In this second of a two-part video with ERP Maestro Founder and CEO Jody Paterson during the SAPinsider GRC 2015 event in Las Vegas, Paterson discusses the risks associated with manual access controls. Topics of this discussion include:
- How manual controls introduce multiple points of failure and an increase in exposure to fraud
- Increased scrutiny on GRC tools and whether they're ensuring completeness and accuracy as mandated by certain compliance measures
- Some of the risks of non-compliance that are driving access control automation
This is an edited transcript of the discussion:
Ken Murphy, SAPinsider: Earlier you touched on the efforts involved with manual access control, and I’m just wondering if you can address the risks that are associated for organizations that continue with that approach?
Jody Paterson, ERP Maestro: Think about the risk of not knowing what’s out there. The risk of either your tools or your manual processes not finding the risks, or you’re not actually even looking for the right risks. The risk is really that you’re not going to find the segregation of duties conflict, the people that have access to your sensitive data. And the result is that you have a much higher risk of fraud. There are many documented cases in which segregation of duties and access to your information that allows people to (take) fraudulent activity has led directly to fraudulent activity. But not only that, the process of going through it manually is actually relatively inaccurate because you’re either not doing the analysis correctly, you’re using access databases, you’re not writing your queries correctly, or the multiple points of failure in that process lead to an unreliability of the results. You can’t rely on them. But also what’s happening in 2015 is pretty interesting. You have a lot more scrutiny in the marketplace for – external auditors are placing a lot more scrutiny on these manual processes, on these field tools out in the marketplace, which has directly come out of the Framework changes to COSO in 2013, which are more of a clarification really. But that has led to a lot more scrutiny being placed on the completeness and accuracy around these field tools in the marketplace today, and that’s where ERP Maestro is really going to help and assist with these companies that are really struggling to make that large investment to realize the benefits of automation by facilitating a very easy entry to take advantage of what automation can bring them.
Ken: And so for the reasons you mentioned, do you see 2015 and beyond as being important for organizations that are looking to take that step toward automation?
Jody: Absolutely, yes. What comes with this increased scrutiny is going to be organizations sitting with the realization that the risk of approaching this challenge manually is resulting in a much higher risk of fraud. But also they’re sitting with a real significant deficiency on their hands that they need to address before year-end. Now by being able to implement a full access control suite in a very short amount of time, you can really start tackling this process head-on very quickly and that’s what we see as ERP Maestro is ideally positioned for: to help companies with that increased scrutiny that’s about to occur.
Ken: Jody, thank you for joining us today.
Jody: Thank you very much, Ken.