Perspectives

GRC effectiveness in ERP implementations

Modernizing business processes and internal controls

Companies can have a lot riding on their enterprise resource planning (ERP) investments. So why do governance, risk, and controls (GRC) often get left behind? Take a look at some of the common pitfalls of addressing GRC requirements in an implementation, along with five measures you can put into place early on to help mitigate risk and produce better outcomes for your business transformation.

A compliance mindset for ERP implementation

At the center of most finance transformations today is an ERP system implementation waiting to unfold. With so much riding on these large-scale investments, companies need their ERP implementations to contribute to an effective business transformation.

However, opportunities are sometimes missed. One of the most common pitfalls is not adequately addressing the governance, risk, and controls (GRC) requirements of the ERP implementation. It’s also one that can be avoided with adequate planning and perspective.

A compliance-focused mindset can help organizations effectively mitigate risks in business transformations and ERP implementations as a mechanism for value creation and return on investment.¹ Approaching the process through the lens of compliance by design can elevate a governance and implementation framework to a controls-conscious transformation.²

Five key considerations for effective risk mitigation and controls effectiveness in ERP system implementations

Why governance, risk, and controls get left behind

Effective GRC processes are foundational to improving the accuracy and reliability of a financial accounting and reporting system. Because an ERP transformation will likely introduce new capabilities and risks, it is important to maintain effective controls in all stages of the rollout and to have effective internal control processes in place once the system is in production. That means addressing governance and controls from the earliest phases—design, during implementation and testing, and finally at and post go-live. All too often, however, controls are an afterthought in the ERP system design and implementation.

But why would an organization neglect such a critical aspect of the implementation? One reason is transformations today likely happen at a dizzying pace. Initiatives that once took five or six years to complete are now being implemented in much less time, thanks to the accelerating pace of business disruption and agile approaches.

In addition, ERP implementations require a level of integration and alignment that many enterprises are not prepared to handle because they may not have experience with these types of projects in house. Moreover, because ERP implementations are such large, complex undertakings, finance teams may not think they have the influence to put their requirements front and center in such a major IT-led undertaking.

Finally, many finance teams harbor the misconception that they can implement or improve system controls after the fact. What they don’t realize is that adding proper controls once the system is operating is an expensive and time-consuming proposition. In the meantime, threats are introduced to the underlying financial control environment, and the organization incurs unacceptable levels of risk to internal controls over financial reporting.

Common pitfalls in addressing GRC requirements

Here is a summary of some additional reasons governance and controls can get left behind in an ERP implementation:

Difficulty redesigning complex business processes: Deciding that processes are too complex and time consuming to redesign during a fast-track implementation keeps complex control frameworks in place that could be streamlined.
Complex and lengthy financial close and consolidation process: Organizations accept inefficient processes as the way it’s always been instead of taking time to envision the possibility of more efficiently designed processes and a rationalized control framework that mitigates risk.
“Lift and shift” implementation approach: Because the system is considered turnkey, or “off-the-shelf,” modules are considered already designed, resulting in reduced interaction with finance and accounting departments.
Failure to transform and streamline manual processes: Highly manual accounting and finance processes that aren’t addressed during system design and implementation will invariably result in inefficiencies and data integrity risks as well as manual controls being carried over to the new ERP system.
Data deficiencies: Data not structured to achieve desired agility, efficiency, and reporting results will likely lead to shortcomings in the new system such as low data integrity.
Project cost: Sometimes organizations are pressured to reduce the cost of the overall project by excluding regulatory or reporting controls from the scope of early project phases. This results in more costly post-go-live projects later to address these gaps.

Some steps to consider for effective GRC management during your ERP system implementation

With the importance of timely GRC activities established, here are five potential measures that can be put into place early in the transformation journey to mitigate risk and produce better system outcomes.

Contact us

First name*

Last name*

Email*

Company*

Title*

Location*

I agree to receive emailed reports, articles, event invitations and other information related to Deloitte products and services. I understand I may unsubscribe at any time by clicking the link included in emails.*

Yes No

The submission of personal information through this page is subject to Deloitte's Privacy Statement and Legal Terms. I have read and accept the terms of use.*

*Required

Get in touch

Isa Farhat
Accounting and Reporting Advisory, Partner
Audit & Assurance
Deloitte & Touche LLP
+1 703 251 1109

Courtney Connors
Accounting and Reporting Advisory Senior Manager
Audit & Assurance
Deloitte & Touche LLP
+1 860 725 3368

Endnotes

^1.Charmaine Wilson, “Assurance by design: Insights for a controls approach to transformation,” Deloitte, November 2021.
^2.Ibid.

The services described herein are illustrative in nature and are intended to demonstrate our experience and capabilities in these areas; however, due to independence restrictions that may apply to audit clients (including affiliates) of Deloitte & Touche LLP, we may be unable to provide certain services based on individual facts and circumstances.

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Viewing offline content

Tax

Consulting

Audit & Assurance

Deloitte Private

M&A and Restructuring

Risk & Financial Advisory

AI & Analytics

Cloud

Consumer

Energy, Resources & Industrials

Financial Services

Government & Public Services

Life Sciences & Health Care

Technology, Media & Telecommunications

Spotlight

Topics

Industries

More from Deloitte Insights

Careers

Students

Experienced Professionals

Job Search

Life at Deloitte

Alumni Relations

GRC effectiveness in ERP implementations

Modernizing business processes and internal controls

A compliance mindset for ERP implementation

Why governance, risk, and controls get left behind

Common pitfalls in addressing GRC requirements

Some steps to consider for effective GRC management during your ERP system implementation

Contact us

Get in touch

Endnotes

Recommendations

SOX and internal control over financial reporting services

SOX modernization

Link your accounts

Viewing offline content

GRC effectiveness in ERP implementations

Modernizing business processes and internal controls

A compliance mindset for ERP implementation

Why governance, risk, and controls get left behind

Common pitfalls in addressing GRC requirements

Some steps to consider for effective GRC management during your ERP system implementation

Contact us

Get in touch

Endnotes

Latest news from @DeloitteAcctg

Share the latest research, events, and more.

Recommendations

Link your accounts

You previously joined My Deloitte using the same email. Log in here with your My Deloitte password to link accounts. | | Deloitte users: Log in here one time only with the password you have been using for Dbriefs/My Deloitte.

You've previously logged into My Deloitte with a different account. Link your accounts by re-verifying below, or by logging in with a social media account.

Looks like you've logged in with your email address, and with your social media. Link your accounts by signing in with your email or social account.