From GRC to Great
The priorities in most businesses, driven by Sarbanes-Oxley, are user access, segregation of duties, and tracking critical configuration changes in the ERP. All of these factors affect how efficiently a business operates, so a thorough review process ensures that any change adds value to the business unit. There is less fallout from changes that seemed like a good idea at the time, because no change can be made without upfront documentation. Making the tracking automatic, though, means necessary changes can often be made with less overall effort.
Of course, not all compliance activities are related to information systems, but they should still be synchronized with the rhythm of the business, Mitchell says. Instead of making compliance an additional set of activities imposed by the legal staff, he’s found that firms gain greater employee acceptance when they integrate compliance topics into regular business activities. For example, rather than having the legal department host a special “dos and don’ts” session for the sales department, training on pricing could include information on antitrust concerns, and training on closing orders could discuss bribery and kickbacks. “Do compliance at a time when people are thinking about their business as a whole,” he says.
Some companies think that compliance will be easiest if it’s done on an as-needed basis, but Mitchell says the opposite is true. The Open Compliance and Ethics Group’s research shows a high success rate on holistic compliance projects. Organizations that have been most successful, he says, generally start with a big goal, such as developing a GRC backbone that would include every department and track a full range of activities. But they start small, choosing two or three issues and looking for ways the controls for each can reinforce one another. For example, he says, a company might start by examining how Sarbanes-Oxley compliance measures overlap with privacy regulations. Then it designs processes that cover both. When that works, the company integrates a third compliance matter, such as warranty tracking. That helps keep everyone focused.
Continuous Compliance and Continuous Operations
In many organizations, controls are set and reviewed manually. Every month, quarter, and year, managers receive a stack of printouts and review them line by line to see who did what in the system. Do former employees still have accounts? Is someone getting into the financial system who should not be? Answering questions like these by hand is a huge time sink. GRC automation runs the same checks continuously against the system’s own records, which reduces human error and frees reviewers for the nuts and bolts of running the business; those hours of review were being spent by people whose skills are better suited to managing operations than to reading lines of data printouts.
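The three questions above (terminated users with live accounts, segregation-of-duties conflicts, and critical configuration changes made without an approved change record) are exactly what a GRC tool automates. The following is an added illustration, not code from LogicalApps, Cymer or Intuit: it runs those checks over constructed sample exports. The role names, the conflict matrix, the list of critical configuration objects and the ticket identifiers are all hypothetical.

```python
"""Automated user-access and change-control review (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Hypothetical segregation-of-duties matrix: pairs of roles one person must not hold,
# because together they let a single user complete a sensitive process alone.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"journal_post", "journal_approve"}),
    frozenset({"price_maintain", "sales_order_release"}),
}

# Hypothetical set of ERP configuration objects whose changes require an approved ticket.
CRITICAL_CONFIG = {"revenue_recognition_rules", "approval_limits", "gl_posting_periods"}


@dataclass
class Account:
    user: str          # ERP login; in practice join on employee ID, not login name
    roles: Set[str]
    active: bool = True


@dataclass
class ConfigChange:
    obj: str           # configuration object touched, from the ERP audit trail
    changed_by: str
    ticket: Optional[str]
    when: date


def orphaned_access(accounts: List[Account], hr_terminations: Dict[str, date], as_of: date) -> List[str]:
    """Active ERP accounts whose owner HR lists as terminated on or before as_of."""
    return sorted(
        a.user for a in accounts
        if a.active and a.user in hr_terminations and hr_terminations[a.user] <= as_of
    )


def sod_conflicts(accounts: List[Account]):
    """(user, conflicting role pair) for every SOD_CONFLICTS pair an active user fully holds."""
    hits = []
    for a in accounts:
        if not a.active:
            continue
        for pair in SOD_CONFLICTS:
            if pair <= a.roles:          # user holds both roles of the pair
                hits.append((a.user, tuple(sorted(pair))))
    return sorted(hits)


def unapproved_changes(changes: List[ConfigChange], approved_tickets: Set[str]):
    """Critical configuration changes with no ticket, or a ticket that was never approved."""
    return sorted(
        (c.obj, c.changed_by) for c in changes
        if c.obj in CRITICAL_CONFIG and (c.ticket is None or c.ticket not in approved_tickets)
    )


def run_review(accounts, hr_terminations, changes, approved_tickets, as_of):
    """Run all three checks and return the findings a reviewer would otherwise read off printouts."""
    return {
        "orphaned_access": orphaned_access(accounts, hr_terminations, as_of),
        "sod_conflicts": sod_conflicts(accounts),
        "unapproved_changes": unapproved_changes(changes, approved_tickets),
    }


# Constructed sample exports (not real data).
SAMPLE_ACCOUNTS = [
    Account("alice", {"vendor_create", "payment_approve"}),          # SoD conflict
    Account("bob", {"journal_post"}),                                # terminated, still active
    Account("carol", {"price_maintain"}),
    Account("dave", {"journal_post", "journal_approve"}, active=False),  # already disabled
]
SAMPLE_HR_TERMINATIONS = {"bob": date(2024, 3, 31), "dave": date(2024, 1, 15), "erin": date(2024, 5, 1)}
SAMPLE_CHANGES = [
    ConfigChange("approval_limits", "carol", "CHG-101", date(2024, 4, 2)),
    ConfigChange("revenue_recognition_rules", "alice", None, date(2024, 4, 9)),
    ConfigChange("item_description", "carol", None, date(2024, 4, 10)),   # not critical
    ConfigChange("gl_posting_periods", "bob", "CHG-999", date(2024, 4, 12)),  # ticket never approved
]
SAMPLE_APPROVED_TICKETS = {"CHG-101"}

if __name__ == "__main__":
    for check, findings in run_review(SAMPLE_ACCOUNTS, SAMPLE_HR_TERMINATIONS,
                                      SAMPLE_CHANGES, SAMPLE_APPROVED_TICKETS,
                                      date(2024, 4, 30)).items():
        print(check, findings)
```

Two practical caveats when wiring this up to a real ERP: the HR system, not the ERP, is the source of truth for who is employed, and the join should be on a stable employee identifier rather than a login name; and a disabled account such as `dave` above is excluded from the SoD check deliberately, since the control is about what a user can currently do, while the orphaned-access check still wants to see it if it is ever re-enabled.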
The goal at Cymer was to identify weaknesses before they turned into problems that sucked time and resources. And, with nine locations all over the world and IT centralized in San Diego, the compliance staff had an interest in reducing panicky middle-of-the-night phone calls. LogicalApps helped the company convert manual controls into automatic processes. The result? Less staff time to manage controls, and less audit support to make sense of the reports that were generated. “We’re embedding tools like LogicalApps into our base infrastructure,” says Craig Haught, Cymer’s vice president and CIO. “There are no surprises. It’s like a flight check. When you bring in a new capability, you want it to work at launch.”
LogicalApps helped Intuit set up a more preventive controls environment. For example, if someone changes a product SKU, the revenue recognition team at Intuit receives a memo to review and approve the change before it takes effect. In most cases the change goes through, but the reason for it is recorded in real time rather than at the end of the reporting period, when catching up may mean reconstructing sales figures, writing justification memos, and letting the change stand whether or not it was the right thing to do, simply because it is too late to undo. “It’s not a resource strain at month-end,” says Robert Singleton, manager of Intuit’s controls advisory office. “Until the team reviews and approves the process, it’s not in Oracle.”