How to Audit an ERP System via the Risk Management Route
Presented by: Gabriel Lung
ISACA London Chapter Events 2003/2004
ABN-AMRO, 250 Bishopsgate, London
27 May 2004
Introduction
Risk management in BAA
  corporate governance
  risk management process and methodology
  the principle of trust
The ERP rationale and coverage
The ERP audit the RM way
Lessons learnt
Q&A
BAA Business Activities
Airport management
Airport retail management
Property development
Duty free retailing
Train operations
Designer outlets
Turnbull / Combined Code Requirements
BAA must report annually on its systems of internal:
  financial control
  operational control
  compliance control
  risk management process
The majority of assurance will come from management
Risk Management Process
[Diagram: risk management flow. The MB and the XC sit above the Corporate Risk Director, who owns the key corporate risks and asks "How are these key risks managed?". Local risk management answers "This is how" by managing the key operational risks down to residual operational risks, and GIA audits this.]
Risk Management Stages
Business objective
Risk: the identification of those things that would PREVENT an objective from being achieved
Inherent level: the likelihood and consequence of risk crystallisation before mitigating actions (controls) have been put in place
Control: those actions that, if taken, will reduce either the likelihood or consequence of a risk crystallising
Residual level: the likelihood and consequence of risk crystallisation after mitigating actions (controls) have been put in place
Insurance: the risk can sometimes be reduced (transferred) by insurance
Retained level: the level of risk formally accepted by the organisation
On What Basis Do We Trust Them?
Based on the strength of the control environment:
  organisation
  methods & practices
  culture & behaviour
Previous audits, where these indicate strong internal controls
The caveat is that we trust but reserve the right to verify
The Rationale of Investing in An ERP
[Diagram: IT, HR & Procurement are shown as three separate silos (Silo One, Silo Two, Silo Three), each with its own control, being replaced by the Business Support Centre running on the ERP, which cultivates better customer relationships and takes calculated risks.]
Scope of the ERP (What does it cover?)
Resource, Develop & Manage People (RDMP)
Plan & Develop the Business (PDB)
Acquire & Maintain Asset (AMA)
Others (income and financial ledgers)
Pre-Audit Assessment
No formal business risk register
Lack of practical experience in assessing risks by process management
The ERP system was subject to regular audits before it went live
Process management believed that checks and balances are in place and operating
What did we do before the audit?
Gave a full day risk management training course to key business process managers
Facilitated initial risk assessment workshops
Provided feedback on initial risk registers and ongoing advice on the risk management methodology
Agreed with management that we would be returning to audit the risk registers and processes
Phase 1 Audit Focus
To review how well management identified risks in the ERP processes that could threaten the achievement of business objectives
What did they do? 1/2
Process   No of workshops   No of people involved
AMA              15                  120
RDMP              5                   40
GL                4                   20
PDB               4                   20
Income            4                   20
Total            32                  220
What did they do? 2/2 (This example is for demonstration only)
AM
AMA      Inherent   120   140   182
         Residual    14    99    35
RDMP     Inherent    18     8    12
         Residual     6    10     2
GL       Inherent    27    15    33
         Residual     0    15     6
PDB      Inherent    41     9    25
         Residual     0    34     9
Income   Inherent     7    10    11
         Residual     2     8     4
Total    Inherent   213   182   263
         Residual    22   166    56
How Do We Assess Them?
[Figure: two 5 x 5 risk matrices plotting LIKELIHOOD (rows Probable, Likely, Possible, Unlikely, Improbable, scored 5 down to 1) against CONSEQUENCE (columns 1 Minor, 2 Moderate, 3 Significant, 4 Substantial, 5 Catastrophic). The first matrix shows the number of Inherent Risks falling in each cell, the second the number of Residual Risks.]
Status of controls (An example)
Risk (RAG)   Fully Controlled   Partially Controlled   No Current Control
Red                 7                   11                     1
Amber               5                    -                     3
Green               2                    -                     -
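The Risk Management Stages slide defines inherent and residual levels as likelihood and consequence before and after controls, and the assessment slides plot those levels on a 5 x 5 matrix and cross-tabulate residual RAG status against the state of the control. The following is an added example, not material from the presentation or from BAA, showing how a small risk register can be scored and rolled up into those two views. The register entries, the RAG cut-offs (15 and above Red, 8 to 14 Amber, below 8 Green) and the sanity check on entries with no control are all assumptions made for the example; the deck does not state how scores map to colours.

```python
"""Toy risk register: inherent vs residual scoring on a 5 x 5 likelihood/consequence matrix."""
from collections import Counter
from dataclasses import dataclass

# Scales as labelled on the slides: likelihood rows and consequence columns run 1..5.
LIKELIHOOD = {1: "Improbable", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Probable"}
CONSEQUENCE = {1: "Minor", 2: "Moderate", 3: "Significant", 4: "Substantial", 5: "Catastrophic"}

# ASSUMPTION: the deck gives no score-to-colour mapping; these cut-offs are ours.
RAG_THRESHOLDS = (("Red", 15), ("Amber", 8), ("Green", 0))
CONTROL_STATUSES = ("Fully Controlled", "Partially Controlled", "No Current Control")


@dataclass(frozen=True)
class Risk:
    process: str          # e.g. "AMA", "RDMP", "GL"
    description: str
    inherent: tuple       # (likelihood, consequence) before controls
    residual: tuple       # (likelihood, consequence) after controls
    control_status: str   # one of CONTROL_STATUSES


def score(rating):
    """Likelihood x consequence; rejects ratings off the 1..5 scales."""
    likelihood, consequence = rating
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError(f"rating off the 1..5 scale: {rating}")
    return likelihood * consequence


def rag(rating):
    """Map a (likelihood, consequence) rating to a Red/Amber/Green band."""
    s = score(rating)
    for colour, floor in RAG_THRESHOLDS:
        if s >= floor:
            return colour
    return "Green"  # not reached: the Green floor of 0 always matches


def matrix_counts(risks, stage):
    """Count risks per matrix cell for stage 'inherent' or 'residual'."""
    counts = Counter()
    for r in risks:
        counts[getattr(r, stage)] += 1
    return counts


def render_matrix(counts):
    """Plain-text 5 x 5 grid: rows Probable..Improbable, columns Minor..Catastrophic."""
    lines = []
    for lk in sorted(LIKELIHOOD, reverse=True):
        cells = [str(counts.get((lk, cq), 0) or "-").rjust(3) for cq in sorted(CONSEQUENCE)]
        lines.append(f"{LIKELIHOOD[lk]:>10} |" + "".join(cells))
    lines.append(" " * 11 + "+" + "---" * 5)
    lines.append(" " * 12 + "".join(str(cq).rjust(3) for cq in sorted(CONSEQUENCE)))
    return "\n".join(lines)


def rag_by_control_status(risks):
    """Cross-tabulate residual RAG against control status (the 'Status of controls' table)."""
    table = {colour: {status: 0 for status in CONTROL_STATUSES} for colour, _ in RAG_THRESHOLDS}
    for r in risks:
        if r.control_status not in CONTROL_STATUSES:
            raise ValueError(f"unknown control status: {r.control_status}")
        table[rag(r.residual)][r.control_status] += 1
    return table


def register_anomalies(risks):
    """Entries an auditor should challenge: a residual level above the inherent one,
    or a residual that differs from inherent although no control exists to explain it."""
    findings = []
    for r in risks:
        if score(r.residual) > score(r.inherent):
            findings.append((r.description, "residual exceeds inherent"))
        if r.control_status == "No Current Control" and r.residual != r.inherent:
            findings.append((r.description, "residual differs from inherent without a control"))
    return findings


# Constructed sample register; process names follow the deck, the entries are illustrative.
REGISTER = [
    Risk("AMA", "Asset disposals not approved", (4, 4), (2, 4), "Fully Controlled"),
    Risk("AMA", "Duplicate supplier invoices paid", (4, 3), (2, 2), "Fully Controlled"),
    Risk("RDMP", "Leavers retain system access", (5, 3), (3, 3), "Partially Controlled"),
    Risk("GL", "Journals posted without review", (3, 5), (3, 5), "No Current Control"),
    Risk("PDB", "Capex budget overrun undetected", (3, 4), (1, 4), "No Current Control"),
    Risk("Income", "Rental income not invoiced", (2, 3), (1, 2), "Fully Controlled"),
]

if __name__ == "__main__":
    print("Inherent risks\n" + render_matrix(matrix_counts(REGISTER, "inherent")))
    print("\nResidual risks\n" + render_matrix(matrix_counts(REGISTER, "residual")))
    print("\nRAG by control status:", rag_by_control_status(REGISTER))
    print("\nRegister anomalies:", register_anomalies(REGISTER))
```

The anomaly check is the part worth keeping from an audit standpoint: the PDB entry claims a lower residual level while recording no control, which is exactly the kind of register entry the phase 1 review would ask management to justify.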
What We Found
Management gained confidence in the risk management process:
  all key risks were identified
  risks were aligned with business objectives
  controls were reasonably well specified
However, the control monitors and early warning indicators had not been explicitly identified
Remedial Actions
A formal project board was established with Main Board representation and a dedicated project manager to oversee the detailed design of ERP controls
More risk assessment workshops were carried out
Further controls were improved
Phase 2 Audit Focus
To review how well the designed controls and associated embedded monitors address the risks identified in phase 1
What We Found This Time
Project Board is working effectively in accordance with the project charter
Risks and controls are well designed
However, more work is still required in the design of suitable embedded monitors and early warning indicators (management has sought assistance from GIA to remedy this situation)
What We Did
A half day workshop was given to 15 key process managers specifically on the design of embedded monitors and early warning indicators, including:
  good and bad examples
  4 case studies relevant to our business for syndicate work
  group presentation of results to each other
Provided continuous support to all process managers who required assistance on the risk management methodology
Embedded Monitors Design Methodology
[Diagram: a spectrum of assurance approaches, from Inspection/compliance at one end, through Peer review, CSA & verification, CSA & peer review, CSA & self audit and CSA, to reliance on the Info system at the other end. Four factors are plotted along it: availability of reliable info (low at the inspection end, high at the info system end), objectivity of assurance provided (high to low), cost (high to low) and coverage (low to high). The organisation culture runs from Command & Control at the inspection end to Freedom to Manage at the info system end.]
Phase 3 Audit Focus
In phase 1, we examined how well management identified risks in the ERP processes that could threaten the achievement of business objectives
In phase 2, we reviewed how well the designed controls and associated embedded monitors address the risks identified in phase 1
In the final phase,we carried out an audit to review how well the designed controls and associated embedded monitors are working in practice over the ERP processes
Phase 3 – What We Found
No major issues identified in our audits, and:
  Management has established formal governance structures for reviewing embedded monitors
  Formal Service Level Agreement (SLA) established between the Business Support Centre (BSC) and BAA airports
  Key stakeholders have held regular meetings to evaluate SLA performance and to prescribe remedial actions for areas requiring improvement
What We Have Learned
Auditors increasingly demand consultancy skills
Audit and consultancy work well together if the assurance role is segregated
Our method would not have worked in a different organisation culture (we have full support from Top Management)
Risk management is the catalyst to facilitate management in achieving their objectives
Improving the risk management maturity of an organisation requires a vigorous process
Risk Management Maturity Continuum (Among the ERP Process Managers)
[Diagram: maturity continuum running Novice, Competent, Proficient, Expert, with markers showing where the ERP process managers stood before and after the programme.]
Could We Have Done It Differently?
Yes – except that the audit department would need to be 2-3 times our current size, or we would need to reduce the level of assurance provided to Management, risking non-compliance with the corporate governance requirement