1

BACKGROUND OF SAP IMPLEMENTATION

July: Embarked on replacement of

antiquated information systems with SAP

enterprise software

Year-round: testing Human Resources and Payroll SAP modules.

October: Release 3, SAP Procurement and

Supply Chain began

January: Go Live for HR and Payroll

Mid-year: Release 3 postponed until SAP

system was stabilized

January: initiated Legacy Replacement Project (LRP) which

would complete the SAP implementation and

decommission the IFS system.

2

2005 2006 2007 2012

WHAT WERE OUR AUDIT OBJECTIVES?

We wanted to:

(1) Assess whether there were adequate controls

built in to the SAP configuration, and

(2) Recommend any value-added controls to

mitigate key risks to the Los Angeles Unified

School District.

3

Project Preparation

Blueprint

Realization

Final Preparation

Go Live Support

Run SAP

PHASE 2 – BUSINESS BLUEPRINT

4

LRP PROJECT PHASES

Project Preparation

•One month: January 2012

Blueprint

•From February through June 2012

•OIG started the audit in March

Realization •From June 2012 through May 2013

Final Preparation

•One month: June 2013

Go Live Support

•Starting in July 2013

•4 different rollouts through July 2014

Run SAP •IFS is fully decommissioned in December 2014

5

HOW DID WE DO THIS AUDIT?

List of all processes within scope of LRP implementation

Identified critical processes

Inform LRP Team

“To-Be” processes and design for the selected sub-processes

Assessment of Controls within To-Be documents

Key Risks Identified

Discussion with LRP Team

Review documents

Identified Additional Controls

Reviewed and validated risks and controls with LRP Team

6

NEXT STEP: WE IDENTIFIED CRITICAL

PROCESSES One business process by itself is a LARGE amount of analysis.

We selected the following business processes and sub-processes to focus on:

Procure to

Pay Acquire to

Retire

(aka Fixed

Assets)

Plan to

Report

Manage

Master

Data Process

Transactions Manage

Master

Data

Process

Transactions

Process

Transactions

7

NEXT STEP: SUMMARIZE RISKS

Identified 29 Risks for 5 sub-processes and 3 business processes

Examples of Risks

For the Procure to Pay business process

Manage Master Data

Duplicate vendor records may exist

Process Transactions

An incorrect purchase order amount could be paid resulting in potential

overpayments to vendors

For the Acquire to Retire business process

Process Transactions

Unapproved or incorrect changes are made to assets

8

WORKSHOPS WITH LRP TEAM

LRP

Team

Members

OIG Audit

Team

Project

Leads

Phoenix

Consultants

Chief ERP Director

9

NEXT STEP: PROVIDE SAP CONTROL

RECOMMENDATIONS 61 Recommendations

54 Agreed To

3 Recommendations May Be Implemented during Realization

For example:

Procure to Pay Recommendation

SAP automatically requires key vendor master data fields to

be populated with appropriate field characteristics in

accordance with LAUSD’s master data standards.

What does this really mean?

10

PROVIDE SAP CONTROL RECOMMENDATION

(CONTD.)

11

EXAMPLES OF OTHER RECOMMENDATIONS

SAP has been configured to check for duplicate

vendor records.

Configure a control that will check for duplicate

vendors based on Tax Identification Number.

SAP has been configured to require the duplicate

invoice check for all relevant vendor account

groups.

The duplicate invoice check vendor master field

will be set to required for all account groups.

12

EXAMPLE OF OTHER RECOMMENDATIONS

(CONTD.) SAP is configured to restrict changes to assets

after posting.

Users will not have the ability to change key

fields such as the asset acquisition date after

the posting of documents.

Funds Management is configured which prevents

the posting of transactions if funds are not

available.

13

NEXT STEPS

Follow-up audit

Objective

Timing

14