Information Assurance for Enterprise Resource Planning Systems: Risk Considerations in Public Sector Organizations

ERP (Enterprise Resource Planning) systems pose atypical risks because of their dependence on interlinked business operations and process reengineering. Understanding such risks is important when planning and conducting assurance engagements on the reliability of these complicated computer systems, especially in a distributed environment, where data reside at multiple sites and the risks are of a unique nature. Until now, there has been limited empirical evidence on this public sector ERP issue. To analyze this subject, a semi-structured interview study was carried out with 15 skilled information systems auditors who are specialists in evaluating ERP system risks. This methodology made it possible to obtain more detailed information about stakeholders' opinions and customer experiences. In addition, interviewees mentioned numerous basic implementation problems (e.g. inadequately skilled human resources and insufficient process reengineering efforts) that lead to increased risks. The interviewees also reported that risks currently vary across vendors and across applications. Finally, in providing assurance on ERP systems, participants overwhelmingly stressed examining the process rather than the system's end product.

The aim of this research is to reach an understanding of the distinctive risks associated with the implementation and operation of ERP systems, as well as the risks involved in centralized and decentralized implementation of ERP. This is significant for properly planning and carrying out engagements that provide assurance on the dependability of ERP systems [4]. Up to now, limited empirical studies have been conducted on how system-assurance-related risks affect ERP systems.
Comprehensive ERP customization and business process reengineering can create substantial risks. The implementation team might not understand the workings of an ERP system well enough to appraise the consequences of customization, or might not understand the reengineered processes well enough to maintain reliability. Hence, assurance providers must be familiar with the risks related to ERP implementation, which may include the design or choice of software and hardware and process design [2]. They should also be aware of the risks involved in implementing ERP in a centralized or distributed environment, since on the one hand there is a strong bias toward decentralized control and cross-functional cooperation, and on the other there are simultaneously strong pleas for a centralized environment in the form of centralized arrangements, best practices and solutions.
Inconsistencies between ERP systems and organizational requirements can lead to improper approaches, overlooked data-checking routines and verification processes, overlooked or improper steps on the functional side, improper formats of end products and inappropriate input of information [5]. Many of the issues mentioned may lead to a risk of financial misstatement through their direct financial effect (e.g. wrong income identification, misstated payroll indebtedness, inappropriate inventory rating) and the requirement for further disclosures (e.g. because of business disruption or deficiency of financial feasibility).
Moreover, beyond identifying persistent ERP implementation risks, the objective of this research is also to analyze risks by ERP application (e.g. supply-chain management, logistics management, payroll, business intelligence and human resource management) and by vendor (e.g. SAP, OpenERP, Oracle), as well as by implementation in a centralized or distributed manner. Differences in risk by application can cause variations in financial statement risk, e.g. the accounts involved and the nature of the expected error may change if the risk of ERP implementation differs between, say, a supply chain management system and a human resource management system. Risk may also be affected by the reputation of the leading ERP vendors. SAP is a European-based firm with foundations in manufacturing, operations and industrial engineering. Development of SAP's software initially started with material requirements planning, standard inventory control and manufacturing. SAP was expanded to support processes such as sales, management, inventory management and human resource management [6]. OpenERP began by developing supply chain management and financial management systems. Oracle is stronger in features such as database design and adding features to software applications. Oracle is also higher in technology.
Because the leading ERP vendors have different histories, the control risks they produce were expected to differ by financial statement. In the payroll area, OpenERP was expected to offer more reliability than other vendors.
A number of expert system auditors were selected and interviewed in depth to draw on the experience of individuals who had been closely involved in considering risks during the implementation and complete operation of ERP systems. To learn more about ERP, two types of questions were designed: broad, general questions, and questions related to particular issues in different packages and application architectures.
According to the research results, the teams that implement ERP did not consider the customization of ERP and the role of business process reengineering in system reliability.
According to the results, risk varied across applications, architectural approaches and major ERP vendors. The results also indicated that risk was considerably greater when existing legacy systems were integrated with ERP modules. Finally, the results indicated that firms used process audit techniques, as opposed to validation testing, to provide assurance on the risks in an ERP system.

LITERATURE REVIEW AND RESEARCH QUESTIONS
The requirements used to assess the risks linked with ERP solutions are identified by the accounting profession. For example, [7] devised the COBIT (Control Objectives for Information and Related Technology) framework as a guide for management and auditors, and to help users minimize the gaps between control needs, technical issues and business risks. The COBIT framework spells out the need to identify risks in a computerized environment.
It is pertinent to mention that organizations gain competitive advantage through the correct and sensible use of technology, and this is particularly true of enterprise resource planning. An ERP system is capable of transforming an organization's processes through automation and integration [8]. ERP systems often provide a positive return to organizations [9], but that is not always true. ERP systems have often resulted in inconsistent economic returns because of their cost [8]. One reason is that poor implementation leads ERP to failure [10]; another is that the ERP system is a poor fit for a particular firm and perhaps should not have been adopted [11].
ERP systems affect the dependency of business processes on each other, and also represent heightened hardware and software. The purpose of customizing or reengineering the ERP process is to achieve a certain level of functionality in a business. This leads to heightened risks associated with financial statements and inappropriate classifications. For example, Gibbs and Keating [12] review the impact of business process reengineering on ERP controls. It is also discussed that many control measures tend to work at cross-purposes with the objectives of reengineering in virtual corporations. While manual controls may not be a necessity, it is of utmost importance that any management action to gain efficiencies in operations from integrated information systems does not replace the need to formulate adequate controls.
For large business organizations, the ERP system is the most popular business management system, providing the extraordinary benefits of seamless business communication and real-time capabilities. However, the success of ERP implementation largely depends on the entire organization, such as its culture, people, processes and capability, and on what it may encounter in implementing ERP systems. Different types of risk factors, including control, system, business and protection, are distinguished separately in the auditing literature so that their varying nature can be given adequate consideration [5][6][7][8][9][10][11][12][13]. Control and system risks are conceptualized as two types of control factors: social and systemic. Social controls are integrated into the policies, procedures, guidelines, job responsibilities and career paths of the organization. Systemic controls relate to system risks and are built into the system by designers and system engineers [14].
Security threats are linked with the use of the right equipment, software, hardware or database approach. For example, security is implemented by applying physical controls to the system, including encryption, passwords, virus protection, firewalls, file backup and recovery solutions [13]. Business risk factors may best be understood through the specialist literature. It is normal for technology to either fall short of or depart from its original purpose. A useful illustration is the case of FoxMeyer Drug. The organization's future was staked on a modern information system to achieve its enormous growth. The organization had a strategy of keeping the lowest prices in the drug distribution market, and officials declared that they had achieved savings of $45 million by using the efficient processing system.
Following a strategy of being the lowest-priced contender in the drug-distribution industry, company officials counted on reaping savings of $45 million from more efficient processing of high order volumes. As discussed before, previous research has not tested how ERP systems can affect system assurance and the associated risks. Even so, research [15] states significant differences in the causes and occurrences of errors for a typical computerized accounting system compared with a conventional manual system, i.e. major issues in the computerized system in the recording of exchange documents for third parties. The study concludes that the results suggest the need to consider the reliability of such systems in the planning phase of an engagement.
It is reasonable to expect that this conclusion extends to concern about risks in an ERP system in a system-assurance engagement, since an ERP system generally has broader scope and wider business impact than a computerized accounting system that is not integrated.
These considerations lead to the first research question:

Research Question-1: In an ERP system, what are the most common risks associated with it?

Previous research has evaluated risk from the perspective of software development. The risk associated with a business project should be understood and reduced in order to maximize the chances of success of a software development project [16][17]. The same idea holds for the success of an ERP system. From the point of view of system reliability, it is reasonable to hypothesize that the success of a given ERP system is related to sufficient consideration of the effects of customization and business-process reengineering. Substantial risks may arise if the implementation team lacks knowledge of the range and extent of the transformation, or of the requirement for reliability. Because of a mismatch between an organization's requirements and the ERP system, ERP customization can lead to unsuitable validation procedures, unsuitable access and incorrect information content.

Organizations are satisfied with the operational costs of their already running systems.
Organizations are satisfied with their multisite ERP systems.
Organizations think that it would be difficult to re-centralize the business units and thus prefer an autonomous approach.
Organizations consider that corporate reporting from separate divisions is not a priority.
Research Question-5: What advantages are achieved by implementing ERP in a distributed environment?
Multisite ERP implementations are not at all unusual. Unless you work for a small local company, chances are your business is spread across multiple locations.
According to [18], 50% of organizations implementing ERP software have four or more sites undergoing deployment. Fig. 1 shows the proportion of organizations with ERP implemented on multiple sites [18].
Implementing ERP at multiple sites can be difficult and thus requires a comprehensive integration strategy in order to achieve the anticipated business benefits from the deployed ERP system. Consolidating the ERP system across multiple locations can help improve accounting estimates and data accuracy, resulting in reduced invoice processing cost. It will also enable a business unit to make shared information immediately available to any other business unit through immediate synchronization.

FIG. 1. SITES IMPLEMENTING ERP SOFTWARE
Research Question-6: What are the common ERP Failure Risk Factors?

The aim of this research question was to obtain a better understanding of the main risks associated with ERP implementation projects. In addition to recognizing the failure risk factors and critical success factors, the participants provide insight into the factors associated with the success of ERP implementation.

Overview
To address the research questions, an interview method was used. This method was the most suitable for drawing out the experiences and in-depth knowledge of persons who had examined and evaluated ERP systems. The researchers also recorded the interviews, which were afterwards transcribed to ensure accuracy and completeness Identifying reactions

Participants
The participants selected for the interviews had considerable understanding and knowledge of computer systems and accounting and a high level of expertise in ERP systems. An excellent source of such experts is strategic public sector organizations that specialize in ERP implementation and evaluation. Five public sector organizations were selected from which to locate such experts. The experts have considerable experience of implementing ERP systems while working with these organizations. These experts also perform post-implementation reviews while working with the firm's auditors. The ERP experts are engaged in the overall implementation and operation of ERP systems in these organizations and can thus provide a unique perspective on a range of ERP problems.
Contacts at three of the 5 public sector organizations were asked to identify ten knowledgeable persons suitable for the interviews. Participation was on a voluntary basis. As required, the final sample included 15 respondents, three from every organization. Interviews took around 40-50 minutes to complete. Demographic information obtained from participants at the end of the interviews showed they were the experienced people sought.

ERP Risks (Research Question-1)
The most widespread ERP implementation issues mentioned by participants are identified in Table 1. Most of these issues revolve around insufficient user participation and insufficient training. One of the participants mentioned that: It is equally critical to put in order the organization and communication of the project as much as to manage the workforce and an ERP execution team that has both knowledge and technical expertise. As the project is Information System driven and requires very little user participation, this forms the basis for problems all the way. It is very necessary for users to be a part of decisions because they are going to be affected by the proposed change to the system; they need to know the processes.
The  [19][20]. It was also suggested in [21] that a large number of ERP failures are related to insufficient training, which results from focusing on technical problems rather than on the flows of business processes, and from inadequate attention and finances right at the end, just before the system is to be launched. As one of the participants mentioned: At the start of a project, the firm is not provided with complete awareness and understanding of the impact and capacity of its execution. There is not enough time to train the users because of fixed timelines, and what is seen in the end is a huge number of end users who find it difficult to operate the new system. Financial statements can even be affected because of improper reporting caused by uneven running of data across the system.
44.1% of the participants indicated that process reengineering is necessary, while 26.9% mentioned that the necessary processes were not reflected in the system. A participant explained: Usually an ERP system that is deployed as an alternative to a legacy system is still linked to the legacy business process. At times, those ERP implementations are found to be more successful where reengineering is carried out beforehand, because in this case the organization has already gone through the way it carries out its routine operations rather than going away and starting a new system. At times the ERP system being deployed does not fully keep up with the existing business operations. However, this should not be taken to mean that the ERP solution is not capable of providing that functionality; rather, it is because of the design of the system. The users would ultimately be using the new system but with the same old process mechanism, which would mean that the system does not support its desired goals.
It is also crucial to mention that inadequate system controls were observed by 32.9% of the participants, because the focus was more on getting the system functional before a certain deadline. Security and controls are not much of a priority at this point, as stated by a participant: It is natural that, when a major change is brought into the system of an organization or when a gigantic package such as SAP or Oracle is being implemented, the security concerns are not at the top of the list, because frequent changes need to be brought into the system. Tests are conducted to check the system functionality and identify any functional limitations, followed by making the system run in the production environment. At this point some organizations may feel reluctant to implement security and disturb the running system. Finally, 18.9% of the participants noted poor data conversion.

Risk by Application (Research Question-2)
It was exhibited by the participants as shown in Table 2 that among the modules that pose greater risk, Supply

TABLE 2. RISK ASSOCIATED WITH ERP APPLICATIONS
There is significantly higher risk associated with supply chain management, mainly at the time when integration is being carried out with different enterprises. When supply chain management expands beyond the enterprise, this is where organizations are not fully aware of the procedure for dealing with security. There is a propensity to share more and more information with customers and vendors in the supply chain ERP, thus making security a bigger risk.
Only 7.2% cited research and development as a high-risk module; despite its capacity for valuable information, none of the participants highlighted business intelligence.
To categorize the applications, the interviewees were asked whether the potential for risk differed according to whether an ERP module is discretionary or mandatory in nature. Mandatory applications are those essential to routine operations, while discretionary applications are adopted on a cost-benefit basis when required. 17.6% identified mandatory applications as riskier and 29.9% discretionary. It is worth mentioning that most interviewees identified risks as tightly associated with the organization's business operations. A participant stated that: It is fairly dependent on the nature of the operations of the organization. If the organization is a public sector services organization then it's the achievement of strategic objectives in addition to its employees, salaries and payroll, and if the organization is a sales organization, their whole business is based on revenue and is built on the demographics and population and consumers.
Bolt-ons are hardware and software components that are part of the system but are designed and developed by an organization other than the one used for the ERP system.
They also pose control risks and potential capacity issues.
Overall, the participants' replies suggest that the security and control risks associated with ERP may differ significantly from application to application and from vendor to vendor. However, they still depend on the organization's business processes.

Risks Variation in Centralized vs Distributed ERP (Research Question-3)
Research Question-3 was designed to find the variation in risks associated with distributed ERP systems in contrast to centralized ERP systems. The survey results showed that 85.6% of the participants stated that implementing distributed ERP will require unique configurations at all the sites, whereas only 22.9% of participants considered increased total cost of ownership to be a concern, as shown in Table 3.
The reason for the lesser concern over total cost of ownership is the nature of the organizations in which ERP is being implemented.
As these organizations are public sector and strategic in nature, the cost of implementation is not considered a serious concern.

Complexities in Moving from Distributed to Centralized ERP (Research Question-4)

ERP Integration Effects (Research Question-5)
Research Question-5 addresses the effects of implementing an integrated ERP system. The survey results, as shown in Table 5, show that more than 90% of the participants consider that implementing an ERP system at different locations standardizes the organization's business process operations even if the business units operate in an autonomous environment.
The risk of inaccurate information can be reduced by implementing an ERP system in different business units; this was indicated by 78.2% of the participants.

Common ERP Failure Risk Factors (Research Question-6)
Research Question-6 seeks to determine the major critical risk factors that can lead to the failure of ERP system implementation in an organization. As the results in Table 6 show, 91.4% of the participants indicated that full-time commitment to the ERP implementation project is extremely important, whereas less than 50% of the participants blamed technological bottlenecks as critical factors that can result in ERP system implementation failure.

CONCLUSIONS
The aim of this research was to create an understanding of the risks related to ERP systems in order to ensure information assurance. The interview approach was semi-structured in nature, to properly address the issues associated with ERP systems, and included 15 expert information systems auditors.
Results of the study show that user involvement in the design of the ERP system should be increased to avoid compromising controls, specifically during ERP customization and business process reengineering. In addition, a significant number of interviewees reported that data conversion was poorly executed and that the system lacks adequate controls. Another concerning issue reported by the participants is the existence of multiple vendors with differing security and control features. For the most part, organizations do not report issues with existing frameworks during implementation, because shifting from existing and legacy frameworks and adopting a new system is not a preferred choice. Further research is required to determine probable issues and their effects on system dependability and reliability. Additional research is sought to support and validate the results of this study, which may help in uncovering a directory of risks and in determining how the reliability of ERP systems is affected.
Key ERP modules and packages are structured by application, reflecting the key accounting cycles. Process reengineering and ERP design are also performed by application. Risks may differ by application, resulting in considerably different exposure to problems, including areas of management control and business disruption, by financial account. These expectations form the grounds for the next research question:

Research Question-2: Do different modules of ERP have different types of risks?

The risk raised by different ERP modules may also vary by management control area or by financial statement, mainly because of differences in the historical origins of the key ERP systems. As discussed before, SAP began with material requirements planning, manufacturing and standard inventory control, and later expanded its modules to include financial accounting, payroll and human resource management. It seems reasonable, for example, to expect that the manufacturing module of SAP would be less exposed to risk than SAP's payroll and human resource modules, resulting in increased potential for financial statement error in payroll expense. In comparison with the human resource module, it looks reasonable to find that the OpenERP manufacturing module would be more prone to control and security risk than the SAP manufacturing module, increasing the potential for financial statement error in inventory and cost of goods sold. These possibilities formed the foundation for the following research question:

Due to the cost-sensitive IT climate, this type of implementation is becoming rare, but in the case of strategic public sector organizations this aspect may be ignored due to the nature of the organization. When an ERP consolidation strategy is driven by new business requirements, individual business units are under increased pressure to adopt new data architecture standards and functional requirements.

TABLE 1. COMMON ERP PROBLEMS

accidental errors. For example, previous studies show that a cause of common errors is inappropriate training of employees

Table 4), 91.3% mentioned that if the different operational units of an organization already have separate ERP systems deployed and business operations are running smoothly, then it is not necessarily required to shift to a centralized ERP system. Whereas, results from 45.1% of the participants showed that if the organization's operations are highly autonomous and their integration will create security and/or functional issues, then shifting to centralized ERP should not be preferred.