Implementing an ERP system? Strengthen controls to prevent fraud
Imagine this scenario: Fraudsters learn about a large construction project your organization is undertaking through news reports. Claiming to be one of your employees, they call the construction firm you're working with to ask about outstanding invoices. An employee at the construction firm believes the caller is on your staff and gives the fraudsters your outstanding invoice numbers and amounts due.
Next, while claiming to be one of the construction firm’s employees, the criminals call your organization and demand immediate payment for the invoices, wired to a new bank and account number. With your controller on vacation, and your staff member wanting to fulfill the vendor's request promptly, tens of thousands of dollars are transferred — straight to the criminals' account.
Unfortunately, these scenarios are not uncommon. According to a recent Association of Certified Fraud Examiners Global Fraud Study, the typical organization loses some 5 percent of revenues per year through fraud, with an average loss per case of $2.7 million. Those figures are only likely to climb as cybercriminals gain access to new tools and darker internet hiding places.
Statistics like these keep many business executives and CFOs awake at night. But, even as their businesses invest in ERP systems to streamline processes and gain efficiencies, baking in strong controls — the very controls that lower the risk of these events — often gets lost in the hurried shuffle of ERP implementation.
Whether you're transitioning from a legacy system to an ERP system, changing ERP platforms, or upgrading your current ERP system, implementation presents your organization and its internal audit function with an opportunity not to be missed. It's easy to Monday-morning quarterback and say, "Oh, we should have...." once fraud is discovered. Instead, take a proactive approach to minimize the risk.
While most top-tier ERP platforms have an array of “application controls” as part of their configuration options, they must be designed appropriately to fit into the overall business control processes. Often, we see these controls, and the necessary design steps, overlooked or ignored altogether during the implementation process. Focusing on controls during these key ERP implementation phases can help your organization get the most out of your technology investment and help prevent fraud.
An ERP implementation involves coordinated effort among a number of groups: the software vendor/integrator, the client, and other third-party stakeholders. For this reason, implementing effective business process and IT controls needs to be embedded in the overall project approach rather than performed as an isolated set of activities.
But, the concept of controls may be foreign to many individuals involved in an ERP implementation. There's often a real need to educate everyone involved on the activities to be performed to ensure proper controls are built into redesigned business processes. This can be accomplished through the development and communication of a controls plan, which identifies the controls framework, approach, activities, deliverables, and roles and responsibilities for each phase of the ERP implementation. Additionally, buy-in from the various stakeholders is critical to ensure the acknowledgement of and support for controls as an integral part of the project.
Design and development
The initial step of the design phase is to develop a current-state (as-is) understanding of existing business processes and related policies and controls. This activity transitions into the development of “to-be” processes and associated controls designed to ensure that risks associated with those newly defined processes are appropriately considered.
By the end of the design phase, you should have a roadmap — in the form of a system design document or blueprint — that lays out several things: how you're going to execute the controls design, what the system will look like in terms of application (system) controls, and how the system will be configured to ensure effective controls.
Your roadmap should include development of a controls catalogue, an associated risk register, and an approach identified for the implementation of an effective security structure that’s approved by the business process owner. It's critical to build effective controls into the design document during this design phase — retrofitting control processes after design is much more costly.
During the development phase, design documents incorporating controls-related decisions made during the design phase serve as your guide to building a useful controls framework. This framework becomes part of the deployed system, including workflows, reports, security, system configurations, user access, and more.
The test phase ensures that what you’ve designed has been built correctly. This phase relies on system, integration, parallel (for certain business processes), performance, and user acceptance testing.
During testing, test scripts and scenarios are developed and executed to encompass control design elements built into the design documents and communicated in the controls catalogue. This includes testing of workflows, user access, and application controls.
If the system wasn't configured to address all controls, or lacks the capability to do so, now is the time to develop new controls around specific business processes to close the remaining gaps. These are business (often manual) controls that follow best practices to mitigate the identified risks, to detect gaps, or to strengthen the application controls the system does provide.
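As an added illustration (not code from the article or any ERP vendor), here is what an application control closing the gap in the opening scenario can look like: a payment-release check that holds a payment when the vendor's bank details were changed recently without an independent call-back, when the same user changed the bank details and requested or approved the payment, or when a large amount lacks two approvers other than the requester. The thresholds, field names and users are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Constructed thresholds for this example; a real system takes them from policy.
CHANGE_WINDOW_DAYS = 30      # recently changed bank details need a verified call-back
DUAL_APPROVAL_FROM = 10_000  # payments at or above this amount need two approvers

@dataclass
class Vendor:
    vendor_id: str
    bank_account: str                        # account on the vendor master record
    bank_changed_on: Optional[date] = None
    bank_changed_by: Optional[str] = None    # ERP user who edited the bank details
    bank_change_verified: bool = False       # confirmed by call-back to a number already on file

@dataclass
class PaymentRequest:
    vendor: Vendor
    invoice_no: str
    amount: float
    pay_to_account: str                      # account the payment run would actually send to
    requested_by: str
    approvers: List[str] = field(default_factory=list)

def check_payment(req: PaymentRequest, today: date) -> List[str]:
    """Return the control exceptions that should hold this payment (empty list = release)."""
    v, findings = req.vendor, []
    if req.pay_to_account != v.bank_account:
        findings.append("pay-to account does not match vendor master record")
    if (v.bank_changed_on is not None
            and (today - v.bank_changed_on).days <= CHANGE_WINDOW_DAYS
            and not v.bank_change_verified):
        findings.append("bank details changed recently without independent verification")
    # Segregation of duties: whoever edited the bank details must not move money to it.
    if v.bank_changed_by and v.bank_changed_by in {req.requested_by, *req.approvers}:
        findings.append("user who changed bank details also requested or approved payment")
    independent = set(req.approvers) - {req.requested_by}
    if req.amount >= DUAL_APPROVAL_FROM and len(independent) < 2:
        findings.append("amount requires two approvers other than the requester")
    return findings

def release_allowed(req: PaymentRequest, today: date) -> bool:
    return not check_payment(req, today)
```

In the article's scenario the absent controller means only one approver is available, so the payment is held rather than wired, regardless of how urgent the caller claims it is.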
User acceptance testing provides the opportunity for staff to learn how to input data and carry out routine tasks and transactions in a nonproduction environment. This is also a good opportunity to test new controls and to identify the individuals who will “own” the new control processes.
Once you've tested the system, process owners need to get comfortable using it. Staff must be trained on new codes and how to carry out transactions, while supervisors need to learn how to manage those transactions. Clear communication during training is paramount when it comes to controls, particularly when privileges change and employees can no longer enter or access data or perform a transaction they previously could.
Comparing design documents to training documents ensures all processes, controls, and best practices are conveyed to staff during training. Keep in mind that training should be a key part of a larger, coordinated organizational change management effort that accompanies the most successful ERP implementations.
Go-live and post go-live review
In preparation for system go-live, the implementation team develops a readiness checklist and reviews it to confirm that all areas required for a successful go-live have been completed. This includes assurance that all controls-related decisions made during the design phase have been developed, tested, and implemented and that staff have been trained adequately on newly designed processes and associated controls.
The post go-live review is a crucial phase to make certain that the controls that have been implemented fully address the risks previously identified and have been adopted by users. Go-live reviews are commonly performed several months after go-live since many additional decisions are likely to be made that result in process and controls changes.
Identifying and integrating appropriate controls throughout the ERP implementation helps mitigate organizational risk while business processes are being migrated from one system to another. Baking in controls that properly align with your organization's needs within a well-managed risk environment should go hand in hand with any ERP implementation. That is, if you want to assure the integrity of your data and business processes — and a good night's sleep.