Addressing Internal Controls in State ERP Systems: Being Proactive Aaron Erickson, Chief Operating Officer State of Ohio, Office of Budget and Management.

Addressing Internal Controls in State ERP Systems: Being Proactive

Aaron Erickson, Chief Operating OfficerState of Ohio, Office of Budget and Management

Christian Fuellgraf, DirectorGrant Thornton, Global Public Sector

Tom Dale, DirectorGrant Thornton, Global Public Sector

Our panelists' point of view

Our personal experiences have shaped our perspectives.

Indiana Encompass

The Ohio State University

Marriott

French Ministry of Finance

Ohio OAKS

U.S. National Park Service

City of MilwaukeeAlameda County, CA

Riverside County, CA

Kentucky HRIS

ImplementerClient U.S. Department of the Interior FBMS

Overview

• Internal controls and ERP implementation strategy

• The State of Ohio experience

• Putting it together going forward

Sharing the message of internal controls

Internal controls comprise both a structure and a systematic methodology to help financial, technology and program managers achieve their mission results and safeguard the integrity of programs.

They are a means of managing the risk and improving efficiency associated with programs and operations – done properly they are widely accepted and followed.

ERP drivers and internal control objectives complement each other

Achieve better and more efficient fiscal, program and technology managementAchieve better and more efficient fiscal, program and technology management

Improve fiscal accountability and safeguard public assetsImprove fiscal accountability and safeguard public assets

ERP Drivers

Utilize technology to streamline operations, transaction accuracy, and processing timesUtilize technology to streamline operations, transaction accuracy, and processing times

Obtain reasonable assurance of the integrity of all fiscal processes via improved systemsObtain reasonable assurance of the integrity of all fiscal processes via improved systems

Create greater visibility and confidence in state data via technology and technology-enabled processes

Create greater visibility and confidence in state data via technology and technology-enabled processes

Blueprint for better and more efficient fiscal, program and technology managementBlueprint for better and more efficient fiscal, program and technology management

Methodology to ensure fiscal accountability and safeguard public assetsMethodology to ensure fiscal accountability and safeguard public assets

COSO IC

An approach that aligns an organization’s processes and procedures to reporting, rules and legal requirements

An approach that aligns an organization’s processes and procedures to reporting, rules and legal requirements

Set of standard practices to provide reasonable assurance of the integrity of all fiscal processes

Set of standard practices to provide reasonable assurance of the integrity of all fiscal processes

A means to create greater visibility and confidence by legislative leadership, opinion leaders and stakeholders into the fiscal and operational integrity of an agency

A means to create greater visibility and confidence by legislative leadership, opinion leaders and stakeholders into the fiscal and operational integrity of an agency

Common ERP approach

This is a good start, but not a complete strategy.

PlanPlan AnalyzeAnalyze DesignDesign BuildBuildTest

DeployTest

DeploySDLC

Phases

Project Management

Change Leadership

Process Design and Configuration

Internal ControlsInformation Technology

Training and Documentation

ERPImplementationWork Streams

Ohio's implementation approach

• Elected to do a plain vanilla implementation where business processes are adapted to function within the COTS software

• Focused on meeting requirements and technical compliance rather than significant re-engineering for leading practices

Finance and Supply ChainPurchasingGeneral LedgerAccounts PayableAccounts ReceivableFinancials Data Warehouse/EPMBilling and ReceivingAsset ManagementBudgeting and Planning

Human Capital ManagementCore HRPayrollTime and LaborePayHCM Enterprise Performance Management (EPM)Benefits Administration COBRAEPM for Benefits Admin & COBRA

Results

• Risk assessment identified 108 issues from across State organizations and applications

• Multiple SAS-70 findings

• Management Letter comment in statewide single audit - "significant deficiency in IT controls for HCM application"

Risk Categories Rating

Asset Management

Budget Management

Claims Management

Financial Reporting

Information Technology

Payroll

Personnel & Organizational Support

Program Management

Procurement/Expenditures

Revenue Management

Implications

• Vulnerability ratings based on assessment comments and experience

• Categorized issues into domains:

- 14 critical

- 27 high priority

• Remediation plan in process

• Four people dedicated to corrective actions plans for next fiscal year

Estimated costs of additional changes

• Enterprise risk management activities - $1.7 million

• Process-based assessments of four critical risk areas

• Estimates do not include performing corrective actions, state project team time or agency time

Risk area Hours

Financial Reporting 1,250

IT 3,000

Payroll 1,400

Procurement & Expenditures

1,550

Risks of not including internal controls initially

Project Delays – System testing will likely show weakness in security and other controls

Data Reliability and Process Integrity Issues – Many potential risks from lack of system acceptance to outright fraudulent activity

Audit Findings – Audits may comment upon material weakness in the various functional areas

Post Go-Live Rework – On average it is 3-5 times more expensive to address issues post-implementation

ERP approach with internal control work stream

PlanPlan AnalyzeAnalyze DesignDesign BuildBuildTest

DeployTest

DeploySDLC

Phases

Project Management

Change Leadership

Process Design and Configuration

Internal Controls

Information Technology

Training and Documentation

ERPImplementationWork Streams

Be control conscious

Internal controls should be an integral part of the solution analysis, requirements, design and delivery lifecycle – not an afterthought – involve your auditors

Actively involve internal control experts throughout the project lifecycle

Build internal control work streams into ERP system solicitation requirements

Educate and work with your state and agency CIO's – better internal controls are a good thing for everyone!