insiderPROFILES recently caught up with Steve Biskie, Managing Director of High Water Advisors — a privately held governance, risk, and compliance (GRC) and audit consulting firm headquartered in Denver, Colorado — to find out how he developed the experience to become a sought-after speaker, author, trainer, and consultant in the areas of governance, audit, and internal controls in the SAP space. Biskie, who has published numerous audit-related topics for SAP Professional Journal, written articles for SAP Experts, and has been invited to speak at the SAPinsider series of conferences for 10 consecutive years, shared his career path, discussed the evolution of the GRC landscape, and touched on how the SAP solution suite for GRC helps companies effectively manage risk.
Q: How did your expertise transition from auditing to GRC solutions in the SAP space?
In the mid-1990s, I was a relatively new auditor with a well-established consultancy firm, and one of my clients at the time was undergoing the largest SAP implementation in the world. The SAP system was still pretty new in the US, and I was part of the team tasked with figuring out how we could most effectively assess both the system and the integrity of the processes dependent on the SAP system. This was back during the ERP implementation craze, and I had the chance to work with other systems as well. It was only about 12 years ago that I started focusing almost exclusively on SAP software.
When the Sarbanes-Oxley (SOX) Act came out in 2002, organizations scrambled to become compliant. With my background in SAP solutions and the compliance program I was running at the time, there was no shortage of work. Soon other compliance initiatives started appearing in the US, and SAP’s response was to develop applications that dealt with these initiatives from an internal reporting compliance standpoint. This was the beginning for SAP in the GRC space. I then joined an influence council for a tool SAP was developing called Management of Internal Controls (MIC), which was the precursor to what is now SAP Process Control. That was an interesting and pivotal experience. Historically, from an audit-compliance viewpoint, the SAP system is like a big, black box with very little publicly available insight into risks and controls. I developed a true passion for digging deeper into the system and developing a better understanding of some of the configurable control options available, as well as the risks of which organizations using SAP solutions need to be aware.
Q: How did your experience lead to the decision to branch out and start your own GRC consulting firm based in Denver?
A lot of my career was being at the right place at the right time. The early SOX days coincided with my move to Denver to run a compliance project. Then, in 2003, I was asked to keynote the first Sarbanes-Oxley Compliance for Customers of SAP Software conference, which was run by SAPinsider. It was a precursor to the SAPinsider GRC event, which I have continued to speak at in subsequent years. In turn, I ended up writing a book called Surviving an SAP Audit (published in 2010), which led to me being approached to consult and also to train employees on SAP audits and systems. People began to view me as someone who seemed to know what he was talking about!
I was fortunate because the company I was working for full time was fine with my moonlighting as long as it didn’t affect my job. That’s why I enjoyed training in Europe, because I could work a full day in the US after European hours. But what ultimately happened is that the combination of events and speaking engagements, writing the book, and starting to train people on auditing SAP systems brought me to the point where I couldn’t moonlight anymore. So I had a big decision to make. As much as I’ve always wanted to start my own company and be entrepreneurial, at the end of the day, I’m an auditor and pretty risk-averse. When my business partner Scott Delbeck and I started High Water Advisors three years ago, it was just the two of us — and even as a small company, we were hired by some pretty sizable and recognizable organizations. The market need clearly existed, and there wasn’t a lot of experience out there in our specialty of audit-compliance GRC in the SAP space. It was also a fortuitous time because it coincided with SAP enhancing SAP Process Control and beginning to think about fraud and audit management as well. We were able to pick up some work with SAP to provide advice and thought leadership, and shed some light on what auditors are looking for.
Q: What are some new threats or compliance mandates that companies need to be aware of and prepare for?
One thing we’ve certainly seen over the last decade is that compliance requirements, the number of regulations, and the fines for these regulations have escalated exponentially. To some extent, we might say the pendulum has shifted from one extreme to another; we were a little bit Wild West early on, and now there is so much regulation that it requires a significant amount of internal effort to deal with and manage it all — it places a bit of a burden on the business. These are not necessarily direct value-added activities that affect the bottom line, other than preventing fines or mitigating negative public perceptions in the market if an issue becomes public.
While the risk landscape has changed a great deal, we see some of the same controls issues — namely, organizations that have the tools but perhaps aren’t using them as they should, or that maybe don’t know about certain functionalities. In today’s environment, adding to the increasing regulations and compliance issues is a concern about cyber security, and organizations rightly want to know if their solutions are up to the task — whether that is SAP or any other vendor. In SAP software, a lot of risks have been identified where notes and patches have been released, but many of these relate to how the SAP NetWeaver layer, SAP Gateway, or SAP router is set up. These are things that are not usually considered in a rapid implementation. This methodology has taken root and, at times, puts a premium on speed over thoroughness; if you’re not careful, some items might be missed. Generally, a lot of these rapid implementations go with default settings, and while SAP provides the tools you need to protect yourself on the cyber security side, you have to conscientiously use those tools.
Q: How have GRC solutions evolved in response to the changing risk and compliance landscape?
During the first half of my career, when I was working on SAP audits and implementations, the SAP solutions for GRC didn’t yet exist. The closest thing that SAP had to an audit- and compliance-related application was Audit Information System (AIS), a basic tool that has been part of the SAP system for several decades and was designed to help external audit firms get reports out of the system.
It’s a bit of an understatement to say the suite has matured. With SAP Process Control, SAP Access Control, and the newer applications SAP Fraud Management and SAP Audit Management, SAP has certainly come a long way in developing a comprehensive GRC platform. SAP Process Control helps consolidate and centralize compliance processes so you don’t have to reinvent the wheel every time multiple auditors come in, which can happen a lot. And particularly over the last five years, SAP has successfully started to integrate what had been mostly a series of independent tools into a common platform, so you don’t have to re-create information that may be similar in each of the different tools in the suite. SAP has also continued to innovate in the GRC space, particularly with SAP Fraud Management and SAP Audit Management. I work a lot in fraud detection, and the big challenge is that, in many cases, your objective is to just stop the bleeding and minimize your sunk costs. With SAP Fraud Management, and particularly having it built on SAP HANA, we can detect fraud a lot quicker and stop funds from walking out the door much earlier in the process. And SAP Audit Management is developed specifically for internal auditors. I had the opportunity to work with SAP a bit on the design and roadmap for the application, and it’s exciting to see what it has done. Rather than just trying to improve the AIS tool, SAP started from scratch with SAP Audit Management, which allowed it to get into mobile technologies more easily.
Q: How do you think GRC processes will evolve in response to this new technology?
SAP is now such a data-rich environment that, to a large extent, we can move away from the traditional approach of proving things are working by mining samples of data. With all SAP data now sitting in tables somewhere, you can get a lot more sophisticated in your logic and move to a much more real-time monitoring environment. Duplicate payment is a great example. Historically, duplicate payments were only detected after you made the payment; the chief objective was to minimize this as much as possible, but you knew the timeframe was limited. We still might not be able to stop the duplicate payment from being entered, but stopping the duplicate payment before the invoice is entered becomes irrelevant when you can stop the payment before it’s ever made. With SAP HANA and other new technologies that are out there, you have the ability to be more proactive.
One of the organizations I worked with discovered a billing issue during an audit that had been going on for years. When you think of the cost to your business of having a problem that persists until it’s corrected, you understand how important it is to speed up the detection processes. This helps prevent the snowball effect, which can lead to a negative impact on the business. Having the real-time capability to identify an issue closer to the point of origin will save organizations immensely from “after-the-fact” efforts to clean up and resolve the issue. The challenge for many organizations as it pertains to GRC is establishing a business case because it can be hard to see the value when it’s not directly tied to revenue. Companies are tasked with optimizing compliance procedures to manage risk and avoid potential problems, but at the same time not detract from core business opportunities.
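The proactive duplicate-payment screen Biskie describes above, as an added example that is not from the interview or from any SAP product: a check run over constructed accounts-payable records before the payment run, holding an unpaid invoice when it matches an earlier document of the same vendor by normalised reference or by identical amount inside a date window. The `Invoice` fields, the 90-day window and the sample data are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Invoice:
    doc_id: str      # FI document number (constructed, not real data)
    vendor: str
    reference: str   # vendor invoice number as keyed in by the AP clerk
    amount: float
    inv_date: date
    paid: bool       # True once a payment run has cleared the item

def normalize_ref(ref: str) -> str:
    """Canonicalise a keyed reference so 'INV-0042' and 'inv 42' compare equal."""
    parts = re.findall(r"[A-Z]+|\d+", ref.upper())
    return "".join((p.lstrip("0") or "0") if p.isdigit() else p for p in parts)

def find_duplicate_candidates(invoices, window_days=90):
    """Screen each unpaid invoice against earlier documents of the same vendor.

    Returns (unpaid_doc_id, earlier_doc_id, reason) tuples; every item returned
    is held back from the next payment run until someone reviews it.
    """
    ordered = sorted(invoices, key=lambda i: (i.inv_date, i.doc_id))
    hits = []
    for idx, cand in enumerate(ordered):
        if cand.paid:
            continue
        for earlier in ordered[:idx]:
            if earlier.vendor != cand.vendor:
                continue
            if normalize_ref(earlier.reference) == normalize_ref(cand.reference):
                hits.append((cand.doc_id, earlier.doc_id, "same vendor reference"))
            elif (abs(earlier.amount - cand.amount) < 0.005
                  and (cand.inv_date - earlier.inv_date).days <= window_days):
                hits.append((cand.doc_id, earlier.doc_id, "same amount within window"))
    return hits

# Constructed sample AP data; the third V200 item falls outside the window.
SAMPLE = [
    Invoice("5100001", "V100", "INV-0042", 1250.00, date(2024, 3, 1), paid=True),
    Invoice("5100007", "V100", "inv 42",   1250.00, date(2024, 3, 15), paid=False),
    Invoice("5100002", "V200", "A1",        980.00, date(2024, 1, 10), paid=True),
    Invoice("5100005", "V200", "A2",        980.00, date(2024, 2, 5),  paid=False),
    Invoice("5100009", "V200", "A3",        980.00, date(2024, 6, 20), paid=False),
    Invoice("5100010", "V300", "B7",        500.00, date(2024, 6, 21), paid=False),
]

if __name__ == "__main__":
    for new_doc, old_doc, why in find_duplicate_candidates(SAMPLE):
        print(f"hold {new_doc}: matches {old_doc} ({why})")
```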
Q: What major changes will new technologies bring to the GRC environment that auditors and specialists must keep up with?
I teach a couple of classes about SAP technology and security to the people who are responsible for making sure that SAP software and processes are working the way they should. The majority of these attendees are either internal auditors or those who serve a compliance function in their organization. One thing I find interesting is the maturity level across everyone in the business in terms of their experience with IT. There is definitely a much deeper understanding and comfort with technology.
In the GRC space, what set SAP apart very early on was developing the GRC suite on the SAP ERP platform side and making the tools highly customizable for the end user. While it certainly wasn’t the first company to do this, SAP took it to the extreme at a time when most other systems required programming changes. That’s not to say there is no programming involved with SAP software, but the majority of the application setup is filling out forms and checkboxes. This customizable setup approach was a new concept because people had previously been under the impression that implementing out-of-the-box SAP standard functionality meant everyone would use it the same way. I see a lot more understanding and acceptance of this concept now, and users expect that they can make an application look the way they want without having to go through IT.
The much bigger change is the sheer size of the systems that my students encounter. In the mainframe days, it was prohibitively expensive to keep a full year’s worth of data online in an SAP system. Many companies would archive the previous quarter to tape every three months, and auditors would go to the tapes to conduct annual audits. Now space and computer power are much less expensive, and technologies like SAP HANA are uncovering the potential for things that truly were impossible back in the day, such as mining through all of your business transactions since the beginning of time to look for patterns of activities and beginning to identify where issues originate. This is what keeps things interesting; new technologies such as mobile, cloud, and SAP HANA have made GRC a constantly moving space. Whether it’s new technologies, regulations, or compliance issues, there’s always something new that we need to stay on top of to make sure our organizations can effectively manage those risks. SAP has definitely moved in a new and different direction to keep pace. Had it stayed still, I might be at the point where I knew all the risks and controls, and with my curiosity satisfied, moved on to something else. Luckily, we aren’t there, because to me, this is still exciting.