Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012


Page 1: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012

Effective Internal Controls During ERP and Other Enterprise System

Implementations

March 22, 2012

Page 2: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012

© 2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International. 38615WDC

Agenda

- The Security and Control Challenge

- An Approach to Security and Controls

- Benefits & Challenges

- Summary

2

Page 3: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012

The Security and Controls Challenge

Page 4: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012


New ERP Systems: Introducing Risk

“As Is” Processes vs. “To Be” Processes: Controls, either manual or system-based, may not be documented in the “as is” environment; when the “to be” is being mapped, these controls may be lost.

Data Integrity in Legacy Systems vs. Integrated Systems: Older systems use many separate data files and manual procedures to detect errors; integrated systems increase the exposure for data interfaces (especially for phased implementations) and the risk of data integrity issues.

Up-front Controls Required: If robust data and validation checks are not “built in”, the impact is immediate and pervasive, rippling throughout the system(s). Data mapping and data conversion control weaknesses can result in “garbage in, garbage out” when the new system is implemented.

Integrators Focus on Features/Functions, Not Controls: Integrators do not focus on controls or security. Controls specialists are required to design and implement a robust control environment.

4

Page 5: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012


New ERP Systems: Mitigating Risk

Migration from the “As Is” to the “To Be” environment and ERP presents a controls challenge, especially for phased implementations.

How do we ensure effective controls are in place? The purpose of a control is to prevent (system-based control) or detect (manual control) a risk in the business processes or the systems used to facilitate the process.

How do we ensure controls are efficient? Manual controls may be effective, but are they efficient?

How do we make the best use of controls in the new packages being implemented (JDE’s ERP, i2’s SCP and CAS’ CRM)? We need to prevent duplication of manual and system-based controls.

How do we deliver a controlled business environment? Ensure controls are documented and reviewed proactively throughout the project using a structured, comprehensive methodology.

5

Page 6: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012


System implementation brings about numerous risks to the organization and may disrupt the overall control environment.

The Security and Controls Challenge

Risk areas (from the slide diagram):

- Financial Risk

- Reputation Risk

- Technology Risk

- Data Integrity Risk

- Project Management Risk

- System Development Risk

- Statutory & Regulatory Risk

- Product Risk

- Security Risk

- Business Operations Risk

- User Preparedness Risk

- Support & Maintenance Risk

6

Page 7: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012


The Security and Controls Challenge

Management’s responsibility is to ensure that controls remain effective throughout the implementation and after go-live.

ERP implementations raise many control issues for management, including:

- Optimizing controls associated with streamlined business processes

- Effective use of the control features of the enterprise software package

- New IT skills and processes required to administer and operate distributed computer platforms and networks

- High system availability and business continuity requirements

- Controlling the creation and maintenance of shared master data

- Maintaining data integrity during conversion and interface processes

- Ensuring authorized transactions and segregation of duties through application security

- Protection of confidential information in a distributed environment

- Administration of user security across multiple platforms

7

Page 8: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012


The Security and Controls Challenge

What is the potential value of including a security and controls perspective in an implementation?

- Optimized system business process controls that:

  - maximize reliance for management and audit (e.g., data integrity, information availability, data confidentiality, and reliability),

  - yet are streamlined for increased efficiency.

- Effective use of the system control features:

  - embedded process controls (approval limits, data validation, etc.).

- A secured environment that meets the business requirements and is efficiently and effectively administered.

- Enabling authorized transactions and segregation of duties through application security.

- A strong IT operational infrastructure framework to support the implementation and production operation (e.g., change management, continuity of service, operations management, management and communication, monitoring, and training).

- A data conversion process that enables the accurate and efficient transfer of corporate information from existing systems.

8

Page 9: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012

An Approach to Security & Controls

Page 10: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012


An Approach to Security and Controls

Control areas (from the slide diagram):

- Project Management

- IT Operations: System Administration, Change Management, Disaster Recovery, Asset Management, Performance

- Business Process: Process Documentation, Control Risk Analysis, Control Design & Implementation

- Security: User Profiles, Infrastructure Security (Network, O/S and Database), Monitoring and Detection

- Data Integrity: Data Mapping, Data Conversion, Interfaces, Audit Trail

10

Page 11: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012


Business Process Controls

Evaluation and design of operational and functional controls around application business processes.

- Business process documentation and control identification

- Process control risk analysis

- Business process control assessments:

  - Data integrity (accuracy, completeness and validity)

  - Segregation of duties

  - Availability and timeliness

  - Confidentiality

  - Asset protection

  - Compliance

- Interface business process controls with security profiles

11

Page 12: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012


Security Management and Controls

Evaluation and implementation of information security to enable effective, efficient, and secure access to information.

- Security policies and awareness program

- Default package security configuration

- Application security profiles

- User ID and security administration procedures

- Security in supporting technologies (operating system, database, network)

- Privileged access

- Security incident monitoring and response process

- User ID and access review processes
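An added example of the access review that the segregation-of-duties and "user ID and access review" items above call for (this code is not from the slides or from KPMG): it derives each user's effective business functions from application role assignments and flags users who hold a conflicting pair. The conflict matrix, role names, function names and users are constructed assumptions.

```python
"""Segregation-of-duties review over role assignments (added example, not from the slides).
The conflict matrix, roles, functions and users below are constructed assumptions."""
from itertools import combinations

# Constructed SoD matrix: pairs of business functions one user must not hold together.
SOD_CONFLICTS = {
    frozenset({"vendor_master_maintain", "ap_invoice_enter"}),
    frozenset({"ap_invoice_enter", "ap_payment_release"}),
    frozenset({"je_post", "je_approve"}),
}
# Constructed application security profiles: functions granted by each role.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"ap_invoice_enter"},
    "AP_MANAGER": {"ap_payment_release", "ap_invoice_view"},
    "VENDOR_ADMIN": {"vendor_master_maintain"},
    "GL_ACCOUNTANT": {"je_post"},
    "GL_SUPERVISOR": {"je_approve"},
}
# Constructed user-to-role assignments as an access review would extract them.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},                       # enter invoice + release payment
    "carol": {"VENDOR_ADMIN", "AP_CLERK", "GL_ACCOUNTANT"},  # create vendor + enter invoice
    "dave": {"GL_ACCOUNTANT", "GL_SUPERVISOR"},              # post + approve own journals
}

def effective_functions(roles, role_functions):
    """Union of functions across all of a user's roles; unknown roles grant nothing."""
    funcs = set()
    for role in roles:
        funcs |= role_functions.get(role, set())
    return funcs

def find_sod_violations(user_roles, role_functions, conflicts):
    """Return {user: sorted list of conflicting (function, function) pairs}.

    Conflicts are evaluated on the combined grant of all roles, so a pair that is
    harmless within each single role is still caught when two roles are stacked.
    """
    violations = {}
    for user, roles in user_roles.items():
        funcs = effective_functions(roles, role_functions)
        hits = [pair for pair in combinations(sorted(funcs), 2)
                if frozenset(pair) in conflicts]
        if hits:
            violations[user] = sorted(hits)
    return violations

def roles_granting(roles, role_functions, function):
    """Roles in an assignment that grant the given function (to target remediation)."""
    return sorted(r for r in roles if function in role_functions.get(r, set()))

if __name__ == "__main__":
    for user, pairs in find_sod_violations(USER_ROLES, ROLE_FUNCTIONS, SOD_CONFLICTS).items():
        for a, b in pairs:
            print(f"{user}: {a} via {roles_granting(USER_ROLES[user], ROLE_FUNCTIONS, a)}"
                  f" conflicts with {b} via {roles_granting(USER_ROLES[user], ROLE_FUNCTIONS, b)}")
```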

12

Page 13: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012


IT Operational Controls

Evaluation and design of IT processes and controls related to the administration, operation, and support of the enterprise package technology infrastructure environment.

- System administration and operations management

- Performance and capacity planning

- Hardware, software and configuration change management

- Backup and continuity planning

- Help desk

- Asset management

- Data management

13

Page 14: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012


Data Quality/Integrity Controls

Evaluation and implementation of data integrity controls associated with the required data conversions and system interfaces.

- Control of master record data

- Control of setup data and user tables

- Data conversion

- System interfaces

- Audit trails

- Reconciliation
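A worked example of the data conversion reconciliation control listed above, added here and not taken from the slides or from KPMG: it reconciles a constructed legacy invoice extract against the rows loaded into the new system by record count, control total, key coverage through the data-mapping table, row-level amount agreement, and vendor references against the new master data. The field names, key map, vendor master and sample rows are assumptions.

```python
"""Data conversion reconciliation control (added example, not from the slides).
Field names, keys, amounts and the key map below are constructed assumptions."""
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed legacy open-invoice extract (what the old system reports).
LEGACY_INVOICES = [
    {"inv_no": "L-1001", "vendor": "V001", "amount": "1250.00"},
    {"inv_no": "L-1002", "vendor": "V002", "amount": "80.50"},
    {"inv_no": "L-1003", "vendor": "V003", "amount": "9999.99"},
]
# Constructed data-mapping table from design (legacy key -> new key).
KEY_MAP = {"L-1001": "INV000001", "L-1002": "INV000002", "L-1003": "INV000003"}
# Constructed rows as loaded by the conversion, seeded with defects.
CONVERTED_INVOICES = [
    {"inv_no": "INV000001", "vendor": "V001", "amount": "1250.00"},
    {"inv_no": "INV000002", "vendor": "V002", "amount": "85.00"},  # amount drifted
    {"inv_no": "INV000009", "vendor": "V404", "amount": "10.00"},  # no legacy source
]  # INV000003 never arrived: dropped during load
NEW_VENDOR_MASTER = {"V001", "V002", "V003"}

@dataclass
class ReconResult:
    legacy_count: int
    converted_count: int
    legacy_total: Decimal
    converted_total: Decimal
    unmapped: list = field(default_factory=list)         # legacy keys with no mapping
    missing: list = field(default_factory=list)          # mapped keys not loaded
    unexpected: list = field(default_factory=list)       # loaded keys with no source
    amount_mismatch: list = field(default_factory=list)  # same key, different amount
    orphan_vendor: list = field(default_factory=list)    # vendor absent from master

    @property
    def balanced(self) -> bool:
        # Matching counts alone can hide a dropped row offset by an unexpected one.
        return (self.legacy_count == self.converted_count
                and self.legacy_total == self.converted_total
                and not any([self.unmapped, self.missing, self.unexpected,
                             self.amount_mismatch, self.orphan_vendor]))

def reconcile(legacy, converted, key_map, vendor_master) -> ReconResult:
    """Compare a legacy extract with the converted rows and collect exceptions."""
    res = ReconResult(
        legacy_count=len(legacy), converted_count=len(converted),
        legacy_total=sum(Decimal(r["amount"]) for r in legacy),
        converted_total=sum(Decimal(r["amount"]) for r in converted),
    )
    legacy_by_new = {}
    for row in legacy:
        new_key = key_map.get(row["inv_no"])
        if new_key is None:
            res.unmapped.append(row["inv_no"])
        else:
            legacy_by_new[new_key] = row
    conv_by_key = {r["inv_no"]: r for r in converted}
    res.missing = sorted(legacy_by_new.keys() - conv_by_key.keys())
    res.unexpected = sorted(conv_by_key.keys() - legacy_by_new.keys())
    for key in legacy_by_new.keys() & conv_by_key.keys():
        if Decimal(legacy_by_new[key]["amount"]) != Decimal(conv_by_key[key]["amount"]):
            res.amount_mismatch.append(key)
    res.orphan_vendor = sorted(r["inv_no"] for r in converted
                               if r["vendor"] not in vendor_master)
    return res
```

Run `reconcile(LEGACY_INVOICES, CONVERTED_INVOICES, KEY_MAP, NEW_VENDOR_MASTER)` to see a load whose record counts match (3 vs. 3) yet fails on control total and on every row-level check.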

14

Page 15: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012


Project Management Controls

Evaluation and implementation of project management controls.

- Project organizational structure

- Personnel and resource management

- Financial management and budget tracking

- Vendor management

- Risk assessment/management

- Project monitoring and status reporting

- Issue/problem escalation and management

- Program change control and migration to production

- System development methodology (i.e., project initiation, requirements definition, design, construction, testing, data conversion, implementation and roll-out)

15

Page 16: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012

The Benefits and Challenges

Page 17: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012


Potential Challenges to the Integration of Security and Controls

There are typically a number of challenges that must be considered to successfully integrate security and controls into a system implementation project:

Who does the security and controls work?

- Does the system integrator have a security and controls mindset?

- What role do Internal Audit and a Compliance organization have in the project?

Timing

- When is the best time to address each of the control components?

- Has sufficient time been allowed for in the project plan?

Company willingness to change business processes to allow for better control

- Increased control often means less flexibility for users

Ability of the software package to be configured to meet business needs

17

Page 18: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012


Benefits of Considering Control During an Implementation

Our System Integration Controls approach, methodology, and tools have many benefits for your company by enabling:

- Effective use of system software and generally accepted practices to help optimize IT and business process controls

- Establishing appropriate controls and IT processes for reliable system operations and administration

- Developing appropriate data integrity controls to minimize system interface and data conversion risks

- Defining sound information security controls and processes to protect information assets

- A risk-based approach that focuses effective controls design on the highest-risk areas

18

Page 19: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012


Contact Information

Timothy N. Schmutzler, Principal

KPMG LLP, Two Financial Center, 60 South Street, Boston, MA 02111

Tel 617-988-6349, Fax 617-904-1841, Cell [email protected]

Rory Costello, Partner

KPMG LLP, 515 Broadway, Albany, NY 12065

Tel 518-427-4826, Fax 518-689-4733, Cell [email protected]

19

Page 20: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012


Questions

20

Page 21: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012

New York’s Statewide Financial System (SFS)

SFS Overview

and

Some Key Control Issues

Page 22: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012


22

SFS Overview

Goal: To replace the State Comptroller’s aging Central Accounting System and disparate agency financial management systems with one integrated statewide system.

Sponsors: Jointly governed by the Office of the State Comptroller and the Division of the Budget

Software: Oracle PeopleSoft Financials (v. 9.0)

Consultant Partners: System Integrators – IBM and Deloitte; Quality Assurance – KPMG

Go-Live: April 2012 (Phase 1)

Page 23: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012


23

SFS Overview (continued)

Users: 61 State entities (Phase 1); 13 State agencies (future phase). When fully implemented:

- 9,800 core agency users

- 80,000+ State employee travelers

- 100,000+ vendor users

Cost: $250–$300 million (by end of SFY 2012-13)

Organization: New State entity/agency created to manage the project and operate the system – SFS

- Approximately 150 State employees (supplemented by consultants)

- Office of the State Comptroller’s CIO provides data center, network operations, storage and other technical support services to SFS.

Page 24: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012


24

SFS – Some Key Control Areas/Issues

Authority/Roles/Responsibilities: Preserving the authority, roles and responsibilities of the Governor and Comptroller in regard to State financial management

Application Design: Implications of key design/configuration decisions

Data Conversion/Validation: Implementing an entirely new Chart of Accounts for the State of New York

Ability of Software Package to Meet Business Needs: Challenges where business processes and software meet

Continuity of Business Operations: Ensuring business continuity – and managed expectations – during the conversion/cutover process

Page 25: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012


25

Additional Information

Internet Resources:

For additional information on the SFS Program: www.sfs.ny.gov

For more information on the NYS Office of the State Comptroller: www.osc.state.ny.us

MY CONTACT INFO:

- Christopher Gorka, Asst. Comptroller, Division of Payroll, Accounting and Revenue Services, NYS Office of the State Comptroller; (518) 408-4187 (office), (518) 257-6251 (cell); e-mail: [email protected]

Page 26: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012


Questions

26

Page 27: Effective Internal Controls During ERP and Other Enterprise System Implementations March 22, 2012
