A Bermuda Triangle – Levi Strauss, Deloitte Consulting, SAP, and Internal ControlsBy Francine • Jul 21st, 2008 • Category: Pure Content, The Big 4 And Consulting
Mike Krigsman over at ZDNet and the IT Project Failure blog wrote Friday about Levi Strauss’ recent disclosure of a major SAP implementation clusterschmuck. These problems caused Levi Strauss to stop shipping for a week and resulted in a 98% drop in net income relative to the same quarter last year.
Mike described the relationship amongst the client, the software vendor and the systems integration partner this way:
…Virtually all large ERP implementations involve three parties, which I call the devil’s triangle: software vendor, customer, and at least one third-party implementation services provider.
The complex and interlocking set of business and technical agendas governing these relationships can make failures difficult to dissect accurately. Of course, the parties usually don’t want to discuss their failures in detail, which also makes full analysis hard.
I would add one more important party to this relationship, the external auditor. In this case we’re talking about PwC. And it was PwC that brought the hammer down on Levi Strauss. Mike asked me to explain the disclosures included in the SEC 10-Q filing that blamed the drop in income on the ERP implementation failure.
It’s serious stuff. The language suggests that fundamental internal control errors were discovered after the system went live. Apparently, auditors determined these problems could have resulted in a materially significant impact to Levi’s financial statements if not corrected. I can speculate that perhaps it was inventory related, because [inventory] is the big balance sheet item for a company like this.
Also, given Levi’s previous errors and restatements, and with the recent change in auditors, new auditor PwC is probably taking a very strict approach to assessing Levi’s efforts to implement SAP with required controls.
I also told Mike:
Multinationals have long struggled with getting an ERP implementation right in one country on the first go around. When they implement multiple instances in quick succession, they accept the challenge of automating manual processes, adding automated controls to those new processes, and making these new and improved processes conform to the software capabilities and their business objectives. That’s almost impossible to get right the first time.
After thinking about it a little more over the weekend and tapping into some sources at PwC, Levi Strauss’ auditor, I would also say this:
My sources at PwC reminded me that this situation is common and not, obviously, a good thing. Many companies don’t really realize the impact a new ERP is going to have across the whole enterprise. Therefore, many areas are not taken seriously or adequately planned for from a time or budget perspective. Just look at PwC’s own implementation of SAP, using their former consultants who were now working for IBM. A go-live date was set and it happened, even though much of the work was left to be done afterward, without the support of IBM.
Internal controls should be front and center now due to Sarbanes-Oxley, but instead they are most often left on the back burner, not on the sponsors’ and steering committee’s radar screen.
The main reason this happens is because companies always look to their consulting vendors for advice and those consulting firms (Accenture, BearingPoint, CapGemini, etc.) have business process re-engineering with the use of technological components (ERP’s, e-business apps, etc.) as their main focus . They are not in any way, shape, or form experts on internal controls. Even when you use Deloitte Consulting, you’re using the consulting folks, not the audit folks. As close as they are, there are very different kinds of people, at least in Deloitte, on either side.
Therefore, companies constantly make the mistake of thinking that if the consulting firm in charge of the implementation doesn’t consider internal controls as an important part of their implementation, then maybe they don’t have to focus on them to the extent that they should be focused to get them right.
Those that work on internal controls at any company know how important this focus is. Are those folks, from internal audit and/or the internal controls SMEs, included in the project team? Can they influence project planning?
These issues have evolved over the years. If we look back to the early stages of ERP’s, the main focus was Production Planning, Purchasing, Warehouse Management (materials management), Accounting (Financials) and Sales and Distribution (Logistics). All other areas really weren’t taken seriously and in their time they had the same problems that Compliance is having now. As the ERP’s evolved, they started including other applications such as CRM, SRM, Business intelligence (Strategic Management reporting), amongst others. Now vendors are at the Compliance stage of their maturity model, which means that they’re now focusing on creating compliance applications to make internal controls and reporting a lot easier. (e.g. SAP – GRC Suite and Approva BizRights)
These compliance applications have now been implemented in many companies worldwide and work relatively well. Of course, it would be great to see everything fully automated, but it is a major improvement over establishing, testing and reporting results of controls using spreadsheets (controls matrices.)
Levi Strauss should immediately hire an accounting firm (or an internal controls focused professional services firm such as Protiviti) to do a Quality Assurance review of their implementation focused on their internal controls requirements.