289.F基于ERP环境下的企业内部审计 外文原文

1、internal audit of enterprise with implementation of erpsteven m.glover,douglas f.prawitt,marshall b.romney abstract：legacy systems are being replaced at a rapid pace by enterprise resource planning (erp) systems, such as sap r/3, peoplesoft, and baan, often with great benefits to the organization, b

2、ut sometimes with painful side effects. since it is managements responsibility to plan and carry out a successful systems implementation, most difficulties and failures cannot be attributed to shortcomings on the part of internal auditors. however, internal auditors can be part of the solution by be

3、ing appropriately and actively involved in erp adoptions, from start to finish. by understanding the risks most commonly associated with erp implementations and appropriately leveraging their core skill sets, internal auditors can become important members of the organizations strategic erp implement

4、ation team.1.an erp introductiondiscussions with representatives from several companies that use erp, systems reveal that these organizations have all made similar mistakes. the story of biz inc., a large, mythical corporation whose experiences mirror those of actual organizations, demonstrates what

5、 can, and often does, go wrong in an erp systems implementation.a good start bizs decision to switch to erp was based on sound business reasoning. costs to maintain the mainframe-based information system had escalated in recent years because the manufacturer no longer supported the model used by the

6、 organization. in addition, arnold jackson, the assistant vice-president in charge of information systems, recognized that client/server systems represented the future of computing. it was time for a change.arnold and his staff prepared a general plan that broadly outlined how the organization could

7、 migrate to a client/server system. they also engaged one of the major public accounting firms to help them determine their information system needs and recommend possible solutions.after interviewing several users, the consultants identified three software products that would meet bizs needs. they

8、also recommended one package they considered to be a best fit for the organization.the problems begin unknown to arnold and other management, biz s parent organization had also been planning a move to a client/server environment. unfortunately, they had chosen a different erp package than the one re

9、commended for biz. although biz was basically self-directed and autonomous, the larger parent organization strongly suggested that biz select the same software. since their choice, brand x, was a leading erp package and was among the three suggested by bizs outside consultants, biz agreed.biz hired

10、a different consulting firm to help with the implementation. as a result, three groups were directly involved: brand xs support staff, the outside consultants, and bizs own information systems staff. although a general implementation plan was outlined, a detailed adoption and testing plan was never

11、developed.biz chose the public-sector version of brand x instead of the commercial one adopted by the parent company. unfortunately, the public-sector version was relatively new, not well tested, and designed primarily for governmental entities - not for bizs type of organization. the system couldnt

12、 handle some of the basic tasks biz expected it to perform, such as budget encumbrances, and k didnt process returns, credits, or blanket orders in a manner consistent with bizs operating environment.biz took comfort in the fact that expensive consultants were on the job and quickly got the project

13、off the ground. however, it soon became evident that they were not familiar with the public-sector version of brand x. more importantly, the consultants did not thoroughly understand biz or its industry.the consultants lacked the big picture perspective of the companys business operations and were u

14、nable to suggest ways biz could reengineer their processes to facilitate erp adoption and increase efficiency and effectiveness. when biz asked the consultants can we do this? the consultants answered,yes, we think we can make that work. a more informed answer would have been something like, we prob

15、ably could, but we do not recommend that. we suggest the following.at the same time, biz personnel were busy dealing with the daily demands of running the existing system and didnt spend a lot of time thinking about these issues. by default, biz and the consultants resorted to making the new system

16、mirror the old one in look and feel, thinking this approach would minimize the suffering associated with the new system. in doing so, the weaknesses of the old system were ignored and, in fact, painstakingly designed into the new system.time to hit the switch after more than a year, bizs management

17、was frustrated with the amount of time it was taking to complete the project. they were also approaching the end of the lease on the mainframe and did not want to incur the high cost of renewing it. as a result, the end of the lease term was set as a firm date for shutting down the mainframe and goi

18、ng live with the new system.while establishing a deadline motivated bizs implementation team, the drop-dead date unfortunately came before the new system was ready. the system was inadequately tested, and it was not yet operating in parallel with the old one.problems and glitches are inevitable in a

19、ny project of such magnitude; but in this case the new system literally slumped and died. first, the system encountered transactions it could not handle; then it froze completely due to the volume of transactions generated.during this difficult time, work-around procedures were developed. to address

20、 the volume issue, the organization processed transactions in split shifts. when the problems persisted, the company abandoned the purchase requisition portion of the erp package and opted instead to prepare and process these documents manuallyfurther investigation revealed a partial source of the p

21、roblem. instead of customizing the database set-up to optimize their business processes, biz had simply accepted brand xs defaults. tweaking the database so that it better fit their needs increased the systems processing speed, but it was still unacceptably slow. the team finally determined that the

22、 systems deficient performance was due to the developers poorly written code.biz successfully convinced the developer that inherent problems existed in the way the package processed data. unfortunately, since the next version of the software was in development and because bizs version was now two ge

23、nerations old, the developer no longer supported the software. as a result, biz employees had to alter the code themselves in many situations.damage assessment the long-term effects of these problems were significant and widespread. previously well-managed processes were left running with little con

24、trol or accountability so that the organization could function. biz fell behind in payments to its vendors, a real blow to an organization with a previously impeccable record and reputation. the new purchasing system was implemented at the end of the fiscal year when most of bizs capital expenditure

25、s are typically made, further compounding the problem.in addition, people at all levels of the organization were unable to obtain critical information for several months. even after some information became available, the erp modules did not integrate as well as expected. key reports generated by the

26、 old system could not be generated by the new one, and queries that were automated under the old system had to be performed manually after erp adoption.one year later, problems still exist. process cycle times are slower under the new system. in addition, the organizations internal auditors indicate

27、 that the system still lacks critical controls. this deficiency is partially attributable to the nature of client/server systems, where accessibility is much more widely distributed. but the problem is also partially due to the fact that neither bizs systems personnel nor the paid consultants unders

28、tood the nature, importance, and value of well-controlled business processes.not surprisingly, a considerable amount of finger-pointing has occurred between biz management, brand x, the technical consultants, bizs systems staff, and the internal auditors. each constituency assumed the others were de

29、aling with critical issues throughout the process.while not every erp implementation is so painful as bizs, scenarios of this kind are surprisingly common. mistakes can be avoided, however, by learning from such struggles. bizs experience offers many lessons for internal auditors, especially when on

30、e carefully considers the decisions and their outcomes.be proactive, and dont be intimidated by the technology. while it is managements responsibility to carry out an erp adoption, internal auditors must be proactive about their contributions to the process. the internal audit department will likely

31、 be underutilized if it does not aggressively offer its services.some internal auditors may feel unqualified or intimidated by the technology or by the outside consultants. or they may erroneously assume the systems people, along with the external consultants, have things under control. however, int

32、ernal auditors possess skills that are crucial to a successful erp implementation, particularly in the area of risk management.usually an erp implementation involves changes in procedure, organizational structure, and technology, all in a compressed time period. such activity is risk-laden, requirin

33、g proper risk management strategies. internal auditors are particularly well positioned to add value in this area.remember that erp implementation is not just another systems project. the vast majority of erp implementations are not systems projects, but business transformation projects. while erp i

34、mplementations do involve operating systems and networks, these aspects will not have the greatest impact on the organization. the elements of erp that really add value are those that enhance the functional and procedural side of the business in areas such as supply chain, customer management, vendo

35、r relations, and electronic commerce.a significant difference exists in the way an organization would approach a pure systems-based project and how it should address a strategic business-transformation project involving erp. many analysts believe most of the fatally flawed projects have occurred bec

36、ause organizations failed to make this distinction.biz, for example, focused on the package, the technology, and the tactical issues of implementation. no one stopped to consider why they were implementing the software, what business advantages they hoped to achieve, and what impact those issues sho

37、uld have on their implementation decisions.early in the process, internal auditors should ask questions like, what is driving the adoption decision? implementing erp is about business process reengineering; a promise of tangible business benefits must exist. if auditors attend erp planning meetings

38、and hear the discussion focusing on operating systems, screens, and graphic user interfaces, they will know problems are ahead.get involved early. the internal audit department should become involved in the erp adoption process as soon as possible. few will understand the business processes of the o

39、rganization as well as internal auditors. their in-depth knowledge of risk and control can be extremely valuable in helping decision-makers assess whether an erp is a logical choice for the organization and, if so, which package provides the best fit.for example, as a member of the steering committe

40、e, internal auditing can be instrumental in asking questions related to risks; contingencies; available resources; costs; fit of the new software to core business processes; expected role of the internal audit department; and controls. these questions are especially important during the planning sta

41、ges of the project.in bizs situation, an internal audit representative participated on the steering committee and identified some concerns. however, the concerns were inadequately addressed by the project manager and the systems team. with the benefit of hindsight, the internal auditors wish they ha

42、d been more tenacious.for example, the auditors asked the project manager about plans for implementation. however, biz never developed an adequate implementation plan that considered issues such as critical milestones, risks, testing, and back-up contingencies. it is clearly not internal auditings r

43、ole to prepare such plans; but bizs internal auditors indicate that if they had it to do over again, they would perform a thorough audit of the development plan and make specific recommendations to management regarding the plans adequacy.an audit of bizs plan would have accomplished at least three t

44、hings. first, it would have motivated those responsible to prepare a more detailed plan by a given date. second, it would have given the internal auditor an opportunity to contribute directly to the quality of the erp implementation. third, the internal auditors report would have provided a vehicle

45、to inform higher-level management of the strengths and weaknesses of the implementation plan. the report would have also provided a basis whereby management could hold the implementation team accountable during the implementation process, rather than just after the fact.develop key competencies by b

46、uilding on existing strengths. even the most technologically challenged internal auditors can effectively build on their core business, risk, and control knowledge by obtaining a broad understanding of the issues germane to erp implementations. auditors can gain such understanding quickly and effici

47、ently by (1) reading articles in professional publications and on the internet and (2) communicating with other internal auditors who have been through the process.because erp packages are enormously complex, a successful implementation team possesses various skills. some of these essential skills i

48、nvolve experience and knowledge in project management; change integration as it relates to training and education, performance measures, and communications; technology or application understanding; systems-development skills, particularly with interfaces and conversions involving legacy systems; and

49、 resource planning infrastructure.it is unlikely that any single audit department will bring all these skills to the table. rather, internal auditors should develop those skills that will have the greatest impact on the organization. in erp implementations, these critical skills relate to the functi

50、onal side of the business rather than the technical side. developing knowledge of operational areas such as supply chain, customer management, vendor relations, and electronic commerce is more valuable than trying to become a technology expert.dont assume the systems team and the consultants have co

51、nsidered risk, control, and auditability. in bizs experience, the internal systems team and the external consultants were quite competent technically; but they lacked both experience with the companys business environment and a fundamental understanding of risk and control issues. they often did not

52、 consider the big picture, focusing instead on time-consuming technical issues - how do we clear up this glitch? instead of what would be the best way to do this? or what are the risks involved if we make this change? such will not always be the case, but one can safely bet that scant attention will

53、 be paid to internal control and auditability issues unless the internal or external auditor becomes proactively involved.erp packages come with a number of built-in controls that can be utilized. however, a cost is associated with every control; and internal auditors need to think carefully about w

54、hat a control is intended to accomplish before turning it on. most organizations do not want security and control for their own sake, but to manage risks.stay informed throughout the process. even if an internal audit shop enters an erp implementation with a proactive frame of mind, management ultim

55、ately determines internal auditings level of involvement. at minimum, internal audit should keep abreast of the progress of the implementation and of the key decisions management is making, especially with respect to issues such as timing of conversion, fundamental changes in business processes, use

56、 of both exogenous and endogenous controls, and migration plans. these decisions can significantly impact the work auditors will perform in the future and should be taken into account in designing future audit plans and programs.stay objective, but roll up your sleeves and get your hands dirty. in o

57、ne erp implementation, management realized the process and the organization itself were floundering and on the verge of serious trouble. the internal audit shop was called in to help. halfway through the implementation, the internal auditors found themselves practically in charge of the entire proce

58、ss. they now face difficult objectivity issues as they audit aspects of the systems they were essentially responsible for implementing.internal auditors must be careful to avoid such situations. after all, professional standards require that internal auditors remain independent and objective. on the

59、 other hand, in most cases internal auditors are wise to roll up their sleeves and get appropriately involved on the front end.auditors can head off objectivity dilemmas by not assuming a decisionmaking role. instead, the audit team should perform audits at various stages of the implementation and include formal recommendations in their reports. such an approach not only provides valuable input, but it also gives higher-level management