Will You Pass an ERP Implementation Audit?
Do you like surprises? Your answer might depend on the type of surprise. For example, our 13-year-old daughter, with a little help from her grandmother, recently planned a surprise anniversary party for my husband and me. That was a pleasant surprise, especially knowing the time and thought she had put into planning it. Some surprises are not so pleasant, however, such as an unexpected audit finding. This article highlights areas to keep in mind as you proceed through an ERP implementation, to help you avoid common audit findings (i.e. not so pleasant surprises).
Verify Controls in Your ERP System
If you are transitioning from another system (or systems), you likely have automated controls you will want to verify exist in your new ERP system, or if the ERP system cannot support an existing automated control, you may need to implement a manual compensating control in its place. Additionally, you may have manual compensating controls that could not be enforced by your current system(s) that can be enforced in your new ERP system.
Consider the following as you proceed through your ERP implementation:
- Evaluate your existing controls, and determine which controls can be enforced by the new ERP system
- Evaluate financial and operational controls
- Evaluate security-related controls
- Segregation of duties
- Password usage
- Process for requesting and approving user access
- Process for periodic access reviews
- Evaluate and design controls for any batch processes you are implementing
- Evaluate and redesign controls for any business processes you are modifying
- Design manual compensating controls where needed
- Document controls that can be enforced by the ERP system (automated controls)
- Document controls that cannot be enforced by the ERP system (manual compensating controls)
- Test all controls during ERP implementation testing
ERP Implementation Documentation
During an implementation audit, you will be asked to provide various implementation documentation. Keep records of key information as you proceed through your ERP implementation, so you can easily provide the information when requested. Examples of implementation documentation you should consider keeping:
- Documentation of review and approval of key implementation artifacts, such as:
- Business requirements
- Functional specifications
- Technical specifications
- Configuration documents
- Test plans and scripts
- Training plans and materials
- Documentation of security approval, verifying appropriate user access
- Documentation of all changes made to the system, including approval of each change
- Data verification documentation, showing that all data migrated into the system was reviewed and verified
- Testing results, showing that all business processes, system changes, and controls were tested
ERP Implementation Audit Conclusion
The information provided above should help you prepare for a potential implementation audit and hopefully avoid the not so pleasant surprise of an unexpected audit finding. In addition, you will have implementation documentation you can easily and quickly provide to an auditor when requested, giving the auditor a pleasant surprise!