Insight

Where does a new ERP system leave your risk and control environment?

By:
Alex Stepanyants,
Matthew Green
08 May 20266 min read
Quick summary
  • Enterprise Resource Planning (ERP) systems integrate and automate core business processes, but major upgrades or transformations may introduce an entirely new risk and control environment. 
  • When this shift isn’t properly assessed, organisations can face control gaps, audit issues and unexpected remediation costs well after go‑live. 
  • Creating, recording, and evaluating a comprehensive control framework before, during, and after implementation is essential for effective risk management, improving efficiencies and maintaining audit readiness. 
ERP systems automate and integrate core business processes across HR, finance, supply chain, inventory and operations. Like any major technology, they evolve over time.
Contents

Sometimes this is through incremental upgrades and other times it is through large‑scale transformation projects that introduce a new platform.

While keeping systems up to date is critical, the urgency to implement new software can mean the broader risk environment is overlooked. A new ERP system doesn’t just change how a business operates; it often introduces a new risk and control landscape. When project deadlines are pending, risk and control considerations can slip down the priority list. The result is often reactive problem‑solving, rather than a clear understanding of when issues arise and why.

While often thought of as a solely an IT responsibility, a transformation project of this scale is normally owned by business leadership: COO, CFO or CEO. So, it is critical they can show strong ROI and efficiency gains once the project is complete.

For organisations, the challenge is to remain in control throughout and after a digital transformation. Without considering this, business leaders risk facing additional costs to fix the sudden issues and rectify control gaps. 

The old control environment no longer exists

Implementing a new ERP system can also be an opportunity to redesign business processes. However, at a minimum, there should be time taken to remap existing business processes against the new ERP functionality.

When a new system is implemented, the risk environment changes but this is not always recognised in a timely manner. In some cases, issues only surface much later: for example, when auditors conduct control walkthroughs and identify gaps in the updated environment. 

Therefore, there is a need for a deliberate assessment of how controls operate post‑implementation to both confirm control design and control effectiveness or identify opportunities to better leverage the new system.

If done timely (ideally during the transformation or soon after) there is an opportunity to identify and rectify control issues. For example, the following may exist in the new environment:

  • Retired controls: manual checks that have been removed and not replaced with alternative (automated) controls.
  • Orphaned controls: controls that still exist but no longer have a clear owner or operator.
  • Invisible controls: automated controls that are operating in the background but remain undocumented or not properly tested.
  • Shadow controls: workaround controls that have shifted outside the ERP system to suit the outdated business processes.
  • Redundant controls: manual or system‑based checks that are still being carried out even though they may no longer be necessary. They remain because they've always been done that way.

So how can the new system be used to improve the control environment?

Once an ERP system has been implemented it is critical to identify and document which controls now rely on upgraded technology, which ones still remain manual (or still sit outside the system) and importantly, which controls could be transformed by leveraging new system functionality. For example, this could be because there is now a report for a certain process. There is also an opportunity to identify controls that are no longer needed such as manual detective controls replaced by automated preventative ones.  
 
To ensure the new ERP system is used effectively and delivers its intended value, the updated control environment across the end-to-end business processes should be discussed, documented and actively managed with a view to further streamline and optimise as the control environment matures.

The importance of maintaining audit-readiness 

One of the key questions to ask with a new ERP system: do I have controls across all my key business processes clearly identified, documented with clear ownership assigned? Failing to recognise this in a newly transformed environment could result in material control weaknesses and lead to an unfavourable outcome for your next audit. 

Documenting automated flows is another key step in the journey. It is important to sit down with key process stakeholders to understand how their business flows have changed and what the key control points are. 

The next step is to test. This should really be done throughout the project, especially before the new system goes live. When done early and continuously, you can be confident the control design and operating effectiveness are robust enough to send the new system live and satisfy the auditors. 

We’re here to help

Are you considering implementing a new ERP system or have you just undergone this digital transformation? Bring our team of experts along on your ERP system upgrade journey. We’ll work with you to map out your new control environment after the new system has been implemented to ensure that:

  • key business risks are proactively identified and managed
  • the control environment is optimised to unlock efficiency and value from the new system
  • manual effort and overall compliance costs are reduced
  • the business is audit‑ready with confidence.

If you’re interested in discussing an ERP system upgrade for your business, reach out to our team today. You should be confident your digital transformation project considers your new risk landscape. 

Learn more about how our Risk services can help you
Visit our Risk page
Learn more about how our Risk services can help you
TAGS  
Authors
  • Alex Stepanyants Alex has a proven track record in helping clients resolve complex challenges through innovative solutions. He is recognised for his highly approachable management style that fosters collaboration amongst teams and clients. View Profile
  • Matthew Green Matthew brings 19 years’ experience in providing IT risk assurance and advisory services to listed, Government and private enterprise. His extensive IT risk assurance and advisory experience covers business and technology across strategy, governance, operations, service delivery, procurement, major projects, data risk management and 3rd party auditing. View Profile

Related content

View more

Why we can’t keep avoiding real tax reform

Insight

As debate intensifies ahead of the Federal Budget, this insight examines why incremental tax changes are no longer sufficient for Australia. It argues for meaningful, productivity‑focused tax reform that addresses growing reliance on personal income tax, system complexity and long‑term budget sustainability, while carefully considering broader reforms such as the GST to ensure fairness and economic resilience.

Vince Tropiano
| 6 min read | 06 May 2026

AI driven vulnerability discovery is changing core cyber risk assumptions

Insight

AI-driven vulnerability discovery is compressing the time between weakness and exploitation. This insight explores what boards, CISOs and regulated entities need to change in their cyber risk assumptions, governance and oversight models.

Matthew Green
Daniel Farthing
| 4 min read | 05 May 2026

Managing macroeconomic risks through proactive stress testing

Client alert

Proactive stress testing to manage macroeconomic risk, strengthen financial stability and banking

Claire Scott
Tari Makanda
Jamil Saripada
| 4 min read | 01 Apr 2026
    View more