The Role of the Business in Ensuring a Successful ERP Implementation

By Ronan O’Shea, Managing Director
Global ERP Solutions Practice Leader

 

 

 

As organizations implement new enterprise resource planning (ERP) systems as part of digitization, process improvement and platform modernization, it is becoming increasingly critical not just for IT, but also for the business units themselves, to understand their central role in the overall success of these initiatives. The implementation of an enterprise system, or any other major IT system, should never be viewed as just an IT project because, ultimately, it is a business project with business objectives.

Even when a project is supported by a strong system integrator, it is critical for business stakeholders to assume responsibility for key activities before, during and after the implementation. Failure to do so can lead to project delays, budget overruns, business disruption and low user adoption, among other things.

There are seven key responsibilities that businesses need to understand and accept in any successful system implementation. They are:

Program Management and Governance – Although most system integration firms provide project management capabilities, common gaps include oversight of internal business and IT resources, management of other vendors, and engagement with company leadership. Proper oversight requires a more robust approach, from the establishment of a project management office (PMO) structure and assignment of roles, to the establishment of a comprehensive program-wide plan and a “single source of truth” for program status.

Business Process Readiness and Solution Design – Systems integrators are usually technical experts, not business process experts. Businesses should define the vision and operational expectations of a new system with regard to each business process. Specifically, the business must ensure that the technical solution the system integrator proposes will satisfy the business process vision and future-state goals. To meet operational expectations, the business should design process models for the end-to-end future state of each business process that the new system will impact. This will help system integrators focus on blueprinting rather than designing future processes, which typically is not their core expertise.

Organizational Change Enablement – As the solution design is established, the organizational impact of system and process changes must be determined to ensure that the anticipated benefits are realized. Training alone is not sufficient. Ultimately, the goal is a change enablement plan that will raise awareness with key stakeholders, obtain their buy-in and ensure their commitment to support the changes and the performance improvement objectives of the initiative.

User Acceptance Testing (UAT) – The final and most important phase of system testing, UAT, is designed to ensure that the system does what it was designed to do and that it meets user expectations. UAT must go beyond prior functional and technical testing phases. UAT scenarios should cover all business processes end-to-end, include all critical real-life data variations and be validated by process owners.

Data Conversion – This critical aspect is often overlooked by the business, but it is one of the most critical implementation processes, and a common source of project delays. No two systems are alike, and data from one system will rarely map cleanly or directly onto a new system. Data quality issues in legacy systems can also cause delays. Realistic data is critical to UAT. The business, supported by IT, typically owns data conversion design, mapping, enrichment, validation and cleansing. Start the data conversion process early.

Data Governance – To ensure that master data and transactional data are employed appropriately and consistently throughout the organization from go-live forward, the business should develop a comprehensive data governance program that includes a framework of organizational roles, a “data dictionary,” defined metrics and documented policies.

Business Intelligence (BI) and Reporting – BI and reporting should not be left as an afterthought, with the presumption that they can be addressed after go-live. For most users, the primary benefit of an enterprise system is ease and accuracy of reporting. Ensure that the BI and reporting requirements are fully incorporated into the design phase of the implementation and tracked throughout. The ease and flexibility of reporting is highly dependent on the quality of the architecture and design. The efficiency and integrity of the business process is dependent on the availability of information at the right time and place.

Enterprise systems can bring remarkable efficiencies and return on investment, or be massive failures – and the business, not the integrator or IT, is ultimately responsible for the outcome. For a more in-depth analysis of these and other implementation challenges, download our recently published white paper, Understanding the Responsibilities of the Business During an ERP System Implementation.

Top Technology Challenges for Internal Audit: Results From Protiviti’s IT Audit Survey

By Gordon Braun, Managing Director
IT Audit

 

 

 

Process automation and digital transformation are near the top of most corporate agendas, and the IT audit function has never held a more crucial role. The results of the 6th Annual IT Audit Benchmarking Study from ISACA and Protiviti illustrate the increasingly integrated role IT audit leaders and professionals are assuming in regard to technology initiatives in their organizations.

I had the opportunity, along with my colleague David Brand and ISACA director Ed Moyle, to discuss the results at length in a recent webinar. You can view an archived version by registering here. In the meantime, I wanted to give you a quick rundown of the top technology challenges expressed by respondents, and how those challenges compare with the previous year’s results.

No surprise on the top tech challenge: Nearly all organizations are struggling with data privacy and cybersecurity. It’s an area where boards want assurance — even with an understanding that assurance can never be 100 percent, regardless of the amount of money spent. The challenge for IT audit, therefore, lies in determining the right amount of IT audit time and focus to be dedicated to cyber risk and ensuring coverage is in alignment with the risk appetite and priorities of the organization. Though cybersecurity is always a business issue, the risk is typically assigned to IT. IT audit’s effectiveness in this area is strongly related to the experiences and discrete knowledge that the IT auditors in the group bring to the audit. There continues to be a strong push for education and for using the right tools, frameworks, approaches and resources; all are critical elements in ensuring IT auditors stay in front of the cyber risks they are auditing.

Emerging technology (automation, digitization, cloud, etc.) remains a top challenge for IT auditors, though not ranked as high as last year. Effective IT governance in the face of emerging tech remains a goal for many organizations, and those that ignore it or get it wrong are going to struggle. IT auditors can help their organizations in this area by challenging the effectiveness of IT governance from both a design and operating perspective — this healthy and critical evaluation of the alignment between the business and IT is required in today’s environment. In organizations with enterprise risk management (ERM) functions, there may be a natural overlap in interest between IT governance and ERM, and IT auditors are well-positioned to seek out this partnership to share and receive perspectives from the ERM group.

Infrastructure management, regulatory compliance, and budget/cost concerns all moved up the list this year — a risk triumvirate that I think contributed to the return of third party/vendor management as a top-ten challenge, after dropping below the top ten last year. Infrastructure management and third-party vendor management are closely related as organizations increase reliance on infrastructure as a service (IAAS) and software as a service (SAAS) providers in an attempt to reduce their IT footprint. To ensure maturity in third-party risk management and ease related challenges, IT audit should be involved in the early stages of significant infrastructure projects, evaluating the processes and controls around third-party vendor management, ensuring upfront due diligence activities are completed, and reviewing service level agreements (SLAs) and contracts before they are signed. There are a number of efforts in the market to provide IT auditors with more avenues for assurance for these relationships – an area I fully expect will continue to see growth.

Missing from this year’s top-ten list is big data — a surprise, to say the least. In all my conversations with colleagues, big data remains a top priority, and is closely tied to many of the other top ten challenges. Its absence on the list, in my opinion, has more to do with the temporary elevation of other priorities, and a growing familiarity with the features, risks and benefits of big data, rather than any lessening of focus. Big data also looms large in this year’s Internal Audit Capabilities and Needs Survey, so the conversations around it are certainly not over.

Last, but certainly not least, staffing and skills cut across every other top technology challenge mentioned. Although it dropped slightly from last year’s ranking, it remains a top-five challenge — a reflection of the critical need for internal audit functions to hire and train tech-savvy auditors capable of understanding IT risks. This is particularly relevant for addressing the top challenge of cybersecurity, where expertise is key to gaining the cooperation and trust of IT. Co-sourcing, or even outsourcing of IT audit, can provide that expertise without straining internal resources. Each organization must decide on whether and how to augment its skills based on its specific level of reliance on technology.

Clearly, there is much to unpack from this year’s IT Audit survey results, and we will continue to analyze the findings and track progress in how companies address them. For the full ranking of challenges and a more in-depth analysis, visit our 6th Annual IT Audit Benchmarking Study page.

 

Answer Fundamental Questions and Beware of Overconfidence Before Moving to the Cloud

By Rick Childs, Managing Director
Consumer Products and Services Industry Leader

 

 

 

For any business, migrating to the cloud is an essential step in the digitization journey. The baseline cloud benefits, such as reduced costs, greater efficiency and enhanced customer service, are important objectives to strive for, of course. The latter is especially attractive to consumer products and services companies. But there are many considerations, in addition to the benefits, that businesses must keep in mind when shifting to the cloud if they are serious about achieving true digital transformation.

To begin with, companies must have a thoughtful — and even an aspirational — strategy behind any cloud migration project if they are to realize measurable value from it. Protiviti’s white paper, Cloud Adoption: Putting the Cloud at the Heart of Business and IT Strategy, emphasizes this key point: Executives need to recognize cloud adoption as a strategic business issue, not an IT issue. To ensure that such a move will enable true business and IT transformation, executives must have clarity on what they expect the cloud to accomplish for the organization. They also need to understand their digitization priorities within their specific industry and regulatory contexts.

Consumer products and services companies leading the cloud race

Cloud adoption is accelerating across all industries, but for consumer products and services companies the pace is quicker. According to Protiviti’s latest annual Technology Trends and Benchmark Study, nearly two in three companies today are now focused on investing in cloud adoption. For consumer products and retail companies that participated in the study, that number is 80 percent. These businesses also reported that they are currently focusing on and investing in digitization.

Interestingly, despite being on the forefront of cloud adoption, consumer products and services companies don’t appear to be overly concerned about risks that may accompany such a dramatic move. Executives from these businesses who responded to the Executive Perspectives on Top Risks for 2017 survey from Protiviti and North Carolina State University’s ERM Initiative did not cite the following as a top five risk for their industry, even though it was fourth on the overall list of top risks in the survey:

Rapid speed of disruptive innovations and/or new technologies may outpace our organization’s ability to compete and/or manage the risk appropriately, without making significant changes to our business model.

On the surface, this finding seems positive: Consumer products and services companies believe they have a handle on this top risk. However, it might also be a signal of overconfidence. And overconfidence is a risk in and of itself, and could potentially undermine the success of any digital project. To help those feeling confident test their preparedness, a recent issue of The Bulletin suggests that executives ask themselves the following questions:

  • Directionally, do we know as an organization where we’re going and why?
  • Are we prepared for the journey we are undertaking?
  • Do we possess the ability, will and discipline to cope with change along the way?

Pondering these questions can help organizational leaders think more critically about their goals, the risks associated with the changes they want to undertake, and whether they fit within the risk appetite of the company. Answering these questions will also help them to think more critically about what to move to the cloud, how and when, to realize the most value for the company.

For example, back-office operations are often overlooked as potential candidates for cloud migration in favor of more customer-facing functions. This oversight could result in the business missing out on some significant benefits, like building greater resiliency into its core operations. The inverse is another common mistake: Rushing to migrate a back-office function and then realizing, too late, that the legacy technology supporting it can’t be cloud-enabled. Yet another pitfall is jumping on the cloud bandwagon before properly considering privacy, security or compliance issues.

Even more questions to consider

In addition to the “soul-searching” questions above, organizations should seek to answer some other key questions to help them develop their cloud strategy:

  • Why should we adopt the cloud?
  • What are the business needs, and what are the outcomes we expect?
  • What are the use cases?
  • What portions of the business should we move to the cloud, how, and when?
  • Which cloud model is most appropriate for this initiative and for our organization (e.g., private, public, hybrid, or multi-cloud)?
  • What is the economic and operational value proposition?
  • How would this project impact IT’s approach to its current business model?
  • What vendors should we work with?

The bottom line of this discussion can be summed up in a word: preparation. Well-placed confidence, clear business-driven goals and a well-thought-out strategy will position organizations to execute their cloud migration project successfully, achieve the desired value from it, and be another step ahead in their digital transformation journey.

Assessing the Expectations of Internal Audit Stakeholders at The IIA GAM Conference

This week, Protiviti is joining the best and brightest thought leaders from Fortune 500 companies at The Institute of Internal Auditors’ 2017 General Audit Management (GAM) Conference in Orlando, FL. For nearly 40 years, GAM has been the premier experience for internal audit leaders to explore emerging issues and exchange leading practices for positive outcomes. The theme for the 2017 conference is Fostering Risk Resilience. Two Protiviti leaders, Brian Christensen and Jordan Reed, will be conducting panel discussions on stakeholder expectations and the Internet of Things, respectively. We are covering these events and more from the conference here on our blog and on Protiviti’s social media platforms. Subscribe to our blog and follow us on Twitter for timely podcasts and analysis of this year’s conference topics.

 

Panel Session at the 2017 IIA GAM Conference:
Stakeholder Expectations (Updates from CBOK Stakeholder Studies)

Today at The IIA 2017 GAM Conference, Brian Christensen, Executive Vice President, Global Internal Audit for Protiviti, participated in a panel discussion before more than 1,000 conference attendees, on the expectations of internal audit stakeholders and how internal audit can continue to improve its performance. The panel was moderated by Paul Sobel, Vice President and Chief Audit Executive, Georgia-Pacific LLC. Panelists were Angela Witzany, Chair, IIA Board of Directors and Head of Internal Audit at Sparkassen Versicherung AG; Larry Harrington, Vice President, Internal Audit at Raytheon Company; and Brian Christensen, Executive Vice President, Global Internal Audit at Protiviti.

Following are some highlights from Brian’s comments:

  • Are we in the so-called “golden age” of internal audit? Membership in The IIA is at an all-time high. Conferences and programs are near capacity. As internal auditors, we are part of the conversation in the boardroom and management circles. And internal audit has been rated one of the 10 best professions to start a career. But, it’s important to ask, what can we do better? How do we remain relevant and serve our constituents better? Answering these questions was the goal of the 2016 Global Internal Audit Common Body of Knowledge (CBOK) Stakeholder Study.
  • Stakeholders agree that internal audit is focused on the most significant areas in their organizations. Internal audit is keeping up with changes in the business and is communicating well with management and the board.
  • Internal audit needs to further leverage its positive reputation for quality in other areas of the business where it can add value.
  • Management and the board want internal audit to “move beyond its comfort zone” to help organizations bring internal audit perspective on strategic initiatives and changes – digitalization, cybersecurity, Internet of Things and more. Change is all around us. In light of these many changes, what are new and emerging risks that organizations need to understand and manage? Internal audit can and is expected to provide information and insights to board members and management on these new risks.

Brian also offered some calls to action:

  • As internal auditors, we need to rise up to the expectations of our stakeholders. We’ve been told we’re doing a great job, but we can do more, and our stakeholders want us to do more.
  • We need to break out of historical thinking and approaches. We’ve earned a solid reputation – we now need to build on it.
  • We need to focus on and embrace the four C’s – Culture, Compliance, Competitiveness, Cybersecurity.
  • We need to ask ourselves: Where do we want to be in five years? In 10 years? How do we continue our “golden age”? The answer: Take on bold ideas and new concepts.
  • Finally, we need to own the discourse to fulfill the expectations of our stakeholders.

We have a great opportunity – not just for ourselves, but to create a path for those behind us. Stakeholders have given us a road map to success. Let’s fulfill our destiny and continue our golden age.


Partly Cloudy: Outage Raises Resiliency Concerns

By Jeff Weber, Managing Director
Technology Strategy and Operation

 

 

 

Everyone needs a little downtime – critical IT infrastructure, not so much. Security and reliability have long been the two primary enterprise concerns when it comes to the cloud. And while security has been the dominant concern over the past couple of years, recent high-profile cloud outages have brought reliability front and center.

A recent outage affected almost 150,000 sites. In the not so distant, cloud-less past, most companies would have had in-house servers, and the disruption would have been limited and isolated. Included in the outage was an internet messaging and chat service popular among IT professionals, who were quick to notice and spread the word. More importantly, this service enables IT services and communication, and its loss impaired the ability of organizations to maintain service levels.

Even companies with on-premise enterprise systems could find themselves unexpectedly cut off from critical services, vendor portals and clients, in the event of a service interruption at a cloud-based communications provider.

Cloud functionality affects virtually everyone. These days, if any company thinks it doesn’t have significant cloud exposure, it needs to think again. Now is the time for companies to be asking themselves whether their risk management framework is robust enough to identify risk exposure they may not have thought about.

The worst time to discover a critical exposure to a cloud outage is…well, always. Protiviti recommends that companies act now to conduct a cloud risk assessment and impact analysis and develop an effective response plan. Key elements include:

  • Conducting a thorough process review to identify any hidden cloud exposures
  • Identifying and prioritizing “crown jewels” – in this case, critical functions that must be protected from disruption
  • Comparing exposures against the company’s risk appetite and establishing a remediation threshold – for example, frequency and duration of outage
  • Creating an awareness of susceptibilities and developing response procedures

Although for many companies this type of exercise is new when it comes to cloud computing, it is essentially the same process they have applied in the past to telecommunications, infrastructure and other “always-on” systems and applications. The chief information officer should lead, or at least be at the table for this discussion, and ensure that the right people are involved in the conversation. Furthermore, the discussion should be conducted in business-relevant terms (risk, effect on operations) rather than IT terms (systems downtime, for example).

Public reaction to cloud outages, to date, has been relatively muted. That is likely to change, and quickly, as connectivity increases and digitization and the Internet of Things transform existing business models. No one is really shocked that cloud outages happen, but now that they are on the radar, it is important to plan for the occasional yet inevitable “inclement weather.”

Customer Loyalty Through Better Security — and How to Achieve It

By Rick Childs, Managing Director
Consumer Products and Services Industry Leader

 

 

 

Customer loyalty programs are among the basic building blocks of successful consumer products and services companies today. These programs are not only competitive differentiators, but also key drivers of revenue and profits for retailers, restaurants, hotels, airlines and many other businesses. The success of loyalty programs, however, hinges on more than inspiring customers to opt in and offering them rewards that they find compelling. Consumer trust is also essential.

Consumers want to be assured that the companies they interact with through various touch points — online, offline and through mobile applications — are doing everything possible to protect their personal data and privacy. Even millennial consumers, who are generally more willing than customers in other demographic groups to share personal information with businesses in exchange for rewards, have high expectations that companies will keep their data secure and respect their privacy. And if the companies don’t, they are quick to hold them accountable.

Privacy concerns are weighing on the minds of executives in the consumer products and services industry this year, according to a survey, Executive Perspectives on Top Risks for 2017, from Protiviti and North Carolina State University’s ERM Initiative. Representatives of this industry group who took the survey ranked the following concern third among the top five risks: Ensuring privacy/identity management and information security/system protection may require significant resources for us.

Digitalization, the IoT and cyberthreats add to the challenge

Like most things related to information security in a digital world, privacy, customer identity management and information security are all easier said than done. In fact, they are becoming only more challenging for consumer products and services companies as these businesses:

  • Introduce more mobile and digital offerings to their customers
  • Collect, store and analyze more and more customer data from applications and devices
  • Develop and use applications and devices designed for the rapidly emerging and highly interconnected Internet of Things (IoT)
  • Embrace digitalization and migrate “analog” approaches to customers, products, services and operating models to an “always-on,” real-time and information-rich marketplace

It is hardly surprising then that consumer products and services businesses face a constant barrage of sophisticated and stealthy cyberthreats designed to target customer and payment information.

Recent high-profile data breaches and targeted hacks involving major retailers, fast food chains and hotels are just the latest headache-causing wrinkle as consumer products and services companies are scrambling to evaluate their ability to protect customer and payment information. (Executives no doubt had these incidents on their minds when responding to the latest risk survey: they also ranked cyberthreats among the top five risks for their industry in 2017.)

Drive results through strategy and collaboration

Certainly, there is no getting around the need for consumer products and services companies to devote more resources toward ensuring privacy, addressing identity management issues, and protecting information and systems. This is an imperative for any business that handles customer and financial data in a digital world. But organizations also must be very strategic when aligning and deploying these resources if they want to see results.

Developing the right strategy requires effective collaboration between the business and IT. If they are not doing so already, business executives in consumer products and services organizations should resolve to reach out to their counterparts in IT sooner rather than later.

Another party to include in discussions about privacy risk and cyberthreats this year: internal audit. We are seeing more organizations increasing business, IT and internal audit collaboration not only to address known risks, but also to help the business prepare for new challenges related to digitalization and the IoT. As Protiviti’s white paper, The Internet of Things: What Is It and Why Should Internal Audit Care?, explains, “Businesses developing and using applications and devices within the IoT must be aware of how the data they are collecting, analyzing and sharing impacts user privacy.”

Engaging business, IT and internal audit leaders to share their perspectives on these risks will help consumer products and services companies to ensure they are doing everything necessary to protect their customers’ privacy and information in a digital and hyperconnected world. It will also give them more confidence to interact with consumers through more channels, and to innovate programs and other offerings that will earn — and keep — their business.

Digital Transformation, Data Governance, and Internal Audit

By Ari Sagett, Managing Director
Internal Audit and Financial Advisory

 

 

Digital advances, such as big data analytics, mobility and smart connected devices are radically changing not just business processes, but entire operations. Companies across industries are racing to migrate analog approaches to customer interactions, products, services and operating models to an automated, always-on, real-time and information-rich marketplace. For internal audit, this means that IT risk is no longer limited to the traditional audit focus areas, but now spans the breadth of a firm’s operations (including areas that may not have been featured prominently in internal audit’s annual audit plan). And as companies store and process higher volumes of data in support of these automated routines, data governance remains critical.

Accordingly, internal audit departments need to consider the elevated risks this wave of digitization and automation may bring to day-to-day enterprise operations. Take customer service, for example. If routines are automated and customer service representatives now have lots of personally identifiable information on customers stored on workstations and network servers, then the risk profile of that department is elevated, and internal audit should evaluate controls to ensure that these potentially lower priority business functions are being considered and addressed in the context of technology risk.

We explored these challenges in our September 14th webinar, Digitization: What Does This Mean for Internal Audit. A recorded version is available on our website. More than 1,000 practitioners logged in for the live broadcast, which isn’t surprising considering that technology and data concerns topped the list of internal audit priorities in our 2016 Internal Audit Capabilities and Needs Survey.

Big data has also given rise to new, or emerging, risks. Cybercriminals are working both inside and outside of companies to capitalize on the massive and growing universe of valuable personal and private information. Regulators are promulgating policy and guidelines governing the security and privacy of the expanding universe of valuable and sensitive data. New technology-driven competitors are changing the competitive landscape. And older companies are trying to become more agile and innovative, replacing in-house data centers with cloud infrastructure.

As organizations embark on the digital transformation journey, it is incumbent upon the internal audit function to work with operational managers, risk managers, senior executives and the board to provide assurance that organizations continue to have the right controls, data governance, and compliance practices in place. In some cases, the internal audit function may serve a valuable role in educating stakeholders about the nuances of digitization and the associated risks.

Of course, all of these new responsibilities are over and above the traditional core functions, which cannot be neglected. Chief audit executives should ask themselves the following questions:

  • Does the current internal audit plan consider digitization risks?
  • Does IT leadership have a solid understanding of potential control impacts associated with digitization?
  • Does the audit team understand digitization?
  • Do our auditors have the right skills to effectively evaluate digitization risks and controls?
  • Does the internal audit function understand the impacts that digitization may have on data privacy, cybersecurity and other regulatory compliance obligations?

There is no doubt that by embracing digitization, organizations can maximize opportunities and drive competitive advantage. By providing assurance over the organizational risks posed by digitization, the internal audit department can give senior management and the board the information and confidence they need to embrace the digital future.

Is your internal audit team ready for the digital transformation? Share your thoughts in the comment section below.