CFO Perspective: How to Manage Controls Across Multiple Systems
Pathlock
July 28, 2016
by Mark Kissman, CFO, Pathlock Technologies
Your business systems deal with critical transactions and data that govern everything from inventory, manufacturing, sales, and human resources to finance, supply chain, and more. That’s why it’s essential for enterprises to have ironclad controls to monitor user access to those systems, ensure transactional integrity, detect fraud and waste, strengthen regulatory compliance, and improve operational performance. But as CFOs, we’ve become all too familiar with trying to enforce controls at the application level despite the fact that our applications, databases and systems are often decentralized and disjointed.
Managing access within a single application can be challenging enough. Imagine the scale and complexity across dozens of enterprise applications with thousands of users and multiple business processes. In addition, user access rights change constantly because of new responsibilities, transfers to other departments and divisions, and new business applications.
It’s critical that we address this challenge quickly. A study by ACFE found that “a lack of internal controls, such as segregation of duties, was cited as the biggest deficiency” in control weaknesses that can lead to fraud. In its “Access Governance Trends Survey,” Ponemon Institute LLC found that 57% of organizations surveyed lack the confidence to know whether their user access practices are compliant because they don’t have enterprise-wide visibility of that user access.
So how do we meet the challenge? The first step is to abstract the system-level complexity and aggregate it across systems to rationalize and reconcile each user’s entire set of access privileges. The best way to achieve this is through a business-process lens – not an application-specific lens that we’re accustomed to using.
A business-oriented lens recognizes that the controls enterprises use are process-specific and often span multiple applications and systems, each with its own access-control model and protocols. For example, specific controls must be applied over the order-to-cash, plan-to-inventory, procure-to-pay, hire-to-retire, and other processes – such as monitoring for segregation-of-duties (SoD) conflicts. That means controls are needed that span both the ERP and procurement systems, because POs might be issued from the procurement system, such as Ariba, while payment is released from the ERP system.
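The procure-to-pay case above, as an added illustration that is not part of the original article: entitlements are pulled from two systems (the names "ariba", "erp", the users and the privilege labels are constructed sample data), aggregated per user, and evaluated against process-level SoD rules. The same rules evaluated one system at a time miss the user whose PO-creation right and payment-approval right live in different systems.

```python
from collections import defaultdict

# Constructed sample entitlements, one record per (system, user, privilege).
# System names, users and privilege labels are assumed, not from the article.
ENTITLEMENTS = [
    ("ariba", "alice", "create_po"),
    ("erp",   "alice", "approve_payment"),
    ("ariba", "bob",   "create_po"),
    ("erp",   "bob",   "view_invoice"),
    ("erp",   "carol", "create_vendor"),
    ("erp",   "carol", "approve_payment"),
]

# Process-level SoD rules: (left set, right set) of "system:privilege" labels
# that one person must not hold together, whichever system grants each one.
SOD_RULES = {
    "procure_to_pay": [
        ({"ariba:create_po", "erp:create_po"}, {"erp:approve_payment"}),
        ({"erp:create_vendor"}, {"erp:approve_payment"}),
    ],
}

def aggregate_access(entitlements):
    """Collapse per-system grants into one privilege set per user."""
    access = defaultdict(set)
    for system, user, privilege in entitlements:
        access[user].add(f"{system}:{privilege}")
    return dict(access)

def find_sod_conflicts(access, rules):
    """Return (user, process, left_priv, right_priv) for each violated rule."""
    conflicts = []
    for user, privs in sorted(access.items()):
        for process, pairs in rules.items():
            for left, right in pairs:
                for l in sorted(privs & left):
                    for r in sorted(privs & right):
                        conflicts.append((user, process, l, r))
    return conflicts

def per_system_conflicts(entitlements, rules):
    """Application-specific lens: evaluate each system in isolation."""
    by_system = defaultdict(list)
    for system, user, privilege in entitlements:
        by_system[system].append((system, user, privilege))
    conflicts = []
    for rows in by_system.values():
        conflicts += find_sod_conflicts(aggregate_access(rows), rules)
    return conflicts
```

Running `find_sod_conflicts(aggregate_access(ENTITLEMENTS), SOD_RULES)` reports both alice and carol, whereas `per_system_conflicts(ENTITLEMENTS, SOD_RULES)` reports only carol, because alice's two privileges never appear in the same system's export.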
Ultimately, since the business owners control the applications and are responsible for who uses the different systems, they must also have both the ability and the responsibility to control that access. It is no longer just an IT issue to solve.
To learn how Heineken is simplifying access governance across their systems, click here.