
CFO Perspective: How to Manage Controls Across Multiple Systems

Pathlock
July 28, 2016


by Mark Kissman, CFO, Pathlock Technologies

Your business systems deal with critical transactions and data that govern everything from inventory, manufacturing, sales, and human resources to finance, supply chain, and more. That’s why it’s essential for enterprises to have ironclad controls to monitor user access to those systems, ensure transactional integrity, detect fraud and waste, strengthen regulatory compliance, and improve operational performance.

But as CFOs, we’ve become all too familiar with trying to enforce controls at the application level despite the fact that our applications, databases and systems are often decentralized and disjointed. Managing access within a single application can be challenging enough. Imagine the scale and complexity across dozens of enterprise applications with thousands of users and multiple business processes. In addition, user access rights constantly change due to new responsibilities, transfers to other departments and divisions, and new business applications.

It’s critical that we address this challenge quickly. A study by ACFE found that “a lack of internal controls, such as segregation of duties, was cited as the biggest deficiency” in control weaknesses that can lead to fraud. In its “Access Governance Trends Survey,” Ponemon Institute LLC found that 57% of organizations surveyed lack the confidence to know whether their user access practices are compliant because they don’t have enterprise-wide visibility of that user access.

So how do we meet the challenge? The first step is to abstract the system-level complexity and aggregate it across systems to rationalize and reconcile each user’s entire set of access privileges. The best way to achieve this is through a business-process lens – not the application-specific lens that we’re accustomed to using.

A business-oriented lens recognizes that the controls enterprises use are process-specific and can often span multiple applications and systems, each with its own access-control model and protocols. For example, there are specific controls that must be applied over the order-to-cash, plan-to-inventory, procure-to-pay, hire-to-retire, and other processes – such as monitoring for segregation-of-duties (SoD) conflicts. That means controls are needed that span both the ERP and procurement systems, because POs might be issued from the procurement system, such as Ariba, but payment comes from the ERP system. A review that looks at either system on its own will never see a user who can approve a purchase order in one system and release the payment for it in the other.

Ultimately, since the business owners control the applications and are responsible for who uses different systems, they must also have the ability and responsibility for controlling that access. It’s no longer just an IT issue to solve. To learn how Heineken is simplifying access governance across their systems, click here.
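The procure-to-pay case above (PO issued from a procurement tool, payment released from the ERP) is the kind of conflict that only shows up once access is aggregated per person across systems. The following is an added illustration, not Pathlock's product or code: it reconciles system-local account IDs to one identity, translates each system's technical roles into business-process capabilities, and then evaluates process-level SoD rules over the combined set. All system names, role names, accounts, identity mappings, and rule IDs are constructed for the example.

```python
"""Cross-system segregation-of-duties (SoD) check through a business-process lens.

Constructed example: two systems, an ERP and a procurement tool, each with its
own role model. Technical roles are mapped to business-process capabilities,
aggregated per person across systems, and checked against process-level SoD
rules. Every name, role, account and rule below is invented for illustration.
"""
from collections import defaultdict

# Constructed: how each system identifies a person, reconciled to one identity.
# Without this step a person split across systems never appears whole in any review.
IDENTITY_MAP = {
    ("erp", "JDOE"): "jane.doe",
    ("erp", "BSMITH"): "bob.smith",
    ("procure", "jdoe@example.com"): "jane.doe",
    ("procure", "asingh@example.com"): "amit.singh",
}

# Constructed: role assignments as exported from each system.
SYSTEM_ROLES = {
    "erp": {"JDOE": {"AP_CLERK"}, "BSMITH": {"AP_CLERK", "VENDOR_MASTER"}},
    "procure": {
        "jdoe@example.com": {"Requester", "PO_Approver"},
        "asingh@example.com": {"Requester"},
    },
}

# Constructed: technical role -> capabilities in the procure-to-pay process.
ROLE_CAPABILITIES = {
    ("erp", "AP_CLERK"): {"approve_vendor_payment"},
    ("erp", "VENDOR_MASTER"): {"maintain_vendor_master"},
    ("procure", "Requester"): {"create_purchase_order"},
    ("procure", "PO_Approver"): {"approve_purchase_order"},
}

# Constructed: SoD rules expressed in process terms, independent of any one application.
SOD_RULES = [
    ("P2P-01", "approve_purchase_order", "approve_vendor_payment"),
    ("P2P-02", "maintain_vendor_master", "approve_vendor_payment"),
    ("P2P-03", "create_purchase_order", "approve_purchase_order"),
]


def aggregate_capabilities(system_roles, identity_map, role_capabilities):
    """Return {person: {capability: {(system, role), ...}}} across all systems."""
    caps = defaultdict(lambda: defaultdict(set))
    for system, assignments in system_roles.items():
        for local_id, roles in assignments.items():
            person = identity_map.get((system, local_id))
            if person is None:
                # Unreconciled account: keep it visible as its own principal rather than drop it.
                person = f"UNMAPPED:{system}:{local_id}"
            for role in roles:
                for cap in role_capabilities.get((system, role), set()):
                    caps[person][cap].add((system, role))
    return caps


def find_sod_conflicts(caps, rules):
    """Return [(person, rule_id, evidence)] where evidence lists the (system, role)
    pairs granting both sides of the rule. Output is sorted by person, then rule order."""
    conflicts = []
    for person, person_caps in sorted(caps.items()):
        for rule_id, cap_a, cap_b in rules:
            if cap_a in person_caps and cap_b in person_caps:
                evidence = sorted(person_caps[cap_a] | person_caps[cap_b])
                conflicts.append((person, rule_id, evidence))
    return conflicts


def is_cross_system(evidence):
    """True when the conflicting roles live in more than one system, i.e. a
    per-application review could not have detected the conflict."""
    return len({system for system, _ in evidence}) > 1


if __name__ == "__main__":
    caps = aggregate_capabilities(SYSTEM_ROLES, IDENTITY_MAP, ROLE_CAPABILITIES)
    for person, rule_id, evidence in find_sod_conflicts(caps, SOD_RULES):
        scope = "cross-system" if is_cross_system(evidence) else "single-system"
        print(f"{person}: {rule_id} ({scope}) via {evidence}")
```

Running it, jane.doe is clean inside the ERP (payment approval only) and only trips a within-tool rule in procurement, but the aggregated view flags P2P-01 as a cross-system conflict: she can approve a PO in the procurement tool and release the vendor payment in the ERP. That is the finding a business-process owner needs to see, and it is invisible to either application's own access review.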