Risk and Governance Issues for ERP Enterprise Applications

Enterprise resource planning (ERP) applications such as SAP, Oracle Financials and PeopleSoft can deliver significant change in enterprise information processing and significant benefits for organizations astute in managing change. While ERP applications can resolve a number of control issues associated with a fragmented legacy systems environment, not surprisingly, they can introduce new risks of their own. This article explains:

· Why ERP systems are different

· Risk and governance issues associated with the implementation of ERP

· The fundamental changes in fiscal and operational controls accompanying ERP implementations

Why ERP Systems Are Different

Prior to ERP systems, an organization’s legacy systems were typically organized around functions or departments, e.g., sales, purchasing, inventory and finance (figure 1), and not around business processes, e.g., purchase to pay, order to cash. Functions evolved independently of one another. Each function may have had an individual computer system, or a number of systems, to support it, with interfaces between those systems. This resulted in time delays, additional cost, data redundancy and stale data. Business controls had a high manual component. Purchase orders (POs), for example, were approved when generated. When the invoice arrived, the PO was either printed out again or retrieved from filing and stapled to the invoice. The invoice was then approved for payment. The documents may have been scrutinized and approved once again during the check payment process.

Legacy systems also suffer from a design problem. Typically they are built from disparate and independent modules that merely pass transaction data between one another through interfaces that usually carry only summarized data. In such cases, the underlying details of a transaction are often difficult to ascertain, unlike the drill-down capability provided by ERP systems.

ERP systems, on the other hand, have a business process focus. Their relational database tables are designed around a complete set of core functions rather than disparate modules that merely pass transaction data from one module to another. The financial accounting modules are tightly integrated into a logistical chain that begins with purchasing and ends in sales and distribution. Every business transaction is recorded in the financial accounting and controlling (or management reporting) module automatically. For example, in SAP:

· A purchase requisition in the materials management (MM) module creates a commitment in the controlling (CO) module (figure 2). This purchase requisition also can be evaluated in the controlling component.

· The placement of the purchase order will confirm the commitment in the CO and cash management (CM) systems simultaneously.

· Receipt of the goods ordered will generate an accounting document in financial accounting (FI) and CO. The receipt also will update the material masters (stock records) in MM.

· Receipt of the invoice generates an accounting document in FI accounts payable and updates CO and CM.

The ERP environment therefore operates online and in real time, in step with the business. Management has access to online, up-to-date information on how the business is performing, and that information is shared among application modules and among users from different departments simultaneously. Following implementation of an ERP, organizations typically report completing period or year-end closes in one or two days, as opposed to two to three weeks under their legacy system environment.
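To make the integration chain above concrete, the following is an added illustration (constructed for this article, not SAP code) that threads one purchase through the four postings listed: the requisition creates a CO commitment, the PO confirms it in CO and CM, the goods receipt posts FI/CO documents and updates stock, and the invoice posts the accounts-payable document. It also shows the automated counterpart of the legacy stapled-invoice check: the invoice can only be posted against goods already received and at a price within tolerance. The module names follow the text; the document structures, the 5% price tolerance and the rule that a goods receipt reduces the commitment are simplifying assumptions.

```python
"""Toy model of an integrated purchase-to-pay flow (constructed example, not SAP code)."""
from dataclasses import dataclass, field


class ControlError(Exception):
    """Raised when a posting fails an automated control check."""


@dataclass
class PurchaseOrder:
    material: str
    qty: int
    unit_price: float
    received: int = 0   # quantity posted by goods receipts
    invoiced: int = 0   # quantity posted by invoice receipts


@dataclass
class Erp:
    price_tolerance: float = 0.05                       # assumed 5% invoice price tolerance
    requisitions: dict = field(default_factory=dict)    # MM: req_no -> (material, qty, unit_price)
    pos: dict = field(default_factory=dict)             # MM: po_no -> PurchaseOrder
    stock: dict = field(default_factory=dict)           # MM material master: material -> qty on hand
    commitments: dict = field(default_factory=dict)     # CO: doc_no -> open commitment value
    cash_forecast: dict = field(default_factory=dict)   # CM: po_no -> expected outflow not yet invoiced
    payables: dict = field(default_factory=dict)        # FI-AP: po_no -> amount owed to vendor
    fi_docs: list = field(default_factory=list)         # FI accounting documents, in posting order

    def create_requisition(self, req_no, material, qty, unit_price):
        # Requisition in MM immediately creates a commitment in CO; no FI document yet.
        self.requisitions[req_no] = (material, qty, unit_price)
        self.commitments[req_no] = qty * unit_price

    def create_po(self, po_no, req_no):
        # Placing the PO confirms the commitment in CO and CM at the same time.
        material, qty, unit_price = self.requisitions.pop(req_no)
        value = self.commitments.pop(req_no)
        self.pos[po_no] = PurchaseOrder(material, qty, unit_price)
        self.commitments[po_no] = value
        self.cash_forecast[po_no] = value

    def goods_receipt(self, po_no, qty):
        po = self.pos[po_no]
        if qty <= 0 or qty > po.qty - po.received:
            raise ControlError(f"{po_no}: receipt of {qty} exceeds open PO quantity")
        po.received += qty
        self.stock[po.material] = self.stock.get(po.material, 0) + qty   # MM stock update
        value = qty * po.unit_price
        self.commitments[po_no] -= value                                 # CO: commitment becomes actual cost
        self.fi_docs.append({"type": "GR", "po": po_no, "debit": "inventory",
                             "credit": "GR/IR clearing", "amount": value})

    def invoice_receipt(self, po_no, qty, amount):
        po = self.pos[po_no]
        # Automated match replaces the stapled PO/invoice check: quantity must be
        # covered by goods already received and the unit price must be within tolerance.
        if qty <= 0 or qty > po.received - po.invoiced:
            raise ControlError(f"{po_no}: invoiced quantity {qty} not covered by goods receipts")
        if abs(amount / qty - po.unit_price) > self.price_tolerance * po.unit_price:
            raise ControlError(f"{po_no}: invoice price {amount / qty:.2f} outside tolerance")
        po.invoiced += qty
        self.payables[po_no] = self.payables.get(po_no, 0.0) + amount   # FI accounts payable
        self.cash_forecast[po_no] -= qty * po.unit_price                 # CM: forecast becomes a payable
        self.fi_docs.append({"type": "IR", "po": po_no, "debit": "GR/IR clearing",
                             "credit": "vendor", "amount": amount})


def demo():
    """Run one purchase through the chain and return the resulting state."""
    erp = Erp()
    erp.create_requisition("REQ1", "M100", qty=10, unit_price=5.0)
    erp.create_po("PO1", "REQ1")
    erp.goods_receipt("PO1", 6)          # partial delivery
    erp.invoice_receipt("PO1", 6, 30.0)  # invoice for what was received
    return erp


if __name__ == "__main__":
    state = demo()
    print("open commitment:", state.commitments, "stock:", state.stock)
    print("payables:", state.payables, "cash forecast:", state.cash_forecast)
    for doc in state.fi_docs:
        print(doc)
```

Each posting touches several modules at once, which is the point of the text: there is no separate reconciliation step, and the control (the match) is enforced at the moment of entry rather than by a clerk at month end.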

Risk and Governance Issues with ERP

Organizations face several new business risks when they migrate to a real-time, integrated ERP system. Those risks include:

· Single point of failure–Since all of the organization’s data and transaction processing is within one application system

· Structural changes–Significant personnel and organizational structure changes associated with reengineering or redesigning business processes

· Job role changes–Traditional user roles give way to empowered roles with much greater real-time access to enterprise information, and the point of control shifts from the back-end financial processes to the front-end point where a transaction is created.

· Online, real-time–An online, real-time system environment requires a continuous business environment capable of utilizing the new capabilities of the ERP application and responding quickly to any problem requiring recovery or reentry of information (e.g., if field personnel are unable to transmit orders from handheld terminals, customer service staff may need the skills to enter orders into the ERP system correctly so the production and distribution operations will not be adversely impacted).

· Change management–It is challenging to embrace a tightly integrated environment when different business processes have existed among business units for so long. The level of user acceptance of the system has a significant influence on its success. Users must understand that their actions or inactions have a direct impact upon other users and, therefore, must learn to be more diligent and efficient in the performance of their day-to-day duties. Considerable training is therefore required for what is typically a large number of users.

· Distributed computing experience–Inexperience with implementing and managing distributed computing technology may pose significant challenges.

· Broad system access–Increased remote access by users and outsiders and high integration among application functions allow increased access to applications and data.

· Dependency on external assistance–Organizations accustomed to in-house legacy systems may find they have to rely on external help. Unless such assistance is properly managed, it introduces security and resource-management risk that may expose the organization further.

· Program interfaces and data conversions–Extensive interfaces and data conversions from legacy systems and other commercial software are often necessary. The exposures of data integrity, security and capacity requirements for ERP are therefore often much higher.

· Audit expertise–Specialist expertise is required to effectively audit and control an ERP environment. The relative complexity of ERP systems has created specialization such that each specialist may know only a relatively small fraction of the ERP’s functionality, within a particular core module. Yet FI auditors, who are required to audit the entire organization’s business processes, must maintain a good grasp of all the core modules to function effectively.

More recently, some of the additional risks and governance issues introduced by the e-enabled ERP environments concern:

· Single sign-on–It reduces the security administration effort of managing web-based access to multiple systems, but simultaneously introduces additional risk: a single incorrect assignment of access may result in inappropriate access to multiple systems at once.

· Data content quality–As enterprise applications are opened to external suppliers and customers, the need for integrity in enterprise data becomes paramount.

· Privacy and confidentiality–Regulatory and governance issues surrounding the increased capture and visibility of personal information, e.g., spending habits.

Fundamental Changes in Controls

An ERP implementation, and its associated business process changes, transforms critical elements of the business. These changes affect the control environment. Some of the reasons for the change include:

· Batch-oriented controls are inapplicable in an online, real-time environment.

· Traditional audit trails are lost.

· Access requirements have vastly expanded to include field personnel and, increasingly, suppliers and customers.

As a result, the integrity and control structure supporting ERP-enabled business processes must itself be transformed, to ensure that changes in business processes do not adversely affect the fiscal and operational control of the business.

Editor’s Note:

ISACF is planning to commission a series of ERP Technical Reference Guides to provide information systems audit professionals with control techniques that will assist them in the management of these risk and governance issues.

Stephen Addison, CISA
is a Certified Information Systems Auditor and the national director of the ERP audit and assurance services delivered by Deloitte Touche Tohmatsu, Australia. The ERP audit and assurance team provides internal audit support services to clients with enterprise applications, such as SAP, Oracle Financials, PeopleSoft and JD Edwards. He has more than 10 years of experience in the auditing and the implementation of controls, along with experience in IT consulting, product management, marketing and systems engineering. Prior to joining Deloitte Touche, Addison served as the head of internal audit for TNT Australia and senior audit manager for Westpac Banking Corp.
