Addressing Internal Controls in State ERP Systems: Being Proactive
Aaron Erickson, Chief Operating Officer, State of Ohio, Office of Budget and Management
Christian Fuellgraf, Director, Grant Thornton, Global Public Sector
Tom Dale, Director, Grant Thornton, Global Public Sector
Our panelists' point of view
Our personal experiences have shaped our perspectives.
Indiana Encompass
The Ohio State University
Marriott
French Ministry of Finance
Ohio OAKS
U.S. National Park Service
City of Milwaukee
Alameda County, CA
Riverside County, CA
Kentucky HRIS
U.S. Department of the Interior FBMS
Implementer / Client
Overview
• Internal controls and ERP implementation strategy
• The State of Ohio experience
• Putting it together going forward
Sharing the message of internal controls
Internal controls comprise both a structure and a systematic methodology to help financial, technology and program managers achieve their mission results and safeguard the integrity of programs.
They are a means of managing the risk and improving efficiency associated with programs and operations – done properly they are widely accepted and followed.
ERP drivers and internal control objectives complement each other
ERP Drivers
• Achieve better and more efficient fiscal, program and technology management
• Improve fiscal accountability and safeguard public assets
• Utilize technology to streamline operations, transaction accuracy, and processing times
• Obtain reasonable assurance of the integrity of all fiscal processes via improved systems
• Create greater visibility and confidence in state data via technology and technology-enabled processes
COSO IC
• Blueprint for better and more efficient fiscal, program and technology management
• Methodology to ensure fiscal accountability and safeguard public assets
• An approach that aligns an organization’s processes and procedures to reporting, rules and legal requirements
• Set of standard practices to provide reasonable assurance of the integrity of all fiscal processes
• A means to create greater visibility and confidence by legislative leadership, opinion leaders and stakeholders into the fiscal and operational integrity of an agency
Common ERP approach
This is a good start, but not a complete strategy.
SDLC Phases: Plan, Analyze, Design, Build, Test, Deploy
ERP Implementation Work Streams: Project Management; Change Leadership; Process Design and Configuration; Internal Controls; Information Technology; Training and Documentation
Ohio's implementation approach
• Elected to do a plain vanilla implementation where business processes are adapted to function within the COTS software
• Focused on meeting requirements and technical compliance rather than significant re-engineering for leading practices
Finance and Supply Chain: Purchasing, General Ledger, Accounts Payable, Accounts Receivable, Financials Data Warehouse/EPM, Billing and Receiving, Asset Management, Budgeting and Planning
Human Capital Management: Core HR, Payroll, Time and Labor, ePay, HCM Enterprise Performance Management (EPM), Benefits Administration COBRA, EPM for Benefits Admin & COBRA
Results
• Risk assessment identified 108 issues from across State organizations and applications
• Multiple SAS-70 findings
• Management Letter comment in statewide single audit - "significant deficiency in IT controls for HCM application"
Risk Categories Rating
Asset Management
Budget Management
Claims Management
Financial Reporting
Information Technology
Payroll
Personnel & Organizational Support
Program Management
Procurement/Expenditures
Revenue Management
Implications
• Vulnerability ratings based on assessment comments and experience
• Categorized issues into domains:
- 14 critical
- 27 high priority
• Remediation plan in process
• Four people dedicated to corrective action plans for next fiscal year
Estimated costs of additional changes
• Enterprise risk management activities - $1.7 million
• Process-based assessments of four critical risk areas
• Estimates do not include performing corrective actions, state project team time or agency time
Risk area Hours
Financial Reporting 1,250
IT 3,000
Payroll 1,400
Procurement & Expenditures 1,550
Risks of not including internal controls initially
Project Delays – System testing will likely show weakness in security and other controls
Data Reliability and Process Integrity Issues – Many potential risks from lack of system acceptance to outright fraudulent activity
Audit Findings – Audits may comment upon material weakness in the various functional areas
Post Go-Live Rework – On average it is 3-5 times more expensive to address issues post-implementation
ERP approach with internal control work stream
SDLC Phases: Plan, Analyze, Design, Build, Test, Deploy
ERP Implementation Work Streams: Project Management; Change Leadership; Process Design and Configuration; Internal Controls; Information Technology; Training and Documentation
Be control conscious
Internal controls should be an integral part of the solution analysis, requirements, design and delivery lifecycle – not an afterthought – involve your auditors
Actively involve internal control experts throughout the project lifecycle
Build internal control work streams into ERP system solicitation requirements
Educate and work with your state and agency CIOs – better internal controls are a good thing for everyone!