Disclaimer:
The articles in this blog post are those that I found interesting and
relevant to the topic of ERP and technology in general. I have no
commercial association with any of the entities mentioned in this
article. I may be following a few of these entities on LinkedIn and even
some of these entities may be on my LinkedIn or Social Media network.
These articles are selected purely based on their relevance to the
objective of this blog, to promote ERP. Finally, the summary is mine.
While I stay close to the points in the articles, I also elaborate a few
of them based on my understanding.
The Short URL for this post is https://goo.gl/zwgv8n
The steps in ERP Implementation are:
4. ERP Audit
5. ERP Implementation
6. Integration with external applications
7. Post Implementation Support and Stabilization
This week's theme is ERP Audit.
We start off by looking at why an ERP audit is required. The author says that it is important to regularly compare the objectives with the achievements of ERP through an audit. As is the case with many articles, this treads a thin line between the why and the how of audit. The next article, by Tom Miller, talks about different types of ERP audits like compliance audit, process audit, waste audit, security audit etc. The third article in this selection talks about how to conduct an ERP audit. This is followed by an article on the five benefits an Organization can receive from an ERP audit, including identification of maturity level, determining the system health and reducing downtime. The final article in this selection is a gold mine for any ERP Auditor. It painstakingly covers the objectives of an ERP audit and the control points that should be identified, and is followed by a discussion of the findings of ERP audits done in five mega corporations in India.
The additional readings in this selection also give nuanced perspectives of different aspects of ERP Audit.
Happy reading. Hope you enjoy reading it as much as I enjoyed collating it for you.
1. Why do you need an ERP Audit?
https://it.toolbox.com/blogs/erpdesk/erp-audits-080416
The purpose of an audit is to ensure the integrity and reliability of information, ensure that organizational assets are safeguarded and that established goals and objectives are met.
The key concern in an ERP implementation is that it will break the established control processes in an organization, leaving it vulnerable. So the audit should thoroughly review the process controls and ensure their adequacy. All the main processes and the sub-processes should be considered in this audit.
The auditing process should review the user creation process, access assignment and maintenance, change management, interfaces and data privacy. To ensure efficacy, the auditor should be thoroughly familiar with the ERP system that he is auditing. Review the user roles and permissions. As a part of change management, review the process of testing, QA and production migration.
Integration of ERP with other applications has to be thoroughly reviewed to ensure thorough data validation exists before the data moves into the ERP system. Accuracy and integrity of data can be ensured by using control totals and exception reports.
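As an added illustration (not taken from the summarized article), here is one way an inbound interface could apply control totals and produce an exception report before anything is posted to the ERP. The batch layout, field names and vendor codes are constructed for this example.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample: the header carries the sender's control totals for the batch.
BATCH_HEADER = {"record_count": 4, "amount_total": Decimal("2000.00")}
BATCH_RECORDS = [
    {"doc_no": "INV-001", "vendor": "V100", "amount": "500.00"},
    {"doc_no": "INV-002", "vendor": "V200", "amount": "250.00"},
    {"doc_no": "INV-003", "vendor": "", "amount": "1000.00"},      # missing vendor
    {"doc_no": "INV-002", "vendor": "V200", "amount": "250.00"},   # duplicate document
]
KNOWN_VENDORS = {"V100", "V200"}  # hypothetical vendor master


def validate_batch(header, records, known_vendors):
    """Return (accepted, exceptions, control) for one inbound interface batch."""
    accepted, exceptions, seen = [], [], set()
    received_total = Decimal("0")
    for line_no, rec in enumerate(records, start=1):
        reasons = []
        try:
            amount = Decimal(rec["amount"])
            received_total += amount
            if amount <= 0:
                reasons.append("non-positive amount")
        except (InvalidOperation, KeyError, TypeError):
            reasons.append("amount not numeric")
        if rec.get("vendor") not in known_vendors:
            reasons.append("unknown or missing vendor")
        if rec.get("doc_no") in seen:
            reasons.append("duplicate document number")
        seen.add(rec.get("doc_no"))
        if reasons:  # goes to the exception report instead of the ERP
            exceptions.append({"line": line_no, "doc_no": rec.get("doc_no"),
                               "reasons": reasons})
        else:
            accepted.append(rec)
    control = {
        "count_matches": len(records) == header["record_count"],
        "total_matches": received_total == header["amount_total"],
        "received_total": received_total,
    }
    # A batch whose totals disagree with the sender's header is incomplete or
    # altered in transit: post nothing from it, even records that look valid.
    if not (control["count_matches"] and control["total_matches"]):
        accepted = []
    return accepted, exceptions, control
```

The control totals catch a truncated or altered batch as a whole, while the exception report isolates individual bad records inside a batch whose totals agree.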
Since an ERP system contains sensitive data, checking for data privacy is extremely important. Access permissions should be strictly restricted and any data leaks should be quickly plugged.
This is a short article. As usual with such articles, it quickly moves from 'Why' to 'How'.
2. How to conduct a thorough ERP Audit:
https://www.erpfocus.com/how-to-conduct-a-thorough-erp-audit-4146.html
Confession... I am a fan of Tom Miller's writings in ERP Focus. He presents great content and structures them logically and intuitively. While this article is titled 'How to..', the focus is more on different types of ERP Audits.
The first type is the Compliance Audit. There are two types of compliance audits. The internal compliance audit reviews the organizational adherence to the documented SOPs. This audit will identify points where user training and process strengthening are required, or it can also indicate where updates to SOPs will be required. The external compliance audit reviews the adherence to statutory compliance requirements like GDPR, Tax Compliance etc.
The second type of audit is the process audit. In this case you review the process to see whether the various process controls are in place to meet the objectives. For example, any purchase of a high value inventory has to be preceded by a customer demand for the item. Another example will be the review of approval limits to ensure that no purchase orders fall 'through the cracks' as it were.
The third type of audit is the risk audit. This is more of an access and control audit to ensure that only authorized personnel are allowed to enter the transactions and there are always 'four eyes' to review each transaction entered in the system.
Another type of audit is the Security Audit. We are talking of data ownership and access. It has to be ensured that only authorized personnel have access to the data relevant to their work. The security audit also looks at how ERP is protected from external threats like industrial espionage, and at firewall protections and protections from virus attacks.
The other audits covered are System Audit (Performance Audit) and Waste Audit.
How do you build an audit team? The author suggests that auditors should be from outside the domain. For example, engineers should not audit the Bill of Materials. In addition, auditing should be a full-time activity and management should release the auditors from their current work to focus on their audit.
Finally, do not forget that an audit should be followed by actions.
Nice article. Thank you, Mr. Miller.
3. How to conduct a meaningful ERP Audit
https://psierp.com/conduct-meaningful-erp-audit/
Once you have decided on an audit, it is important to follow a structured approach. The first step is to study the processes and KPIs. (If these are not documented, do that before you start the audit.) The audit should determine how close the Organization is to achieving its KPIs after ERP Implementation.
The second step is to assess the quality of usage. This includes the adoption rate, gaps in usage, how well the users are using ERP features, and whether the quality of work has improved as a result of ERP. Evaluate the workflows. Start with one department at a time and identify trends.
The third step is to identify the control points. These are the points where approvals or alternate actions are required. Are the control points creating business bottlenecks?
Once you complete the audit, you will have a fair idea of the risks that the Organization is facing. The next step is to prepare a mitigation plan for each identified risk.
The final step is to take action on the audit recommendations and ensure process improvements.
This is a simple article that gives a brief idea of the steps involved in an ERP Audit.
4. Five Benefits of an ERP System Review
https://www.cio.com/article/3291781/5-benefits-of-an-erp-system-review.html
Like human systems, ERP systems can develop inefficiencies. Just as human beings go for health check-ups, an ERP system has to be regularly audited to determine the current state of the system, which will help in taking corrective action. The five key benefits of an ERP audit are:
It helps you know the health of the system. It will help answer questions like whether ERP is helping your business maintain peak performance and whether there are any opportunities for improvement, and it helps you assess the data and process integrity.
It helps you know the maturity level of the ERP system. ERP systems go through three levels of maturity. Level 1 is the initiation of the ERP project. Level 2 is the post-implementation stage when functionality is fully exploited across the organization. Level 3 is when ERP is normalized into the business. This is when the organization generates strategic value from ERP. An ERP audit helps you determine your maturity level, which in turn helps to quantify the benefit for each department of the company.
It helps reduce downtime due to ERP performance issues: Most of the time the line managers and users can identify performance issues much earlier in the cycle, before the issues become critical. An ERP audit talks to the users and identifies potential issues quickly so that corrective action can be taken.
It ensures the integrity of the data: By bringing out any potential data integrity issues, an ERP audit improves the reporting capabilities of the organization.
Finally, it helps you decide the next steps: The three decisions after an audit are, one, keep the system as is, two, update the system or, three, replace the system.
Even when the system is performing well, an audit can unearth potential savings which will easily pay for the audit.
Nice article. Simple and Crisp.
5. ERP Audit: Case Studies from Indian Mega Corporations:
https://goo.gl/KNJhKQ
Clicking on this link directly downloads a superb presentation to your laptop or mobile. The presentation answers all the questions that you may have relating to ERP audit and presents case studies of ERP audits in five of India's mega corporations. The presentation has it all. What is audit? What are the control points? What is the objective of an ERP audit?
For the purpose of this summary, I will discuss the findings of one of the companies, one of the Oil giants. The company implemented SAP R/3 in 2004. The ERP has 10000 users spread across 700 sites. The audit covered Finance modules and e-security.
Following were the observations:
Security:
1. User profile not properly defined
2. About 10% of user ids were common ids used by more than one person. These user ids carried create / modify / cancel / delete privileges.
3. There was no firewall policy and no corporate security policy. In the absence of policies, different virus and malware protection software were used in different sites.
4. Segregation of user duties and privileges were deficient
5. Unauthorized users were given sensitive transaction codes
6. Password policy allowed simple, trivial, alpha-numeric passwords
Finance:
7. For some assets, date of depreciation was before capitalization date and for some others it was after the capitalization date. This made the depreciation data non-reliable.
8. Quantity was indicated as zero in many assets. This further impacted depreciation calculations
9. In many cases service purchase orders were created after the services were delivered.
10. Huge amount was lying unreconciled in the 'Inventory Receiving Temporary Account'.
11. Stock valuation was done outside the system.
12. There were multiple customer codes assigned to the same customer
As you can see, the coverage is exhaustive. This presentation is a must read for any ERP professional.
Great article to end the blog post.
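Security findings 2, 4 and 5 above can be turned into repeatable checks over an export of user accounts. The sketch below is an added example, not part of the presentation; the user ids, duty names, conflict pairs and transaction codes are all hypothetical and constructed for illustration.

```python
# Constructed sample data; every id, duty and transaction code is hypothetical.
LOGINS = [  # (user id, person observed using it, e.g. from workstation records)
    ("STORE01", "asha"), ("STORE01", "ravi"), ("FIN007", "meera"), ("PUR003", "john"),
]
USERS = {
    "STORE01": {"privs": {"create", "modify", "delete"},
                "duties": {"goods_receipt"}, "tcodes": {"TX_GR"}},
    "FIN007": {"privs": {"create"},
               "duties": {"create_vendor", "release_payment"}, "tcodes": {"TX_PAY"}},
    "PUR003": {"privs": {"display"},
               "duties": {"create_po"}, "tcodes": {"TX_PO", "TX_USER_ADMIN"}},
}
WRITE_PRIVS = {"create", "modify", "cancel", "delete"}
# Duties that one account must not hold together (assumed conflict matrix).
SOD_CONFLICTS = [{"create_vendor", "release_payment"}, {"create_po", "goods_receipt"}]
# Sensitive transaction code -> duties that justify holding it (assumed).
SENSITIVE_TCODES = {"TX_USER_ADMIN": {"security_admin"}}


def access_findings(users, logins):
    """Return (user_id, finding) tuples, ordered by user id."""
    people = {}
    for uid, person in logins:
        people.setdefault(uid, set()).add(person)
    findings = []
    for uid in sorted(users):
        user = users[uid]
        # Finding 2: an id used by several people that can also change data.
        if len(people.get(uid, set())) > 1 and user["privs"] & WRITE_PRIVS:
            findings.append((uid, "shared id with write privileges"))
        # Finding 4: one account holds both halves of a conflicting duty pair.
        for pair in SOD_CONFLICTS:
            if pair <= user["duties"]:
                findings.append((uid, "segregation of duties conflict"))
        # Finding 5: sensitive transaction code without a duty that justifies it.
        for tcode in sorted(user["tcodes"]):
            allowed = SENSITIVE_TCODES.get(tcode)
            if allowed is not None and not (allowed & user["duties"]):
                findings.append((uid, "unjustified sensitive tcode " + tcode))
    return findings
```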
Additional Reading
1. ERP Audit Checklist
2. Case Studies in ERP Audit
3. Will you pass an ERP Implementation Audit?
4. Seven reasons why you should audit your ERP Security
5. An ERP Post Implementation Review: Planning for future by looking back
6. Quality of Post Implementation review for ERP Systems