Professional Documents
Culture Documents
48009/2_iis_2008_578-586
need to implemented only once. As the system risks, and ability to manage risks in four different
resides in one centrally controlled database, the risk categories (operational, financial, technical, and other
of privacy violation can be identified more easily and risks); (iii) changes in costs associates with risk
the steps necessary to satisfy privacy constraints can identification; and (iv) the mechanism followed to
be implemented more readily. Integrated systems acquire special skills needed to carry on internal audit
provide for improved audit planning and execution. If functions in an ERP environment.
a new government regulation requires the
organization to institute a new internal control, is has We sent hard copies of the survey to the members of
to be incorporated only once into an integrated the New York Chapter of the Institute of Internal
system [9]. Auditors. We received nine responses from internal
auditors at member organizations that had adopted
On the other hand, the complexity of an ERP system ERP systems in some part of the organization.
creates additional risks during both the Subsequently, we posted an online version of the
implementation and the operational stages. During survey on the Institute of Internal Auditor’s online
the implementation, the organization faces risks due survey site http://www.theiia.org/guidance/
to possible poor project planning and control, benchmarking/flash-surveys/. We received an
dependence on external consultants and integrators, additional 38 responses. Our findings below are bases
resistance to organizational change, and lack of on responses both sources.
specialized skills needed to customize the system and
populate it with organizational data [5, 11, 12]. Even For sake of brevity, we have not provided charts and
when implementation is relatively smooth, risks graph for every category but only the ones that
remain during the operational phase. An integrated describe the main effects. More detailed survey
environment often precludes the possibility of results as well as the survey instrument are available
switching to a new system for an individual function, from the authors.
even if the new system has better functionality and
easier maintenance routines. An integrated system INTERNAL AUDITORS’ ROLE DURING ERP
presents the possibility that a small glitch introduced IMPLEMENTATION
in one part of the system, perhaps as part of a routine
maintenance activity, brings down the entire system Despite the significant organizational risk associated
potentially disrupting the firm’s business operations. with change management that often results from an
In essence, the benefits of a unified integrated system ERP implementation, involvement of the internal
are traded off against the risk diversification achieved auditors in ERP implementation was not as heavy as
with multiple, independent systems. Integrated we had expected; only in one third of the cases,
systems also complicate audit planning as the auditor internal auditors were proactively involved in change
must gather evidence encompassing the entire system management. Despite their lack of involvement in the
in an integrated manner [1, 7] implementation process, majority of respondents felt
that their firms followed structured processes for
While there have been many studies of the risks in change management associated with the ERP
ERP implementations, there is not much research on implementation.
the role that internal auditors play in ERP adoption
and the impact ERP systems have on internal We were surprised to find that internal auditors were
auditors’ abilities to manage risks. In this work, we not as actively involved in defining and
address this gap. We surveyed a group of internal implementing internal controls as new modules
auditors to explore the effects of ERP systems on implemented and existing modules are enhanced or
internal audit functions. In particular, we wanted to maintained. Only a quarter of respondent were
identify how ERP systems affect risks faced by an heavily involved in building internal controls and
organization and how ERP systems affect internal only one-fifth of the respondents were involved in
auditors’ ability to identify and manage these risks. business process reengineering efforts. These issues
Our survey asked the respondent to identify (i) perhaps reflect a broad perception that ERP
background information (characteristics or the implementation are often led and managed by
organizations, systems implemented, and role of information systems groups and not treated as
internal auditors in the implementation process); (ii) enterprise wide efforts.
changes in level of risks (using qualitative scales like
increase, decrease or no change), ability to identify
20
15
10
0
Heavily involved Somewhat involved Not involved
Figure 1. Role of internal auditors in defining internal controls during ERP system
implementations.
THE IMPACT OF ERP SYSTEMS ON RISK training, with the biggest improvement in assessing
HR and procurement related risks.
Once the ERP system implementation is complete,
the organization does not have to deal with the In the financial risk category, we include liquidity
project risks. During the operational stage, the focus and credit risk, and price risk (arising because of
becomes identifying and managing ongoing risks. In exposures from such sources as interest rates,
the next part of the survey, we asked the respondents currency, stock prices, and commodity prices.). ERP
to identify the whether the ERP system led to systems seem to reduce financial risks while
changes in the level of ongoing risks and, and improving an internal auditor’s ability to assess and
irrespective whether the risk level changes or not, manage these risks. Specifically, liquidity and credit
how it has affected their ability to assess and manage risks decreased, or at the worst, stayed the same for
these risks. We grouped risk factors into four all firms. Only two respondents indicated increase in
categories: Operational, Financial, Technological and the price risk. ERP systems led to improvement in
Miscellaneous (see Table 1). internal auditors' ability to assess and manage these
risks, with the largest improvement for the price risk.
In the operations risks category, we include factors
relating to physical processes (e.g., disruption in In the technical risk category, we included factors
production cycles, procurement, human resources, associated with adoption of information technology,
quality assurance), external business environment network, and data center operations, quality in data
(e.g., change in competitive landscape), and customer and application, availability of technical skills.
relationship management. Our survey indicates that Despite their ability to provide an integrated
ERP systems reduced the level for risk for most application platform, thereby eliminating many
factors. The only exception is risk associated with the unnecessary data entry steps and awkward interfaces,
user training that saw a slight increase. ERP systems surprisingly, ERP systems were perceived to increase
lead to improvement in internal auditors' capabilities technology risk. The biggest increases were noticed
for risk assessment in all categories including user in maintenance (modifications, upgrades, and
migrations to new systems) and personnel issues. fraud, regulatory noncompliance, and financial
However, the ERP system also perceived to provide reporting errors. In addition to risk reduction, our
better tools to assess and manage technology related survey also seems to indicate a significant
risks. For all risk factors, more respondents felt that improvement in the organization’s ability to assess
ERP systems improved their risk management ability and manage the risk associated with these factors.
than those that did not. Similar to this observation, the results indicated that
ERP adoption leads to reduced risks of privacy
In the miscellaneous risk category, we include violation and provides a better mechanism for
factors associated with fraud and reporting errors, assessing and managing this risk. ERP systems seem
compliance with regulatory requirements, political to have minimal effects on risks associated with
and legal, privacy violations. ERP systems seem to legal, political, environmental, and international
make a significant reduction in risk associated with issues.
Number of Responses
35
30
25
20
15
10
5
0
35
30
25
20
15
10
5
0
35
30
25
20
15
10
5
0
Relationship
Production
Assurance
Operational
Procurement
Product Risk
Resources
Customer
Training
Quality
Sourcing
Human
User
and
Figure 3. Effects of ERP system adoption on operational risks. About as many respondents
thought that the levels for operational risks have increased as the ones that
thought the levels have decreased. However, the ability of auditors to assess and
manage these risks has improved.
Negative impact (increased risk level; worsened ability to asses the risk
assess, worsened ability to manage the risk)
No change
Positive impact (increased risk level; worsened ability to asses the risk
assess, worsened ability to manage the risk)
35
30
25
20
15
10
5
0
35
30
25
20
15
10
5
0
availability
Integrity of
Maintenance
(physical &
Network &
Support
with other
Interfaces
Personnel
System
programs
hardware
systems
Security
data &
logical)
issues
Figure 3. Effects of ERP system adoption on technology risks. For most risks in this
category, the levels of the risks have increased. However, the ability of
auditors to assess and manage these risks has improved.
Negative impact (increased risk level; worsened ability to asses the risk
assess, worsened ability to manage the risk)
No change
Positive impact (increased risk level; worsened ability to asses the risk
assess, worsened ability to manage the risk)
COST OF MANAGING RISKS cost associated with managing technology risks goes
up. It would be interesting to see if the pattern holds
While there is no consistent pattern over all it does as the ERP systems become more mature and skill
seem that the cost associated with managing sets available for maintaining and managing skill
operations and financial risks goes down while the become commonplace
0
Operations Financial Technology
Figure 2. Effects of ERP system adoption on cost of managing risks. The costs for
managing operational and financial risk has not changed significantly but the
costs of managing the technology risk has gone up.
INTERNAL AUDIT STAFFING AND on process review and quality assurance. Only two
PERSONNEL ISSUES respondents indicated that quality assurance and
process review receive somewhat less emphasis after
ERP systems have led a significant shift in the overall ERP adoption.
focus in the internal audit function. An integrated Adoption of ERP system also creates a need
environment leads to elimination of many points of for additional skills in the internal audit groups. In
failure by eliminating manual work and document the new environment, internal auditors have to have
flows. In an ERP environment, internal auditors enough knowledge and skills to understand of the
should then spend less time in crisis management and internal workings of the ERP system adopted by the
resolving problems once they have arisen and more organization. We asked our respondents to identify
on making sure that the internal controls are how these additional skills being acquired. The
functioning properly. As we mentioned earlier, responses were widely dispersed. Although some
internal auditor in our sample were not as heavily firms were willing to engage outside consultants or
involved during the implementation stage yet most hire new employees, most firms chose to acquire
seem to think that ERP systems allow them to spend these skills through training and reskilling current
less time on managing problems and much more time employees. Most companies view the ERP system as
a long-term commitment, are willing to invest in Given the increasing demand for ERP related skills,
employees who they believed would stay with the we had expected a more pronounced shift. Of course,
company. Independent study, classroom instruction, employers may have been responsive in countering
and seminars were the primary means of staying higher wages offered in the market. Alternatively,
current on ERP systems. internal auditors may have seen greater job stability
in being involved early in a complicated new
Internal audit groups experienced only a small shift system’s implementation and traded job stability off
towards higher turnover after ERP implementation. against the possibility of higher wages in the market.
12
Number of Rsponses
10
0
Much more Somewhat About the Somewhat Much less
emphasis more same less emphasis
emphasis emphasis emphasis
Figure 5. ERP systems adoption leads to a change in emphasis from problem solving to
more process modeling and quality assurance.