It is common for internal audit (IA) functions to play a role in the implementation of enterprise application systems (e.g., enterprise resource planning systems, or ERPs), although historically that participation has generally been limited to reviews of the work immediately before and after the go-live. That said, forward-thinking IA directors and company executives are beginning to recognize that involving IA throughout large and capital-intensive system implementations can add significant value to the software development lifecycle process. In particular, IA departments provide a layer of oversight that is adept at identifying missteps that could delay the project, increase the cost and/or prevent the system from operating as envisioned.
A large U.S. utility company came to that exact conclusion a couple of years ago when it hired Protiviti to prepare for the implementation of a new customer information system (CIS). The CIS upgrade stemmed from a holding company’s acquisition of an independent utility organization, which resulted in multiple utility entities operating separate CIS applications. The parent firm chose to introduce the Oracle Utilities Customer Care and Billing (CC&B) solution at both utilities to generate more efficiency, reduce administrative expenses and improve interaction with customers.
Upon learning of the plans to implement CC&B, the internal audit director at the utility realized that the large-scale investment (in excess of one hundred million USD) would merit a high degree of IA involvement. The department had previously asked Protiviti to conduct a pre-implementation risk review, a common practice in advance of large projects. In the meantime, the company had hired a system implementer (SI) to handle the project, but the IA director, who was impressed by the detailed findings and recommendations in the pre-implementation work, recommended that an experienced third party be involved throughout the 18-month implementation process. The goal: To help the organization identify potential unforeseen risks, create opportunities to address risks on time (preempting time and cost overruns that typically plague such projects) and enhance overall quality and customer experience.
In addition to highlighting specific implementation tasks and tests that the utility should focus on, Protiviti pointed out that the SI’s expertise largely centered on the technical aspects of an implementation but not necessarily on assessing risk generally. The utility still carried a lot of the responsibility to test critical CIS activities and work streams throughout the implementation to ensure they fell within legal and regulatory guidelines.
Being part of a regulated industry, the utility’s IA department certainly understood the hazards. Utility regulators require meticulous documentation and due diligence in projects where the potential exists to affect customer rates. If the utility needed to raise rates in the future to pay for its investment, for example, it would not only need to prove to regulators that it had successfully implemented the CIS program after fully analyzing the investment and its risks, but it would also have to show that the upgrade’s risks were minimized and mitigated and the project served to improve the customer experience.
Armed with that strong insight, the utility’s IA director decided to bring in a four-member Protiviti team with enterprise application systems implementation experience to work with the IA department and put additional eyes on the CIS installation. The group mapped out a plan to scrutinize the implementation’s progress at key lifecycle stages, ranging from:
As the project entered its final phase, the IA department’s foresight to participate in the implementation was already demonstrating benefits. The IA function provided various departments involved in the implementation with progress reports, constructive feedback and calls to action. In turn, the departments were grateful that they were given a chance to rectify potential problems identified by IA in a timely manner. What’s more, the IA department was credited for generating real value in the project by confirming that certain critical requirements of the implementation contract were being fulfilled.
Considering how often IA involvement in large-scale projects is seen as a nuisance or even a barrier to their progress, the appreciation for the utility’s IA department’s foresight and close involvement in the CIS implementation as a risk overseer stands out among typical implementation projects. Certainly, the decision by an IA director to involve experienced risk consultants during an implementation, as opposed to the typical before-and-after engagement, signals considerable prudence and responsibility toward the ultimate payer for the project, the utility’s customers. For their part, IA functions that take an active role in complex and costly technology implementations early on not only have an opportunity to ensure better outcomes, but also strongly demonstrate their ability to deliver greater value to their organizations — a win for all involved.