Pillar Article | Compliance & Governance | DOC-COMPLIANCE-ERP-GOVE

ERP Governance and Internal Controls

Establishing effective governance frameworks and internal controls within ERP systems, covering segregation of duties, approval workflows, audit trails, and compliance monitoring.

12 min read
2,600 words
Updated 2026-02-24

Your Controls Are Only As Good As Your ERP Configuration#

If you're a CFO, Internal Audit Director, or Compliance Officer, you know that ERP systems are where internal controls live or die. The best-documented policies mean nothing if the ERP configuration allows someone to both create vendors and approve payments.

The uncomfortable truth: Most ERP implementations prioritise functionality over control. Go-live pressure pushes security and segregation of duties to "phase two"—which often never arrives. The result? ERPs that enable rather than prevent fraud, that create audit trail gaps rather than audit trails, that generate compliance risk rather than compliance assurance.

What's at stake: A single segregation of duties breach can enable six-figure fraud. A missing audit trail can turn a routine audit into a forensic investigation. A control failure in your ERP can mean regulatory penalties, restated financials, and personal liability for directors.

This article provides a practical framework for ERP governance—covering segregation of duties, approval workflows, audit trails, and compliance monitoring—designed for people who are responsible for control effectiveness, not just system functionality.

---

Governance as Foundation#

The Governance Framework#

1. Segregation of Duties (SoD)#

Segregation of duties ensures that no single individual can complete a transaction cycle without independent verification.

Key principles:

  • Custody of assets separate from recording
  • Authorisation separate from execution
  • Reconciliation performed by someone independent of processing

ERP implementation:

  • Role-based access control
  • SoD conflict matrices
  • Automated conflict detection
  • Compensating control documentation
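The conflict matrix and automated detection described above, as an added example (not code from the original article or from any ERP or GRC product). The role catalogue, the conflict pairs, the user assignments and the compensating-control register are all constructed for illustration; in practice they would be loaded from the ERP's role and authorisation tables. The same scan also produces the "super user" list the Monday-morning action plan asks for.

```python
"""Segregation-of-duties (SoD) conflict detection over ERP role assignments.

Added example, not code from the original article or any ERP vendor. The
role catalogue, conflict matrix and user assignments below are constructed
for illustration; a real run would load them from the ERP's role/authorisation
tables or a GRC export.
"""
from __future__ import annotations

from dataclasses import dataclass

# Business functions each ERP role grants (constructed; names are illustrative).
ROLE_FUNCTIONS: dict[str, frozenset[str]] = {
    "AP_CLERK": frozenset({"enter_invoice"}),
    "AP_MANAGER": frozenset({"approve_invoice", "approve_payment"}),
    "VENDOR_ADMIN": frozenset({"maintain_vendor_master"}),
    "TREASURY": frozenset({"release_payment"}),
    "GL_ACCOUNTANT": frozenset({"post_journal"}),
    "GL_REVIEWER": frozenset({"approve_journal", "reconcile_bank"}),
    # A "do everything" role: the super-user access the Monday-morning scan looks for.
    "SUPER_USER": frozenset({
        "enter_invoice", "approve_invoice", "approve_payment", "maintain_vendor_master",
        "release_payment", "post_journal", "approve_journal", "reconcile_bank",
    }),
}

# SoD conflict matrix: pairs of functions one person must never hold together.
CONFLICTS: list[frozenset[str]] = [
    frozenset({"maintain_vendor_master", "enter_invoice"}),    # create a vendor, bill from it
    frozenset({"maintain_vendor_master", "approve_payment"}),  # create a vendor, pay it
    frozenset({"enter_invoice", "approve_invoice"}),           # authorise own entries
    frozenset({"approve_payment", "release_payment"}),         # authorise and execute
    frozenset({"post_journal", "approve_journal"}),            # authorise own journals
    frozenset({"release_payment", "reconcile_bank"}),          # custody and recording
]


@dataclass(frozen=True)
class Finding:
    user: str
    conflict: tuple[str, str]
    via_roles: tuple[str, ...]
    status: str                      # "VIOLATION" or "MITIGATED"
    compensating_control: str | None = None


def effective_functions(roles: list[str]) -> frozenset[str]:
    """Union of functions granted by a user's roles; unknown roles grant nothing."""
    funcs: set[str] = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, frozenset())
    return frozenset(funcs)


def detect_conflicts(
    assignments: dict[str, list[str]],
    compensating: dict[tuple[str, frozenset[str]], str] | None = None,
) -> list[Finding]:
    """Return every (user, conflict pair) where the user's roles cover both sides.

    A conflict with a documented compensating control is reported as MITIGATED
    rather than VIOLATION, so the exception stays visible to auditors.
    """
    compensating = compensating or {}
    findings: list[Finding] = []
    for user, roles in sorted(assignments.items()):
        funcs = effective_functions(roles)
        for pair in CONFLICTS:
            if not pair <= funcs:
                continue
            a, b = sorted(pair)
            via = tuple(sorted(r for r in roles if ROLE_FUNCTIONS.get(r, frozenset()) & pair))
            control = compensating.get((user, pair))
            findings.append(Finding(user, (a, b), via, "MITIGATED" if control else "VIOLATION", control))
    return findings


def broad_access_users(assignments: dict[str, list[str]], max_functions: int = 4) -> list[str]:
    """Users whose effective access exceeds max_functions: the 'super user' list."""
    return sorted(u for u, roles in assignments.items() if len(effective_functions(roles)) > max_functions)


# Constructed sample: an undocumented conflict, a documented compensating
# control, a clean user, and a super user.
SAMPLE_ASSIGNMENTS: dict[str, list[str]] = {
    "alice": ["AP_CLERK", "VENDOR_ADMIN"],
    "bob": ["AP_MANAGER", "TREASURY"],
    "carol": ["GL_ACCOUNTANT"],
    "dave": ["SUPER_USER"],
}
SAMPLE_COMPENSATING = {
    ("bob", frozenset({"approve_payment", "release_payment"})):
        "Monthly independent review of payment runs by Financial Controller (CC-017)",
}

if __name__ == "__main__":
    for f in detect_conflicts(SAMPLE_ASSIGNMENTS, SAMPLE_COMPENSATING):
        print(f"{f.status:9} {f.user:6} {f.conflict[0]} + {f.conflict[1]}  via {', '.join(f.via_roles)}"
              + (f"  [{f.compensating_control}]" if f.compensating_control else ""))
    print("Broad-access users:", broad_access_users(SAMPLE_ASSIGNMENTS))
```

Two design points worth noting. The check is done on effective functions, not on role names, because a conflict is almost always created by combining individually harmless roles (here `AP_CLERK` plus `VENDOR_ADMIN`). And a compensating control downgrades the finding rather than suppressing it, so the exception register stays auditable; a scan that silently drops "accepted" conflicts is how mitigations outlive the controls that justified them.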

2. Approval Workflows#

ERP systems enforce approval hierarchies that ensure appropriate authorisation.

Workflow design principles:

  • Approval thresholds aligned with authority levels
  • Escalation paths for exceptions
  • Delegation mechanisms for absences
  • Audit trail of all approvals

3. Audit Trails#

Comprehensive audit trails enable investigation and compliance verification.

Audit trail requirements:

  • User identification
  • Timestamp
  • Before and after values
  • Transaction context

Retention considerations:

  • Regulatory requirements (typically 7 years)
  • Legal hold capability
  • Tamper-proof storage
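An added example (not code from the original article or any ERP product) of what a record meeting the requirements above looks like, and why "tamper-proof" is a property you can test rather than a label: each event carries user, timestamp, before and after values and transaction context, and is chained to its predecessor by a SHA-256 digest, so an edited or deleted history entry is detected. The table and field names, the users and the sample events are constructed. The same structure is what lets you answer the action-plan question "who changed customer X's credit limit, what was it before, and who approved it".

```python
"""Append-only, hash-chained audit trail with before/after values.

Added example, not code from the original article or any ERP product. The
table and field names, users and the sample events are constructed. Real ERPs
keep this in change-document or audit tables; the point here is the shape of
a record that can answer "who changed X, from what, to what, under which
approval", and how a hash chain makes edits to history detectable.
"""
from __future__ import annotations

import dataclasses
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

PAYLOAD_FIELDS = ("seq", "timestamp", "user", "table", "record_key",
                  "field", "old_value", "new_value", "context")
GENESIS = "0" * 64


@dataclass(frozen=True)
class AuditEvent:
    seq: int
    timestamp: str          # ISO-8601, UTC
    user: str               # authenticated ERP user, never a shared account
    table: str
    record_key: str
    field: str
    old_value: object       # None for a create
    new_value: object
    context: str            # transaction / approval reference
    prev_digest: str
    digest: str


def _digest(payload: dict, prev_digest: str) -> str:
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"), default=str)
    return hashlib.sha256((prev_digest + canonical).encode()).hexdigest()


class AuditTrail:
    """In-memory stand-in for an append-only audit table."""

    def __init__(self) -> None:
        self._events: list[AuditEvent] = []

    def append(self, *, user, table, record_key, field, old_value, new_value,
               context, timestamp=None) -> AuditEvent:
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self._events[-1].digest if self._events else GENESIS
        payload = dict(seq=len(self._events), timestamp=ts, user=user, table=table,
                       record_key=record_key, field=field, old_value=old_value,
                       new_value=new_value, context=context)
        event = AuditEvent(**payload, prev_digest=prev, digest=_digest(payload, prev))
        self._events.append(event)
        return event

    def events(self) -> list[AuditEvent]:
        return list(self._events)

    def history(self, table: str, record_key: str, field: str | None = None) -> list[AuditEvent]:
        """Every change to one record (optionally one field), oldest first."""
        return [e for e in self._events
                if e.table == table and e.record_key == record_key
                and (field is None or e.field == field)]


def verify(events: list[AuditEvent]) -> tuple[bool, int | None]:
    """Recompute the chain; return (True, None) or (False, index of first bad event)."""
    prev = GENESIS
    for i, ev in enumerate(events):
        payload = {k: getattr(ev, k) for k in PAYLOAD_FIELDS}
        if ev.seq != i or ev.prev_digest != prev or _digest(payload, prev) != ev.digest:
            return False, i
        prev = ev.digest
    return True, None


def build_sample_trail() -> AuditTrail:
    """Constructed events: a vendor create and two credit-limit changes."""
    t = AuditTrail()
    t.append(user="a.patel", table="vendor", record_key="V-3310", field="bank_account",
             old_value=None, new_value="12-3456-0789012-00", context="VEND-CREATE-8817",
             timestamp="2026-01-12T02:14:09+00:00")
    t.append(user="j.smith", table="customer", record_key="C-1042", field="credit_limit",
             old_value=50000, new_value=75000, context="CR-2291 approved by m.jones",
             timestamp="2026-01-20T21:03:44+00:00")
    # A direct table update with no approval reference: exactly the change an
    # auditor wants to find, and one a creates-only log would never record.
    t.append(user="svc_batch", table="customer", record_key="C-1042", field="credit_limit",
             old_value=75000, new_value=250000, context="direct update, no approval ref",
             timestamp="2026-02-03T09:41:17+00:00")
    return t


def tamper(events: list[AuditEvent], index: int) -> list[AuditEvent]:
    """Simulate someone rewriting history: a copy with one old_value edited in place."""
    edited = list(events)
    edited[index] = dataclasses.replace(events[index], old_value=events[index].new_value)
    return edited


if __name__ == "__main__":
    trail = build_sample_trail()
    for e in trail.history("customer", "C-1042", "credit_limit"):
        print(f"{e.timestamp} {e.user:10} {e.old_value} -> {e.new_value}  ({e.context})")
    print("chain intact:", verify(trail.events()))
    print("after tampering:", verify(tamper(trail.events(), 1)))
```

One caveat the chain alone does not cover: truncating the tail (dropping the most recent events) still verifies, because nothing after the cut refers back to the missing records. Tamper-evident storage therefore also needs the latest digest anchored somewhere the ERP administrators cannot write, such as a write-once log store or a periodic export to the audit function.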

4. Data Integrity Controls#

ERP systems must maintain data accuracy and completeness.

Control types:

  • Input validation
  • Referential integrity
  • Calculated field verification
  • Reconciliation processes

Compliance Monitoring#

Continuous Controls Monitoring#

Automated monitoring of control effectiveness:

SoD monitoring: Real-time detection of conflicts.

Threshold monitoring: Alerts when transactions exceed limits.

Pattern monitoring: Detection of unusual patterns that may indicate fraud.
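The threshold and pattern monitoring described above, run over sample AP postings, as an added example (not code from the original article or any ERP or GRC product). The invoice lines, the approval threshold and the rule parameters are constructed. Three rules are shown: a posting at or above the approval limit with no approver on record, a run of sub-threshold invoices from one vendor/requester pair that together exceed the limit (spend split to stay under an approval threshold), and the same vendor reference and amount posted twice.

```python
"""Continuous controls monitoring over AP invoice postings: threshold and pattern rules.

Added example, not code from the original article or any ERP or GRC product.
The invoice lines, the approval threshold and the rule parameters are
constructed; in production the same rules would run over an extract of the
invoice/payment tables on a schedule or on each posting.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from itertools import groupby


@dataclass(frozen=True)
class Invoice:
    id: str
    vendor: str
    requester: str
    vendor_ref: str          # invoice number as printed by the vendor
    amount: float
    posted: date
    approver: str | None     # None = posted without a workflow approval


@dataclass(frozen=True)
class Alert:
    rule: str
    invoice_ids: tuple[str, ...]
    detail: str


def unapproved_over_threshold(invoices: list[Invoice], threshold: float) -> list[Alert]:
    """Threshold monitoring: a posting at or above the limit with no approver on record."""
    return [Alert("unapproved_over_threshold", (inv.id,),
                  f"{inv.vendor}: {inv.amount:,.2f} >= {threshold:,.2f} with no approver")
            for inv in invoices if inv.amount >= threshold and not inv.approver]


def _pair(inv: Invoice) -> tuple[str, str]:
    return (inv.vendor, inv.requester)


def split_below_threshold(invoices: list[Invoice], threshold: float,
                          window_days: int = 3, min_count: int = 2) -> list[Alert]:
    """Pattern monitoring: several sub-threshold invoices from one vendor/requester
    pair inside a short window that together exceed the threshold."""
    alerts: list[Alert] = []
    ordered = sorted((i for i in invoices if i.amount < threshold), key=lambda i: (_pair(i), i.posted))
    for (vendor, requester), grp in groupby(ordered, key=_pair):
        items = list(grp)
        i = 0
        while i < len(items):
            j = i
            while j + 1 < len(items) and (items[j + 1].posted - items[i].posted).days <= window_days:
                j += 1
            window = items[i:j + 1]
            total = sum(x.amount for x in window)
            if len(window) >= min_count and total >= threshold:
                alerts.append(Alert("split_below_threshold", tuple(x.id for x in window),
                                    f"{vendor}/{requester}: {len(window)} invoices totalling "
                                    f"{total:,.2f} within {window_days} days, each below {threshold:,.2f}"))
                i = j + 1
            else:
                i += 1
    return alerts


def duplicate_invoice(invoices: list[Invoice]) -> list[Alert]:
    """Pattern monitoring: same vendor, same vendor reference, same amount posted twice."""
    seen: dict[tuple[str, str, float], list[str]] = defaultdict(list)
    for inv in invoices:
        seen[(inv.vendor, inv.vendor_ref, inv.amount)].append(inv.id)
    return [Alert("duplicate_invoice", tuple(ids),
                  f"{vendor}: ref {ref} for {amount:,.2f} posted {len(ids)} times")
            for (vendor, ref, amount), ids in sorted(seen.items()) if len(ids) > 1]


def run_monitor(invoices: list[Invoice], threshold: float) -> list[Alert]:
    alerts = (unapproved_over_threshold(invoices, threshold)
              + split_below_threshold(invoices, threshold)
              + duplicate_invoice(invoices))
    return sorted(alerts, key=lambda a: (a.rule, a.invoice_ids))


# Constructed sample: one split pattern, one unapproved large posting, one duplicate, one clean line.
SAMPLE_INVOICES = [
    Invoice("INV-1", "ACME", "p.lee", "A-1001", 9800.0, date(2026, 2, 2), "k.moss"),
    Invoice("INV-2", "ACME", "p.lee", "A-1002", 9700.0, date(2026, 2, 3), "k.moss"),
    Invoice("INV-3", "ACME", "p.lee", "A-1003", 9900.0, date(2026, 2, 4), "k.moss"),
    Invoice("INV-4", "GLOBEX", "r.chan", "G-7781", 42000.0, date(2026, 2, 5), None),
    Invoice("INV-5", "GLOBEX", "r.chan", "G-7781", 42000.0, date(2026, 2, 6), "d.ng"),
    Invoice("INV-6", "INITECH", "s.kim", "I-220", 3000.0, date(2026, 2, 10), "k.moss"),
]
APPROVAL_THRESHOLD = 10000.0

if __name__ == "__main__":
    for a in run_monitor(SAMPLE_INVOICES, APPROVAL_THRESHOLD):
        print(f"[{a.rule}] {', '.join(a.invoice_ids)}: {a.detail}")
```

The split rule is the one that matters most for a threshold-based control: a limit that is enforced per document is trivially bypassed by splitting, so the monitoring has to look across documents. The window and minimum count are tuning knobs; too tight and genuine weekly billing from a single supplier trips it, too loose and the alert is noise. Alerts here are data to be triaged by someone independent of the AP team, not an automatic block.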

Periodic Control Testing#

Regular testing of control effectiveness:

Design testing: Are controls appropriately designed?

Operating effectiveness: Are controls operating as designed?

Remediation tracking: Management of identified issues.

NZ/AU Regulatory Context#

New Zealand#

Financial Markets Conduct Act 2013: Financial reporting and disclosure requirements for FMC reporting entities, including NZX-listed issuers.

Companies Act 1993: Director duties, including the obligation to keep accounting records that correctly record and explain the company's transactions.

Privacy Act 2020: Data protection requirements.

Australia#

Corporations Act 2001: Director duties and financial reporting requirements, including keeping financial records for 7 years.

ASX Corporate Governance Principles and Recommendations: Governance standards for ASX-listed entities.

Privacy Act 1988: Australian privacy requirements.

Governance Roles and Responsibilities#

Management#

  • Design and implement controls
  • Monitor control effectiveness
  • Remediate identified issues

Internal Audit#

  • Independent assessment of controls
  • Recommendations for improvement
  • Follow-up on remediation

External Audit#

  • Audit of financial statements
  • Assessment of internal controls over financial reporting
  • Management letter findings

Audit Committee/Board#

  • Oversight of control environment
  • Review of audit findings
  • Approval of significant control changes

ERP Configuration Best Practices#

Role Design#

  • Roles based on job functions
  • Minimal necessary access
  • Regular access reviews
  • Documented role definitions

Workflow Configuration#

  • Approval thresholds aligned with delegation of authority
  • Exception handling procedures
  • Timeout and escalation rules
  • Mobile approval capability

Change Management#

  • Controlled transport process
  • Testing in non-production environments
  • Documentation of changes
  • Approval before promotion

Monday Morning Action Plan#

This week:

  1. Run the SoD Quick Scan: List all users with "super user" or "administrator" access. Each one is a control gap waiting to happen.
  2. Check Your Audit Trail: Can you answer: "Who changed customer X's credit limit last month, what was it before, and who approved it?" If not, your audit trail is inadequate.
  3. Review Critical Workflows: For your top 3 highest-risk processes (typically: procurement, payments, journal entries), document what controls exist in the ERP vs. manual workarounds.
  4. Schedule the "Phase Two" Conversation: If security was deferred during implementation, schedule the meeting to define what "phase two" means and when it happens.
  5. Test Your Compliance Reporting: Run your standard compliance reports. Do they actually work? Are they accurate? Fix before auditors ask.

---

Conclusion: Governance Enables Trust#

ERP governance is not bureaucratic overhead. It is the foundation of trust in organisational data and processes. Effective governance protects the organisation, enables compliance, and supports decision-making with reliable information.

Frequently Asked Questions#

What is segregation of duties in an ERP system?

Segregation of duties (SoD) is the control principle that no single user should be able to initiate, approve, and record a transaction. In an ERP, this is enforced through role-based access control: the user who creates a purchase order cannot approve it, and the user who approves it cannot reconcile the invoice. Auditors test for SoD violations during access reviews; they are among the most common ERP audit findings.

What audit trail requirements apply to ERP systems in NZ and AU?

In NZ and AU, company and tax law require financial records to be kept for at least 7 years (Companies Act 1993 and Inland Revenue record-keeping rules in NZ; Corporations Act 2001 in AU). Those statutes prescribe retention, not log formats; what auditors expect in practice is an audit trail that records, for every posting and master-data change, the user, timestamp, before-and-after values and transaction context (and source IP where the system captures it), held in storage that cannot be quietly edited. Modern ERPs satisfy this via change documents, event-sourced ledgers or append-only audit tables; legacy ERPs sometimes log only creates, not updates, which is a common gap.

Does an ERP need ISO 27001 certification?

Your ERP itself doesn't need certification, but the vendor (or your hosting provider) typically does. ISO 27001 certification of the platform demonstrates that information-security controls (access control, encryption, incident response, vendor management) meet the international standard. NZ and AU enterprise buyers regularly require it; SMBs often don't, but it is a strong supplier due-diligence signal.

How do you implement approval workflows in an ERP?

Approval workflows are configured per transaction type: purchase orders over a threshold need manager approval, journal entries need a second sign-off, supplier master changes need finance director approval. Modern ERPs use a workflow engine that supports conditional routing (amount, supplier, GL account) and parallel approvers. Hard-coded approval logic is a customisation red flag — it should always be data-driven.
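What "data-driven rather than hard-coded" looks like, as an added example that is not code from the original article or any ERP workflow engine. It also covers the workflow design principles from earlier in the article (thresholds aligned with authority, delegation for absences, parallel approvers). Rule names, approver roles, GL prefixes and amounts are constructed; the thresholds, conditions and delegations sit in tables that finance can change and auditors can read, while the engine itself contains no amounts at all.

```python
"""Data-driven approval routing: rules as data, evaluated per document.

Added example, not code from the original article or any ERP workflow engine.
Rule names, approver roles, GL prefixes and thresholds are constructed. The
point is that thresholds, routing conditions, parallel approvers and
delegation live in tables, not in code.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_type: str                 # purchase_order | journal_entry | vendor_master_change
    requester: str
    amount: float = 0.0
    gl_account: str = ""
    changed_field: str = ""       # for master-data changes


@dataclass(frozen=True)
class Rule:
    name: str
    doc_type: str
    steps: tuple[tuple[str, ...], ...]   # sequential steps; roles within a step approve in parallel
    min_amount: float | None = None
    gl_prefix: str | None = None
    changed_field: str | None = None

    def matches(self, doc: Document) -> bool:
        return (doc.doc_type == self.doc_type
                and (self.min_amount is None or doc.amount >= self.min_amount)
                and (self.gl_prefix is None or doc.gl_account.startswith(self.gl_prefix))
                and (self.changed_field is None or doc.changed_field == self.changed_field))


# Constructed rule table. Steps are appended in rule order, so cheaper approvals go first.
RULES: list[Rule] = [
    Rule("po_over_10k", "purchase_order", (("cost_centre_manager",),), min_amount=10_000),
    Rule("po_over_100k", "purchase_order", (("procurement_lead",), ("cfo",)), min_amount=100_000),
    Rule("capex_gl", "purchase_order", (("capex_committee",),), gl_prefix="15"),
    Rule("journal_second_signoff", "journal_entry", (("gl_reviewer",),)),
    Rule("vendor_bank_change", "vendor_master_change", (("ap_manager", "finance_director"),),
         changed_field="bank_account"),
]

# Delegations for absences: role -> stand-in role. Also data, also auditable.
DELEGATIONS: dict[str, str] = {"cfo": "deputy_cfo"}


def route(doc: Document, rules: list[Rule] = RULES,
          delegations: dict[str, str] | None = None) -> list[tuple[str, ...]]:
    """Sequential approval steps for a document; each step is the set of roles that must all approve."""
    delegations = delegations or {}
    steps: list[tuple[str, ...]] = []
    for rule in rules:
        if not rule.matches(doc):
            continue
        for step in rule.steps:
            resolved = tuple(delegations.get(role, role) for role in step)
            if resolved not in steps:           # the same approver is not asked twice
                steps.append(resolved)
    return steps


class ApprovalRun:
    """Tracks approvals against the routed steps; enforces no self-approval and
    one person per role within a parallel step (four-eyes on the vendor change)."""

    def __init__(self, doc: Document, rules: list[Rule] = RULES,
                 delegations: dict[str, str] | None = None) -> None:
        self.doc = doc
        self.steps = route(doc, rules, delegations)
        self.approved: list[dict[str, str]] = [{} for _ in self.steps]   # role -> approver

    def current_step(self) -> int | None:
        for i, step in enumerate(self.steps):
            if any(role not in self.approved[i] for role in step):
                return i
        return None

    def is_complete(self) -> bool:
        return self.current_step() is None

    def approve(self, approver: str, approver_roles: set[str]) -> bool:
        i = self.current_step()
        if i is None or approver == self.doc.requester or approver in self.approved[i].values():
            return False
        pending = [r for r in self.steps[i] if r not in self.approved[i] and r in approver_roles]
        if not pending:
            return False
        self.approved[i][pending[0]] = approver
        return True


if __name__ == "__main__":
    po = Document("purchase_order", "p.lee", amount=150_000, gl_account="150100")
    print("PO route:", route(po, RULES, DELEGATIONS))
    run = ApprovalRun(Document("vendor_master_change", "a.patel", changed_field="bank_account"))
    print("vendor change steps:", run.steps, "self-approve:", run.approve("a.patel", {"ap_manager"}))
```

Because the engine never mentions an amount or a GL account, raising the PO threshold is a change to a row, with its own audit trail, rather than a code transport; and the parallel step on vendor bank-account changes needs two distinct people, which is the control that stops one AP manager redirecting a supplier's payments.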

What is the difference between ERP governance and ERP security?

Security prevents unauthorised access (authentication, authorisation, encryption). Governance ensures authorised users follow correct business processes (workflow enforcement, SoD, approval thresholds, audit trail). A secure ERP can still have weak governance — and vice versa. Auditors test both: penetration tests for security, walkthrough sampling for governance.