Addressing Internal Controls in State ERP Systems: Being Proactive
Aaron Erickson, Chief Operating Officer, State of Ohio, Office of Budget and Management
Christian Fuellgraf, Director, Grant Thornton, Global Public Sector
Tom Dale, Director, Grant Thornton, Global Public Sector

Our panelists' point of view
Our personal experiences have shaped our perspectives.
- Indiana Encompass
- The Ohio State University
- Marriott
- French Ministry of Finance
- Ohio OAKS
- U.S. National Park Service
- City of Milwaukee
- Alameda County, CA
- Riverside County, CA
- Kentucky HRIS
- Implementer
- Client
- U.S. Department of the Interior FBMS

Overview
- Internal controls and ERP implementation strategy
- The State of Ohio experience
- Putting it together going forward

Sharing the message of internal controls
Internal controls comprise both a structure and a systematic methodology to help financial, technology and program managers achieve their mission results and safeguard the integrity of programs. They are a means of managing the risk and improving efficiency associated with programs and operations – done properly, they are widely accepted and followed.

ERP drivers and internal control objectives complement each other

ERP Drivers
- Achieve better and more efficient fiscal, program and technology management
- Improve fiscal accountability and safeguard public assets
- Utilize technology to streamline operations, transaction accuracy, and processing times
- Obtain reasonable assurance of the integrity of all fiscal processes via improved systems
- Create greater visibility and confidence in state data via technology and technology-enabled processes

COSO IC
- Blueprint for better and more efficient fiscal, program and technology management
- Methodology to ensure fiscal accountability and safeguard public assets
- An approach that aligns an organization's processes and procedures to reporting, rules and legal requirements
- Set of standard practices to provide reasonable assurance of the integrity of all fiscal processes
- A means to create greater visibility and confidence by legislative leadership, opinion leaders and stakeholders into the fiscal and operational integrity of an agency

Common ERP approach
This is a good start, but not a complete strategy.
SDLC Phases: Plan, Analyze, Design, Build, Test, Deploy
ERP Implementation Work Streams: Project Management, Change Leadership, Process Design and Configuration, Internal Controls, Information Technology, Training and Documentation

Ohio's implementation approach
- Elected to do a plain vanilla implementation where business processes are adapted to function within the COTS software
- Focused on meeting requirements and technical compliance rather than significant re-engineering for leading practices
Finance and Supply Chain: Purchasing, General Ledger, Accounts Payable, Accounts Receivable, Financials Data Warehouse/EPM, Billing and Receiving, Asset Management, Budgeting and Planning
Human Capital Management: Core HR, Payroll, Time and Labor, ePay, HCM Enterprise Performance Management (EPM), Benefits Administration, COBRA, EPM for Benefits Admin & COBRA

Results
- Risk assessment identified 108 issues from across State organizations and applications
- Multiple SAS-70 findings
- Management Letter comment in statewide single audit - "significant deficiency in IT controls for HCM application"
Risk Categories / Rating
- Asset Management
- Budget Management
- Claims Management
- Financial Reporting
- Information Technology
- Payroll
- Personnel & Organizational Support
- Program Management
- Procurement/Expenditures
- Revenue Management

Implications
- Vulnerability ratings based on assessment comments and experience
- Categorized issues into domains:
  - 14 critical
  - 27 high priority
- Remediation plan in process
- Four people dedicated to corrective action plans for next fiscal year

Estimated costs of additional changes
- Enterprise risk management activities - $1.7 million
- Process-based assessments of four critical risk areas
- Estimates do not include performing corrective actions, state project team time or agency time
Risk area                     Hours
Financial Reporting           1,250
IT                            3,000
Payroll                       1,400
Procurement & Expenditures    1,550

Risks of not including internal controls initially
- Project Delays – System testing will likely show weakness in security and other controls
- Data Reliability and Process Integrity Issues – Many potential risks, from lack of system acceptance to outright fraudulent activity
- Audit Findings – Audits may comment upon material weakness in the various functional areas
- Post Go-Live Rework – On average it is 3-5 times more expensive to address issues post-implementation

ERP approach with internal control work stream
SDLC Phases: Plan, Analyze, Design, Build, Test, Deploy
ERP Implementation Work Streams: Project Management, Change Leadership, Process Design and Configuration, Internal Controls, Information Technology, Training and Documentation

Be control conscious
- Internal controls should be an integral part of the solution analysis, requirements, design and delivery lifecycle – not an afterthought – involve your auditors
- Actively involve internal control experts throughout the project lifecycle
- Build internal control work streams into ERP system solicitation requirements
- Educate and work with your state and agency CIOs – better internal controls are a good thing for everyone!