SS&E is a formal, expert-led review of your existing or proposed Accounting/ERP system's configuration, processes, and internal controls to determine their efficiency, compliance, and security.

It ensures that the core system acts as a single source of truth globally, unifying processes, maintaining consistent financial controls, and meeting diverse international compliance standards.

We specialize in evaluating major platforms including SAP (S/4HANA), Oracle, Microsoft Dynamics 365, NetSuite, as well as mid-market solutions like Sage, QuickBooks, and Xero.

An IT Audit focuses on technical infrastructure and IT General Controls (ITGCs). SS&E focuses on the application layer and how the system supports financial and operational business processes.

The objective is to identify systemic inefficiencies, control gaps, data integrity risks, and non-compliance areas that could negatively impact financial reporting and operational effectiveness .

No. SS&E is equally critical post-implementation to ensure the system is being used as intended and that business changes (mergers, new products) are correctly reflected in the configuration.

A Gap Analysis is the core deliverable that compares your current system's capabilities and configurations (the "As-Is") against industry best practices, regulatory requirements, or your organization's ideal state (the "To-Be).

By identifying and recommending the automation of manual steps within the system, such as transaction processing or reconciliation, we help reduce human resource time and error rates.

Yes. We specifically evaluate the configuration of currency translation, inter-company elimination rules, and the Chart of Accounts (COA) mapping for accurate global consolidation.

Our location allows us to offer cost-effective, expert resources and leverage the time difference to perform system analysis and configuration changes outside of your primary business hours.

We focus on the Financials (GL, AP, AR), Procurement, Inventory/Fixed Assets, and Order-to-Cash modules, as they directly impact financial statements and controls.

By providing assurance that the underlying data used for Business Intelligence (BI) is accurate, reliable, and timely, it gives management confidence in their reporting and forecasts.

The output is a formal Report detailing Findings, Risk Ratings, and Recommended Action Plans for system and process remediation.

Yes. Our methodology is adapted to evaluate the controls and configurations of both cloud-based (SaaS) and on-premise deployments.

We proactively check the system's audit trail completeness, control effectiveness, and compliance documentation, reducing potential findings during your annual financial audit.

  We analyze core cycles: Order-to-Cash (O2C), Procure-to-Pay (P2P), Record-to-Report (R2R), and Hire-to-Retire (HR/Payroll).

Yes. We evaluate potential systems against your defined requirements, a service commonly known as a Requirements and Feasibility Study.

We analyze the extent of customizations, non-standard configurations, and third-party integrations, which often introduce maintenance challenges and control risks.

It ensures that the system's configuration has not drifted over time due to operational quick fixes and remains compliant with evolving tax and accounting standards.

Yes, limited involvement is required, primarily to provide access to system documentation, configuration settings, and to validate our findings.

We focus on Application Controls—automated controls embedded within the software that ensure transaction accuracy, authorization, and completeness (e.g., automatic three-way match) .

We analyze the combination of user roles, profiles, and permissions to identify and report on conflicting access that allows a single user to initiate, approve, and record a financial transaction .

It ensures that all changes to the production system (e.g., configuration settings, access roles, or code) are properly requested, tested, and approved before deployment, preventing unauthorized manipulation of financial processes.

The primary risk is fraud or material error, as it allows an individual to bypass critical internal checks designed to safeguard company assets and financial data.

We verify that the system is configured to log all critical events (who, what, when, where)—especially around master data changes (e.g., vendor bank details) and transaction reversals—for complete traceability.

Yes. We review user provisioning/deprovisioning processes, password complexity rules, multi-factor authentication setup, and review procedures for privileged access (super-users).

We perform walkthroughs and detailed testing using samples of transactions to ensure the automated controls (e.g., maximum dollar limits on purchases) are functioning as designed.

Risks include data inconsistency, incomplete data, and unauthorized changes, which directly lead to reporting errors, incorrect payments, and control failures.

We check for system configuration of data validation rules at the point of entry (e.g., ensuring a tax ID format is correct or a customer number exists) to promote data integrity.

Yes. For clients targeting the USA, our review focuses heavily on the system's design and operating effectiveness of controls over financial reporting, aligning with SOX requirements.

Best practice dictates a full SOD access review at least Half-Yearly, with continuous monitoring for critical functions like cash and treasury.

Yes. Based on the evaluation, we can recommend and assist in implementing specialized tools that automatically monitor and report on SOD violations .

We focus on reviewing the client's configuration of the Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) security settings, access provisioning, and integration points, as the vendor manages the infrastructure layer.

ITGCs are the foundation—policies around data centers, infrastructure, and core IT processes. While we focus on the application, we evaluate the application's reliance on key ITGCs, particularly change management and backup procedures.

We review the design of the APIs, data transfer protocols, and credential management to ensure data is securely transmitted and logged between integrated systems.

Yes. We review the recovery plan, the frequency of backups, and the results of any DR testing to ensure business continuity can be maintained for critical systems.

We review the system's configuration to ensure strict controls are applied to manual journal entries: mandatory approvals, justification text, and restricted access to post directly to the GL.

Strict SOD must be in place, requiring independent approval for changes to critical fields (e.g., bank account details), ideally by a non-AP user.

Yes. We check the system's configuration for data masking, data retention policies, and access restrictions for Personally Identifiable Information (PII) to support global data privacy compliance.

We recommend and assist with pre- and post-upgrade testing to confirm that critical application controls have not been inadvertently bypassed or disabled by the upgrade process.

RLS restricts which rows of data a user can see (e.g., a manager only sees their region's sales). We test RLS configuration to ensure it effectively restricts access in multi-entity environments.

Yes. We check controls for asset capitalization, disposal, depreciation run approvals, and ensuring no unauthorized changes to depreciation keys.

We provide prioritized, practical remediation recommendations, clearly defining the configuration change, the new control owner, and the expected risk reduction.

High-security controls like multi-user approval for electronic funds transfers (EFTs), mandatory audit logs, and highly restricted access to bank master data.

Yes. We review virtual private network (VPN) requirements, endpoint security, and access controls for users connecting to the ERP system remotely.

This is a high-risk finding, as it destroys the audit trail, making it impossible to attribute actions to an individual, severely impacting accountability and control monitoring.

We review controls ensuring the correct valuation method (e.g., FIFO, Weighted Average) is correctly configured and that inventory adjustments require approval.

Yes. We deliver a detailed Control Matrix listing the control ID, risk addressed, control objective, the test performed, and the final assessment of operating effectiveness.

Super-user accounts are high-risk. We review their access, business justification, and the compensatory controls in place (e.g., management review of their activity logs) .

Yes. We verify that the system effectively logs, routes, and ensures timely resolution of system errors, preventing data loss or process interruption.

We evaluate the potential for increased automation of purchase requisition approvals, three-way matching, and payment batch generation, reducing manual intervention and cycle time.

Opportunities include automating bank reconciliation, standardizing financial reporting templates, and configuring the system for faster Month-End Close processes.

We analyze transaction processing times, report generation speed, and potential data bottlenecks to ensure the system scales efficiently with your global transaction volume.

Yes. We advise on designing a flexible COA that accommodates both detailed operational reporting and streamlined consolidated statutory reporting (IFRS/US GAAP).

We assess if the system effectively integrates actuals with planning models, supports scenario analysis, and provides timely variance reporting against the budget.

Yes. We evaluate if customizations are still necessary, documented, and if their maintenance cost outweighs the business benefit, often recommending a return to standard functionality.

By optimizing configurations for early payment discounts (AP), automated dunning processes (AR), and detailed inventory tracking, we enhance the Cash Conversion Cycle.

Common issues include inconsistent master data definitions, non-standardized process workflows across entities, and incorrect currency translation settings.

We verify the configuration of mandatory document attachments, data retention policies, and the ability to generate compliance-specific reports (e.g., tax data extracts).

Yes. We identify opportunities to configure the system (or integrate extensions) to track and report on non-financial metrics like resource consumption and sustainability data.

We assess the UI/UX based on end-user feedback and system usage logs to identify friction points that hinder productivity and recommend necessary screen or workflow adjustments.

Yes. We review the configuration of contract elements, performance obligations, and the automated scheduling of revenue recognition postings.

We check the specific configuration of the payroll module's interface to ensure compliant and accurate real-time reporting to the relevant tax authorities.

A data dictionary provides a single, agreed-upon definition for every data field, ensuring all users and reports interpret terms (e.g., 'Revenue') consistently.

We identify where operational teams rely on manual spreadsheets or external systems (Shadow IT) due to system gaps, recommending configuration changes to bring processes back into the controlled ERP.

Yes. We review the quality and availability of internal Standard Operating Procedures (SOPs) and training manuals to ensure new and existing users follow the configured processes correctly.

We factor in licensing costs, maintenance fees, customization costs, and internal IT support time, comparing it against the system's current business value.

Yes. We check the configuration for specific regional mandates, such as the mandated format and data fields for e-invoicing and localized reporting.

It provides a fast, objective assessment of the target company's ERP configuration, helping to plan the integration or migration effort and estimate associated control risks.

Yes. We review the documented recovery time objectives (RTO) and recovery point objectives (RPO) and the testing frequency to ensure they meet your business needs.

Daily monitoring focuses on high-frequency controls: reviewing critical access logs, monitoring failed automated jobs (e.g., nightly batch runs), and flagging high-value manual transactions.

Treasury departments, IT security, and compliance officers who require real-time assurance of system integrity and control effectiveness over sensitive functions.

Weekly deliverables include a Security Incident Report, a summary of master data changes (vendor/customer), and a review of open system issues/tickets impacting financial data integrity.

It provides the management team with a concise, recurring report on the health and control status of the core financial systems, allowing for timely intervention.

Monthly focus is on the Record-to-Report (R2R) cycle: reviewing system-generated Month-End Close checklists, analyzing suspense account activity, and testing a sample of GL manual journal entry controls.

By proactively identifying and reporting control breakdowns or configuration errors before final reporting, it accelerates and validates the accuracy of the financial close.

Quarterly includes a deep dive into Segregation of Duties (SOD), a review of user access changes, and an assessment of compliance with quarterly tax reporting configuration.

It simulates an internal audit by testing control effectiveness across key processes, providing documented evidence and remediation status to the internal audit function.

The Half-Yearly service is a comprehensive review covering all IT General Controls (ITGCs) impacting the ERP, a data retention policy review, and a system performance tuning recommendation.

The Yearly service focuses on Annual Planning and Audit Readiness: reviewing the system's ability to handle the new fiscal year's budget, testing the Disaster Recovery Plan, and providing a detailed Control Assurance Report.

Yes. We often recommend Daily monitoring for high-risk modules (Treasury, Cash) and Monthly/Quarterly reviews for stable, lower-risk modules (Fixed Assets, HR).

Yes. We provide flexible, Ad-Hoc services to quickly assess the system impact and required configuration changes for unexpected business or regulatory shifts.

We maintain a living Control Matrix and SOP document which is updated with every Quarterly or Half-Yearly review, ensuring documentation is always current.

Weekly checks include monitoring the volume of invoices that fail the automated three-way match and reviewing unauthorized purchase order creations.

We provide a detailed Action Plan Tracker that clearly assigns ownership, a target completion date, and risk score for every finding, reviewed Monthly with management.

As part of the Yearly review, we evaluate the system's setup for the upcoming year's tax rate and rule changes and recommend necessary configuration adjustments.

Yes. We align our Yearly or Half-Yearly reviews to occur just before the external audit fieldwork, providing them with pre-tested evidence and saving your internal team time.

We use clear, executive-level reports, often leveraging modern BI tools (like Power BI) to present key findings, risk heatmaps, and trend analysis of control failures .

Our consultants hold dedicated knowledge transfer sessions with your IT and finance super-users at least Quarterly, focusing on system changes and new control procedures.

Yes. We recommend a Quarterly post-go-live review during the first year to ensure user workarounds haven't bypassed controls and that all planned functionality is active .

If a critical control fails, we immediately initiate the defined escalation procedure, notifying the designated risk owner and assisting with immediate triage and remediation .

We conduct a Yearly review of actual user access levels versus purchased licenses to ensure compliance and optimize licensing costs.

​ Yes. As part of the Half-Yearly review, we benchmark your system configuration and control effectiveness against industry peers and leading practices.

This is typically a Monthly control check, analyzing system logs for unauthorized changes to critical fields like payment information.

Yes. For clients undergoing migration, we perform a dedicated SS&E to review the ETL (Extract, Transform, Load) controls and data validation protocols.

The outcome is a documented list of users with unnecessary or excessive access, which is then formally tracked for remediation and access removal.

Yes. For systems supporting mobile access, we review the authentication and security policies applied to mobile devices, often as part of the Quarterly review.

We analyze the system's scalability and performance logs to ensure it can efficiently process the high volume and rapid turnover common in Far Eastern markets.

We begin with a Scoping and Risk Assessment Workshop to define the critical processes and systems to be included in the study, aligning the scope with your risk profile .

The SS&E provides a baseline control assessment of your system, allowing us to configure our outsourcing processes to seamlessly integrate with and strengthen your existing system controls.