For organizations that do utilize audit logs, system administrators can configure customized audit reports that employ simple logic to identify "outliers" - system transactions that fall outside of normal parameters, such as date and time, location of the user logging into the system and checks larger than a predefined setting.
While it's time consuming to customize these reports, they provide hundreds of data points to manually process and are invariably riddled with false positives. Each flagged event requires manual human analysis of the event because the audit reports cannot analyze the event to determine the cause for concern.
When you consider that the average business loses 3 percent to 6 percent of annual revenue due to fraud, most agree that the ERP security features listed above are not working. Worse yet, businesses suffer additional losses through duplicate payment errors. The average enterprise submits duplicate payments for 2 percent of its total accounts payable. Of these duplicate payments, 10 percent are never recovered, which leads to total losses equivalent to 0.2 percent of total accounts payable.
The fact remains that applications remain highly vulnerable to external security threats. Weak passwords can be broken with simple dictionary attacks; buffer overflows can flood an application until it allows a hacker in the door. However, some of the most damaging hacks come in the form of social engineering where users are tricked into freely divulging their credentials. And of course, the real danger of external hackers comes once they enter the system as authorized users with the ability to divert payments for their benefit.
Most organizations fail in their ERP security efforts because they implement systems with a plan that leaves controls design and implementation until the end of the process. However, ERP projects are invariably over budget and behind schedule, so strict internal controls are often glossed over to keep costs down and make up time.
Some organizations decide against stringent controls because internal controls can introduce additional overhead by making it hard for employees to do their jobs with process inefficiencies.
The biggest drawback of relying on internal controls for ERP security comes from the costly and time-consuming maintenance of those controls. As employees are promoted, reassigned or terminated, organizations must continually update their business systems with each employee's correct authorization level. The advent of new business partners, the creation of new business departments or entry into new markets also requires new or modified procedural rules. Maintenance of the ERP system can turn into a never-ending resource drain.
A recent Gartner audit of several SAP systems noted that "because SAP is used to process financial accounting information including purchasing, accounts payable, accounts receivable, general ledger and human resources, security breaches in these areas could lead to unauthorized, undetected access to confidential financial and employee data." The study audit revealed two important points:
- Duties within the purchasing process have not been adequately segregated. As a result, personnel could gain control of the entire purchasing cycle, resulting in errors, irregularities or fraud.
- A lot of users have been granted inappropriate authorities in the Financial Accounting and Controlling modules.