Overview of the Top Risks & the Keys to a Successful Implementation of an ERP System
Government Finance Officers Association
K. Adam Glover, CISA
Areas of Expertise:
• SSAE 16 SOC 1 & SOC 2
• IT Audit
• Internal Controls
• Internal Audit
Professional Involvement:
• Information Systems Audit and Control Association (ISACA)
• Florida Government Finance Officers Association (FGFOA)
• Florida Institute of Certified Public Accountants (FICPA)
Key Points Agenda
Introduction to ERP
ERP Requirements & Characteristics
Vendor Selection
Managing the Implementation Process
Top Risks and Examples of Real World Failures
Common Pitfalls of an ERP Implementation
Audit Requirements of an ERP Implementation
Tips and Recommendations
Question & Answer
Learning Objectives
• Develop a basic understanding of:
  - ERP Requirements & Characteristics
  - The Top Risks Related to ERP System Implementations
  - Best Practices used to Mitigate the Risks Associated with ERP System Implementations
What does ERP stand for?
• Enterprise Business System (EBS) or Enterprise Resource Planning (ERP) Software is a cross-functional enterprise system driven by an integrated suite of software modules that support the basic internal business processes of a company.
• The Most Important Thing to Remember: You can increase the likelihood of success through proper planning and
What is an ERP System vs. an Accounting System?
• Traditional Accounting System
What is an ERP System vs. an Accounting System?
• ERP System Model
What are the Characteristics of an ERP System?
• Multi-layered structure as opposed to a linear
• Seamless, integrated functionality
• Automated controls such as three-way match, automated journal entry approval, purchase order management, budgetary controls, etc.
• Automated workflow
• Result is a change in the way you do business
Common Examples of ERP Software
MS Dynamics
MS Great Plains
ERP Implementation Improvement
• The planned changes and implementation of an ERP are intended to improve the Organization’s enterprise risk management including:
  - Improve the Organization’s ability to meet its operational, financial reporting and compliance objectives.
  - Create efficiencies (including cost savings) in managing the Organization’s business.
  - Effectively safeguard shareholder/taxpayer assets and demonstrate sound financial stewardship.
ERP Requirement Types
• Functional Requirements
  - Business processes that users expect to be fully, or at least partially, automated by the new system. These would include such things as three-way match, reasonableness tests for salary increases, automated purchase order management and automated budgetary performance monitoring.
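Two of the automated controls named on the Characteristics slide and in the Functional Requirements above (three-way match and budgetary control) in working form, as an added example that is not part of the original presentation. The purchase order, receipts, invoices, GL account and budget figures are constructed sample data, and the 2% unit-price tolerance is an assumed policy value, not one the slides state. The point the slides make is that the system, not a reviewer, holds the exception and records why; every hold reason is returned as an auditable record.

```python
# Added example: three-way match and budgetary-control checks of the kind the
# slides list as "automated controls". All names and figures are constructed.
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List


@dataclass
class PurchaseOrder:
    po_id: str
    vendor: str
    account: str          # GL account / budget line charged
    quantity: int
    unit_price: Decimal


@dataclass
class Receipt:
    po_id: str
    quantity_received: int


@dataclass
class Invoice:
    invoice_id: str
    po_id: str
    vendor: str
    quantity_billed: int
    unit_price: Decimal


# Assumed policy value: unit-price variance above 2% of the PO price is an exception.
PRICE_TOLERANCE = Decimal("0.02")


def three_way_match(po: PurchaseOrder, receipts: List[Receipt], invoice: Invoice) -> List[str]:
    """Compare PO, receiving and invoice; return the exception reasons (empty list = match)."""
    exceptions = []
    if invoice.po_id != po.po_id:
        exceptions.append(f"po: invoice references {invoice.po_id}, matched against {po.po_id}")
    if invoice.vendor != po.vendor:
        exceptions.append(f"vendor: invoice from {invoice.vendor}, PO issued to {po.vendor}")
    received = sum(r.quantity_received for r in receipts if r.po_id == po.po_id)
    if invoice.quantity_billed > received:
        exceptions.append(f"quantity: billed {invoice.quantity_billed}, received {received}")
    if invoice.quantity_billed > po.quantity:
        exceptions.append(f"quantity: billed {invoice.quantity_billed}, ordered {po.quantity}")
    if po.unit_price <= 0:
        exceptions.append("price: PO unit price is not positive")
    else:
        variance = abs(invoice.unit_price - po.unit_price) / po.unit_price
        if variance > PRICE_TOLERANCE:
            exceptions.append(f"price: variance {float(variance):.1%} exceeds tolerance "
                              f"{float(PRICE_TOLERANCE):.0%}")
    return exceptions


def budget_available(budget: Dict[str, Decimal], spent: Dict[str, Decimal], account: str) -> Decimal:
    """Budgetary control: appropriation less what has already been committed on the line."""
    return budget.get(account, Decimal("0")) - spent.get(account, Decimal("0"))


def approve_invoice(po: PurchaseOrder, receipts: List[Receipt], invoice: Invoice,
                    budget: Dict[str, Decimal], spent: Dict[str, Decimal]) -> dict:
    """Run both controls; approve only when no exception is raised, and only then
    commit the amount against the budget line so later invoices see it."""
    amount = invoice.quantity_billed * invoice.unit_price
    exceptions = three_way_match(po, receipts, invoice)
    available = budget_available(budget, spent, po.account)
    if amount > available:
        exceptions.append(f"budget: {amount} exceeds available {available} on {po.account}")
    status = "APPROVED" if not exceptions else "HELD"
    if status == "APPROVED":
        spent[po.account] = spent.get(po.account, Decimal("0")) + amount
    # Auditable record: the decision and every reason for a hold.
    return {"invoice_id": invoice.invoice_id, "po_id": po.po_id, "amount": amount,
            "status": status, "exceptions": exceptions}


def run_demo() -> List[dict]:
    # Constructed sample data.
    po = PurchaseOrder("PO-1001", "Acme Supply", "5210-SUPPLIES", 100, Decimal("25.00"))
    receipts = [Receipt("PO-1001", 60), Receipt("PO-1001", 40)]
    budget = {"5210-SUPPLIES": Decimal("10000.00")}
    spent = {"5210-SUPPLIES": Decimal("5000.00")}
    # Fully received, price within tolerance, within remaining budget: approved.
    inv_ok = Invoice("INV-77", "PO-1001", "Acme Supply", 100, Decimal("25.40"))
    # Over-billed quantity, 20% price increase and over the remaining budget: held.
    inv_bad = Invoice("INV-78", "PO-1001", "Acme Supply", 120, Decimal("30.00"))
    return [approve_invoice(po, receipts, inv, budget, spent) for inv in (inv_ok, inv_bad)]


if __name__ == "__main__":
    for record in run_demo():
        print(record["invoice_id"], record["status"], record["amount"], *record["exceptions"], sep="\n  ")
```

Run as a script to see the approved invoice followed by the held one with its four hold reasons. The order of the two invoices matters: the first approval commits 2,540.00 to the budget line, which is why the second invoice also fails the budget check.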
ERP Requirement Types
• Technical Requirements
  - Capability of the system to conform to and complement protocols inherent in the current technology infrastructure. Examples would include compatibility of access control methodology with Windows Active Directory and functionality supporting seamless transition to disaster recovery mode. Also, consideration for cloud computing.
ERP Requirement Types
• Operational Requirements
  - Capability to support the day-to-day functions of business unit users, including certain automated workflow, user-friendly query capabilities, comprehensive audit trail of user activities and flexible reporting capabilities.
ERP Requirement Types
• Contract Requirements
  - Certain terms and conditions should be addressed in the contract including fee arrangement, performance criteria, maintenance and support capabilities, compliance with federal, state and local regulations, support for new releases and requested enhancements and limits on the cost of annual maintenance increases.
How do you define ERP
• Form a task force with representatives from all stakeholder groups – this is not just an IT project
• Define Requirements at a granular level
  - This is a bottom-up process
  - Make sure the Requirements reflect the real world
  - Make sure the Requirements look to and accommodate for future growth, expansion and
Vendor Selection
• Experience in your Industry
  - Public vs. Private
  - Experience with organizations your size
  - Experience with your organization’s IT infrastructure
• References/Referrals
  - Talk to your peers
Vendor Selection
• Do they meet all of your defined Requirements?
  - If not, what acceptable alternatives are available from this
• Can they meet the defined Requirements with minimal customization?
  - Customizations often times = more $$$
Vendor Selection
• Are third party integrators available?
  - Certified integrators by system
• What are the vendors/integrators training
  - Contract requirement
• What is the total cost of implementation and fee
  - Contract requirement
Managing the Implementation
• Select a project executive sponsor or sponsors
  - Tone from the top
• Migrate the original task force that helped define Requirements into a formal Steering Committee
• Designate an overall day to day project manager(s)
  - Internal vs. External
  - Full-Time vs. Part-Time
    - How the Project Management Team is set up is an additional cost of the project to factor
Managing the Implementation
• Define Team Responsibilities and Project Reporting process for all parties
• Break Up the Project into documented Milestones
  - Tie vendor payments to milestone completion
  - Contract Requirement
• Define acceptance criteria for your Requirements being met – put it in writing
Managing the Implementation
• Designate Test Team Members – day to day functions
  - Separate from Project Management Team
• Define and execute Test Scripts & Document Results
• Conduct and document User Acceptance Testing
• Track issues and problems and report periodically
• Train Users and Support Staff
• Define knowledge transfer from vendors to staff
  - Contract Requirement
Implementation Type
• Consider Parallel Processing vs. Cut Over
  - Phased vs. Complete
  - Modular vs. Departmental
• Develop and implement a migration plan with defined responsibilities (internal vs. external)
  - Include system reconciliations throughout
  - Document a detailed audit trail of the implementation
Post Implementation Process
• Continue to track problems and issues
• Define a Change Management Process
• Define a New Release Implementation Process
• Plan for on-going training
• Define and plan subsequent enhancements
• Who is responsible for all of these?
Missing Opportunities, Objectives, Errors, & Losses Occur Because?
• Unseen risk - blindsided
• Unmanaged risk
• Controls being relied upon, failed
Note that we are not referring to Black Swan events, which are arguably unpredictable, but risk in the ordinary course of business
Top ERP Risks
• Having a “Good Plan” vs. Just a Plan
• Not Aligning ERP Requirement Types with Business Processes
• Part time project management
• Underestimating resource requirements
• Decentralizing decision making
• Project complexity
• Lack of in house skills
• User resistance and customization
• Not Selecting the Appropriate Vendor
• Not Considering which Implementation Type is right for your
• Insufficient Testing and User Training
Impact of an ERP Implementation on Enterprise Risks
• Service delivery risk – inability to meet customer expectations due to poor service quality or inefficiency, unable to balance customer demand vs. capacity.
• Information Management Risk – Inability to capture, retain, access and disseminate critical information used to run the Municipality/NFP’s businesses.
• Information Security Risk – Unauthorized disclosure of confidential information e.g., constituent/donor information, donor/constituent or employee data privacy
• Business Interruption - Natural Disasters, Fire, Utility Supply, Infrastructure failure, IT failure(s), Labor, Terrorism or industrial sabotage and / or failure of business vendor/counter party.
• Regulatory Reporting Risk – External financial audit findings, unfavorable findings from Local Government Commission (LGC), OMB/HUD, Periodic State ad hoc reporting, US Treasurer, Rating Agencies (S&P), EMMA (bonds), IRS reporting etc.
ERP’s Impact to Enterprise Risks
• New program/service introduction risk – Inability to timely complete/transition new programs/services into the constituent market place and/or programs/services developed/implemented may not have ready constituent market value (limited use).
• Sponsorship risk - ineffective oversight of agencies/affiliates or special events/fundraisers results in reputational damage and/or lawsuits
• Fraud Risk – Exposure to corruption activities, asset misappropriation, or allegations of undue influence.
• Human Capital – unable to attract, develop and retain qualified employees.
• Geo/Political risk - Unstable political environment creates potential for an impact on Federal/State program funding and/or risk events that cause reputational damage to the municipality or NFP. Note that any of the other top 9 risk areas can lead to reputational damage and Geo/Political risk.
Real World Examples of ERP
Implementation Failures
ERP Failure Example #1
ERP Failure Example #2
Additional ERP Failure Examples
• Hershey, Nike, and HP have all had very public ERP implementation failures costing $100’s of millions.
• Government of DC – 2 failed Oracle implementations.
• Approximately 30% of all ERP implementations fail.
Common Pitfalls
• Never place total reliance on the Software Vendor or Integration Vendor
  - You are ultimately responsible for making all management decisions and performing all management functions, including establishing and maintaining internal controls and monitoring ongoing activities
• Never agree to a technical solution or product that you do not fully understand.
Common Pitfalls
• Do not make the mistake of simply duplicating the old system. Learn about and take advantage of all of the new system’s capabilities, particularly its automated
• Try your best to set Realistic Deadlines, but when you know that you are going to miss one, plan for it and act accordingly.
Common Pitfalls
• Document Everything…
ERP Implementation Control Risk &
• Change in Enterprise Business Systems aka ERP - the implementation of an ERP system covers most if not all significant business cycles and represents a material change to the organization’s system of internal
• Risk – Change in ERP also increases the Organization’s exposure to unintended consequences affecting many enterprise risk areas e.g., inefficiency, error and fraud until the control environment matures on the new system.
• Requirements – Auditing standards require that changes to a system of internal control must be considered. In doing so, the effectiveness of key IT General Controls (ITGCs) must be validated to obtain comfort of the ERP system’s ability to house, transport, store, and transform data for reliable financial reporting.
ITGCs & ERP Implementation
• IT General Controls (ITGC) are pervasive controls that contribute indirectly to the achievement of most financial statement assertions.
• ITGCs also contribute to safeguarding an Organization’s
• Our focus is on the Systems Development Life Cycle (SDLC) ITGC area as applied to the ERP project.
Internal Control Criteria & Standards
• Internal Control Criteria
  - COSO (Committee of Sponsoring Organizations)
  - COBIT (Control Objectives for Information and Related Technology)
• Examinations of internal control
  - AICPA Standards – SSAE 15 or Agreed Upon Procedures (AUP)
• Consideration of internal control
  - Government Auditing Standards
  - AICPA Auditing Standards
• Assessments of internal control
  - Control self-assessment
  - Independent assessment
Assessment Criteria
• Control Frameworks to implement systems
  - COBIT Framework for ITGCs including SDLC
  - ISO/IEC 12207 Software Life cycle processes
  - IEEE (Standard setter)
  - PMBOK (Standards issued by Project Mgmt. Institute)
• Control Maturity Models (CMM)
  - CMMs are used to assess control maturity for control areas using a control framework as applied to the ERP project.
  - CMMs are typically tailored to best suit the organization’s needs.
COBIT Review Criteria
Training (7.1)
Test plan (7.2)
Implementation plan (7.3)
Test environment (7.4)
System and data conversion (7.5)
Testing of changes (7.6)
Final acceptance test (7.7)
Promotion to production (7.8)
High Level ERP Implementation
• Review and test the following:
  - ERP Project Plan & Milestones against COBIT 4.1 SDLC
  - ERP Project Risk assessment & evaluation criteria affecting “go” or “no go”
  - Future state internal control design
    - Systems Acceptance Testing (SAT)
    - Systems Integration Testing (SIT)
    - User Acceptance Testing (UAT)
    - Conference Room Pilots (CRP)
    - Interface Testing (Pre/Post)
    - Data Conversion Testing & System Cutover (Pre/Post)
    - Issues, Errors & Remediation (Pre/Post)
  - Business cycle transaction walk-throughs & expected results
    - Mock Financial Close testing!!! (Monthly and Annual)
    - Key report testing
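The system reconciliations the Implementation Type slide calls for throughout migration, and the Data Conversion Testing & System Cutover item above, as an added example that is not part of the original presentation: a control-totals reconciliation of a legacy trial balance extract against the converted one. Funds, accounts and amounts are constructed sample data, with two conversion defects planted (one amount changed, one row dropped) so the checks have something to report. Row counts, per fund-and-account subtotals, grand totals and whether the target still balances are all compared, since a conversion can pass any one of these and still be wrong.

```python
# Added example: control-totals reconciliation of a legacy trial balance against
# the converted one, the kind of check run during data conversion and cutover.
# Funds, accounts and amounts are constructed sample data.
from collections import defaultdict
from decimal import Decimal
from typing import Dict, List, Tuple

Row = Dict[str, str]        # {"fund", "account", "debit", "credit"} as exported from each system
Key = Tuple[str, str]       # (fund, account)


def control_totals(rows: List[Row]):
    """Row count, grand debit/credit totals and per fund+account subtotals."""
    totals = {"rows": len(rows), "debits": Decimal("0"), "credits": Decimal("0")}
    by_key: Dict[Key, Dict[str, Decimal]] = defaultdict(
        lambda: {"debits": Decimal("0"), "credits": Decimal("0")})
    for r in rows:
        debit, credit = Decimal(r["debit"]), Decimal(r["credit"])
        totals["debits"] += debit
        totals["credits"] += credit
        key = (r["fund"], r["account"])
        by_key[key]["debits"] += debit
        by_key[key]["credits"] += credit
    return totals, by_key


def reconcile(legacy: List[Row], converted: List[Row]) -> dict:
    """Compare the two extracts and list every variance; 'clean' is True only when
    counts, per-account subtotals and grand totals all agree and the target balances."""
    lt, lk = control_totals(legacy)
    ct, ck = control_totals(converted)
    findings = []   # (kind, (fund, account) or None, difference target minus legacy or None)
    if lt["rows"] != ct["rows"]:
        findings.append(("row_count", None, Decimal(ct["rows"] - lt["rows"])))
    for key in sorted(set(lk) | set(ck)):
        if key not in ck:
            findings.append(("missing_in_target", key, None))
        elif key not in lk:
            findings.append(("extra_in_target", key, None))
        else:
            for side in ("debits", "credits"):
                diff = ck[key][side] - lk[key][side]
                if diff != 0:
                    findings.append((f"{side}_variance", key, diff))
    balanced = ct["debits"] == ct["credits"]
    if not balanced:
        findings.append(("target_out_of_balance", None, ct["debits"] - ct["credits"]))
    return {"legacy_totals": lt, "target_totals": ct, "target_balanced": balanced,
            "findings": findings, "clean": not findings}


def sample_legacy() -> List[Row]:
    """Constructed legacy extract: two funds, balanced (debits 5800.00 = credits 5800.00)."""
    return [
        {"fund": "100", "account": "1010", "debit": "5000.00", "credit": "0.00"},
        {"fund": "100", "account": "2010", "debit": "0.00", "credit": "1500.00"},
        {"fund": "100", "account": "3000", "debit": "0.00", "credit": "3500.00"},
        {"fund": "200", "account": "1010", "debit": "800.00", "credit": "0.00"},
        {"fund": "200", "account": "3000", "debit": "0.00", "credit": "800.00"},
    ]


def sample_converted() -> List[Row]:
    """Same data after a conversion with two planted defects: one amount changed, one row dropped."""
    rows = [dict(r) for r in sample_legacy()]
    rows[1]["credit"] = "1050.00"   # payable understated by 450.00
    del rows[4]                      # fund 200 fund-balance row lost in the load
    return rows


def run_demo() -> dict:
    return reconcile(sample_legacy(), sample_converted())


if __name__ == "__main__":
    result = run_demo()
    print("clean:", result["clean"], " target balanced:", result["target_balanced"])
    for kind, key, diff in result["findings"]:
        label = "/".join(key) if key else ""
        print(f"  {kind:<24} {label:<12} {'' if diff is None else diff}")
```

Run as a script to see the four findings the planted defects produce; reconciling the legacy extract against itself returns clean. In practice the same function is run after each conversion rehearsal and again at cutover, with the output kept as part of the implementation audit trail.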
Tips and Recommendations
• Ensure “Test” environment reflects expected “Production”
  - Use of cloned production data vs. dummy data
  - Just because it worked in “Test”…
  - Performance is slow…
  - Risks/Rewards with “train the trainer” approach…
• Procurement cycle internal controls (highest risk).
  - Matching controls, GL coding etc…
  - ERP Module inter-dependencies
Tips and Recommendations
• Key report testing…
• Mock financial close training and testing…
• “We have a workaround for that…”
• Post go live production support plan…60 days starting
• Anticipating ERP Project team and unplanned employee
• Ensure testing in both Pre and Post go live environments.
Contact Information:
K. Adam Glover
Cell: (386) 527-4039
Email: akg1884@ufl.edu