Overview of the Top Risks & the Keys to a Successful Implementation of an ERP System Government Finance Officers Association 8/19/2014 K. Adam Glover, CISA

Feb 07, 2016

Page 1: Overview of the Top Risks & the Keys to a Successful Implementation of an ERP System

Overview of the Top Risks & the Keys to a Successful Implementation of an ERP System

Government Finance Officers Association
8/19/2014

K. Adam Glover, CISA

Page 2

Professional Involvement:
• Information Systems Audit and Control Association (ISACA)
• Florida Government Finance Officers Association (FGFOA)
• Florida Institute of Certified Public Accountants (FICPA)

Areas of Expertise:
• SSAE 16 SOC 1 & SOC 2
• IT Audit
• Internal Controls
• Internal Audit

Page 3

Key Points Agenda
• Introduction to ERP
• ERP Requirements & Characteristics
• Vendor Selection
• Managing the Implementation Process
• Top Risks and Examples of Real World Failures
• Common Pitfalls of an ERP Implementation
• Audit Requirements of an ERP Implementation
• Tips and Recommendations
• Question & Answer

Page 4

Learning Objectives

Develop a basic understanding of:
• ERP Requirements & Characteristics
• The Top Risks Related to ERP System Implementations
• Best Practices used to Mitigate the Risks Associated with ERP System Implementations

Page 5

What does ERP stand for?

Enterprise Business System (EBS) or Enterprise Resource Planning (ERP) Software is a cross-functional enterprise system driven by an integrated suite of software modules that support the basic internal business processes of a company.

The Most Important Thing to Remember: You can increase the likelihood of success through proper planning and documentation

Page 6

What is an ERP System vs. an Accounting System?

Traditional Accounting System

Page 7

What is an ERP System vs. an Accounting System?

ERP System Model

Page 8

What are the Characteristics of an ERP System?
• Multi-layered structure as opposed to a linear structure
• Seamless, integrated functionality
• Automated controls such as three-way match, automated journal entry approval, purchase order management, budgetary controls, etc.
• Automated workflow
• Result is a change in the way you do business

Page 9

Common Examples of ERP Software
• Oracle
• SAP
• PeopleSoft
• MS Dynamics
• MS Great Plains
• Munis
• Deltek

Page 10

ERP Implementation Improvement Opportunities

The planned changes and implementation of an ERP are intended to improve the Organization’s enterprise risk management including:
• Improve the Organization’s ability to meet its operational, financial reporting and compliance objectives.
• Create efficiencies (including cost savings) in managing the Organization’s business.
• Effectively safeguard shareholder/taxpayer assets and demonstrate sound financial stewardship.

Page 11

ERP Requirement Types

Functional Requirements

Business processes that users expect to be fully, or at least partially, automated by the new system. These would include such things as three-way match, reasonableness tests for salary increases, automated purchase order management and automated budgetary performance monitoring.

Page 12

ERP Requirement Types

Technical Requirements

Capability of the system to conform to and complement protocols inherent in the current technology infrastructure. Examples would include compatibility of access control methodology with Windows Active Directory and functionality supporting seamless transition to disaster recovery mode. Also, consideration for cloud computing.

Page 13

ERP Requirement Types

Operational Requirements

Capability to support the day-to-day functions of business unit users, including certain automated workflow, user-friendly query capabilities, comprehensive audit trail of user activities and flexible reporting capabilities.

Page 14

ERP Requirement Types

Contract Requirements

Certain terms and conditions should be addressed in the contract including fee arrangement, performance criteria, maintenance and support capabilities, compliance with federal, state and local regulations, support for new releases and requested enhancements and limits on the cost of annual maintenance increases.

Page 15

How do you define ERP Requirements?
• Form a task force with representatives from all stakeholder groups – this is not just an IT project
• Define Requirements at a granular level
  - This is a bottom-up process
• Make sure the Requirements reflect the real world
• Make sure the Requirements look to and accommodate for future growth, expansion and change

Page 16

Vendor Selection
• Experience in your Industry
  - Public vs. Private
• Experience with organizations your size
• Experience with your organization’s IT infrastructure
• References/Referrals
  - Talk to your peers

Page 17

Vendor Selection
• Do they meet all of your defined Requirements?
  - If not, what acceptable alternatives are available from this vendor?
• Can they meet the defined Requirements with minimal customization?
  - Customizations often times = more $$$

Page 18

Vendor Selection
• Are third party integrators available?
  - Certified integrators by system
• What are the vendors’/integrators’ training capabilities?
  - Contract requirement
• What is the total cost of implementation and fee arrangement?
  - Contract requirement

Page 19

Managing the Implementation
• Select a project executive sponsor or sponsors
  - Tone from the top
• Migrate the original task force that helped define Requirements into a formal Steering Committee
• Designate an overall day to day project manager(s)
  - Internal vs. External
  - Full-Time vs. Part-Time
• How the Project Management Team is set up is an additional cost of the project to factor

Page 20

Managing the Implementation
• Define Team Responsibilities and Project Reporting process for all parties
• Break Up the Project into documented Milestones
  - Tie vendor payments to milestone completion
  - Contract Requirement
• Define acceptance criteria for your Requirements being met – put it in writing

Page 21

Managing the Implementation
• Designate Test Team Members – day to day functions
  - Separate from Project Management Team
• Define and execute Test Scripts & Document Results
• Conduct and document User Acceptance Testing
• Track issues and problems and report periodically
• Train Users and Support Staff
• Define knowledge transfer from vendors to staff
  - Contract Requirement

Page 22

Implementation Type
• Consider
  - Parallel Processing vs. Cut Over
  - Phased vs. Complete
  - Modular vs. Departmental
• Develop and implement a migration plan with defined responsibilities (internal vs. external)
  - Include system reconciliations throughout
• Document a detailed audit trail of the implementation process

Page 23

Post Implementation Process
• Continue to track problems and issues
• Define a Change Management Process
• Define a New Release Implementation Process
• Plan for on-going training
• Define and plan subsequent enhancements

Who is responsible for all of these?

Page 24

Missing Opportunities, Objectives, Errors, & Losses Occur Because?

Unseen risk - blindsided

Unmanaged risk

Controls being relied upon, failed

Note that we are not referring to Black Swan events, which are arguably unpredictable, but risk in the ordinary course of business

Page 25

Top ERP Risks
• Having a “Good Plan” vs. Just a Plan
• Not Aligning ERP Requirement Types with Business Processes
• Part time project management
• Underestimating resource requirements
• Decentralizing decision making
• Project complexity
• Lack of in house skills
• User resistance and customization
• Not Selecting the Appropriate Vendor
• Not Considering which Implementation Type is right for your Organization
• Insufficient Testing and User Training

Page 26

Impact of an ERP Implementation on Enterprise Risks

Service delivery risk – inability to meet customer expectations due to poor service quality or inefficiency, unable to balance customer demand vs. capacity.

Information Management Risk – Inability to capture, retain, access and disseminate critical information used to run the Municipality/NFP’s businesses.

Information Security Risk – Unauthorized disclosure of confidential information e.g., constituent/donor information, donor/constituent or employee data privacy compromise.

Business Interruption - Natural Disasters, Fire, Utility Supply, Infrastructure failure, IT failure(s), Labor, Terrorism or industrial sabotage and / or failure of business vendor/counter party.

Regulatory Reporting Risk – External financial audit findings, unfavorable findings from Local Government Commission (LGC), OMB/HUD, Periodic State ad hoc reporting, US Treasurer, Rating Agencies (S&P), EMMA (bonds), IRS reporting etc.

Page 27

ERPs Impact to Enterprise Risks

New program/service introduction risk – Inability to timely complete/transition new programs/services into the constituent market place and/or programs/services developed/implemented may not have ready constituent market value (limited use).

Sponsorship risk - ineffective oversight of agencies/affiliates or special events/fundraisers results in reputational damage and/or lawsuits

Fraud Risk – Exposure to corruption activities, asset misappropriation, or allegations of undue influence.

Human Capital – unable to attract, develop and retain qualified employees.

Geo/Political risk - Unstable political environment creates potential for an impact on Federal/State program funding and/or risk events that cause reputational damage to the municipality or NFP. Note that any of the other top 9 risk areas can lead to reputational damage and Geo/Political risk.

Page 28

Real World Examples of ERP Implementation Failures

Page 29

ERP Failure Example #1

Page 30

ERP Failure Example #2

Page 31

Additional ERP Failure Examples

Hershey, Nike, and HP have all had very public ERP implementation failures costing $100’s of millions.

Government of DC – 2 failed Oracle implementations.

Approximately 30% of all ERP implementations fail.

Page 32

Common Pitfalls
• Never place total reliance on the Software Vendor or Integration Vendor
  - You are ultimately responsible for making all management decisions and performing all management functions, including establishing and maintaining internal controls and monitoring ongoing activities
• Never agree to a technical solution or product that you do not fully understand.

Page 33

Common Pitfalls

Do not make the mistake of simply duplicating the old system. Learn about and take advantage of all of the new system’s capabilities, particularly its automated controls.

Try your best to set Realistic Deadlines, but when you know that you are going to miss one, plan for it and act accordingly.

Page 34

Common Pitfalls

Document Everything…

Page 35

ERP Implementation Control Risk & Requirements

Change in Enterprise Business Systems aka ERP - the implementation of an ERP system covers most if not all significant business cycles and represents a material change to the organization’s system of internal control.

Risk – Change in ERP also increases the Organization’s exposure to unintended consequences affecting many enterprise risk areas e.g., inefficiency, error and fraud until the control environment matures on the new system.

Requirements – Auditing standards require that changes to a system of internal control must be considered. In doing so, the effectiveness of key IT General Controls (ITGCs) must be validated to obtain comfort of the ERP system’s ability to house, transport, store, and transform data for reliable financial reporting.

Page 36

ITGCs & ERP Implementation Considerations

IT General Controls (ITGC) are pervasive controls that contribute indirectly to the achievement of most financial statement assertions.

ITGCs also contribute to safeguarding an Organization’s assets.

Our focus is on the Systems Development Life Cycle (SDLC) ITGC area as applied to the ERP project.

Page 37

Internal Control Criteria & Standards
• Internal Control Criteria
  - COSO (Committee of Sponsoring Organizations)
  - COBIT (Control Objectives for Information and Related Technology)
• Examinations of internal control
  - AICPA Standards – SSAE 15 or Agreed Upon Procedures (AUP)
  - PCAOB AS5
• Consideration of internal control
  - Government Auditing Standards
  - AICPA Auditing Standards
• Assessments of internal control
  - Control self-assessment
  - Independent assessment

Page 38

Assessment Criteria
• Control Frameworks to implement systems
  - COBIT Framework for ITGCs including SDLC
  - ISO/IEC 12207 Software Life cycle processes
  - IEEE (Standard setter)
  - PMBOK (Standards issued by Project Mgmt. Institute)
• Control Maturity Models (CMM)
  - CMMs are used to assess control maturity for control areas using a control framework as applied to the ERP project.
  - CMMs are typically tailored to best suit the organization’s needs.

Page 39

COBIT Review Criteria
• Training (7.1)
• Test plan (7.2)
• Implementation plan (7.3)
• Test environment (7.4)
• System and data conversion (7.5)
• Testing of changes (7.6)
• Final acceptance test (7.7)
• Promotion to production (7.8)

Page 40

High Level ERP Implementation Procedures

Review and test the following:
• ERP Project Plan & Milestones against COBIT 4.1 SDLC
• ERP Project Risk assessment & evaluation criteria affecting “go” or “no go” decisions
• Future state internal control design
• Systems Acceptance Testing (SAT)
• Systems Integration Testing (SIT)
• User Acceptance Testing (UAT)
• Conference Room Pilots (CRP)
• Interface Testing (Pre/Post)
• Data Conversion Testing & System Cutover (Pre/Post)
• Issues, Errors & Remediation (Pre/Post)
• Business cycle transaction walk-throughs & expected results
• Mock Financial Close testing!!! (Monthly and Annual)
• Key report testing

Page 41

Tips and Recommendations
• Ensure “Test” environment reflects expected “Production” environment.
  - Use of cloned production data vs. dummy data
  - Just because it worked in “Test”…
  - Performance is slow…
• Risks/Rewards with “train the trainer” approach…
• Procurement cycle internal controls (highest risk).
  - Matching controls, GL coding etc…
• ERP Module inter-dependencies

Page 42

Tips and Recommendations

Key report testing…

Mock financial close training and testing…

“We have a workaround for that…”

Post go live production support plan…60 days starting when?

Anticipating ERP Project team and unplanned employee turnover.

Ensure testing in both Pre and Post go live environments.


Page 43

Page 44

Contact Information:
K. Adam Glover
Cell: (386) 527-4039
Email: [email protected]