Overview of the Top Risks & the Keys to a Successful Implementation of an ERP System
Government Finance Officers Association, 8/19/2014
K. Adam Glover, CISA
Professional Involvement:
- Information Systems Audit and Control Association (ISACA)
- Florida Government Finance Officers Association (FGFOA)
- Florida Institute of Certified Public Accountants (FICPA)
Areas of Expertise:
- SSAE 16 SOC 1 & SOC 2
- IT Audit
- Internal Controls
- Internal Audit
Agenda
- Introduction to ERP
- ERP Requirements & Characteristics
- Vendor Selection
- Managing the Implementation Process
- Top Risks and Examples of Real World Failures
- Common Pitfalls of an ERP Implementation
- Audit Requirements of an ERP Implementation
- Tips and Recommendations
- Question & Answer
- Key Points
Learning Objectives
Develop a basic understanding of:
- ERP Requirements & Characteristics
- The Top Risks Related to ERP System Implementations
- Best Practices used to Mitigate the Risks Associated with ERP System Implementations
What does ERP stand for?
Enterprise Business System (EBS) or Enterprise Resource Planning (ERP) software is a cross-functional enterprise system driven by an integrated suite of software modules that support the basic internal business processes of a company.
The Most Important Thing to Remember: you can increase the likelihood of success through proper planning and documentation.
What is an ERP System vs. an Accounting System?
- Traditional Accounting System
- ERP System Model
What are the Characteristics of an ERP System?
- Multi-layered structure as opposed to a linear structure
- Seamless, integrated functionality
- Automated controls such as three-way match, automated journal entry approval, purchase order management, budgetary controls, etc.
- Automated workflow
- The result is a change in the way you do business
Common Examples of ERP Software
- Oracle
- SAP
- PeopleSoft
- MS Dynamics
- MS Great Plains
- Munis
- Deltek
ERP Implementation Improvement Opportunities
The planned changes and implementation of an ERP are intended to improve the Organization’s enterprise risk management, including:
- Improve the Organization’s ability to meet its operational, financial reporting and compliance objectives.
- Create efficiencies (including cost savings) in managing the Organization’s business.
- Effectively safeguard shareholder/taxpayer assets and demonstrate sound financial stewardship.
ERP Requirement Types
Functional Requirements
Business processes that users expect to be fully, or at least partially, automated by the new system. These would include such things as three-way match, reasonableness tests for salary increases, automated purchase order management and automated budgetary performance monitoring.
Technical Requirements
Capability of the system to conform to and complement protocols inherent in the current technology infrastructure. Examples would include compatibility of the access control methodology with Windows Active Directory and functionality supporting a seamless transition to disaster recovery mode. Also, consideration for cloud computing.
Operational Requirements
Capability to support the day-to-day functions of business unit users, including certain automated workflow, user-friendly query capabilities, a comprehensive audit trail of user activities and flexible reporting capabilities.
Contract Requirements
Certain terms and conditions should be addressed in the contract, including the fee arrangement, performance criteria, maintenance and support capabilities, compliance with federal, state and local regulations, support for new releases and requested enhancements, and limits on the cost of annual maintenance increases.
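The three-way match named above as a functional requirement is the kind of automated control whose acceptance criteria should be written down before vendor selection. The following is an added illustration of that control in Python; it is not code from the presentation or from any ERP product. The document layouts, the 1% price tolerance, the duplicate-invoice check and the sample purchase orders, receipts and invoices are constructed assumptions for the example.

```python
"""Three-way match of an invoice against its purchase order and goods receipts.

Added illustration of the automated procurement control named on the slides;
it is not code from the presentation or from any ERP product. Tolerances,
field names and the sample documents below are constructed assumptions."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor: str
    quantity: int
    unit_price: Decimal


@dataclass(frozen=True)
class GoodsReceipt:
    po_number: str
    quantity_received: int


@dataclass(frozen=True)
class Invoice:
    invoice_number: str
    po_number: str
    vendor: str
    quantity: int
    unit_price: Decimal


def three_way_match(invoice, purchase_orders, receipts, paid_invoices,
                    price_tolerance_pct=Decimal("1")):
    """Return the list of exceptions for one invoice.

    An empty list means the invoice cleared every check and may be released
    for payment; anything else is routed to a reviewer. The invoice must
    reference an approved PO for the same vendor, must not bill more than was
    ordered or more than has actually been received, and its unit price may
    exceed the PO price only within the configured tolerance (assumed 1%).
    """
    exceptions = []
    if invoice.invoice_number in paid_invoices:
        exceptions.append(f"{invoice.invoice_number}: duplicate of an invoice already paid")
    po = purchase_orders.get(invoice.po_number)
    if po is None:
        exceptions.append(f"{invoice.invoice_number}: no approved PO {invoice.po_number}")
        return exceptions
    if po.vendor != invoice.vendor:
        exceptions.append(f"{invoice.invoice_number}: vendor {invoice.vendor!r} differs from PO vendor {po.vendor!r}")
    received = sum(r.quantity_received for r in receipts if r.po_number == po.po_number)
    if invoice.quantity > po.quantity:
        exceptions.append(f"{invoice.invoice_number}: billed {invoice.quantity} but PO authorizes {po.quantity}")
    if invoice.quantity > received:
        exceptions.append(f"{invoice.invoice_number}: billed {invoice.quantity} but only {received} received")
    ceiling = po.unit_price * (1 + price_tolerance_pct / 100)
    if invoice.unit_price > ceiling:
        exceptions.append(f"{invoice.invoice_number}: unit price {invoice.unit_price} exceeds "
                          f"PO price {po.unit_price} plus {price_tolerance_pct}% tolerance")
    return exceptions


# Constructed sample documents (not real data).
PURCHASE_ORDERS = {
    "PO-100": PurchaseOrder("PO-100", "Acme Supply", 10, Decimal("25.00")),
    "PO-101": PurchaseOrder("PO-101", "Globex Services", 4, Decimal("500.00")),
}
RECEIPTS = [
    GoodsReceipt("PO-100", 6),
    GoodsReceipt("PO-100", 4),
    GoodsReceipt("PO-101", 3),   # one unit still outstanding
]
INVOICES = [
    Invoice("INV-1", "PO-100", "Acme Supply", 10, Decimal("25.20")),      # price within tolerance
    Invoice("INV-2", "PO-101", "Globex Services", 4, Decimal("520.00")),  # over-billed on quantity and price
    Invoice("INV-3", "PO-999", "Unknown Vendor", 1, Decimal("99.00")),    # no PO on file
]


def run_sample():
    """Match every sample invoice; returns {invoice_number: [exceptions]}."""
    return {inv.invoice_number: three_way_match(inv, PURCHASE_ORDERS, RECEIPTS, paid_invoices=set())
            for inv in INVOICES}


if __name__ == "__main__":
    for number, problems in run_sample().items():
        print(number, "cleared" if not problems else "HOLD")
        for problem in problems:
            print("   ", problem)
```

The useful acceptance test is not that a clean invoice pays, but that each failure mode (no PO, wrong vendor, over-billed quantity, over-billed price, duplicate number) is blocked and lands in an exception queue that someone is assigned to work; that queue and its owner belong in the requirements.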
How do you define ERP Requirements?
- Form a task force with representatives from all stakeholder groups – this is not just an IT project
- Define Requirements at a granular level – this is a bottom-up process
- Make sure the Requirements reflect the real world
- Make sure the Requirements look to and accommodate future growth, expansion and change
Vendor Selection
- Experience in your industry (public vs. private)
- Experience with organizations your size
- Experience with your organization’s IT infrastructure
- References/Referrals – talk to your peers
- Do they meet all of your defined Requirements? If not, what acceptable alternatives are available from this vendor?
- Can they meet the defined Requirements with minimal customization? Customizations often times = more $$$
- Are third party integrators available? Certified integrators by system
- What are the vendors’/integrators’ training capabilities? (Contract requirement)
- What is the total cost of implementation and fee arrangement? (Contract requirement)
Managing the Implementation
- Select a project executive sponsor or sponsors – tone from the top
- Migrate the original task force that helped define Requirements into a formal Steering Committee
- Designate an overall day-to-day project manager(s): internal vs. external, full-time vs. part-time. How the Project Management Team is set up is an additional cost of the project to factor in
- Define Team Responsibilities and the Project Reporting process for all parties
- Break up the Project into documented Milestones; tie vendor payments to milestone completion (Contract Requirement)
- Define acceptance criteria for your Requirements being met – put it in writing
- Designate Test Team Members from day-to-day functions, separate from the Project Management Team
- Define and execute Test Scripts & document results
- Conduct and document User Acceptance Testing
- Track issues and problems and report periodically
- Train Users and Support Staff; define knowledge transfer from vendors to staff (Contract Requirement)
Implementation Type
- Consider: Parallel Processing vs. Cut Over; Phased vs. Complete; Modular vs. Departmental
- Develop and implement a migration plan with defined responsibilities (internal vs. external)
- Include system reconciliations throughout
- Document a detailed audit trail of the implementation process
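The "system reconciliations throughout" step above is where data conversion errors are caught before cutover. The following is an added illustration in Python of an account-level reconciliation between a legacy ledger extract and the new system's ledger; it is not code from the presentation or from any ERP product. The extract format (one (account, amount) posting line per row, debits positive, credits negative), the account numbers and the amounts are constructed assumptions. The sample is built so that both sides foot to zero while one account was split during conversion, which is exactly the case a totals-only check misses.

```python
"""Cutover reconciliation between a legacy ledger extract and the new ERP ledger.

Added illustration of the 'system reconciliations throughout' step on the
slides; it is not code from the presentation or from any ERP product.
Account numbers, amounts and the extract format are constructed assumptions:
each extract is a list of (account, amount) posting lines, debits positive,
credits negative."""
from collections import defaultdict
from decimal import Decimal


def summarize(postings):
    """Aggregate posting lines into {account: (line_count, net_balance)}."""
    counts = defaultdict(int)
    balances = defaultdict(lambda: Decimal("0.00"))
    for account, amount in postings:
        counts[account] += 1
        balances[account] += Decimal(amount)
    return {acct: (counts[acct], balances[acct]) for acct in counts}


def reconcile(legacy_postings, new_postings):
    """Compare the two extracts account by account, not just in total.

    Returns a report with the grand totals, the accounts whose line count or
    balance differs, the accounts present on only one side, and a 'clean'
    flag that is True only when every account agrees. The grand totals are
    reported because they are what a cutover sign-off usually checks; the
    sample below shows why they are not enough on their own.
    """
    legacy = summarize(legacy_postings)
    new = summarize(new_postings)
    report = {
        "legacy_total": sum((bal for _, bal in legacy.values()), Decimal("0.00")),
        "new_total": sum((bal for _, bal in new.values()), Decimal("0.00")),
        "differences": {},
        "missing_in_new": sorted(set(legacy) - set(new)),
        "extra_in_new": sorted(set(new) - set(legacy)),
    }
    for account in sorted(set(legacy) & set(new)):
        if legacy[account] != new[account]:
            report["differences"][account] = {"legacy": legacy[account], "new": new[account]}
    report["clean"] = not (report["differences"] or report["missing_in_new"] or report["extra_in_new"])
    return report


# Constructed sample extracts (not real data). Both sides foot to zero, but the
# conversion moved part of account 4000 into a new account 4100.
LEGACY = [
    ("1000", "1500.00"), ("1000", "-200.00"),   # Cash
    ("2000", "-800.00"),                        # Accounts payable
    ("4000", "-500.00"),                        # Revenue
]
NEW_SYSTEM = [
    ("1000", "1500.00"), ("1000", "-200.00"),
    ("2000", "-800.00"),
    ("4000", "-450.00"),
    ("4100", "-50.00"),
]


def run_sample():
    """Reconcile the constructed extracts; returns the report dict."""
    return reconcile(LEGACY, NEW_SYSTEM)


if __name__ == "__main__":
    r = run_sample()
    print("totals:", r["legacy_total"], "vs", r["new_total"])
    print("differences:", r["differences"])
    print("missing in new:", r["missing_in_new"], " extra in new:", r["extra_in_new"])
    print("clean:", r["clean"])
```

Run the same comparison after each conversion rehearsal and again at cutover, and keep the reports: together with the migration plan they form the audit trail of the implementation that the last bullet above asks for.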
Post Implementation Process
- Continue to track problems and issues
- Define a Change Management Process
- Define a New Release Implementation Process
- Plan for on-going training
- Define and plan subsequent enhancements
- Who is responsible for all of these?
Missing Opportunities, Objectives, Errors, & Losses Occur Because?
- Unseen risk – blindsided
- Unmanaged risk
- Controls being relied upon failed
Note that we are not referring to Black Swan events, which are arguably unpredictable, but to risk in the ordinary course of business.
Top ERP Risks
- Having a “Good Plan” vs. just a plan
- Not aligning ERP Requirement Types with business processes
- Part-time project management
- Underestimating resource requirements
- Decentralizing decision making
- Project complexity
- Lack of in-house skills
- User resistance and customization
- Not selecting the appropriate vendor
- Not considering which Implementation Type is right for your Organization
- Insufficient testing and user training
Impact of an ERP Implementation on Enterprise Risks
- Service delivery risk – inability to meet customer expectations due to poor service quality or inefficiency; unable to balance customer demand vs. capacity.
- Information Management Risk – inability to capture, retain, access and disseminate critical information used to run the Municipality/NFP’s businesses.
- Information Security Risk – unauthorized disclosure of confidential information, e.g., constituent/donor information, donor/constituent or employee data privacy compromise.
- Business Interruption – natural disasters, fire, utility supply, infrastructure failure, IT failure(s), labor, terrorism or industrial sabotage and/or failure of a business vendor/counterparty.
- Regulatory Reporting Risk – external financial audit findings, unfavorable findings from the Local Government Commission (LGC), OMB/HUD, periodic State ad hoc reporting, US Treasurer, rating agencies (S&P), EMMA (bonds), IRS reporting, etc.
- New program/service introduction risk – inability to timely complete/transition new programs/services into the constituent market place, and/or programs/services developed/implemented may not have ready constituent market value (limited use).
- Sponsorship risk – ineffective oversight of agencies/affiliates or special events/fundraisers results in reputational damage and/or lawsuits.
- Fraud Risk – exposure to corruption activities, asset misappropriation, or allegations of undue influence.
- Human Capital – unable to attract, develop and retain qualified employees.
- Geo/Political risk – an unstable political environment creates the potential for an impact on Federal/State program funding and/or risk events that cause reputational damage to the municipality or NFP.
Note that any of the other top 9 risk areas can lead to reputational damage and Geo/Political risk.
Real World Examples of ERP Implementation Failures
Additional ERP Failure Examples
- Hershey, Nike, and HP have all had very public ERP implementation failures costing hundreds of millions of dollars.
- Government of DC – 2 failed Oracle implementations.
- Approximately 30% of all ERP implementations fail.
Common Pitfalls
- Never place total reliance on the Software Vendor or Integration Vendor. You are ultimately responsible for making all management decisions and performing all management functions, including establishing and maintaining internal controls and monitoring ongoing activities.
- Never agree to a technical solution or product that you do not fully understand.
- Do not make the mistake of simply duplicating the old system. Learn about and take advantage of all of the new system’s capabilities, particularly its automated controls.
- Try your best to set realistic deadlines, but when you know that you are going to miss one, plan for it and act accordingly.
ERP Implementation Control Risk & Requirements
- Change in Enterprise Business Systems (aka ERP) – the implementation of an ERP system covers most if not all significant business cycles and represents a material change to the organization’s system of internal control.
- Risk – a change in ERP also increases the Organization’s exposure to unintended consequences affecting many enterprise risk areas, e.g., inefficiency, error and fraud, until the control environment matures on the new system.
- Requirements – auditing standards require that changes to a system of internal control be considered. In doing so, the effectiveness of key IT General Controls (ITGCs) must be validated to obtain comfort over the ERP system’s ability to house, transport, store, and transform data for reliable financial reporting.
ITGCs & ERP Implementation Considerations
- IT General Controls (ITGCs) are pervasive controls that contribute indirectly to the achievement of most financial statement assertions.
- ITGCs also contribute to safeguarding an Organization’s assets.
- Our focus is on the Systems Development Life Cycle (SDLC) ITGC area as applied to the ERP project.
Internal Control Criteria & Standards
Internal Control Criteria:
- COSO (Committee of Sponsoring Organizations)
- COBIT (Control Objectives for Information and Related Technology)
Examinations of internal control:
- AICPA Standards – SSAE 15 or Agreed Upon Procedures (AUP)
- PCAOB AS5
Consideration of internal control:
- Government Auditing Standards
- AICPA Auditing Standards
Assessments of internal control:
- Control self-assessment
- Independent assessment
Assessment Criteria
Control frameworks to implement systems:
- COBIT Framework for ITGCs including SDLC
- ISO/IEC 12207 Software Life Cycle Processes
- IEEE (standard setter)
- PMBOK (standards issued by the Project Management Institute)
Control Maturity Models (CMM):
- CMMs are used to assess control maturity for control areas using a control framework as applied to the ERP project.
- CMMs are typically tailored to best suit the organization’s needs.
COBIT Review Criteria
- Training (7.1)
- Test plan (7.2)
- Implementation plan (7.3)
- Test environment (7.4)
- System and data conversion (7.5)
- Testing of changes (7.6)
- Final acceptance test (7.7)
- Promotion to production (7.8)
High Level ERP Implementation Procedures
Review and test the following:
- ERP Project Plan & Milestones against COBIT 4.1 SDLC
- ERP Project risk assessment & evaluation criteria affecting “go” or “no go” decisions
- Future state internal control design
- Systems Acceptance Testing (SAT)
- Systems Integration Testing (SIT)
- User Acceptance Testing (UAT)
- Conference Room Pilots (CRP)
- Interface Testing (Pre/Post)
- Data Conversion Testing & System Cutover (Pre/Post)
- Issues, Errors & Remediation (Pre/Post)
- Business cycle transaction walk-throughs & expected results
- Mock Financial Close testing!!! (Monthly and Annual)
- Key report testing
Tips and Recommendations
- Ensure the “Test” environment reflects the expected “Production” environment: use of cloned production data vs. dummy data
- Just because it worked in “Test”…
- Performance is slow…
- Risks/rewards with the “train the trainer” approach…
- Procurement cycle internal controls (highest risk): matching controls, GL coding, etc.
- ERP module inter-dependencies
- Key report testing…
- Mock financial close training and testing…
- “We have a workaround for that…”
- Post go-live production support plan… 60 days starting when?
- Anticipating ERP Project team and unplanned employee turnover.
- Ensure testing in both Pre and Post go-live environments.