Enterprise resource planning software is designed to reach into all corners of an organization and integrate the data throughout the whole company. But when it comes to compliance, cracks remain.

ERP systems can show good return on investment for the pieces of compliance that they handle well, such as transaction compliance, segregation of duties, and access control, says Chris McClean, an analyst at Forrester Research. Operational compliance—training requirements, regulatory filings, policy documentation, and the like—is where ERP systems can fall short.


“As far as having the flexibility needed for large areas of compliance, the GRC [governance, risk, and compliance] vendors are still on top,” McClean says.

Kulicke & Soffa, a maker of equipment for producing semiconductors, considered a GRC management module from Oracle, its ERP vendor. Seeking to document all of its key controls, both IT-related and business process-related, the company instead decided to deploy specialized GRC software from BWise Inc.


“Having [compliance tools] integrated with our ERP is potentially a great idea, but we wanted something that is going to be best-in-class today,” says Joshua Golden, director of internal audit at Kulicke & Soffa. “We felt that integrating the data wasn’t as important as having a best-in-class system. BWise’s core competence is GRC.”

Kulicke is based in Pennsylvania, with 33 facilities in Asia, Europe, and the United States. Main selling points for a third-party GRC solution were flexibility and easy customization, Golden says. With BWise, the manufacturer can tweak the software’s interface and recording fields. Users can be added easily, approval flows can be entered, and the issue tracking capability is excellent, he says.


Kulicke & Soffa’s decision to use a GRC specialist for help with compliance tasks isn’t unusual among large enterprises. ERP technology is geared toward the transaction- and process-oriented requirements of financial regulation. The way to get the most compliance power out of an ERP system is to make full use of its access controls, segregation-of-duties controls, and other transactional compliance capabilities, McClean says.

“The ERP systems have a lot of content and information about transactions in them. The best value from a compliance perspective is implementing the controls related to that content,” McClean says. “They are fairly good at helping reduce audit costs because the documentation of controls is all in one place. You can look pretty closely and pretty quickly at how the controls fared.”

To some extent, a company can take the business rules in its ERP systems for transaction-related compliance—say, policies for how a product is purchased, to satisfy trade regulations—and adapt them into rules for operational compliance as well. But exactly how much an ERP system can address those other compliance needs varies considerably, depending on the company and the industry it operates in. The more highly regulated the industry (think healthcare, energy, or pharmaceuticals), the more likely it is to need specialized GRC software.

“When we talk about ERP, it’s great for what it does. It is great for managing the finances of an organization,” says Karl Kispert, a director at Huron Consulting Group. When it comes to customizing ERP modules for other areas of governance and compliance, however, companies often find the chore too rigid, too time consuming, and too costly, he says.

Adding an ERP module and customizing it is often more expensive than buying separate GRC tools, Kispert says. An ERP implementation can often take 18 months or longer, with exasperating phased-in approaches and testing—and in that case, Kispert says, companies figure they might as well purchase a separate GRC system in the meantime.

Analysts widely expect the large ERP vendors to continue to beef up their GRC-related offerings in the coming years, primarily by snatching up any GRC software vendor with a proven product. For now, however, these vast systems typically offer less comprehensive tools than third-party GRC software.

“As businesses changed over the last eight years, the ERP software solutions began incorporating controls and compliance into their offerings. It’s just a question of whether they are mature enough,” Kispert at Huron Consulting says. “Going forward, because compliance is going to change, there’s going to be enough space for both ERP and GRC.”

The Centene Example

Centene Corp., which provides services to Medicaid beneficiaries, is a public healthcare company subject to the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, numerous state contracting rules, and more. For its wide range of federal and state obligations, Centene uses GRC software from Compliance 360.

“What I’ve found is that [ERP systems] are really generic across a lot of different industries,” says Robert Miromonti, vice president of ethics and compliance at Centene. “They’re very beneficial from an internal audit perspective, but from a compliance perspective I didn’t find them that useful.”

In particular, Miromonti says he has not found a sufficiently effective workflow management capability in ERP systems, and customizing modules requires considerable outside help. “My concern with [customizing an ERP module] is the amount of consulting dollars we would spend,” he says.

While ERP systems tend to be maintained by the IT department, specialized GRC software is often managed by the compliance professionals, giving them greater command over it.

“One of the things we’ve found is that if we control the system, we are able to customize it ourselves and understand it better,” Miromonti says. “If one of my compliance officers brings an issue to me, I know enough about the system to manage it.”

Still, some companies—particularly in less-regulated industries—are ready to embrace all of the compliance power available through the ERP system. Sharp Electronics, which deployed a system from SAP about 18 months ago, is enthusiastic about the software’s GRC capabilities.

“Our position is that SAP is our main system of record, and SAP’s GRC tools function well with it,” says Wyatt MacManus, senior manager for process management and business controls at Sharp. “Where we’re using SAP, which is in the majority of our processes, SAP does it all.”

Sharp’s ERP system allows the company to standardize business practices and processes throughout 11 different sales and marketing, manufacturing, research and development, and administrative divisions. The process control functionality provides a repository for all of Sharp’s control documentation, and allows MacManus’s team to monitor the performance of the controls.

“We’re one of the few companies that has this process control in place and is using it,” he says.

SAP’s access control capability allows the company to monitor its users and implement mitigating controls if segregation-of-duties violations appear. It doesn’t monitor all of Sharp’s systems, however, and for those the company uses a separate access-control tool, MacManus says. But he ultimately wants to roll SAP’s governance capabilities out to all systems because that is the most practical option, he says.
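The segregation-of-duties monitoring described above comes down to computing each user's effective permissions from their role assignments, comparing them against a rule set of conflicting permission pairs, and recording whether a documented mitigating control covers any hit so that only unmitigated findings reach the remediation queue. The following is an added illustration in Python, not code from SAP, BWise, Compliance 360, or any company quoted in the article; the rule ids, roles, users, and control references are constructed sample data.

```python
"""Segregation-of-duties (SoD) check over role assignments.

Added illustration only: all rules, roles, users, and mitigating controls
below are constructed sample data, not taken from any real ERP or GRC product.
"""

# Constructed rule set: each hypothetical rule id names two permissions that
# one person must not hold at the same time.
SOD_RULES = {
    "SOD-01": ("create_vendor", "approve_payment"),
    "SOD-02": ("create_purchase_order", "approve_purchase_order"),
    "SOD-03": ("post_journal_entry", "approve_journal_entry"),
}

# Constructed role-to-permission map: what each role grants.
ROLE_PERMISSIONS = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment", "approve_invoice"},
    "buyer": {"create_purchase_order"},
    "purchasing_manager": {"approve_purchase_order"},
    "gl_accountant": {"post_journal_entry"},
    "controller": {"approve_journal_entry", "approve_payment"},
}

# Constructed user-to-role assignments. Conflicts arise from role
# combinations, not from any single role, which is why the check must
# work on effective permissions rather than on role names.
USER_ROLES = {
    "a.rivera": {"ap_clerk", "ap_manager"},
    "b.chen": {"buyer"},
    "c.okafor": {"gl_accountant", "controller"},
    "d.smith": {"buyer", "purchasing_manager"},
}

# Constructed mitigating controls keyed by (user, rule id): a documented
# compensating control that lets a known conflict stand while it is reviewed.
MITIGATING_CONTROLS = {
    ("c.okafor", "SOD-03"): "MC-07: monthly independent review of journal entries by internal audit",
}


def effective_permissions(user, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_permissions.get(role, set())
    return perms


def find_sod_violations(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS,
                        rules=SOD_RULES, mitigations=MITIGATING_CONTROLS):
    """Return one finding per (user, rule) where the user holds both permissions.

    Each finding records the roles that produced the conflict and whether a
    mitigating control is on file, so reviewers can see what to remediate.
    """
    findings = []
    for user in sorted(user_roles):
        perms = effective_permissions(user, user_roles, role_permissions)
        for rule_id, (perm_a, perm_b) in rules.items():
            if perm_a in perms and perm_b in perms:
                control = mitigations.get((user, rule_id))
                findings.append({
                    "user": user,
                    "rule": rule_id,
                    "permissions": (perm_a, perm_b),
                    "roles": sorted(user_roles[user]),
                    "mitigated": control is not None,
                    "control": control,
                })
    return findings


def unmitigated(findings):
    """Findings with no documented compensating control: the remediation queue."""
    return [f for f in findings if not f["mitigated"]]


if __name__ == "__main__":
    for f in find_sod_violations():
        status = "mitigated by " + f["control"] if f["mitigated"] else "UNMITIGATED"
        print(f"{f['user']}: {f['rule']} {f['permissions']} via roles {f['roles']} -> {status}")
```

On the sample data the check reports three conflicts, one of which (c.okafor under SOD-03) is covered by a documented control; the other two are the kind of finding the compliance team would either remediate by splitting the roles or cover with a new mitigating control.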