Internal Control: Building a Self-Defending System
How do you make your ERP system alert you to violations automatically? Insights from 20 years of system architecture experience.
After two decades of implementing ERP, SCM, and HRM systems, I’ve seen CEOs lose sleep over one thing: the fear of the unknown. Most businesses only discover fraud or errors when it’s too late.
Traditional Internal Control relies on signatures and manual checks. But people can be fallible, biased, or compromised. A truly robust management system must act as a 24/7 digital guardian.
The Trap of “Manual Oversight”
In many enterprises operating under IFRS or VAS, I see approval processes that are complex yet ineffective. Executives sign off on piles of documents without realizing that procurement prices are 20% above market rates or that a customer’s credit limit was breached weeks ago.
“A bad system turns good employees into liabilities; a great system makes it impossible for bad actors to succeed.”
3 Levels of Systemic Alerts
To build a system that “speaks up” when something is wrong, I always implement these three technical layers:
- Hard Validation: Preventing transactions that violate core business rules. For instance, the system blocks a shipment if the inventory level is insufficient or prevents a payment if the invoice doesn’t match the Purchase Order (PO).
- Tolerance Limits: The system allows for minor variances (e.g., 2-5% in price or quantity). Once exceeded, the system freezes the transaction and triggers a mandatory escalation to senior management.
- Exception Reporting: Instead of scrolling through endless reports, management receives real-time Alerts only for indicators outside the safety zone.
Comparison: Manual vs. System-Driven Control
| Feature | Manual Control | System-Driven Control |
|---|---|---|
| Speed | Slow, post-event detection | Real-time, pre-event prevention |
| Accuracy | Subjective and prone to human error | Absolute, based on Logic and Data |
| Cost | High labor cost, prone to corruption | One-time investment, continuous ROI |
| Fraud Risk | High (collusion, forged documents) | Very low (secured by Audit Trail) |
Real-world Case: The “Ghost Inventory” Lesson
I once consulted for a manufacturing firm that was losing millions annually due to raw material leakage. By implementing Three-way Matching (PO - Goods Receipt - Invoice), the system automatically rejected 15% of suspicious payment requests in the first month alone.
The secret wasn’t hiring more security guards; it was embedding Control Points and automated Workflows directly into the ERP core.
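The three alert layers and the Three-way Matching control described above can be sketched as one check. This is an added example, not code from the original article or from any ERP product; the `Doc` schema, the 2% tolerance, the status names and the sample documents are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal as D

TOLERANCE = D("0.02")  # assumption: low end of the 2-5% range in the text

@dataclass(frozen=True)
class Doc:  # one line of a PO, goods receipt or invoice (hypothetical schema)
    po_id: str
    sku: str
    qty: D
    unit_price: D = D("0")  # not used on goods receipts

def three_way_match(po, receipt, invoice):
    """Return (status, reasons); status is APPROVED, ESCALATE or BLOCKED."""
    # Layer 1, hard validation: all three documents must exist and agree on the line.
    if receipt is None:
        return "BLOCKED", ["no goods receipt for this PO line"]
    if len({(d.po_id, d.sku) for d in (po, receipt, invoice)}) != 1:
        return "BLOCKED", ["PO, receipt and invoice reference different lines"]
    if po.unit_price <= 0 or receipt.qty <= 0:
        return "BLOCKED", ["PO price or received quantity is not positive"]
    # Layer 2, tolerance limits: small variances pass, larger ones freeze the payment.
    reasons = []
    price_var = abs(invoice.unit_price - po.unit_price) / po.unit_price
    qty_var = abs(invoice.qty - receipt.qty) / receipt.qty
    if price_var > TOLERANCE:
        reasons.append(f"price variance {price_var:.1%} vs PO")
    if qty_var > TOLERANCE:
        reasons.append(f"quantity variance {qty_var:.1%} vs goods receipt")
    return ("ESCALATE", reasons) if reasons else ("APPROVED", [])

def exception_report(cases):
    """Layer 3: return only the invoices that need management attention."""
    report = []
    for invoice_id, po, receipt, invoice in cases:
        status, reasons = three_way_match(po, receipt, invoice)
        if status != "APPROVED":
            report.append((invoice_id, status, reasons))
    return report

PO = Doc("PO-1001", "RM-01", D("100"), D("10.00"))  # constructed sample data
GR = Doc("PO-1001", "RM-01", D("100"))
CASES = [
    ("INV-A", PO, GR, Doc("PO-1001", "RM-01", D("100"), D("10.10"))),    # 1% over PO price
    ("INV-B", PO, GR, Doc("PO-1001", "RM-01", D("100"), D("12.00"))),    # 20% over PO price
    ("INV-C", PO, None, Doc("PO-1001", "RM-01", D("100"), D("10.00"))),  # nothing received
    ("INV-D", PO, GR, Doc("PO-1001", "RM-01", D("110"), D("10.00"))),    # billed > received
]
if __name__ == "__main__":
    print(*exception_report(CASES), sep="\n")
```

Amounts use `Decimal` so that a variance sitting exactly on the tolerance boundary is not misjudged by floating-point rounding.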
Tuong’s Advice: Don’t wait for an audit to find the holes in your bucket. Configure your system to sound the alarm the moment a drop goes missing.