A running ERP answers one question: “Is the system live?”
It does not answer the harder ones: “Is it controlled, compliant, and defensible?”
Most organisations confuse system uptime with system health. The ERP processes transactions, generates reports, and nobody complains. But beneath the surface, silent failures accumulate. These are not the kind that crash servers, but the kind that damage credibility when auditors, investors, or regulators come knocking.
The Risks Hiding in Plain Sight
User access that was “temporarily” granted two years ago and never revoked.
The same person who creates vendors also approves payments: a textbook segregation-of-duties conflict.
Critical master data modified without approval workflows.
Journal entries posted with generic descriptions that make audit trails meaningless.
GST configurations that worked for the earlier rate structure but were never updated.
Month-end reconciliations happening in Excel because “the ERP report does not give us what we need.”
None of these trigger system alerts. None of these stop operations. All of these create exposure.
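Three of the gaps above (stale access, the vendor-creation/payment-approval conflict, and meaningless journal descriptions) can be caught mechanically from a plain export of the ERP's user-role, role-permission and journal tables. The following is an added example written for this page, not code from the author or from any ERP product: the table layout, column names, role names, conflict matrix, review date and every data row are constructed for illustration, and a real system's exports will differ. It goes slightly beyond the single case in the text by checking a whole conflict matrix, and by computing each user's effective permissions across all roles, since the conflict usually hides in a role combination rather than in any one role.

```python
from datetime import date, timedelta

# Constructed sample export: who holds which role, when it was granted, and when
# the grant was last re-certified in a user access review (None = never reviewed).
USER_ROLES = [
    {"user": "asha",  "role": "AP_CLERK",   "granted": date(2022, 3, 1),  "last_review": date(2023, 6, 30)},
    {"user": "asha",  "role": "AP_MANAGER", "granted": date(2022, 3, 1),  "last_review": date(2023, 6, 30)},
    {"user": "ravi",  "role": "AP_CLERK",   "granted": date(2025, 9, 15), "last_review": date(2025, 9, 15)},
    {"user": "temp1", "role": "GL_POSTER",  "granted": date(2023, 11, 2), "last_review": None},
    {"user": "meera", "role": "GL_POSTER",  "granted": date(2025, 1, 10), "last_review": date(2025, 12, 1)},
]

# Constructed role-to-permission map (what each role lets a user do).
ROLE_PERMISSIONS = {
    "AP_CLERK":   {"VENDOR_CREATE", "INVOICE_ENTER"},
    "AP_MANAGER": {"PAYMENT_APPROVE", "INVOICE_APPROVE"},
    "GL_POSTER":  {"JOURNAL_POST"},
}

# Constructed segregation-of-duties conflict matrix: pairs no single user should hold.
SOD_CONFLICTS = [
    ("VENDOR_CREATE", "PAYMENT_APPROVE"),
    ("INVOICE_ENTER", "INVOICE_APPROVE"),
]

# Constructed journal extract.
JOURNALS = [
    {"doc": "JV-1001", "user": "meera", "amount": 125000.0,
     "text": "Reclass Q3 marketing accrual to GL 64020 per memo M-77"},
    {"doc": "JV-1002", "user": "temp1", "amount": 980000.0, "text": "adjustment"},
    {"doc": "JV-1003", "user": "temp1", "amount": 42000.0,  "text": "misc"},
]

# Descriptions that carry no audit-trail value (constructed list; tune per ledger).
GENERIC_TEXTS = {"adjustment", "misc", "correction", "entry", "je", "n/a", ""}

# Constructed "as of" date for the review run.
AS_OF = date(2026, 1, 15)


def stale_access(user_roles, today, max_review_age_days=365):
    """Role grants never re-certified, or not re-certified within the review window."""
    cutoff = today - timedelta(days=max_review_age_days)
    return [(g["user"], g["role"]) for g in user_roles
            if g["last_review"] is None or g["last_review"] < cutoff]


def effective_permissions(user_roles, role_permissions):
    """Union of permissions each user holds across all roles; conflicts hide across roles."""
    perms = {}
    for g in user_roles:
        perms.setdefault(g["user"], set()).update(role_permissions.get(g["role"], set()))
    return perms


def sod_violations(user_roles, role_permissions, conflicts):
    """Users holding both sides of any conflict pair, regardless of which role grants each."""
    perms = effective_permissions(user_roles, role_permissions)
    return sorted((user, a, b) for user, p in perms.items()
                  for a, b in conflicts if a in p and b in p)


def generic_journals(journals, generic_texts, min_len=12):
    """Journal documents whose description is a generic word or too short to mean anything."""
    return [j["doc"] for j in journals
            if j["text"].strip().lower() in generic_texts or len(j["text"].strip()) < min_len]


if __name__ == "__main__":
    print("stale access:", stale_access(USER_ROLES, AS_OF))
    print("SoD violations:", sod_violations(USER_ROLES, ROLE_PERMISSIONS, SOD_CONFLICTS))
    print("generic journals:", generic_journals(JOURNALS, GENERIC_TEXTS))
```

Run against the constructed rows, the checks flag asha on both conflict pairs (each role alone is clean; together they are not), temp1's never-reviewed posting role, and the two journals whose text would tell an auditor nothing. The point is not the specific rules but that each check runs from data the ERP already holds, so it can be scheduled monthly rather than discovered during statutory audit.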
When Do These Issues Surface?
Almost always at the worst possible time.
During statutory audit, when the auditor asks for a user access matrix and you realise it was last reviewed eighteen months ago.
During internal audit, when segregation of duties violations reveal that controls exist on paper but not in practice.
During due diligence for funding or acquisition, when the buyer’s team starts asking uncomfortable questions about data integrity and process discipline.
During regulatory scrutiny, when you need to prove that your numbers are not just accurate, but defensible.
The Distinction Most Organisations Miss
System implementation is a project.
System governance is a discipline.
The implementation team left years ago and the consultants signed off, but the system kept evolving: new users were added, configurations were adjusted, workarounds were created, and patches were applied. Without continuous governance, every such change introduces drift, and unchecked drift accumulates into risk.
The Real Purpose of an ERP Audit
An ERP audit is not about finding faults. It is about identifying gaps before they become audit findings.
A periodic system health check highlights where controls have weakened, where configurations have moved away from statutory requirements, and where manual interventions have quietly replaced automated workflows. It is preventive risk management, not an indictment of the IT team or the implementation partner.
The question is not whether your ERP is running.
The real question is this: if someone audited your ERP tomorrow, not your financial statements, but your system controls, access logs, and data governance, would you be confident in what they would find?
I would be keen to hear from CFOs, auditors, and finance leaders. What was the most unexpected ERP control gap you discovered, and how did it come to light?
CA Darshil Surana
Consulting Director
Digital Transformation/Audit & Assurance
Kreston OPR, India
CA Darshil Surana is a finance and technology professional with over a decade of experience in IT advisory, systems audit, and digital transformation. As a Chartered Accountant, Information Systems Auditor, and Forensic Accountant, he focuses on ERP implementations, process automation, data analytics, and technology-driven compliance and risk advisory engagements.
For more such insightful perspectives on international business, taxation, and advisory topics, visit kreston.com. Stay tuned to krestonopr.com and follow Kreston OPR on LinkedIn for regular updates, expert insights, and thought leadership from our global network.