Archive for the ‘Executive Spotlight’ Category

Why Detective Controls Aren’t Enough

Posted on January 23rd, 2008 by admin

I’d like to talk today about the need for many businesses to move beyond simple detective controls to more automated preventive controls – and what the move means for business efficiency and effectiveness.

I have a chart that I like to use to illustrate the typical controls implementation evolution that companies undergo. As it shows, most companies start out with many manual controls, where a person has to manually review a sample of records to ensure there were no problems, or someone has to approve a process and sign off. This is essentially self-reporting, and often the evidence of the control is either stuck in an email somewhere or is a signed piece of paper that lives in a filing cabinet and verifies that records have been reviewed.

One of the problems with the above approach is that reviewers are examining data after events have already happened, likely at a quarterly or year-end review. This time lag means that problems in the past can be identified, but not easily rectified before there are business consequences.

Implementing controls automation brings many benefits in the form of cost and time savings – but one of the benefits with the greatest impact comes from the ability of automated controls to be both detective and preventive.

Controls automation allows for automated notification both of controls issues like duplicate payments and of unauthorized changes to the system settings that prevent transactions like duplicate payments from even being processed. With this type of implementation, errors are not only identified automatically, but often they’re prevented from happening in the first place. These sorts of automated preventive controls certainly save time and money managing controls and correcting problems, but there is an even more important benefit for the bottom line to the business itself. Mistakes that are avoided in the first place mean that customer satisfaction is higher, shipments and revenue recognition happen faster, cost of goods sold is lower, and working capital is lower…

What’s that old saying about an ounce of prevention being worth a pound of cure? It certainly holds here. Preventing troublesome issues from occurring in the first place is a great way to reduce risk – and to save the time and resources needed down the road to identify and rectify past mistakes.


- Dana Hamerschlag, Senior Director, Product Marketing


Approva’s Banner Year in 2007 – And a Look Toward ‘08

Posted on January 21st, 2008 by Steve Elliott

I’m extremely pleased to report that Approva concluded another successful year. Over the past two quarters, the company has doubled its revenue, while increasing its market share and adding new customers – including marquee names like Comcast, First Advantage, Komatsu and AECOM among others.

We accomplished these goals while facing tremendous direct competitive pressure and fast-changing market dynamics. I would like to thank my team for all of its hard work. They have enabled us to run a profitable, sustainable business – reinforcing our leadership position in the high-growth GRC marketplace. We’re proud of the success we had last year and our ability to demonstrate immense value to our customers, partners and shareholders.

This past year saw many important developments at Approva, from expanding our use among Big 4 audit firms to expanding into the federal compliance space to increased investment in new products and a good deal of flattering industry awards and recognitions. (Please read the detailed press release for more on Approva’s accomplishments in 2007).

Reflecting on what 2007 meant for our industry, one thing that of course stands out is the strong consolidation trend that we’ve witnessed. The industry’s larger players continue acquiring businesses with more specialized offerings. 2007 also witnessed tremendous innovation from the smaller, more agile players in the market, and I’m equally sure that that trend will continue as well. We have had – and will continue to have – a good bit to say about all of this, frequently via our award-winning blog, Audit Trail. For our take on it, I’ll refer you to our own Ian Glazer, along with Lori Rowland of the Burton Group.

I am struck by the energy and resources that so many companies spent in re-evaluating, re-thinking and re-prioritizing their compliance mandate in 2007. From the SEC’s revisions of SOX Section 404 to the PCAOB’s release of AS5 guidelines, 2007 saw important shifts in the way businesses approach compliance specifically and GRC more broadly. I feel confident that 2008 will be a continuation of this trend – and that companies without a clear GRC strategy are going to spend money without a tangible return on their investments.

As we look toward the future, my management team and I couldn’t be more excited about the year ahead and the opportunity to shape the industry.

Happy New Year.

— PV Boccasam, CEO, Approva


Where We Fit in the Market

Posted on January 18th, 2008 by Steve Elliott

A bit ago, I blogged about the tiers of an effective compliance protocol – the four layers that need to be addressed before an operation can be sure that risks are being defined, monitored, detected, and mitigated.

I’m sure it’s no surprise to readers that Approva just happens to have built solutions to work exceedingly well with each of these tiers, and today I’d like to go into a bit more detail about that, to talk about compliance providers in general and where Approva’s solutions fit into the mix.

The past few years have seen a growth explosion in large companies working to address compliance issues within larger systems. What the big guys may lack in innovative capacity, they make up for in cash flow, and we’ve seen rampant acquisitions of operations like OpenPages and Paisley that enable the big guys to manage risk and controls more efficiently than they could on their own with custom applications or use of MS Office.

Over time, competition and merger activity have culled hundreds of providers to a core of three to four true leaders, and the market is more defined, with fewer competitors. This isn’t necessarily a bad thing. Fewer competitors means that our differentiators are clearer – and we can’t complain about the big guys’ marketing efforts, which sometimes have the unintended effect of driving demand for our suite of products.

But what are those differentiators? Well, design, for one. Simply put, Approva has always existed to address complex compliance issues with a platform approach – even before SOX (though we certainly owe a good bit to those honorable gentlemen). We built our software with a keen awareness of what the market needs – not just what we need for market share.

Approva’s products enable different systems to talk across layers of IT stacks, across varied regulations, across business units. Early on, we attempted to develop an open controls framework of common ways for these kinds of systems to talk – and this framework ended up emerging as XML standards, XCDL (Controls Definition Language) and XCRL (Controls Reporting Language). These standards provide a common way to electronically define, in an XML format, risks, controls, and results of tests.

While our competitors have taken the stance of building new software to compete, they run into big limitations in getting different systems to talk to each other or have any form of solid collaboration across their systems. Approva decided to build a single platform that everything will plug into and that is both scalable and extensible. The design and thought that we put into our development takes time – but now that it’s maturing, we’re realizing many benefits of our platform, which can be extended through wizards, can work with legacy systems, and can even “earn” on legacy systems.

I’m the first to admit it’s been a challenge to get widespread adoption with so many in the market, but with fewer playing, we’re seeing more traction every day. And we’re confident that our commitment to providing the very best continuous controls monitoring will continue to provide tremendous ROI for our clients – and opportunities for us to grow as well.


Boosting Efficiency’s Great. But How About Boosting Effectiveness?

Posted on January 15th, 2008 by admin

There’s been a healthy discussion industry-wide about using automation to increase efficiency, and we at Approva certainly recognize the value in the increased efficiency that automation can bring.

But efficiency isn’t the only benefit that automation offers. With the right deployment, automation can also enable organizations to increase the effectiveness of their controls, improving business processes and turning compliance expenditures from costs into assets. 



One way to boost effectiveness is by implementing controls that reflect a deep understanding of the roles they will govern and the organization’s needs. Consider for a moment a hypothetical accounts payable clerk in a small office of a larger organization, whose very job role necessitates the ability to both create vendors and approve vendor invoices. This is a classic separation-of-duties issue – and one unavoidable for this particular role. 



Traditionally, the potential conflicts inherent in this role would need to be monitored manually, with auditors reviewing records of vendors created and paid to identify potentially suspect transactions – a time-consuming practice subject to human error.

Automation eases this burden considerably, by allowing managers to set specific rules for user access and receive automatic notification of users who could conduct suspect transactions – or those who have already done so.



For our customers, we recommend a solution that goes farther than simple notification – through a process that we call closed-loop remediation. In this process, compliance issues are defined, monitored, and addressed within a single system. So, for instance, upon notification that our accounts payable clerk can both create a vendor and approve that vendor’s invoices, her manager can establish automatic transactional monitoring – and at the same time incorporate compensating controls. 



To be clear, compensating controls don’t necessarily involve revoking a user’s access – employees need access to do their jobs, and revoking access doesn’t necessarily increase efficiency or effectiveness. 



This is where closed-loop remediation demonstrates its true value – in allowing managers to choose from several automated options for addressing a compliance issue. Those solutions can include monitoring users with sensitive access, monitoring usage of sensitive transactions, redesigning roles, or identifying access that can be revoked without interruption to business processes.



The fact is that dealing with sensitive access issues can be a time-consuming and difficult process. Automation makes the process run more quickly, but it is transactional monitoring and notification and closed-loop remediation that actually bring the most business value, in the form of rapid issue identification and response, thorough analysis, reduced time spent auditing data and reduced audit preparation time.
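The accounts payable clerk scenario above, worked through as an added example (this is not Approva's code or product logic): an access-level rule finds users who could both create vendors and approve invoices, a transaction-level check finds invoices where that actually happened, and a preventive variant holds such an approval rather than reporting it afterwards. All user names, permission names, records and the `held_for_second_approver` outcome are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (hypothetical names, not from any real system).
CONFLICTS = [("create_vendor", "approve_invoice")]  # SoD rule: conflicting pair

USER_PERMS = {
    "ap_clerk_small_office": {"create_vendor", "approve_invoice"},
    "ap_clerk_hq": {"approve_invoice"},
    "vendor_admin": {"create_vendor"},
}

VENDORS = {"V100": "vendor_admin", "V200": "ap_clerk_small_office"}  # vendor -> creator

INVOICES = [  # (invoice id, vendor id, approver, amount)
    ("INV-1", "V100", "ap_clerk_hq", 1200.00),
    ("INV-2", "V200", "ap_clerk_small_office", 9800.00),
    ("INV-3", "V100", "ap_clerk_small_office", 450.00),
]

def users_with_conflicts(user_perms, conflicts):
    """Access-level check: users who *could* perform both sides of a conflict."""
    found = defaultdict(list)
    for user, perms in user_perms.items():
        for a, b in conflicts:
            if a in perms and b in perms:
                found[user].append((a, b))
    return dict(found)

def suspect_invoices(invoices, vendors, watched_users):
    """Detective check: a watched user approved an invoice for a vendor they created."""
    hits = []
    for inv_id, vendor_id, approver, amount in invoices:
        if approver in watched_users and vendors.get(vendor_id) == approver:
            hits.append((inv_id, vendor_id, approver, amount))
    return hits

def approve(invoice, vendors, watched_users):
    """Preventive form of the same rule: hold the approval instead of reporting it later."""
    _, vendor_id, approver, _ = invoice
    if approver in watched_users and vendors.get(vendor_id) == approver:
        return "held_for_second_approver"  # compensating control; access is not revoked
    return "approved"

if __name__ == "__main__":
    watched = users_with_conflicts(USER_PERMS, CONFLICTS)
    print("conflicting access:", watched)
    print("suspect invoices:", suspect_invoices(INVOICES, VENDORS, watched))
    print("approval results:", [approve(i, VENDORS, watched) for i in INVOICES])
```

The clerk keeps both permissions throughout: only the one invoice for a vendor she created herself is flagged or held, while her approval of another creator's vendor passes.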
