The Critical Importance of ERP Audits: Lessons from Birmingham and Hershey

Enterprise Resource Planning (ERP) systems are the backbone of modern organizations, integrating finance, human resources, supply chain, and operational data into unified platforms. Yet when implementations fail, the consequences can be catastrophic. Two high-profile cases—Birmingham City Council's Oracle Cloud disaster and Hershey's SAP rollout failure—demonstrate why systematic ERP audits are not optional luxuries but essential safeguards.

Birmingham City Council: A £90 Million Cautionary Tale

In 2022, Birmingham City Council (BCC) embarked on what seemed like a routine modernization: replacing its legacy SAP system with Oracle Cloud ERP to streamline financial and HR operations. Initially budgeted at £19 million, the project devolved into a £90 million catastrophe—more than quadrupling its original cost—with full functionality now delayed until 2026 (Grant Thornton, 2025).

A damning independent audit by Grant Thornton exposed the underlying failures. The council suffered from weak governance structures, a critical shortage of in-house Oracle expertise, inadequate vendor management, and most troublingly, an organizational culture that actively suppressed dissenting voices and negative reporting. Despite repeated warnings from both internal teams and external consultants, leadership pushed forward with a premature go-live decision, leaving critical defects unresolved.

The consequences were severe. BCC went live with a fundamentally broken Bank Reconciliation System and seriously flawed data migration. For over two years, the council operated without reliable financial controls—a situation that contributed directly to its 2023 bankruptcy declaration and forced a 7.49% council tax increase on already-burdened residents (CIO, 2025). The financial impact extended far beyond IT budgets, affecting essential public services and community trust.

Hershey Foods: When Timing Trumps Testing

While Birmingham's failure unfolded over years, Hershey Foods Corporation's 1999 ERP disaster struck with brutal speed. The chocolate manufacturer suffered approximately $100 million in losses when its SAP implementation collapsed during the company's most critical sales period.

Hershey's approach exemplified what not to do. The company attempted to simultaneously implement three complex systems—SAP ERP, Manugistics supply chain software, and Siebel CRM—using a high-risk "big bang" deployment strategy. Compounding this aggressive approach, management scheduled the go-live date just before Halloween, the company's peak revenue season, driven by urgency to meet the looming Y2K deadline.

Under this pressure, Hershey compressed what should have been a 48-month implementation into just 30 months, systematically sacrificing adequate testing, user training, and system stabilization. When the system launched, it failed to process orders despite inventory sitting available in warehouses. The result: a 19% quarterly profit decline and an 8% stock price drop (Pemeco, 2025).

Notably, Hershey's failure did not stem from inherently flawed software. The systems were industry-proven solutions. Instead, the disaster resulted from poor project scheduling, inadequate testing protocols, and insufficient change management—all issues that a rigorous pre-implementation audit could have identified and potentially prevented.

Understanding ERP Audits: Beyond Financial Compliance

These catastrophic failures highlight a critical gap in corporate governance. While financial audits are mandated and routine, ERP audits remain surprisingly uncommon despite ERP systems controlling virtually all core business functions. This oversight is particularly striking given that ERP failures can trigger the very financial crises that accounting audits aim to detect.

What an ERP Audit Evaluates

A comprehensive ERP audit examines multiple critical dimensions that collectively ensure system reliability and business value. The audit begins with rigorous validation of data accuracy, completeness, and consistency across all modules, including thorough assessment of migration integrity and ongoing data governance practices. Equally important is the review of user permissions, role-based access controls, segregation of duties, and authentication mechanisms designed to prevent fraud and ensure regulatory compliance. The audit then assesses how business processes are configured within the ERP system, examining approval hierarchies, automated controls, and exception handling procedures to verify they align with organizational requirements. Auditors also evaluate whether the system is configured according to business requirements and industry best practices, including detailed review of any custom code or integrations that may introduce vulnerabilities or inefficiencies. Regulatory compliance forms another essential dimension, with verification of adherence to relevant standards such as Sarbanes-Oxley (SOX), General Data Protection Regulation (GDPR), or industry-specific requirements that govern the organization's operations. Finally, the audit includes technical performance analysis, measuring system response times, batch processing effectiveness, and identifying any bottlenecks or inefficiencies that could impair productivity or user satisfaction.

When to Conduct ERP Audits

Organizations should implement a structured audit schedule:

• 3–6 months post-implementation: Initial assessment to identify and resolve early-stage issues before they become embedded in operations
• Annually: Regular health checks to ensure ongoing compliance, security, and operational effectiveness
• After major upgrades or significant changes: Validation that new functionality works correctly and hasn't introduced vulnerabilities
• Following organizational changes: Assessment when mergers, acquisitions, or restructuring affect ERP usage patterns

Building an Effective Audit Team

The audit team must represent multiple perspectives and skill sets. Internal participants should include IT specialists who understand system architecture, finance professionals who rely on accurate reporting, and operations staff who use the system daily. This cross-functional approach ensures the audit addresses both technical and business requirements.

Critically, organizations should engage independent consultants who can serve as what Phoenix Strategy Group (2025) terms "intelligent customers"—experts who bring objectivity, specialized ERP audit methodology, and comparative knowledge from similar implementations. This external perspective can identify issues that internal teams, invested in defending their implementation decisions, might overlook or minimize.

Best Practices for ERP Governance

To prevent disasters like Birmingham's and Hershey's, organizations must adopt proactive ERP governance:

Maintain Comprehensive Documentation: Current process maps, configuration documents, customization records, and change logs create accountability and facilitate troubleshooting.

Automate Financial Reporting: Automated controls reduce manual errors and provide audit trails that demonstrate compliance.

Enforce Segregation of Duties: Proper separation of incompatible functions prevents fraud and errors, particularly in financial processes.

Conduct Regular Access Reviews: Periodic certification of user access rights prevents accumulation of inappropriate permissions and ensures departed employees are promptly removed.

Establish Clear Governance Structures: Define decision-making authority, change management protocols, and escalation procedures before crises emerge.

Foster Transparent Communication: Create organizational cultures where team members can raise concerns without fear of reprisal—Birmingham's failure to do this proved especially costly.

The Strategic Value of ERP Audits

As JS3 Global emphasizes in their audit framework, properly conducted ERP audits deliver measurable benefits: verified data accuracy for confident decision-making, demonstrated compliance reducing legal and financial risk, enhanced security protecting sensitive information, and consistent return on investment through system optimization.

The alternative—operating without regular ERP audits—exposes organizations to operational paralysis, substantial financial losses, regulatory penalties, and severe reputational damage. Birmingham's bankruptcy and Hershey's profit collapse demonstrate that these are not theoretical risks but documented realities.

Conclusion

ERP systems represent massive investments—typically millions or tens of millions of dollars—and govern the most critical business processes. Yet organizations routinely implement more rigorous audits for far smaller assets. This paradox must end.

The Birmingham and Hershey cases teach clear lessons: strong governance structures matter, technical expertise cannot be outsourced entirely, realistic timelines prevent catastrophic corners-cutting, and organizational culture that welcomes bad news early prevents disasters later. Most fundamentally, regular ERP audits provide the systematic oversight these complex systems demand.

Organizations that view ERP audits as optional are gambling with their operational viability. Those that embed rigorous, ongoing ERP audit practices into their governance frameworks are protecting not just their technology investments, but their fundamental ability to function in an increasingly digital business environment.

References

CIO. (2025). Birmingham City Council ERP implementation failure.

Grant Thornton. (2025). Birmingham City Council Oracle Cloud implementation audit report.

JS3 Global. ERP audit framework and best practices.

Pemeco. (2025). Hershey Foods SAP implementation case study.

Phoenix Strategy Group. (2025). ERP audit methodology and intelligent customer approach.