Auditing and Project Management Co-Exist in an ERP Environment?
Author - Joseph
- September 2, 2003
It is hard to recall the last time an ERP implementation team included an auditor as an active member. Could it be because of availability? No defined role? Never been asked? No perceived benefits? This article explores key points in a project's lifecycle where the audit function should be involved and the deliverables to be expected. Whether internal or external, an auditor, preferably experienced in IT matters, can provide benefits while the software is being implemented and, afterwards, when the software is being used.
For whatever reason, having an auditor as part of the ERP project implementation team is a rarity. In fact, involving an auditor in the selection of ERP software is fairly rare as well. These same folks are going to have to toil in the ERP software fields after the systems go live. Would it not make sense to involve auditors up front and, for sure, when the software is being implemented? Of course, it does and I will make a case as to why this proactive approach can save time and money in the long run.
First, for argument sake, let's define the basic ERP implementation project lifecycle as containing the following phases:
Project Planning and Organization
Business Process Pilot
The following paragraphs will identify how an auditor can be effectively utilized in the various phases and the expected results.
Project Planning and Organization
In the Project Planning and Organization (PPO) phase, the overall workplan and time schedule are defined and training for the project team is completed. As you would do with any business process owner/leader, assurance must be obtained as to the availability of resources to include the audit function. More importantly, in this phase it would be appropriate to specify the audit role or, better yet, have the auditor articulate his or her role.
Business process owners need to understand what the auditor will be examining in terms of input/output and processing controls. This will become more obvious when developing customized business conditions. Training for the auditor must be scheduled and should be held together with the team. While a detailed understanding of the each process may not be required, an overview of the entire ERP function must be gained and understood by the auditor, particularly the process-to-process flows and exchange of data.
If the above observation, namely that an auditor's involvement is, indeed, rare, inclusion of the audit function in the planning phase should become as commonplace as other business process owners. Furthermore, business process owners will be relieved to know that the burden of accountability and control is being shared with the subject expert.
Business Process Pilot
The Business Process Pilot (BPP) phase is where testing is performed solely within the confines of the process. In this phase you take a selfish approach to testing and verify that the process works within its own boundaries. At this point, you are not concerned what happens up or downstream.
Before this testing can be done, however, business conditions must be developed and/or tailored to your company's environment. In this regard, the auditor should review the conditions and suggest additional conditions to substantiate the financial integrity of the software. In the ordering process, a business process owner is concerned that, for each order, an invoice is produced. The audit implication is that the dollar value of order, typically already communicated to the customer, is reconcilable to the value of the invoice.
Whereas the business process owner is worried that the correct products are picked for an order, the auditor is concerned that appropriate costs are relieved from inventory. The former keeps the customer happy but the latter condition keeps the company profitable and the project team gainfully employed. Auditors are attuned to look for these types of checks and balance and are, in fact, the experts. Someone should do it. Why not let the experts do what they are trained to do? Why not let the auditor review the business conditions to ensure that the accountability aspects as well as the operational functions of the software are being verified?
In the Solution Integration (SP) phase, data conversion, enhancements, and reports are designed, developed, and tested. While a case can be made for an auditor's involvement in all three of these areas, let's focus on data conversion and enhancements. When converting data, assurances must be obtained that data has been converted accurately and in total. This can be done electronically via hash totals on significant fields such as customer number and product ID and control totals on financial fields such as accounts receivable balance and on-hand inventory. It is easier to incorporate a control while a conversion routine is being designed and written than to "tick and tack" manually later, which, by the way, would have to be done for each conversion run.
There may be control enhancements that could be made to automate balancing and reconciliation processes, which otherwise would have to be performed manually. Over the lifetime of the use of the software, these types of enhancements could realize recurring savings in terms of personnel time as well as ensuring continuous and consistent application of control procedures.
Integrated Pilot (IP) is the phase whereby all processes are brought together and are tested in an integrated fashion to ensure processes electronically communicate with each other and that there is no loss of data integrity. This may provide the mother load of having the auditor involved. An argument could be made that, when the pilot is controlled by the project manager, objectivity may be lost. Let's face it; the project manager may be too close or too knowledgeable of the subject matter to look for gaps or missing functionality. It is kind of like when you re-write a memorandum so many times that you proofread through your mistakes.
Why not let an independent agent of the company orchestrate and lead the IP phase? This would include responsibility for:
Overseeing the development of testing scenarios
Conducting and supervising the actual test
Monitoring the results and progress
Reconciling financial results into the general ledger
Rendering an opinion as to the satisfactory completion of test
Assuming no major changes in the software, could not this same process be used in the mid-year and year-end audit examination? Of course it could! Consequently, it could be beneficial for the project and beneficial for the company for an auditor to manage this phase of the project.
In the Go Live phase, final user training is completed, data is converted for the last time, and production libraries are refreshed. In this phase you may think that the auditor is just there for the post-implementation celebration party. Hardly! In training, the auditor should ensure that the same controls performed in the business process and integrated pilots are emphasized and repeated on a routine basis.
For the final data conversion, again, the same controls must be run and verified as were done in the integrated pilot. During the initial days of the production operations, the auditor's expertise may be helpful in isolating and resolving issues. This all being done, now the auditor can come to the party.
The auditor should be viewed and can be used as a valuable project resource. Preference would be that this involvement starts in the software selection process to ensure the auditor's commitment to a successful implementation. Regardless, even involving the auditor in the project implementation can result in significant benefits that should not be overlooked. While the involvement of an external auditor may have associated and additional costs, this expenditure should be negotiated and can be offset by a reduction of future audit fees.
J. Strub has extensive experience as a manager and senior consultant
in planning and executing ERP projects for manufacturing and distribution systems
for medium-size and Fortune 100 companies in the food & beverage, chemical,
and CPG process industries. Additionally, Mr. Strub was an Information Systems
Auditor with PricewaterhouseCoopers.
can be reached at JoeStrub@writecompanyplus.com.