When undertaking a large investment such as an enterprise resource planning (ERP) implementation, there is little margin for error. It is critical for the project to be completed on time and be as effective as possible. An organization cannot afford to miss important aspects of an implementation, such as efficient and effective control design, and hope to “build it in at the end of the project.” Such mistakes will delay the project and substantively increase the cost of the implementation.
Regardless of economic or market conditions, most companies continue to undertake some type of ERP implementation, including enhancement and upgrades. Many tackle full ERP implementations in order to keep pace with the rapid development of technology and anticipated business changes. Clearly, times have changed with regard to project/implementation risk management and internal controls. Previously, risk and control considerations in enterprise system projects often were an afterthought or overlooked altogether. Section 404 of Sarbanes-Oxley and changes in financial reporting standards, including International Financial Reporting Standards, are bringing risk management and internal control considerations to the forefront of any major ERP system change program.
Challenges and Opportunities
ERP project leaders, including major system integration firms, are still adapting to a business environment in which key business risks and effective control configuration of a new system should be integral to the design and implementation. Control design, testing and control framework documentation are important work streams within the project. ERP project leaders usually struggle to understand the impact of risk management and internal controls on their work, as well as implications for estimating, planning and delivering major systems that will comply with financial reporting and internal controls standards. As a result, ERP project leaders may fail to recognize or may underestimate the effort and skills associated with the risk management and internal control design aspects of the project. These knowledge gaps may lead to project delays or an implementation that fails to embed controls properly into the new system. The result can be a system that does not comply with the requirements of Section 404, or one that does comply but in a very inefficient and ineffective manner.
There are several reasons why companies may overlook risk management and internal controls in ERP projects:
- ERP project teams typically are built around deep technology and software expertise. They may lack perspective on risk management or controls, or how the functions and features of the software can be tailored to meet control objectives.
- Practitioners of internal audit and risk management are not proactively involved in ERP project activities.
- Risk management and internal controls affect all aspects of an implementation, including business process, technology and user education, and require control specialists with ERP skills.
- ERP project leaders tend to underestimate or not include risk management, internal control or compliance requirements in requests for proposals for project implementation.
Our Point of View
By effectively addressing these topics up front, it is possible to engineer a “culture of compliance” into the project so that risk management, internal controls and compliance are understood and expected throughout the project lifetime, rather than viewed as a hindrance when the project is operating at full speed.
Continuous focus is required throughout the project lifecycle to manage the risks of project success and embed the necessary activities to ensure effective internal control over financial reporting.
How We Help Companies Succeed
We help companies identify, measure and manage ERP implementation and compliance risks, complement internal audit and project teams, and help leverage ERP investments by:
- Conducting effective front-end risk assessment
- Designing effective systems controls
- Maximizing configurable controls
- Implementing sustainable compliance processes
- Enhancing risk management capabilities
- Optimizing control environment (automated versus manual controls)
- Evaluating and designing effective segregation of duty frameworks and mitigating controls
- Implementing integrated GRC applications
- Delivering ERP audits, and reducing testing time and costs
We help companies select, implement and manage ERP solutions and, by focusing on compliance and managing implementation risk, help ensure that all deployed business processes meet control objectives. This reduces the total cost of ongoing internal controls and compliance activities.
A global manufacturing and retail company implementing an ERP solution was looking to implement controls within its implementation. Protiviti’s ERP control specialists teamed up with implementation project management, internal audit, compliance leaders and the system integrator to identify and mitigate compliance risks. Specifically, we:
- Implemented more than 150 standard configurable controls.
- Standardized financial close reports and desktop procedures for 19 business units.
- Defined segregation of duties and sensitive access requirements.
- Performed regular testing of security and control implementation.
- Updated the control framework prior to go-live.
- Included internal control testing steps in integrated scripts.
- Facilitated compliance discussions with external auditors, who significantly leveraged our control documentation and relied on our deliverables to perform their required pre-implementation testing.
We helped deliver a compliant and well-controlled ERP system for our client that was implemented more effectively with our risk-managed approach. The company immediately realized the benefits of greater emphasis on preventative and system-based automated controls. Our client has been able to reduce its associated controls as well as its compliance and operational costs.