Jeffrey T. Hare, CISA, CPA, CIA
Organizations implementing new enterprise resource planning (ERP) systems make a major investment in their enterprise. Much of the impetus for such an investment comes from a desire to streamline their business processes and adopt best practices in the use of applications. Unfortunately, the trail is littered with case studies of failed or less-than-perfect implementations. Choosing the right ERP system that will best meet an organization’s business requirements is obviously the first and most important decision toward accomplishing a successful implementation. The second most important decision is the choice of the systems integrator to shepherd the implementation process.
During the implementation of an ERP system, an organization has several significant challenges to overcome, including the reconfiguration of existing controls and the adoption of new internal controls. This article focuses on the types of risk advisory services that are common during an ERP implementation. In doing so, the importance of integrating a robust risk management methodology is recognized as one of the keys to success for all ERP system implementations. Also discussed are approaches to risk management, including the use of a risk advisory firm.
It is important to first define what is meant by risk advisory services in the context of an ERP implementation. In a typical implementation cycle, the project management office (PMO) is engaged in a variety of risk assessment processes. The PMO may use a variety of approaches and frameworks to help mitigate risks within the project. Some of the more common risk management standards are ISO 31000:2009 from the International Organization for Standardization and the Committee of Sponsoring Organizations of the Treadway Commission’s Enterprise Risk Management—Integrated Framework (COSO ERM).
Perhaps the most obvious risk that the PMO assesses is whether a project is ready to go live. In a most simplistic view, risk advisory services assess various types of risks throughout the life of a project and help management determine whether and how to mitigate such risks. The outcome of a risk assessment process is often the development of policies and procedures to help mitigate the risk(s) or the automation of controls to eliminate the risk. Management can also decide to do nothing and assume the risk after considering the organization’s risk capacity and risk appetite.
There are three different risk scenarios related to fraud risk that may be addressed during an ERP implementation (see figure 1).
First, consider the risk of fraud in the payables department when a payables clerk has the ability both to enter a new supplier and to enter an invoice against that supplier. In response, management may develop two policies to help mitigate the risk. The first policy requires new suppliers to be approved by someone outside of the payables department. The second policy requires supplier data entry to be audited by someone apart from the data entry process to ensure that only approved suppliers are entered. Once these policies are developed, procedures would need to be defined to carry them out, such as a supplier maintenance procedure to address the first policy and a supplier maintenance audit procedure to address the second policy.
Next, consider the use of an automated control to prevent or detect fraudulent purchases. The risk is that a purchasing agent can enter or approve a receipt for an item or service that the agent procured. In response, management should establish a policy that all purchase orders (POs) must be independently verified and that a receipt must be entered against the PO by someone other than the buyer. This is commonly referred to as a “three-way match”: the PO must be matched with a receipt, which must be matched to an invoice before the invoice is paid. Some ERP systems allow this control to be automated by configuring the ERP application. Once the configuration is set, the system does not allow an invoice to be paid without a receipt being entered against the PO. In other words, the control is automated.
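The two payables controls described above (the segregation-of-duties concern with a clerk who can both create a supplier and invoice it, and the three-way match) can be expressed as detective checks that an auditor runs over extracted transaction data. The following is an added example and not code from the article or from any ERP product; the record layouts, user IDs and sample transactions are constructed for illustration.

```python
"""Detective checks for two payables controls over constructed sample data:
a segregation-of-duties test (same user created the supplier and entered an
invoice for it) and a three-way match (invoice is payable only against a PO
with an independently entered receipt). Added example; the record shapes
and user IDs below are assumptions, not an ERP vendor's data model."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Supplier:
    supplier_id: str
    created_by: str           # user who entered the supplier master record


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    supplier_id: str
    amount: float
    buyer: str                # purchasing agent who raised the PO


@dataclass(frozen=True)
class Receipt:
    receipt_id: str
    po_id: str
    amount: float
    received_by: str          # user who entered the receipt against the PO


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    supplier_id: str
    po_id: Optional[str]      # None when the invoice references no PO
    amount: float
    entered_by: str


def sod_violations(suppliers: List[Supplier], invoices: List[Invoice]) -> List[str]:
    """Invoice IDs whose entering user also created the supplier being paid."""
    creator = {s.supplier_id: s.created_by for s in suppliers}
    return [inv.invoice_id for inv in invoices
            if creator.get(inv.supplier_id) == inv.entered_by]


def three_way_match(inv: Invoice, pos: Dict[str, PurchaseOrder],
                    receipts: List[Receipt]) -> Tuple[bool, str]:
    """Return (ok, reason). ok only when PO, receipt and invoice agree and
    the receipt was entered by someone other than the PO's buyer."""
    if inv.po_id is None or inv.po_id not in pos:
        return False, "no purchase order"
    po = pos[inv.po_id]
    if po.supplier_id != inv.supplier_id:
        return False, "PO supplier differs from invoice supplier"
    po_receipts = [r for r in receipts if r.po_id == po.po_id]
    if not po_receipts:
        return False, "no receipt entered against PO"
    if any(r.received_by == po.buyer for r in po_receipts):
        return False, "receipt entered by the buyer"
    received = sum(r.amount for r in po_receipts)
    if inv.amount > received + 1e-9:          # small tolerance for float rounding
        return False, f"invoice {inv.amount:.2f} exceeds received {received:.2f}"
    if inv.amount > po.amount + 1e-9:
        return False, f"invoice {inv.amount:.2f} exceeds PO {po.amount:.2f}"
    return True, "matched"


def hold_report(suppliers: List[Supplier], pos: Dict[str, PurchaseOrder],
                receipts: List[Receipt], invoices: List[Invoice]) -> Dict[str, List[str]]:
    """Map each invoice ID to the reasons it should be held; an empty list
    means the invoice passed both checks and may be released for payment."""
    flagged = set(sod_violations(suppliers, invoices))
    report: Dict[str, List[str]] = {}
    for inv in invoices:
        reasons = []
        if inv.invoice_id in flagged:
            reasons.append("entered by supplier's creator")
        ok, reason = three_way_match(inv, pos, receipts)
        if not ok:
            reasons.append(reason)
        report[inv.invoice_id] = reasons
    return report


# Constructed sample data (not real transactions).
SUPPLIERS = [Supplier("S1", "alice"), Supplier("S2", "bob")]
POS = {
    "PO1": PurchaseOrder("PO1", "S1", 1000.0, "carol"),
    "PO2": PurchaseOrder("PO2", "S2", 500.0, "carol"),
    "PO3": PurchaseOrder("PO3", "S1", 200.0, "dave"),
}
RECEIPTS = [
    Receipt("R1", "PO1", 1000.0, "erin"),    # independent of buyer carol
    Receipt("R2", "PO2", 500.0, "carol"),    # entered by the buyer herself
]
INVOICES = [
    Invoice("I1", "S1", "PO1", 1000.0, "bob"),     # clean
    Invoice("I2", "S2", "PO2", 500.0, "bob"),      # bob created S2; receipt by buyer
    Invoice("I3", "S1", "PO3", 200.0, "frank"),    # PO exists but nothing received
    Invoice("I4", "S1", None, 50.0, "frank"),      # no PO at all
    Invoice("I5", "S2", "PO1", 100.0, "frank"),    # PO belongs to a different supplier
]

if __name__ == "__main__":
    for inv_id, reasons in hold_report(SUPPLIERS, POS, RECEIPTS, INVOICES).items():
        print(inv_id, "release" if not reasons else "HOLD: " + "; ".join(reasons))
```

The SoD test is the detective counterpart of the two policies (independent supplier approval and a supplier maintenance audit); the three-way match function mirrors what the configurable ERP control enforces, and running it over an extract is one way to confirm that the automated control actually held during the period under review.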
A configurable control is automated via the setting of a particular configuration. One risk associated with configurable controls is that the automation of this control is dependent on the underlying configuration. Therefore, to maintain the integrity of the automated control, one must ensure that the configuration is not changed. A common response to the risk of the change in this configuration is to place it under change control, i.e., it must go through the change management process for the change to be made. In some ERP systems, the configurations can be changed manually, and in some systems, the configuration can be put under change control whereby it cannot be changed manually through the user interface.
The third example continues the thread related to configurable controls, and considers a case in which management may decide to accept a risk (likelihood × consequence). In some systems, configurable controls can be changed through the application’s user interface. Therefore, there is a risk that the configuration can be changed without going through the change management process. Because the cost of automating the control (i.e., preventing a change from being made through the user interface) exceeds the perceived risk, management may decide to accept the risk (i.e., not do anything about it). In this case, management would trust those employees who have access to the user interface that can change the configuration to follow the change management process.
Over the past few years, people have associated risk advisory services with US Sarbanes-Oxley Act compliance. Sarbanes-Oxley compliance has been a significant effort for many organizations; however, risk management goes well beyond compliance with Sarbanes-Oxley. There are significant risks beyond Sarbanes-Oxley compliance that need to be evaluated. Some examples are:
It is also necessary to recognize that compliance requirements are not the same for every organization. Some organizations may be private, and some may be heavily reliant on manual controls. Therefore, the scope of each engagement has to be tailored to each organization.
Having given an overview of the problem, this article now turns to the solution. How can one effectively identify and manage risks in the context of an ERP implementation? The following are three suggested approaches and their positives and negatives.
Not all system integrators (SIs) are the same. Some SIs have qualified risk advisory staff and appropriate methodology, and some do not. If an organization is relying on its SI to provide risk advisory services as well as traditional SI services, the organization must make sure that it gets qualified references and resumes for both areas of expertise.
Pros of option 1 include:
Although this is a common approach, it too has its pros and cons. One of the most significant challenges audit firms face is evaluating risks below the materiality level.
Independent risk advisory firms can offer focused expertise and financial advantages.
Regardless of the chosen option, what types of services are typically needed, apart from those already provided by the organization’s SI? Following is a summary of some of the more common risk advisory services.
Comprehensive Risk Assessment
The cornerstone of the engagement should be a comprehensive risk assessment. A well-defined risk assessment helps management identify strategic and tactical risks associated with the project and should identify those that require controls to be revised or additional controls to be put in place.
Risks during an ERP implementation can be generic in nature or specific to an ERP system. Following are examples of generic risks that need to be considered:
Targeted Risk Assessment Services
Management and/or the PMO may want to focus on specific risks, rather than perform an overall risk assessment process. In those cases, following are some of the more common services that can be provided:
When implementing a new ERP system, an organization makes a substantial investment in its enterprise applications with an expectation that it will implement a system that meets both its operational objectives and its control objectives. An independent risk advisory firm can assist by performing traditional risk advisory services as well as providing a QA role for the implementation.
Jeffrey T. Hare, CISA, CPA, CIA is the chief executive officer and founder of ERP Risk Advisors. ERP Risk Advisors provides risk advisory services and training for companies that run Oracle Applications. Hare is a respected authority on the subject and is the author of the book Oracle E-Business Suite Controls: Application Security Best Practices. He can be contacted at jhare@erpra.net.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2011 ISACA. All rights reserved.