Globalization, disruption, innovation, and continually evolving technology are driving a wave of business transformations. Such transformations involve making fundamental changes to how business is conducted to help cope with a shifting market environment, gain a competitive advantage, or reinvent the organization. These changes are frequently facilitated by implementing or upgrading IT systems such as core business applications.
Yet according to consulting firm McKinsey, 70 percent of business transformations fail. Many efforts to understand this result have focused on failures in change management and establishing a vision. Although these are critical elements in any business transformation, there are many common pitfalls that can derail these initiatives, including failing to manage change and communicate management’s vision. These pitfalls are process, project, and control risks that fall squarely within the core competencies of the internal auditors. By inserting itself at seven steps of the transformation process and addressing these risks, internal audit can assist management in beating the odds and achieving a successful transformation.
1. Pre-implementation Reviews
A pre-implementation review can help management identify problems in the planning stage — before they develop into costly missteps. An ideal pre-implementation project asks the question: What is the best practice model that should be applied to this transformation or new system implementation?
Pre-implementation projects identify the gaps between the best practice approach and the current planned approach for the transformation. For example, an aerospace manufacturer and integrator had processes and systems that were several generations behind the current state of the art. The company sought to modernize them by implementing the latest enterprise resource planning (ERP) suite and changing its processes to take advantage of the efficiencies the software provided. The company’s internal audit function began a pre-implementation review by asking, what is the best practice project model for the implementation of complex ERP packages? The answer was a model that assessed project management risk, stakeholder commitment, functional risks such as defining requirements, change management risk, resource risk, and technical risks such as the IT controls testing methodology. This pre-implementation review identified issues with business owner approvals of process designs and acceptance of the benefits realization plan, the aggressive project timetable, and planning for regulatory compliance. Identifying these issues early allowed management to address them during the project.
“Top Transformation Pitfalls,” at right, summarizes the most common transformation process, project, and control risks, and describes how internal audit can address these risks through pre-implementation reviews and other projects.
2. Process/Controls Analysis
During a business transformation, it is easy for the project leaders to focus solely on the steps required to make a new application function appropriately. The real key to success with new systems is to take maximum advantage of the tools provided by the software to make the organization’s processes more effective in meeting business objectives.
Leveraging the power of the latest software and achieving the transformation’s goals come from an equal focus on both system functionality and processes and controls. This is an area where internal audit can advise process owners on how to structure processes and controls to take advantage of the new application and make the organization’s new controls efficient.
In some transformations, auditors provide this process and controls advisory assistance directly to the project team. In other transformations, internal audit becomes a controls team champion. Ideally, the organization and staffing for a major business transformation will include a controls team. The controls team works full time as part of the project team to assist process owners in reengineering their processes and controls to fit the new business structure.
3. In-flight Reviews
One of the biggest challenges in a large transformation or system implementation effort is getting accurate data on the progress of systems development work and the quality of the modules being produced. Sometimes, project team members are reluctant to admit when objectives are not being achieved and communicate this bad news up the chain of command. As a result, project teams and project managers frequently report that a transformation project is on track when, in fact, it is far behind schedule. Moreover, the Ethics & Compliance Initiative’s 2016 Global Business Ethics Survey of more than 13,000 employees notes that pressure to compromise standards and observed misconduct are most common in organizations undergoing change.
Internal audit reviews performed during the transformation project, rather than at the beginning or end, can assist management in assessing whether a project is on track to achieve its objectives. These in-flight reviews can address the same areas as the pre-implementation review, such as project management risk, stakeholder commitment, and functional risks. It also can concentrate on specific areas of concern such as whether the project is on track to achieve a specific goal.
4. IT and User Acceptance Testing
When projects fall behind, leaders naturally look for ways to get the project back on schedule. Shortening the IT and user acceptance testing cycle is one method used to make up time. Although taking systems and user acceptance testing shortcuts may create the illusion of saving time, cutting corners almost always results in additional challenges that further delay the project. This produces the classic paradigm: “We did not have time to do it right the first time, so we ended up having to redo the effort.”
Internal audit can contribute to IT and user acceptance testing by assessing the project’s overall compliance with the company’s full set of system development life cycle policies, or by assessing just the IT or testing processes. Auditors also can assist in user acceptance testing by advising process owners on testing methodology or by assisting in performing the testing in certain situations.
5. Output/Results Testing
Once the new processes and system are live and producing information for management’s use, the output should be tested. While user acceptance testing is usually performed at the individual process level, testing of higher-level management accounting and operational reporting output is needed to ensure this information is reliable. At this stage, internal audit can provide assurance that the new system produces accurate management information on operations, production status, costs, and profit.
Likewise, financial reporting information must be reliable. Testing financial reporting information produced by the new system is a critical part of the organization’s assessment of internal control over financial reporting before the new system goes live. Internal audit should assess how the new processes and system will impact the design of internal controls of financial reporting and determine whether appropriate control design changes are being made as part of the transformation.
6. Post-implementation Reviews
For nearly all new system implementations, there is a time after the new system goes live when there is a high level of system change and correction requests. Post-implementation reviews can help management understand and prioritize corrections and changes to best align the corrective actions with the project’s objectives. Ideally, a post-implementation review would be scoped to assist management in understanding how well the planned objectives have been met.
Post-implementation reviews also can help management understand what process and control issues remain to be addressed. Not all of these issues can be anticipated. Addressing the issues that are identified once the system comes online is another critical element in achieving the benefits originally sought when the transformation project began. As with designing good processes and controls into the project, addressing the control issues that develop later in the transformation life cycle can help prevent operational challenges and financial reporting issues from appearing after the organization has begun relying on the new processes and system.
7. Comparison to Project Management Reviews
In some respects, transformation projects are like any other project management review. Internal auditors are assessing whether the project is achieving the objectives that were the basis for its approval by management. The difference is that business transformations, by their very nature, are larger in scope and complexity than individual capital projects or investment initiatives.
Transformations involve most, if not all, of the key management and board stakeholders in a business, and cross many functional and operational lines. Frequently, the future success of the business depends on the success of the transformation. This high level of risk to the business is the reason that internal audit should actively participate in its organization’s business transformation initiatives.
Achieving success with a large transformation is a daunting challenge for management. Internal audit’s involvement can help management avoid the most common pitfalls and provide advice for building processes and controls that allow the organization to realize the benefits of its investment. In turn, these efforts can transform internal audit’s reputation as a business partner and strategic contributor.