Preparing for a System Implementation Audit

Whether it’s a global ERP system, or a small payroll system, it’s likely any system implementation has the potential to interest internal audit and possibly even your external auditors. You may be wondering what aspects of an implementation your stakeholders will be most interested in, when the time comes. The following paragraphs identify some of the most common areas that are reviewed during an implementation audit.

Testing.

Testing is often the area where auditors spend a majority of their time during an implementation review. User acceptance testing, validation testing, and interface testing are the main types of testing that auditors will want to review. Consider whether the testing performed was documented in a way to allow an auditor to follow the testing process and understand whether the test was successful or not. When it comes to testing, maintaining adequate documentation is often the key.

End-User Access. 

End-user access is another area to consider when performing an implementation. Your auditors will want to gain comfort that only appropriate users that require access for their job function, are the users that have been set up within the system, and that there are no concerns around the segregation of duties associated with the users, as well. A documented pre-implementation user access review is instrumental in providing your auditors with the comfort they will be looking for, regarding the end-user access to the new system.

Governance and Ongoing Maintenance. 

As you already know, the work doesn’t end when the system goes live, and your auditors know this too. It’s important to show that consideration has been given to the ongoing processes and procedures that will be in place around such things as granting and removing access to the system and handling program changes or upgrades. Ideally, these processes or procedures are formally documented by the time the system is fully implemented.

Documentation. 

You’ve probably heard the phrase, “if it’s not documented, it’s not done.” Often, organizations have very strong system implementation processes and procedures in place; however, the areas where gaps occur are in the documentation and support to evidence the process. Appropriate documentation needs to be maintained to evidence each aspect of the system implementation, so that the support can be provided to auditors, or anyone that is interested in understanding your system implementation process and outcome.