The Role of the Business in Ensuring a Successful ERP Implementation

By Ronan O’Shea, Managing Director
Global ERP Solutions Practice Leader

 

 

 

As organizations implement new enterprise resource planning (ERP) systems as part of digitization, process improvement and platform modernization, it is becoming increasingly critical not just for IT, but also for the business units themselves, to understand their central role in the overall success of these initiatives. The implementation of an enterprise system, or any other major IT system, should never be viewed as just an IT project because, ultimately, it is a business project with business objectives.

Even when a project is supported by a strong system integrator, it is critical for business stakeholders to assume responsibility for key activities before, during and after the implementation. Failure to do so can lead to project delays, budget overruns, business disruption and low user adoption, among other things.

There are seven key responsibilities that businesses need to understand and accept in any successful system implementation. They are:

Program Management and Governance – Although most system integration firms provide project management capabilities, common gaps include oversight of internal business and IT resources, management of other vendors, and engagement with company leadership. Proper oversight requires a more robust approach, from the establishment of a project management office (PMO) structure and assignment of roles, to the establishment of a comprehensive program-wide plan and a “single source of truth” for program status.

Business Process Readiness and Solution Design – Systems integrators are usually technical experts, not business process experts. Businesses should define the vision and operational expectations of a new system with regard to each business process. Specifically, the business must ensure that the technical solution the system integrator proposes will satisfy the business process vision and future-state goals. To meet operational expectations, the business should design process models for the end-to-end future state of each business process that the new system will impact. This will help system integrators focus on blueprinting rather than designing future processes, which typically is not their core expertise.

Organizational Change Enablement – As the solution design is established, the organizational impact of system and process changes must be determined to ensure that the anticipated benefits are realized. Training alone is not sufficient. Ultimately, the goal is a change enablement plan that will raise awareness with key stakeholders, obtain their buy-in and ensure their commitment to support the changes and the performance improvement objectives of the initiative.

User Acceptance Testing (UAT) – The final and most important phase of system testing, UAT, is designed to ensure that the system does what it was designed to do and that it meets user expectations. UAT must go beyond prior functional and technical testing phases. UAT scenarios should cover all business processes end-to-end, include all critical real-life data variations and be validated by process owners.

Data Conversion – This critical aspect is often overlooked by the business, but it is one of the most critical implementation processes, and a common source of project delays. No two systems are alike, and data from one system will rarely map cleanly or directly onto a new system. Data quality issues in legacy systems can also cause delays. Realistic data is critical to UAT. The business, supported by IT, typically owns data conversion design, mapping, enrichment, validation and cleansing. Start the data conversion process early.

Data Governance – To ensure that master data and transactional data are employed appropriately and consistently throughout the organization from go-live forward, the business should develop a comprehensive data governance program that includes a framework of organizational roles, a “data dictionary,” defined metrics and documented policies.

Business Intelligence (BI) and Reporting – BI and reporting should not be left as an afterthought, with the presumption that they can be addressed after go-live. For most users, the primary benefit of an enterprise system is ease and accuracy of reporting. Ensure that the BI and reporting requirements are fully incorporated into the design phase of the implementation and tracked throughout. The ease and flexibility of reporting is highly dependent on the quality of the architecture and design. The efficiency and integrity of the business process is dependent on the availability of information at the right time and place.

Enterprise systems can bring remarkable efficiencies and return on investment, or be massive failures – and the business, not the integrator or IT, is ultimately responsible for the outcome. For a more in-depth analysis of these and other implementation challenges, download our recently published white paper, Understanding the Responsibilities of the Business During an ERP System Implementation.

Digital Transformation, Data Governance, and Internal Audit


By Ari Sagett, Managing Director
Internal Audit and Financial Advisory

 

 

Digital advances, such as big data analytics, mobility and smart connected devices, are radically changing not just business processes, but entire operations. Companies across industries are racing to migrate analog approaches to customer interactions, products, services and operating models to an automated, always-on, real-time and information-rich marketplace. For internal audit, this means that IT risk is no longer limited to the traditional audit focus areas, but now spans the breadth of a firm’s operations (including areas that may not have been featured prominently in internal audit’s annual audit plan). And as companies store and process higher volumes of data in support of these automated routines, data governance remains critical.

Accordingly, internal audit departments need to consider the elevated risks this wave of digitization and automation may bring to day-to-day enterprise operations. Take customer service, for example. If routines are automated and customer service representatives now have lots of personally identifiable information on customers stored on workstations and network servers, then the risk profile of that department is elevated, and internal audit should evaluate controls to ensure that these potentially lower priority business functions are being considered and addressed in the context of technology risk.

We explored these challenges in our September 14th webinar, Digitization: What Does This Mean for Internal Audit. A recorded version is available on our website. More than 1,000 practitioners logged in for the live broadcast, which isn’t surprising considering that technology and data concerns topped the list of internal audit priorities in our 2016 Internal Audit Capabilities and Needs Survey.

Big data has also given rise to new, or emerging, risks. Cybercriminals are working both inside and outside of companies to capitalize on the massive and growing universe of valuable personal and private information. Regulators are promulgating policy and guidelines governing the security and privacy of the expanding universe of valuable and sensitive data. New technology-driven competitors are changing the competitive landscape. And older companies are trying to become more agile and innovative, replacing in-house data centers with cloud infrastructure.

As organizations embark on the digital transformation journey, it is incumbent upon the internal audit function to work with operational managers, risk managers, senior executives and the board to provide assurance that organizations continue to have the right controls, data governance, and compliance practices in place. In some cases, the internal audit function may serve a valuable role in educating stakeholders about the nuances of digitization and the associated risks.

Of course, all of these new responsibilities are over and above the traditional core functions, which cannot be neglected. Chief audit executives should ask themselves the following questions:

  • Does the current internal audit plan consider digitization risks?
  • Does IT leadership have a solid understanding of potential control impacts associated with digitization?
  • Does the audit team understand digitization?
  • Do our auditors have the right skills to effectively evaluate digitization risks and controls?
  • Does the internal audit function understand the impacts that digitization may have on data privacy, cybersecurity and other regulatory compliance obligations?

There is no doubt that by embracing digitization, organizations can maximize opportunities and drive competitive advantage. By providing assurance over the organizational risks posed by digitization, the internal audit department can give senior management and the board the information and confidence they need to embrace the digital future.

Is your internal audit team ready for the digital transformation? Share your thoughts in the comment section below.

Data Analytics in Internal Audit: An Imperative That Can’t Wait

May is International Internal Audit Awareness Month. We are celebrating with a series of blog posts focused on internal audit topics and the daily challenges and future of the internal audit profession.

 


By Kyle Furtis
Managing Director, 
Internal Audit and Financial Advisory practice

 

 

 

Data analytics is a hot topic for internal audit departments. In our most recent Internal Audit Capabilities and Needs survey, data analytics figured among the top ten priorities for internal audit professionals, and CAEs ranked big data and business intelligence their number one priority. When we concluded that internal audit has arrived at a tipping point, it’s fair to say that data analytics is one of the items sure to cause the precipitous changes in how we, as internal auditors, do our work.

The profession is aware that businesses are now more data-driven than ever before, and that not utilizing this data can be detrimental to the proper evaluation of risks and controls and, more importantly, meeting stakeholder expectations. Even so, many internal audit departments are still struggling to come up with a formal methodology for integrating data analytics into their work. A formal data analytics program has a mission and a purpose. It also specifies how data is to be identified, acquired and analyzed to determine potential breakdowns of selected controls. But how do you begin?

One recommendation, based on observing successful data analytics programs within internal audit, is to start in areas where you’re comfortable with the data – whether it’s account reconciliations, journal entries, payables, fixed assets, payroll, human resources or threshold/limit controls. It’s easy to test data based on information you’re comfortable with. Just start in an area where enhanced visibility into the underlying data can add value to internal audit findings.

An interesting example of how to begin came from one internal audit shop I worked with. One of the required steps in each audit was for auditors to explain why they didn’t analyze data when performing testing of internal controls. The auditor’s manager and the director of internal audit were also required to sign off on the explanation. The idea was that inserting that step into the audit program forces auditors to think about data in advance of the audit, knowing that they have to answer that question. They couldn’t just give a flip answer, such as “We didn’t have the time,” or “This type of audit is not conducive to data analysis.” It really forces the internal audit staff to think about the risks, the data behind the risks, and whether some data analysis is appropriate.

For those already thinking ahead in this manner, I suggest below a high-level road map that outlines what data analytics may look like in a few years, and how to get there:

  • In Year 1, define your objectives for data analytics and set the basics: Train staff, identify tools, access and normalize data. You may need to prove the value of data analytics through strategies such as pilot and proof-of-concept programs.
  • In Year 2, identify opportunities to fully embed data analytics in internal audit. Define the data-access model, establish key performance indicators (KPIs), and integrate ad hoc analysis.
  • In Year 3 (and perhaps beyond), fully embed data analytics, broadening its use within the organization, and move toward data governance.
  • Next, engage in continuous analytics, fully integrating the analytics program and establishing standard reporting practices. Enable access to analytics reports throughout the enterprise and increase the level of data governance.
  • Finally, introduce predictive analytics. This would be a new frontier for internal auditors, as predictive analytics is not 100 percent accurate, and, as auditors, we’re used to high precision and accuracy when we analyze data – but it will yield interesting results that you can use for discussion.

Incorporating data analytics into internal audit won’t happen overnight. It’s a multistage process, with components introduced over the course of several years. As with everything, the most important step is the first one – so get started on defining your objectives now. By following the road map outlined here, the benefits of more efficient and effective audits will not be too far down the road.

PreView: Checking the Rearview Mirror and Looking Ahead

In risk management, like driving, the safest way forward is to keep your eyes on the road ahead. Every now and again, however, it’s a good idea to check your mirrors. That’s the premise behind the latest issue of PreView, Protiviti’s ongoing series on emerging risks. In our first ever “look-back” edition, we revisit some of the risks we’ve highlighted since we initiated the series in early 2014. We often advise our clients to do a look back on their risk assessments, so it is appropriate for us to take our own medicine. Risks evolve, and checking to see whether we were on track with our predictions is worth the time and effort.

A little background: PreView is a “big picture” publication that focuses on macro-level emerging risks, classified according to the World Economic Forum’s five global risk categories – economic, technological, environmental, societal and geopolitical. Protiviti’s Risk and Compliance Solutions team scans the risk landscape and selects risks they believe have the potential to fundamentally change the profile portrayed in those risk categories.

The risks we revisited in the latest issue include municipal financial instability, Big Data, mobile banking and social media lending. Here, in short, is how these risks have evolved:

Municipal Financial Instability – In December 2014, we warned of municipal instability stemming from a decline in investor appetite for municipal bonds following a wave of defaults. We also warned of a pending debt crisis in Puerto Rico.

Update: Puerto Rico has defaulted on its debt in a case that is currently before the U.S. Supreme Court. At issue: The unprecedented possibility of a state-level debt restructuring – previous restructurings in the United States have all been at the municipal level. What to watch for: If the Supreme Court allows Puerto Rico to restructure its state debt, the bond market will turn a wary eye on the State of Illinois, which is experiencing its own financial crisis.

Big Data – In 2014, “big data” and machine-to-machine communication via the Internet of Things were all the buzz, and we cautioned against over-investing in data analytics without a clear quantification of benefits. We also called for strong data governance, security and management.

Update: Big Data and data analytics have moved from the fringe and into the mainstream due in part to the rapid expansion and dropping costs of data storage, cloud infrastructure and high-speed Internet bandwidth. Using this readily available data strategically promises to fundamentally change everything, from pizza delivery to health care. Big Data also has become the backbone of modern cybersecurity. And 79 percent of business leaders agree that companies that do not adopt Big Data will lose their competitive position and may face the possibility of extinction.

Mobile banking – In our first two issues of PreView, we noted the increasing popularity of mobile banking and suggested that successful financial institutions in the future would be those that found a way to integrate mobile banking and other banking options with traditional brick-and-mortar branch operations to allow customers to choose from multiple ways to conduct their banking.

Update: Trends have continued to show that consumers are interested in an “omni-channel” experience, where they can choose among different banking options, depending on their needs. In addition, nontraditional competitors such as PayPal, Amazon Payments and others continue to disrupt the market and threaten the relationship between the consumer and his or her bank. Cybersecurity and regulatory compliance remain key risks.

Social media lending – In January 2014, we predicted that an individual’s reputation on social media platforms, rather than their traditional credit score, could become a growing basis for lending. In addition, we anticipated that social media lending would create unique and complex fair-lending compliance issues and increase reputation risk with consumers. Lastly, we stated that social media disclosures and behavior might provide lenders with a source for validating information and a predictive profile of creditworthiness in the underwriting process.

Update: We hit two out of three right, as social media lenders in the United States entered and left the market, failing to pass the fair-lending standard. Target customers for this service today seem to be young entrepreneurs outside the United States who are shut out of traditional lending by a lack of a comprehensive credit history.

I know that this short overview doesn’t come close to doing these topics justice. For a more in-depth analysis and bibliographic links, download our Volume 3, Issue 1. In our next edition, we’ll continue to look forward: Technology-enabled disruption in financial services, natural resources sustainability and competition, political shifts and climate change effects on the economy are among the topics on our radar. We hope you stay engaged with us to navigate these risks.

Jim

To KYD or Not to KYD: It Is Hardly a Question

By Matt McGivern and Shaheen Dil,
Managing Directors

Protiviti’s Data and Analytics practice

 

 

The importance of “know your customer,” or KYC, activities to any AML compliance program is well known. A much less known – but equally crucial – component of an AML program is “know your data,” or KYD, which feeds into KYC and other AML compliance modules.

To run their AML compliance programs, financial firms use a variety of software to review customers, analyze transactions to identify suspicious activities and provide analytical and research capabilities to support suspicious activity reports (SARs). Both SARs and KYC rely on the quality and accessibility of data, which requires knowledge of that data – where it resides, who uses it, what actions are performed on it, etc. While over-stretched AML departments may not want to hear that they now need to be more proficient in data management, KYD activities are needed and can drive efficiencies inside these departments through better data governance.

Due to the way they grow, financial institutions often are burdened with siloed organizational and technical infrastructure with redundant and difficult-to-integrate systems and data stores. This creates a particular challenge for AML compliance heads who have to make sense of disparate data that flows into the AML system from a variety of sources.

A recently published Protiviti point-of-view paper, AML and Data Governance: How well do you KYD?, sets out how firms can benefit from putting in place an effective data governance program to alleviate this problem. The paper covers the main challenges firms face with regard to data management in the context of an AML program and summarizes the main steps needed to create an effective data governance function as follows:

  • Institute and enforce effective master- and reference-data management programs
  • Institute enforceable enterprisewide data governance strategy and processes
  • Be proactive in assigning data ownership and monitoring of data quality
  • Create a centralized repository for metadata
  • Support big data initiatives

Financial institutions that take these steps in an effort to create better data governance will not only be better equipped with regard to their AML efforts; they are more likely to achieve good standing with regulators who look favorably on firms that demonstrate data governance efforts.

Case in point: A Protiviti team, while working on a customer repository project at one of our clients, uncovered substantial data integrity and completeness issues across core systems supporting transaction monitoring at the organization. Regulators severely criticized the bank following an AML compliance program examination – a criticism that could have been avoided if effective data governance practices had been put in place. The firm engaged Protiviti to help expedite remediation of the data issues and formulate an effective and proactive data governance resolution to avoid an enforcement action.

We highly recommend reading this paper to gain a clear understanding of how critical KYD is to the long-term success of your AML program. Regulatory scrutiny around AML compliance has intensified after a series of high-profile lapses – so making data governance a priority seems like a prudent approach for financial firms.

New Protiviti Study – Assessing the Top IT Priorities for 2015

Protiviti has released another major research report today – this one details the findings from our annual IT Priorities Survey of CIOs and IT executives and professionals.

We’ll be exploring some of the key themes that came out of this study, including cybersecurity concerns, in the weeks ahead. For now, I invite you to view our video and infographic here. Please visit our survey landing page for more information and a downloadable copy of our report: www.protiviti.com/ITpriorities.

Jim

 

 

 

 

 

Just-Released Insights on IT Security and Privacy – Board Engagement, Cyber Threats and More

I am pleased to announce that Protiviti released the results of its 2014 IT Security and Privacy Survey today. Our report contains some highly noteworthy findings that we’ll be discussing in greater detail in future entries. For now, let me share the key highlights with you:

  1. Board engagement is a key differentiator in the strength of IT security profiles.
  2. There remains a surprising lack of key “core” information security policies.
  3. Organizations lack high confidence in their ability to prevent a cyberattack or data breach (which isn’t a surprise given previous entries we’ve posted on this blog!).
  4. Not all data is equal: Companies can’t protect everything – designating a subset of their data deemed most critical will help with their data security measures, yet many aren’t doing this.
  5. Many are still unprepared for a crisis.

Visit www.protiviti.com/ITSecuritySurvey for more information and to obtain a complimentary copy of our report. And view our video below.