How to Audit an ERP System via the Risk Management Route Presented by: Gabriel Lung ISACA London Chapter Events 2003/2004 ABN-AMRO, 250 Bishopsgate, London 27 May 2004

Disclaimer This presentation is based solely on my view and not that of my company

Introduction 4Risk Management in BAA corporate governance risk management process and methodology 4The principle of trust 4The ERP rationale and coverage 4The ERP audit the RM way 4Lessons Learnt 4Q&A

BAA Business Activities Airport Management Airport retail management Property Development Duty free retailing Train operations Designer outlets

Turnbull/combined Code Requirements 4BAA must report annually on its’ systems of internal: financial control operational control compliance control risk management process 4The majority of assurance will come from management

Risk Management Process MB XC Corporate Risk Director (Key Corporate Risks) How are these key risks managed ? Residual Operational Risks Key Operational Risks This is how Local Risk Management GIA Audit This GIA Audit This

Risk Management Stages Business Objective Risk The identification of those things that would PREVENT an objective from being achieved Inherent Level The likelihood and consequence of risk crystallisation before mitigating actions (controls) have been put in place Control Those actions that, if taken, will reduce either the likelihood or consequence of a risk crystallising Residual Level The likelihood and consequence of risk crystallisation after mitigating actions (controls) have been put in place Insurance The risk can sometimes be reduced (transferred) by insurance Retained Level The level of risk formally accepted by the organisation.

The Principle of Trust Do you trust your clients?

On What Basis Do We Trust Them? Based on: 4The strength of the control environment organisation methods & practices culture & behaviour 4Previous audits - these indicate strong internal controls The caveat is that: 4We trust but reserve the right to verify

The Rationale of Investing in An ERP IT, HR & Procurement Silo One Silo Two Silo Three The Business Support Centre The Business Support Centre Cultivates Better Customer Relationship s Takes Calculated Risks Control E. R. P.

Scope of the ERP (What does it cover?) 4 Resource, Develop & Manage People (RDMP) 4 Plan & Develop the Business (PDB) 4 Acquire & Maintain Asset (AMA) 4 Others (income and financial ledgers)

Audit Drivers 4 Corporate Governance (Turnbull & LSE) 4 Audit & Assurance 4 Management Requests

Pre-Audit Assessment 8 No formal business risk register 8 Lack of practical experience in assessing risks by process management 4 The ERP system was subject to regular audits before it went live 4 Process management believed that checks and balances are in place and operating

What did we do before the audit? 4 Gave a full day risk management training course to key business process managers 4 Facilitated initial risk assessment workshops 4 Provided feedback on initial risk registers and ongoing advice on the risk management methodology 4 Agreed with management that we would be returning to audit the risk registers and processes

Phase 1 Audit Focus To review how well management identified risks in the ERP processes that could threaten the achievement of business objectives

What did they do? 1/2

What did they do? 2/2 (This example is for demonstration only) AM

How Do We Assess Them? Inherent Risks Status of controls Residual Risks An example)

What We Found? 4 Management gained confidence in the risk management process: All key risks were identified Risks were aligned with business objectives Controls were reasonably well specified 8 However, the control monitors and early warning indicators had not been explicitly identified

Remedial Actions 4 A formal project board was established with Main Board representation and a dedicated project manager to oversee the detailed design of ERP controls 4 More risk assessment workshops were carried out 4 Further controls were improved

Phase 2 Audit Focus To review how well the designed controls and associated embedded monitors address the risks identified in phase 1

What We Found This Time 4 Project Board is working effectively in accordance to the project charter 4 Risks and controls are well designed 8 However, more work is still required in the design of suitable embedded monitors and early warning indicators (Management has sought assistance from GIA to remedy this situation)

What We Did? 4A half day workshop was given to 15 key process managers specifically on the design of embedded monitors and early warning indicators including: good and bad examples 4 case studies relevant to our business for syndicate work group presentation of results to each other 4Provided continuous support to all process managers who required assistance on the risk management methodology

Embedded Monitors Design Methodology

Phase 3 Audit Focus 4 In phase 1, we examined how well management identified risks in the ERP processes that could threaten the achievement of business objectives 4 In phase 2, we reviewed how well the designed controls and associated embedded monitors address the risks identified in phase 1 4 In the final phase,we carried out an audit to review how well the designed controls and associated embedded monitors are working in practice over the ERP processes

Phase 3 – What We Found? No major issues identified in our audits and that: 4 Management has established formal governance structures for reviewing embedded monitors 4 Formal Service Level Agreement (SLA) established between the Business Support Centre (BSC) and BAA airports 4 Key stakeholders have held regular meetings to evaluate SLA performance and to prescribe remedial actions for areas requiring improvement

What We Have Learned 4 Auditors increasingly demand consultancy skills 4 Audit and consultancy work well together if the assurance role is segregated 4 Our method would not have worked in a different organisation culture (we have full support from Top Management) 4 Risk management is the catalyst to facilitate management in achieving their objectives 4 Improving risk management maturity of an organisation requires a vigorous process

Risk Management Maturity Continuum (Among the ERP Process Managers) NoviceCompetentProficientExpert Before After

Could We Have Done It Differently? 4 Yes – except that the audit department would need to be 2-3 times our current size or we would need to reduce the level of assurance provided to Management risking non-compliance to the corporate governance requirement

Questions?

How to Audit an ERP System via the Risk Management Route Presented by: Gabriel Lung ISACA London Chapter Events 2003/2004 ABN-AMRO, 250 Bishopsgate, London 27 May 2004