While the sins of the corporate fathers brought down some of the biggest names in business, new government mandates possessed the fervor of commandments. Thou shalt not steal, lie, destroy documents, tamper with evidence, punish whistleblowers, or claim ignorance. Relying on the good word of corporate executives went down with Enron. Now, companies must deploy real-time, continuous compliance solutions to reduce risk and enforce internal controls. Failure to do so could mean a long stay at "Club Fed."
Among other things, Sarbanes-Oxley requires executives and corporate boards to not only tell the truth but to prove it. A company's good word is now worth about as much as the Enron sign unceremoniously removed from the Houston baseball stadium. The new penalties - $25 million fines and up to 20 years in a prison cell - are meant to send a message: "Don't even think about it!"
Beware of Six Common Landmines
Given the penalties and the government's willingness to go after miscreants, "hoping for the best" or "feeling lucky" should not be a part of your compliance strategy. No audit firm wants to suffer the fate of Arthur Andersen. Hence, the standard of due care is rising. Cursory inspections and small samples have given way to closer examinations.
Landmines await the unprepared. Here are six of the most common ones.
Landmine #1: Taking Halfway Measures
Many companies have opted to conduct segregation of duties (SoD) and critical transaction analysis by downloading ERP data from the production system to homegrown spreadsheets or third-party applications. These solutions scan for potential conflicts between users and their roles in standard tables. Unfortunately, they are partial solutions that can miss violations. Like jumping halfway across a chasm, you can get the first part right and still ruin your day.
Concentrating simply on users and their roles does not address the full range of user access and authorization concerns at the heart of effective internal control solutions. Solutions that rely on downloaded data generally fail to address hidden conflicts in custom code, user exits, and reference user tables. For privacy reasons, they cannot download SAP HR data. Further, cross-system analysis is complicated by data aggregation, synchronization, and integrity issues that concern many auditors.
Defusing Landmine #1: Only real-time solutions running inside SAP have full-time access to all ERP data without depleting IT and systems resources in downloads and extra layers of administration and security to handle external analysis. Further, by leveraging the power of SAP NetWeaver's portals and SAP Exchange Infrastructure (SAP XI) functionality, you can conduct cross-system and cross-enterprise analyses from a single interface with no downloading and no data synchronization and integrity concerns.
Landmine #2: Ignoring the Minefield Itself
As noted above, most homegrown and third-party solutions overlook violations embedded in custom code, user exits, and supplemental authorization tables. Companies generate hundreds, if not thousands, of lines of code to simplify complicated processes or reduce the number of steps necessary. This code often includes transactions that call other transactions.
The called transactions exist outside of the normal authorization structure, so users who are authorized only for the initial transaction may gain access to the called transaction. This creates control violations that are often hidden from or missed by security administrators. Auditors are increasingly sampling custom code to uncover these violations.
Defusing Landmine #2: To locate and remediate conflicts created by called transactions, your solution must be able to scan custom code, user exits, and supplemental authorization tables. This is simply not feasible with solutions that run outside of SAP on downloaded data. With SAP NetWeaver and SAP Compliance Calibrator, you can create Web services to conduct functional, cross-functional, and cross-system scans automatically for quarterly and annual attestations of the effectiveness of internal financial controls.
Landmine #3: Throwing Piranha in the Pool
No, you wouldn't deliberately throw piranha in your swimming pool. But security administrators execute the IT equivalent of that whenever they migrate role changes from development to production without first simulating the potential impact on the production system in its current state.
Solutions that rely on analysis of downloaded data lack real-time simulation capability. Consequently, administrators may introduce new conflicts directly to the production system and not discover them until the next download. By failing to halt violations before they occur, remediation is slow and painful. Fraud and malicious mischief go undetected for longer periods, and enforcement of your security policy is delayed. This exposure is significant and potentially expensive in terms of cash, time, and noncompliance.
Defusing Landmine #3: SAP Compliance Calibrator's real-time simulation capability and SAP NetWeaver's Web services and SAP XI functionality can simulate the effect of a change on the production system as it is now, rather than as it was at the time of a download. Moreover, they can accomplish this across systems, saving money and avoiding trouble.
Landmine #4: The Beast in the Bushes
Much has been said already about SAP NetWeaver's ability to conduct analysis across the enterprise. From a security standpoint, this capability is often underappreciated. It is not unusual in large, complicated IT landscapes for users to have conflicting access across systems, such as the ability to order supplies in one system and in another system the ability to designate themselves to take custody of the delivered supplies. Conflicts can be hidden across the landscape. Locating these conflicts across a heterogeneous landscape of multiple systems and platforms can be a nightmare if you are attempting the task with solutions sitting outside of SAP.
Defusing Landmine #4: Locate the beast in the bushes. By using SAP NetWeaver Web Application Server and SAP XI, you can read data from any system in real time, perform cross-system analysis, and report to business users and auditors in the format they prefer.
Landmine #5: Dropping Your Guard
Vigilance. Auditors respect it. If it's automated and operates in real time, they respect you. Real-time, event-driven alerts for sensitive transactions and for configuration changes are your most effective line of defense and your strongest proof that you are a diligent fiduciary of shareholder equity. If you drop your guard and fail to put this protection in place, you increase your exposure to fraud, error, malicious behavior, regulatory penalties, and jail time.
Defusing Landmine #5: With SAP NetWeaver Alert Framework, you can set up and manage alerts through the universal worklist. Moreover, if your controls compliance solution resides inside SAP, instantaneous alerts can abort noncompliant transactions and configuration changes or trigger approval processes and investigations via SAP Business Workflow. This is true prevention, and it is also proof that the company takes controls compliance seriously.
Landmine #6: Confusing Constraint with Control
Adhering to compliance mandates should not constrain a company's ability to do business. Sometimes all that is necessary is a mitigating control. For example, many companies unnecessarily live with an annoying open audit issue: IT superusers with broad access to production for emergency and other support. This broad access introduces the risk of fraud into the environment. Auditors want to limit this exposure, but companies feel such access is necessary to prevent or at least limit business disruptions.
Defusing Landmine #6: There is no need to constrain IT access to gain control. You can approve special "fire call" IDs via a secure automated process, confer super-user status for a designated intervention over a specified period of time, and initiate an audit trail to track all actions taken while in use. Upon logout, tracking terminates, and a complete log of the session remains in an auditable repository. This eliminates the audit issue by adding a mitigating control, yet it allows unconstrained access to resolve problems in production.
The New Scriptures
Mistakes happen. Fraud happens. Authorizations can be faulty. Access can be abused. Controls can be subverted. Process can be ignored. Ultimately, audit opinions are negotiated interpretations of compliance. External auditors respect companies that make an obvious all-out effort to keep these risks to a minimum. If a business can get religion, then the Sarbanes-Oxley mandates and similar regulations being promulgated worldwide are the new scriptures. They provide the belief system, discipline, and impetus to improve controls, reduce fraud, minimize exposure, regain investor trust, and contribute to shareholder value.
Control and Accountability
The Sarbanes-Oxley Act is by no means an only child; it has a rich family tree. Beginning in 1934, the Securities and Exchange Commission Act regulated participants in trading markets, and this act is still used to prosecute insider trading and securities fraud. The Basel II Accord is a risk management mandate for financial institutions. Its requirements include proven IT security and administration. More such regulations are in the works worldwide, with serious civil and criminal penalties advocated by governmental authorities and institutional investors.
Sarbanes-Oxley mandates individual accountability and penalties, including prison time, for violations. A corporate umbrella will not save the guilty or the naïve. Four sections are especially pertinent:
- Section 302 - Executives, particularly the CEO and CFO, must make quarterly attestations to the accuracy of their financial reports and the effectiveness of their controls.
- Section 404 - Companies must conduct quarterly and annual assessments of the effectiveness of financial internal controls. Moreover, an annual review by an external auditor is required.
- Section 409 - Companies must disclose to the public on a "rapid and current basis" material changes to the firm's financial condition.
- Section 802 - Executives must ensure authentic, immutable records and retention.
Though the guidelines are subject to interpretation, one thing is clear: Controls are paramount. A company's annual report is no longer a coffee-table book designed to make investors feel good. Annual reports must contain an internal control statement that includes management's responsibility for internal controls, its judgment of the effectiveness of internal controls, and an external auditor's attestation validating management's assessment.
An adverse audit opinion or admission of a material weakness in a company's financial controls can negatively impact share price, investor holdings, market share, and sales cycles. Real-time, continuously clean systems mean less-costly audits, decreased probability of fraud and error, early notification of deficiencies, a reputation for good governance, and ultimately, increased shareholder value.
Initially, documenting, testing, and enforcing controls for Sarbanes-Oxley compliance can be painful and costly. But it does not have to stay that way. Enforcing segregation of duties (SoD), monitoring critical transactions and process controls, fine-tuning authorization rights, and automatically testing control design and effectiveness can be made routine and effortless.
Mark Feldman, Ph.D., formerly a partner and global practice leader at PricewaterhouseCoopers' mergers and acquisitions consulting business, is currently senior vice president of strategy and business development at Virsa Systems, a developer of software for controls compliance.