BENEFITS AND RISKS OF ERP SYSTEMS (STUDY OBJECTIVE 7)

As is true of any IT system, there are both benefits and disadvantages to ERP systems. The next several sections describe some of the benefits and disadvantages.

BENEFITS OF ERP SYSTEMS

ERP systems have characteristics that allow an organization to experience many benefits. However, to gain any benefits from an ERP system, the organization must successfully implement and operate the ERP system. The characteristics that allow organizations to benefit are the following:

1. The interactive nature of the modules allows processes to interact with each other. For example, the ordering and receiving processes can automatically trigger payment processes.
2. The real-time nature of processing decreases the total processing time and allows more immediate feedback to management.
3. The “best practices” nature of the processes in ERP systems—ERP systems have evolved from many years of software experience with various companies, and the software reflects tried and true practices.
4. The single database enhances sharing of information between the business's functional areas and between processes.
5. There is the capability to analyze large amounts of data in a single database. Analytical tools that enable detailed analysis of the data are incorporated into ERP systems.
6. The capability to enhance e-commerce and e-business—the ERP systems of today incorporate modules to fully incorporate e-commerce and e-business.
7. ERP systems have the capability to interact in real-time with trading partners. ERP systems are built to interact with the IT systems of trading partners such as customers and suppliers.
8. ERP systems are scalable, which means they can grow with the business.

Exhibit 15-4 Five Dimensions of ERP Benefits

These characteristics can allow more efficient processes, better information flow between processes and to management, and therefore increased organization efficiency, effectiveness, and cost control.

Two researchers named Shari Shang and Peter Seddon undertook an extremely detailed study of companies that had implemented ERP systems. They examined the websites of the top software sellers of ERP systems. Each of these websites contained the success stories of customers who had implemented ERP systems. Shang and Seddon studied 233 of these business cases and developed a list of benefits that can be gained by implementing ERP systems. Exhibit 15-4 is a summary of the five dimensions of benefits that Shang and Seddon identified as a result of their study.⁷

RISKS OF ERP SYSTEMS

The risks inherent in ERP systems can be categorized into the two primary risk areas: implementation and operation.

Implementation Risks

The risks inherent in an ERP implementation are very similar to risks of implementing any IT system. However, the scope, size, and complexity of an ERP system increase many of these risks. Since the intent of ERP is to implement the system across the entire enterprise and to incorporate all business processes into the ERP system, the scope, size, and complexity increase tremendously. This causes the implementation of an ERP system to be very costly, time-consuming, and potentially disruptive to current operations.

ERP implementation cost and the time required have been briefly discussed in other parts of this chapter. In summary, large organizations may spend in excess of $100 million dollars and one to two years to implement an ERP system. Upgrading ERP systems to new versions of the same ERP system are also expensive and time-consuming, but not as expensive or time-consuming as the original implementation.

The complexity of an ERP system is due to the enterprise-wide scope and integrated nature of an ERP system. All business processes are incorporated into the ERP system, but the system is also integrated in the sense that each process affects other processes. For example, the sale of goods in an ERP system may automatically trigger more production, which in turn would trigger the purchase of raw materials. The need to ensure that these integrated processes are triggered at the correct time and in the correct amounts is a very complex implementation issue.

Operation Risks

As was true for implementation risks, the operation risks inherent in ERP systems are similar to those for other IT systems. The extent of the risks may be larger, since the ERP system is enterprise-wide and processes are integrated. For example, a risk of any IT system is availability. An IT system failure can stop or disrupt operations. The failure of a legacy system that is not enterprise-wide may affect only part of the organization's processes. For example, if a separate legacy system for payroll fails, it would not necessarily impact sales or purchase processes. However, an ERP system would normally incorporate all business processes. Therefore, if the ERP system fails, it has the potential to stop or disrupt all processes across the entire enterprise.

The full scope of operation risks are those identified in the AICPA Trust Services Principles as described in Chapter 4. Those risks are as follows:

1. Security. The system is protected against unauthorized (physical and logical) access.
2. Availability. The system is available for operation and use as committed or agreed.
3. Processing integrity. System processing is complete, accurate, timely, and authorized.
4. Online privacy. Personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed.
5. Confidentiality. Information designated as confidential is protected as committed or agreed.

Each of these risks becomes magnified when the IT system is an ERP system. Security becomes a greater risk because the processes are integrated and, often, automatically triggered in ERP systems. Therefore, any unauthorized user can affect more processes than in an older, legacy system. For example, unauthorized access to a purchase module in an ERP system could allow an unauthorized user to trigger not only purchase activities, but also the related payment within accounts payable.

Processing integrity risks are also magnified in ERP systems due to the integrated nature of the processes. Incorrect data generated in a given process can automatically trigger other processes and post flawed data to other processes. Processes may be triggered at the wrong time, and incorrect data can be spread over several processes and ERP modules. It is important to understand that such processing integrity problems are possible in any IT system. But they have the potential to be more damaging in an ERP system.

Online privacy and confidentiality risks are also magnified in ERP systems. ERP systems often have sales and customer relationship management modules in an e-commerce mode. This means that sales and customer data are exchanged via the Web or EDI. In ERP systems, these front office systems of e-commerce and sales are automatically integrated into the back office systems of an ERP system. The back office modules include the financials, supply chain management, and human resources modules. Therefore, in an ERP system, the e-commerce activity of customers often automatically integrates into the general ledger and related processes. This interconnectivity causes more areas for private and confidential information to be available.

As discussed in previous chapters, cloud-based systems can dramatically change the security, availability processing integrity, and confidentiality risks. The choice of a cloud-based ERP system shifts the responsibility for controls in each of these areas to the cloud provider.