Leverage your S/4HANA implementation to digitise your internal control system

Jens Sumlak

Director Finance Transformation Assurance
PwC Switzerland

Introducing a new enterprise resource planning (ERP) system promises many advantages and efficiency gains – but also involves risks. Companies should leverage such transformations to design an internal control system (ICS) more effectively and to digitise it.

Companies are currently faced with economic uncertainty, cyber threats and gaps in their supply chains, as well as rapidly changing regulatory requirements. In this complex risk landscape, effective ICSs help companies to mitigate their risks and ensure the compliance of processes. At the same time, they can create value and help to lead the company into the future in an agile fashion. ERP implementation projects can play an important role in building an efficient control system, since they provide good opportunities to revise, simplify and digitise existing business processes.

A good time for an ICS upgrade

Implementing a new ERP system – or migrating to a more powerful version, such as SAP S/4HANA – involves certain risks. Since some processes change as a result of the new system, the existing ICS will inevitably have gaps. New functionalities may make existing controls ineffective – until new and effective controls are defined and implemented. Most of the time, the implementation of a new ERP system introduces more applications (such as an accounts payable workflow) or creates dependencies on third parties, which adds to the complexity. Likewise, the data migration has to be tested and validated and access to data adapted and secured. It must also be ensured that new or updated business processes meet all of the governance, risk and compliance (GRC) requirements.

A transformation project should therefore be used as an opportunity to comprehensively identify and assess any new operational and financial risks and to build an intelligent ICS. This is particularly true for Finance functions, where quality assurance of processes and data as well as reporting is especially important. Financial reporting regulations require companies to have internal controls in place to prevent material misstatements and fraud and to protect sensitive financial information. In this context, implementing an ERP system such as SAP S/4HANA or Microsoft Dynamics provides the opportunity not only to improve and streamline existing processes but also to digitise internal controls, e.g. through the use of automated controls.

For example, fraud can be prevented by using role-based security functions to prevent unauthorised access to financial data. If required, application controls can help to prevent fraud through a system-enforced four-eyes check and ensure that any changes to critical master data are recorded, reviewed and approved promptly and correctly. Another major advantage of automated application controls is that they minimise the risk of errors because they are preventive. For example, if an employee tries to book a supplier invoice that does not comply with the company’s specifications, the controls will automatically block payment of the invoice. This prevents costly corrective measures and increases the efficiency of the control processes.

Effective monitoring of internal controls supported by a GRC solution

Switching to a new ERP system – where new versions are released on a regular basis – means that business processes are less static and the stability of the internal control system is no longer ensured over extended periods. More and more companies are therefore turning to GRC solutions to automatically monitor and improve their system and process compliance. GRC systems provide automated mechanisms that continuously audit compliance with guidelines, processes and internal controls.

This enables the rapid identification of potential risks and weaknesses in the ICS, which can then be remedied. In this way, GRC systems can help companies to establish robust and effective ICSs, minimise compliance breaches and reduce risks.


If updating and automating the ICS is taken into account at an early stage in the transformation project, the ICS can be adapted to the processes and fulfil all of the regulatory and security-specific requirements. At the same time, potentially high costs are avoided, since it is very costly to introduce controls after the rollout of the ERP. It will be easier to manage the control system, and the management and external stakeholders can rely on the data from their ERP system and on the accuracy of the reporting right from the start. Modern ICSs also help organisations to get a better understanding of their financial processes and risks.

If a company aims to get the maximum possible benefit from implementing a new ERP system, it should therefore consider aspects such as compliance, security and controls right from the start, in the transformation strategy as well as in the implementation. This includes performing a thorough risk analysis across all of its processes to identify any potential weak points in the system. Further, the use of existing standard functionalities of the ERP system or data can help automate the ICS and thereby meet the compliance and security requirements.

We recommend considering these factors as early as the planning phase, and then monitoring and adjusting them continuously throughout the implementation phase. This will ensure that the – usually significant – investments in these projects create sustainable value for the company.

Finance Transformation Assurance

A successful transformation of your financial processes and systems requires security and trust.



Contact us

Jens Sumlak


Director, Finance Transformation Assurance, PwC Switzerland

Tel: +41 58 792 56 22

Antoine Wüthrich


Leader ERP & Business Process Excellence, PwC Switzerland

Tel: +41 58 792 82 27