Overview of the Top Risks & the Keys to a Successful Implementation of an ERP System Government Finance Officers Association 8/19/2014 K. Adam Glover, CISA
Feb 07, 2016
Professional Involvement:
• Information Systems Audit and Control Association (ISACA)
• Florida Government Finance Officers Association (FGFOA)
• Florida Institute of Certified Public Accountants (FICPA)
Areas of Expertise:
• SSAE 16 SOC 1 & SOC 2
• IT Audit
• Internal Controls
• Internal Audit
Agenda
• Introduction to ERP
• ERP Requirements & Characteristics
• Vendor Selection
• Managing the Implementation Process
• Top Risks and Examples of Real World Failures
• Common Pitfalls of an ERP Implementation
• Audit Requirements of an ERP Implementation
• Tips and Recommendations
• Question & Answer
Learning Objectives
Develop a basic understanding of:
• ERP Requirements & Characteristics
• The Top Risks Related to ERP System Implementations
• Best Practices used to Mitigate the Risks Associated with ERP System Implementations
What does ERP stand for?
Enterprise Business System (EBS) or Enterprise Resource Planning (ERP) Software is a cross-functional enterprise system driven by an integrated suite of software modules that support the basic internal business processes of a company.
The Most Important Thing to Remember: You can increase the likelihood of success through proper planning and documentation.
What is an ERP System vs. an Accounting System?
[Diagram: Traditional Accounting System]
[Diagram: ERP System Model]
What are the Characteristics of an ERP System?
• Multi-layered structure as opposed to a linear structure
• Seamless, integrated functionality
• Automated controls such as three-way match, automated journal entry approval, purchase order management, budgetary controls, etc.
• Automated workflow
• Result is a change in the way you do business
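The three-way match named above is the kind of automated control an ERP enforces before an invoice is released for payment. The following is an added illustration, not code from the presentation or from any ERP product: it checks constructed purchase order, goods receipt and invoice lines against each other, with an assumed 2% unit-price tolerance, and returns the exceptions a payables clerk would have to clear.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample records (not from the presentation): one purchase order,
# the goods receipts posted against it, and the vendor invoices received.
@dataclass(frozen=True)
class Line:
    po: str            # purchase order number
    item: str          # item / line identifier
    qty: Decimal       # quantity on this document
    unit_price: Decimal

PO_LINES = [Line("PO-1001", "A", Decimal("100"), Decimal("12.50")),
            Line("PO-1001", "B", Decimal("10"), Decimal("250.00"))]
RECEIPTS = [Line("PO-1001", "A", Decimal("100"), Decimal("0")),
            Line("PO-1001", "B", Decimal("8"), Decimal("0"))]
INVOICES = [Line("PO-1001", "A", Decimal("100"), Decimal("12.50")),
            Line("PO-1001", "B", Decimal("10"), Decimal("262.50")),
            Line("PO-1001", "C", Decimal("1"), Decimal("999.00"))]

PRICE_TOLERANCE = Decimal("0.02")   # assumption: 2% unit-price variance allowed

def three_way_match(po_lines, receipts, invoices, tol=PRICE_TOLERANCE):
    """Return a list of (po, item, reason) exceptions; an empty list means the
    invoices agree with the PO and the receipts and may be released."""
    po = {(l.po, l.item): l for l in po_lines}
    received = {}
    for r in receipts:
        received[(r.po, r.item)] = received.get((r.po, r.item), Decimal(0)) + r.qty
    billed = {}
    for i in invoices:
        billed[(i.po, i.item)] = billed.get((i.po, i.item), Decimal(0)) + i.qty
    exceptions = []
    for inv in invoices:
        key = (inv.po, inv.item)
        if key not in po:                      # invoice line with no PO authority
            exceptions.append((*key, "no purchase order line"))
            continue
        got = received.get(key, Decimal(0))
        if billed[key] > got:                  # billed more than was received
            exceptions.append((*key, f"invoiced {billed[key]} > received {got}"))
        if abs(inv.unit_price - po[key].unit_price) > po[key].unit_price * tol:
            exceptions.append((*key, f"price {inv.unit_price} vs PO {po[key].unit_price}"))
    return exceptions

if __name__ == "__main__":
    for e in three_way_match(PO_LINES, RECEIPTS, INVOICES):
        print("EXCEPTION", *e)
```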
Common Examples of ERP Software
• Oracle
• SAP
• PeopleSoft
• MS Dynamics
• MS Great Plains
• Munis
• Deltek
ERP Implementation Improvement Opportunities
The planned changes and implementation of an ERP are intended to improve the Organization’s enterprise risk management, including:
• Improve the Organization’s ability to meet its operational, financial reporting and compliance objectives.
• Create efficiencies (including cost savings) in managing the Organization’s business.
• Effectively safeguard shareholder/taxpayer assets and demonstrate sound financial stewardship.
ERP Requirement Types
Functional Requirements
Business processes that users expect to be fully, or at least partially, automated by the new system. These would include such things as three-way match, reasonableness tests for salary increases, automated purchase order management and automated budgetary performance monitoring.
Technical Requirements
Capability of the system to conform to and complement the protocols inherent in the current technology infrastructure. Examples would include compatibility of the access control methodology with Windows Active Directory and functionality supporting a seamless transition to disaster recovery mode. Cloud computing should also be considered.
Operational Requirements
Capability to support the day-to-day functions of business unit users, including certain automated workflow, user-friendly query capabilities, comprehensive audit trail of user activities and flexible reporting capabilities.
Contract Requirements
Certain terms and conditions should be addressed in the contract including fee arrangement, performance criteria, maintenance and support capabilities, compliance with federal, state and local regulations, support for new releases and requested enhancements and limits on the cost of annual maintenance increases.
How do you define ERP Requirements?
• Form a task force with representatives from all stakeholder groups – this is not just an IT project
• Define Requirements at a granular level – this is a bottom-up process
• Make sure the Requirements reflect the real world
• Make sure the Requirements look to and accommodate future growth, expansion and change
Vendor Selection
• Experience in your industry – public vs. private
• Experience with organizations your size
• Experience with your organization’s IT infrastructure
• References/referrals – talk to your peers
• Do they meet all of your defined Requirements? If not, what acceptable alternatives are available from this vendor?
• Can they meet the defined Requirements with minimal customization? Customizations often = more $$$
• Are third-party integrators available? Certified integrators by system
• What are the vendors’/integrators’ training capabilities? Contract requirement
• What is the total cost of implementation and the fee arrangement? Contract requirement
Managing the Implementation
• Select a project executive sponsor or sponsors – tone from the top
• Migrate the original task force that helped define Requirements into a formal Steering Committee
• Designate an overall day-to-day project manager(s) – internal vs. external, full-time vs. part-time
• How the Project Management Team is set up is an additional cost of the project to factor in
• Define Team Responsibilities and the Project Reporting process for all parties
• Break up the project into documented Milestones – tie vendor payments to milestone completion (Contract Requirement)
• Define acceptance criteria for your Requirements being met – put it in writing
• Designate Test Team Members – day-to-day functions, separate from the Project Management Team
• Define and execute Test Scripts and document the results
• Conduct and document User Acceptance Testing
• Track issues and problems and report periodically
• Train users and support staff
• Define knowledge transfer from vendors to staff (Contract Requirement)
Implementation Type
• Consider Parallel Processing vs. Cut Over
• Phased vs. Complete
• Modular vs. Departmental
• Develop and implement a migration plan with defined responsibilities (internal vs. external); include system reconciliations throughout
• Document a detailed audit trail of the implementation process
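The reconciliation and audit trail called for above can be mechanised. This added example is not from the presentation or any ERP vendor: it compares constructed legacy and converted general ledger extracts at the record-count, control-total and individual-account level, and wraps the result in a hashed audit-trail entry. The sample data is deliberately built so that the control totals agree while two accounts differ, which is why a per-account comparison is needed.

```python
from decimal import Decimal
from datetime import datetime, timezone
import hashlib
import json

# Constructed sample extracts (not from the presentation): GL balances from the
# legacy system and the same data after conversion into the new ERP.
LEGACY = [("1010", "Cash", Decimal("150000.00")),
          ("2010", "Accounts Payable", Decimal("-42000.00")),
          ("4010", "Property Tax Revenue", Decimal("-108000.00"))]
CONVERTED = [("1010", "Cash", Decimal("150000.00")),
             ("2010", "Accounts Payable", Decimal("-41500.00")),
             ("4010", "Property Tax Revenue", Decimal("-108000.00")),
             ("4020", "Fees", Decimal("-500.00"))]

def reconcile(legacy, converted):
    """Compare record counts, control totals and per-account balances.
    'clean' is True only when the two extracts agree completely."""
    old = {acct: bal for acct, _, bal in legacy}
    new = {acct: bal for acct, _, bal in converted}
    diffs = []
    for acct in sorted(old.keys() | new.keys()):   # union catches dropped/added accounts
        if old.get(acct) != new.get(acct):
            diffs.append({"account": acct, "legacy": str(old.get(acct)),
                          "converted": str(new.get(acct))})
    return {
        "legacy_count": len(legacy), "converted_count": len(converted),
        "legacy_total": str(sum(old.values())),
        "converted_total": str(sum(new.values())),
        "differences": diffs,
        "clean": not diffs and len(legacy) == len(converted),
    }

def audit_record(result, step, performed_by):
    """Wrap a reconciliation result in an audit-trail entry. The SHA-256 over the
    canonical JSON lets a reviewer later show the stored result was not altered."""
    body = json.dumps(result, sort_keys=True)
    return {"step": step, "performed_by": performed_by,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "result": result,
            "result_sha256": hashlib.sha256(body.encode()).hexdigest()}

if __name__ == "__main__":
    print(json.dumps(audit_record(reconcile(LEGACY, CONVERTED),
                                  "cutover-balance-check", "constructed-user"), indent=2))
```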
Post Implementation Process
• Continue to track problems and issues
• Define a Change Management Process
• Define a New Release Implementation Process
• Plan for on-going training
• Define and plan subsequent enhancements
Who is responsible for all of these?
Why do missed opportunities, missed objectives, errors and losses occur?
• Unseen risk – blindsided
• Unmanaged risk
• Controls being relied upon failed
Note that we are not referring to Black Swan events, which are arguably unpredictable, but to risk in the ordinary course of business.
Top ERP Risks
• Having a “Good Plan” vs. Just a Plan
• Not Aligning ERP Requirement Types with Business Processes
• Part-time project management
• Underestimating resource requirements
• Decentralizing decision making
• Project complexity
• Lack of in-house skills
• User resistance and customization
• Not Selecting the Appropriate Vendor
• Not Considering which Implementation Type is right for your Organization
• Insufficient Testing and User Training
Impact of an ERP Implementation on Enterprise Risks
• Service delivery risk – inability to meet customer expectations due to poor service quality or inefficiency; unable to balance customer demand vs. capacity.
• Information Management Risk – inability to capture, retain, access and disseminate critical information used to run the Municipality/NFP’s businesses.
• Information Security Risk – unauthorized disclosure of confidential information, e.g., constituent/donor information, donor/constituent or employee data privacy compromise.
• Business Interruption – natural disasters, fire, utility supply, infrastructure failure, IT failure(s), labor, terrorism or industrial sabotage and/or failure of a business vendor/counterparty.
• Regulatory Reporting Risk – external financial audit findings, unfavorable findings from the Local Government Commission (LGC), OMB/HUD, periodic State ad hoc reporting, US Treasurer, Rating Agencies (S&P), EMMA (bonds), IRS reporting, etc.
ERP Impact on Enterprise Risks (continued)
• New program/service introduction risk – inability to complete/transition new programs/services into the constituent market place in a timely manner, and/or programs/services developed/implemented may not have ready constituent market value (limited use).
• Sponsorship risk – ineffective oversight of agencies/affiliates or special events/fundraisers results in reputational damage and/or lawsuits.
• Fraud Risk – exposure to corruption activities, asset misappropriation, or allegations of undue influence.
• Human Capital – unable to attract, develop and retain qualified employees.
• Geo/Political risk – an unstable political environment creates potential for an impact on Federal/State program funding and/or risk events that cause reputational damage to the municipality or NFP. Note that any of the other top 9 risk areas can lead to reputational damage and Geo/Political risk.
Real World Examples of ERP Implementation Failures
ERP Failure Example #1
ERP Failure Example #2
Additional ERP Failure Examples
• Hershey, Nike, and HP have all had very public ERP implementation failures costing hundreds of millions of dollars.
• Government of DC – 2 failed Oracle implementations.
• Approximately 30% of all ERP implementations fail.
Common Pitfalls
• Never place total reliance on the Software Vendor or Integration Vendor. You are ultimately responsible for making all management decisions and performing all management functions, including establishing and maintaining internal controls and monitoring ongoing activities.
• Never agree to a technical solution or product that you do not fully understand.
• Do not make the mistake of simply duplicating the old system. Learn about and take advantage of all of the new system’s capabilities, particularly its automated controls.
• Try your best to set Realistic Deadlines, but when you know that you are going to miss one, plan for it and act accordingly.
• Document Everything…
ERP Implementation Control Risk & Requirements
• Change in Enterprise Business Systems, aka ERP – the implementation of an ERP system covers most if not all significant business cycles and represents a material change to the organization’s system of internal control.
• Risk – a change in ERP also increases the Organization’s exposure to unintended consequences affecting many enterprise risk areas, e.g., inefficiency, error and fraud, until the control environment matures on the new system.
• Requirements – auditing standards require that changes to a system of internal control must be considered. In doing so, the effectiveness of key IT General Controls (ITGCs) must be validated to obtain comfort over the ERP system’s ability to house, transport, store and transform data for reliable financial reporting.
ITGCs & ERP Implementation Considerations
• IT General Controls (ITGC) are pervasive controls that contribute indirectly to the achievement of most financial statement assertions.
• ITGCs also contribute to safeguarding an Organization’s assets.
• Our focus is on the Systems Development Life Cycle (SDLC) ITGC area as applied to the ERP project.
Internal Control Criteria & Standards
• Internal Control Criteria: COSO (Committee of Sponsoring Organizations); COBIT (Control Objectives for Information and Related Technology)
• Examinations of internal control: AICPA Standards – SSAE 15 or Agreed Upon Procedures (AUP); PCAOB AS5
• Consideration of internal control: Government Auditing Standards; AICPA Auditing Standards
• Assessments of internal control: control self-assessment; independent assessment
Assessment Criteria
• Control Frameworks to implement systems: COBIT Framework for ITGCs including SDLC; ISO/IEC 12207 Software Life cycle processes; IEEE (Standard setter); PMBOK (Standards issued by Project Mgmt. Institute)
• Control Maturity Models (CMM): CMMs are used to assess control maturity for control areas using a control framework as applied to the ERP project. CMMs are typically tailored to best suit the organization’s needs.
COBIT Review Criteria
• Training (7.1)
• Test plan (7.2)
• Implementation plan (7.3)
• Test environment (7.4)
• System and data conversion (7.5)
• Testing of changes (7.6)
• Final acceptance test (7.7)
• Promotion to production (7.8)
High Level ERP Implementation Procedures
Review and test the following:
• ERP Project Plan & Milestones against COBIT 4.1 SDLC
• ERP Project Risk assessment & evaluation criteria affecting “go” or “no go” decisions
• Future state internal control design
• Systems Acceptance Testing (SAT)
• Systems Integration Testing (SIT)
• User Acceptance Testing (UAT)
• Conference Room Pilots (CRP)
• Interface Testing (Pre/Post)
• Data Conversion Testing & System Cutover (Pre/Post)
• Issues, Errors & Remediation (Pre/Post)
• Business cycle transaction walk-throughs & expected results
• Mock Financial Close testing!!! (Monthly and Annual)
• Key report testing
Tips and Recommendations
• Ensure the “Test” environment reflects the expected “Production” environment: use of cloned production data vs. dummy data; just because it worked in “Test”…; performance is slow…
• Risks/rewards of the “train the trainer” approach…
• Procurement cycle internal controls (highest risk): matching controls, GL coding, etc.; ERP module inter-dependencies
• Key report testing…
• Mock financial close training and testing…
• “We have a workaround for that…”
• Post go-live production support plan… 60 days starting when?
• Anticipating ERP Project team and unplanned employee turnover.
• Ensure testing in both Pre and Post go-live environments.
Contact Information: K. Adam Glover
Cell: (386) 527-4039
Email: [email protected]