The Four Tiers of a Successful Compliance Protocol
Posted on January 8th, 2008 by Steve Elliott
We at Approva like to talk about how important it is to have cross-functional, cross-application controls monitoring solutions – how crucial it is to ensure that risks are monitored and addressed across disparate job functions and varied ERPs.
In order to illustrate exactly how this works, I thought it might be useful to outline the tiers of software within an ideal compliance system – the risks monitored, the stakeholders alerted, and the impacts on business processes beyond compliance.
Ideally, a comprehensive compliance environment consists of four tiers – enterprise risk dashboarding, risk policy and procedure management, controls collection/correlation, and automated controls testing and monitoring. When an organization implements these effectively, and ensures that each tier works with the others, it can be confident that risks are being assessed, detected, monitored and mitigated – and that overall business effectiveness is positively impacted.
The top tier is dashboarding for different personas – the CFO, controller, internal audit manager, or IT managers who need visibility into controls. This tier takes the low-level information being tested and correlates it across multiple systems to identify gaps large enough to merit CXO awareness and involvement.
The second tier is risk policy and procedure management – essentially, where the rules of the game are documented. In this tier, the organizational structure is defined, along with what is being analyzed and by whom. This tier enables stakeholders to assess risk by region, business unit, or other variables – and enables them to make sense of risk. This tier also incorporates documentation policies and defines responses to everything from loss event investigation to hotlines for whistle-blowers to risk analytics.
The third tier is controls collection and correlation. This tier orchestrates test scheduling and normalizes results across the landscape for consumption by the risk and controls repository.
The final layer of the compliance software environment is automated controls testing and monitoring. This tier enables continuous automated testing of application, process and system controls within the ERP, as well as in other layers of the IT stack such as the database, OS, network, email and spreadsheets. As far as the business world has come in recent years, the fact is that a good deal of businesses to this day manage important business functions in uncontrolled tools like Excel, which leaves considerable room for error. Automated application testing helps companies address these kinds of risks.
If an organization can bring these four tiers to work together, it can be confident that it has done a thorough job managing disparate risks across the enterprise. No software solution is perfect, and an organization is only as compliant as its people – but this is a heck of a start.
— Steve Elliott, Chief Technology Officer
Tags: Compliance Protocol, Continuous Controls Monitoring, Enterprise Risk