How to Audit an ERP System via the Risk Management Route Presented by: Gabriel Lung ISACA London Chapter Events 2003/2004 ABN-AMRO, 250 Bishopsgate, London 27 May 2004

How to Audit an ERP System via the Risk Management Route

Presented by: Gabriel Lung

ISACA London Chapter Events 2003/2004
ABN-AMRO, 250 Bishopsgate, London
27 May 2004

Disclaimer

This presentation is based solely on my own views and not those of my company

Introduction

Risk Management in BAA: corporate governance, risk management process and methodology
The principle of trust
The ERP rationale and coverage
The ERP audit the RM way
Lessons learnt
Q&A

BAA Business Activities

Airport management
Airport retail management
Property development
Duty free retailing
Train operations
Designer outlets

Turnbull/Combined Code Requirements

BAA must report annually on its systems of internal:

financial control
operational control
compliance control
risk management process

The majority of assurance will come from management

Risk Management Process

(Diagram) The Corporate Risk Director owns the Key Corporate Risks and reports to the MB and XC, who ask "How are these key risks managed?". Local Risk Management answers "This is how", holding the Key Operational Risks and the Residual Operational Risks. GIA audits both the key operational risks and the residual operational risks.

Risk Management Stages

Business Objective

Risk: the identification of those things that would PREVENT an objective from being achieved

Inherent Level: the likelihood and consequence of risk crystallisation before mitigating actions (controls) have been put in place

Control: those actions that, if taken, will reduce either the likelihood or consequence of a risk crystallising

Residual Level: the likelihood and consequence of risk crystallisation after mitigating actions (controls) have been put in place

Insurance: the risk can sometimes be reduced (transferred) by insurance

Retained Level: the level of risk formally accepted by the organisation

The Principle of Trust

Do you trust your clients?

On What Basis Do We Trust Them?

Based on the strength of the control environment:

organisation
methods & practices
culture & behaviour

Previous audits - these indicate strong internal controls

The caveat is that we trust, but reserve the right to verify

The Rationale of Investing in an ERP

(Diagram) IT, HR & Procurement run as Silo One, Silo Two and Silo Three, each with its own Control, are contrasted with the Business Support Centre running them on a single E.R.P. under one Control. The Business Support Centre cultivates better customer relationships and takes calculated risks.

Scope of the ERP (What does it cover?)

Resource, Develop & Manage People (RDMP)
Plan & Develop the Business (PDB)
Acquire & Maintain Asset (AMA)
Others (income and financial ledgers)

Audit Drivers

Corporate Governance (Turnbull & LSE)

Audit & Assurance
Management Requests

Pre-Audit Assessment

No formal business risk register
Lack of practical experience in assessing risks by process management
The ERP system was subject to regular audits before it went live
Process management believed that checks and balances are in place and operating

What did we do before the audit?

Gave a full day risk management training course to key business process managers
Facilitated initial risk assessment workshops
Provided feedback on initial risk registers and ongoing advice on the risk management methodology
Agreed with management that we would be returning to audit the risk registers and processes

Phase 1 Audit Focus

To review how well management identified risks in the ERP processes that could threaten the achievement of business objectives

What did they do? 1/2

Process   No of workshops   No of people involved
AMA       15                120
RDMP      5                 40
GL        4                 20
PDB       4                 20
Income    4                 20
Total     32                220

What did they do? 2/2 (This example is for demonstration only)

Process   Level      Counts
AMA       Inherent   120   140   182
          Residual    14    99    35
RDMP      Inherent    18     8    12
          Residual     6    10     2
GL        Inherent    27    15    33
          Residual     0    15     6
PDB       Inherent    41     9    25
          Residual     0    34     9
Income    Inherent     7    10    11
          Residual     2     8     4
Total     Inherent   213   182   263
          Residual    22   166    56

How Do We Assess Them?

(5 x 5 matrix of Inherent Risks) LIKELIHOOD on the vertical axis, scored 5 down to 1: Probable, Likely, Possible, Unlikely, Improbable. CONSEQUENCE on the horizontal axis, scored 1 to 5: Minor, Moderate, Significant, Substantial, Catastrophic. Each cell carries the number of inherent risks plotted there.

(5 x 5 matrix of Residual Risks, same LIKELIHOOD and CONSEQUENCE axes) Each cell carries the number of risks plotted there after controls have been taken into account.

Residual Risks by status of controls (an example)

Risk (RAG)   Fully Controlled   Partially Controlled   No Current Control
Red          7                  11                     1
Amber        5                  -                      3
Green        2                  -                      -
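As an added worked example (not from the presentation), the stages defined earlier (inherent level, control, residual level, insurance, retained level) and the two summary views used above (RAG counts per process, and residual RAG against status of controls) as a small Python risk register. The register entries, the points each control removes, the half-effect rule for partially operating controls, the Red/Amber/Green bands on the likelihood x consequence product and the "audit targets" rule are all assumptions; the deck does not state how scores map to RAG.

```python
"""Scoring a risk register along the stages on the slides:
inherent -> control -> residual -> insurance -> retained, on the 5 x 5 matrix.
Added example, not from the presentation; register, reductions and RAG bands are assumptions."""
from collections import Counter
from dataclasses import dataclass, field

# Axes as on the slides (1 = lowest score)
LIKELIHOOD = {1: "Improbable", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Probable"}
CONSEQUENCE = {1: "Minor", 2: "Moderate", 3: "Significant", 4: "Substantial", 5: "Catastrophic"}
FULLY, PARTIAL, NONE = "Fully Controlled", "Partially Controlled", "No Current Control"


@dataclass
class Control:
    name: str
    status: str               # FULLY, PARTIAL or NONE
    likelihood_cut: int = 0   # points taken off likelihood when fully operating
    consequence_cut: int = 0  # points taken off consequence when fully operating

    def effect(self):
        """Assumption: a partially operating control delivers half its design effect."""
        if self.status == FULLY:
            return self.likelihood_cut, self.consequence_cut
        if self.status == PARTIAL:
            return self.likelihood_cut // 2, self.consequence_cut // 2
        return 0, 0


@dataclass
class Risk:
    ref: str
    process: str             # AMA, RDMP, GL, PDB or Income
    description: str         # what would PREVENT the objective being achieved
    likelihood: int          # inherent, 1..5
    consequence: int         # inherent, 1..5
    controls: list = field(default_factory=list)
    insured_cut: int = 0     # consequence points transferred to an insurer
    accepted_by: str = None  # who formally accepted the retained level


def clamp(v):
    return max(1, min(5, v))

def rag(likelihood, consequence):
    """Assumed RAG bands on the likelihood x consequence product (25 = worst)."""
    score = likelihood * consequence
    return "Red" if score >= 15 else "Amber" if score >= 8 else "Green"

def inherent(risk):
    return risk.likelihood, risk.consequence

def residual(risk):
    """Inherent level less the effect of the controls that are actually operating."""
    l, c = inherent(risk)
    for ctl in risk.controls:
        dl, dc = ctl.effect()
        l, c = l - dl, c - dc
    return clamp(l), clamp(c)

def retained(risk):
    """Residual level after insurance has transferred part of the consequence."""
    l, c = residual(risk)
    return l, clamp(c - risk.insured_cut)

def control_status(risk):
    statuses = {ctl.status for ctl in risk.controls}
    if not statuses or statuses == {NONE}:
        return NONE
    return FULLY if statuses == {FULLY} else PARTIAL

def status_matrix(register):
    """Residual RAG x status of controls: the layout of the 'Status of controls' slide."""
    return Counter((rag(*residual(r)), control_status(r)) for r in register)

def process_summary(register):
    """Per process, inherent and residual RAG counts: the layout of 'What did they do? 2/2'."""
    out = {}
    for r in register:
        row = out.setdefault(r.process, {"Inherent": Counter(), "Residual": Counter()})
        row["Inherent"][rag(*inherent(r))] += 1
        row["Residual"][rag(*residual(r))] += 1
    return out

def audit_targets(register):
    """Trust but verify: residual Red, nothing in place, or a non-Green retained level
    that nobody has formally accepted (assumed rule)."""
    return sorted(r.ref for r in register
                  if rag(*residual(r)) == "Red" or control_status(r) == NONE
                  or (rag(*retained(r)) != "Green" and not r.accepted_by))

# Constructed register for illustration (not BAA's data)
REGISTER = [
    Risk("AMA-01", "AMA", "Purchase orders raised and paid without authorised approval", 5, 5,
         [Control("ERP workflow approval limits", FULLY, likelihood_cut=2),
          Control("Monthly PO exception report", PARTIAL, likelihood_cut=1)]),
    Risk("AMA-02", "AMA", "Fixed asset register does not reconcile to the general ledger", 3, 3,
         [Control("Quarterly reconciliation signed off by finance", FULLY, 2, 1)]),
    Risk("RDMP-01", "RDMP", "Leavers retain ERP access after their last working day", 4, 3),
    Risk("RDMP-02", "RDMP", "Payroll master data changed by unauthorised users", 3, 4,
         [Control("Segregation of duties in ERP roles", PARTIAL, likelihood_cut=2)],
         accepted_by="HR Director"),
    Risk("GL-01", "GL", "Fire at the data centre destroys the ERP host", 2, 5,
         [Control("Off-site backups and tested DR plan", FULLY, consequence_cut=2)],
         insured_cut=2),
]

if __name__ == "__main__":
    for r in REGISTER:
        l, c = residual(r)
        print(r.ref, inherent(r), (LIKELIHOOD[l], CONSEQUENCE[c]), rag(l, c), control_status(r))
    print(dict(status_matrix(REGISTER)), audit_targets(REGISTER))
```

The point of keeping inherent, residual and retained as separate functions is that each slide summary reads off a different one: the process counts compare inherent with residual, the status-of-controls table is residual only, and the formal acceptance check belongs to the retained level after insurance.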

What We Found?

Management gained confidence in the risk management process:
All key risks were identified
Risks were aligned with business objectives
Controls were reasonably well specified

However, the control monitors and early warning indicators had not been explicitly identified

Remedial Actions

A formal project board was established with Main Board representation and a dedicated project manager to oversee the detailed design of ERP controls

More risk assessment workshops were carried out

Further controls were improved

Phase 2 Audit Focus

To review how well the designed controls and associated embedded monitors address the risks identified in phase 1

What We Found This Time

Project Board is working effectively in accordance with the project charter

Risks and controls are well designed

However, more work is still required in the design of suitable embedded monitors and early warning indicators (management has sought assistance from GIA to remedy this situation)

What We Did?

A half day workshop was given to 15 key process managers specifically on the design of embedded monitors and early warning indicators, including:
good and bad examples
4 case studies relevant to our business for syndicate work
group presentation of results to each other

Provided continuous support to all process managers who required assistance on the risk management methodology
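As an added example (not from the presentation, and not the monitors BAA designed), two embedded monitors of the kind the workshop covered and one early warning indicator built on top of them, run over constructed ERP records. One monitor sits in the AMA process (purchase orders approved by the person who raised them, or above the approver's limit); the other sits in the RDMP process (ERP accounts still active after a leaver's last working day). The record layouts, approval limits per role, user names and the tolerance for the indicator are all assumptions.

```python
"""Embedded monitors and an early warning indicator over constructed ERP records.
Added example, not from the presentation; layouts, limits and thresholds are assumptions."""

# Assumed approval limits per role (constructed)
APPROVAL_LIMITS = {"buyer": 5_000, "manager": 50_000, "director": 500_000}

# Constructed purchase orders (not BAA's data); period is the accounting month
PURCHASE_ORDERS = [
    {"po": "PO1001", "raised_by": "asmith", "approved_by": "jdoe",  "approver_role": "manager",
     "amount": 12_000, "period": "2004-03"},
    {"po": "PO1002", "raised_by": "bkhan",  "approved_by": "bkhan", "approver_role": "manager",
     "amount": 3_000, "period": "2004-03"},    # raised and approved by the same user
    {"po": "PO1003", "raised_by": "clee",   "approved_by": "jdoe",  "approver_role": "manager",
     "amount": 75_000, "period": "2004-04"},   # above the manager limit
    {"po": "PO1004", "raised_by": "asmith", "approved_by": "mroy",  "approver_role": "director",
     "amount": 120_000, "period": "2004-04"},
    {"po": "PO1005", "raised_by": "dgray",  "approved_by": "dgray", "approver_role": "buyer",
     "amount": 900, "period": "2004-04"},      # raised and approved by the same user
]

# Constructed HR leavers (last working day, ISO date) and ERP account states
HR_LEAVERS = {"bkhan": "2004-03-31", "clee": "2004-04-15"}
ERP_ACCOUNTS = {"asmith": "active", "bkhan": "active", "clee": "disabled",
                "dgray": "active", "jdoe": "active", "mroy": "active"}


def po_exceptions(orders, limits):
    """AMA embedded monitor: segregation of duties and approval-limit checks on every PO.
    Returns (po, reason) pairs in order of occurrence."""
    out = []
    for po in orders:
        if po["raised_by"] == po["approved_by"]:
            out.append((po["po"], "self-approval"))
        if po["amount"] > limits.get(po["approver_role"], 0):
            out.append((po["po"], "above approval limit"))
    return out


def stale_accounts(leavers, accounts, as_of):
    """RDMP embedded monitor: ERP accounts still active after the leaver's last working day.
    ISO date strings compare correctly as plain strings."""
    return sorted(user for user, last_day in leavers.items()
                  if as_of > last_day and accounts.get(user) == "active")


def exception_rate_by_period(orders, limits):
    """Early warning indicator: share of POs in each period that raised at least one exception."""
    flagged = {po for po, _ in po_exceptions(orders, limits)}
    per_period = {}
    for po in orders:
        total, bad = per_period.get(po["period"], (0, 0))
        per_period[po["period"]] = (total + 1, bad + (po["po"] in flagged))
    return {period: bad / total for period, (total, bad) in per_period.items()}


def early_warnings(orders, limits, threshold=0.6):
    """Periods whose exception rate exceeds the (assumed) tolerance, for escalation."""
    return sorted(period for period, rate in exception_rate_by_period(orders, limits).items()
                  if rate > threshold)


if __name__ == "__main__":
    print(po_exceptions(PURCHASE_ORDERS, APPROVAL_LIMITS))
    print(stale_accounts(HR_LEAVERS, ERP_ACCOUNTS, "2004-04-20"))
    print(exception_rate_by_period(PURCHASE_ORDERS, APPROVAL_LIMITS))
    print(early_warnings(PURCHASE_ORDERS, APPROVAL_LIMITS))
```

The monitors report individual exceptions for the process manager to clear; the indicator trends them by period so that a rising rate is visible before any single exception is material, which is the distinction between an embedded monitor and an early warning indicator that the workshop was addressing.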

Embedded Monitors Design Methodology

(Diagram) A continuum of assurance approaches runs from a Command & Control culture to a Freedom to Manage culture: Inspection/compliance, Peer review, CSA & verification, CSA & peer review, CSA & self audit, CSA. The position chosen is weighed against organisation culture, availability of reliable info, objectivity of assurance provided, cost, coverage and info system, each rated Low to High from one end of the continuum to the other.

Phase 3 Audit Focus

In phase 1, we examined how well management identified risks in the ERP processes that could threaten the achievement of business objectives

In phase 2, we reviewed how well the designed controls and associated embedded monitors address the risks identified in phase 1

In the final phase, we carried out an audit to review how well the designed controls and associated embedded monitors are working in practice over the ERP processes

Phase 3 – What We Found?

No major issues were identified in our audits, and:
Management has established formal governance structures for reviewing embedded monitors
A formal Service Level Agreement (SLA) has been established between the Business Support Centre (BSC) and BAA airports

Key stakeholders have held regular meetings to evaluate SLA performance and to prescribe remedial actions for areas requiring improvement

What We Have Learned

Auditors increasingly demand consultancy skills
Audit and consultancy work well together if the assurance role is segregated
Our method would not have worked in a different organisation culture (we have full support from Top Management)

Risk management is the catalyst to facilitate management in achieving their objectives

Improving risk management maturity of an organisation requires a vigorous process

Risk Management Maturity Continuum (Among the ERP Process Managers)

(Diagram) Scale: Novice, Competent, Proficient, Expert, with the process managers' position marked Before and After the exercise.

Could We Have Done It Differently?

Yes – except that the audit department would need to be 2-3 times its current size, or we would need to reduce the level of assurance provided to Management, risking non-compliance with the corporate governance requirement

Questions?
