ERP Customization Auditor Perspective
ERP system implementation is one of the most transformative investments any organization makes during its tenure. By integrating various systems and processes, the organization's productivity is expected to move to the next orbit. ERP consultants normally insist that the organization should avoid or minimize customization to ERP.

In the world of ERP implementation, the most commonly debated term is “customization”. Unfortunately, people tend to interpret “customization” in different ways, which adds to the discussion. For simplicity and ease of understanding in this article, let us go by the common perception that any development activity outside the ERP-supplied software code is considered an exception. Such customization is carried out when the business / operative environment cannot be mapped onto the ERP through standard configuration management. There are also views and counterviews on the process of customization and about how much is the right level of customization.

ERP customization has its own merits and demerits, as depicted below:

Case Against ERP customization
· Requires deep understanding of the underlying technology
· Creates difficulties in probable upgrades to the next version
· Reflects that the organization is unwilling to adopt best practices and sticks to an older view
· Tends to become person / developer dependent

Case For ERP customization
· Personalized experiences are the need of the end users / management
· By definition, every organization needs to create its distinct identity through differentiated processes and not follow standards
· Organizational dynamics and technology changes are too rapid, and heterogeneous platforms are the reality. System integration becomes a challenge. Shadow IT

There are ample surveys and internal discussions as to what is considered an ‘acceptable level of customization’.
Irrespective of the decisions taken by the management / technology teams, the risks of customization are universal, and all customizations pose challenges to the Audit team. To handle them, Auditors need to understand the purpose, types and modes of customization and the risks that arise out of them. Auditors need to determine how the control environment is impacted and formulate their opinion.

Purpose of customization:
· Business Functionality: Enquiry Quotations. Extended functionalities do exist (YSTORE, ancillary).
· Regulatory Compliance: All ERPs have country-specific parameters built into their features. However, regulatory bodies and governments announce certain schemes, plans, checks and balances that need not conform to the ERP design.
· Operational – Batch uploads, reconciliation, BDC? BAPI? RFC? Efficiency improvements.
· Structural – Complex, dynamic, decision-making authorities, job rotations
· Technical – Scalability, housekeeping, partitioning, interfaces

Types of Customization:
· Changes in User Interface – These adapt the design of screens / dialogues to give a personalised experience. Operational efficiency, effective utilization, off-line updates.
· Reports / documents / forms – Ease of availability of information. Forms suitable to organizational needs.
· Monitoring Programs – Workflows – Enable users to select the steps in a business process and sequence them
· Functionality extensions – Integration with other applications / technologies
· Modifications of existing functionality
· Role customization

Modes of customization:
· Add-on development
· Permissible exit points
· Interface building
· BDC
· Core changes

Transaction Risks:
– Improper customization
– Hidden activities
– SoD (segregation of duties)
– Improper housekeeping
– Interface errors
– Over-engineering and non-utilization
– Cost of customization
– Efforts for analysis, development

Control building through customization

Normally, customization to ERP is considered unhealthy from a control environment perspective.
However, a good, well-thought-through customization can actually help organizations achieve a better control environment by several means. By consolidating data generated at diverse points, it can reduce dispersion of data. This also helps in reducing duplication / inconsistency of data and reconciliation overheads. Mid to large organizations, especially those operating in a multi-industry / multi-location environment, do have process variances for niche conditions. Understanding and mapping the processes on customized software can help standardization of processes. In today’s technology-driven, dynamic organizations, there exist multiple application systems / mobile applications. It is desirable that they have better integration with the core ERP system. Complex system validations / system-based approvals can be better handled through customization.

Substantive testing is required if the Auditor sees the possibility of technology risk getting translated into financial risk, regulatory risk or, in the worst case, fraud risk. Approval-based controls, internal calculations, statutory submissions and financial postings need to be examined at a deeper level. In the case of customization to reports, or authorization given to access data in query mode, the risk of sensitive data exposure should also be considered. In all cases, Auditors need to insist on documentation, a controlled change management process, valid test plans, user sign-offs, audit trail management and complete accountability for transactions as well as system activities.

Conclusion:

Understanding the ERP control environment requires effort. Customization to ERP is very often dealt with subjectively in the organizational environment, depending on the interpretation of various interest groups. Auditors need to stick to the basic principles of objectivity and independence. They need to study the exact impact of customization on the control environment before forming an opinion.

This article was also published in Institute of Internal Auditors in April 2017.