Dear Friend,
Hopefully, this brief extract, along with the G21 Enterprise Resource Planning Systems Review Guidelines from "https://www.isaca.org", will be helpful for you:
Auditing Governance in ERP Projects
It is very important for an IS auditor to carry out an audit of the governance aspects of an ERP project, for it is often a neglected area. The audit of governance should be done ideally at different stages throughout the life of the project, beginning with the initiation stage.
For a typical ERP project, the audit of governance aspects may be covered at four stages:
1. Initiation
2. Midterm, i.e., midway through the implementation when most of the new business processes have been defined and configured in the system
3. Project completion, a month or two after "go live" and project completion
4. Post-stabilization, i.e., about a year after project completion
The best time to do an audit of the governance of an ERP project is at the initiation stage. It is at this stage that the scope of the project and the corresponding benefits and expectations are defined.
The focus of the governance audit during the initiation phase should be on:
i) Clear definition of gains and benefits expected from the implementation—Unfortunately the expectations from the ERP project by persons at various levels and functions of the organization are vastly different and at times can also be grossly at variance with the real and correct picture. Therefore, it is necessary that during the initiation stage of the project, the expectations are clearly defined. This should go beyond the usual project vision and charter statements that use grand words to convey more intent than tangible benefits that can be quantified and measured. The expected benefits should be categorized with respect to the various functions. At least some of the benefits should be quantifiable and measurable; those that relate to improvements in processes should be converted to some measures of increased efficiency, such as cycle time and number of events, and the other nonquantifiable benefits and advantages should be listed together with the favorable impact that they will produce on the business for achievement of the objectives of the business.
ii) Scope definition—The definition of the scope of the project should ensure that the real needs of the business (in the functions and locations that are critical to the enterprise's success and where there are major pains for the organization) are included. The audit should also check the extent of the participation of users in the scoping. Often scope definitions are guided by the limitations of the existing feature set of the chosen package and ease of implementation to ensure early success. This may result in key areas of the business being left out or marginally covered by the ERP, resulting in minimal benefits in the critical areas. This area of audit aims to check the alignment of the ERP project with the business.
iii) Current levels of the metrics that are expected to be improved—The auditor should also check whether various metrics on which improvements and benefits are expected to flow after the ERP implementation are recorded accurately at their current levels, together with the conditions and assumptions. Typical areas would be inventory, working capital, cycle times for various processes and other productivity measures. This will provide a proper basis for checking the improvements after the implementation.
iv) The organization structure for ensuring governance—At this stage, the auditor should check whether the responsibility for ensuring governance is entrusted to a capable senior person or a committee. Ideally, it should be a senior management committee that is fairly distant from the IT and project management organization.
Once the audit is completed at the initiation stage, the next audit of governance should be done at the interim stage midway through the implementation, to ensure that the project is progressing without dilution in scope and the critical business needs are covered to realize the achievement of key result areas for these functions. At this stage of the audit, it is very important for the auditor to get feedback from the managers and users of the various functions as to how they see the ERP assisting them in performance of the business processes in their areas and in efficiency improvements.
The next audit of governance in an ERP project should be done post-implementation and should cover the areas described in the two previous paragraphs. This will be the time to assess whether the ERP covered all the key processes and locations, as per the scope, and the impact of changes to business processes with a view to see if efficiencies improve. It may be too early to actually compute the benefits and improvements at this stage.
In addition, during this phase of the project, the audit should focus on the IT service delivery. The ERP users need to be suitably assisted in using the system and the system should deliver the promised levels of uptime and response to user problems. This audit would also cover the method of computing the service level agreement (SLA) metrics and their adherence.
The post-stabilization audit should focus on two key areas of governance: the alignment with the business and the benefits realization. The documentation of the expectations and objectives at the initiation stage together with the metrics should be used as reference points during this audit. The auditor should also determine if there have been any changes to the business scenario during the period to impact the ERP and whether or not suitable changes have been made.
The methodology for doing this audit may involve using certain instruments and surveys at user and manager levels suitably corroborated by evidence from the system regarding actual usage. This audit can be a useful tool to make adjustments to configurations, fine-tune the changed business processes, implement complementary software solutions for meeting specific needs and do some integration of the ERP with a few simple home-grown solutions that are too important and user-intensive to dispense with.
It is not necessary that audits of governance of ERP projects be carried out as special assignments. All these audits can actually be combined with the traditional IS audit that would be conducted during these periods. The only difference is that instead of covering only security, controls and other aspects, the audit would also include, under a separate section, the points as mentioned in the previous paragraphs.
IT is too important and too expensive to the business to think that only its security and control risks need to be managed and audited. The audit of the governance aspects of ERP implementations is necessary to ensure that IT helps the enterprise in the achievement of its business goals.
Regards