The Role of the Business in Ensuring a Successful ERP Implementation

By Ronan O’Shea, Managing Director
Global ERP Solutions Practice Leader




As organizations implement new enterprise resource planning (ERP) systems as part of digitization, process improvement and platform modernization, it is becoming increasingly critical not just for IT, but also for the business units themselves, to understand their central role in the overall success of these initiatives. The implementation of an enterprise system, or any other major IT system, should never be viewed as just an IT project because, ultimately, it is a business project with business objectives.

Even when a project is supported by a strong system integrator, it is critical for business stakeholders to assume responsibility for key activities before, during and after the implementation. Failure to do so can lead to project delays, budget overruns, business disruption and low user adoption, among other things.

There are seven key responsibilities that businesses need to understand and accept in any successful system implementation. They are:

Program Management and Governance – Although most system integration firms provide project management capabilities, common gaps include oversight of internal business and IT resources, management of other vendors, and engagement with company leadership. Proper oversight requires a more robust approach, from the establishment of a project management office (PMO) structure and assignment of roles, to the establishment of a comprehensive program-wide plan and a “single source of truth” for program status.

Business Process Readiness and Solution Design – Systems integrators are usually technical experts, not business process experts. Businesses should define the vision and operational expectations of a new system with regard to each business process. Specifically, the business must ensure that the technical solution the system integrator proposes will satisfy the business process vision and future-state goals. To meet operational expectations, the business should design process models for the end-to-end future state of each business process that the new system will impact. This will help system integrators focus on blueprinting rather than designing future processes, which typically is not their core expertise.

Organizational Change Enablement – As the solution design is established, the organizational impact of system and process changes must be determined to ensure that the anticipated benefits are realized. Training alone is not sufficient. Ultimately, the goal is a change enablement plan that will raise awareness with key stakeholders, obtain their buy-in and ensure their commitment to support the changes and the performance improvement objectives of the initiative.

User Acceptance Testing (UAT) – The final and most important phase of system testing, UAT, is designed to ensure that the system does what it was designed to do and that it meets user expectations. UAT must go beyond prior functional and technical testing phases. UAT scenarios should cover all business processes end-to-end, include all critical real-life data variations and be validated by process owners.

Data Conversion – This critical aspect is often overlooked by the business, but it is one of the most critical implementation processes, and a common source of project delays. No two systems are alike, and data from one system will rarely map cleanly or directly onto a new system. Data quality issues in legacy systems can also cause delays. Realistic data is critical to UAT. The business, supported by IT, typically owns data conversion design, mapping, enrichment, validation and cleansing. Start the data conversion process early.

Data Governance – To ensure that master data and transactional data are employed appropriately and consistently throughout the organization from go-live forward, the business should develop a comprehensive data governance program that includes a framework of organizational roles, a “data dictionary,” defined metrics and documented policies.

Business Intelligence (BI) and Reporting – BI and reporting should not be left as an afterthought, with the presumption that they can be addressed after go-live.  For most users, the primary benefit of an enterprise system is ease and accuracy of reporting. Ensure that the BI and reporting requirements are fully incorporated into the design phase of the implementation and tracked throughout. The ease and flexibility of reporting is highly dependent on the quality of the architecture and design. The efficiency and integrity of the business process is dependent on the availability of information at the right time and place.

Enterprise systems can bring remarkable efficiencies and return on investment, or be massive failures – and the business, not the integrator or IT, is ultimately responsible for the outcome. For a more in-depth analysis of these and other implementation challenges, download our recently published white paper, Understanding the Responsibilities of the Business During an ERP System Implementation.

Revenue Recognition Webinar Series: Systems and Data Challenges

Siamak RazmazmaSiamak Razmazma, Managing Director
IT Consulting Practice




Good news for companies getting a late start preparing for the new Financial Accounting Standards Board (FASB) revenue recognition rules. As we predicted, the effective date for the new rules has been pushed back a year. The new rules will now apply to reporting periods beginning after December 15, 2018.

Although the effective date has been pushed back, there’s a lot of work to be done between now and then (a prime reason why the effective date is being delayed!). Protiviti launched the Revenue Recognition webinar series in November last year, to help organizations understand what needs to be done well ahead of the deadline. In this series, we continue to work through the Six Elements of Infrastructure, delineating the probable impacts of the transition process in each area. The fourth installment of this five-part webinar series — Systems, Data, Reporting and a Transparent Audit Trail — was held on May 21.

Below, Siamak Razmazma, Managing Director of IT Consulting at Protiviti and one of the webinar speakers, answers some of the top questions raised by webinar participants:

Q: Can my core ERP system properly account for revenue under the new rules, or do I need a dedicated revenue recognition solution?

A: Most likely you’ll need a dedicated solution. Core ERP systems are transactional. When you sell a product or service and generate an invoice, the transaction is recorded in accounts receivable. When you receive a payment, it is posted against that invoice. Invoice and payment.

The accounting for how a customer payment transitions across the balance sheet from liability (advance payment received) to asset (revenue earned), is a separate process requiring its own tracking. For revenue recognition purposes, a payment received is an obligation to perform some contractual task. An advance payment, therefore, is a liability. It doesn’t become revenue until the obligation is met. The new FASB rules are designed to better align revenue recognition on the books with the underlying contractual obligation and the risks associated with it — manufacturing costs, cash flow, etc. Those obligations are defined by contracts and may involve several sales orders or transactions over time.

Combinations of sales transactions over time, or other criteria — such as risk — are totally unknown to the core ERP accounts receivable application. Revenue recognition requires an entirely separate sub-ledger, with a different architecture, capable of applying the appropriate criteria to record complex transactions.

Q: How do companies monitor compliance with revenue recognition rules when their ERP systems lack the capabilities to do so systematically?

A: There are several revenue recognition applications — both third-party and ERP-integrated. A lot of companies, especially smaller ones, use Excel or some kind of homegrown database. These do-it-yourself solutions may work for isolated cases, but if your company does any kind of volume at all, an automated solution is really the only way to achieve consistency, efficiency, transparency and data integrity.

Every calculation should be able to be tracked and the entire process should be transparent. Automated tools allow these things to happen at a fraction of the time that a manual audit requires. A single transaction that might take 30 or 40 hours to track manually only takes an hour with a revenue tracking application and automated reporting tools. When you consider an audit that takes 100 hours to perform with automated tools, you can imagine the enormous amount of time and cost saved.

Q: What are some third-party applications created for the new revenue recognition process?

A: Some of the more popular third-party applications include RevPro, RevStream,
and Softrax. A few ERP systems, including Oracle, NetSuite and Intacct, have integrated revenue recognition applications, and Microsoft has integrated a certified third-party application into Dynamics AX.

Q: When is the right time for companies to start elaborating their system strategy and related design to support the revenue recognition process?

A: The sooner the better, and strategy and design should develop simultaneously. Developing a strategy in the absence of system capabilities could lead to costly workarounds. The best way forward is to become familiar with the various revenue recognition solutions on the market and develop a compliance strategy that leverages existing capabilities as much as possible.

The final webinar in our Revenue Recognition series, which looks at the industry and cross-functional implications of the new rules, is scheduled for July 23 at 11:00 a.m. CST (12:00 noon EST). You can register here.

Here are the links to our previous webinars:

Webinar #1 – Revenue Recognition: It’s Here, Are You Ready? Transitioning to the New Revenue Recognition Standard

Webinar #2 – Revenue Recognition: The People Element – The Collaborative and Cross-Functional Employee Education Process

Webinar #3 – Revenue Recognition: Using a Methodology to Identify Gaps in Current Business Processes

Embracing the Digital World with SAP S/4HANA – What It Means to You

Global market dynamics – including an economically challenging environment along with changing consumer needs and buying behaviors – are forcing companies to rethink how they operate in a digitally connected world. To meet this challenge, many organizations are looking for innovative and adoptable ways to embrace digital disruption, especially around analytics, mobile, social media, the so-called “internet of things,” and of course, “big data.”

SAP’s recent release of SAP S/4HANA – which focuses on creating a digital enterprise – is the future of the global ERP giant. SAP S/4HANA enables organizations to respond quickly to their customer needs, enhance service levels, improve efficiencies, and enable the workforce with intuitive technologies to elevate performance of the organization.

SAP S/4HANA offers exciting opportunities for companies with decades-long investments in the SAP platform. In HANA, data is stored in memory as opposed to hard disk, increasing the speed of data retrieval for faster transaction processing and analytics. HANA’s innovative data storage structure facilitates the processing of large volumes of data at unprecedented speeds.

So, how is SAP S/4HANA different from various technology solutions in place from SAP? And what do SAP customers need to know prior to migration? Join Protiviti’s SAP Data Management and Advanced Analytics experts on July 15, at 11 a.m. Pacific Time. We will provide guidance on various deployment options, and discuss how this will help you better prepare to take advantage of S/4HANA.

An archived version of the live webinar will be available for those unable to attend. You can register on our website.

New Protiviti Study – Assessing the Top IT Priorities for 2015

Protiviti has released another major research report today – this one details the findings from our annual IT Priorities Survey of CIOs and IT executives and professionals.

Infographic-2015-IT-Priorities-Survey-Protiviti We’ll be exploring some of the key themes that came out of this study, including cybersecurity concerns, in the weeks ahead. For now, I invite you to view our video and infographic here. Please visit our survey landing page for more information and a downloadable copy of our report:







A Global Look at IT Audit Best Practices from ISACA and Protiviti

Brand.jpgby David Brand
Managing Director – Leader, IT Audit Practice



There is no disputing technology’s role in business today as an enabler of virtually every process and function. With this enablement and the advantages IT brings also come global risks – security, cyberattacks, privacy issues, data breaches, governance, asset management and much more. The critical question we ask is: Are IT audit practices keeping pace in order to assess, monitor and mitigate critical risks coupled to a technology-enabled business? This is what ISACA and Protiviti set out to determine in conducting the fourth annual IT Audit Benchmarking Survey.

Our 5 key findings from this year’s study:

  1. Cybersecurity and privacy are primary concerns – This area is rated as the top technology challenge and also may be driving trends such as increasing involvement from audit committees in IT auditing activities.
  1. Companies face significant IT audit staffing and resource challenges – Not only is this issue ranked among the top technology challenges, but it is an undercurrent in many of the survey findings, including the use of external resources to support IT auditing efforts.
  1. Audit committees, as well as organizations in general, are becoming more engaged in IT audit – More organizations have a designated IT audit leader, and over the past three years, the percentage of IT audit leaders that regularly attend audit committee meetings has doubled.
  1. IT audit risk assessments are not being conducted, or updated, frequently enough – Given the dynamic nature of technology change and risk, it is surprising to find that some companies still do not conduct IT audit risk assessments. Not only must IT audit risk assessments be performed, but they also should be reviewed and, if necessary, updated on a quarterly basis or more frequently. However, a majority of companies are conducting these reviews annually or even less frequently.
  1. There’s room for growth in IT audit reports and reporting structures – A majority of companies do not issue enough IT audit reports, and many still have the IT audit leader in a less-than-ideal reporting structure.

IT Audit Benchmarking Survey Infographic

Check out our infographic here. To view and download our report with detailed results from our study, visit


Developing an Effective, Scalable Third-Party Anti-Corruption Program

Scott Moritz - Protiviti NY 2013 (hi res) Scott Wisniewski - Protiviti Chicago -hi res 2012




by Scott Moritz and Scott Wisniewsk

Scott Moritz and Scott Wisniewski are Managing Directors with Protiviti. Moritz leads the firm’s Investigations and Fraud Risk Management practice, while Wisniewski is the head of Protiviti’s Risk Technologies group.

Honesty and trust aren’t what we want to be thinking about when it comes to the global partner ecosystems we are building out today. We’d rather be thinking about economies of scale, increased efficiency and agility, and a time to value that blows away the competition. Unfortunately, third parties represent a major and constant risk, and are the source of the majority of violations of the U.S. Foreign Corrupt Practices Act, the U.K. Bribery Act and other international anti-corruption laws. Because of this, an effective third-party anti-corruption program is now an essential component of the overall corruption program at many companies. An effective third-party anti-corruption program helps you to understand the risk that each third party represents, identify potential bad actors, and apply a heightened standard of care to these organizations, or even terminate the business relationship.

A successful program is all about designing sustainable, consistent global processes based on an understanding of which parties should be included in the program; applying a risk-scoring methodology to group the parties into high-, medium- and low-risk categories; and applying standard due diligence processes to all parties and enhanced due diligence processes to those that fall into the high-risk group.

Implementing a successful program also requires a global technology platform that centralizes – and can scale – all third-party anti-corruption activities across the global ecosystem. This is why Protiviti has just released the Governance Portal for Third-Party Anti-Corruption v4.1, a new Protiviti Governance Portal solution that makes it simpler, faster and easier to reduce risk and ensure compliance on a global scale. From creating a centralized repository for all program data and activity, to creating the required scorecards for vendors and partners, to managing workflow and maintaining an audit trail of activities, the Governance Portal for Third-Party Anti-Corruption enables key stakeholders to identify third parties with heightened risk and track investigations and resolutions – regardless of where the stakeholders or third parties are located.

By centralizing the third-party anti-corruption program and managing the processes more effectively, companies can more confidently focus on the business benefits of their ecosystems. For more information about third-party anti-corruption programs, check out Are Third Party Vendors Putting Your Company at Risk?” a July 15, 2014, webinar featuring Chris McClean, principal analyst and research director with Forrester Research, Inc. The webinar provides a detailed account of how to effectively apply best practices to identify potentially problematic commercial partners and the importance of an enabling technology platform.

IT Risks Are Prevalent – Do You Have Enough IT Audit Coverage?

Brand.jpgBy David Brand
Managing Director – Leader, IT Audit Practice



IT risk is everyone’s problem. By “everyone,” we mean the board of directors, senior management, process owners and internal auditors. Internal audit departments play a critical role in ensuring that mitigating processes and procedures are in place and working effectively to manage the organization’s risks. An alarming number of organizations, however, are not maximizing the input internal audit can have in helping to manage their IT risks. This neglect results in embarrassing incidents to the top of the organization, CIO organization and the owners of affected processes.

With the rapid evolution and propagation of social media, cloud and mobile technologies, IT departments are often stretched to their limits. Under pressure to implement, it’s easy to miss vulnerabilities and potential security breaches.

Examples – such as the website launch debacle and any number of corporate mea culpas regarding security breaches exposing customer financial data – illustrate vividly how quickly a glitch or vulnerability can escalate from an IT problem to a critical business problem and a huge reputational risk.

When it comes to IT audit programs and practices, our annual IT Audit Benchmarking Survey consistently reveals that organizations leave themselves significant room for improvement. Too many fail to plan and institute the IT audit coverage necessary to ensure an available, secure and efficient IT environment.

Furthermore, some organizations don’t house their IT audit resources in their internal audit departments, and others lack such resources entirely. We have found that just 1 in 4 companies have an IT audit director or someone in an equivalent role focused on technology risks.

I could say a lot on this topic, but our benchmarking survey provides a much more thorough and detailed analysis. I encourage you to read it. For now, let me close with five key questions that every CEO and audit committee member should be asking about their organization’s IT audit capabilities:

  1. Is our internal audit function performing an effective IT risk assessment at least once a year, and are people who are knowledgeable of infrastructure, applications and IT involved in the process?
  2. Has our internal audit team reviewed the COSO (2013 update) and COBIT 5 frameworks, and are our audit plans based on those recognized policies and practices?
  3. Does our IT audit team have a clear understanding of our organization’s short- and long-term IT objectives?
  4. How do we quantify our IT risks? What industry benchmarks and best practices are used?
  5. Does our IT audit risk assessment process coordinate with other risk assessment areas, including financial, operational and compliance?

As with any growing or rapidly changing risk, it is important for organizations to stay ahead of the risk management curve – and make this a sustainable effort.

For more about Protiviti’s IT Audit Benchmarking Survey, watch our video. I also invite you to see how you rate in auditing your IT risks at