
When undertaking a large investment such as an enterprise
resource planning (ERP) implementation, there is little margin
for error. It is critical for the project to be completed on
time and be as effective as possible. An organization cannot
afford to miss important aspects of an implementation,
such as efficient and effective control design, and hope to
build it in at the end of the project. Such mistakes will
delay the project and substantively increase the cost of the
implementation.
Issue
Regardless of economic or market conditions, most companies
continue to undertake some type of ERP implementation,
including enhancement and upgrades. Many tackle
full ERP implementations in order to keep pace with the
rapid development of technology and anticipated business
changes. Clearly, times have changed with regard to
project/implementation risk management and internal controls.
Previously, risk and control considerations in enterprise
system projects often were an afterthought or overlooked
altogether. Section 404 of Sarbanes-Oxley and changes in
financial reporting standards, including International
Financial Reporting Standards, are bringing risk management
and internal control considerations to the forefront of any
major ERP system change program.
Challenges and Opportunities
ERP project leaders, including major system integration
firms, are still adapting to a business environment in which
key business risks and effective control configuration of
a new system should be integral to the design and
implementation. Control design, testing and control framework
documentation are important work streams within the
project. ERP project leaders usually struggle to understand
the impact of risk management and internal controls on
their work, as well as implications for estimating, planning
and delivering major systems that will comply with financial
reporting and internal controls standards. As a result, ERP
project leaders may fail to recognize or may underestimate
the effort and skills associated with the risk management
and internal control design aspects of the project. These
knowledge gaps may lead to project delays or an
implementation that fails to embed controls properly into the new
system. The result can be a system that does not comply
with the requirements of Section 404, or one that does
comply but in a very inefficient and ineffective manner.
There are several reasons why companies may overlook risk
management and internal controls in ERP projects:
• ERP project teams typically are built around deep
  technology and software expertise. They may lack
  perspective on risk management or controls, or how the
  functions and features of the software can be tailored to
  meet control objectives.
• Practitioners of internal audit and risk management are
  not proactively involved in ERP project activities.
• Risk management and internal controls affect all aspects
  of an implementation, including business process,
  technology and user education, and require control
  specialists with ERP skills.
• ERP project leaders tend to underestimate or not include
  risk management, internal control or compliance
  requirements in requests for proposals for project
  implementation.
Our Point of View
By effectively addressing these topics up front, it is possible
to engineer a culture of compliance into the project so
that risk management, internal controls and compliance are
understood and expected throughout the project lifetime,
rather than viewed as a hindrance when the project is
operating at full speed.
Continuous focus is required throughout the project
lifecycle to manage the risks of project success and embed the
necessary activities to ensure effective internal control over
financial reporting.
Managing Risk as Part of ERP Implementations
POWERFUL INSIGHTS
About Protiviti
Protiviti (www.protiviti.com) is a global business consulting and internal audit firm composed of experts specializing in risk, advisory
and transaction services. The firm helps solve problems in finance and transactions, operations, technology, litigation, governance,
risk, and compliance. Protiviti's highly trained, results-oriented professionals provide a unique perspective on a wide range of critical
business issues for clients in the Americas, Asia-Pacific, Europe and the Middle East.
Protiviti has more than 60 locations worldwide and is a wholly owned subsidiary of Robert Half International Inc. (NYSE symbol: RHI).
Founded in 1948, Robert Half International is a member of the S&P 500 index.
PROVEN DELIVERY
How We Help Companies Succeed
We help companies identify, measure and manage ERP
implementation and compliance risks, complement
internal audit and project teams, and help leverage ERP
investments by:
• Conducting effective front-end risk assessment
• Designing effective systems controls
• Maximizing configurable controls
• Implementing sustainable compliance processes
• Enhancing risk management capabilities
• Optimizing control environment (automated versus
  manual controls)
• Evaluating and designing effective segregation of duty
  frameworks and mitigating controls
• Implementing integrated GRC applications
• Delivering ERP audits, and reducing testing time and
  costs
We help companies select, implement and manage ERP
solutions and, by focusing on compliance and managing
implementation risk, help ensure that all deployed business
processes meet control objectives. This reduces the total
cost of ongoing internal controls and compliance activities.
Example
A global manufacturing and retail company implementing
an ERP solution was looking to implement controls within
its implementation. Protiviti's ERP control specialists
teamed up with implementation project management,
internal audit, compliance leaders and the system integrator to
identify and mitigate compliance risks. Specifically, we:
• Implemented more than 150 standard configurable controls.
• Standardized financial close reports and desktop
  procedures for 19 business units.
• Defined segregation of duties and sensitive access
  requirements.
• Performed regular testing of security and control
  implementation.
• Updated the control framework prior to go-live.
• Included internal control testing steps in integrated scripts.
• Facilitated compliance discussions with external auditors,
  who significantly leveraged our control documentation
  and relied on our deliverables to perform their required
  pre-implementation testing.
We helped deliver a compliant and well-controlled ERP
system for our client that was implemented more
effectively with our risk-managed approach. The company
immediately realized the benefits of greater emphasis on
preventative and system-based automated controls. Our
client has been able to reduce its associated controls as
well as its compliance and operational costs.
© 2011 Protiviti Inc. An Equal Opportunity Employer. PRO-0611-107033
Protiviti is not licensed or registered as a public accounting firm and does
not issue opinions on financial statements or offer attestation services.
Contacts
Scott Gracyalny
+1.312.476.6381
scott.gracyalyny@protiviti.com

Carol Raimo
+1.212.603.8371
carol.raimo@protiviti.com
Ronan O'Shea
+1.415.402.3639
ronan.oshea@protiviti.com

John Harrison
+1.713.314.4996
john.harrison@protiviti.com
