Combining Compliance, Controls and ERP

Indeed, businesses can apply what they learn during compliance to make sure they are fully leveraging and optimizing all the functionality available within the ERP as they work through the stages of a typical implementation: design, build, test and deploy.


The design stage typically includes an evaluation of the existing application(s) and internal controls, known deficiencies, and the capabilities of the new ERP package. An organization should first identify its business processes and define and document reporting, interface, conversion and enhancements to obtain an understanding of its current systems.

By comparing the capabilities of the new ERP application to the current state, a company can identify business process redesign opportunities, functionality gaps that may lead to work-arounds, or ERP customization needs. The design stage can then produce a road map of the organization’s requirements for how to configure the ERP application and modify the internal controls environment to build a sound financial-management system.

Existing IT policies and procedures and known security loopholes should be a part of the analysis for exception reporting. The project team should also integrate compliance-management requirements as well as parameters for identifying and prioritizing business opportunities.


The build stage involves installing the hardware, operating systems and communication infrastructure based on the design specifications of the ERP application. It also provides the foundation for testing and implementing a sound ERP application and control environment.

During this stage, the organization needs to determine whether controls are properly configured and built into the ERP application or into the internal-control environment. These controls are intended to validate and authorize all transactions according to the control objectives defined during the design stage.


The test stage of the implementation is critical in determining whether the system performs as expected. In this phase, the organization defines the controls testing approach and test criteria. It tests the configurable and inherent system controls, modifies or improves them as needed, and checks for user and infrastructure security vulnerabilities, as well as IT operations and disaster-recovery preparedness. Efforts to sustain ongoing compliance and to conduct internal training are also established during this phase.


Organizations have various options for implementing a new ERP solution, each of which has implications for the validation of the control framework. They can phase in the new system based on business units or geography, or, as most companies often do, pilot some aspect of the new system.

During a pilot project, system functionality and configuration are validated and control techniques are verified. The pilot also validates the control framework.

Following the launch of the new system, the organization monitors and evaluates performance. In addition, a post-implementation control review, focused on the implementation of controls and their effectiveness, will provide additional assurance for ongoing monitoring.

With controls properly integrated into the ERP system, organizations can then use the documentation to update the controls portfolio and the knowledge it provides to assist in further improving and sustaining compliance.


Implementing and optimizing controls in ERP systems is not a simple task, yet it is important to achieving the full benefits of the system and to helping manage and sustain compliance.

Integrating controls into a system implementation project can help enable a business to overcome challenges and deliver a return on the investment. Organizations should pursue an ERP implementation that helps them integrate and optimize controls within finance, operations and compliance processes. By doing so, they will be able to realize process and control efficiencies, cost reductions and sustainable compliance management.

Kenneth Gabriel, based in Chicago, is a partner in KPMG LLP’s IT Advisory Services practice. KPMG LLP is an audit, tax and advisory firm and the U.S. member firm of KPMG International. KPMG International’s member firms have 113,000 professionals, including 6,800 partners, in 148 countries.