Case Study: Datacard Group
Datacard Group Strengthens Controls in Oracle E-Business Suite
Datacard Group offers the world's best-selling secure ID and card personalization solutions. The company's portfolio includes systems for high-volume card issuance, card delivery, secure ID issuance and passport production, plus extensive service and supply offerings. Datacard Group is privately held with annual revenues of approximately $400 million, and has a global service and support network covering more than 120 countries. The company has 1,400 employees worldwide, with operations that include development centers in each of its three regions: Asia Pacific and Japan (APJ); Europe, the Middle East, India and Africa (EMEIA); and the Americas.
We felt that it was important to have the same controls monitoring solution that our external auditor uses when they perform their IT control reviews. With Approva, we can monitor all of our critical ERP environments for control, compliance, and fraud related issues. This saves us time, while improving the quality of our internal controls.
- Director, Systems & Services, Datacard Group
Business Challenge
As a privately held company, Datacard Group is not subject to the same legislative controls as a public company, but its management believes that the business needs to have processes and systems in place for control and compliance that are consistent with best practices within similar public organizations. The company has an annual external audit conducted by a leading global accountancy firm.
Datacard updated its homegrown enterprise resource planning (ERP) system in 2005, replacing it with the Oracle 11i E-Business Suite (v11.5.9). Oracle was chosen for all business functions with the exception of payroll/HR, where the existing PeopleSoft Enterprise system was retained. The company relied on a time-consuming system of manual checks to test business controls across its ERP environments, led by a team of internal auditors and business analysts. Control and compliance were typically addressed at year-end in preparation for the annual audit.
With the Oracle system fully in place, the external auditor performed an initial audit of the system as part of its fiscal year 2006 review. To perform the audit, the auditor used Approva’s BizRights product suite to obtain a comprehensive set of user access information directly from Datacard Group’s ERP systems. The auditor then used Approva to analyze the data and to identify and evaluate potential user access risks.
An initial assessment of the user access rights revealed numerous sensitive access and segregation of duties (SoD) issues in Datacard's ERP environments. This showed that Datacard needed to remediate the issues and to put in place a sustainable process for managing control and compliance across the organization on an ongoing basis.
Approva's Approach
Following the fiscal year 2006 audit, Datacard quickly concluded that the most effective way of resolving its control challenges would be to implement Approva’s continuous controls monitoring solution. “We felt that it was important to have the same controls monitoring solution that our external auditor uses when they perform their IT control reviews,” said Alla Johnson, Director, Systems & Services, Datacard Group. “With the Approva BizRights system, we can monitor all of our critical ERP environments for control, compliance, and fraud related issues. This saves us time, while improving the quality of our internal controls.”
Datacard implemented Approva’s BizRights Platform and Enterprise Controls Suite to automate the remediation process and the ongoing monitoring of business controls across its Oracle environments. The Approva products are used to monitor a range of control issues including user access, system settings and master records access, with any problems being highlighted for immediate action. System settings can be checked against best practices, and a record kept of the baseline settings. The company was able to replicate the same rules and controls that its external auditor relied on by using a library of pre-defined Oracle and PeopleSoft-specific control definitions and access rules which are built into the Approva products.
The system was quick to implement, and required only two initial days of training for the primary users. To eliminate the large number of user access violations initially identified, the internal auditor and business analysts involved managers from the main business unit to analyze and remediate the individual cases.
By using the data from the Approva system, the company was able to prioritize the critical violations, identify the root causes behind each control failure and remediate the violations.
Leveraging the Approva data, the main actions taken by the company to eliminate the violations included:
- redesigning the Oracle responsibilities – removing “super user” responsibilities, and creating separate responsibilities for individual functions across the 44 Oracle modules
- analyzing and controlling individual usage – ensuring access to specific functions has management approval, and installing end-dates for temporary requirements
- prioritizing major users – identifying individuals responsible for large numbers of violations for priority attention
Results
Following an intensive effort by the Datacard team, the fiscal year 2007 audit by the external auditor revealed a dramatic improvement in SoD performance. “Using Approva BizRights, and implementing some mitigating controls, we were able to reduce the number of critical SoD violations from thousands to zero within only a few months,” said Alla Johnson.
Implementing the Approva system has provided Datacard with more rigorous control and compliance processes, supported by clear, detailed documentation, resulting in reduced business risk and less opportunity for fraud. Some of the key benefits include:
- Automated testing and monitoring of controls
- Proactive alerting of potential problems
- Elimination of SoD violations
- Significant reduction in time and cost required for external audit
The Datacard team now has clear visibility of any control and compliance issues using the same rule sets applied by the external auditor. This allows the company to maintain an ongoing dialogue with the auditor throughout the year, based on a clear understanding of the SoD and compliance goals and their progress against them.