
Risks in ERP implementation

Posted on 06-Mar-2018

ERP
• A high-end solution featuring integration of information technology and business application.
• Seeks to streamline and integrate operational processes and information flows in the organization to integrate the resources.
• The whole is greater than the sum of its parts.
• Each implementation is unique and is designed to correspond to the implementer's various business processes.

Major functionalities of ERP
• Bridges the information gap across the organisation.
• Facilitates an enterprise-wide Integrated Information System covering all functional areas such as Manufacturing, Sales and distribution, Payables, Receivables, Inventory, Accounts, Human resources, Purchases etc.
• Helps in eliminating most of the business problems such as Material shortages, Customer service, Cash Management, Inventory problems, Quality problems and Prompt delivery, and in achieving Productivity enhancements.
• Provides avenues of continuous improvement and refinement of business processes.
• Helps in laying down Decision Support Systems (DSS), Management Information Systems (MIS), Reporting, Data Mining and Early Warning Systems for the organization.

ERP and BPR
• Implementation goes closely with business process reengineering and organizational remodelling.
• Understanding the full import of going for ERP: whether there is enough organizational resilience and flexibility to undertake the project.
• Mismatch between the management aspirations and organizational compliance.

Characteristics
• The database is usually centralized and, as the applications serve multiple users, the system allows flexibility in customization and configuration.
• The processing is real-time online, whereby the databases are updated simultaneously by minimal data entry operations.
• The input controls depend on validation before data acceptance and rely on transaction balancing; time-tested controls such as batch totals etc. are often no longer relevant.
• Since the transactions are stored in a common database, the different modules update entries into the same database. Thus the database is accessible from different modules.

Characteristics (continued)
• The authorization controls are enforced at the level of the application and not the database; the security control evaluation is therefore of paramount importance.
• Auditors have to spend considerable time understanding the data flow and transaction processing.
• The system is heavily dependent on networking on a large scale.
• Vulnerability through increased access is the price paid for higher integration and faster processing of data in an integrated manner.
• The risk of single point failures is higher in ERP solutions; Business Continuity and Disaster Recovery should be examined closely.

Broad areas to look at
• Process integrity,
• Application security,
• Infrastructure integrity and
• Implementation integrity.

Implementation Integrity
• Project Planning,
• Business & Operational analysis including Gap analysis,
• Business Process Reengineering,
• Installation and configuration,
• Project team training,
• Business Requirement mapping,
• Module configuration,
• System interfaces,
• Data conversion,
• Custom Documentation,
• End-user training,
• Acceptance testing and
• Post implementation/Audit support.

Case Study – GSM in WHO
• To improve operational efficiency, streamline processes and effectively decentralize authority and responsibility: replace the fragmented computerized information systems with an integrated system for global management and administration.
• GSM is both a major business change and a major technological change for WHO.

Reference Frame
• Oracle E-Biz Suite
• Use of PRINCE2, Oracle AIM, PJM and ITIL by Management
• Audit: CoBIT/SDLC

CoBIT HLCOs for ERP Audit

[COBIT Framework diagram: Business Objectives drive the four process domains below; each domain is assessed against the Criteria and draws on the IT Resources.]

Criteria: • Effectiveness • Efficiency • Confidentiality • Integrity • Availability • Compliance • Reliability

IT Resources: • Data • Application systems • Technology • Facilities • People

Plan and Organise
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine the technological direction
PO4 Define the IT organisation and relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage human resources
PO8 Ensure compliance with external requirements
PO9 Assess risks
PO10 Manage projects
PO11 Manage quality

Acquire and Implement
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Develop and maintain IT procedures
AI5 Install and accredit systems
AI6 Manage changes

Deliver and Support
DS1 Define service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and attribute costs
DS7 Educate and train users
DS8 Assist and advise IT customers
DS9 Manage the configuration
DS10 Manage problems and incidents
DS11 Manage data
DS12 Manage facilities
DS13 Manage operations

Monitor and Evaluate
M1 Monitor the process
M2 Assess internal control adequacy
M3 Obtain independent assurance
M4 Provide for independent audit

The objectives of the review
• Whether the GSM application development and implementation processes have adhered to best practices and procedures, including governance, risk management and controls.
• Determine the effectiveness of preparedness for the implementation of the GSM application.
• The scope was restricted to focus on risks associated with the project processes and preparedness for implementation of the GSM project. Other risks associated with IT controls over individual modules or the functionality aspects of GSM were not included.

Audit methodology
• The focus of the audit was on risks associated with project processes and preparedness for implementation of the GSM project.
• The audit was conducted in accordance with the CoBIT framework.
• Identify the key areas of risk, analyse these risks and the plans for their mitigation.

Areas covered
• Project management
• Contract management
• GSM Budget and staff
• Solution readiness and User Acceptance
• Organizational readiness and training
• IT readiness
• Data conversion, cutover and transition
• System security issues
• Post implementation review

Project management
• Multiple slippages in go-live deadlines
• GSM planning vis-a-vis GSC planning
• Involvement of ITT
• Project Management Methodology
• User Requirements
• Manpower resource
• Total cost of GSM

Project management (continued)
• Tolerance
• Involvement of Health Technical Units (HTUs)
• Adoption of International Public Sector Accounting Standards (IPSAS)
• Regression testing
• Parallel testing

Contract management

Budget and staff
• System Integrator Costs
• Staff Costs

Solution readiness and User Acceptance
• Users' Acceptance Testing
• Solution readiness for UAT
• Data sufficiency and Quality in UAT
• SIT and UAT
• Test Director Methodology
• E2E scenarios for UAT
• Remediation of Health Technical Units

Organizational readiness and training
• Global Service Centre (GSC)
• Disaster Recovery and Business Continuity Planning for the GSC
• Insurance arrangement for the Global Service Centre
• Global Service Desk (GSD)
• Maintaining existing services
• Training

IT readiness
• Knowledge management
• Global Private Network (GPN)

Data conversion, cutover and transition
• Data availability from Businesses
• Loss of Audit Trail
• Quality assurance of the converted data
• Cutover procedures
• Legacy system decommissioning and database archiving
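Loss of audit trail and quality of converted data are controls that can be tested mechanically at cutover. The following is an added example, not from the WHO audit or from any Oracle tool: a Python reconciliation over a constructed legacy ledger extract and its converted form that reports missing or altered records, rows that dropped their legacy reference, and control-total mismatches.

```python
from decimal import Decimal
from hashlib import sha256

# Constructed sample data: a legacy ledger extract keyed by legacy document id ...
LEGACY = [
    {"doc_id": "L-1001", "account": "6100", "amount": "150.00"},
    {"doc_id": "L-1002", "account": "6100", "amount": "-40.25"},
    {"doc_id": "L-1003", "account": "2000", "amount": "999.99"},
]
# ... and its converted form, where legacy_ref must survive to keep the audit trail.
CONVERTED = [
    {"erp_id": 1, "legacy_ref": "L-1001", "account": "6100", "amount": "150.00"},
    {"erp_id": 2, "legacy_ref": "L-1002", "account": "6100", "amount": "-40.52"},
    {"erp_id": 3, "legacy_ref": "", "account": "2000", "amount": "999.99"},
]


def control_totals(rows):
    """Record count, amount sum and a hash total over the sorted amounts."""
    amounts = sorted(Decimal(r["amount"]) for r in rows)
    digest = sha256("|".join(str(a) for a in amounts).encode()).hexdigest()
    return {"count": len(rows), "sum": sum(amounts, Decimal(0)), "hash": digest}


def reconcile(legacy, converted):
    """Return findings; an empty list means the converted data reconciles."""
    findings = []
    legacy_by_id = {r["doc_id"]: r for r in legacy}
    seen = set()
    for row in converted:
        ref = row["legacy_ref"]
        if not ref:  # audit trail broken: this posting cannot be traced back
            findings.append(f"erp_id {row['erp_id']}: audit trail lost, no legacy_ref")
            continue
        src = legacy_by_id.get(ref)
        if src is None:  # a converted row with no source record
            findings.append(f"erp_id {row['erp_id']}: legacy_ref {ref} not in source")
            continue
        seen.add(ref)
        if Decimal(src["amount"]) != Decimal(row["amount"]) or src["account"] != row["account"]:
            findings.append(f"{ref}: value changed in conversion")
    for missing in sorted(set(legacy_by_id) - seen):
        findings.append(f"{missing}: legacy record not converted")
    if control_totals(legacy) != control_totals(converted):
        findings.append("control totals differ between legacy and converted data")
    return findings


if __name__ == "__main__":
    print("\n".join(reconcile(LEGACY, CONVERTED)) or "reconciled")
```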

System security issues
• Information Security Management System (ISMS)
• Data classification and patch management
• System security testing

Post Implementation
• Post-implementation review of GSM

Questions?

Dr. Ashutosh Sharma, CISA, CIA
[email protected]@cag.gov.in