Ventana Scorecard: Amping Up GRC
November 19, 2009

In the wake of the passage of the Sarbanes-Oxley Act (SOX) in 2002, software companies ramped up their efforts to market a range of tools and systems that quickly came to be grouped under the "governance, risk, and compliance" (GRC) label. The SOX requirements are the reason why many companies have purchased software to ensure that separation-of-duties structures are not breached and to manage their IT systems' security more effectively.
Unfortunately, the term "GRC" is a bit artificial, as most often the various tools designed to address governance, risk, or compliance are purchased separately by different people in different departments and often for separate business units within a given corporation. It is true that in some corporations that are heavily regulated -- such as financial services, pharmaceuticals, and airlines -- managing governance, risk, and compliance is strategic, so the software and systems to support these efforts command greater attention. Nonetheless, many (if not most) corporations approach risk and compliance management software in a tactical fashion -- with little coordination and no regard for the broader business and technology issues at work.
Comprehensive GRC software doesn't exist today. Should it? Ventana Research thinks that the answer is yes, but it's not clear how fast this evolution will take place. That it will occur, though, is a certainty, enabled by the emerging ability to automate more finance department governance and handle risk on a cross-functional basis and driven by the long-standing need to do so.
Thanks to the demands of SOX, more effective finance department governance using software has become increasingly feasible. Compliance with Sarbanes-Oxley Section 404 initially seemed so challenging because of early confusion about how broadly to address the specific demands of the act to prevent fraud in external financial statements. This confusion, and a lack of clear guidance on responding to SOX, sent companies on a paper chase to document all of their financial processes and analyze them for vulnerability to fraud or misstatements, regardless of their relevance or potential to harm external investors.
This largely ended with the issuance of PCAOB Auditing Standard No. 5 in 2007, which allowed a top-down, risk-based scoping of controls. Nonetheless, even though companies are no longer compelled to monitor and control every nook and cranny of their processes and systems, they have opened the Pandora's box of financial governance, and many have realized that there likely are areas where more effective controls can yield a positive ROI.
Today, companies can use software to monitor end-to-end processes such as procure-to-pay and order-to-cash to automatically spot duplicate invoices from vendors, invalid purchase orders, shipments made without orders or invoices, or inaccurate commissions. Tools exist to spot duplicate merchant charges on purchase cards, or purchases that were split into several smaller charges to stay under a card's single-transaction threshold, and Finance can automatically be notified if the company's payroll records show errors or indications of benefit irregularities.
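To make that kind of transaction monitoring concrete, here is an added example written for this page (not code from Ventana Research or from any GRC vendor). It loads a small constructed accounts-payable and purchase-card ledger into an in-memory SQLite database and runs three of the checks the paragraph names: duplicate vendor invoices (same vendor with a matching invoice number after normalization, or the same amount within a date window), duplicate merchant charges, and split purchases that individually stay under a single-transaction limit but together exceed it. The table layout, the $2,500 limit and the 30-day and 1-day windows are assumptions for the illustration; the sample rows are constructed and the planted anomalies are marked in comments.

```python
import sqlite3
from datetime import date
from itertools import groupby

# Constructed sample data, not from any real ledger. A few accounts-payable
# invoices and purchase-card transactions with planted anomalies.
INVOICES = [
    # (id, vendor, invoice_no, amount, invoice_date)
    (1, "Acme Supply", "INV-1001", 4200.00, "2009-09-01"),
    (2, "Acme Supply", "inv1001",  4200.00, "2009-09-15"),  # re-keyed copy of invoice 1
    (3, "Acme Supply", "INV-1002", 1750.00, "2009-09-20"),
    (4, "Globex",      "G-77",      980.00, "2009-10-02"),
    (5, "Globex",      "G-78",      980.00, "2009-10-05"),  # same vendor/amount, 3 days later
    (6, "Globex",      "G-79",      980.00, "2010-01-20"),  # same amount, outside the window
]
CARD_TXNS = [
    # (id, cardholder, merchant, amount, txn_date)
    (1, "jdoe",   "Office Depot", 1800.00, "2009-10-01"),
    (2, "jdoe",   "Office Depot", 1900.00, "2009-10-01"),  # 1+2+3 sum to 5400 > assumed 2500 limit
    (3, "jdoe",   "Office Depot", 1700.00, "2009-10-02"),
    (4, "asmith", "Dell",          640.00, "2009-10-03"),
    (5, "asmith", "Dell",          640.00, "2009-10-03"),  # exact duplicate of txn 4
    (6, "bwu",    "Staples",       300.00, "2009-10-04"),
]


def normalize_invoice_no(s):
    """Fold case and punctuation so 'INV-1001' and 'inv1001' compare equal."""
    return "".join(ch for ch in s.upper() if ch.isalnum())


def open_db():
    """In-memory SQLite database loaded with the constructed sample rows (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("norm_inv", 1, normalize_invoice_no)
    conn.executescript("""
        CREATE TABLE invoices(id INTEGER, vendor TEXT, invoice_no TEXT,
                              amount REAL, invoice_date TEXT);
        CREATE TABLE card_txns(id INTEGER, cardholder TEXT, merchant TEXT,
                               amount REAL, txn_date TEXT);
    """)
    conn.executemany("INSERT INTO invoices VALUES (?,?,?,?,?)", INVOICES)
    conn.executemany("INSERT INTO card_txns VALUES (?,?,?,?,?)", CARD_TXNS)
    return conn


def find_duplicate_invoices(conn, window_days=30):
    """Pairs of invoices from one vendor that share a normalized invoice number,
    or carry the same amount within window_days of each other."""
    sql = """
        SELECT a.id, b.id, a.vendor, a.amount,
               CASE WHEN norm_inv(a.invoice_no) = norm_inv(b.invoice_no)
                    THEN 'same invoice number'
                    ELSE 'same amount within window' END AS reason
        FROM invoices a JOIN invoices b ON a.vendor = b.vendor AND a.id < b.id
        WHERE norm_inv(a.invoice_no) = norm_inv(b.invoice_no)
           OR (abs(a.amount - b.amount) < 0.005
               AND abs(julianday(a.invoice_date) - julianday(b.invoice_date)) <= ?)
        ORDER BY a.id, b.id
    """
    return conn.execute(sql, (window_days,)).fetchall()


def find_duplicate_charges(conn):
    """Purchase-card charges repeated for the same holder, merchant, amount and day."""
    sql = """
        SELECT cardholder, merchant, amount, txn_date, group_concat(id) AS ids
        FROM card_txns
        GROUP BY cardholder, merchant, amount, txn_date
        HAVING COUNT(*) > 1
    """
    return conn.execute(sql).fetchall()


def find_split_purchases(conn, limit, window_days=1):
    """Clusters of charges by one cardholder at one merchant within window_days
    where every charge is under the single-transaction limit but their sum is not."""
    rows = conn.execute(
        "SELECT cardholder, merchant, id, amount, txn_date FROM card_txns "
        "ORDER BY cardholder, merchant, txn_date, id").fetchall()
    hits = []
    for (holder, merchant), group in groupby(rows, key=lambda r: (r[0], r[1])):
        cluster, start = [], None
        # A trailing sentinel row flushes the last cluster of each group.
        for _, _, txn_id, amount, txn_date in list(group) + [(None,) * 5]:
            d = date.fromisoformat(txn_date) if txn_date else None
            if cluster and (d is None or (d - start).days > window_days):
                total = sum(a for _, a in cluster)
                if len(cluster) > 1 and max(a for _, a in cluster) < limit < total:
                    hits.append((holder, merchant, [i for i, _ in cluster], round(total, 2)))
                cluster = []
            if d is not None:
                if not cluster:
                    start = d
                cluster.append((txn_id, amount))
    return hits


if __name__ == "__main__":
    db = open_db()
    for r in find_duplicate_invoices(db):
        print("duplicate invoice?", r)
    for r in find_duplicate_charges(db):
        print("duplicate charge?", r)
    for r in find_split_purchases(db, limit=2500.00):
        print("split purchase?", r)
```

The rules are deliberately loose on purpose: same vendor and amount within a month is a signal to route to a reviewer, not proof of a duplicate payment, and a split-purchase window that is too short misses charges spread over a few days while one that is too long floods Finance with legitimate repeat buying. Tuning those windows against the false-positive rate is most of the work in a real continuous-monitoring deployment.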