Checklist for ERP Audit Readiness

Preparing your ERP system for an audit can be overwhelming, but it’s essential to avoid compliance issues, delays, or financial risks. Here's a quick guide to make your ERP audit-ready:

• Documentation: Keep detailed records of project management, data migration, and security processes.
• Real-Time Reporting: Automate financial reports to ensure accuracy and cut audit stress.
• Access Controls: Use role-based permissions and segregation of duties to prevent fraud.
• Process Testing: Test key workflows like purchase-to-pay and order-to-cash to spot errors early.
• Regulatory Compliance: Configure your ERP for SOX 404 and GDPR requirements.
• Continuous Monitoring: Set up alerts for unusual activity and track issues with ticketing systems.

Step 1: Gather Pre-Audit Documentation

Preparing for an audit starts with assembling detailed documentation that demonstrates how your ERP system was governed and controlled. Auditors want to see a clear, organized trail of records showing how decisions were made, how data was managed, and how security was upheld throughout the ERP project.

With poor data quality costing businesses around $12.9 million annually[1], thorough documentation doesn’t just ensure compliance - it protects your bottom line. The key is to treat documentation as a core part of the project from the beginning, rather than scrambling to pull it together when an audit is imminent.

Project Management and Change Records

Your project governance documentation acts as a roadmap for how your ERP implementation was managed. Steering committee minutes should highlight major decisions, the rationale behind them, and the stakeholders involved. These records show auditors that your project had proper oversight and accountability.

Change logs are equally important. They provide evidence that adjustments to scope, budget, or timelines were managed responsibly. Each entry should outline what was changed, why the change was necessary, and who approved it. This demonstrates that your organization stayed in control, even when adapting to new challenges.

Risk registers are another essential piece of the puzzle. They show that your team anticipated potential issues and actively worked to address them, rather than reacting after the fact. Together, these records paint a picture of a well-controlled implementation process, which is vital for audit readiness.

One effective strategy is to assign a dedicated individual or small team to oversee audit readiness from the very start of your ERP project.

Data Transfer and Accuracy Records

Data migration is one of the riskiest parts of any ERP project, often accounting for 10–15% of the total system cost[2]. To satisfy auditors, you need to provide documentation that proves data was transferred accurately and completely from your old systems to the new ERP.

Start with data mapping documentation. This should outline how information from your legacy systems aligns with the structure of the new ERP. Include details like field-by-field mappings, transformation rules, and any format changes. This helps auditors verify the integrity of historical data.

Reconciliation reports are another must-have. These reports should compare record counts, financial totals, and key data points before and after migration. They should also explain any discrepancies and how they were resolved. Additionally, document the validation processes used to confirm data accuracy before loading it into the new system.

Error tracking records are crucial as well. These should show how your team identified, investigated, and resolved any data quality issues during migration. As ERP Focus puts it:

"Processing bad data in a good new system is not going to produce the results that they should be looking for and demanding." - ERP Focus

Be sure to document all data cleansing efforts, such as removing duplicates, fixing inaccuracies, and updating outdated records. This ensures your data is reliable and sets the stage for a smooth audit process.

Security and User Access Records

Security documentation is critical for proving your ERP system has proper access controls in place. A user access matrix is a good starting point - it provides an overview of who has access to what within the system, organized by role and responsibility. This forms the foundation for effective role-based monitoring.

Segregation-of-duties (SoD) reports are particularly important for compliance. As security expert Frank Vukovits explains:

"A segregation of duties matrix is a key building block for SoD analysis that is required for regulatory compliance. Even companies that aren't bound by regulations can benefit from an SoD matrix to help maintain identity security best practices and a strong internal control system." - Frank Vukovits

Your records should include details on how the SoD matrix was developed and how it’s used to identify and address potential conflicts in user access. Make sure to document any exceptions to your SoD policies, including who approved them and what additional controls were put in place to manage the risks.

Finally, maintain user lifecycle audit trails and records of regular access recertifications. These demonstrate that access changes were properly requested, authorized, and implemented.

Keep all documentation well-organized by topic and date so auditors can easily find what they need. Ultimately, auditors are looking for proof that your project was managed responsibly, risks were handled proactively, data was secure and accurate, and decisions were well-documented.

At Phoenix Strategy Group, we recommend implementing these practices early to simplify audits and protect your financial integrity.

Step 2: Set Up Real-Time Financial Reports

Real-time financial reporting turns your ERP system into more than just a data storage tool - it becomes a reliable, audit-ready resource. When your system generates accurate, compliant reports automatically, auditors can access what they need instantly, cutting down on both time and stress during audits.

The secret lies in designing reporting capabilities that emphasize accuracy and compliance right from the start:

"ERP design should focus on end-state reporting and operational needs rather than replicating current processes…You can only report on the infrastructure you put in place - so reporting should be at the forefront of every decision." - Ashley Honeyman, COO/CFO at Consero Global

Building this foundation ensures your ERP system is ready for automation and compliance.

Automate General Ledger Updates

Automating general ledger updates eliminates manual errors and ensures consistent, reliable financial reporting. Your ERP system should handle transaction entries, approvals, and reconciliations automatically, creating a dependable framework for your financial data.

• Streamline workflows for accounts payable, receivables, and payroll by automating processes. Include built-in approval steps that route transactions to the right managers based on factors like dollar amounts or transaction types. This reduces the risk of unauthorized entries and keeps oversight intact.
• Schedule ledger-to-subledger reconciliations at regular intervals. Automated reconciliations can flag discrepancies immediately, generating exception reports for investigation. This helps catch errors early, keeping your financial data accurate.
• Define user roles carefully, granting access only as needed. Sensitive areas like journal entries and account modifications should have additional controls. This segregation of duties helps protect the system and ensures compliance.
• Enable real-time monitoring of automated workflows. Alerts should notify your team when workflows fail, thresholds are breached, or unusual patterns emerge. Addressing these issues immediately prevents surprises during month-end close.

For example, Insurity successfully integrated three acquisitions onto a single ledger in just a few months using automated workflows. Similarly, PixelMEDIA went live in 60 days by prioritizing automated processes over manual workarounds.

Add Compliance Labels

Automation simplifies processes, but compliance labels ensure every action is traceable. These labels create the audit trails auditors rely on.

• Set up revenue recognition rules within your workflows. Your ERP system should automatically apply the correct accounting standards based on transaction type, customer, and timing. This ensures consistency and reduces compliance risks.
• Implement audit trails for all financial transactions. Your system must capture every change - what was modified, who made the change, when it happened, and what authorization was given. This complete accountability aligns with SEC or SOX requirements, making audits smoother.
• Establish data governance policies to maintain accuracy and consistency. Define how data is entered, who can modify it, and the approval steps required for changes. Automated data quality checks should flag issues before they affect your reports.

Investing in compliance labeling does more than prepare you for audits:

"Your ERP investment is about efficiency, accuracy, and strategic improvements, rather than immediate financial return." - Ashley Honeyman

Step 3: Check Access Controls and Duty Separation

Having strong access controls in place is a cornerstone of an audit-ready ERP system. These controls not only reduce compliance risks but also help guard against fraud. Combined with earlier steps like thorough documentation and automated reporting, solid access controls ensure your ERP system remains secure and compliant. The goal here is to ensure every user has the right level of access while avoiding conflicts that could jeopardize financial integrity.

Managing access effectively requires both careful planning and ongoing oversight. Your ERP system should strictly regulate who can access specific information, when they can do so, and what actions they are allowed to perform.

Review User Permissions by Role

Regularly reviewing user permissions is critical to ensuring that individuals only have access to what their roles require.

Begin with detailed access mapping. Generate comprehensive reports that outline user access to databases, applications, and sensitive data. Most ERP systems can create User and Role Access Audit Reports, which show the specific privileges assigned to each user or role. Share these reports with key stakeholders, such as department heads or system administrators, for a thorough review.

Engage all relevant stakeholders in the review process. This includes IT, security teams, HR, and department leaders. Each group offers unique insights: HR tracks employee role changes and exits, department heads understand the access needs tied to specific job functions, and IT can identify technical anomalies or risks.

Adopt Role-Based Access Control (RBAC). Grouping users into roles with predefined permissions simplifies the review process and ensures consistency across similar positions.

"The Role-Based Access Control (RBAC) model streamlines the user access review process by organizing users into roles rather than managing individual user accounts. With RBAC, each role is assigned a specific set of access privileges, making it easier to review and manage user access." - Keri Bowman

Document changes thoroughly and act quickly. If reviews reveal excessive permissions, adjust them immediately and confirm the changes with asset owners. Maintain clear records of all role assignments, changes, and access activities - these are invaluable during audits and can help detect security issues over time.

Leverage automation wherever possible. Automated tools can make assigning roles, granting permissions, and reviewing access more efficient. These tools can identify inactive accounts, flag unusual access patterns, and produce exception reports for further investigation.

Once user access is optimized, the next step is addressing duty separation concerns.

Find and Fix Duty Separation Issues

Segregation of Duties (SoD) is a critical safeguard against fraud and errors, ensuring that no single person handles multiple stages of key processes. Your ERP system should be configured to detect and resolve SoD conflicts automatically.

Use an automated SoD matrix to identify conflicts. This matrix maps roles to tasks and highlights where separation is needed. For instance, in a purchasing department, roles like "Create requisition", "Approve requisition", "Create PO", and "Approve PO" should be assigned to different users. The system should flag any instance where one person can both create and approve requisitions or purchase orders, as this poses a higher risk.

Define roles and responsibilities clearly. Your ERP system needs a well-organized structure of roles, duties, and reporting relationships. Each role should align with actual job responsibilities, forming the foundation for effective SoD management.

Assess risks systematically. Create a matrix that evaluates risk levels - low, medium, or high - when the same person performs multiple functions. Focus your attention on high-risk combinations that could lead to fraud or major errors.

Resolve conflicts methodically. When SoD violations occur, you can reassign responsibilities, implement compensating controls like additional approvals, or document exceptions with proper oversight. Each conflict must be addressed and documented to ensure control measures remain effective.

Monitor SoD regularly as roles evolve. Routine scans for SoD violations should be part of your compliance activities. Address any issues promptly to maintain system integrity and audit readiness.

"A least privilege model ensures that users have access only to the data they need to do their jobs. This approach reduces the risk of data breaches by minimizing the amount of data that is accessible to any individual user." - Delinea Team

Step 4: Test Transaction Processes

It's time to dive into testing your ERP system's transaction processes. This step ensures your financial workflows function smoothly from start to finish and that any manual interventions are properly logged for audit purposes.

Test Complete Business Processes

Testing your end-to-end business processes is essential to ensure transactions run without errors.

Start with critical transaction cycles. Focus on high-impact workflows like purchase-to-pay, order-to-cash, and record-to-report. These processes often span multiple departments and ERP modules, making them more prone to errors or compliance risks. Run tests from the initial transaction entry all the way to final financial reporting to confirm that data flows correctly at every stage.

Use real-world data for testing. Instead of relying on simple test cases, simulate actual business scenarios with realistic transaction volumes and data patterns. This approach helps uncover performance bottlenecks and processing errors that might not appear during basic testing. Don’t forget to include peak transaction volume scenarios to identify potential issues before they impact live operations.

Leverage automated testing tools. Automation can save time and improve accuracy for repetitive test scenarios. Companies using test automation often reduce manual testing by over 50%, allowing teams to focus on more complex tasks. Automated tools also ensure consistent validation across different ERP modules and processes.

Document everything. Record test scenarios, outcomes, and any discrepancies. This documentation is critical for audits, as it shows your commitment to system integrity and provides clear evidence of your testing efforts.

Check integration points between modules. Pay close attention to how data moves between ERP modules, such as from inventory management to accounting or from sales to fulfillment. Integration issues can result in inaccurate financial reporting and compliance risks.

Here’s a breakdown of key testing types to consider:

These tests help establish a strong audit trail and ensure your system meets operational standards. Once the automated tests are complete, make sure to document all manual overrides as part of your compliance strategy.

Track Manual System Changes

In addition to testing processes, it's crucial to monitor and document every manual change made in the system. Proper tracking ensures audit readiness and compliance.

Standardize manual journal entries. Set clear protocols for authorizing, documenting, and reviewing manual entries. Each entry should include a business justification, supporting documents, and necessary approvals. This prevents unauthorized changes and ensures legitimate adjustments are properly recorded.

Enable real-time monitoring for manual changes. Configure your ERP system to flag unusual manual entries or deviations from established processes. Alerts like these help catch potential compliance issues early, ensuring manual interventions receive proper scrutiny.

Maintain detailed logs. Record every manual change, including who made it, when it was made, and why. Include information about the business impact of the change and any compensating controls applied. This level of detail reassures auditors that your organization maintains tight oversight of manual activities.

Use monthly reconciliation checklists. Create systematic checklists for monthly, quarterly, and year-end journal entries to ensure nothing is overlooked during closing processes. These checklists serve as both operational tools and audit documentation, demonstrating your adherence to consistent procedures.

Centralize manual controls documentation. Instead of handling manual processes in isolation, consolidate their documentation and monitoring. This reduces errors and ensures all manual interventions align with your compliance goals.

"Compliance isn't just a buzzword - it's the foundation of trust in today's business landscape." - CompliantERP

Testing your processes thoroughly and documenting manual changes meticulously creates a strong foundation for audits and regulatory compliance. With these steps, your ERP system will be prepared to handle industry-specific requirements while ensuring accurate financial reporting.

sbb-itb-e766981

Step 5: Meet Regulatory Requirements

Once you've established solid documentation, automated reporting, and thorough transaction testing, it's time to tackle regulatory compliance. This step ensures your ERP system is audit-ready and avoids costly compliance violations. Two key areas to focus on are internal controls under SOX 404 and data protection under GDPR.

Set Up SOX 404 Controls

The Sarbanes-Oxley Act (SOX) mandates that public companies establish and maintain effective internal controls over financial reporting. Section 404 specifically requires these controls to function properly to ensure accurate and reliable financial statements.

Your ERP system plays a central role here. It should be configured to:

• Log configuration changes to track system modifications.
• Enforce approval workflows for updates and changes.
• Maintain audit trails for transactions across interfaces.

Automating processes like account reconciliations, exception reporting, and variance analysis can significantly reduce errors and streamline audits. For example, automated reconciliations ensure consistency without the need for manual checks.

Start with a top-down risk assessment by examining your financial statements to identify critical processes and controls within your ERP system. This helps you prioritize resources where they matter most.

Additionally, document precise control thresholds. For instance, a $500,000 variance threshold might work for a company with $3 billion in revenue but would be inappropriate for a smaller business with $25 million in revenue and an audit materiality of $100,000.

To strengthen your internal controls, implement management review controls. Configure your ERP system to generate reports highlighting exceptions, unusual transactions, and key performance indicators that signal potential issues. Regular testing and monitoring of these controls are essential. Schedule periodic reviews to evaluate their effectiveness, and document details like who performs each control, how often, and the review's scope.

With SOX compliance in place, the next step is ensuring your ERP system adheres to GDPR requirements for data protection.

Protect GDPR and Personal Data

Data privacy laws like GDPR demand ERP configurations that prioritize safeguarding personal information. The centralized nature of ERP systems makes data security a critical concern, both legally and financially.

To comply with GDPR, configure your ERP system to:

• Automate data retention policies and apply data minimization principles to ensure personal data is collected, stored, and processed only when necessary.
• Use role-based access control (RBAC) within a zero-trust framework to restrict data access by job function. Regularly review and update access privileges as roles change.
• Implement data masking and encryption protocols to protect sensitive information. Mask personal data in non-production environments and encrypt data both in transit and at rest.
• Set up automated breach detection and notification systems to monitor for unusual activity. GDPR requires breaches to be reported within 72 hours, so real-time monitoring and alerting are essential.

Your ERP system should also support the "right to be forgotten." This means it must allow for the complete deletion of personal data upon request while ensuring system integrity. This might involve cascading deletions or anonymization processes.

Non-compliance with GDPR can lead to fines of up to 4% of global revenue or €20 million - whichever is higher. With 78% of companies anticipating stricter compliance requirements in the future, investing in proper ERP configurations for data protection is not just about meeting current regulations but also staying prepared for what's ahead.

Regular audits are key to maintaining compliance. Schedule quarterly reviews of data access logs, test breach response procedures, and conduct annual assessments of your data protection measures to ensure everything remains up to standard. These steps will help you stay ahead of evolving privacy regulations.

Step 6: Set Up Ongoing Monitoring

After achieving compliance, the next step is to establish continuous monitoring to maintain audit readiness. By leveraging automated reporting and access controls, you can ensure your ERP system stays vigilant every day. Considering that fraud often goes undetected for up to 18 months, real-time monitoring becomes critical for catching issues early - before they escalate into major problems.

This approach shifts your ERP system from merely reacting to problems to actively safeguarding financial integrity. By combining forensic techniques with advanced technology, continuous monitoring can identify high-risk behaviors, ensure policy adherence, and spot internal control failures as they occur - not months later during an audit. To make this work effectively, your system should generate targeted alerts for any deviations.

Create Alerts for Unusual Activity

Focus on setting up alerts for high-risk activities and significant configuration changes. These alerts should highlight transactions that exceed predefined thresholds or deviate from standard processes. Examples include payments outside approved workflows, post-close journal entries, and vendor payments without proper documentation.

Your system should also flag transactions with risky characteristics, such as round-dollar amounts, irregular timing, or payments to new vendors lacking supporting documentation.

Access monitoring is especially important for three types of users:

• IT administrators and superusers: Their extensive access makes them critical to monitor.
• Business superusers: Their deep knowledge of processes could allow them to manipulate systems.
• Non-human accounts: Automated accounts can be exploited since they don't follow typical user behavior patterns.

"We process a huge number of transactions every day, and it would be impractical to review each and every one for error or fraud. Oracle Cloud Risk Management automates this process and helps us create a culture of continuous monitoring with advanced access controls, advanced financial controls, and financial reporting compliance." - Rich Christensen, SVP and Chief Accounting Officer, TrueBlue

Additionally, any changes to critical settings - like user permissions, security roles, approval hierarchies, or chart of accounts structures - should trigger immediate alerts. These changes could undermine segregation of duties or open the door to compliance risks.

Cash flow anomalies should also be monitored closely. Keep an eye out for unusual trends in accounts receivable aging, shifts in inventory valuation, or significant discrepancies in expense categories. These patterns often reveal deeper issues that could affect financial stability.

When anomalies are flagged, it’s crucial to address them systematically using an integrated ticketing system.

Use Ticketing Systems for Issue Resolution

Once your monitoring system identifies a potential issue, you need a structured process to resolve it quickly and document every step. Integrated ticketing systems provide an efficient way to track, address, and document control issues.

By connecting your ticketing system directly to your ERP, you can unify data, transaction histories, and resolution tracking. When an alert is triggered, the system automatically generates a ticket with all relevant details, such as transaction information, user activity, and any potential policy violations. This automation eliminates manual data collection and ensures no issue is overlooked.

Workflow automation within ticketing systems further streamlines the resolution process. Tickets are routed to the appropriate team based on the type of issue, its severity, and the department responsible. For instance, segregation of duties violations might go to the internal audit team, while unusual payment patterns could be sent to accounts payable managers.

The benefits of this integration are significant. Companies using workflow automation with ERP systems report a 20% boost in operational efficiency and a 30% reduction in manual errors. Additionally, automation improves data accuracy by 88% and reduces capture process errors by 37%.

Every action, decision, and resolution should be recorded with timestamps, user IDs, and supporting evidence. This thorough documentation not only satisfies auditors but also reduces the effort needed for compliance reporting.

"An integrated ticketing system is the compass that guides customer support. It unifies chaos into clarity, ensuring every query finds its rightful resolution, agents work seamlessly, and customers experience excellence." - Brad Butler, Contact Center Software Consultant @NobelBiz

Establish escalation procedures for unresolved issues. Critical compliance violations should escalate to senior management within hours, while less urgent problems might have a 24-48 hour resolution window. Clear escalation paths ensure accountability and prevent minor issues from spiraling into major compliance failures.

Regularly monitor your ticketing system’s performance to identify bottlenecks and refine processes. Track metrics like average resolution time, escalation frequency, and recurring issue patterns. This data helps improve your monitoring rules and resolution workflows over time.

Lastly, implement corrective action tracking to ensure identified issues are properly addressed. Your ticketing system should link related incidents, track policy changes, and verify that corrective measures effectively prevent similar problems in the future. This systematic approach demonstrates to auditors that your organization is committed to maintaining and improving its compliance standards.

With 91% of organizations planning to implement continuous compliance strategies in the next five years, having a robust monitoring and resolution system now positions your company ahead of the curve and ensures ongoing audit readiness.

Summary and Final Checklist

Getting your ERP system audit-ready demands a structured approach to ensure compliance is built into every layer of your operations. This six-step checklist covers all the essential elements, from compiling documentation to setting up continuous monitoring, creating a pathway to seamless audit readiness.

Start with documentation - it’s the backbone of any audit-ready ERP system. Even the most advanced systems can fall short without thorough and organized records.

Real-time financial reporting is another game-changer. By automating financial updates, you avoid the last-minute chaos often associated with audits. Plus, this kind of automation not only supports better corporate governance but also boosts investor confidence with accurate, up-to-date insights.

Once your documentation and reporting are solid, access controls and segregation of duties come into play. These measures protect your organization from both internal and external threats. A great example comes from the New Hampshire Department of Revenue Administration, which cut research time for taxpayer inquiries by 50% after implementing proper access controls and real-time reporting tools. With 80% of its workforce actively using the system, the department saw significant operational improvements.

Next, focus on process testing to ensure your ERP system performs under real-world conditions. For instance, Los Angeles County reduced its data processing time from hours to just 15 minutes by adopting rigorous testing protocols and leveraging real-time analytics. This highlights how testing can drastically improve efficiency.

Regulatory compliance is non-negotiable in today’s business landscape. Whether it’s adhering to SOX 404 or GDPR standards, your ERP system should be designed to meet these requirements seamlessly.

Finally, continuous monitoring acts as your safety net. It identifies irregularities early and ensures your organization stays aligned with ever-changing regulations.

"An ERP audit only adds value if it leads to action." - Tom Miller

Navigating ERP audit preparation often requires expert guidance. Phoenix Strategy Group offers tailored financial and strategic advisory services, including fractional CFO support, FP&A systems, and data engineering expertise. Their services can help ensure your ERP system not only meets compliance standards but also supports your broader business goals.

To wrap it up, make sure all six steps - documentation, real-time reporting, access controls, process testing, regulatory compliance, and monitoring - are in place and functioning effectively. This way, you can turn audit season into a smooth, routine process rather than a stressful scramble.

FAQs

What key documents should I prepare to ensure my ERP system is ready for an audit?

To ensure your ERP system is ready for an audit, focus on organizing and maintaining these key documents:

• Financial Statements: Include balance sheets, income statements, and cash flow statements to provide a comprehensive view of your financial health.
• Audit Trails: Keep detailed logs of system changes, such as timestamps and user activities, to track any modifications.
• Compliance Records: Make sure all regulatory compliance documentation is up-to-date and easy to access.
• Access Control Logs: Document user permissions and access levels to show how your system handles security.
• Policies and Procedures: Clearly outline your data management, security, and operational policies in written form.

Keeping these records current and well-organized not only simplifies the audit process but also highlights your system’s compliance and preparedness.

How does real-time financial reporting make audits easier and less stressful for my organization?

Real-time financial reporting takes the headache out of audits by delivering accurate, up-to-the-minute financial data. This minimizes errors and ensures compliance, making it easier for your team to handle auditor requests. Plus, with instant access to current information, you can skip the time-consuming manual reconciliations and corrections, keeping the process smooth and efficient.

On top of that, automating routine tasks through real-time reporting eases the pressure on finance teams working under tight deadlines. It not only simplifies operations but also fosters a more relaxed work environment. With less time spent on repetitive tasks, employees can shift their focus to strategic priorities. In short, real-time reporting boosts clarity and keeps your organization audit-ready without the usual stress.

How can I ensure my ERP system complies with SOX 404 and GDPR requirements?

To make sure your ERP system aligns with SOX 404 and GDPR regulations, pay close attention to these critical areas:

• Internal Controls for SOX 404: Establish and maintain robust internal controls over financial reporting. This involves documenting workflows, ensuring data accuracy, and conducting regular risk assessments. External auditors will need to review and confirm these controls to verify compliance.
• Data Privacy for GDPR: Safeguard personal information by using tools like encryption, access restrictions, and routine audits. Be transparent about how data is processed, ensure it's handled lawfully, and keep detailed records of all processing activities. Additionally, respect individuals' rights, such as their ability to access or correct their data.

By addressing both financial reporting and data privacy, your ERP system will be in a stronger position to meet compliance expectations.

Related posts

• SOX Compliance with ERP Systems
• ERP Audit Controls for Financial Reporting
• 5 Steps to Audit-Ready Financial Records with ERP
• Checklist for ERP Integration in Global Bookkeeping