
Effective Internal Controls During ERP and Other Enterprise System Implementations

Effective Internal Controls During ERP and Other Enterprise System Implementations. March 22, 2012. Agenda: The Security and Control Challenge; An Approach to Security and Controls; Benefits & Challenges; Summary. The Security and Controls Challenge. New ERP Systems: Introducing Risk.


Presentation Transcript


  1. Effective Internal Controls During ERP and Other Enterprise System Implementations • March 22, 2012

  2. Agenda
     • The Security and Control Challenge
     • An Approach to Security and Controls
     • Benefits & Challenges
     • Summary

  3. The Security and Controls Challenge

  4. New ERP Systems: Introducing Risk
     • “As Is” Processes vs. “To Be” Processes
       • Controls, either manual or system-based, may not be documented in the “as is” environment; when the “to be” is being mapped, these controls may be lost.
     • Data Integrity in Legacy Systems vs. Integrated Systems
       • Older systems use many separate data files and manual procedures to detect errors; integrated systems increase the exposure for data interfaces (especially for phased implementations) and the risk of data integrity issues.
     • Up-front Controls Required
       • If robust data and validation checks are not “built in”, the impact is immediate and pervasive, rippling throughout the system(s). Data mapping and data conversion control weaknesses can result in “garbage in, garbage out” when the new system is implemented.
     • Integrators Focus on Feature/Functions, Not Controls
       • Integrators do not focus on controls or security. Controls specialists are required to design and implement a robust control environment.

  5. New ERP Systems: Mitigating Risk
     • Migration from the “As Is” to “To Be” environment and ERP presents a controls challenge, especially for phased implementations
     • How do we ensure effective controls are in place?
       • Purpose of a control is to prevent (system-based control) or detect (manual control) a risk in the business processes or the systems used to facilitate the process.
     • How do we ensure controls are efficient?
       • Manual controls may be effective, but are they efficient?
     • How do we make the best use of controls in the new packages being implemented: JDE’s ERP, i2’s SCP and CAS’ CRM?
       • Need to prevent duplication of manual and system-based controls.
     • How do we deliver a controlled business environment?
       • Ensure controls are documented and reviewed proactively throughout the project using a structured, comprehensive methodology.

  6. The Security and Controls Challenge
     System implementation brings about numerous risks to the organization and may disrupt the overall control environment.
     • Reputation Risk
     • Financial Risk
     • Project Management Risk
     • System Development Risk
     • Data Integrity Risk
     • Statutory & Regulatory Risk
     • Technology Risk
     • User Preparedness Risk
     • Business Operations Risk
     • Product Risk
     • Security Risk
     • Support & Maintenance Risk

  7. The Security and Controls Challenge
     • Management’s responsibility is to ensure that controls remain effective throughout the implementation and after go-live.
     • ERP implementations raise many control issues for management including:
       • Optimizing controls associated with streamlined business processes
       • Effective use of the control features of the enterprise software package
       • New IT skills and processes required to administer and operate distributed computer platforms and networks
       • High system availability and business continuity requirements
       • Controlling the creation and maintenance of shared master data
       • Maintaining data integrity during conversion and interface processes
       • Ensuring authorized transactions and segregation of duties through application security
       • Protection of confidential information in a distributed environment
       • Administration of user security across multiple platforms

  8. The Security and Controls Challenge
     • What is the potential value of including a security and controls perspective in an implementation?
       • Optimize system business process controls that:
         • Maximize reliance for management and audit (e.g., data integrity, information availability, data confidentiality, and reliability),
         • yet are streamlined for increased efficiency.
       • Effective use of the system control features
         • Embedded process controls (approval limits, data validation, etc.)
       • Secured environment that meets the business requirements and is efficiently and effectively administered.
       • Enabling authorized transactions and segregation of duties through application security.
       • Strong IT operational infrastructure framework to support the implementation and production operation (e.g., change management, continuity of service, operation management, management and communication, monitoring, and training).
       • Data conversion process that enables the accurate and efficient transfer of corporate information from existing systems.

  9. An Approach to Security & Controls

  10. An Approach to Security and Controls
     • IT Operations
     • Business Process
     • Project Management
     • Data Integrity
     • Security

  11. Business Process Controls
     • Evaluation and design of operational and functional controls around application business processes.
       • Business process documentation and control identification
       • Process control risk analysis
       • Business process control assessments
       • Data integrity (accuracy, completeness and validity)
       • Segregation of duties
       • Availability and timeliness
       • Confidentiality
       • Asset Protection
       • Compliance
       • Interface business process controls with security profiles

  12. Security Management and Controls
     • Evaluation and implementation of information security to enable effective, efficient, and secure access to information.
       • Security policies and awareness program
       • Default package security configuration
       • Application security profiles
       • User ID and security administration procedures
       • Security in supporting technologies (Operating System, Database, Network)
       • Privileged access
       • Security incident monitoring and response process
       • User ID and access review processes

  13. IT Operational Controls
     • Evaluation and design of IT processes and controls related to the administration, operation, and support of the enterprise package technology infrastructure environment
       • System administration and operations management
       • Performance and Capacity planning
       • Hardware, software and configuration change management
       • Backup and Continuity Planning
       • Help Desk
       • Asset Management
       • Data Management

  14. Data Quality/Integrity Controls
     • Evaluation and implementation of data integrity controls associated with the required data conversions and system interfaces.
       • Control of Master Record data
       • Control of setup data and user tables
       • Data conversion
       • System interfaces
       • Audit trails
       • Reconciliation

  15. Project Management Controls
     • Evaluation and implementation of project management controls.
       • Project organizational structure
       • Personnel and resource management
       • Financial management and budget tracking
       • Vendor management
       • Risk assessment/management
       • Project monitoring and status reporting
       • Issue/problem escalation and management
       • Program change control and migration to production
       • System development methodology (i.e., project initiation, requirements definition, design, construction, testing, data conversion, implementation and roll-out)

  16. The Benefits and Challenges

  17. Potential Challenges to the Integration of Security and Controls
     • There are typically a number of challenges that must be considered to successfully integrate security and controls into a system implementation project:
       • Who does the security and controls work?
         • Does the system integrator have a security and controls mindset?
         • What role do Internal Audit and a Compliance organization have in the project?
       • Timing
         • When is the best time to address each of the control components?
         • Has sufficient time been allowed for in the project plan?
       • Company willingness to change business process to allow for better control
         • Increased control often means less flexibility for users
       • Ability of the software package to be configured to meet business needs

  18. Benefits of Considering Control During an Implementation
     • Our System Integration Controls approach, methodology, and tools have many benefits for your company by enabling:
       • Effective use of system software and generally accepted practices to help optimize IT and business process controls
       • Establish appropriate controls and IT processes for reliable system operations and administration
       • Develop appropriate data integrity controls to minimize system interface and data conversion risks
       • Define sound information security controls and processes to protect information assets
       • Focus on a risk based approach to focus effective controls design on highest risk areas

  19. Contact Information
     • Timothy N. Schmutzler, Principal, KPMG LLP, Two Financial Center, 60 South Street, Boston, MA 02111. Tel 617-988-6349, Fax 617-904-1841, Cell 401-338-8645, tschmutzler@kpmg.com
     • Rory Costello, Partner, KPMG LLP, 515 Broadway, Albany, NY 12065. Tel 518-427-4826, Fax 518-689-4733, Cell 518-729-7159, rcostello@kpmg.com

  20. Questions

  21. New York’s Statewide Financial System (SFS)
     • SFS Overview and Some Key Control Issues

  22. SFS Overview
     • Goal: To replace State Comptroller’s aging Central Accounting System and disparate agency financial management systems with one, integrated statewide system.
     • Sponsors: Jointly governed by the Office of the State Comptroller and the Division of the Budget
     • Software: Oracle PeopleSoft Financials (v. 9.0)
     • Consultant Partners: System Integrators – IBM and Deloitte; Quality Assurance – KPMG
     • Go-Live: April, 2012 (Phase 1)

  23. SFS Overview (continued)
     • Users:
       • 61 State entities (Phase 1)
       • 13 State agencies (Future phase)
       • When fully implemented:
         • 9,800 core agency users
         • 80,000+ State employee travelers
         • 100,000+ vendor users
     • Cost:
       • $250–$300 million (by end of SFY 2012-13)
     • Organization:
       • New State Entity/Agency Created to Manage Project and Operate System – SFS
       • Approximately 150 State employees (supplemented by consultants)
       • Office of the State Comptroller’s CIO provides data center, network operations, storage and other technical support services to SFS.

  24. SFS – Some Key Control Areas/Issues
     • Authority/Roles/Responsibilities: Preserving the Authority/Roles/Responsibilities of the Governor and Comptroller in Regard to State Financial Management
     • Application Design: Implications of key design/configuration decisions
     • Data Conversion/Validation: Implementing an entirely new Chart of Accounts for the State of New York
     • Ability of Software Package to Meet Business Needs: Challenges where business processes and software meet
     • Continuity of Business Operations: Ensuring business continuity – and managed expectations – during the conversion/cutover process

  25. Additional Information
     • Internet Resources:
       • For additional information on the SFS Program: www.sfs.ny.gov
       • For more information on the NYS Office of the State Comptroller: www.osc.state.ny.us
     • MY CONTACT INFO:
       • Christopher Gorka, Asst. Comptroller, Division of Payroll, Accounting and Revenue Services, NYS Office of the State Comptroller. (518) 408-4187 (office), (518) 257-6251 (cell), e-mail: cgorka@osc.state.ny.us

  26. Questions

  27. © 2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 38615WDC • The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.
