Archive for the ‘Executive Spotlight’ Category
Posted on January 8th, 2008 by Steve Elliott
We at Approva like to talk about how important it is to have cross-functional, cross-application controls monitoring solutions – how crucial it is to ensure that risks are monitored and addressed across disparate job functions and varied ERPs.
In order to illustrate exactly how this works, I thought it might be useful to outline the tiers of software within an ideal compliance system – the risks monitored, the stakeholders alerted, and the impacts on business processes beyond compliance.
Ideally, a comprehensive compliance environment consists of four tiers – enterprise risk dashboarding, risk policy and procedure management, controls collection/correlation, and automated controls testing and monitoring. When an organization implements these effectively, and ensures that each tier works with the others, it can be confident that risks are being assessed, detected, monitored and mitigated – and that overall business effectiveness is positively impacted.
The top tier is dashboarding to different personas – the CFO, controller, internal audit manager, or IT managers who need visibility into controls. This tier takes low level information being tested and correlates it across multiple systems to identify gaps large enough to merit CXO awareness and involvement.
The second tier is risk policy and procedure management – essentially, where the rules of the game are documented. In this tier, the organizational structure is defined, along with what is being analyzed and by whom. This tier enables stakeholders to assess risk by region, business unit, or other variables – and enables them to make sense of risk. This tier also incorporates documentation policies and defines responses to everything from loss event investigation to hotlines for whistle-blowers to risk analytics.
The third tier is controls collection and correlation. This tier orchestrates the testing schedule and normalizes results across the landscape for consumption by the risk and controls repository.
The final layer of the software compliance environment is automated controls testing and monitoring. This tier enables continuous automated testing of application, process and system controls within the ERP, as well as other layers of the IT stack like database, OS, network, email and spreadsheets. As far as the business world has come in recent years, the fact is that a good deal of businesses to this day manage important business functions in uncontrolled tools like Excel, which leaves considerable room for error. Automated application testing helps companies address these kinds of risks.
If an organization can bring these four tiers to work together, it can be confident that it has done a thorough job managing disparate risks across the enterprise. No software solution is perfect, and an organization is only as compliant as its people – but this is a heck of a start.
— Steve Elliott, Chief Technology Officer
Tags: Compliance Protocol, Continuous Controls Monitoring, Enterprise Risk
Posted on January 2nd, 2008 by Michael Evans

When we launched Audit Trail back in the spring of 2007, I think it’s safe to say none of us here at Approva knew exactly where it would lead us. Our goal was to take a different approach to the world of compliance, controls, audit and corporate governance. The response we received was overwhelming, and it’s clear that many of you now make Audit Trail a regular stop on your daily world wide web tour.
We’ve tried to make Audit Trail a unique mix of news, analysis and opinion with a dose of humor thrown in to lighten things up. And whether we were assessing the viability of GRC as a space, having a little fun with the 5th anniversary of SOX or giving our take on some of the ERP vendors’ latest acquisitions, I think it’s fair to say 2007 was a huge success.
As we head into 2008, we’re taking all of the feedback we’ve received from you to heart. The focus and attitude you’ve come to know and love won’t be leaving Audit Trail. In fact, if anything, you’re going to be hearing a lot more of what we really think. To do that we’ll be scaling back the daily news updates to once a week. That will give our own practitioners some space to get their voices out. You’ll be hearing more lessons from the field, Q&A with industry luminaries and some guest bloggers that are going to surprise you (stay tuned). In short, you’ll be hearing less about what is going on and a lot more about our take on it.
As always, we’d appreciate your feedback on what you think of our new direction and what you’d like to hear more about. To make your voice heard just leave a comment or drop us a line at audittrail at approva (dot) net.
Posted on December 11th, 2007 by admin
Compliance Week (subscription required) recently released a study on the effectiveness of internal controls implemented in the wake of Sarbanes-Oxley. Financial Week covers it here, but the gist is that there is clear progress being made three years into the internal controls requirements that SOX has mandated.
The highlights? Large filers last year disclosed only a third as many material weaknesses in internal controls as they reported three years ago. Restatements are also down, as are late filings and corporate litigation. And more weakness disclosures are being filed quarterly than annually, which the CW folks point to as a positive sign that companies are uncovering and disclosing problems more quickly.
This is indeed a step in the right direction, and something for corporate America to be proud of. It’s gratifying to see tangible results on the vast amounts of time and money that have gone to attaining and maintaining SOX compliance. But it’s also a reminder of how much farther we have to go to truly get our money’s worth out of GRC investments.
Focusing on compliance issues like general computing and user-access controls is necessary and useful for compliance efforts, but it is in improving the efficiency and effectiveness of these controls where companies will see actual business improvement. When controls themselves become more efficient and effective, they can begin to provide meaningful intelligence about the business and where processes can be improved, with benefits including reduced time and expenses involving external audits, reduced fraud and mistakes, and decreased time required to test and monitor controls.
Governance, risk and compliance (GRC) is still a relatively new concept, and most companies are still on the cusp of realizing its true potential. When we discuss with our clients the “vision” of GRC, they understand what we are saying, and the value that such an approach holds. But they aren’t yet addressing GRC on a day-to-day basis. Many have invested in boosting the efficiency of compliance systems, but we have yet to see widespread dedication to making controls more effective – and an even smaller number are actively trying to realize the link between compliance systems improvement and improved business processes.
Time will tell how the GRC market ultimately evolves – whether it can grow to encompass all the markets it entails and bring together functions from board-level dashboards for enterprise risk management to IT regulatory compliance testing tools, and whether there exists or could feasibly exist a single comprehensive GRC solution. But the vision is there, and the rewards are real. Here’s to all of us being part of the dialogue.
- Dana Hamerschlag, Senior Director, Product Marketing
Posted on November 30th, 2007 by Michael Evans
It’s a fairly well-worn truism that when it comes to software, real innovation originates not with the behemoths, but with smaller companies, which work hand-in-hand with their customers to rapidly turn out new products and features that address long-standing business problems.
The innovation challenges at larger companies come from one root problem: consolidation. These companies are developing holistic suites of products – often disparate technologies from many smaller vendors — through acquisition.
While this strategy allows them to provide comprehensive product and service offerings, and beef up bottom line numbers, it rarely benefits the customer. This mixed-bag approach of providing cobbled-together solutions has clearly caused problems in other industries.
Take the online security space, for example. Symantec is currently dealing with customer fallout from its acquisition of Veritas, which, some say, caused the company to lose its core focus. According to this CSO Magazine article, Symantec is dealing with the consequences.
We see this phenomenon happening in all major industries – including the GRC space. Rather than developing innovative products internally, large companies are beefing up their M&A departments, getting out their checkbooks and snapping up one company after another. It’s a fair bet that conference rooms are scarce commodities at their respective HQs. Syncing up roadmaps, organizations and go-to-market plans is a time-consuming and people-intensive task – the kind of thing that makes a company lose focus.
Whatever your view on Governance, Risk & Compliance, one thing we can all agree on is that it’s a pretty nascent market with rapidly changing business requirements. In a market that’s changing and evolving, you need to move quickly, stay close to the customers and deliver tangible value. That’s what Approva’s all about. And our customers seem to agree. Don’t take our word for it, though –
Tags: Governance, Risk and Compliance, Industry Consolidation, Honeywell
–Michael Evans