Compliance, risk, and finance executives entered the New Year with Dodd-Frank on the brain. This focus could create some blind spots when it comes to ongoing compliance activities. I caught up with SymSoft CEO Dan Wilhelms to get a read on current Sarbanes-Oxley compliance challenges. Wilhelms explained that while many of the big SOX fires have been extinguished, “smoldering” issues still exist, particularly in the realm where finance and IT meet.
Eric Krell: Sarbanes-Oxley compliance issues largely seem as if they are behind us -- particularly at large companies. However, you've suggested that some trouble spots still exist, particularly regarding compliance issues within the IT realm. What are some of these smoldering compliance issues that you and your partners see in the field right now?
Dan Wilhelms: I see five issues as the most pressing and potentially dangerous. Three of the five have to do with access: providing excessive access, generally; providing access to sensitive data, in particular; and being careless in providing access in an emergency.
Access is usually assigned by the help desk, and in the heat of battle, with many pressing issues, they may not be as careful about assigning or double-checking authorizations as they should be. On the other side of that, users don't necessarily need access to a broad variety of data to pose a risk; they just need access to particular data. Who can view HR salary and benefits information? Again, this is nothing that is likely to show up on a Segregation of Duties (SoD) report, yet it's a very real risk. And, in large ERP environments, there's always the chance that emergency maintenance of production systems will need to be performed. Such emergency maintenance is often by outside parties (e.g., the software vendor or third-party consultants). The problem is that these emergency all-access passes aren't always tracked very well. Everyone is so fixed on putting out the fire – for example, unlocking a sales order that has frozen the entire system – that they never think about documenting what transactions were performed or what data was changed. The risk is increased by the widespread use of generic “firefighter” user IDs whereby the individual performing the actions isn't definitively known.
As for the other two risks? Poor SOD in itself is a big problem. Some organizations are not familiar with what it is and its purpose. You don't want one person to be able to create a vendor in your SAP system and then initiate payment of that same vendor; you're just asking people to steal from you. It's the same problem with financial transactions in an enterprise. And finally, there is the possibility of malicious programs being introduced into production systems. The modern reality is that ERP systems are rarely steady-state. Often enterprises have multiple initiatives going on that introduce new data, configuration, and programs into the production systems. With lean staffing and urgent deadlines, often changes are not properly tested or audited. In other words, they don't use proper change management. A developer who has the means and the motive to do it and knows whether he/she can get away with it can wreak all kinds of havoc by including malicious code along with legitimate code when new applications are moved into production.
Eric Krell: Is there a common thread among these trouble spots that continue to require attention?
Dan Wilhelms: Yes: It is the same old problem of not having enough time, resources, or people. For the past few years, IT and compliance managers have been like emergency first-responder firefighters. They've been putting out the big compliance fires sparked by the original Sarbanes-Oxley legislation. They've done a pretty good job, too. But then you have the smoldering issues that I mentioned above. These are the hidden fires that can still create a back-draft that will burn your organization if you're not careful.
C-level executives find themselves between a rock and a hard place regarding controlling costs and satisfying these hidden compliance demands. At the same time, external auditors are getting more sophisticated in their investigations of compliance – delving deeper into organizations' controls. Companies remain strapped with trying to do more with fewer resources. Increasing scrutiny, coupled with less budget – and, in general, less liquidity for devoting dollars to compliance – makes it hard to stay on top of the smaller, smoldering flash points.
Eric Krell: Among the companies that you've seen address these issues most effectively, what are some of the most successful processes, people-related practices, and technology that help to strengthen Sarbanes-Oxley compliance capabilities and eliminate these trouble spots?
Dan Wilhelms: Without time, resources, and people, you have to find ways to automate compliance. The best way to address it is by installing governance, risk, and compliance (GRC) software that makes managing security and authorization easier. The software should also provide you with tools that help you measure and monitor actual system usage so that you can see whether the things users are doing and the places they're going within the system are appropriate to their job requirements. Having automated systems in place is particularly important in smaller enterprises that usually do not have the resources for a lot of manual inspection.
Such automation will allow you to control access to sensitive data and to exercise more care when assigning authorizations. It is also important for GRC software to have value-added tools that handle change management duties, those that need to be segregated and managed throughout the entire process and are able to analyze user access against the enterprise's SOD rulebook and flag any conflicting functions. An ongoing analysis will point out any areas of risk so that they can be remediated and keep you informed should the situation change. It is critical to have these kinds of tools that allow you to track what everyone is doing while they're in the system -- not just for the day-to-day operation of the business, but for the auditors as well.
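The kind of automated check Wilhelms describes, an SoD rulebook run against user access plus a review of emergency "firefighter" sessions, can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not SymSoft's software or any SAP GRC API. The rulebook entries, role-to-function mapping, user assignments and firefighter log are all constructed sample data, and the function and role names are invented for the example. It goes slightly beyond the interview by also deriving, from the same rulebook, which pairs of roles a help desk should never grant together, so the conflict can be caught at assignment time rather than on a later report.

```python
"""Added example: a minimal segregation-of-duties (SoD) and firefighter-session
checker. Not SymSoft's or SAP's code; every name and record below is constructed."""
from collections import defaultdict
from itertools import combinations

# Constructed rulebook: pairs of business functions that one person must not
# hold together, with the reason that will appear on the report.
SOD_RULEBOOK = [
    ({"CREATE_VENDOR", "PAY_VENDOR"}, "can create a vendor and pay that vendor"),
    ({"CREATE_PO", "APPROVE_PO"}, "can raise and approve a purchase order"),
    ({"MAINTAIN_HR_MASTER", "RUN_PAYROLL"}, "can edit HR master data and run payroll"),
]

# Constructed role -> functions map (an ERP role bundles several functions).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"PAY_VENDOR"},
    "VENDOR_MASTER": {"CREATE_VENDOR"},
    "BUYER": {"CREATE_PO"},
    "PURCHASING_MGR": {"APPROVE_PO"},
    "HR_ADMIN": {"MAINTAIN_HR_MASTER"},
    "PAYROLL": {"RUN_PAYROLL"},
    # Generic emergency ID: broad access by design, which is exactly why its use
    # must be tied to a named person and a ticket.
    "FIREFIGHTER": {"CREATE_VENDOR", "PAY_VENDOR", "CREATE_PO", "APPROVE_PO"},
}

# Constructed user -> roles assignments, as a help desk might have left them.
USER_ROLES = {
    "alice": {"AP_CLERK", "VENDOR_MASTER"},   # conflict: creates and pays vendors
    "bob": {"BUYER"},                          # clean
    "carol": {"HR_ADMIN", "PAYROLL"},          # conflict: HR master + payroll
}

# Constructed firefighter session log. 'owner' is the named person using the
# generic ID; 'ticket' is the change/incident record justifying the session.
FIREFIGHTER_LOG = [
    {"session": 1, "ff_id": "FF_BASIS01", "owner": "jdoe", "ticket": "INC-1001", "changes": 3},
    {"session": 2, "ff_id": "FF_BASIS01", "owner": None, "ticket": "INC-1002", "changes": 1},
    {"session": 3, "ff_id": "FF_BASIS02", "owner": "consultant", "ticket": None, "changes": 12},
]


def effective_functions(roles):
    """Union of all functions granted by a set of roles."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def sod_conflicts(user_roles):
    """Return {user: [reason, ...]} for every user whose combined access
    violates at least one rulebook entry. Users with no conflict are omitted."""
    findings = defaultdict(list)
    for user, roles in user_roles.items():
        funcs = effective_functions(roles)
        for pair, reason in SOD_RULEBOOK:
            if pair <= funcs:          # both sides of the conflict are held
                findings[user].append(reason)
    return dict(findings)


def conflicting_role_pairs():
    """Derive, from the rulebook, which pairs of roles must never be assigned
    together. A help desk can consult this before granting a second role."""
    pairs = set()
    for r1, r2 in combinations(sorted(ROLE_FUNCTIONS), 2):
        funcs = ROLE_FUNCTIONS[r1] | ROLE_FUNCTIONS[r2]
        if any(pair <= funcs for pair, _ in SOD_RULEBOOK):
            pairs.add((r1, r2))
    return pairs


def unattributed_firefighter_sessions(log):
    """Session numbers of emergency sessions that cannot be tied to a named
    person or that have no ticket; these are the ones an auditor will ask about."""
    return [s["session"] for s in log if not s.get("owner") or not s.get("ticket")]


if __name__ == "__main__":
    for user, reasons in sod_conflicts(USER_ROLES).items():
        print(f"SoD conflict: {user} {'; '.join(reasons)}")
    print("Role pairs never to grant together:", sorted(conflicting_role_pairs()))
    print("Firefighter sessions needing follow-up:",
          unattributed_firefighter_sessions(FIREFIGHTER_LOG))
```

Running it flags alice and carol, lists role pairs such as AP_CLERK with VENDOR_MASTER and BUYER with PURCHASING_MGR, and marks firefighter sessions 2 and 3 for follow-up. A real GRC deployment would read roles and logs from the ERP rather than constants, but the shape of the check is the same: the rulebook expresses the business policy once, and the same rulebook drives both the periodic report and the assignment-time guard.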