When undertaking a large investment such as an enterprise resource planning (ERP) implementation, there is little margin for error. It is critical for the project to be completed on time and be as effective as possible. An organization cannot afford to miss important aspects of an implementation, such as efficient and effective control design, and hope to build it in at the end of the project. Such mistakes will delay the project and substantively increase the cost of the implementation.

Issue

Regardless of economic or market conditions, most companies continue to undertake some type of ERP implementation, including enhancement and upgrades. Many tackle full ERP implementations in order to keep pace with the rapid development of technology and anticipated business changes. Clearly, times have changed with regard to project/implementation risk management and internal controls. Previously, risk and control considerations in enterprise system projects often were an afterthought or overlooked altogether. Section 404 of Sarbanes-Oxley and changes in financial reporting standards, including International Financial Reporting Standards, are bringing risk management and internal control considerations to the forefront of any major ERP system change program.

Challenges and Opportunities

ERP project leaders, including major system integration firms, are still adapting to a business environment in which key business risks and effective control configuration of a new system should be integral to the design and implementation. Control design, testing and control framework documentation are important work streams within the project. ERP project leaders usually struggle to understand the impact of risk management and internal controls on their work, as well as implications for estimating, planning and delivering major systems that will comply with financial reporting and internal controls standards. As a result, ERP project leaders may fail to recognize or may underestimate the effort and skills associated with the risk management and internal control design aspects of the project.
These knowledge gaps may lead to project delays or an implementation that fails to embed controls properly into the new system. The result can be a system that does not comply with the requirements of Section 404, or one that does comply but in a very inefficient and ineffective manner.

There are several reasons why companies may overlook risk management and internal controls in ERP projects:

- ERP project teams typically are built around deep technology and software expertise. They may lack perspective on risk management or controls, or how the functions and features of the software can be tailored to meet control objectives.
- Practitioners of internal audit and risk management are not proactively involved in ERP project activities.
- Risk management and internal controls affect all aspects of an implementation, including business process, technology and user education, and require control specialists with ERP skills.
- ERP project leaders tend to underestimate or not include risk management, internal control or compliance requirements in requests for proposals for project implementation.

Our Point of View

By effectively addressing these topics up front, it is possible to engineer a culture of compliance into the project so that risk management, internal controls and compliance are understood and expected throughout the project lifetime, rather than viewed as a hindrance when the project is operating at full speed.

Continuous focus is required throughout the project lifecycle to manage the risks of project success and embed the necessary activities to ensure effective internal control over financial reporting.

Managing Risk as Part of ERP Implementations

POWERFUL INSIGHTS

About Protiviti

Protiviti (www.protiviti.com) is a global business consulting and internal audit firm composed of experts specializing in risk, advisory and transaction services.
The firm helps solve problems in finance and transactions, operations, technology, litigation, governance, risk, and compliance. Protiviti's highly trained, results-oriented professionals provide a unique perspective on a wide range of critical business issues for clients in the Americas, Asia-Pacific, Europe and the Middle East. Protiviti has more than 60 locations worldwide and is a wholly owned subsidiary of Robert Half International Inc. (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.

PROVEN DELIVERY

How We Help Companies Succeed

We help companies identify, measure and manage ERP implementation and compliance risks, complement internal audit and project teams, and help leverage ERP investments by:

- Conducting effective front-end risk assessment
- Designing effective systems controls
- Maximizing configurable controls
- Implementing sustainable compliance processes
- Enhancing risk management capabilities
- Optimizing control environment (automated versus manual controls)
- Evaluating and designing effective segregation of duty frameworks and mitigating controls
- Implementing integrated GRC applications
- Delivering ERP audits, and reducing testing time and costs

We help companies select, implement and manage ERP solutions and, by focusing on compliance and managing implementation risk, help ensure that all deployed business processes meet control objectives. This reduces the total cost of ongoing internal controls and compliance activities.

Example

A global manufacturing and retail company implementing an ERP solution was looking to implement controls within its implementation. Protiviti's ERP control specialists teamed up with implementation project management, internal audit, compliance leaders and the system integrator to identify and mitigate compliance risks. Specifically, we:

- Implemented more than 150 standard configurable controls.
- Standardized financial close reports and desktop procedures for 19 business units.
- Defined segregation of duties and sensitive access requirements.
- Performed regular testing of security and control implementation.
- Updated the control framework prior to go-live.
- Included internal control testing steps in integrated scripts.
- Facilitated compliance discussions with external auditors, who significantly leveraged our control documentation and relied on our deliverables to perform their required pre-implementation testing.

We helped deliver a compliant and well-controlled ERP system for our client that was implemented more effectively with our risk-managed approach. The company immediately realized the benefits of greater emphasis on preventative and system-based automated controls. Our client has been able to reduce its associated controls as well as its compliance and operational costs.

© 2011 Protiviti Inc. An Equal Opportunity Employer. PRO-0611-107033

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

Contacts

Scott Gracyalny +1.312.476.6381 scott.gracyalyny@protiviti.com
Carol Raimo +1.212.603.8371 carol.raimo@protiviti.com
Ronan O'Shea +1.415.402.3639 ronan.oshea@protiviti.com
John Harrison +1.713.314.4996 john.harrison@protiviti.com