IT Audit Basics
Auditing Governance in ERP Projects
By S. Anantha Sayana, CISA, CIA
Volume 2, 2004
Over the last two years, this column has covered various elements of information systems audit relating to security and controls.
The role of information systems in business has grown from being a support function to something much more: information technology has the potential to redefine how an enterprise does business and alter its competitive advantage. Information systems that are inefficient, inadequate or inappropriate can also severely hamper the fortunes of the business.
In recent years, most businesses have made large investments in IT, and the major area of such investment has been ERP or similar packages that are integrated, span many functions and geographic locations of the enterprise, and affect every activity of the business. Many enterprises have also embarked on projects to implement the next level of specific systems that sit on the foundation of the ERP. In such a scenario, the business's dependence on IT has increased to such an extent that it is no longer enough to address and mitigate only the security and control risks pertaining to IT (confidentiality, integrity and availability). The business needs much more from IT, namely in the areas of business-IT alignment, benefit realization, and value and service delivery; therefore, the scope of IS audit needs to be broadened to cover these aspects as well.
Characteristics of ERP Projects
An ERP is an integrated software application that covers literally all functions of an enterprise, including sales and marketing, distribution and logistics, procurement, manufacturing, finance and accounts, personnel, and management reporting.
The key characteristics that make ERP projects different and challenging are:
- The significant impact that the ERP project has on almost all the business processes and the people in the organization spanning across functions and geographic locations
- The long implementation period, i.e., anything from six months to two years
- The large investments of time, effort and cost made in the project
Although the focus here is on ERP projects, the points mentioned in this article are applicable to nearly any other project that has similar characteristics, such as impact on many functions and all parts of an organization.
An ERP implementation project is a major event in the life of an organization. An ERP project is expected to change a lot of processes/activities in the organization and is often initiated with much fanfare and many expectations about the benefits and the transformation that the project would bring to the organization.
IT Governance
Elevating IT from a pure managing level to the governance level has been the natural fallout of the recognition of the pervasive influence of IT on all aspects of business. With significant increases in investments in IT by the business, it has become very important and necessary to ensure that tangible benefits for the business are derived from these investments. Accordingly, IT governance is concerned with objectives that focus on such areas as:
- Alignment of IT with business
- Value and benefits of IT to the business
- Management of the risks associated with IT
- Performance measures for IT services to the business
IT governance of an ERP project should not be confused with ERP project management. The mere presence of a high-level steering committee is not governance. It is often felt that a high-powered steering committee with representation from the CEO and other heads of functions can ensure IT governance. However, unless there is a clear requirement and understanding, backed by a focused effort, IT governance of ERP projects will not happen.
Project management is essentially concerned with ensuring that the implementation is done within the planned time frames and within budget without sacrificing any of the key requirements, including quality, training and ensuring the defined coverage in terms of functionality and locations. Bodies such as project management and steering committees only ensure that suitable interactions take place when there are problems or issues, interdepartmental conflicts are resolved, and special approvals or sanctions are required.
There is no doubt or question whatsoever that ERP implementations need good project management, ensuring adherence to time and cost budgets, but IT governance addresses a totally different set of issues.
The Need for Governance in ERP Projects
It has been observed that ERP projects completed within budget and well within the estimated time frames have left companies wondering about the benefits realized and the transformation that was promised. Many ERP implementations have had only a marginal impact on the business, and at times there have even been negative fallouts.
It is also notable that IT governance of ERP implementations is not a substitute for good project management. IT governance is complementary and should sit on top of project management to ensure that the benefit realization happens in tangible, measurable and qualitative ways, the alignment with the business objectives remains, the service to the users is enhanced and the risks are mitigated.
Auditing Governance in ERP Projects
It is very important for an IS auditor to carry out an audit of the governance aspects of an ERP project, for it is often a neglected area. The audit of governance should be done ideally at different stages throughout the life of the project, beginning with the initiation stage.
For a typical ERP project, the audit of governance aspects may be covered at four stages:
- Initiation
- Midterm, i.e., midway through the implementation when most of the new business processes have been defined and configured in the system
- Project completion, a month or two after "go live" and project completion
- Post-stabilization, i.e., about a year after project completion
The best time to do an audit of the governance of an ERP project is at the initiation stage. It is at this stage that the scope of the project and the corresponding benefits and expectations are defined.
The focus of the governance audit during the initiation phase should be on:
- Clear definition of gains and benefits expected from the implementation—Unfortunately, the expectations held of the ERP project by persons at various levels and functions of the organization are vastly different and at times can be grossly at variance with the real and correct picture. Therefore, it is necessary that the expectations be clearly defined during the initiation stage of the project. This should go beyond the usual project vision and charter statements, which use grand words to convey more intent than tangible benefits that can be quantified and measured. The expected benefits should be categorized with respect to the various functions. At least some of the benefits should be quantifiable and measurable; those that relate to improvements in processes should be converted to measures of increased efficiency, such as cycle time and number of events, and the other nonquantifiable benefits and advantages should be listed together with the favorable impact they will produce on the business's achievement of its objectives.
- Scope definition—The definition of the scope of the project should ensure that the real needs of the business (in the functions and locations that are critical to the enterprise's success and where there are major pains for the organization) are included. The audit should also check the extent of the participation of users in the scoping. Often scope definitions are guided by the limitations of the existing feature set of the chosen package and ease of implementation to ensure early success. This may result in key areas of the business being left out or marginally covered by the ERP, resulting in minimal benefits in the critical areas. This area of audit aims to check the alignment of the ERP project with the business.
- Current levels of the metrics that are expected to be improved—The auditor should also check whether various metrics on which improvements and benefits are expected to flow after the ERP implementation are recorded accurately at their current levels, together with the conditions and assumptions. Typical areas would be inventory, working capital, cycle times for various processes and other productivity measures. This will provide a proper basis for checking the improvements after the implementation.
- The organization structure for ensuring governance—At this stage, the auditor should check whether the responsibility for ensuring governance is entrusted to a capable senior person or a committee. Ideally, it should be a senior management committee that is fairly distant from the IT and project management organization.
Once the audit is completed at the initiation stage, the next audit of governance should be done at the interim stage midway through the implementation, to ensure that the project is progressing without dilution in scope and the critical business needs are covered to realize the achievement of key result areas for these functions. At this stage of the audit, it is very important for the auditor to get feedback from the managers and users of the various functions as to how they see the ERP assisting them in performance of the business processes in their areas and in efficiency improvements.
The next audit of governance in an ERP project should be done post-implementation and should cover the areas described in the two previous paragraphs. This is the time to assess whether the ERP covered all the key processes and locations as per the scope, and to assess the impact of changes to business processes with a view to seeing whether efficiencies have improved. It may be too early to actually compute the benefits and improvements at this stage.
In addition, during this phase of the project, the audit should focus on the IT service delivery. The ERP users need to be suitably assisted in using the system and the system should deliver the promised levels of uptime and response to user problems. This audit would also cover the method of computing the service level agreement (SLA) metrics and their adherence.
The post-stabilization audit should focus on two key areas of governance: the alignment with the business and the benefits realization. The documentation of the expectations and objectives at the initiation stage together with the metrics should be used as reference points during this audit. The auditor should also determine if there have been any changes to the business scenario during the period to impact the ERP and whether or not suitable changes have been made.
The methodology for this audit may involve using certain instruments and surveys at user and manager levels, suitably corroborated by evidence from the system regarding actual usage. This audit can be a useful tool for making adjustments to configurations, fine-tuning the changed business processes, implementing complementary software solutions to meet specific needs, and integrating the ERP with a few simple home-grown solutions that are too important and user-intensive to dispense with.
It is not necessary for audits of governance of ERP projects to be carried out as special assignments. All these audits can be combined with the traditional IS audit that would be conducted during these periods. The only difference is that, instead of covering only security, controls and other aspects, the audit would also include, under a separate section, the points described in the previous paragraphs.
IT is too important and too expensive to the business to think that only its security and control risks need to be managed and audited. The audit of the governance aspects of ERP implementations is necessary to ensure that IT helps the enterprise in the achievement of its business goals.