Reducing the Cost of Compliance Down in the Trenches
Posted on June 14th, 2007 by Michael Evans
Air travel never ceases to amaze me. Hop in an airplane and soon you’re 30,000 feet up in the sky skimming the clouds, blissfully unaware of what’s happening below you. Reading most of the press coverage on the legislative and regulatory struggle to pare back the more onerous portions of SOX isn’t so different. A typical article has the usual mix of regulators, congressional committee chairs, even a few CEOs weighing in with their opinion. But, as you take in the thoughts and opinions from on high and afar you miss all of the action that’s taking place at the ground level.
I was reminded of that earlier this week as I was talking to a customer of ours. This customer is a relatively small company with only about 1,000 employees. They went live with a new Oracle ERP system a little over a year ago. As luck would have it, their audit took place just a few weeks after they went live. When their auditors came in to test whether they had locked down access to their Oracle system they found more than 10,000 segregation of duties (SoD) violations. That is, there were more than 10,000 different ways that their employees could do something they probably shouldn’t be doing. Needless to say, once the auditors saw that, they decided to stick around for a few more weeks to dig a little deeper.
Ten thousand ways to potentially commit fraud may sound shocking. But the fact is that if you talk to the folks down in the IT, finance and audit departments at companies both large and small, they’ll openly tell you that before SOX there were far fewer restrictions over who could do what in their ERP systems. SOX or not, that’s not something most CIOs and CFOs would be happy about.
Over the past year, the company I referred to above chose to adopt the same continuous controls monitoring solution their auditor was using, so they could test their Oracle user access controls against the very same rules as their auditor. With a single resource in IT security and a one-person internal audit staff, this company was able to quickly eliminate the 10,000 violations their auditors had uncovered. One year later, they just finished their most recent audit. The results this year? A quick audit and no violations. Better yet, no violations meant no deep dive by their auditors. That translated into significantly reduced audit fees, which made the board and the CFO pretty happy. They continue to monitor their user access controls on a continuous basis with the Approva software. The net result is that this requires minimal resources, and they’ve eliminated a chunk of their annual audit fees. Now that’s an audit you can love.
Going back to where I started this post — as you read the high-level (and somewhat repetitive) press coverage that carries on at 30,000 feet you don’t often see this innovation that happens at the ground level. As the philosopher Plato once said, “necessity is the mother of invention”. That’s what’s happening in the trenches. Innovative companies have already found ways to both reduce risk and cut the cost of compliance. As regulators and legislators look for ways to reduce the burden of SOX they would serve themselves well to take a closer look at what’s going on down in the trenches.
Michael Evans is the Vice President of Marketing at Approva.


June 15th, 2007 at 5:42 am
[...] We wanted to call attention to a Business Week piece that ran this week. Karen Klein interviewed Jeffry Netter, a prof of finance at the Terry College of Biz, University of Georgia. And, his colleague, James Linck. The bottom line: new guidance which focuses on risk assessment and management SHOULD reduce the burden on small public companies. They acknowledge that outside auditors were nearly forced, under the old system, to assess EVERYTHING. Risk or not. From Linck, “The proposals are directly responsive to the recommendations of an advisory committee that was focused on capital formation and the removal of obstacles that impede the growth of small companies.” We liked this — particularly on the heels of Mike Evans’ piece on Audit Trail yesterday. There is positive movement for small public companies, and hopefully, despite the rhetoric, the tide has turned. [...]
June 18th, 2007 at 1:16 pm
[...] If the SEC is looking for some examples they would do well to give a call to the small company I mentioned in my previous post. They have some hard numbers to share. Better yet, take a look at the results being generated by other companies that have long since adopted automated continuous controls monitoring solutions. [...]
July 24th, 2007 at 12:28 pm
[...] Harvey L. Pitt, CEO of the global business consulting firm Kalorama Partners, is a former SEC chairman and a current independent board member of Approva Corporation. As SEC chairman from 2001 to 2003, Pitt led the commission’s response to the market disruptions resulting from the terrorist attacks of 9/11 and led the commission’s adoption of dozens of rules in response to the corporate and accounting crises generated by the excesses of the 1990s. [...]
June 14th, 2010 at 10:12 am
I really like the information that you wrote. It shows that you really know your stuff.