
GRC effectiveness in ERP implementations

Modernizing business processes and internal controls

Companies can have a lot riding on their enterprise resource planning (ERP) investments. So why do governance, risk, and controls (GRC) often get left behind? Take a look at some of the common pitfalls of addressing GRC requirements in an implementation, along with five measures you can put into place early on to help mitigate risk and produce better outcomes for your business transformation.

A compliance mindset for ERP implementation

At the center of most finance transformations today is an ERP system implementation waiting to unfold. With so much riding on these large-scale investments, companies need their ERP implementations to contribute to an effective business transformation.

However, opportunities are sometimes missed. One of the most common pitfalls is not adequately addressing the governance, risk, and controls (GRC) requirements of the ERP implementation. It’s also one that can be avoided with adequate planning and perspective.

A compliance-focused mindset can help organizations effectively mitigate risks in business transformations and ERP implementations as a mechanism for value creation and return on investment.[1] Approaching the process through the lens of compliance by design can elevate a governance and implementation framework to a controls-conscious transformation.[2]

Five key considerations for effective risk mitigation and controls effectiveness in ERP system implementations

Why governance, risk, and controls get left behind

Effective GRC processes are foundational to improving the accuracy and reliability of a financial accounting and reporting system. Because an ERP transformation will likely introduce new capabilities and risks, it is important to maintain effective controls in all stages of the rollout and to have effective internal control processes in place once the system is in production. That means addressing governance and controls from the earliest phase (design), through implementation and testing, and finally at and after go-live. All too often, however, controls are an afterthought in the ERP system design and implementation.

But why would an organization neglect such a critical aspect of the implementation? One reason is that transformations today likely happen at a dizzying pace. Initiatives that once took five or six years to complete are now being implemented in much less time, thanks to the accelerating pace of business disruption and agile approaches.

In addition, ERP implementations require a level of integration and alignment that many enterprises are not prepared to handle because they may not have experience with these types of projects in house. Moreover, because ERP implementations are such large, complex undertakings, finance teams may not think they have the influence to put their requirements front and center in such a major IT-led undertaking.

Finally, many finance teams harbor the misconception that they can implement or improve system controls after the fact. What they don’t realize is that adding proper controls once the system is operating is an expensive and time-consuming proposition. In the meantime, threats are introduced to the underlying financial control environment, and the organization incurs unacceptable levels of risk to internal controls over financial reporting.

Common pitfalls in addressing GRC requirements

Here is a summary of some additional reasons governance and controls can get left behind in an ERP implementation:

  • Difficulty redesigning complex business processes: Deciding that processes are too complex and time consuming to redesign during a fast-track implementation keeps complex control frameworks in place that could be streamlined.
  • Complex and lengthy financial close and consolidation process: Organizations accept inefficient processes as the way it’s always been instead of taking time to envision the possibility of more efficiently designed processes and a rationalized control framework that mitigates risk.
  • “Lift and shift” implementation approach: Because the system is considered turnkey, or “off-the-shelf,” modules are considered already designed, resulting in reduced interaction with finance and accounting departments.
  • Failure to transform and streamline manual processes: Highly manual accounting and finance processes that aren’t addressed during system design and implementation will invariably result in inefficiencies and data integrity risks as well as manual controls being carried over to the new ERP system.
  • Data deficiencies: Data not structured to achieve desired agility, efficiency, and reporting results will likely lead to shortcomings in the new system such as low data integrity.
  • Project cost: Sometimes organizations are pressured to reduce the cost of the overall project by excluding regulatory or reporting controls from the scope of early project phases. This results in more costly post-go-live projects later to address these gaps.

Some steps to consider for effective GRC management during your ERP system implementation

With the importance of timely GRC activities established, here are five potential measures that can be put into place early in the transformation journey to mitigate risk and produce better system outcomes.

The risks of waiting to address GRC requirements are clear. But how early in the ERP system implementation process is early enough to begin thinking about governance, risk, and controls? A controls mindset should underlie the project from the outset.

ERP leading practices call for a close collaboration between company IT and business leaders. The old days—when IT ran the show with minimal consultation with businesses—should be relegated to the dustbin of ERP history. Again, finance and accounting staff, along with system controls, must be included from the beginning and at every phase of the ERP project. If the company lacks staff who understand both the systems and internal controls, consider including external resources with those capabilities as well.

Another potential key to success for any ERP system implementation is treating governance, risk, and control requirements as primary focuses of the system design phase. Addressing GRC requirements in the design phase should include determining how system controls will support accounting and compliance standards, such as the implementation of ASC Topic 606, Revenue Recognition.

The design phase should also focus on an effective way to standardize business processes and the system’s data structure. This phase should also address how central processes, such as procurement, expense, and capital expenditure procedures that have direct impact on accounting records, should be designed to support compliance with the relevant accounting and reporting standards.

The design and implementation of external financial reporting controls should not be an afterthought. Internal controls over financial reporting (ICFR) should have a workstream from the beginning of the project. Increasing efficiency in the financial reporting and disclosures process needs to be part of the initial planning and design phases so that missed opportunities are unlikely.

Business process redesign is essential to an effective implementation of GRC processes. GRC implementation should be an opportunity for true transformation of current processes. It is common, however, for long-standing institutional practices to cloud underlying regulatory requirements. As a result, legacy practices are frequently reimplemented in new systems in the name of compliance.

Moving inadequate legacy processes to the new ERP environment will produce substandard results. That’s why it’s important to take the opportunity to modernize the control structure. As you modernize, consider opportunities to automate manual processes and calculations that may mitigate risks, including financial, operational, regulatory, and strategic risks.

Governance, risk, and control process implementation typically focuses on the new financial and reporting environment. But let’s not forget that GRC needs to apply equally to the implementation process as well as the end system. This means understanding that there are controls around implementation itself as well as accounting and reporting operations. It is important to pay attention to both control environments. Controls around the implementation process should include managing the cutover of data and reconciling production data against source data from the old system for completeness and accuracy.

Get in touch

Isa Farhat
Accounting and Reporting Advisory, Partner
Audit & Assurance
Deloitte & Touche LLP
+1 703 251 1109

Courtney Connors
Accounting and Reporting Advisory Senior Manager
Audit & Assurance
Deloitte & Touche LLP
+1 860 725 3368

Endnotes

1. Charmaine Wilson, “Assurance by design: Insights for a controls approach to transformation,” Deloitte, November 2021.
2. Ibid.

The services described herein are illustrative in nature and are intended to demonstrate our experience and capabilities in these areas; however, due to independence restrictions that may apply to audit clients (including affiliates) of Deloitte & Touche LLP, we may be unable to provide certain services based on individual facts and circumstances.