<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
	xmlns:dtvmedia="http://participatoryculture.org/RSSModules/dtv/1.0"
	xmlns:media="http://search.yahoo.com/mrss/"
>

<channel>
	<title>Audit Trail &#187; Executive Spotlight</title>
	<atom:link href="http://www.approva.net/audittrail/category/executive-spotlight/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.approva.net/audittrail</link>
	<description>Take a walk on the compliance side</description>
	<lastBuildDate>Wed, 08 Sep 2010 15:31:58 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<!-- podcast_generator="podPress/7.2" -->
		<copyright>&#xA9; 2003-2006</copyright>
		<managingEditor>kfisk@approva.net ()</managingEditor>
		<webMaster>kfisk@approva.net</webMaster>
		<category></category>
		<ttl>1440</ttl>
		<itunes:keywords></itunes:keywords>
		<itunes:subtitle></itunes:subtitle>
		<itunes:summary>Podcasting from the AuditTrail . . . </itunes:summary>
		<itunes:author></itunes:author>
		<itunes:category text="Society &amp; Culture"/>
		<itunes:owner>
			<itunes:name></itunes:name>
			<itunes:email>kfisk@approva.net</itunes:email>
		</itunes:owner>
		<itunes:block>No</itunes:block>
		<itunes:explicit>no</itunes:explicit>
		<itunes:image href="http://www.approva.net/audittrail/wp-content/themes/approva/images/feed_logo_large.jpg" />
		<image>
			<url>http://www.approva.net/audittrail/wp-content/themes/approva/images/feed_logo.jpg</url>
			<title>Audit Trail</title>
			<link>http://www.approva.net/audittrail</link>
			<width>144</width>
			<height>144</height>
		</image>
		<item>
		<title>Why Detective Controls Aren’t Enough</title>
		<link>http://www.approva.net/audittrail/2008/01/23/why-detective-controls-aren%e2%80%99t-enough/</link>
		<comments>http://www.approva.net/audittrail/2008/01/23/why-detective-controls-aren%e2%80%99t-enough/#comments</comments>
		<pubDate>Wed, 23 Jan 2008 20:52:38 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Executive Spotlight]]></category>
		<category><![CDATA[Post of Note]]></category>

		<guid isPermaLink="false">http://www.approva.net/audittrail/2008/01/23/why-detective-controls-aren%e2%80%99t-enough/</guid>
		<description><![CDATA[I’d like to talk today about the need for many businesses to move beyond simple detective controls to more automated preventive controls – and what the move means for business efficiency and effectiveness.  
I have a chart that I like to use to illustrate the typical controls implementation evolution that companies undergo.  As [...]]]></description>
			<content:encoded><![CDATA[<p>I’d like to talk today about the need for many businesses to move beyond simple detective controls to more automated preventive controls – and what the move means for business efficiency and effectiveness.  </p>
<p>I have a <a id="p404" href="http://www.approva.net/audittrail/wp-content/uploads/moving-towards-automated-preventive-controls.ppt">chart</a> that I like to use to illustrate the typical controls implementation evolution that companies undergo.  As it shows, most companies start out with many manual controls, where a person has to manually review a sample of records to ensure there were no problems, or someone has to approve a process and sign off.  This is essentially self-reporting, and often the evidence of the control is either stuck in an email somewhere or a signed piece of paper that lives in a filing cabinet and verifies that records have been reviewed.  </p>
<p>One of the problems with the above approach is that reviewers are examining data after events have already happened, likely at a quarterly or year-end review.  This time lag means that problems in the past can be identified, but not easily rectified before there are business consequences.  </p>
<p>Implementing controls automation brings many benefits in the form of cost and time savings – but one of the benefits with the greatest impact comes from the ability of automated controls to be both detective and preventive.  </p>
<p>Controls automation allows for both automated notification of controls issues like duplicate payments, as well as unauthorized changes to system settings that prevent transactions like duplicate payments from even being processed.  With this type of implementation, errors are not only identified automatically, but often they’re prevented from happening in the first place.  These sorts of automated preventive controls certainly save time and money managing controls and correcting problems, but there is an even more important benefit for the bottom line to the business itself.  Mistakes that are avoided in the first place mean that customer satisfaction is higher, shipments and revenue recognition happen faster, cost of goods sold is lower, and working capital is lower…</p>
<p>What’s that old saying about an ounce of prevention being worth a pound of cure?  It certainly holds here.  Preventing troublesome issues from occurring in the first place is a great way to reduce risk – and to save time and resources down the road to identify and rectify past mistakes.  </p>
<p>Tags:  <a href="http://technorati.com/tag/Preventive+Controls" rel="tag">Preventive Controls</a>, <a href="http://technorati.com/tag/Controls+Automation" rel="tag">Controls Automation</a>, <a href="http://technorati.com/tag/continuous+controls+monitoring" rel="tag">Continuous Controls Monitoring</a></p>
<p>- Dana Hamerschlag, Senior Director, Product Marketing</p>
]]></content:encoded>
			<wfw:commentRss>http://www.approva.net/audittrail/2008/01/23/why-detective-controls-aren%e2%80%99t-enough/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Approva’s Banner Year in 2007 – And a Look Toward ‘08</title>
		<link>http://www.approva.net/audittrail/2008/01/21/approva%e2%80%99s-banner-year-in-2007-%e2%80%93-and-a-look-toward-%e2%80%9808/</link>
		<comments>http://www.approva.net/audittrail/2008/01/21/approva%e2%80%99s-banner-year-in-2007-%e2%80%93-and-a-look-toward-%e2%80%9808/#comments</comments>
		<pubDate>Mon, 21 Jan 2008 23:12:04 +0000</pubDate>
		<dc:creator>Steve Elliott</dc:creator>
				<category><![CDATA[Approva News]]></category>
		<category><![CDATA[Executive Spotlight]]></category>

		<guid isPermaLink="false">http://www.approva.net/audittrail/2008/01/21/approva%e2%80%99s-banner-year-in-2007-%e2%80%93-and-a-look-toward-%e2%80%9808/</guid>
		<description><![CDATA[ I’m extremely pleased to report that Approva concluded another successful year.   Over the past two quarters, the company has doubled its revenue, while increasing its market share and adding new customers – including marquee names like Comcast, First Advantage, Komatsu and AECOM among others. 
We accomplished these goals while facing tremendous direct [...]]]></description>
			<content:encoded><![CDATA[<p><img id="image142" align="left" height=149 width=113 hspace="10" alt="PV Boccasam" src="http://www.approva.net/audittrail/wp-content/uploads/pvboccasamtie.jpg" /> I’m extremely pleased to report that Approva concluded another successful <a href="http://www.approva.net/company/press/approva_continues_to_deliver_record_revenue_growth_in_2007_based_on_strong_demand_for_independent_continuous_contr">year</a>.   Over the past two quarters, the company has doubled its revenue, while increasing its market share and adding new customers – including marquee names like Comcast, First Advantage, Komatsu and AECOM among others. </p>
<p>We accomplished these goals while facing tremendous direct competitive pressure and fast changing market dynamics. I would like to thank my team for all of its hard work.  They have enabled us to run a profitable, sustainable business – reinforcing our leadership position in the high-growth GRC market place.  We’re proud of the success we had last year and our ability to demonstrate immense value to our customers, partners and shareholders.   </p>
<p>This past year saw many important developments at Approva, from expanding our use among Big 4 audit firms to expanding into the federal compliance space to increased investment in new products and a good deal of flattering industry awards and recognitions.  (Please read the detailed <a href="http://www.approva.net/company/press/approva_continues_to_deliver_record_revenue_growth_in_2007_based_on_strong_demand_for_independent_continuous_contr">press release</a> for more on Approva’s accomplishments in 2007).  </p>
<p>Reflecting on what 2007 meant for our industry, one thing that of course stands out is the strong consolidation trend that we’ve witnessed.  The industry’s larger players continue acquiring businesses with more specialized offerings.  2007 also witnessed tremendous innovation from the smaller, more agile players in the market, and I’m equally sure that that trend will continue as well.  We have had – and will continue to have – a good bit to say about all of this, frequently via our award-winning blog, Audit Trail.  For our take on it, I’ll refer you to our own <a href="http://www.approva.net/audittrail/2007/10/11/oracle-buys-logicalapps-approva-remains-the-land-of-freedom/">Ian Glazer</a>, along with <a href="http://identityblog.burtongroup.com/bgidps/2007/10/oracle-acquires.html">Lori Rowland</a> of the Burton Group.</p>
<p>I am struck by the energy and resources that so many companies spent in re-evaluating, re-thinking and re-prioritizing their compliance mandate in 2007.  From the SEC’s revisions of SOX Section 404 to the PCAOB’s release of AS5 guidelines, 2007 saw important shifts in the way businesses approach compliance specifically and GRC more broadly.  I feel confident that 2008 will be a continuation of this trend – and that companies without a clear GRC strategy are going to spend money without a tangible return on their investments.  </p>
<p>As we look toward the future, my management team and I couldn’t be more excited about the year ahead and the opportunity to shape the industry.</p>
<p>Happy New Year.    </p>
<p> &#8212; PV Boccasam, CEO, Approva</p>
<p>Tags:  <a href="http://technorati.com/tag/PV+Boccasam" rel="tag">PV Boccasam</a>, <a href="http://technorati.com/tag/Approva" rel="tag">Approva</a>, <a href="http://technorati.com/tag/Governance+Risk+Compliance" rel="tag">Governance, Risk and Compliance</a>, <a href="http://technorati.com/tag/GRC" rel="tag">GRC</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.approva.net/audittrail/2008/01/21/approva%e2%80%99s-banner-year-in-2007-%e2%80%93-and-a-look-toward-%e2%80%9808/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Where We Fit in the Market</title>
		<link>http://www.approva.net/audittrail/2008/01/18/where-we-fit-in-the-market/</link>
		<comments>http://www.approva.net/audittrail/2008/01/18/where-we-fit-in-the-market/#comments</comments>
		<pubDate>Fri, 18 Jan 2008 19:18:25 +0000</pubDate>
		<dc:creator>Steve Elliott</dc:creator>
				<category><![CDATA[Executive Spotlight]]></category>
		<category><![CDATA[Post of Note]]></category>

		<guid isPermaLink="false">http://www.approva.net/audittrail/2008/01/18/where-we-fit-in-the-market/</guid>
		<description><![CDATA[A bit ago, I blogged about the tiers of an effective compliance protocol – the four layers that need to be addressed before an operation can be sure that risks are being defined, monitored, detected, and mitigated.
I’m sure it’s no surprise to readers that Approva just happens to have built solutions to work exceedingly well [...]]]></description>
			<content:encoded><![CDATA[<p>A bit ago, I <a href="http://www.approva.net/audittrail/2008/01/08/the-four-tiers-of-a-successful-compliance-program/">blogged</a> about the tiers of an effective compliance protocol – the four layers that need to be addressed before an operation can be sure that risks are being defined, monitored, detected, and mitigated.</p>
<p>I’m sure it’s no surprise to readers that Approva just happens to have built solutions to work exceedingly well with each of these tiers, and today I’d like to go into a bit more detail about that, to talk about compliance providers in general and where Approva’s solutions fit into the mix.</p>
<p>The past few years have seen a growth explosion in large companies working to address compliance issues within larger systems.  What the big guys may lack in innovative capacity, they make up for in cashflow, and we’ve seen rampant acquisitions of operations like Openpages and Paisley that enable the big guys to more efficiently manage risk and controls than they could on their own with custom applications or use of MS Office.  </p>
<p>Over time, competition and merger activity has culled hundreds of providers to a core of three to four true leaders, and the market is more defined, with fewer competitors.  This isn’t necessarily a bad thing.  Fewer competitors means that our differentiators are more clear – and we can’t complain about the big guys’ marketing efforts, which sometimes have the unintended effect of driving demand for our suite of products.  </p>
<p>But what are those differentiators?  Well, design, for one.  Simply put, Approva has always existed to address complex compliance issues with a platform approach – even before SOX (though we certainly owe a good bit to those honorable gentlemen).  We built our software with a keen awareness of what the market needs – not just what we need for market share.  </p>
<p>Approva’s products enable different systems to talk across layers of IT stacks, across varied regulations, across business units.  Early on, we attempted to develop an open controls framework of common ways for these kinds of systems to talk – and this framework ended up emerging as XML standards, XCDL (Controls Definition Language) and XCRL (Controls Reporting Language).  These standards provide a common way to electronically define, in an XML format, risks, controls, and results of tests.  </p>
<p>While our competitors have taken the stance of building new software to compete, they run into big limitations in getting different systems to talk to each other or have any form of solid collaboration across their systems.  Approva decided to build a single platform that everything will plug into and be both scalable and extensible.  The design and thought that we put into our development takes time – but now that it’s maturing, we’re realizing many benefits of our platform, which can be extended through wizards, can work with legacy systems, and can even “earn” on legacy systems. </p>
<p>I’m the first to admit it’s been a challenge to get widespread adoption with so many in the market, but with fewer playing, we’re seeing more traction every day.  And we’re confident that our commitment to providing the very best continuous controls monitoring will continue to provide tremendous ROI for our clients – and opportunities for us to grow as well.  </p>
<p>Tags:  <a href="http://technorati.com/tag/Approva" rel="tag">Approva</a>, <a href="http://technorati.com/tag/GRC+marketg" rel="tag">GRC Market</a>, <a href="http://technorati.com/tag/XCDL" rel="tag">XCDL</a>, <a href="http://technorati.com/tag/XCRL" rel="tag">XCRL</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.approva.net/audittrail/2008/01/18/where-we-fit-in-the-market/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Boosting Efficiency&#8217;s Great.  But How About Boosting Effectiveness?</title>
		<link>http://www.approva.net/audittrail/2008/01/15/boosting-efficiencys-great-but-how-about-boosting-effectiveness/</link>
		<comments>http://www.approva.net/audittrail/2008/01/15/boosting-efficiencys-great-but-how-about-boosting-effectiveness/#comments</comments>
		<pubDate>Tue, 15 Jan 2008 19:44:24 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Executive Spotlight]]></category>
		<category><![CDATA[Post of Note]]></category>

		<guid isPermaLink="false">http://www.approva.net/audittrail/2008/01/15/boosting-efficiencys-great-but-how-about-boosting-effectiveness/</guid>
		<description><![CDATA[There’s been a healthy discussion industry-wide about using automation to increase efficiency, and we at Approva certainly recognize the value in the increased efficiency that automation can bring. 
But efficiency isn’t the only benefit that automation offers.  With the right deployment, automation can also enable organizations to increase the effectiveness of their controls, improving [...]]]></description>
			<content:encoded><![CDATA[<p>There’s been a healthy discussion industry-wide about using automation to increase efficiency, and we at Approva certainly recognize the value in the increased efficiency that automation can bring. </p>
<p>But efficiency isn’t the only benefit that automation offers.  With the right deployment, automation can also enable organizations to increase the effectiveness of their controls, improving business processes and turning compliance expenditures from costs into assets.   </p>
<p>One way to boost effectiveness is by implementing controls that reflect a deep understanding of the roles they will govern and the organization’s needs.  Consider for a moment a hypothetical accounts payable clerk in a small office of a larger organization, whose very job role necessitates the ability to both create vendors and approve vendor invoices.  This is a classic separation-of-duties issue – and one unavoidable for this particular role.   </p>
<p>Traditionally, the potential conflicts inherent in this role would need to be monitored manually, with auditors reviewing records of vendors created and paid to identify potentially suspect transactions – a time-consuming practice subject to human error.  Automation eases this burden considerably, by allowing managers to set specific rules for user access and receive automatic notification of users who could conduct suspect transactions – or those who have already done so.   </p>
<p>For our customers, we recommend a solution that goes farther than simple notification – through a process that we call closed-loop remediation.  In this process, compliance issues are defined, monitored, and addressed within a single system.  So, for instance, upon notification that our accounts payable clerk can both create a vendor and approve that vendor’s invoices, her manager can establish automatic transactional monitoring – and at the same time incorporate compensating controls.   </p>
<p>To be clear, compensating controls don’t necessarily involve revoking a user’s access – employees need access to do their jobs, and revoking access doesn’t necessarily increase efficiency or effectiveness.   </p>
<p>This is where closed-loop remediation demonstrates its true value – in allowing managers to choose from several automated options for addressing a compliance issue. Those solutions can include monitoring users with sensitive access, monitoring usage of sensitive transactions, redesigning roles, or identifying access that can be revoked without interruption to business processes.  </p>
<p>The fact is that dealing with sensitive access issues can be a time-consuming and difficult process.  Automation makes the process run more quickly, but it is transactional monitoring and notification and closed-loop remediation that actually bring the most business value, in the form of rapid issue identification and response, thorough analysis, reduced time spent auditing data and reduced audit preparation time.</p>
<p>Tags:  <a href="http://technorati.com/tag/automated+controls" rel="tag">Automated Controls</a>, <a href="http://technorati.com/tag/Business+Efficiency" rel="tag">Business Efficiency</a>, <a href="http://technorati.com/tag/separation+of+duties" rel="tag">Separation of Duties</a>, <a href="http://technorati.com/tag/transaction+monitoring" rel="tag">Transaction Monitoring</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.approva.net/audittrail/2008/01/15/boosting-efficiencys-great-but-how-about-boosting-effectiveness/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>The Four Tiers of a Successful Compliance Protocol</title>
		<link>http://www.approva.net/audittrail/2008/01/08/the-four-tiers-of-a-successful-compliance-program/</link>
		<comments>http://www.approva.net/audittrail/2008/01/08/the-four-tiers-of-a-successful-compliance-program/#comments</comments>
		<pubDate>Tue, 08 Jan 2008 18:52:29 +0000</pubDate>
		<dc:creator>Steve Elliott</dc:creator>
				<category><![CDATA[Executive Spotlight]]></category>
		<category><![CDATA[Post of Note]]></category>

		<guid isPermaLink="false">http://www.approva.net/audittrail/2008/01/08/the-four-tiers-of-a-successful-compliance-program/</guid>
		<description><![CDATA[We at Approva like to talk about how important it is to have cross-functional, cross-application controls monitoring solutions – how crucial it is to ensure that risks are monitored and addressed across disparate job functions and varied ERPs.
In order to illustrate exactly how this works, I thought it might be useful to outline the tiers [...]]]></description>
			<content:encoded><![CDATA[<p>We at Approva like to <a href="http://www.approva.net/audittrail/2007/11/07/governance-risk-and-compliance-leveraging-compliance-resources-to-build-shareholder-value/">talk</a> about how important it is to have cross-functional, cross-application controls monitoring solutions – how crucial it is to ensure that risks are monitored and addressed across disparate job functions and varied ERPs.</p>
<p>In order to illustrate exactly how this works, I thought it might be useful to outline the tiers of software within an ideal compliance system – the risks monitored, the stakeholders alerted, and the impacts on business processes beyond compliance.  </p>
<p>Ideally, a comprehensive compliance environment consists of four tiers – enterprise risk dashboarding, risk policy and procedure management, controls collection/correlation, and automated controls testing and monitoring.  When organizations are able to implement these effectively, and ensure that each tier works with the others, you can be confident that risks are being assessed, detected, monitored and mitigated – and that overall business effectiveness is positively impacted.  </p>
<p>The top tier is dashboarding to different personas – the CFO, controller, internal audit manager, or IT managers who need visibility into controls.  This tier takes low level information being tested and correlates it across multiple systems to identify gaps large enough to merit CXO awareness and involvement. </p>
<p>The second tier is risk policy and procedure management  – essentially, where the rules of the game are documented.  In this tier, the organizational structure is defined, along with what is being analyzed and by whom.  This tier enables stakeholders to assess risk by region, business unit, or other variables – and enables them to make sense of risk.  This tier also incorporates documentation policies and defines responses to everything from loss event investigation to hotlines for whistle-blowers to risk analytics.  </p>
<p>The third tier is controls collection and correlation.  This tier orchestrates the testing scheduling and normalizes results across the landscape for consumption by the risk and controls repository.</p>
<p>The final layer of a software compliance environment is automated controls testing and monitoring.  This tier enables continuous automated testing of application, process and system controls within the ERP, as well as other layers of the IT stack like database, OS, network, email and spreadsheets.  As far as the business world has come in recent years, the fact is that a good deal of businesses to this day manage important business functions in uncontrolled tools like Excel, which leaves considerable room for error.  Automated application testing helps companies to address these kinds of risks.</p>
<p>If an organization can bring these four tiers to work together, you can be confident that you’ve done a thorough job managing disparate risks across an enterprise.  No software solution is perfect, and an organization is only as compliant as its people – but this is a heck of a start.</p>
<p> &#8212; Steve Elliott, Chief Technology Officer</p>
<p>Tags:  <a href="http://technorati.com/tag/compliance+protocol" rel="tag">Compliance Protocol</a>, <a href="http://technorati.com/tag/continuous+controls+monitoring" rel="tag">Continuous Controls Monitoring</a>, <a href="http://technorati.com/tag/enterprise+risk" rel="tag">Enterprise Risk</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.approva.net/audittrail/2008/01/08/the-four-tiers-of-a-successful-compliance-program/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>What’s In Store for Audit Trail in 2008?</title>
		<link>http://www.approva.net/audittrail/2008/01/02/what%e2%80%99s-in-store-for-audit-trail-in-2008/</link>
		<comments>http://www.approva.net/audittrail/2008/01/02/what%e2%80%99s-in-store-for-audit-trail-in-2008/#comments</comments>
		<pubDate>Wed, 02 Jan 2008 18:13:30 +0000</pubDate>
		<dc:creator>Michael Evans</dc:creator>
				<category><![CDATA[Executive Spotlight]]></category>
		<category><![CDATA[Post of Note]]></category>

		<guid isPermaLink="false">http://www.approva.net/audittrail/2008/01/02/what%e2%80%99s-in-store-for-audit-trail-in-2008/</guid>
		<description><![CDATA[
When we launched Audit Trail back in the spring of 2007, I think it’s safe to say none of us here at Approva knew exactly where it would lead us. Our goal was to take a different approach to the world of compliance, controls, audit and corporate governance. The response we received was overwhelming, and [...]]]></description>
			<content:encoded><![CDATA[<p><img id="image393" align="left" height="90" hspace="10" src="http://www.approva.net/audittrail/wp-content/uploads/mevans.gif" alt="Michael Evans" /></p>
<p>When we launched Audit Trail back in the spring of 2007, I think it’s safe to say none of us here at Approva knew exactly where it would lead us. Our goal was to take a different approach to the world of compliance, controls, audit and corporate governance. The response we received was overwhelming, and it’s clear that many of you now make Audit Trail a regular stop on your daily world wide web tour. </p>
<p>We’ve tried to make Audit Trail a unique mix of news, analysis and opinion with a dose of humor thrown in to lighten things up. And whether we were assessing the viability of GRC as a space, having a little fun with the 5th anniversary of SOX or giving our take on some of the ERP vendors’ latest acquisitions, I think it’s fair to say 2007 was a huge success.</p>
<p>As we head into 2008, we’re taking all of the feedback we’ve received from you to heart. The focus and attitude you’ve come to know and love won’t be leaving Audit Trail.  In fact, if anything, you’re going to be hearing a lot more of what we really think.  To do that we’ll be scaling back the daily news updates to once a week. That will give our own practitioners some space to get their voices out. You’ll be hearing more lessons from the field, Q&#038;A with industry luminaries and some guest bloggers that are going to surprise you (stay tuned). In short, you’ll be hearing less about what is going on and a lot more about our take on it.</p>
<p>As always, we’d appreciate your feedback on what you think of our new direction and what you’d like to hear more about. To make your voice heard just leave a comment or drop us a line at audittrail at approva (dot) net.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.approva.net/audittrail/2008/01/02/what%e2%80%99s-in-store-for-audit-trail-in-2008/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Study Shows Progress In Internal Controls Effectiveness</title>
		<link>http://www.approva.net/audittrail/2007/12/11/study-shows-progress-in-internal-controls-effectiveness/</link>
		<comments>http://www.approva.net/audittrail/2007/12/11/study-shows-progress-in-internal-controls-effectiveness/#comments</comments>
		<pubDate>Tue, 11 Dec 2007 15:45:25 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Executive Spotlight]]></category>
		<category><![CDATA[Post of Note]]></category>

		<guid isPermaLink="false">http://www.approva.net/audittrail/2007/12/11/study-shows-progress-in-internal-controls-effectiveness/</guid>
		<description><![CDATA[Compliance Week (subscription required) recently released a study on the effectiveness of internal controls implemented in the wake of Sarbanes-Oxley.  Financial Week covers it here, but the gist is that there is clear progress being made three years into the internal controls requirements that SOX has mandated.  
The highlights?  Large filers last [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.complianceweek.com/index.cfm?fuseaction=article.viewArticle&#038;article_ID=3804">Compliance Week</a> (subscription required) recently released a study on the effectiveness of internal controls implemented in the wake of Sarbanes-Oxley.  <a href="http://www.financialweek.com/apps/pbcs.dll/article?AID=/20071203/REG/712030307">Financial Week</a> covers it here, but the gist is that there is clear progress being made three years into the internal controls requirements that SOX has mandated.  </p>
<p>The highlights?  Large filers last year disclosed only a third as many material weaknesses in internal controls as they reported three years ago. Restatements are also down, as are late filings and corporate litigation.  And more weakness disclosures are being filed quarterly than annually, which the CW folks point to as a positive sign that companies are uncovering and disclosing problems more quickly.  </p>
<p>This is indeed a step in the right direction, and something for corporate America to be proud of.   It’s gratifying to see tangible results on the vast amounts of time and money that have gone to attaining and maintaining SOX compliance.  But it’s also a reminder of how much farther we have to go to truly get our money’s worth out of GRC investments. </p>
<p>Focusing on compliance issues like general computing and user-access controls is necessary and useful for compliance efforts, but it is in improving the efficiency and effectiveness of these controls where companies will see actual business improvement.   When controls themselves become more efficient and effective, they can begin to provide meaningful intelligence about the business and where processes can be improved, with benefits including reduced time and expenses involving external audits, reduced fraud and mistakes, and decreased time required to test and monitor controls.  </p>
<p>Governance, risk and compliance (GRC) is still a relatively new concept, and most companies are still on the cusp of realizing its true potential.  When we discuss with our clients the “vision” of GRC, they understand what we are saying, and the value that such an approach holds.  But they aren’t yet addressing GRC on a day-to-day basis.  Many have invested in boosting the efficiency of compliance systems, but we have yet to see widespread dedication to making controls more effective – and an even smaller number are actively trying to realize the link between compliance systems improvement and improved business processes.</p>
<p>Time will tell how the GRC market ultimately evolves – whether it can grow to encompass all the markets it entails and bring together functions from board-level dashboards for enterprise risk management to IT regulatory compliance testing tools, and whether there exists or could feasibly exist a single comprehensive GRC solution.   But the vision is there, and the rewards are real.  Here’s to all of us being part of the dialogue.<br />
<em><br />
- Dana Hamerschlag, Senior Director, Product Marketing</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.approva.net/audittrail/2007/12/11/study-shows-progress-in-internal-controls-effectiveness/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Can Consolidated Behemoths Make the Grade?</title>
		<link>http://www.approva.net/audittrail/2007/11/30/can-consolidated-behemoths-make-the-grade/</link>
		<comments>http://www.approva.net/audittrail/2007/11/30/can-consolidated-behemoths-make-the-grade/#comments</comments>
		<pubDate>Fri, 30 Nov 2007 20:16:36 +0000</pubDate>
		<dc:creator>Michael Evans</dc:creator>
				<category><![CDATA[Executive Spotlight]]></category>
		<category><![CDATA[Post of Note]]></category>

		<guid isPermaLink="false">http://www.approva.net/audittrail/2007/11/30/can-consolidated-behemoths-make-the-grade/</guid>
		<description><![CDATA[It’s a fairly well-worn truism that when it comes to software, real innovation originates not with the behemoths, but with smaller companies, which work hand-in-hand with their customers to rapidly turn out new products and features that address long-standing business problems.  
The innovation challenges at larger companies come from one root problem:  consolidation. [...]]]></description>
			<content:encoded><![CDATA[<p>It’s a fairly well-worn truism that when it comes to software, real innovation originates not with the behemoths, but with smaller companies, which work hand-in-hand with their customers to rapidly turn out new products and features that address long-standing business problems.  </p>
<p>The innovation challenges at larger companies come from one root problem:  consolidation. These companies are developing holistic suites of products – often disparate technologies from many smaller vendors &#8212; through acquisition.  </p>
<p>While this strategy allows them to provide comprehensive product and service offerings, and beef up bottom line numbers, it rarely benefits the customer.  This mixed-bag approach of providing cobbled-together solutions has clearly caused problems in other industries. </p>
<p>Take the online security space for example. Symantec is currently dealing with customer fallout from its acquisition of Veritas, which, some say, caused the company to lose its core focus.  According to this <a href="http://www.csoonline.com/read/110107/fea_vendor.html">CSO Magazine article</a>, Symantec is dealing with the consequences.</p>
<p>We see this phenomenon happening in all major industries – including the GRC space. Rather than developing innovative products internally, large companies are beefing up their M&#038;A departments, getting out their checkbooks and snapping up one company after another. It’s a fair bet that conference rooms are scarce commodities at their respective HQs.  Synching up roadmaps, organizations and go-to-market plans are time-consuming and people-intensive tasks – things that make a company lose focus.</p>
<p>Whatever your view on Governance, Risk &#038; Compliance, one thing we can all agree on is that it’s a pretty nascent market with rapidly changing business requirements. In a market that’s changing and evolving, you need to move quickly, stay close to the customers and deliver tangible value. That’s what Approva’s all about. And our customers seem to agree. Don’t take our word for it, though – <a href="http://businessfinancemag.com/article/under-hood-honeywell-1001">hear it straight from the source</a>.</p>
<p>Tags: <a href="http://technorati.com/tag/Governance+Risk+Compliance" rel="tag">Governance, Risk and Compliance</a>, <a href="http://technorati.com/tag/Industry+Consolidation" rel="tag">Industry Consolidation</a>, <a href="http://technorati.com/tag/Honeywell" rel="tag">Honeywell</a></p>
<p>&#8211;Michael Evans</p>
]]></content:encoded>
			<wfw:commentRss>http://www.approva.net/audittrail/2007/11/30/can-consolidated-behemoths-make-the-grade/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>GRC &#8211; Not Just Another Tech Acronym</title>
		<link>http://www.approva.net/audittrail/2007/10/25/grc-not-just-another-tech-acronym/</link>
		<comments>http://www.approva.net/audittrail/2007/10/25/grc-not-just-another-tech-acronym/#comments</comments>
		<pubDate>Thu, 25 Oct 2007 16:53:36 +0000</pubDate>
		<dc:creator>Steve Elliott</dc:creator>
				<category><![CDATA[Executive Spotlight]]></category>

		<guid isPermaLink="false">http://www.approva.net/audittrail/2007/10/25/grc-not-just-another-tech-acronym/</guid>
		<description><![CDATA[In the technology industry, three-letter acronyms seem to sprout faster than mushrooms in a forest. Some fade quickly (does anyone remember ERM?), others linger and only a few stand the test of time (e.g. PLM, CRM, SCM, ERP).  Governance, Risk &#038; Compliance (GRC) is the latest addition to the three-letter soup. 
Time will tell [...]]]></description>
			<content:encoded><![CDATA[<p>In the technology industry, three-letter acronyms seem to sprout faster than mushrooms in a forest. Some fade quickly (does anyone remember ERM?), others linger and only a few stand the test of time (e.g. PLM, CRM, SCM, ERP).  Governance, Risk &#038; Compliance (GRC) is the latest addition to the three-letter soup. </p>
<p>Time will tell whether GRC will find its place in the acronym hall of fame or not. But one thing that’s clear – however you define it – is that “GRC” is fundamentally different than the business problems that these other software categories are tackling. While the list of differences is long, here are a few of the more obvious ones that come to mind:</p>
<p>· First, “GRC” is inherently a dispersed problem that is not owned by any single group or individual. It’s about every person (and group) in an organization doing their part. </p>
<p>· Second, the business processes that facilitate good governance, risk &#038; compliance are unique to each company, country and industry. Enterprise software companies are notorious for imposing rigid business processes on their customers that match the features and functions they’ve developed in their applications. That won’t fly when it comes to GRC. My conversations with customers and partners make it clear that companies are looking for solutions that layer on top of their existing processes and applications – not something that’s going to force large-scale business process re-engineering. </p>
<p>· Finally, most companies – even small and medium-sized ones – have dozens, if not hundreds of applications that they must factor into their GRC programs. The trick to making GRC programs cost-effective is to standardize your approach to controls and control monitoring <em><strong>across all applications</strong></em>. An application-by-application approach to GRC simply duplicates effort.</p>
<p>The business press is already starting to look at where GRC is headed. <a href="http://www.cfo.com/article.cfm/9689509?f=search">CFO Magazine</a> has a good article that summarizes the different angles of the debate.  In any case, whether the GRC acronym (and its status as an all-encompassing category of software) fades, lingers or ultimately stands the test of time, the one thing that is clear is that governance, risk and compliance activities are firmly ensconced on the priority list of executives.</p>
<p> &#8211; Prashanth “PV” Boccasam, CEO of Approva</p>
<p>Tags: <a href="http://technorati.com/tag/Governance+Risk+and+Compliance" rel="tag">Governance, Risk and Compliance</a>, <a href="http://technorati.com/tag/GRC" rel="tag">GRC</a>, <a href="http://technorati.com/tag/Approva" rel="tag">Approva</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.approva.net/audittrail/2007/10/25/grc-not-just-another-tech-acronym/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Approva Compliance Survey Results: Majority of Public Company Executives Believe Sarbanes-Oxley Act Has Had a Positive Impact</title>
		<link>http://www.approva.net/audittrail/2007/07/12/approva-compliance-survey-results-majority-of-public-company-executives-believe-sarbanes-oxley-act-has-had-a-positive-impact/</link>
		<comments>http://www.approva.net/audittrail/2007/07/12/approva-compliance-survey-results-majority-of-public-company-executives-believe-sarbanes-oxley-act-has-had-a-positive-impact/#comments</comments>
		<pubDate>Thu, 12 Jul 2007 13:08:02 +0000</pubDate>
		<dc:creator>Michael Evans</dc:creator>
				<category><![CDATA[Approva News]]></category>
		<category><![CDATA[Breaking News]]></category>
		<category><![CDATA[Executive Spotlight]]></category>

		<guid isPermaLink="false">http://www.approva.net/audittrail/2007/07/12/approva-compliance-survey-results-majority-of-public-company-executives-believe-sarbanes-oxley-act-has-had-a-positive-impact/</guid>
		<description><![CDATA[A week into our SOX 5th Anniversary Celebration, we thought we would take a break from the celebrations and focus on more serious matters – namely, the opinions of over 245 public company executives who responded to Approva’s Compliance Survey: Sarbanes-Oxley Five Years Later.  
Despite widespread media coverage that public companies are begging for [...]]]></description>
			<content:encoded><![CDATA[<p>A week into our SOX 5th Anniversary Celebration, we thought we would take a break from the celebrations and focus on more serious matters – namely, the opinions of over 245 public company executives who responded to Approva’s Compliance Survey: Sarbanes-Oxley Five Years Later.  </p>
<p>Despite widespread media coverage that public companies are begging for a reprieve from SOX, Approva’s survey found that 83 percent believe the Sarbanes-Oxley Act has had an overall positive impact on their companies. And 63 percent believe SOX has been successful in preventing corporate fraud.  Seventy percent of respondents believe that investments in SOX compliance will provide benefits beyond compliance alone.  Now, that is some serious ROI. </p>
<p>What other interesting statistics emerged from the survey? <a id="p212" href="http://www.approva.net/audittrail/wp-content/uploads/2007-approva-survey.pdf">Check out the complete survey findings</a>.</p>
<p>Don’t forget to post your comments on the survey findings, as we’d love to hear what you think.</p>
<p>Tags: <a href="http://technorati.com/tag/Approva" rel="tag">Approva</a>, <a href="http://technorati.com/tag/SOX+Survey" rel="tag">SOX Survey</a>, <a href="http://technorati.com/tag/Sarbanes+Oxley" rel="tag">Sarbanes-Oxley</a>, <a href="http://technorati.com/tag/ROI" rel="tag">ROI</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.approva.net/audittrail/2007/07/12/approva-compliance-survey-results-majority-of-public-company-executives-believe-sarbanes-oxley-act-has-had-a-positive-impact/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

