289.F基于ERP环境下的企业内部审计 外文原文.doc

Internal Audit of enterprise with Implementation of ERPSteven M.Glover,Douglas F.Prawitt,Marshall B.Romney Abstract：Legacy systems are being replaced at a rapid pace by enterprise resource planning (ERP) systems, such as SAP R/3, PeopleSoft, and Baan, often with great benefits to the organization, but sometimes with painful side effects. Since it is management's responsibility to plan and carry out a successful systems implementation, most difficulties and failures cannot be attributed to shortcomings on the part of internal auditors. However, internal auditors can be part of the solution by being appropriately and actively involved in ERP adoptions, from start to finish. By understanding the risks most commonly associated with ERP implementations and appropriately leveraging their core skill sets, internal auditors can become important members of the organization's strategic ERP implementation team.1.An ERP introductionDiscussions with representatives from several companies that use ERP, systems reveal that these organizations have all made similar mistakes. The story of BIZ Inc., a large, mythical corporation whose experiences mirror those of actual organizations, demonstrates what can, and often does, go wrong in an ERP systems implementation.A good start BIZ's decision to switch to ERP was based on sound business reasoning. Costs to maintain the mainframe-based information system had escalated in recent years because the manufacturer no longer supported the model used by the organization. In addition, Arnold Jackson, the Assistant Vice-President in charge of information systems, recognized that client/server systems represented the future of computing. It was time for a change.Arnold and his staff prepared a general plan that broadly outlined how the organization could migrate to a client/server system. They also engaged one of the major public accounting firms to help them determine their information system needs and recommend possible solutions.After interviewing several users, the consultants identified three software products that would meet BIZ's needs. They also recommended one package they considered to be a "best fit" for the organization.The problems begin unknown to Arnold and other management, BIZ s parent organization had also been planning a move to a client/server environment. Unfortunately, they had chosen a different ERP package than the one recommended for BIZ. Although BIZ was basically self-directed and autonomous, the larger parent organization strongly suggested that BIZ select the same software. Since their choice, Brand X, was a leading ERP package and was among the three suggested by BIZ'S outside consultants, BIZ agreed.BIZ hired a different consulting firm to help with the implementation. As a result, three groups were directly involved: Brand X's support staff, the outside consultants, and BIZ'S own information systems staff. Although a general implementation plan was outlined, a detailed adoption and testing plan was never developed.BIZ chose the public-sector version of Brand X instead of the commercial one adopted by the parent company. Unfortunately, the public-sector version was relatively new, not well tested, and designed primarily for governmental entities - not for BIZ's type of organization. The system couldn't handle some of the basic tasks BIZ expected it to perform, such as budget encumbrances, and k didn't process returns, credits, or blanket orders in a manner consistent with BIZ's operating environment.BIZ took comfort in the fact that expensive consultants were on the job and quickly got the project off the ground. However, it soon became evident that they were not familiar with the public-sector version of Brand X. More importantly, the consultants did not thoroughly understand BIZ or its industry.The consultants lacked the "big picture" perspective of the company's business operations and were unable to suggest ways BIZ could reengineer their processes to facilitate ERP adoption and increase efficiency and effectiveness. When BIZ asked the consultants "Can we do this?" the consultants answered,"Yes, we think we can make that work." A more informed answer would have been something like, "We probably could, but we do not recommend that. We suggest the following."At the same time, BIZ personnel were busy dealing with the daily demands of running the existing system and didn't spend a lot of time thinking about these issues. By default, BIZ and the consultants resorted to making the new system mirror the old one in look and feel, thinking this approach would minimize the suffering associated with the new system. In doing so, the weaknesses of the old system were ignored and, in fact, painstakingly designed into the new system.TIME TO HIT THE SWITCH After more than a year, BIZ's management was frustrated with the amount of time it was taking to complete the project. They were also approaching the end of the lease on the mainframe and did not want to incur the high cost of renewing it. As a result, the end of the lease term was set as a firm date for shutting down the mainframe and "going live" with the new system.While establishing a deadline motivated BIZ'S implementation team, the drop-dead date unfortunately came before the new system was ready. The system was inadequately tested, and it was not yet operating in parallel with the old one.Problems and glitches are inevitable in any project of such magnitude; but in this case the new system literally slumped and died. First, the system encountered transactions it could not handle; then it froze completely due to the volume of transactions generated.During this difficult time, "work-around" procedures were developed. To address the volume issue, the organization processed transactions in split shifts. When the problems persisted, the company abandoned the purchase requisition portion of the ERP package and opted instead to prepare and process these documents manuallyFurther investigation revealed a partial source of the problem. Instead of customizing the database set-up to optimize their business processes, BIZ had simply accepted Brand X's defaults. Tweaking the database so that it better fit their needs increased the system's processing speed, but it was still unacceptably slow. The team finally determined that the system's deficient performance was due to the developer's poorly written code.BIZ successfully convinced the developer that inherent problems existed in the way the package processed data. Unfortunately, since the next version of the software was in development and because BIZ's version was now two "generations" old, the developer no longer supported the software. As a result, BIZ employees had to alter the code themselves in many situations.Damage assessment the long-term effects of these problems were significant and widespread. Previously well-managed processes were left running with little control or accountability so that the organization could function. BIZ fell behind in payments to its vendors, a real blow to an organization with a previously impeccable record and reputation. The new purchasing system was implemented at the end of the fiscal year when most of BIZ'S capital expenditures are typically made, further compounding the problem.In addition, people at all levels of the organization were unable to obtain critical information for several months. Even after some information became available, the ERP modules did not integrate as well as expected. Key reports generated by the old system could not be generated by the new one, and queries that were automated under the old system had to be performed manually after ERP adoption.One year later, problems still exist. Process cycle times are slower under the new system. In addition, the organizations internal auditors indicate that the system still lacks critical controls. This deficiency is partially attributable to the nature of client/server systems, where accessibility is much more widely distributed. But the problem is also partially due to the fact that neither BIZ's systems personnel nor the paid consultants understood the nature, importance, and value of well-controlled business processes.Not surprisingly, a considerable amount of finger-pointing has occurred between BIZ management, Brand X, the technical consultants, BIZ's systems staff, and the internal auditors. Each constituency assumed the others were dealing with critical issues throughout the process.While not every ERP implementation is so painful as BIZ's, scenarios of this kind are surprisingly common. Mistakes can be avoided, however, by learning from such struggles. BIZ'S experience offers many lessons for internal auditors, especially when one carefully considers the decisions and their outcomes.Be proactive, and don't be intimidated by the technology. While it is management's responsibility to carry out an ERP adoption, internal auditors must be proactive about their contributions to the process. The internal audit department will likely be underutilized if it does not aggressively offer its services.Some internal auditors may feel unqualified or intimidated by the technology or by the outside consultants. Or they may erroneously assume the systems people, along with the external consultants, have things under control. However, internal auditors possess skills that are crucial to a successful ERP implementation, particularly in the area of risk management.Usually an ERP implementation involves changes in procedure, organizational structure, and technology, all in a compressed time period. Such activity is risk-laden, requiring proper risk management strategies. Internal auditors are particularly well positioned to add value in this area.Remember that ERP implementation is not just another systems project. The vast majority of ERP implementations are not systems projects, but business transformation projects. While ERP implementations do involve operating systems and networks, these aspects will not have the greatest impact on the organization. The elements of ERP that really add value are those that enhance the functional and procedural side of the business in areas such as supply chain, customer management, vendor relations, and electronic commerce.A significant difference exists in the way an organization would approach a pure systems-based project and how it should address a strategic business-transformation project involving ERP. Many analysts believe most of the fatally flawed projects have occurred because organizations failed to make this distinction.BIZ, for example, focused on the package, the technology, and the tactical issues of implementation. No one stopped to consider why they were implementing the software, what business advantages they hoped to achieve, and what impact those issues should have on their implementation decisions.Early in the process, internal auditors should ask questions like, "What is driving the adoption decision?" Implementing ERP is about business process reengineering; a promise of tangible business benefits must exist. If auditors attend ERP planning meetings and hear the discussion focusing on operating systems, screens, and graphic user interfaces, they will know problems are ahead.Get involved early. The internal audit department should become involved in the ERP adoption process as soon as possible. Few will understand the business processes of the organization as well as internal auditors. Their in-depth knowledge of risk and control can be extremely valuable in helping decision-makers assess whether an ERP is a logical choice for the organization and, if so, which package provides the best fit.For example, as a member of the steering committee, internal auditing can be instrumental in asking questions related to risks; contingencies; available resources; costs; "fit" of the new software to core business processes; expected role of the internal audit department; and controls. These questions are especially important during the planning stages of the project.In BIZ's situation, an internal audit representative participated on the steering committee and identified some concerns. However, the concerns were inadequately addressed by the project manager and the systems team. With the benefit of hindsight, the internal auditors wish they had been more tenacious.For example, the auditors asked the project manager about plans for implementation. However, BIZ never developed an adequate implementation plan that considered issues such as critical milestones, risks, testing, and back-up contingencies. It is clearly not internal auditing's role to prepare such plans; but BIZ's internal auditors indicate that if they had it to do over again, they would perform a thorough audit of the development plan and make specific recommendations to management regarding the plan's adequacy.An audit of BIZ's plan would have accomplished at least three things. First, it would have motivated those responsible to prepare a more detailed plan by a given date. Second, it would have given the internal auditor an opportunity to contribute directly to the quality of the ERP implementation. Third, the internal auditor's report would have provided a vehicle to inform higher-level management of the strengths and weaknesses of the implementation plan. The report would have also provided a basis whereby management could hold the implementation team accountable during the implementation process, rather than just after the fact.Develop key competencies by building on existing strengths. Even the most "technologically challenged" internal auditors can effectively build on their core business, risk, and control knowledge by obtaining a broad understanding of the issues germane to ERP implementations. Auditors can gain such understanding quickly and efficiently by (1) reading articles in professional publications and on the Internet and (2) communicating with other internal auditors who have been through the process.Because ERP packages are enormously complex, a successful implementation team possesses various skills. Some of these essential skills involve experience and knowledge in project management; change integration as it relates to training and education, performance measures, and communications; technology or application understanding; systems-development skills, particularly with interfaces and conversions involving legacy systems; and resource planning infrastructure.It is unlikely that any single audit department will bring all these skills to the table. Rather, internal auditors should develop those skills that will have the greatest impact on the organization. In ERP implementations, these critical skills relate to the functional side of the business rather than the technical side. Developing knowledge of operational areas such as supply chain, customer management, vendor relations, and