Auditing Controls in ERP Systems - 2018

Auditing Controls in ERP Systems - 2018

Edward N Beaver

Final Exam: Take December 18

by

The final exam of the semester will be conducted by Blackboard (you should see the link when you logon to Blackboard).  The exam will be available to take during regular class time on Monday December 18.

Some specifics:

  • Questions mainly focus on course content (on-line and from class) from Week 11  through the end of the semester (topics listed on any ‘Overview’ or ‘Review’ slides.
  • Some questions from prior material (see Review slides from Week 12)may also be included on the exam.
  • Maximum amount of time to complete the exam is 60 minutes
  • Exam is approximately 25 questions (variety of formats i.e. Fill in blank, multiple choice
  • Some of the questions relate to this real-world like small business case.  You are invited to pre-read, print, etc. prior to the exam.

Week 14: Character vs. Controls Wrap-up

by

Continuing great job on the discussions.  I appreciate your responses and I learn from you.  You raised most of the important points but let me summarize my view.

Q1: How much automation of controls is best?  When should they be introduced?  Automated controls are ideal but not always possible or cost effective (e.g. complex scenarios or decision making).  My experience is leverage automation where possible and easily implemented.

As many of you pointed out ‘baking in’ the controls from the start is the easiest and most cost effective.  However they will added to as an organization grows, changes, etc.  Also, as the process matures and the external world changes you need to respond.

Q2: Describe the character of the leaders involved in the Real World control failures we reviewed.   The words you used I agree with: Arrogant, greedy, above control (‘absolute power corrupts absolutely’), self-interested, self-preservation response to pressures, etc.

These leaders were not necessary ‘bad’ leaders – many were very effective in accomplishing the goals of their organization.  However,  good leaders can have ‘bad’ character.  Creating a climate of controls need to balance (e.g. Sox type regulations) when this character drives illegal, immoral, or unethical behaviors.

Q3: A person’s character is very crucial in the audit industry.  How would you build your reputation and maintain a good ethical character in this industry?  This is something you have to do yourself.

I appreciate how Paul phrased it: Paul: ‘IT Governance: which is to “do the right thing, the right way”. Character is doing the right thing because it is the right thing to do.’  Integrity goes beyond the skills you have or knowledge of right things, but always doing the right things.

This integrity requires personal courage to stand up and be independent in our ‘end justifies the means’ world.

Q4: SAP’s GRC module may be important and effective, but can the cost of GRC be justified?

You all outlined in some detail what’s in this functional tool.  However in making the decision where to use you must weigh GRC’s costs vs. the cost of implementing controls other ways (often higher) plus the cost of not having needed controls or strength of controls in place.

 

Thanks for all your work in the participation blog this semester.   I trust it helped your learning.  Also remember to: do the right thing because it is the right thing to do.

Team Member Evaluation (Optional)

by Leave a Comment

All members of a team receive the same points for the exercise submissions. If you feel that one or more members are not doing their fair share, please do the following 2 things:

  1. Send email to all members of your team (.cc me) indicating that you will be submitting a team member evaluation form.  This step gives all members of the team the option of completing a form.
  2. Complete and submit the following form to me by email.

All responses will be kept confidential. 

 

Click Here for the Team Member Evaluation Form

Dow Chemical CIO Comments on ERP Project

by Leave a Comment

Dow Chemical CIO Says Another 8-Year ERP Project Is Unimaginable

By

STEVEN NORTON

Nov 30, 2015 5:26 pm ET

COMMENTS

Dow Chemicalspent eight years and $1 billion implementing a new enterprise resource planning system that didn’t deliver value as quickly as hoped, Chief Information Officer Paula Tolliver said.

While the implementation officially finished at the end of 2014, Ms. Tolliver spent the first half of this year cleaning up messy databases, simplifying code and updating early parts of the implementation with features added later in the process.

Dow Chemical CIO Paula Tolliver

DOW CHEMICAL

Would she attempt another eight-year implementation? “Not in today’s world,” Ms. Tolliver told CIO Journal. “I can’t imagine doing the project we did in the last eight years in a time of such volatility.” With the maturing of cloud computing capabilities and more “as-a-service” offerings, “the change we’ll see in the next three years is unprecedented.”

Along with scrubbing data and simplifying code, during the implementation Dow devoted about $15 million in “inefficiency resources” to keep things running while employees got used to working with the new ERP system. Part of that went toward employee-recommended changes, such as reducing the number of steps needed to complete some business processes, automatically populating data fields and improving reporting, Ms. Tolliver said. The company also invested in hands-on training for many of its employees.

Dow’s example highlights some of the nuts-and-bolts challenges CIOs face as they try to update software and merge disparate data sets to find cost savings and new insights about customers. Whole Foods MarketWal-Mart Stores and General Electric are all in the process of creating or consolidating ERP systems or integrating data across their companies.

Dow’s new ERP system – ECC version 7 from SAP SE – processes 7 million transactions each day and counts more than 16,000 unique daily users. The upgrade consolidated four separate regional systems into a single global ERP. Dow also pulled in some inventory and records tasks that previously took place outside the system.

A spokesman for SAP said the company does not comment on specific customer engagements.

Putting Dow on a single system gave employees more visibility into how their work fit into the company’s broader operations. But it also showed where certain processes got stuck or needed improvement, problems which may not have been noticeable at a regional level. Across the world, “people were performing the same work differently,” Ms. Tolliver said.

With much of the data scrubbing and code consolidation done, Ms. Tolliver now is trying to use the global view of Dow to simplify its core processes such as order-to-cash, supply chain and sales and operations planning. It’s part of the company’s “Dow 10.0” initiative, which aims to make it easier for customers to do business with the nearly 118-year old firm.

Besides change management challenges, Ms. Tolliver said a major lesson is never to underestimate the importance of accurate metadata. The firm created a centralized enterprise data management team that maintains all of the metadata related to customers, vendors, materials and product coding, which has helped as Dow works to ramp up its use of analytics.

Since the implementation, Ms. Tolliver said process cycle times have begun to decrease. Dow is on track to deliver $500 million in annual productivity by the end of 2017, she added. At the same time, she’ll contend with changes that could come as a result of potential deal activity. Separately, Ms. Tolliver said she’s wrapping up a project related to Dow’s “cloud transformation strategy.”

Video

Last December Paula Tolliver, CIO and corporate VP of business services at Dow Chemical Co., talked with CIO Journal’s Steven Norton about her three biggest lessons from the company’s 8-year, $1 billion architecture and ERP implementation.

8 years, $1 Bn ERP System – Worth It?

by Leave a Comment

In a related post I copied an WSJ article that discusses a very large ERP system implementation at Dow Chemical.  The system processes ~ 7 million transactions / day and counts > 16,000 unique daily users.

Note: I was a member of this implementation team (i.e. a very small portion of the $1Bn paid my salary).

You can answer one of these questions as an alternate ? for this week:

  1. Why would an implementation take this long and cost so much?
  2. Given the information shared – why would Dow Chemical company approve such a large investment?

 

Week 13: SAP Futures, Special System Access Wrap-up

by

Continuing great job on the discussions. Keep up the good work.   You raised most of the important points but let me summarize my view.

Q1: SAP is a world class ERP system provider.  If you are an SAP customer – what would you expect them to provide to support your company’s internal controls?

&

Q2: The ERP systems market is very competitive.  What should SAP and other ERP systems providers be focusing on to make their systems more competitive in the future?

Some good, thoughtful answers and comments. Summary of your class’s responses in updated lecture slides.

Q3: What is best focus, most effort to ensure  controls are adequate?  What factors about an organization would drive this answer?

You rightly pointed out that the regulations and laws that a business is responsible for drives the high priority control focus.  This often is a critical requirement for being in business.  You also need to understand and focus on those risks that can negatively impact the value of your business.

In the end – high quality business oriented knowledge and decisions create the most value.  Hence why I’m proud to be associated with an MIS program that’s in the school of business (where it belongs).

 

Week 12: Table Security, Risk/Control Framework Wrap-up

by

Continuing great job on the discussions. Keep up the good work.   You raised most of the important points but let me summarize my view.

Q1: Have you ever been involved with an internal audit or audit of your process / project?
Thanks for all the good examples shared – they remind me of the many audits I performed or was involved with (often as the subject of the audit).
In today’s world, there are audits of may kinds and someday I expect everyone will have some experience an and auditee or auditor. I note a lot oa consistency regardless of the subject of the audit: It starts with a defined procedure or expectation of how the process of activity should occur, there’s a methodical way to review how activities occur in the real world to measure vs. that expectation with a defined way to capture the alignment and gaps and address the gaps that are found.

Q2:How is independence maintained when working for the company as an internal auditor?
In my experience independence is taken very seriously. You noted common components: Defined Code of Ethics, organizational separation, Defined audit procedure with lots of documentation – there are even audits of audits. A very important but harder to measure component is the mindset of the auditors and those being audited – we’ll talk more about that in Week 14.

Q3:When is the cost of implementing a compliance control higher then the benefit obtained?  What should an organization do to ensure efficiency and profitability?
Organizations don’t exists just to perform business process controls, audits, etc. They have a responsibility to address their missions (be that making profit or some other defined goal). There can be discussion where the control implementation costs are higher than the benefit. It all starts as many of you noted by doing a good risk assessment (part of you Final Exercise). With this information available management can make better decisions and strike the correct balance of control vs. cost.

 

Week 11: Change Management, Development Wrap-up

by

Continuing great job on the discussions. Keep up the good work.   You raised most of the important points but let me summarize my view.

Q1: What key components of ERP change management controls should auditors review?  You provided some good background and details of the systems change management process.  From my experience the key components to focus on are: 1) defined policies and procedures (and proof they are followed)  2) Solid documentation of requirements (what the change should be) 3) testing and more testing and 4) strong approval / governance process.

Q2: Does your company use blueprints as documentation?  Why important? From the few responses it’s a mixed bag about organizations use of blueprints.  My experience is that the blueprints are very useful in implementing successful, complex processes.  They are excellent communication tools and help define for people new to the process or changing it later how it’s supposed to work.  It takes discipline and work to keep the blueprints up to date but in the long run are very useful as ERP systems and processes outlast those originally developing them.

Q3: How have your seen change mgmt work?  How would you improve? Only a few comments but they highlight some keys of good change management: clear communication about the ‘Why’ of change, Methods that those affected by the change can get their questions answered and employee involvement.

Q4: What questions would you like to ask auditors?   Some very good questions.  We’ll include some of them in coming weeks discussion.

Change management is one of the necessary evils of good systems management.  Doing it well requires lots of discipline, hard sometimes tedious work but in the end ERP systems won’t survive well without it.

Week 11: Change Mgmt Breakout Questions

by Leave a Comment

Below is the consolidation of the breakout session responses from yesterday’s class.  Some excellent comments and useful ideas.

Change Management practices may seem bureaucratic and time summing.  How do you manage the trade-off of added work vs. needed controls?

  • Compliance requirements for highly regulated industries (i.e. Health, Finance and Insurance)
  • By following change management practices it will help ensure the Quality of the product or service is better or at the same standard as it was previously.
  • Software automated testing prior to integration
  • A well-designed schedule – e.g. everyone knows what’s going to happen for preparation
  • Electronic approval process – e.g. IT help desk; approval by email
  • Update the documentation in order to assign approval align with the new work (changes are review)
  • Define option and response document  and clear and concise roles in align with new work
  • The date of when the change management practices are going to occur. what is affected
  • An emergency change process is in place
  • Changes are submitted for approval
  • Categorize everything
  • Quantify controls
  • Identify the risks that not checked.
  • Clients justify very easily
  • Prioritize controls
  • Put automated systems in place to that automated controls can be helpful
  • Training for employees
  • Perform change out of business hours if required so that it does not pile up and miss SLA
  • Prioritize changes based on risks mitigated, criticality of issue & solutions.
  • Perform Changes outside of Business Hours so that work is not affected and neither are large # of users impacted.
  • Streamline the change management process so that there is minimal disruption to services and hence fewer service requests to attend to as well, also changes should be reviewed thoroughly to ensure the change is successful.

What are the ramifications of managing change management in the scenario where the changes (e.g. development, etc.) are outsourced?

  • Cultural differences in the Company and the vendor organization
  • Security issues w.r.t Change performers having high privileged access to the system and messing it up.
  • Whether there is sufficient expertise in the outsourcing vendor implementing the changes
  • Cultural difference will affect process
  • Time zones can be different and hence SLA breach is possible
  • Security and privacy issues during change management
  • Schedule change control-the project schedule has been affected somehow and events in the project are being delayed.
  • Cost change control-the scope contents have not change, but the price for the items in the scope have increased or decreased.
  • Giving up control of the change management process
  • Adjusting to the new team and learning what each individual are skilled in.
  • Communication back and forth could be a challenge if there is a difference in time zone.
  • Granting access to the members who are outsourced to the programs used within the company, could take some time and are there security in place to mitigate risk.
  • Production of quality, control
  • Customer satisfaction of the service
  • Compliance standard align with our business objective
  • Application able to run on their system
  • Confidentiality of our sensitive data can be affected
  • Understanding of the required change (The ‘why’ is not consistently communicated by upper management to all team members)
  • makes monitoring adherence more difficult if things aren’t done in the same standard or by the same protocols that the main organization is enforcing or following
  • They may lack the understanding of the “business” it’s goals and vision of the organization as well as local employees
  • Design and functionality are out of control
  • Increase need of quality assurance
  • Data management issues
  • System uniformity