
Archive for the ‘Executive Spotlight’ Category

Why Compliance Cannot be Delivered as a Service

Posted on February 15th, 2008 by Ian Glazer

My friend Mark MacAuley can always be counted on to stir things up. He’s seen plenty of enterprise deployments and architectures and comes at problems with a combination of Yankee ingenuity and healthy cynicism. Over on Identitystuff, Mark writes about offering Compliance as a service:

“The new frontier is CaaS – Compliance as a Service. Fixed cost, consistent automated reporting, a defensible model for implementing and showing transparency.”

Although the intent of Compliance is good, in Mark’s estimation Compliance is 100% cost with no positive yield to the bottom line.

The trouble is that Mark refers to Compliance as if it is an IT service that can be delivered like outsourced help desk or security management. Compliance, the Big “C,” cannot be delivered as a service. The Big “C” is the interplay between people, processes, and IT systems to achieve the mission of the business in the context of regulatory and market pressures. It isn’t binary; it isn’t something you have one day and not the next. This dynamic interplay requires continuous measurement and feedback loops to ensure that deviations are corrected and, ideally, prevented.

Compliance is a matter of controls - instituting a variety of controls and then charting the business’ distance in relation to those controls at all times. Let’s take a simple common non-business example. When a cop pulls you over for speeding, you often get asked two questions:

• Did you see that speed limit sign?
• Do you know how fast you were going?

This is a simple example of controls in daily life. To track towards Compliance, first, you have to know about the control – awareness of the speed limit. Second, you have to be aware of your relationship to the control – how fast you are going. Finally, you, as a safe driver and responsible citizen, have to continually measure your relation to the control – keep your eye on the speedometer, unless you want a visit from auditors or enforcement agencies.

Expressing, understanding, monitoring, and enforcing controls CAN be delivered as a service. These services, including controls documentation and controls management, address automated and manual controls for IT and non-IT systems and processes. And it is the delivery of these capabilities as a service that can reduce the cost of compliance.

Matt Flynn gets in on the action and provides a crucial point, if indirectly:

“I think there are definitely organizations out there that would love to have a third party who is willing to be an expert and own compliance for them.”

It’s people! Compliance is People! This is the other piece of the puzzle and as Matt says, it can be delivered by a third party. Service providers, with deep domain expertise, armed with controls documentation and management tools, can provide holistic compliance services, and with a little creative thinking, a bit of indemnity insurance, they can truly own compliance for an enterprise.

The Big “C” Compliance cannot be delivered as a service, nor by Santa Claus, not for all the tea in China. But that being said, compliance experts and expertise bolstered by controls management and documentation services can help organizations track towards Compliance and be able to adapt as any of the variables in the Compliance equation shift.


Why Detective Controls Aren’t Enough

Posted on January 23rd, 2008 by Dana Hamerschlag

I’d like to talk today about the need for many businesses to move beyond simple detective controls to more automated preventive controls – and what the move means for business efficiency and effectiveness.

I have a chart that I like to use to illustrate the typical controls implementation evolution that companies undergo. As it shows, most companies start out with many manual controls, where a person has to manually review a sample of records to ensure there were no problems, or someone has to approve a process and sign off. This is essentially self-reporting, and often the evidence of the control is either stuck in an email somewhere or a signed piece of paper that lives in a filing cabinet and verifies that records have been reviewed.

One of the problems with the above approach is that reviewers are examining data after events have already happened, likely at a quarterly or year-end review. This time lag means that problems in the past can be identified, but not easily rectified before there are business consequences.

Implementing controls automation brings many benefits in the form of cost and time savings – but one of the benefits with the greatest impact comes from the ability of automated controls to be both detective and preventive.

Controls automation provides both automated notification of controls issues, such as duplicate payments or unauthorized changes to system settings, and preventive controls that stop transactions like duplicate payments from even being processed. With this type of implementation, errors are not only identified automatically, but often they’re prevented from happening in the first place. These sorts of automated preventive controls certainly save time and money managing controls and correcting problems, but there is an even more important benefit for the bottom line of the business itself. Mistakes that are avoided in the first place mean that customer satisfaction is higher, shipments and revenue recognition happen faster, cost of goods sold is lower, and working capital is lower…
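As an added illustration of the detective-versus-preventive distinction (this is not code from Approva or from this post), the small Python model below keeps an accounts-payable ledger and runs two controls over it: a quarter-end duplicate scan that can only report payments already disbursed, and a posting-time gate that rejects a duplicate before it is paid. The ledger records, the matching key (vendor, invoice number, amount) and the function names are assumptions chosen for the example.

```python
"""Detective vs. preventive control over duplicate vendor payments.

Added illustration, not Approva's code. The ledger records, the matching
key (vendor, invoice number, amount) and the function names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor: str
    invoice_no: str
    amount_cents: int


def dup_key(p: Payment) -> Tuple[str, str, int]:
    # Normalise so that "INV-1001", "inv-1001" and "INV-1001 " all match.
    return (p.vendor.strip().upper(), p.invoice_no.strip().upper(), p.amount_cents)


# Constructed sample ledger: one quarter of posted payments, two of which
# re-pay the same Acme invoice under slightly different keys.
POSTED: List[Payment] = [
    Payment("P1", "Acme Supply", "INV-1001", 125000),
    Payment("P2", "Acme Supply", "inv-1001", 125000),   # re-keyed duplicate
    Payment("P3", "Globex", "INV-77", 9900),
    Payment("P4", "Globex", "INV-78", 9900),            # same amount, other invoice: fine
    Payment("P5", "Acme Supply", "INV-1001 ", 125000),  # trailing-space duplicate
]


def detective_scan(ledger: List[Payment]) -> Dict[tuple, List[str]]:
    """Quarter-end review: report every group of posted payments sharing a key.

    By the time this runs the money has already left; the best outcome is a
    recovery effort, which is the time lag the post describes.
    """
    groups: Dict[tuple, List[str]] = {}
    for p in ledger:
        groups.setdefault(dup_key(p), []).append(p.payment_id)
    return {k: ids for k, ids in groups.items() if len(ids) > 1}


class PreventiveGate:
    """Posting-time control: a payment whose key has already posted is rejected
    before disbursement, so the duplicate never becomes a ledger entry."""

    def __init__(self) -> None:
        self._seen: Dict[tuple, str] = {}
        self.rejected: List[Tuple[str, str]] = []  # (rejected id, original id)

    def post(self, p: Payment) -> bool:
        k = dup_key(p)
        if k in self._seen:
            self.rejected.append((p.payment_id, self._seen[k]))
            return False
        self._seen[k] = p.payment_id
        return True


def replay_with_gate(ledger: List[Payment]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Replay the same quarter through the preventive gate and return what
    would have been accepted and what would have been stopped."""
    gate = PreventiveGate()
    accepted = [p.payment_id for p in ledger if gate.post(p)]
    return accepted, gate.rejected


if __name__ == "__main__":
    print("detective (after the fact):", detective_scan(POSTED))
    print("preventive (at posting):   ", replay_with_gate(POSTED))
```

The detective scan and the gate use the same matching key; the difference is only when the control runs. That is the whole point of the paragraph: the same rule, applied at posting time instead of at review time, turns a finding into a rejected transaction.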

What’s that old saying about an ounce of prevention being worth a pound of cure? It certainly holds here. Preventing troublesome issues from occurring in the first place is a great way for reducing risk – and for saving time and resources down the road to identify and rectify past mistakes.


- Dana Hamerschlag, Senior Director, Product Marketing


Approva’s Banner Year in 2007 – And a Look Toward ‘08

Posted on January 21st, 2008 by PV Boccasam

I’m extremely pleased to report that Approva concluded another successful year. Over the past two quarters, the company has doubled its revenue, while increasing its market share and adding new customers – including marquee names like Comcast, First Advantage, Komatsu and AECOM among others.

We accomplished these goals while facing tremendous direct competitive pressure and fast changing market dynamics. I would like to thank my team for all of its hard work. They have enabled us to run a profitable, sustainable business – reinforcing our leadership position in the high-growth GRC market place. We’re proud of the success we had last year and our ability to demonstrate immense value to our customers, partners and shareholders.

This past year saw many important developments at Approva, from expanding our use among Big 4 audit firms to expanding into the federal compliance space to increased investment in new products and a good deal of flattering industry awards and recognitions. (Please read the detailed press release for more on Approva’s accomplishments in 2007).

Reflecting on what 2007 meant for our industry, one thing that of course stands out is the strong consolidation trend that we’ve witnessed. The industry’s larger players continue acquiring businesses with more specialized offerings. 2007 also witnessed tremendous innovation from the smaller, more agile players in the market, and I’m equally sure that that trend will continue as well. We have had – and will continue to have – a good bit to say about all of this, frequently via our award-winning blog, Audit Trail. For our take on it, I’ll refer you to our own Ian Glazer, along with Lori Rowland of the Burton Group.

I am struck by the energy and resources that so many companies spent in re-evaluating, re-thinking and re-prioritizing their compliance mandate in 2007. From the SEC’s revisions of SOX Section 404 to the PCAOB’s release of AS5 guidelines, 2007 saw important shifts in the way businesses approach compliance specifically and GRC more broadly. I feel confident that 2008 will be a continuation of this trend – and that companies without a clear GRC strategy are going to spend money without a tangible return on their investments.

As we look toward the future, my management team and I couldn’t be more excited about the year ahead and the opportunity to shape the industry.

Happy New Year.

— PV Boccasam, CEO, Approva


Where We Fit in the Market

Posted on January 18th, 2008 by Steve Elliott

A bit ago, I blogged about the tiers of an effective compliance protocol – the four layers that need to be addressed before an operation can be sure that risks are being defined, monitored, detected, and mitigated.

I’m sure it’s no surprise to readers that Approva just happens to have built solutions to work exceedingly well with each of these tiers, and today I’d like to go into a bit more detail about that, to talk about compliance providers in general and where Approva’s solutions fit into the mix.

The past few years have seen a growth explosion in large companies working to address compliance issues within larger systems. What the big guys may lack in innovative capacity, they make up for in cashflow, and we’ve seen rampant acquisitions of operations like Openpages and Paisley that enable the big guys to manage risk and controls more efficiently than they could on their own with custom applications or MS Office.

Over time, competition and merger activity has culled hundreds of providers to a core of three to four true leaders, and the market is more defined, with fewer competitors. This isn’t necessarily a bad thing. Fewer competitors means that our differentiators are more clear – and we can’t complain about the big guys’ marketing efforts, which sometimes have the unintended effect of driving demand for our suite of products.

But what are those differentiators? Well, design, for one. Simply put, Approva has always existed to address complex compliance issues with a platform approach – even before SOX (though we certainly owe a good bit to those honorable gentlemen). We built our software with a keen awareness of what the market needs – not just what we need for market share.

Approva’s products enable different systems to talk across layers of IT stacks, across varied regulations, across business units. Early on, we attempted to develop an open controls framework of common ways for these kinds of systems to talk – and this framework ended up emerging as XML standards, XCDL (Controls Definition Language) and XCRL (Controls Reporting Language). These standards provide a common way to electronically define, in an XML format, risks, controls, and results of tests.

While our competitors have taken the stance of building new software to compete, they run into big limitations in getting different systems to talk to each other or to collaborate in any solid way across their systems. Approva decided to build a single platform that everything will plug into and that is both scalable and extensible. The design and thought that we put into our development takes time – but now that it’s maturing, we’re realizing many benefits of our platform, which can be extended through wizards, can work with legacy systems, and can even “earn” on legacy systems.

I’m the first to admit it’s been a challenge to get widespread adoption with so many in the market, but with fewer playing, we’re seeing more traction every day. And we’re confident that our commitment to providing the very best continuous controls monitoring will continue to provide tremendous ROI for our clients – and opportunities for us to grow as well.


Boosting Efficiency’s Great. But How About Boosting Effectiveness?

Posted on January 15th, 2008 by Dana Hamerschlag

There’s been a healthy discussion industry-wide about using automation to increase efficiency, and we at Approva certainly recognize the value in the increased efficiency that automation can bring.

But efficiency isn’t the only benefit that automation offers. With the right deployment, automation can also enable organizations to increase the effectiveness of their controls, improving business processes and turning compliance expenditures from costs into assets.

One way to boost effectiveness is by implementing controls that reflect a deep understanding of the roles they will govern and the organization’s needs. Consider for a moment a hypothetical accounts payable clerk in a small office of a larger organization, whose very job role necessitates the ability to both create vendors and approve vendor invoices. This is a classic separation-of-duties issue – and one unavoidable for this particular role.

Traditionally, the potential conflicts inherent in this role would need to be monitored manually, with auditors reviewing records of vendors created and paid to identify potentially suspect transactions – a time-consuming practice subject to human error.

Automation eases this burden considerably, by allowing managers to set specific rules for user access and receive automatic notification of users who could conduct suspect transactions – or those who have already done so.

For our customers, we recommend a solution that goes farther than simple notification – through a process that we call closed-loop remediation. In this process, compliance issues are defined, monitored, and addressed within a single system. So, for instance, upon notification that our accounts payable clerk can both create a vendor and approve that vendor’s invoices, her manager can establish automatic transactional monitoring – and at the same time incorporate compensating controls.

To be clear, compensating controls don’t necessarily involve revoking a user’s access – employees need access to do their jobs, and revoking access doesn’t necessarily increase efficiency or effectiveness.

This is where closed-loop remediation demonstrates its true value – in allowing managers to choose from several automated options for addressing a compliance issue. Those solutions can include monitoring users with sensitive access, monitoring usage of sensitive transactions, redesigning roles, or identifying access that can be revoked without interruption to business processes.
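The accounts-payable scenario above, worked through as an added Python example (this is not Approva’s product logic or code from this post): an access snapshot is checked against a separation-of-duties rule, an activity log is monitored for approvals on vendors the same user created, and a usage-based remediation step distinguishes users who exercise both sides of the conflict (keep access, keep monitoring) from users whose conflicting privilege is never used and can be revoked without interrupting their work. The transaction codes, user names, rule identifier, log format and function names are all constructed for the example.

```python
"""Separation-of-duties check, transaction monitoring and a usage-based
remediation hint for an accounts-payable conflict.

Added illustration, not Approva's product logic. The access snapshot, the
SoD rule, the activity log and all names are constructed assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed access snapshot: user -> set of hypothetical transaction codes.
ACCESS: Dict[str, Set[str]] = {
    "alice": {"VENDOR_CREATE", "INVOICE_APPROVE"},  # AP clerk in a small office
    "bob":   {"VENDOR_CREATE"},
    "carol": {"INVOICE_APPROVE"},
    "dave":  {"VENDOR_CREATE", "INVOICE_APPROVE"},  # holds both, never creates vendors
}

# SoD rule: a user must not hold (or exercise) both sides of the pair.
SOD_RULES: Dict[str, Tuple[str, str]] = {"AP-01": ("VENDOR_CREATE", "INVOICE_APPROVE")}

# Constructed activity log: (user, action, vendor id the action touched).
ACTIVITY: List[Tuple[str, str, str]] = [
    ("alice", "VENDOR_CREATE",  "V-100"),
    ("alice", "INVOICE_APPROVE", "V-100"),  # created the vendor and approved its invoice
    ("alice", "INVOICE_APPROVE", "V-200"),
    ("bob",   "VENDOR_CREATE",  "V-200"),
    ("dave",  "INVOICE_APPROVE", "V-100"),  # approved, but someone else created V-100
]


def sod_violations(access, rules) -> Dict[str, List[str]]:
    """Access-level check: which users hold both sides of a rule (the
    'could conduct suspect transactions' notification)."""
    out: Dict[str, List[str]] = {}
    for rule_id, (a, b) in rules.items():
        users = sorted(u for u, privs in access.items() if a in privs and b in privs)
        if users:
            out[rule_id] = users
    return out


def suspect_transactions(activity, rules) -> List[Tuple[str, str, str]]:
    """Transactional monitoring: flag a user who performed side B on an
    object they themselves performed side A on (the 'already done so' case)."""
    flagged: List[Tuple[str, str, str]] = []
    for rule_id, (a, b) in rules.items():
        did_a: Dict[str, Set[str]] = defaultdict(set)
        for user, action, obj in activity:
            if action == a:
                did_a[obj].add(user)
        for user, action, obj in activity:
            if action == b and user in did_a[obj]:
                flagged.append((rule_id, user, obj))
    return flagged


def remediation_plan(access, activity, rules) -> Dict[str, Dict[str, object]]:
    """Closed-loop remediation hint. For each violating user, a conflicting
    privilege that was never exercised can be revoked without interrupting
    work; a user who exercises both sides keeps access and stays monitored."""
    used: Dict[str, Set[str]] = defaultdict(set)
    for user, action, _ in activity:
        used[user].add(action)
    plan: Dict[str, Dict[str, object]] = {}
    for rule_id, users in sod_violations(access, rules).items():
        for u in users:
            unused = [p for p in rules[rule_id] if p not in used[u]]
            plan[u] = {"revoke": unused, "monitor": not unused}
    return plan


if __name__ == "__main__":
    print("access conflicts:      ", sod_violations(ACCESS, SOD_RULES))
    print("suspect transactions:  ", suspect_transactions(ACTIVITY, SOD_RULES))
    print("remediation plan:      ", remediation_plan(ACCESS, ACTIVITY, SOD_RULES))
```

The three functions are the three stages the post describes: the access check is the notification, the transaction scan is the compensating monitoring, and the plan is the step that decides between revocation and continued monitoring per user instead of revoking access wholesale.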



The fact is that dealing with sensitive access issues can be a time-consuming and difficult process. Automation makes the process run more quickly, but it is transactional monitoring and notification and closed-loop remediation that actually bring the most business value, in the form of rapid issue identification and response, thorough analysis, reduced time spent auditing data and reduced audit preparation time.


The Four Tiers of a Successful Compliance Protocol

Posted on January 8th, 2008 by Steve Elliott

We at Approva like to talk about how important it is to have cross-functional, cross-application controls monitoring solutions – how crucial it is to ensure that risks are monitored and addressed across disparate job functions and varied ERPs.

In order to illustrate exactly how this works, I thought it might be useful to outline the tiers of software within an ideal compliance system – the risks monitored, the stakeholders alerted, and the impacts on business processes beyond compliance.

Ideally, a comprehensive compliance environment consists of four tiers – enterprise risk dashboarding, risk policy and procedure management, controls collection/correlation, and automated controls testing and monitoring. When organizations are able to implement these effectively, and ensure that each tier works with the others, you can be confident that risks are being assessed, detected, monitored and mitigated – and that overall business effectiveness is positively impacted.

The top tier is dashboarding to different personas – the CFO, controller, internal audit manager, or IT managers who need visibility into controls. This tier takes low level information being tested and correlates it across multiple systems to identify gaps large enough to merit CXO awareness and involvement.

The second tier is risk policy and procedure management – essentially, where the rules of the game are documented. In this tier, the organizational structure is defined, along with what is being analyzed and by whom. This tier enables stakeholders to assess risk by region, business unit, or other variables – and enables them to make sense of risk. This tier also incorporates documentation policies and defines responses to everything from loss event investigation to hotlines for whistle-blowers to risk analytics.

The third tier is controls collection and correlation. This tier orchestrates the testing schedule and normalizes results across the landscape for consumption by the risk and controls repository.

The final layer of the software compliance environment is automated controls testing and monitoring. This tier enables continuous automated testing of application, process and system controls within the ERP, as well as other layers of the IT stack like database, OS, network, email and spreadsheets. As far as the business world has come in recent years, the fact is that a good deal of businesses to this day manage important business functions in uncontrolled tools like Excel, which leaves considerable room for error. Automated application testing helps companies to address these kinds of risks.

If an organization can bring these four tiers to work together, you can be confident that you’ve done a thorough job managing disparate risks across an enterprise. No software solution is perfect, and an organization is only as compliant as its people – but this is a heck of a start.

— Steve Elliott, Chief Technology Officer


What’s In Store for Audit Trail in 2008?

Posted on January 2nd, 2008 by Michael Evans

When we launched Audit Trail back in the spring of 2007, I think it’s safe to say none of us here at Approva knew exactly where it would lead us. Our goal was to take a different approach to the world of compliance, controls, audit and corporate governance. The response we received was overwhelming, and it’s clear that many of you now make Audit Trail a regular stop on your daily world wide web tour.

We’ve tried to make Audit Trail a unique mix of news, analysis and opinion with a dose of humor thrown in to lighten things up. And whether we were assessing the viability of GRC as a space, having a little fun with the 5th anniversary of SOX or giving our take on some of the ERP vendors’ latest acquisitions, I think it’s fair to say 2007 was a huge success.

As we head into 2008, we’re taking all of the feedback we’ve received from you to heart. The focus and attitude you’ve come to know and love won’t be leaving Audit Trail. In fact, if anything, you’re going to be hearing a lot more of what we really think. To do that we’ll be scaling back the daily news updates to once a week. That will give our own practitioners some space to get their voices out. You’ll be hearing more lessons from the field, Q&A with industry luminaries and some guest bloggers that are going to surprise you (stay tuned). In short, you’ll be hearing less about what is going on and a lot more about our take on it.

As always, we’d appreciate your feedback on what you think of our new direction and what you’d like to hear more about. To make your voice heard just leave a comment or drop us a line at audittrail at approva (dot) net.


Study Shows Progress In Internal Controls Effectiveness

Posted on December 11th, 2007 by Dana Hamerschlag

Compliance Week (subscription required) recently released a study on the effectiveness of internal controls implemented in the wake of Sarbanes-Oxley. Financial Week covers it here, but the gist is that there is clear progress being made three years into the internal controls requirements that SOX has mandated.

The highlights? Large filers last year disclosed only a third of the number of the material weaknesses in internal controls that they reported three years ago. Restatements are also down, as are late filings and corporate litigation. And more weakness disclosures are being filed quarterly than annually, which the CW folks point to as a positive sign that companies are uncovering and disclosing problems more quickly.

This is indeed a step in the right direction, and something for corporate America to be proud of. It’s gratifying to see tangible results on the vast amounts of time and money that have gone to attaining and maintaining SOX compliance. But it’s also a reminder of how much farther we have to go to truly get our money’s worth out of GRC investments.

Focusing on compliance issues like general computing and user-access controls is necessary and useful for compliance efforts, but it is in improving the efficiency and effectiveness of these controls where companies will see actual business improvement. When controls themselves become more efficient and effective, they can begin to provide meaningful intelligence about the business and where processes can be improved, with benefits including reduced time and expenses involving external audits, reduced fraud and mistakes, and decreased time required to test and monitor controls.

Governance, risk and compliance (GRC) is still a relatively new concept, and most companies are still on the cusp of realizing its true potential. When we discuss with our clients the “vision” of GRC, they understand what we are saying, and the value that such an approach holds. But they aren’t yet addressing GRC on a day-to-day basis. Many have invested in boosting the efficiency of compliance systems, but we have yet to see widespread dedication to making controls more effective – and an even smaller number are actively trying to realize the link between compliance systems improvement and improved business processes.

Time will tell how the GRC market ultimately evolves – whether it can grow to encompass all the markets it entails and bring together functions from board-level dashboards for enterprise risk management to IT regulatory compliance testing tools, and whether there exists or could feasibly exist a single comprehensive GRC solution. But the vision is there, and the rewards are real. Here’s to all of us being part of the dialogue.

- Dana Hamerschlag, Senior Director, Product Marketing


Can Consolidated Behemoths Make the Grade?

Posted on November 30th, 2007 by Michael Evans

It’s a fairly well-worn truism that when it comes to software, real innovation originates not with the behemoths, but with smaller companies, which work hand-in-hand with their customers to rapidly turn out new products and features that address long-standing business problems.

The innovation challenges at larger companies come from one root problem: consolidation. These companies are developing holistic suites of products – often disparate technologies from many smaller vendors — through acquisition.

While this strategy allows them to provide comprehensive product and service offerings, and beef up bottom line numbers, it rarely benefits the customer. This mixed-bag approach of providing cobbled-together solutions has clearly caused problems in other industries.

Take the online security space for example. Symantec is currently dealing with customer fallout from its acquisition of Veritas, which, some say, caused the company to lose its core focus. According to this CSO Magazine article, Symantec is dealing with the consequences.

We see this phenomenon happening in all major industries – including the GRC space. Rather than developing innovative products internally, large companies are beefing up their M&A departments, getting out their checkbooks and snapping up one company after another. It’s a fair bet that conference rooms are scarce commodities at their respective HQs. Synching up roadmaps, organizations and go-to-market plans are time-consuming and people-intensive tasks – things that make a company lose focus.

Whatever your view on Governance, Risk & Compliance, one thing we can all agree on is that it’s a pretty nascent market with rapidly changing business requirements. In a market that’s changing and evolving, you need to move quickly, stay close to the customers and deliver tangible value. That’s what Approva’s all about. And our customers seem to agree. Don’t take our word for it, though – hear it straight from the source.


–Michael Evans


Saving on Compliance to Spend Where it Counts

Posted on November 14th, 2007 by Audit Trail

As we mentioned last week, Approva recently presented a webcast with AMR Research vice president and research fellow John Hagerty on addressing the Top 5 Audit Challenges in Oracle E-Business Suite.

We had a good time with the webcast and with the questions and answers that followed, and we also heard some interesting data from our participants – over 50% of whom said their businesses are spending between $500k and $5 Million annually on compliance.

That seems like an awfully high number to see five years after SOX adoption – especially since, as John mentioned in his presentation, we know of other companies that are saving millions on annual compliance costs through the use of continuous controls monitoring.

Hearing about this spending brought me to think a bit on how the time and resources being spent on SOX could be utilized elsewhere, if compliance spending could be reduced. Unlike other fixed corporate expenses, many businesses are finding considerable leeway in their compliance expenditures – and re-allocating that spending to other business areas.

Key ways to increase efficiency and reduce spending on SOX:
• Use automated vs. manual controls
• Use well defined, clearly understood, industry standard key controls
• Design your business processes with control and compliance in mind
• Empower internal control stakeholders and business process owners
• Consider not just detection, but also prevention of issues

Once compliance spending is automated and made more efficient, funds saved can be allocated to business areas where they bring more return on investment, such as:
• Improved technology (analysis and monitoring tools, business intelligence, etc)
• Improved business processes
• Improved fraud detection and prevention
• More frequent and / or more thorough reviews of the business overall
• A new audit center in the U.S. Virgin Islands

Food for thought, don’t you think? Where would you spend an extra $500k (or more) a year?

For more on working within the Oracle market, check out this short video addressing Approva’s cross platform and cross application functionality.

- Brian Groves, Senior Director, Product Marketing, Oracle, Approva
