How to conduct a thorough ERP audit
The Oxford Dictionary defines an audit as an official investigation of an organization’s accounts, typically by an independent body. An ERP audit is an investigation into aspects of that organization’s ERP systems with an opinion as to the adequacy of the ERP. An ERP audit expresses an opinion on whether the records and processes are adequate.
ERP, of course, is a large, wide-ranging set of tools. Adequacy can be defined from many perspectives, which leads to the objective of the ERP audit. What will be the objective of your ERP audit? There is no one right answer.
A compliance audit can be internal where you evaluate whether documented procedures are followed and whether there are documented procedures where necessary for processes people currently follow. Observe any person and document their actions and behaviors. Match those behaviors against the procedures as written that person is supposed to follow. Variances might mean that person needs encouragement to work according to the procedure manual. A variance might also show that the manual needs some updates. Much of the work in an organization requires data entry into the ERP or requires a person use ERP to make an optimal choice. Ensure the touch points related to ERP are covered in the documented procedures.
Compliance audits can also be external, such as a medical device business following GMP, or good manufacturing practices. Another business with connections to Europe should follow GDPR, the General Data Protection Regulation. Your business data is kept within your ERP. What data is subject to GDPR? Your audit might first identify all data within your ERP that is subject to GDPR. Your audit then evaluates whether the protection of that data is adequate.
Auditing along a process could be your objective. Look at your purchase order processes, for example. Your business probably has levels of authority to authorize spending. A level one buyer might be authorized to make purchases up to $2,500 and your chief executive officer might have a limit of $250,000. Are these levels set within ERP ensuring any purchase order has proper authorization?
In a business with inventory, many purchase orders with high value will be to purchase inventory items. Your audit might verify there is an actual customer order or an approved forecast serving as a demand before approval of an inventory purchase.
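The two purchase-order checks described above (approval within the approver's authority level, and a demand behind every inventory purchase) can be run against an export of ERP data. This is an added example, not part of the original article: the record layout, role names and sample rows are constructed, and only the two dollar limits come from the text.

```python
from decimal import Decimal

# Authorization limits by role. The two figures come from the article;
# the role names are assumptions made for this example.
LIMITS = {"buyer_l1": Decimal("2500"), "ceo": Decimal("250000")}

# Constructed sample export of purchase orders (not real ERP data).
PURCHASE_ORDERS = [
    {"po": "PO-1001", "amount": "1800.00", "approver_role": "buyer_l1",
     "inventory": True, "demand_ref": "SO-501"},
    {"po": "PO-1002", "amount": "7400.00", "approver_role": "buyer_l1",
     "inventory": False, "demand_ref": None},
    {"po": "PO-1003", "amount": "98000.00", "approver_role": "ceo",
     "inventory": True, "demand_ref": None},
    {"po": "PO-1004", "amount": "300.00", "approver_role": None,
     "inventory": False, "demand_ref": None},
    {"po": "PO-1005", "amount": "2500.00", "approver_role": "buyer_l1",
     "inventory": True, "demand_ref": "FC-2019-Q1"},
]

# Constructed: customer orders and approved forecasts currently open.
OPEN_DEMANDS = {"SO-501", "FC-2019-Q1"}


def audit_purchase_orders(orders, limits, open_demands):
    """Return (po, finding) tuples for every order that fails a check."""
    findings = []
    for order in orders:
        po, role = order["po"], order["approver_role"]
        amount = Decimal(order["amount"])
        # Check 1: the approval must exist and be within the role's limit.
        if role is None:
            findings.append((po, "no approver recorded"))
        elif role not in limits:
            findings.append((po, f"unknown approver role {role}"))
        elif amount > limits[role]:  # "up to" the limit is allowed
            findings.append((po, f"amount {amount} exceeds {role} limit {limits[role]}"))
        # Check 2: an inventory purchase needs a matching open demand.
        if order["inventory"] and order["demand_ref"] not in open_demands:
            findings.append((po, "inventory purchase without customer order or approved forecast"))
    return findings


if __name__ == "__main__":
    for po, finding in audit_purchase_orders(PURCHASE_ORDERS, LIMITS, OPEN_DEMANDS):
        print(po, finding)
```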
ERP risk audit
SOX, the Sarbanes–Oxley Act, requires businesses to assess various kinds of risk. ERP systems contain the transactions of all kinds that yield that business’s financial statements. While the SOX Act suggests a top-down approach to controls, our audit might look from the bottom up, beginning with individual transactions to assess risk. Are there appropriate controls over the transaction and who is allowed to enter that transaction? Is the ERP configuration designed to lead a person toward the optimal choice as transactions are required?
We can look at an ERP audit from a systems perspective too. Do we have the right hardware and network to best support our use of ERP? Are any users suffering slow processing because their computer is obsolete or improperly set up? Is our wireless network consistently available in the back corner of the warehouse? What is our actual downtime related to server or cloud access compared to our standards? Are those downtime standards appropriate for our business?
Security is extremely important and an ERP audit based on security will find areas for improvement. Begin with examining which users have access to system data and the limits set. Financial records should generally belong to the accounting department. Engineers might own part numbers and bills of material. Other users can view engineering records but not have the ability to make changes. You might find that a warehouse clerk needs to update the approved warehouse for a part but write access is only available to engineering. The easy solution is to open up access to that warehouse clerk while establishing some control to ensure no misbehavior is allowed. We also could develop screen personalization, a simple form of customization where that clerk can update only the fields they need but can only view other fields.
Mobile access to ERP data is necessary today when users need to use their smartphone to remotely perform their jobs. The same mobile access opens the ERP system to the outside perhaps bypassing the firewall designed to protect ERP data.
How well is the ERP protected from industrial espionage? Can anyone copy data such as customer and supplier lists? This month, in December 2018, Intel sued a former engineer who is accused of stealing plans for a new product by copying information into a thumb drive before leaving to take a new job.
Lean-thinking businesses will use their audit to search for waste in their ERP. Taiichi Ohno of Toyota first defined seven wastes to eliminate. Every one of those wastes is connected to ERP.
Overproduction means making a product before it is needed. ERP configurations are rules we set to govern how ERP helps us make decisions. Check that we have not set minimum order quantity levels that produce overproduction. Look within ERP too. We could be overproducing data that does not add value through incorrect types of transactions.
Waiting is the second waste. Certainly, we do not want inventory waiting; it should continue movement adding value until it is ready for our customer to use. How about users waiting for system access? Whether the cause is inadequate infrastructure or too few licenses for our ERP system, waiting is a waste.
Transporting a product for further processing does not add value. Are there situations where we still use the old “sneakernet” where someone walks to the next room to complete a transaction? This, too, is a waste to be found and fixed.
Look for inappropriate processing in our ERP through an audit. Do we require management approval for transactions that can be made correctly by a trained user? Have we built workflows, combining a series of individual transactions into a single, controlled, flow?
Unnecessary inventory of products is an obvious waste. An ERP audit can spot unnecessary inventories of other types. One is transaction inventory, where we use batch processes to post transactions at set intervals. Downstream work might be delayed or even a downstream user forced into a sub-optimal choice through lack of information.
Excess motion can be a defect in the ERP system. Have we limited computer access in production areas causing shop floor workers to stop work and move to where the terminal is to enter their transactions? When they arrive, do they need to remove gloves and other personal protection equipment or is our system ready to use with touch screens and measuring tools linked to the ERP through USB connections?
Defects are a waste that includes ERP transactions and data as well as the inventory of products. An audit will find those defects. We can now use Pareto analysis to identify those defects that cause the most problems and occur the most frequently.
Validate ROI used to justify ERP
When we chose the ERP system we use today, we justified the purchase and implementation through certain returns on that investment. We could audit our use of that ERP to quantify those returns after implementation. We planned to save payroll expense by reducing our labor force because of gains from ERP. Has that reduction in force been completed and did we realize the savings expected? We made assumptions of the costs related to ERP implementation and maintenance of the ERP system. What are the actual costs as compared to those assumptions? If we promised a return on investment of 7.5%, has the business seen that return?
Building your audit team
Whatever your audit objectives, a team to perform that audit is needed. Who should staff your team? A good rule of thumb is to choose people outside the domain of the audit. Engineers should not audit bills of material, but financial people have the understanding of complex data relationships and could perform the audit. Auditors must be people who can think critically and spot flaws in logic. They must also be agile enough to understand when a user-developed workaround is an improvement from the expected process flow. The developers of your ERP cannot have understood every situation possible but they did their best.
Auditors often are called to the team as needed and have “day jobs” to perform too. Management must understand the importance of an ERP audit and provide supplemental resources, perhaps temporary workers to perform some of the auditor’s regular work. That resource could also be overtime or bonus pay rewarding the auditor for the additional time required during the audit.
Management also must empower the auditors, giving them the authority to investigate work related to their audit and supporting their audit findings when those findings might fault the owners of the audit’s domain.
Audit leads to actions
If an ERP audit is to add value, it must lead to actions. Faults or defects found need to be corrected. Those faults also have a priority. Some are minor and can be immediately corrected. Others are significant and must be corrected immediately with little regard to cost. Other fault corrections will be scheduled for later actions. These cannot be forgotten; they should remain on an active future work schedule, reviewed by top management until completed.
The final action is to perform another audit. All the findings are corrected now, but we humans always find ways to create more faults. Our business situations evolve too so an audit that passed yesterday’s conditions might fail in today’s condition.