
Phoenix ISACA Chapter Meeting

Project Implementation - Successes & Failures

October 28th, 2010

“I cannot imagine any condition which could cause this ship to flounder. I cannot conceive of any vital disaster happening to this vessel.” E.J. Smith, Captain of the Titanic

© 2010 Protiviti Inc. An Equal Opportunity Employer. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.

Straight From the Headlines

Hershey’s – In November 1999, Hershey's reported a 19% drop in third quarter net earnings, and placed part of the blame on 'computer problems'. The chocolate maker was having issues with its new order-taking and distribution system, a $112 million combination of ERP, CRM, and SCM software. – InfoWorld and CFO Magazine

Cleveland State University – Ohio's attorney general filed a lawsuit in 2004 against an ERP provider seeking $510 million in damages stemming from an allegedly faulty installation of the company's ERP and student administration applications at Cleveland State University. – Computerworld


Levi Strauss – Problems with a massive global ERP rollout have helped send Levi Strauss' 2008 Q2 results through the floor. The jeans giant reported a 98% drop in net income to $1 million and squarely blamed "substantial costs" associated with its new ERP system. – The Register

Goodyear – In November 2003, Goodyear Tire & Rubber Co. restated earnings by $84.7 million for periods going back as far as 1998, due to the implementation of an ERP system in 1999 and errors in inter-company billing systems. – CFO.com

The Hits Keep on Coming…

Invacare – Medical care company Invacare lost $30 million as a result of a bungled ERP implementation in Q4 2005. When the implementation went live, there were problems with the order-to-cash process, despite it having been tested prior to the system going live. – Invacare News Release and ComputerworldUK

Hewlett-Packard – In August 2004, HP announced that its revenues for Q3, from its Enterprise Servers and Storage (ESS) segment had gone down by 5% to $3.4 billion, as compared to the same quarter the previous year. The company attributed this revenue shortfall mainly to the problems faced in migrating to a centralized ERP system at one of its North American divisions. The total financial impact of the failure including backlogs and lost revenue was pegged at $160 million, more than five times the cost of implementing the ERP project. – Center for Management Research (ICMR) Case Study

Overstock.com – In October 2008, Overstock.com says it "failed to hook up some of the accounting wiring" and will revise more than five years of results because of problems in implementing an ERP program. The revisions to its 2003–2007 results probably will reduce revenue by $12.9 million and increase cumulative net loss by $10.3 million. – CFO.com

IT Project Outcomes

[Chart: IT project outcomes for 2004, 2006 and 2009, showing the share of projects that Succeeded, were Challenged, or Failed on a 0% to 100% scale] Source: The Standish Group International, Inc., 2009

How Projects Fail

45% cost overrun

63% time overrun

67% of required functionality delivered

(The Standish Group International, Inc., 2009)

Key Risk Factors

• Business critical applications

• Unproven or unfamiliar technology

• Complex project dependencies

• Strict time or budget constraints

• Lack of appropriate performance and status metrics

• Ineffective project


• Unclear or misaligned project objectives

• Lack of management support

• Lack of user involvement

• Project team skills or availability issues

• Ineffective project communications

• Immature project management process

• Ineffective project risk management process

When is the Right Time to Manage Risks?

Throughout the Project Life Cycle …

[Chart: Cost to Prevent/Mitigate/Remediate versus Time across the total project life cycle (Concept, Development, Implementation, Production), marking the opportunity to reduce risk and the area of highest risk impact]

Assess or Consult? - Considerations

• General Internal Audit philosophy

• State of PMO and project risk management function

• Compliance role within business/IT

• Organization's implementation history/experience

• Internal Audit resources/skills


• Involvement of 3rd parties (system integrator)

• Significance of project/system

• Internal Controls ownership/focus within business/IT


What is our focus?

• Project Management Risk

– Time

– Money

– Requirements

• Project Lifecycle Controls

• Future Internal Controls


– Application/Configurable

– Privileged Access and SOD

– Interface

– IT General Controls

– Reports

• Compliance


Project Risk Management

[Diagram: Project Risk Management framework (PMI®)]

• Project Management (Project Office): Scope, Time, Cost, Quality, Human Resource, Communication, Procurement, Risk

• Project Lifecycle: Planning & Initiation, Requirements, Analysis, Design, Development, Testing, Implementation & Rollout, Post Implementation

• Project Support: Program Office, Integration with Common Business Functions

• Project Environment: Business Environment, Process Alignment, Portfolio Management, Strategic Alignment, Corporate Culture, Stakeholders

Project Management - Focus

• Requirements definition

• Governance

• Risk/Issue tracking and resolution

• Management of customizations

• Communication


• Ownership - RACI

• Change enablement


Project Lifecycle - Focus

• CRP/UAT Development and Execution

– Scope (Functions, Role, Data)

– Test Development

– Criteria

– Involvement

– Requirements

• Data Conversion and Migration

– Strategy

– Ownership

– Resources

– Phases

– Testing


Future Internal Controls

• Application/Configurable

– Available Options and Selection of Controls

– Elimination of unnecessary manual controls

– Addition of new manual controls

– Incorporation into requirements/design

– Pre/post-implementation testing


• SOD/Access

– Foundational SOD policies in business terms

– Report Access

– Scalable role-based functional and technical design (Who is doing it?)

– User involvement & regional/business-unit variations

– Testing, mitigating and remediating

– Approval for deviations or “violations”

– Go forward management/maintenance


Future Internal Controls

• Interfaces & Reports

– Adequate definition of requirements (scope)

– Testing

– Monitoring controls (interfaces)

• IT General Controls


– User Administration

– IT SOD

– Change Management & Data Governance

• User controlled configurations

• Master Data

– GRC Tools


Overview of Oracle GRC Controls Suite

[Diagram: GRC Controls components and their functions]

• AACG (Application Access Controls Governor)

– Access Validation: SoD – ensures no conflicts of interest for a given user or role

– Continuous Monitoring: identifies user access events for validation and audit history

• PCG (Preventive Controls Governor)

– Form Restriction: enforces form-level restrictions – modifies security, navigation, field and data properties

– Preventive Validation: enforces & validates allowable values

• CCG (Configuration Controls Governor)

– Configuration Change: provides audit history of changes to critical application data

• TCG (Transaction Controls Governor)

– Transaction Validation: validates transactions against business policy rules

– Transaction Monitor: enforces & identifies transactions for validation and audit history

Additional Considerations

• Statutory/Regulatory Compliance

• Selection

• Information Security

• Data Privacy

• Cloud Computing/Outsourcing


• Disaster Recovery


Strategic Teaming Model

Project Sponsor, Business Owners and Project Management

• Provide required design and implementation resources

• Provide project and system ownership

• Manage Program Office

• Provide business strategies, processes, & requirements

Internal Audit

• Establish compliance / risk management program

• Define control and compliance requirements

• Validate controls framework

• Ensure that new processes and systems fulfill compliance requirements

• Understand, map and document process controls

• Understand and validate security, segregation of duties (SoD), and/or critical access

• Audit implementation risks

• Compare against defined audit requirements

• Attest to design and operational effectiveness of controls

System Integrator & Implementation Team

• Provide project management and be accountable for scope, functionality, budget, schedule, etc.

• Responsible for delivery – system design, configuration, development, testing, and cutover

• Provide expertise in system and related technologies

• Configure security and control recommendations based on functionality

• Integrate controls framework

Protiviti

• Enable / facilitate 'control-focused' dialogue between implementation stakeholders and other compliance parties

• Provide risk / control best practices and supporting tools

• Facilitate control-focused discussion across all phases of implementation, from gathering of compliance / risk management requirements to testing / validation of controls (e.g., security and SoD)

• Assist to optimize application controls

• Assist to enable sound security design and configuration

• Leverage knowledge and experience from projects

• Implement GRC solution to monitor and maintain environment

• Knowledge transfer to further enhance client capabilities

Implementation Risks and Methodology

Project Phases / System Development Life Cycle (SDLC): Definition, Elaboration, Build, Transition, Production

[Diagram: activities by project phase for the ERP Implementation Team / System Integrator, Internal Audit and External Auditor]

Multi-phase Activities: Project Risk Management & Guidance

• Independent Review of Project Scope & Plan

• Deliver BPO Business Concepts Training

• Design SDLC controls and identify all required SI documentation

• Update SI design documentation with proposed risks & controls

• Design IT Application Controls (ITAC) relevant to RCM

• Independent review of key design elements

• Ongoing independent review of key design elements

• Identify policy and procedure gaps for the future state processes

• Review data conversion strategy

• Define SoD Policies

• Define SoD Rule Set

• Start design of Responsibilities

• Develop / update Finance Policies that integrate with new system

• Develop data conversion and interface validation procedures

• Start Oracle GRC implementation

• Complete GRC implementation

• Complete SoD design, considering client-specific resource constraints

• Design change and access management controls

• Develop key report validation procedures

• Perform first automated assessment of SoD

• Review whether access to sensitive functions is adequately restricted

• Review the new Finance Policies as the system is configured

• Test SoD using automated tool

• Perform application controls testing

• Complete business process RCMs

• Perform & document data conversion, interface & key report validation procedures

• Participate in go live preparedness risk assessment

• Finalize security administration procedures

• Perform post go-live SoD test

• Validate effectiveness of Access & Change Management IT controls

• Compile SDLC testing results for external audit review

• Perform walkthrough of updated compliance documentation in Production

• Perform testing of ITACs in Production

• Perform testing of Key Reports in Production