MASTER'S THESIS
ERP System: Implementation, Audit and Control Risks
Supervisor: Professor Jean Charles Clément
Prepared by: Borhen Habib Khatib
2009-2010
INSEEC MSc Program in Audit and Control Management
Abstract:
Organizations implement Enterprise Resource Planning (ERP) systems in order
to address the problems posed by disparate applications within functional
areas and to achieve competitive advantages. ERP systems typically provide
elegant technological solutions for organizations' information needs through
radical changes in information processing orientation. Due to the robust
nature of these applications and the changes associated with the
implementation, auditors may need to adjust the audit processes and procedures
when auditing in such an environment.
The aim of this study is to present the phases of an ERP system
implementation and its impact on the audit process in an organization. The
focus is to identify the different phases of the implementation and how
auditors can manage this change. The research was conducted during my training
at AS-Solar France, and the samples consist of the implementation of different
modules in the CEGID ERP System.
Table of contents
1. Introduction
2. ERP System
2.1. What is an ERP System?
2.2. ERP System Integration
3. Implementation of ERP System
3.1. The architecture of ERP project
3.1.1. Change management
3.1.2. Technical structure
3.2. ERP implementation phases
3.2.1. Launch phase
3.2.1.1. Build the project and release the means
3.2.1.2. Confirm the objectives and identify the open questions
3.2.1.3. Initiate information systems mapping
3.2.2. Design phase
3.2.2.1. Validate options and close open questions
3.2.2.2. Define scope and structures
3.2.2.3. Identify and address specific risks
3.2.2.4. Define strategy and technical means
3.2.3. Implementation of the solution
3.2.3.1. Coordinate sub-projects
3.2.3.2. Organize the deployment
3.2.3.2.1. A deployment plan
3.2.3.2.2. Deployment teams organization
3.2.3.2.3. Training
3.2.3.2.4. Anticipate actions
3.2.3.3. Upgrading existing repositories
3.2.4. Integration phase
3.2.4.1. Prepare toggle plan
3.2.4.2. Validate integration
3.2.5. Production phase
3.2.5.1. Prepare the structure
3.2.5.2. Simulate actual operation
4. ERP System: Audit and Control of Risks
4.1. Reasons for implementation of Audit and control ERP System
4.1.1. High risks
4.1.2. Higher Levels of Regulation
4.1.3. Efforts to meet new regulatory requirements
4.1.3.1. Visibility
4.1.3.2. Control
4.1.3.3. Efficiency
4.1.4. Common mistakes
4.1.4.1. Poor planning
4.1.4.2. Lack of focus
4.1.4.3. Auditors skills
4.1.4.4. Reliance on technology
4.2. What should be reviewed?
4.2.1. Hardware
4.2.2. Network
4.2.3. Software
4.2.4. Processes
4.2.5. Users work
4.3. Required Action
5. ERP CEGID Implementation: Case AS-SOLAR FRANCE
5.1. Introduction
5.1.1. AS-Solar, CEGID and evolution of the implementation
5.1.1.1. About CEGID ERP System
5.1.1.2. AS-Solar, evolution of the ERP implementation
5.2. Review management process
5.2.1. Audit services
5.2.2. Audit Purchases Department
5.2.3. Audit Sales department
5.2.4. Recommendations
5.3. Implementation phases
5.3.1. Launch phase
5.3.2. Design phase
5.3.3. Implementation of the solution
5.3.3.1. Coordinate sub-projects by service
5.3.3.2. Integration of two new module
5.3.4. Management process of the company after implementation
5.4. Test and control
Conclusion
Reference
1. Introduction
ERP systems facilitate horizontal and vertical integration of business
processes across an organization via a synchronized suite of software
applications. ERP systems, when successfully implemented, can enable companies
to better manage supply chains, perform business reengineering and reorganize
their accounting processes along with various other functions. In addition, it
has been observed that ERP systems are currently becoming a necessary tool for
companies to remain competitive in this new business environment rather than
constituting a new strategic move.
However, ERP systems are usually accompanied by changes in business
processes in companies. ERP systems bring about changes in internal control,
business processes, and segregation of duties. Typically, organizations may
need to reengineer business processes and make essential changes for
successful implementation of ERP systems. Such changes brought about by ERP
systems affect the ways auditors perform their duties.
It is important to understand how this ERP environment is affecting
auditors' work and responsibility. What makes this topic interesting is that
several researchers are quick to point out the need for auditors to adapt to
changes brought about by ERP evolution, yet how these changes affect auditors
has not been adequately investigated.
Structure of the Study
This study is divided into five chapters. The first chapter
covers the introduction and structure of the study.
Chapter two will briefly review enterprise resource planning (ERP)
systems. This will help to present a clear understanding of ERP system
implementation.
Chapter three discusses enterprise resource planning (ERP) systems, their
technical characteristics and their architecture. It will present a detailed
understanding of ERP systems and the phases of implementation.
Chapter four will briefly review auditing and the audit process. This will
help to present a clear understanding of the audit approach and the steps
performed by auditors in audit engagements.
Chapter five introduces the empirical part of this study: the
implementation of the ERP CEGID System with the AS-Solar France team. It
presents how audit can affect the implementation phases.
2. ERP System Implementation
2.1. What is an ERP System?
ERP means "enterprise resource planning"; it is a computer application
that enables the company to manage and optimize all of its resources.
ERP provides different modules that cover all business needs, such as
commercial, production, logistics, finance, human resources and customer
service (all fields are present at an equal level of completeness). In an ERP
system, the different processes and the different areas depend on one another
because of the use of a common database.
The ERP system enables the company to manage and control several sites,
languages and currencies simultaneously. Therefore, the ERP system is fully
recognized and used at international level.
Organizational and functional integration is built around the knowledge of
different management processes and the interaction between different services.
The complexity of this integration grows fast with the number of areas covered
and with the number of users. The ERP itself is a technology as well as a set
of techniques, expertise and practices.
- ERP technology
As the applications share the same information, the system must be
developed with rules built inside the database. The development of the screens
and reports can be minimized, since each application does not require
duplication of the capabilities for updating shared data. For instance,
defining departments can be done in one site and shared by all applications.
- Know-how and best practices
ERP systems require much more effort in terms of planning and
implementation resources than stand-alone applications. Integration means that
all functional areas and business processes have to be considered prior to any
decision.
3. Implementation of ERP System
3.1. The architecture of the ERP project
The architecture of an ERP project consists of defining its division into
subprojects. The division into subprojects is a breakdown into different types
of activity. Subprojects allow the implementation of the global project, but
each of them requires, for its realization, different techniques involving
specific skills. Project success depends on good timing and coordination
between subprojects, which are the responsibility of the project management.
Figure 1. Architecture of an ERP Project
3.1.1. Change management
The role of this subproject is related mainly to user training, data
preparation and organizational change. This subproject must be conducted in
parallel with the implementation of the ERP and it is essential for the
transition phase.
Change management is conducted by operational users, accompanied by
external consultants.
3.1.2. Technical structure
This subproject reviews:
- The technical infrastructure needed to run the software. Infrastructure
refers to the servers, networks and workstations that give users access to the
ERP. This infrastructure consists of hardware but also of software (operating
system, database system, utilities). It will be necessary first for the
project team and then for the production phase.
- The operating environment of the ERP itself and all the components that
are necessary for the implementation: interfaces, conversions and database.
- All the adjustments to the standard product that the company decides to
implement. The activities will be related to their definition, design,
implementation, testing and documentation.
These adaptations depend on the specific functions that the company
decides to maintain and which are not provided by the ERP. This means
modification or creation of states or screens, with or without modifications
to the standard chaining of screens.
3.2. ERP System implementation phases
These phases make the project progress by providing visible landmarks and
give a general layout of the project.
3.2.1. Launch phase
Anticipating all the resources necessary for an immediate start of the
project is the key to success in this phase. This phase requires strong
involvement of senior managers, and the economic objectives must be known and
shared.
The failure factors are due to starting the project too fast, caused by a
long decision cycle and the consultants' desire to make up for lost time.
Key activities are:
3.2.1.1. Build the project and release means
This requires mobilizing the project team, which is a difficult step
because, after identifying the potential partners, we must negotiate their
participation in the project with those concerned and convince their
superiors.
The difficulty in this step is that, for many operational users, it is not
obvious to leave their own structure and join the project team for one to two
years.
3.2.1.2. Confirm the objectives and identify the open questions
Formalizing the objectives and defining the exact needs are the challenge
for the project team. Indeed, they make the project's contribution to the
company goals concrete and visible by allocating the needed resources.
The objectives are first expressed in general terms and therefore must be
listed by the project management in more detail:
- Organizational scope, which specifies the entities involved: business
units, services, profiles and number of users.
- Functional scope, which identifies the functions / processes used by
prospective users and the modules and sub-modules in the ERP.
- Integration scope, which details the other applications with which the
ERP exchanges data.
By performing this exercise, we will detect "open questions" that should
be clarified during the design phase.
Key questions that a business should ask are:
- Who will lead our implementation effort?
- Do we have the in-house resources, skills and experience to implement
ERP?
- Should we build effective strategic partnerships?
- Have we considered how the implementation will differentiate our
business?
- Have we developed a business case for the ERP implementation project?
- Do the features and functions meet our needs?
- Is the ERP package compatible with our business?
- Should we buy an integrated package from a single vendor or best-of-breed
solutions from several vendors?
- How do we get started with the implementation?
- What steps do we take to ensure that the implementation is on track?
- How do we ensure that our people are accepting change?
- How do we integrate the ERP with our other legacy systems?
The project team has to identify those questions that are under the
responsibility of the management team.
Open questions will be resolved during the next phase. However, if the
questions are important, it is advisable, before starting the design phase, to
take time and clarify the key points through a focused preliminary study.
3.2.1.3. Initiate information systems mapping
During this phase, the concern is to establish, or at least to initiate
the establishment of, a mapping.
The mapping covers the existing applications, interfaces, platforms and
technologies that support the information flows around the databases. In the
next phase it allows the project team to assess the functional context of
integration between the ERP and other applications.
This will be done through a technical study with the IT department, and
with functional staff to clarify the functions which are handled by existing
applications.
3.2.2. Design phase
The factors of success in this phase are related to the clarification of
structuring points. The purpose is to arrive at a solution with defined
objects.
However, the failure factors are the difficulty of finding «the right
level of detail» and missing some essential points.
3.2.2.1. Validate options and close open questions
As we saw, questions were identified during the previous phase; the work
of the design phase will also generate new "open points". The responses to all
open points will be made during this phase. This is the role of the project
manager.
The decision process will be related to:
· Operational modes and target organization. Identify the differences or
the similarities between the existing organization and the changes needed to
prepare new areas.
· The character of databases and their administration. This is typically
the level of harmonization and centralization between bases.
· Specific needs. The decision on this point is either to accept the cost
of specific development and maintenance or to match capabilities.
· Integration mode of the ERP: either to accept a challenge and reduce the
functional scope, or to agree to a significant cost of development and
maintenance of interfaces.
All decisions are mainly produced by the ERP project team, which
identifies outstanding issues and takes decisions. The project manager should
be reactive and must be able to respond to unsolved points.
After solving the different questions, the project team summarizes the
decisions and outstanding issues for the area studied. With this summary, they
can react immediately to such open points and ensure integration between the
different areas.
This approach ensures that design decisions are closed and that solutions
start to be structured; these are identified, quantified and validated by the
steering bodies.
3.2.2.2. Define scope and structures
This is the main activity of the ERP subproject. All concerns revolve
around the definition of an organizational structure, the study of adequacy,
and the integration between the ERP system and other applications.
For each domain / sub-domain / process we will identify:
· Operating modes, which are defined by procedures.
· Organizational structures, that is, the organization of work (who does
what) and the circulation of information.
· Characteristics of repositories.
This classification will be done during workshops by the project team.
The starting point is always a proposal from the repository of the ERP.
After that, participants can identify differences with their organizations.
The implementation of a functional scope guide needs to consider two
aspects:
- Complexity of interfaces between the ERP system and other information
systems
- Impacts on the integrated software package itself
3.2.2.3. Identify and address specific risk
It is important at this stage to identify the specific functional modes of
the company. These characteristics could lead to a gap in coverage between the
needs and the capabilities of the ERP.
This identification is done during the study of adequacy between the
desired functional modes and the possibilities of the ERP system. It focuses
on finding a solution by seeking changes in the organization, removing the
discrepancy without specific development and without compromising the original
goal.
Avoiding specific development is the number one goal when we choose a
package solution.
These extensions should always be carefully validated, because they
reflect the choice of the company and extend existing operating capacity; they
must be evaluated so as to stay within the standard options of the product.
3.2.2.4. Defining strategy and technical means
The technical project is still the poor relation in the implementation of
an ERP project. The importance of its components, architecture and other
operational management is not perceived with sufficient acuity by the manager.
The various levels that will guide the ERP project are:
- Implementation of the technical infrastructure and procedures, to
support the needs of the project phase and prepare the production environment.
This step is done during the design phase and project execution.
- Scalability of continuous services, which support change under real
conditions. This step occurs during the integration phase and into production.
- Continuous service, to provide for needs and carry out any transfer of
competence to the internal teams.
A technical context that is absent or improperly mastered causes:
- Loss of productivity of the project team and a lot of nervousness. This
may represent about 20% of the team's potential output and therefore huge sums
relative to the technical costs themselves.
- Dissatisfaction with, or even rejection of, the new information system
by users.
3.2.3. Implementation of the solution
The factor of success in this phase is to avoid external disturbances. The
factor of failure is the modest involvement of user resources in the
integration process.
Key activities are:
3.2.3.1. Coordinate sub-projects
During this phase the ERP sub-projects, expansion and integration are
closely linked, and the synergy between them must be mastered.
Mastering the sub-projects means, during this phase, clarifying management
rules and establishing setting sheets and detailed specifications of interface
programs and extensions. It is from this point that the implementation
training is developed. It is built around configuration, specific programs and
interfaces. Mastering the interactions requires above all well-balanced
communication between functional and technical teams.
3.2.3.2. Organize the deployment
When deployment is expected, we must build and establish the strategy and
launch anticipatory actions.
3.2.3.2.1. A deployment plan
The deployment steps should identify the various organizational entities
that are deployed starting from the pilot. The sequence should include:
o Functional constraints (such an area must be installed before another,
two areas of different entities have to go into production at the same time)
o Integration constraints (reuse of existing interfaces, don't develop
temporary interfaces)
o Constraints of project objectives (project benefits may be more urgent
at any given location).
Once functional and technical constraints are identified, we try to go as
fast as possible by establishing multiple deployments and allocating means to
ensure monitoring and supervision of the project.
3.2.3.2.2. Deployment teams organization
A team should be identified for each deployed unit. This team is deployed
to the entity, for which the installation of the ERP is a mini-project. The
skills of this local team are reinforced by specific expertise from the
initial project team or by experts who have been specially trained for this
purpose.
Identifying the local team first requires choosing a project manager and
user representatives for each functional area. The choice of users depends on
the complexity of the key functional areas and on the profile of the user
representatives.
3.2.3.2.3. Training
Implementation across the various entities requires the team manager to
prepare shared guidance for the local project team and especially for users.
3.2.3.2.4. Anticipate Actions
After the open questions have been solved during previous phases, several
actions can be launched from the middle of this phase to prepare the
deployment:
- Inventory of local technical infrastructure
- Identification of local and central resources
- Identification of training means
3.2.3.3. Upgrading existing repositories
This subject is often critical in the middle of the implementation phase
when it has not been allowed for. Indeed, at this stage the project team
addresses a new framework and the specifications of recovery programs, and
takes actions to upgrade existing files.
Harmonization of files is primarily the harmonization of different
codifications, the cleansing of data, and their impacts in terms of particular
statistical treatment.
3.2.4. Integration phase
In this phase the key to success is carefully monitoring the coherence
between the ERP system interfaces and external systems.
Key activities:
3.2.4.1. Prepare toggle plan
During this step, the project team lists all the steps that carry out the
change between the old and new systems.
These steps include the preparation of switchover actions, which may start
several months earlier. Actions relate to:
- Cleaning up data such as customers and suppliers, articles and charts of
accounts, with manual additions before restart and manual additions after
recovery.
- Correlation tables used by the conversion program
- Production environments which are run by the new system. Upgrade of the
library of references, tables or specific data.
- Control of static balances between the old and new systems
- After data migration, controls are necessary to validate information
related to current inventory, customers, suppliers, balances and production
orders.
For all of these tasks a schedule of responsibilities and roles must be
established.
To create this plan, the project team needs to use information from
testing data and from the integration phase.
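The balance control and post-migration checks listed above can be automated. The following is an added example, not part of the thesis and not CEGID code: it compares a legacy extract with a migrated extract through a correlation table. The record layout, account codes and function names are hypothetical, and the sample data is constructed.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample extracts, each row: (code, category, balance as text).
LEGACY = [
    ("C-0001", "customer", "1200.50"),
    ("C-0001B", "customer", "300.00"),    # duplicate customer, merged on migration
    ("S-0100", "supplier", "-450.00"),
    ("S-0200", "supplier", "-75.25"),
    ("A-9000", "inventory", "8000.00"),
    ("A-9001", "inventory", "150.00"),    # missing from the correlation table
]
# Correlation table used by the conversion program: legacy code -> new code.
# Several legacy codes may map to one new code (harmonized codification).
CORRELATION = {
    "C-0001": "CUST000001",
    "C-0001B": "CUST000001",
    "S-0100": "SUPP000100",
    "S-0200": "SUPP000200",
    "A-9000": "ART0009000",
}
MIGRATED = [
    ("CUST000001", "customer", "1500.50"),
    ("SUPP000100", "supplier", "-450.00"),
    ("SUPP000200", "supplier", "-57.25"),    # digits transposed during load
    ("ART0009000", "inventory", "8000.00"),
    ("ART0009999", "inventory", "10.00"),    # created with no legacy source
]


def reconcile(legacy, migrated, correlation):
    """Compare balances of the old and new systems.

    Returns (findings, totals). Each finding is a tuple
    (kind, code, expected_amount, actual_amount) where kind is one of
    UNMAPPED, MISSING, MISMATCH, ORPHAN. totals maps each category to
    (legacy_total, migrated_total) for the static balance control.
    """
    findings = []
    expected = defaultdict(Decimal)       # new code -> sum of legacy balances
    legacy_totals = defaultdict(Decimal)
    for code, category, balance in legacy:
        amount = Decimal(balance)         # Decimal avoids float rounding errors
        legacy_totals[category] += amount
        target = correlation.get(code)
        if target is None:
            findings.append(("UNMAPPED", code, amount, None))
            continue
        expected[target] += amount

    actual = {}
    new_totals = defaultdict(Decimal)
    for code, category, balance in migrated:
        amount = Decimal(balance)
        actual[code] = amount             # codes assumed unique in the new system
        new_totals[category] += amount

    for target, amount in sorted(expected.items()):
        if target not in actual:
            findings.append(("MISSING", target, amount, None))
        elif actual[target] != amount:
            findings.append(("MISMATCH", target, amount, actual[target]))
    for code in sorted(set(actual) - set(expected)):
        findings.append(("ORPHAN", code, None, actual[code]))

    categories = sorted(set(legacy_totals) | set(new_totals))
    totals = {c: (legacy_totals[c], new_totals[c]) for c in categories}
    return findings, totals


def unbalanced_categories(totals):
    """Categories whose old and new static balances disagree."""
    return [c for c, (old, new) in totals.items() if old != new]


if __name__ == "__main__":
    findings, totals = reconcile(LEGACY, MIGRATED, CORRELATION)
    for finding in findings:
        print(finding)
    print("Unbalanced:", unbalanced_categories(totals))
```

The per-code findings give the owner of each cleanup task a concrete list to work through, while the category totals provide the overall balance control to sign off before the switch.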
3.2.4.2. Validate integration
This step is essential; it is part of the testing process that has been
carried out in previous phases. At this stage it becomes possible to validate
integration, as the various components are completed.
- Contribution:
- This validation doesn't focus on setting up the ERP; it focuses on the
ERP-specific programs and the interfaces between different programs, so it is
a validation of all the components of the new information system.
- The integrator executes much stronger test sets on real data, so that the
tests are relevant to what is encountered in reality.
- Tests must be done mainly by users, and not only by user representatives
as could be done in the previous phase.
It takes place in a real environment to test the prototype and the
functional tools. It has to deal with the interaction between correcting and
testing.
In the validation process this step is a key to functional and technical
success. Indeed, behind the project team, the technical resources get into
position to operate the different interfaces, which allows them to review
their operating procedures and validate different aspects of technical
performance.
- Honing the operating means in real conditions.
This step makes it possible to check execution on the final operating
platform and to run in the landscape management system. This point is related
to the management of transfers between different development environments.
It is during this integration phase that the risk of the technical
structure is revealed. Indeed, tests are performed in a configuration close to
operational reality. This phase therefore proves the performance, often with
necessary adjustments between the ERP and the database manager used.
3.2.5. Production phase
The factor of success in this phase is to put functional, technical and
organizational measures into a real situation, in order to minimize
discoveries during the production transition.
Key activities:
3.2.5.1. Prepare the structure
This phase is launched with the training of users. It includes a
theoretical and a practical part.
During the first months after the switch it is often desirable to
implement local support. It acts as a filter between users and the help desk,
to resolve problems that need additional training.
3.2.5.2. Simulate actual operation
These operations simulate the final production scale.
This step will therefore test the switch plan, based on real data, and get
into position to do the work expected daily, weekly and monthly. This
simulation is done by the most advanced project resources (functional
representatives and consultants).
Beyond the switch test, this step makes it possible to improve tools and
methods for controlling additional data.
4. ERP System Audit and Control Risks
4.1. Reasons for an ERP System Audit
ERP audits and reviews can be justified by outlining the
wide-ranging consequences of undertaking an ERP implementation. If implementing
a system can impact a company in a multitude of ways then there will be a need
to monitor and control such an implementation as well as ensure its continued
success. Implementing an ERP system will significantly increase risks which in
turn will require the establishment of mitigating controls and a mechanism for
monitoring such controls.
4.1.1. Increased Risk
Enterprise Resource Planning systems use data from a wide range of
business areas to provide cross-departmental management and process
information. Such systems manage the core critical business processes of an
organization. Implementations can fail to deliver expected results if not
adequately managed and controlled. Furthermore, there are emerging trends and
changing technologies that support expanded use of ERP systems (such as
web-enabled customer interfaces), which will increase the importance of the
security and control considerations for ERP. Hence, an ERP implementation will
have wide-ranging impacts on the technology, people and processes of an
organization and its trading partners.
4.1.2. Higher Levels of Regulation
Perhaps the greatest justification for an ERP audit at this
point in time is the increasing levels of regulation being imposed on
organizations. In the wake of corporate financial scandals, governments and
regulatory agencies are responding to failing investor
confidence by implementing new regulations. In the United
States for instance, stricter reporting rules, such as those defined in the
Sarbanes-Oxley Act of 2002, require company executives to certify the accuracy
and legitimacy of corporate financial statements or face the possibility of
punitive and criminal action. European Union members are mandated to report
financial results as per the International Accounting Standard (IAS) by 1
January 2005. At that time, they also have to restate 2003 and 2004 results,
per the IAS. Further, IAS is going global. In addition to the EU, Hong Kong,
Korea, Singapore, Australia, Canada, and most recently, Russia have announced
either their support for, or adoption of the IAS. The U.S. Financial Accounting
Standards Board is conducting discussions with the IAS board on the
reconciliation of differences between the two standards. Multinational
corporations may have the added burden of complying simultaneously with the
Sarbanes-Oxley Act and the IAS, as well as a host of local regulations in the
countries in which they operate.
4.1.3. Efforts to meet new regulatory requirements
Compliance Challenge | Strategy | Enabler
CEOs and CFOs must personally certify financial reports | Provide complete and accurate information with confidence; access information in real time to proactively address issues that may arise | Visibility: set up transparent integrated processes across the enterprise; enable executives to access relevant and timely information
Disclosure of internal controls and processes for financial reporting; auditors must verify adequacy | Set up better controls that work and enable regulatory compliance; make audits easy, fast, and effective | Control: establish centralised internal audit processes and controls across the enterprise that are documented, secure, and easily accessible; train employees and monitor skills to maximize compliance with policies and procedures
Aggressive deadlines for financial reporting | Close books quicker | Efficiency: roll up and reconcile financial data quickly and accurately; implement centralised, low cost, error-reducing processes as a backbone to ensuring consistent, error-free data across the enterprise
4.1.3.1. Visibility
Enterprise visibility is imperative to give you immediate
access to high-quality business information. In most companies, the best
information executives have about the state of their business comes from the
close of the preceding quarter. However, without access to the current state of
your business, you risk making decisions that solve yesterday's problems, not
today's. To exercise good governance and meet regulatory demands, you need
access to timely, relevant, and accurate information across your organization.
Only a business system with a complete set of integrated business intelligence
and analytics can provide managers with continuous, current, customised
information about their business which can enable them to:
- Access a complete and accurate view of financial data for
quicker reporting and meaningful disclosure.
- View global enterprise information that is timely, relevant,
consistent, and available in real time. Obtain a complete view of your
business with global information from a single source of truth.
4.1.3.2. Control
Enterprise control is necessary to accurately provide information based on
standardised processes and procedures. With effective control, you can avoid
careless accounting practices, enable compliance through documented business
practices and procedures, implement your vision and business strategies, and
find and fix discrepancies proactively. To control your enterprise more
effectively, you need to centralise and secure policies, processes, and
procedures across your organisation. Business systems can help you streamline
the transparency of policies and procedures, enforce them, reduce the risk of
malfeasance and errors, and improve confidence in your business data:
- Support the audit department in enforcing corporate compliance with
documented policies and procedures, risk and process control management,
visibility to business process workflow, and improved project management.
- Keep your employees informed: document and track critical business
processes, determine workflow, and develop and deploy applicable training to
ensure compliance. Manage and document corporate communications and data with
an integrated suite of enterprise-level applications that focus on managing
all of the communications between individuals and teams, the content they
create, as well as the information for supporting them.
- Centralise and automate processes and controls for information
consistency. Eliminate duplicate processes, reduce overhead, and cut costs.
4.1.3.3. Efficiency
To meet the reporting deadlines imposed by new legislation, your
organisation must operate at maximum efficiency. By removing the complexity
from your business applications you can confidently face new governance
demands. A truly efficient business system operates on a single data model
with data consolidated in one location. Integrated applications and automated
business flows quickly move business data among global front and back office
operations. Data can be rolled up and reconciled accurately and business
processes run smoothly and quickly.
- Eliminate bottlenecks and streamline the rollout of new internal
processes and procedures with self-service.
- Reduce the risk of malfeasance and accidental errors by streamlining
inter-user approvals and participation in review processes.
- Enable efficient execution of internal audits by providing project team
members complete visibility into audit data.
- Integrate enterprise data and business processes based on a unified data
model to support global compliance.
4.1.4. Common mistakes
4.1.4.1. Poor planning
In many instances there is no concerted effort to ensure that
audit and review processes are embedded in the project life cycle. It is
essential during the initial planning of a project to ascertain who will be
performing audit and review activities as well as the duration and frequency of
such activities. At the outset of a project it is important that all parties
involved understand the scope of the activities to be performed.
4.1.4.2. Lack of focus
Even when audits and reviews are undertaken they often fail to
focus on the areas of an implementation that pose the greatest threat to
implementation success or organisational control. This to a large extent
relates to the previously mentioned point of planning. Implementation planners
should identify potential problem areas and
then determine how to adjust their audit and review approach to
deal with these concerns.
4.1.4.3. Competency of Auditors
In many instances the parties made responsible for audit and
review do not know the workings of ERP systems. They are often not aware of the
workings of the particular system they are auditing. In many instances the
financial auditors audit around the system using the «black box»
approach, i.e. they rely on inputs and outputs and don't look at what happens in
between. ERP auditors must have at least a high level knowledge of how such
systems work and how the modules relate to each other. Certainly, they should
know the key features of the particular software they are working with and
ensure they ascertain whether the package has any problem areas. Being able to
query and pull out reports from the system is the ideal situation. This would
necessitate persons responsible for audit and review being included in
implementation activities such as training and testing.
4.1.4.4. Reliance on technology for the solution
All too often people have a tendency to believe that by
implementing a highly functional system, controls will automatically be taken
care of as there is a high degree of sophistication embedded in these systems.
However, this is not the case and care should be taken to ensure that all
business processes are carefully documented and users clearly understand what
components of a process require manual or human intervention.
4.2. What should be reviewed?
In any systems implementation, it is not just about the
software. There are many other components that make up a successful
implementation and these will be identified. Each of these areas may
necessitate specialised audit, as they require a unique level of knowledge and
skills set. Although I have mentioned each of these components separately, it
is important to understand that they all interact with each other and are part
of an organisational system.
4.2.1. Hardware
Each software vendor will provide the business with certain
minimum specifications that they should follow when determining the hardware
requirements of clients and servers. These requirements should be strictly
adhered to. Often these specifications will be based on statistics that the
auditors have provided the vendor with regarding volumes of transactions that
are to be processed. Every effort should be made to ensure that these
statistics are correct as this may result in sizing problems. The organisation
should ensure that they size the hardware in such a manner that it provides for
growth.
4.2.2. Network
There's nothing worse than going live and finding that
inadequate network speed brings the system to a screeching halt. Efforts should
be made to ensure that network speeds are tested and that all persons involved
in system operation have access to the network. Control should also be
maintained over the network to prevent unauthorised users gaining access.
4.2.3. Software
Every organisation has various layers of software upon which
their ERP systems reside as well as other systems, both internal and external,
with which they interact - see figure 2. Audits should be conducted of software
subsystems within the organisational system. The following are key areas that
should be examined:
- Standard ERP parameters, including application controls,
authorisations and standard security configuration.
- Application security - to ensure processing occurs in an
efficient and controlled
manner, while protecting valuable data.
- Configuration decisions - to help provide reasonable assurance
of the integrity of business processes and application security.
- Design documentation - to ensure appropriate security and
control.
- The security administration process - to provide reasonable
assurance that access granted is appropriately identified, evaluated and
approved.
Many business processes may be extended out over the intranet,
extranet or Internet. The auditor should provide reasonable assurance that
security processes appropriately address these risks.
4.2.4. Processes
An audit of an ERP should provide assurance on the integrity
of processes in use by the business. Specifically, the following tasks relating
to audit and review should be undertaken.
- Identify control objectives for processes being implemented.
- Identify and assess potential business risks and financial
risks in the processes
being implemented.
- Develop and design the most effective and efficient ways of
controlling these risks (which implementers generally do not focus on or do not
have the expertise to develop).
- Perform an independent analysis of key business activities,
comparing organisation processes to leading practices and recommending process
improvements.
- Provide assurance that the controls within ERP are appropriate
and effective.
- Review the interfaces feeding into ERP from non-ERP systems
(including legacy, web-based and mobile computing applications).
- Perform audit tests focusing on business process and
internal control. Many organizations reengineer business processes during ERP
implementation.
- Review business continuity plans and provide reasonable
assurance that they have been tested.
4.2.5. Users work
All implementations require a successful combination of the
elements of people, process and technology. It is essential that an audit be
conducted of the staff involved in the implementation as well as the way in
which their roles are structured in relation to the ERP software
implemented.
In particular the following tasks should be undertaken:
- Identify staff, their responsibilities and skills sets.
- Assess training and knowledge transfer requirements.
- Ensure staff is adequately trained and test knowledge
transfer.
- Determine roles and responsibilities for staff by mapping
existing staff complement to processes in the ERP systems.
- Ensure that appropriate segregation of duties is maintained.
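One way to test the segregation-of-duties task above, shown as an added Python example that is not part of the thesis or of CEGID. It checks an exported user-to-permission list for conflicting access and an order log for duties that were not separated in practice; the permission names, conflict pairs and sample rows are constructed assumptions.

```python
from collections import defaultdict

# Pairs of permissions one person should not hold together.
# Assumed names for illustration, not CEGID identifiers.
CONFLICTS = [
    ("create_purchase_order", "approve_purchase_order"),
    ("create_purchase_order", "control_delivery_note"),
    ("maintain_supplier", "approve_payment"),
]

# Constructed sample access export: (user, permission)
ASSIGNMENTS = [
    ("alice", "create_purchase_order"),
    ("alice", "control_delivery_note"),
    ("bob", "approve_purchase_order"),
    ("bob", "approve_payment"),
    ("carol", "create_purchase_order"),
    ("carol", "approve_purchase_order"),
    ("dave", "maintain_supplier"),
]

# Constructed sample order log: who actually acted on each order
ORDERS = [
    {"id": "PO-001", "created_by": "alice", "approved_by": "bob", "received_by": "dave"},
    {"id": "PO-002", "created_by": "carol", "approved_by": "carol", "received_by": "dave"},
    {"id": "PO-003", "created_by": "alice", "approved_by": None, "received_by": "alice"},
]


def access_conflicts(assignments, conflicts=CONFLICTS):
    """Return {user: [conflicting permission pairs]} from the access export."""
    held = defaultdict(set)
    for user, perm in assignments:
        held[user].add(perm)
    found = {}
    for user, perms in sorted(held.items()):
        pairs = [pair for pair in conflicts if set(pair) <= perms]
        if pairs:
            found[user] = pairs
    return found


def order_violations(orders):
    """Return (order id, finding) where duties were not separated in practice."""
    findings = []
    for o in orders:
        if o["approved_by"] is None:
            findings.append((o["id"], "sent without approval"))
        elif o["approved_by"] == o["created_by"]:
            findings.append((o["id"], "approved by its creator"))
        if o["received_by"] == o["created_by"]:
            findings.append((o["id"], "delivery note controlled by the orderer"))
    return findings


if __name__ == "__main__":
    for user, pairs in access_conflicts(ASSIGNMENTS).items():
        print(user, pairs)
    for finding in order_violations(ORDERS):
        print(*finding)
```

The access check shows who could bypass a control, while the log check shows where a control was actually bypassed; an audit normally needs both views.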
4.3. Required Action
Wherever risk is increased, management should institute controls
which mitigate the risks posed.
The objectives of such controls would be to:
1. Safeguard all the assets of the enterprise
2. Ensure accurate and reliable accounting (and other)
information
- Validity - only valid items are allowed to enter a system
(authorisation)
- Completeness - all valid items are captured and entered into
system (number of items)
- Input accuracy - data that is entered into the system is
correct (data fields)
3. Improve operational effectiveness, efficiency and security
- Effectiveness - fulfils intended objective.
- Efficiency - prevents unnecessary waste of resources.
- Security - protection of resources from misuse or
destruction.
4. Promote adherence to managerial policies
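The three input objectives under point 2 (validity, completeness, input accuracy) can each be expressed as an automated check on a batch of entries. The following Python sketch is an added example, not taken from the thesis or from any ERP product; the field names, supplier codes and batch data are constructed assumptions.

```python
from datetime import date
from decimal import Decimal, InvalidOperation

APPROVED_SUPPLIERS = {"SUP-01", "SUP-02"}  # constructed master data

# Constructed batch header, filled in before data entry
BATCH = {"first_doc": 1001, "expected_count": 5}

# Constructed entries as keyed into the system (all fields arrive as text)
ENTRIES = [
    {"doc": 1001, "supplier": "SUP-01", "qty": "10", "price": "120.00",
     "date": "2010-03-01", "authorised_by": "fin1"},
    {"doc": 1002, "supplier": "SUP-09", "qty": "5", "price": "90.00",
     "date": "2010-03-02", "authorised_by": "fin1"},
    {"doc": 1003, "supplier": "SUP-02", "qty": "-3", "price": "50.00",
     "date": "2010-03-02", "authorised_by": "fin1"},
    {"doc": 1005, "supplier": "SUP-02", "qty": "20", "price": "100.00",
     "date": "2010-02-30", "authorised_by": ""},
]


def validity(entries):
    """Only authorised items for known suppliers may enter the system."""
    out = []
    for e in entries:
        if not e["authorised_by"]:
            out.append((e["doc"], "no authorisation"))
        if e["supplier"] not in APPROVED_SUPPLIERS:
            out.append((e["doc"], "supplier not in master data"))
    return out


def completeness(entries, batch):
    """Every document of the batch is present exactly once."""
    docs = [e["doc"] for e in entries]
    expected = range(batch["first_doc"], batch["first_doc"] + batch["expected_count"])
    out = [(d, "missing") for d in expected if d not in docs]
    out += [(d, "duplicate") for d in sorted(set(docs)) if docs.count(d) > 1]
    out += [(d, "outside batch") for d in sorted(set(docs)) if d not in expected]
    return out


def input_accuracy(entries):
    """Field-level checks on quantity, price and date."""
    out = []
    for e in entries:
        try:
            if int(e["qty"]) <= 0:
                out.append((e["doc"], "quantity not positive"))
        except ValueError:
            out.append((e["doc"], "quantity not a whole number"))
        try:
            if Decimal(e["price"]) <= 0:
                out.append((e["doc"], "price not positive"))
        except InvalidOperation:
            out.append((e["doc"], "price not numeric"))
        try:
            date.fromisoformat(e["date"])
        except ValueError:
            out.append((e["doc"], "invalid date"))
    return out
```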
It is imperative that when such controls are established,
continuous audit and review work be undertaken in order to assess the
effectiveness of these controls. The audit of an ERP system requires specific
knowledge and an understanding of the complex features and integrated processes
built into and required for the successful implementation, use and control of
specific vendor products. As financial audits require specialised audit skills,
so do ERP audits. Not only should the auditors have specialised skills but the
methodologies they use should also be uniquely tailored to deal with the
different risks involved. Audit and Review guidelines should be developed which
provide a management-oriented framework and proactive control self assessment
specifically focused on:
- Performance measurement--How well is the IT function supporting
business requirements?
- IT control profiling--What IT processes are important? What are
the critical success factors for control?
- Awareness--What are the risks of not achieving the
objectives?
- Benchmarking--What do others do? How can results be measured
and compared?
With respect to IT control profiling in point 2 above, I
believe organisations should reassess the controls in place using the maturity
framework outlined in figure 3 and the subsequent text. For each control the
required level of maturity should be determined and where the control is not
found to be at that level, corrective action should be taken.
5. ERP CEGID Implementation: Case AS-SOLAR FRANCE
5.1. Introduction
AS Solar is an internationally active German specialized
distributor and project developer for solar technology. Along with different
subsidiaries in Spain/Portugal, Benelux, France, Italy and Romania/Hungary it
is present on the most important global markets in the field of photovoltaics.
AS Solar connects lasting market quality and the technical know-how with
outstanding service to give customers an unparalleled advantage.
5.1.1. AS-Solar, CEGID and evolution of the implementation
5.1.1.1. About CEGID ERP System
Cegid Business Management V8.10
Encompasses all business management processes from procurement
to sales, ensuring the right products are in the right stores at the right
price and right time. In real time, the retailer needs to access data on key
indicators, including turnover and productivity. All in a multi-channel sales
environment: stores, website, mail order, wholesale.
· End-to-end merchandise management: retail
referencing, procurement, manufacturing, merchandise allocation, goods
receipts, pricing, promotions, inventory, restocking and replenishment, sales,
customer relations, sales events etc.
· Integrated decision-making tools for every step of the
way: standard and personalised dashboards, statistical analysis (stock turn,
best sellers, margin monitoring etc), alerts, reports, etc. allowing management
to make the right decisions at the right time
· Industry best practices and international expertise
· Data base management: products, prices, suppliers
etc
· Assortment and range planning
· Monitoring and management of purchasing and imports
· Inventory management, replenishment optimisation and
management of procurement cycles
· Price optimisation, sales and discounts
· Promotions, CRM, sales events and marketing
· Multi-channel management
· Management of international locations: own-label stores,
concessions, agents, franchises etc
5.1.1.2. AS-Solar, evolution of the ERP implementation
AS-Solar France started the implementation of CEGID ERP in
2007 by integrating CEGID Business Management. This module manages all the
important processes that increase operational performance: range planning,
pricing and promotions, replenishment optimization, loyalty and CRM.
But this first implementation failed for the following
reasons:
1. Governance
Lack of a single person in charge who reports directly to an
openly supportive senior executive accountable for the solution. Also, an
ineffective steering body of cross-functional senior executives.
2. Scope
Failure to align the contract for services with the requirements and
expectations.
3. Change Management
Insufficient investment in all facets of change management.
4. Skills
Team members lack a thorough understanding of the technical
capabilities of the solution or of the underlying business processes.
5. Decision Making
Relying too much on consensus-based decision making, rather than
rapid evaluation of options.
6. Communications
Lacking at all levels (executives, functional owners, across
team, with working level system users, external stakeholders, etc.)
7. Solution Architecture
Lack of a solution architecture or proven implementation methodology.
8. Training
Insufficient investment at all levels (including executives).
9. Culture
Trying to force an integrated, enterprise-wide solution into
a stove-piped culture. Systemic resistance to change.
10. Leadership
Lack of «public» leadership from senior, accountable
executive and/or lack of continuity in this leadership position.
After two years of testing the CEGID ERP System with insufficient
investment in the solution, senior executives decided to invest more time and
more resources in the different applications of CEGID. They set new objectives
related to the use of all applications and options of the solution, and
integrated two new modules: Settlement Monitoring and CRM.
5.2. Review management process
5.2.1. Audit services
Weaknesses:
· Quotations are entered in both Excel and CEGID
· No verification and reconciliation between estimated stock and the
quantity available for sale
· Users don't use a dashboard to verify quantities in stock before
generating the quote
· There is no sales manager who keeps track of customers
· There is no control by a third person on charged prices
· Delivery date is not exhaustive
· No follow-up of margins by project
Risks:
· Waste of time (double entry)
· Customers not satisfied
· Overload of work
· Loss of margin
· Lost customers
· Conflict between staff
5.2.2. Audit Purchases Department
Weaknesses:
· There is no person who checks the ordered quantities
· There is no third person who prompts and follows up on orders
· Multiple tasks are managed simultaneously with Excel
· Delivery note and order are controlled by the same person
· Double data entry into Excel and CEGID
· Input errors between theoretical and physical input
· No authorization for sending orders
Risks:
· Lack or storage of stock
· Input error
· Waste of time
· Risk of theft
5.2.3. Audit Sales department
Weaknesses:
· There is no third person who checks and monitors customers upstream and
downstream
· The lack of a manager who manages the sales department and ensures
adequate segregation of duties between staff
· Difficulty managing various tasks simultaneously
· No control over balances
· Goods removed from storage without a delivery note
· Lack of a switchboard operator to manage calls
· Lack of clear and controlled procedures to ensure smooth operation
between officers
· No restriction of access to corrections and changes
· Lack of control and weekly reconciliation between CEGID and the warehouse
inventory management file
Risks:
· Risk of error and omission
· Waste of time
· Difference between physical and theoretical stock
5.2.4. Recommendations
· Remove tools provided by Excel
· Set up and develop applications in CEGID ERP System
· Establishment of clear procedures for each position
· Assignment of responsibility for each service with a
well-defined objective
· Limiting access to the different modules of CEGID as
required for each position
· Impose control and completeness of data entered into
CEGID
· Assigning a management controller for the establishment and control
of procedures and the control of margins
· Separation of tasks and definition of jobs
· The organization of the stock and imposition of a
monthly inventory with a screening of the causes of differences between actual
stock and theoretical stock
· Appoint a director to monitor commercial customers
and prospects
· Validation of purchase orders by the Financial
Officer
· The introduction of approval visas to control
order generation
· Configuration of the CEGID tool to lighten tasks and avoid
double entry in Excel
· Development of dashboards to manage the project
margins
· Manage clients and prospects with the aid of the CRM
module
5.3. Implementation phases
5.3.1. Launch phase
After auditing all services and identifying weaknesses, we start
our planning by establishing clear procedures for each position, and we
study these fundamental points:
- Who does what?
- Define roles and responsibilities
- Limit access and develop restrictions
- Draft requirements
- Analyze working procedures
By performing this exercise, we detect "open questions" that
should be clarified with the integrator.
5.3.2. Design phase
We clarify the structuring points and establish a plan to
define the target solution.
All decisions are made with the integrator of the CEGID System,
who identifies outstanding issues and reviews the specific functional mode of the
company.
We focus on a solution by seeking changes in the organization
and removing discrepancies without specific development and without compromising
the original goal.
The integrator analyzes our draft requirements and gives us an
integration solution without specific development.
5.3.3. Implementation of the solution
5.3.3.1. Coordinate sub-projects by service
· Commercial service
In this department we set up and develop applications in the
CEGID ERP System and simplify the use of all applications by creating new
procedures and defining new rules. The objective of this sub-project for this
department is to avoid Excel tables and keep all information in one
database.
We create a dashboard to manage the stock efficiently.
· Purchases Service
We set up and develop applications in the CEGID ERP System to manage
stock and requested quantities.
We develop a clear procedure and simplify the use of the
application. All information is saved in one database, the CEGID System, and the
purchaser can't generate an order without the authorization of the
accountant.
We develop a dashboard to manage the quantity in stock and avoid
errors between theoretical and physical input.
· Sales Administration
For this department we focus our improvement on developing
dashboards to manage delivery dates for customers. We then simplify the application
concerning the request for payment of the deposit.
We also create new procedures to save time and be more
productive.
All procedures, applications and interfaces that we
developed for these different services are designed to simplify user entry and
help users manage their time more effectively.
5.3.3.2. Integration of two new modules
· CRM Module
The CRM module gives us a better insight into customers
and fosters a personalized approach for cultivating high value
relationships.
· Settlement Monitoring
- Allows us to be more effective in managing cash receipts
and disbursements.
- Develop new tools for fast debt collection.
- The schedule of payments tracks the overall change in cash, and
we are more reactive in finding solutions.
- After the due date of payment, CEGID creates an automatic
debt recovery letter.
5.3.4. Test and control
The end of the implementation process was the test of all tools,
applications and interfaces by users.
This step is the most important because we test the system under real
conditions.
5.4. Management process of AS-Solar company after ERP implementation
Conclusion
The purpose of this study was to identify the phases and audits
related to the implementation of ERP systems in organizations.
An ERP implementation project is different from other systems
development projects. During the implementation of this project significant
risk factors were identified, which include technological change, organizational
change and project complexity. These factors are the hallmarks of most (if not
all) ERP implementations.
Consequently, it is important to understand how these risk
factors can be mitigated. In this study, audits and management required to
minimize risks that organizations must control in an ERP system implementation
were identified.