Auditing Requirements After an ERP Implementation or Conversion

The basic premise of an ERP system audit is to ensure that the data converted matches the previous system’s data at cut off. It’s also to document any changes made, system wise and security wise.

I’ve been involved with all aspects of ERP implementations for the past 20 years. This article is based on my experiences and some consulting with a senior manager at a Big 4 firm for ERP audits.

I’ll share some of my experiences of what auditors will be looking for in an implementation or a conversion of a new ERP system. This article is system agnostic, and the theory can be applied across ERP systems.

Implementation Timeframes as They Relate to Auditing

There are typically two timeframes in which you can go live with a new ERP system: one at the fiscal year end and one in the middle of the fiscal year.

When you schedule your go-live at the end of the fiscal year, the complete year of financial statements can be ran in the new ERP system. However, if you use the year-end approach, your accounting team could be stretched thinly during the year-end process.

If your go-live is in the middle of a fiscal period, you’ll need to combine that year’s financial statements, part of it in the previous system and part of it in the new system. There will be more efforts to reconcile from a resourcing perspective.

Note: We typically don’t recommend running two ERP systems in parallel. This doubles the work for the accounting team, and if the data isn’t entered exactly in both systems that will cause some reconciliation issues.

What Auditors Look For

Items that the auditor will be looking for are:

1. 1. Agreement/contract for services (detailed plan) and system purchase with related invoicing, etc.
      1. Accounting would need to consider any split between the capital asset related costs and ongoing maintenance/ongoing service contract (non-capital expense) components.
   2. Conversion plan, including:
      1. Conversion team (you and external vendor members).
      2. Responsibilities by role, i.e., who is responsible for the conversion timeline/milestones and approvals/review.
      3. Details of specific data migration techniques and data cleansing required to convert data from legacy to new system.
      4. Planned conversion steps and timeframes.
   3. Documents utilized through the plan/test/final conversion process, which are documents/items that you would want to have on record either way:
      1. Complete data sets of legacy data being converted.
         1. Verification of data being frozen in legacy system before final conversion.
      2. Mapping details for legacy data to new system.
         1. Retained copies and details of data that has been cleansed, and related details of steps to cleanse (before and after).
      3. New data set of converted data.
         1. At Encore, we would audit to make sure that the new data matches the frozen legacy data.
      4. Conversion testing – as applicable throughout the process:
         1. Retention of tests performed and reviewed during the “test” phases of conversion.
         2. Documentation of modifications/resolution of conversion issues identified.
         3. Depending on the extent of the conversion, we at Encore may reperform certain parts of the test, or review the details of testing performed by you/external vendor.
      5. Milestone approvals and final go-live approvals (documentation of approval from your management that the planned testing has been successfully performed and issue resolution cleared prior to go-live).
      6. File retention – legacy and new. This includes documentation and sign-off that the legacy TB/GL detail has been successfully transferred and verified with copies of:
         1. Master Records – chart of accounts, vendor, customer master.
         2. Trial balance/historical GL detail (if historical data being transferred).
         3. Payroll/HR data.
         4. Other data (i.e., non-financial stats), if applicable – these would not generally be related to our financial statement audit and we at Encore would not generally test this.
   4. Internal Controls.
      1. E.g. Segregation of duties, access and permissions of each user.
   5. User Access Management.
      1. Who has access to which modules of the ERP system.
   6. Vendor/third-party services and service level agreements.
      1. Are there third-party add-ons and what are their support levels?
   7. Change and release management.
      1. Documentation of changes and approvals of changes to the ERP system.
   8. Backup and restore controls.
      1. How is the system backed up and what is the restore policy?
   9. Application security.
      1. Who can access the application?
   10. Risk and control issues around the ERP application.
   11. Operating system security.
       1. The base operating system hosting the ERP system.

It’s quite an extensive list that the auditors could be looking for. The above list doesn’t cover every single item that the auditors are looking for but it’ll give you an idea for your preparation. It’s best to ensure you have the proper documents during the ERP implementation/conversion process.

For assistance and advice on Dynamics implementations, please contact us.