Corporate governance
Risks and control challenges in ERP implementation - collaborative efforts are the sure way to achieve success and compliance
Rapid advances in technology and business innovations have obliged many organisations in China to implement new ERP (enterprise resource planning) systems or upgrade their existing ones. A number of them have also discovered that putting such systems in place requires them to make wide-ranging changes to their technology, business processes and organisational structures, all within a very tight time frame. Unless they are handled carefully, these changes can be massive undertakings that are fraught with risks.
Our practice group's experience has shown that the biggest challenge in most ERP implementation projects is not technology; it is the effective management of risk, people and change. Listed companies - especially those listed in the US, where compliance with Sarbanes-Oxley (SOX) has been required for a number of years - also need to take risk, internal control and embedded compliance issues into account in their projects.
What causes the risks?
The managements of many organisations tend to base their implementation of ERP systems on timelines and budgetary considerations. They do not address business, risk-management and compliance expectation issues at the outset. As a result, their plans fail to deal with these aspects adequately. This may create "scope creep" (uncontrolled changes), extra work and potential delays in the project's implementation.
ERP implementation often requires process owners to undertake concurrent BPR (Business Process Reengineering), and this plays a key role in the decisions they make about how to achieve business objectives and improve the business process flows that are inherently associated with risks and internal controls. However, they sometimes lack the skills needed to ensure process and control integrity in a way that minimises risk. It is therefore essential for them to collaborate with consultants and internal control experts to ensure that the implementation is carried out in a cost-effective manner.
The technologists and ERP consultants who provide knowledge about specific technical and business functional areas sometimes lack an overall perspective of business and compliance requirements. They may understand the built-in, added-on or configurable controls that come with ERP packages pretty clearly - you either turn them on or you turn them off - yet they often fail to tailor the package to meet their clients' business and other objectives.
The internal audit departments of some companies use their independence as an excuse to avoid becoming involved in ERP implementation. Also, their practitioners often come from traditional accounting or audit backgrounds, and they are unfamiliar with ERP implementation, which encompasses both business processes and technology. However, most organisations are not interested in hearing about "what should have been done" after all the big decisions have been made. So, the timely and effective participation of the internal audit function is a key element in the success of an ERP implementation project.
What are the risks?
To optimise the success and compliance of a new ERP system, the following primary risks need to be identified and minimised:
- lack of alignment between the ERP system and an organisation's business processes, structures and objectives;
- loss of control over the project and potential delays in its implementation;
- process, control and data-integrity issues;
- post-going-live rework and cost issues;
- lack of in-house skills and knowledge; and
- compliance issues.
Who is ultimately responsible?
An organisation needs a collaborative culture to integrate and implement an ERP project successfully throughout the entire enterprise. This should be based on cross-functional teams who work closely together, as well as strong support and encouragement from the board and management. Also, business, organisational and compliance requirements must be clearly addressed during the first phase of the project's initiation.
The internal audit function should be involved in various stages of the project. It must take responsibility for facilitating risk-management decisions during the ERP's implementation. The organisation needs the internal audit function's expertise to help it establish and promote the development of internal controls across various business functions and processes.
The project team should also serve as an intermediary between the owners of business processes, the audit committee, third-party implementation partners and external auditors.
What controls are relevant in each phase of implementation?
Project risk assessments should be conducted and the compliance culture should be promoted by educating the project team about internal control concepts during the initial preparation phase. Once a project plan is in place, milestones and control check points should be set for its implementation.
The design phase of the business blueprint is often carried out in conjunction with BPR. Risks are often introduced during this phase because traditional controls are eliminated without being replaced with effective new ones. The reengineered process flow and security design should therefore be mapped in a way that satisfies internal control objectives during this stage. The ERP system's control-related features and functions should be discussed and evaluated in order to reach a set-up decision. In cases where the automation of internal controls is not practical, manual controls or SOD (Segregation of Duties) should be redesigned to replace or complement them. It is very useful to involve the internal audit function, or those with expertise in control functions, to review the blueprints at this stage, before they are signed off by management. After all, they are the security and audit experts who are responsible for facilitating risk management decisions within an organisation.
Various rounds of testing should be carried out as the project progresses towards the realisation stage and when the final preparations are being made before the system goes live. While other project teams test technology, system functionality and data integrity (including data conversion), the internal audit function must focus on the area of significant control points. It should review the test plans and test results to ensure that all the control features in the ERP system have been tested effectively and are ready to go into operation, and it should perform further tests if necessary.
The next stage of the journey begins when the system goes live. It is advisable to conduct a post-implementation review after the new system and processes have been in operation for a reasonable period of time (usually a number of months or process cycles). From a compliance perspective, this aims to review the operational effectiveness of its key controls (both manual and automated) to ensure process and control integrity. Finally, the organisation's policies and procedures and compliance documentation need to be updated in order to stay in line with the new processes and controls.
Ron Ho
Business Risk Services
ron.ho@gthk.com.hk