Mitigating the Unique Risks of Accelerated ERP Implementations


Protiviti • Mitigating the Unique Risks of Accelerated ERP Implementations • 1

Introduction

For years, system integrators have sought to differentiate themselves in the enterprise resource planning (ERP) services space by marketing preconfigured “industry templates” and accelerated implementation methodologies intended to help greatly reduce the cost, complexity and duration of implementations.

The benefits of a rapid ERP implementation are enticing, of course. Rather than spending months defining business processes and considering myriad features and options available in the software, ERP customers agree to accept standard, predefined business processes preconfigured by the system integrator. Often, implementation templates are tailored to specific industries, such as consumer packaged goods or life sciences, and are described as incorporating many business process or compliance requirements specific to those industries.

Benefits of rapid implementation are driven through changes to traditional ERP implementation methodology. Due to the limited degree of customization, system integrators plan for much less time in the up-front design phase. In addition, the system integrator will plan limited time for building technical objects such as custom reports, forms and interfaces, since it is assumed the capabilities provided by the preconfigured solution are sufficient. Rapid ERP implementations also seek to compress the overall timeline by assuming that portions of critical streams of work, such as testing, training and data conversion, are executed in parallel.

For years, many ERP buyers were skeptical of the purported benefits of accelerated implementation approaches. However, as the ERP market has matured, numerous success stories and case studies, illustrating the potential benefits of accelerated ERP implementations, have emerged. Due to the high cost and risks inherent in a major ERP implementation, rapid implementation approaches are now becoming more mainstream. But there are significant implications from both a project risk management and internal controls perspective that must be considered and addressed by organizations embarking on this type of project.

Implications for Risk Management and Internal Controls

Compressed Design Phase

Historically, the early “blueprinting” stages of an ERP implementation have involved the design or re-engineering of business processes. Flow charts are often produced to provide a basis for documenting the functional and technical requirements necessary to implement the new processes. However, in an accelerated implementation model, the review of system requirements is dramatically shortened, as it is assumed the company will adopt standard, predefined business processes. Typically, the system integrator will perform demonstrations of the preconfigured processes, and it is assumed that, unless major gaps are uncovered, the process will be accepted “as is.”

One side effect of a compressed design phase is the limited time available for thoughtful consideration of internal controls and compliance requirements. It is essential to note that some companies are mandated (by the Sarbanes-Oxley Act, the Federal Information System Controls Audit Manual, etc.) to manage financial risks and industry compliance regulations (the U.S. Food and Drug Administration, the International Traffic in Arms Regulations, etc.). Failure to deliver a system addressing the necessary compliance requirements can result in regulatory exposure and the need to perform significant rework after the new system is deployed. Unfortunately, business process owners are ill-equipped in the design phase to highlight gaps in requirements and controls because they are still in the process of learning the software. Additionally, the functionality demonstrations performed by the system integrator during a compressed design phase typically focus on core “out-of-the-box” functionality and do not address controls or compliance requirements. It is also difficult to understand the assumptions the vendor has made in its preconfigured solution regarding settings, features and options in the software that may have internal controls impacts. Effective implementation of the three-way match control in SAP, for example, requires configuring up to seven different parameters and tolerances. In a rapid implementation, it is likely the implementer has made assumptions about a number of these settings – and perhaps hundreds more.

To mitigate the risk of an ERP solution with insufficient internal controls, it is important to have an advocate for internal controls (the “controls team”) aligned with and participating in the project. This team helps ensure that internal controls are considered and built into the ERP application across all business processes and technical components enabled by the ERP system. In smaller projects, internal audit may assume this role in a part-time, consultative capacity. On larger implementations, it is common to have an internal controls work stream composed of multiple dedicated resources.

These resources work to develop a vision and an understanding of the end-state control environment, and collaborate with the implementation team to map and reconcile historical risks and controls to the “to be” business processes. These resources also play a key role in educating the business – and the system integrator – about the specific configurable features and options in the software that may be implemented to achieve control objectives. In addition, the controls team may be involved in responding to external auditors’ expectations with regard to business, financial reporting, and controls impacts resulting from an implementation. If possible, requirements for internal controls should be identified in the documentation produced by the ERP project team during the design phase, to help ensure it is accountable for delivering these controls in subsequent phases.

Limited Process and Control Documentation

In the past, flow charts and other documentation produced during an ERP system implementation often had value after the project. For example, these deliverables can provide a basis for updating an organization’s financial compliance and audit documentation. However, this has proven to be less true with accelerated ERP implementations. System integrators typically bring generic flow charts and process documentation to an accelerated implementation, with limited expectations about tailoring it to a customer’s specific environment.

The impact of this issue is that deliverables produced by the project may inadequately document the end-state business processes and associated risks and controls. Buyers of ERP systems therefore should clearly identify expectations about the creation and customization of system integrator-provided documentation in their contracts. The internal controls team on the project may need to assume responsibility for understanding the impact to compliance documentation and providing resources to make the necessary updates.


Less-Structured System Testing

Typically, on a traditional project, both functional and technical requirements are formally documented. This makes it possible to map requirements one by one to test scripts to ensure all requirements are adequately tested. Under this approach, internal control requirements, compliance requirements, negative testing, and other exception conditions can be called out as specific testable elements in the system (e.g., “The system must provide a delegation of authority functionality for approval of purchase orders.”). The mapping of these requirements to test scripts can provide management with some degree of assurance that the necessary functionality has been built and tested.

However, Protiviti’s experience with accelerated, template-driven ERP implementations is that system integrators tend to employ a scenario-based testing approach rather than a requirements-based testing approach. Under the former, the project team defines and tests a number of business scenarios that are defined at a higher level (e.g., “Create a Purchase Order”). There is not an explicit mapping of business requirements to scenarios, and the completeness of testing is often left to the judgment of the consultants and business process owners.

The drawback of a scenario-based testing approach is the increased risk that system functionality and internal controls are not fully tested. Functional testing of internal controls requires simulation of exception conditions and unusual business events that may be overlooked by the system integrator due to the compressed timeline and informal approach to testing. During one recent SAP implementation review performed by Protiviti, we noted that more than 70 percent of the system-based internal controls requirements identified by the business were not explicitly tested through the scenario-based testing approach employed by the system integrator.

Mitigation of this risk involves tracking the ERP project team’s implementation and testing of internal controls. The role of the controls team as it relates to addressing this risk includes:

• Mapping internal controls to the associated ERP test scripts developed by the implementation team.

• Reviewing the execution of ERP test scripts to help validate the operating effectiveness of internal controls.

• Sampling executed test scripts to help ensure completeness and adequacy of control testing.

• Recommending improvements to test script content and format to help ensure internal controls are adequately tested.
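One way to make the first three bullets mechanical rather than a matter of consultant judgment, as an added example that is not Protiviti's or any system integrator's tool: every control id, script and step below is constructed sample data, and a control counts as fully tested only when some step also provokes the exception condition the paper says control testing needs.

```python
"""Traceability check for an ERP test plan: map each internal-control
requirement to the scenario-based test steps that exercise it, and flag
controls never exercised, or exercised only on the happy path. Added
example (not Protiviti's tool); all control ids, scripts and steps are constructed."""

# Constructed control requirements (control id -> description).
CONTROLS = {
    "P2P-01": "Purchase orders require approval per delegation of authority",
    "P2P-02": "Three-way match blocks invoices outside price/quantity tolerance",
    "P2P-03": "Duplicate vendor invoices are rejected at posting",
    "P2P-04": "Vendor bank-detail changes require a second approver",
}

# Constructed scenario-based scripts: each step lists the controls it
# exercises and whether it provokes an exception (a negative test).
SCRIPTS = {
    "Create a Purchase Order": [
        {"action": "Create PO for 100 units", "controls": ["P2P-01"], "negative": False},
        {"action": "Approver releases PO", "controls": ["P2P-01"], "negative": False},
    ],
    "Post Vendor Invoice": [
        {"action": "Post invoice matching PO and receipt", "controls": ["P2P-02"], "negative": False},
        {"action": "Post invoice 20% over PO price, expect block", "controls": ["P2P-02"], "negative": True},
    ],
    "Maintain Vendor": [
        {"action": "Change vendor bank account", "controls": [], "negative": False},
    ],
}

def coverage(controls, scripts):
    """Return {control id: {"positive": [refs], "negative": [refs]}}, each ref
    being 'script name/step number'. A step naming an unknown control is an error."""
    cov = {cid: {"positive": [], "negative": []} for cid in controls}
    for name, steps in scripts.items():
        for n, step in enumerate(steps, 1):
            for cid in step["controls"]:
                if cid not in cov:
                    raise ValueError(f"{name} step {n}: unknown control {cid}")
                kind = "negative" if step["negative"] else "positive"
                cov[cid][kind].append(f"{name}/{n}")
    return cov

def classify(controls, scripts):
    """Bucket controls as 'untested' (no step at all), 'positive_only' (the
    control's blocking behaviour is never provoked) or 'fully_tested'."""
    buckets = {"untested": [], "positive_only": [], "fully_tested": []}
    for cid, refs in coverage(controls, scripts).items():
        if not refs["positive"] and not refs["negative"]:
            buckets["untested"].append(cid)
        elif not refs["negative"]:
            buckets["positive_only"].append(cid)
        else:
            buckets["fully_tested"].append(cid)
    return buckets

def gap_percentage(controls, scripts):
    """Share of controls whose operation the test plan does not conclusively prove."""
    b = classify(controls, scripts)
    return 100.0 * (len(b["untested"]) + len(b["positive_only"])) / len(controls)

if __name__ == "__main__":
    for bucket, ids in classify(CONTROLS, SCRIPTS).items():
        print(f"{bucket:14s} {', '.join(ids) or '-'}")
    print(f"{gap_percentage(CONTROLS, SCRIPTS):.0f}% of controls lack a conclusive test")
```

The `coverage` output doubles as the controls-to-test-script map a controls team can hand to auditors, and the 'positive_only' bucket is where a scenario-based plan usually hides its gaps.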

User Security Roles With Excessive Access

Rapid, template-based implementations often tout “pre-built” security roles that will accelerate the creation of user access roles. However, these pre-built roles often are created with very broad access to accommodate the needs of a diverse customer base. In addition, they may not align with the specific roles and responsibilities the organization has defined internally. Despite the allure of pre-built user security roles, Protiviti has observed that most organizations undertaking template-driven implementations end up developing their own customized requirements for user access.


Unfortunately, the rapid pace of an accelerated implementation often puts the success of the security team in jeopardy. To meet the milestones of an accelerated timeline, the security team is faced with defining security requirements at a stage where business process teams are only just beginning to grasp the “to be” business process. This creates a significant risk that security roles won’t be tested fully prior to go-live. Also undermined is the ability to address segregation of duties and sensitive access risks in the roles prior to go-live.

The controls team should work closely with the security team to address this risk and understand the proposed approach and architecture for defining user security. To avoid false starts with user security, any plans to use pre-built security roles should be validated early in the project to confirm that they are suitable. It is critical to monitor the progress of application security design and development so that it does not become a bottleneck late in the project. It is also important to recognize early when user access security is becoming a risk, and to develop contingency plans as soon as it does.

Vendor-provided tools supporting the development of user access and provisioning (such as SAP GRC Access Controls and the Oracle GRC Suite) should be included in the scope of the implementation. These tools support the development of “clean” roles from a segregation of duties and sensitive access perspective, and play a crucial role in maintaining the integrity of the user access environment once the system goes live.
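An added example, not SAP GRC, Oracle GRC or Protiviti code, of the early validation this section calls for: a constructed set of broad "pre-built" template roles is checked against constructed segregation-of-duties rules and a sensitive-activity list, next to a tailored role set, and users' combined role assignments are checked the same way. All activity names, roles and rules are assumptions.

```python
"""Segregation-of-duties (SoD) and sensitive-access check for ERP security
roles, of the kind worth running before accepting a vendor's pre-built roles.
Added example, not SAP GRC, Oracle GRC or Protiviti code; the activities,
roles and conflict rules below are constructed sample data."""

# Constructed SoD rules: activity pairs one person must not hold together.
SOD_RULES = {
    frozenset({"create_vendor", "post_vendor_invoice"}): "fictitious vendor paid by own invoice",
    frozenset({"post_vendor_invoice", "run_payment"}): "pay an invoice one has posted",
    frozenset({"create_po", "approve_po"}): "self-approved purchase",
    frozenset({"maintain_vendor_bank", "run_payment"}): "redirect a payment",
}
# Constructed activities that are sensitive even when held alone.
SENSITIVE = {"run_payment", "maintain_vendor_bank", "change_match_tolerance"}

# Constructed "pre-built" template roles: broad, to suit many customers.
TEMPLATE_ROLES = {
    "TPL_PROCUREMENT": {"create_po", "approve_po", "create_vendor", "maintain_vendor_bank"},
    "TPL_AP_CLERK": {"post_vendor_invoice", "run_payment", "change_match_tolerance"},
}
# Constructed tailored roles aligned with the organization's own duties.
TAILORED_ROLES = {
    "BUYER": {"create_po"},
    "PO_APPROVER": {"approve_po"},
    "VENDOR_MASTER": {"create_vendor", "maintain_vendor_bank"},
    "AP_CLERK": {"post_vendor_invoice"},
    "TREASURY": {"run_payment"},
}


def conflicts(activities):
    """Every SoD rule whose two activities are both present, as (pair, reason)."""
    acts = set(activities)
    return [(pair, why) for pair, why in SOD_RULES.items() if pair <= acts]


def analyze_roles(roles):
    """Per-role findings: SoD conflicts inside the role plus sensitive activities."""
    return {name: {"sod": conflicts(acts), "sensitive": sorted(acts & SENSITIVE)}
            for name, acts in roles.items()}


def analyze_users(user_roles, roles):
    """Cross-role SoD conflicts on each user's combined access: roles that are
    clean individually can still conflict once several are assigned to one user."""
    findings = {}
    for user, assigned in user_roles.items():
        combined = set().union(*(roles[r] for r in assigned))
        findings[user] = conflicts(combined)
    return findings


if __name__ == "__main__":
    for label, roles in (("template", TEMPLATE_ROLES), ("tailored", TAILORED_ROLES)):
        for name, f in analyze_roles(roles).items():
            print(f"{label:8s} {name:16s} SoD conflicts: {len(f['sod'])}  "
                  f"sensitive: {', '.join(f['sensitive']) or '-'}")
    # Constructed user assignment: two clean roles combined reopen a conflict.
    for user, found in analyze_users({"alice": ["AP_CLERK", "TREASURY"]}, TAILORED_ROLES).items():
        print(user, [why for _, why in found])
```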

Increased Project Implementation Risks

Rapid implementations require a high degree of project management and project governance to be successful. For example, all areas of the business must be on board with the concept of limited customization and with proceeding in a highly choreographed manner through the various phases of the implementation.

One of the most significant and frequently identified risks to project success is lack of communication and slow decision-making among key stakeholders. In an accelerated implementation, the importance of communication and decision-making is accentuated even further. There should be a steering committee with senior executive representation from the business areas affected by the implementation. The steering committee should receive regular updates on the project and be consulted by the project team when key issues or decisions cannot be resolved within the project itself. In addition, steering committee members often play an important role in mentoring and supporting the business process owners involved in the day-to-day activities of the ERP implementation.

The steering committee must provide “tone from the top” with regard to the compressed timeline and low customization objectives of a rapid implementation project. Without this guidance, some areas of the project will be driving toward the desired “vanilla” solution, while others are pursuing time-consuming, complex reengineering objectives that cannot be achieved within the desired timeframe and budget. The compression of the project timeline in an accelerated implementation also increases the need to monitor dependencies between key streams of work such as process configuration, testing and training.


Finally, depending upon the nature of the contract, a system integrator’s motivations may not always align with those of the customer. If the system integrator is incented to achieve milestone dates, inevitably there will be pressure to cut corners in the methodology or deliverables of the implementation, resulting in increased risks.

This risk can be mitigated through engaging an independent third party in a project risk advisory capacity. By comparing the methodology, project status, and deliverables of a project to generally accepted leading practices, this advisory function can provide management with a unique and independent perspective on the risks and issues facing the implementation – a perspective that is not biased by the contractual interests of the system integrator. Various approaches, including review of project management documents, sampling of project deliverables and interviews with project team members, are used to objectively corroborate the project team’s perspective on the project status, risks and issues. Conducting these “health checks” at several milestones throughout the project allows for some continuity in tracking the development and resolution of project risks and provides a forum for open dialogue with management about project risks.

Conclusion

Accelerated ERP system implementations are emerging as an attractive option for companies seeking to reduce the time and cost of these inherently large and risky undertakings. However, to achieve benefits and reduce the risk of project delays and rework post-implementation, it is important to take a proactive approach to understanding and addressing the internal controls, compliance and project risk issues that an accelerated ERP project may present.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE 1000® and FORTUNE Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

About Protiviti’s ERP Implementation Risk Management Practice

Protiviti’s ERP Implementation Risk Management professionals help organizations reduce the risk and cost of ERP implementations and achieve the return on investment intended from the initiative. Our consultants help organizations to identify, measure and manage the risks they face in executing major ERP system implementations. With our understanding of best practices for ERP implementations and experience with how system integrators accomplish these initiatives, we are uniquely suited to incorporating the needs of the internal and external audit groups into these projects.

For additional information about the issues reviewed here or Protiviti’s services, please contact Protiviti (www.protiviti.com).

“Internal audit, with support from Protiviti, played an instrumental consultative role in our accelerated SAP implementation. The project moved extraordinarily quickly, and the internal controls support they provided helped ensure a better outcome.”

— Internal audit director, U.S.-based manufacturing company



©2014 Protiviti Inc. An Equal Opportunity Employer. PRO-PKIC-0114-137. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.