerous states. Do you have a solution for automatically calculating the proper sales tax in each jurisdiction?

Do you provide GRC support for period close including journal entry and bank reconciliation approvals, online notes and the ability to close the accounts receivable or accounts payable modules prior to general ledger?

What types of reporting and analytical tools are available for efficiently pulling financial data for testing by internal and external auditors?

How many customers do you have in my industry? How well do you understand the compliance challenges we face every day?

What quality control modules do you offer for aerospace & defense companies like ours?

Do you have many customers that are publicly held companies with SOX reporting requirements? Are any one of them international companies that report in IFRS or European legislative standards? If so, can you support multiple general ledgers?

As a retailer, I am very concerned about credit card security. How does your ERP comply with PCI DSS?
To be fair to ERP vendors, their front line is typically a pre-sales team who can offer a comprehensive demonstration but may be over its head when talking about governance and risk. Tell the vendor in advance that GRC is among your particular concerns, which gives the vendor the chance to send someone knowledgeable (and spare you both wasted time).
—Dann Maurno

“Although software companies are developing big data analytics tools that span platforms and database systems, the ERP world is still highly heterogeneous, particularly when we consider that many have bolt-on solutions that themselves have separate databases,” Langenhop says. “Third-party payroll, fixed assets, cloud-based CRM, and Web portals are some simple examples.”

Then ERP vendors beg to differ. Blending data and mining it “is standard practice,” says Benadretti. “And in our world we deal with it every day, on every implementation. If somebody’s using SAP at the global level and runs Syspro in divisions we can push information up into consolidated accounts. It’s the same thing for a company on Epicor and moving to Syspro,” which necessarily has to migrate its data.

“What has helped over time is the strength of the business intelligence tools out there,” says Benadretti. “I don’t think we’ve ever seen such an increase of information being utilized. Companies dealing with blended organizations faced real challenges and that’s inspired real work” into converging and mining disparate data sets.

“I like Oracle GRC better than not Oracle GRC,” says Oringel. “But I have a preference for transaction monitoring with Approva, Oversight, and CaseWare Monitor that works well in heterogeneous environment because of the ability to send off alerts for red flags in disparate systems.”

Compliance Is a Practice, Not an App

Infor’s Talerico warns against compliance guarantees from ERP vendors. “I can’t guarantee that you pass a [Defense Contract Audit Agency] DCAA audit until I see how you utilize our system. I can tell you my solution is SOX compliant, but if you do not implement it in a compliant fashion you are not compliant. The answer is in how you use the system.” However good the ERP tool is, it only enables compliance—like GRC suites.

So while the goal of many software vendors is to eliminate the horizontal and vertical barriers to transparency, GRC practices are still required. Whatever the solution a company uses, says Langenhop, “Sound management, trained staff, compliance with standard procedures, codes of ethics, an effective risk monitoring program, and a well-organized internal audit team will always be important.”