Internal Audit role in ERP implementations

The interviewees were asked, other than as an independent reviewer, what they consider Internal Audit’s role to be. The responses were:

 Review control design of deliverables to ensure there are robust controls designed

into the system

 Assess the controls in place and that they are operating effectively

 Advise on specific areas of control e.g. Financial auditors advise on large Capital

Expenditure projects

 Review that projects are run in accordance with best practice, e.g. steering meetings

are happening, costs monitored and reported

 Influence - directing people to best practice

 Help to build confidence and ultimately help facilitate project success through

advising on effective program risk management

o Identify risks associated with the project around governance and deliverables

 When people know Internal Audit will review and report, they may pay more attention

to getting it right

 Provide an external viewpoint, not aligned to project hierarchy

 Opportunity to participate in the closure & lessons learned process

 Challenger

o independent assurance delivery on time/budget and plan and confirm project status/progress.

o Gives program management another opinion, challenge 3^rd party vendors

 While additional roles are possible from an operational auditing perspective, extreme care must be taken to ensure Internal Audit does not become part of the project plan.

44 | P a g e

5.4.1 At what stage should Internal Audit become involved?

See Table 5.

Table 5 Interviewees view on which stages IA should be involved.

Comments were:

 During Planning, Internal Audit would sit in on Project Management meetings and

check on such things as the team dynamics to observe if there is any friction; also checks on the ability of the team to provide solutions.

 Execution – Internal Audit review the go/no go decision(s) and sense check them, check that project is heading in the right direction and advise management

 Has a Monitoring role not Controlling.

5.4.2 Are there other areas that Internal Audit should be involved in?

The responses were as follows:

 Internal Audit should be involved all the way through

 The process for how projects are approved and scoped

 Change control processes for changes to scope, deliverables, timelines, costs,

benefits etc.

 Project being aligned to the company strategy

 Influencing / reviewing the development and use of Project Management best

practice, processes and methodologies

 For some projects, audit have been involved at initiation phase, other times at planning and execution phases but mostly at monitoring/controlling phase. The respondent considers post-implementation reviews as a separate endeavour, and

45 | P a g e

ideally Internal Audit should be involved before this phase, as implementing recommendations at this phase can be very costly

 If Quality Assurance (QA) is being done independently, review these QA’s as they occur

 In getting involved in the various stages, the Auditor needs to be self-aware and ensure they remain independent and don’t compromise their professional judgement.

5.4.3 Benefits of Internal Audit involvement

Interviewees were given some examples and asked what they consider to be the main benefits of having Internal Audit involvement in an ERP project. They were encouraged to identify any other benefits. See Table 6.

Examples: Responses

Independent review of project progress All agree

Raise issues/concerns not being addressed within the project All agree

Risk management expertise 5 agree

Direct line to audit committee/company senior management 4 agree

Company knowledge 3 agree

Sharing best practice/insights from other areas 5 agree Table 6 Interviewees view on benefits of IA involvement

Other benefits identified were:

 Provides assurance either positive or negative on the project governance processes,

the project being aligned to the company strategy and that what has been approved to be implemented is still on course to be implemented

 In a well-controlled/controlling organisation, knowing that Internal Audit will be

reviewing and reporting to Board Audit Committee can carry a significant amount of weight with business management, project team and contractors / implementation partners

 Review business process mapping to ensure objectives have been realised and no glaring gaps

 Keep third parties ‘honest’ as someone else is monitoring what they are doing

46 | P a g e

 For “Company knowledge”, in some cases, deep technical knowledge of a platform can add more than company or business knowledge can, as this can identify poor/low quality technical implementation or systems development work in advance of go-live.

5.4.4 Risks for Internal Audit working in ERP projects

Interviewees were given some examples and asked what they consider to be the main risks for Internal Audit being involved in an ERP project. They were then encouraged to identify any other risks. See Table 7. Management abrogating responsibility for monitoring progress to

Internal Audit

6 agree 1 NA Table 7 example risks for Internal Audit

Other comments were:

 Internal Audit don’t keep their independence and get involved in signing off or making

design changes to what they think the project should do

 If Internal Audit works “in” the project as opposed to reviewing it, then it naturally follows that Internal Audit is at risk of getting too intimate with the project and in turn needing another independent set of eyes. Internal Audit should only review and not be involved with the design

 Perhaps a risk of over-confidence on the part of an auditor that they know more that the project team

 Quality of reporting – does the auditor convey the messages in the right way

47 | P a g e

 Every auditor and audit process can be different. Results depend on the auditor(s),

their skills, experience, expertise, scope of their review, availability of deep technical skills

 Reviews take a lot of resources and time from the audit team resulting in a risk to the other areas that need to be covered as part of the audit plan

 All are potential risks if Internal Audit’s role is not clearly defined at the outset of the project.

5.4.5 Risk mitigation

Interviewees were asked what could be done to mitigate the above risks. They replied:

 Define Internal Audit’s roles/responsibilities and communicate these to all impacted

stakeholders e.g. the project teams and senior management

 Review only. Any consulting on an ERP project must be strictly controlled and

authorised by the Audit Committee, and not just the Head of Internal Audit

 Don‘t sign off on project documentation

 Obtain additional advice on the role of Internal Audit in reviewing ERPs. Training for

Internal Auditors in auditing projects and to gain experience on a project delivery

 Have the right people available for the job and then getting access to do the job

properly. Some of the risks may derive from auditor(s) not being self-aware enough, although a good auditor will be self-aware and will adjust their scope and approach to suit

 Clear scope showing what has and hasn’t been done.

48 | P a g e