GRC effectiveness in ERP implementations

Modernizing business processes and internal controls

Companies can have a lot riding on their enterprise resource planning (ERP) investments. So why do governance, risk, and controls (GRC) often get left behind? Take a look at some of the common pitfalls of addressing GRC requirements in an implementation, along with five measures you can put into place early on to help mitigate risk and produce better outcomes for your business transformation.

A compliance mindset for ERP implementation

At the center of most finance transformations today is an ERP system implementation waiting to unfold. With so much riding on these large-scale investments, companies need their ERP implementations to contribute to an effective business transformation.

However, opportunities are sometimes missed. One of the most common pitfalls is not adequately addressing the governance, risk, and controls (GRC) requirements of the ERP implementation. It’s also one that can be avoided with adequate planning and perspective.

A compliance-focused mindset can help organizations effectively mitigate risks in business transformations and ERP implementations as a mechanism for value creation and return on investment. [1] Approaching the process through the lens of compliance by design can elevate a governance and implementation framework to a controls-conscious transformation. [2]

Five key considerations for effective risk mitigation and controls effectiveness in ERP system implementations

Why governance, risk, and controls get left behind

Effective GRC processes are foundational to improving the accuracy and reliability of a financial accounting and reporting system. Because an ERP transformation will likely introduce new capabilities and risks, it is important to maintain effective controls in all stages of the rollout and to have effective internal control processes in place once the system is in production. That means addressing governance and controls from the earliest phases: during design, during implementation and testing, and finally at and after go-live. All too often, however, controls are an afterthought in the ERP system design and implementation.

But why would an organization neglect such a critical aspect of the implementation? One reason is that transformations today likely happen at a dizzying pace. Initiatives that once took five or six years to complete are now being implemented in much less time, thanks to the accelerating pace of business disruption and agile approaches.

In addition, ERP implementations require a level of integration and alignment that many enterprises are not prepared to handle because they may not have in-house experience with these types of projects. Moreover, because ERP implementations are such large, complex undertakings, finance teams may not think they have the influence to put their requirements front and center in such a major IT-led undertaking.

Finally, many finance teams harbor the misconception that they can implement or improve system controls after the fact. What they don’t realize is that adding proper controls once the system is operating is an expensive and time-consuming proposition. In the meantime, threats are introduced to the underlying financial control environment, and the organization incurs unacceptable levels of risk to internal controls over financial reporting.

Common pitfalls in addressing GRC requirements

Here is a summary of some additional reasons governance and controls can get left behind in an ERP implementation:

  • Difficulty redesigning complex business processes: Deciding that processes are too complex and time consuming to redesign during a fast-track implementation keeps complex control frameworks in place that could be streamlined.
  • Complex and lengthy financial close and consolidation process: Organizations accept inefficient processes as the way it’s always been instead of taking time to envision the possibility of more efficiently designed processes and a rationalized control framework that mitigates risk.
  • “Lift and shift” implementation approach: Because the system is considered turnkey, or “off-the-shelf,” modules are considered already designed, resulting in reduced interaction with finance and accounting departments.
  • Failure to transform and streamline manual processes: Highly manual accounting and finance processes that aren’t addressed during system design and implementation will invariably result in inefficiencies and data integrity risks as well as manual controls being carried over to the new ERP system.
  • Data deficiencies: Data not structured to achieve desired agility, efficiency, and reporting results will likely lead to shortcomings in the new system such as low data integrity.
  • Project cost: Sometimes organizations are pressured to reduce the cost of the overall project by excluding regulatory or reporting controls from the scope of early project phases. This results in more costly post-go-live projects later to address these gaps.

Some steps to consider for effective GRC management during your ERP system implementation

With the importance of timely GRC activities established, here are five potential measures that can be put into place early in the transformation journey to mitigate risk and produce better system outcomes.

Get in touch

Isa Farhat
Accounting and Reporting Advisory, Partner
Audit & Assurance
Deloitte & Touche LLP
+1 703 251 1109

Courtney Connors
Accounting and Reporting Advisory Senior Manager
Audit & Assurance
Deloitte & Touche LLP
+1 860 725 3368


1. Charmaine Wilson, “Assurance by design: Insights for a controls approach to transformation,” Deloitte, November 2021.
2. Ibid.

The services described herein are illustrative in nature and are intended to demonstrate our experience and capabilities in these areas; however, due to independence restrictions that may apply to audit clients (including affiliates) of Deloitte & Touche LLP, we may be unable to provide certain services based on individual facts and circumstances.
