Internal Controls over Financial Reporting are a key strategy in managing financial process risk in the organisation. Finance owns the governance obligations over ICFR as the 2nd Line of Defence just as Audit owns the independent assurance as 3rd Line.
A key responsibility is to ensure the Accuracy, Completeness and Authorization of all relevant transactions and activities.
The “User Access” question often falls into a “no-man's land” between the technical IT General Controls and the organisational Business Application/Process Controls.
Our experts explored experiences of financial risk and material threat arising from uncontrolled user access and exposed some of the weaknesses in governance over “who has access to what”.
Evidence shows that in most large organisations, substantial numbers of current and past employees, service providers and consultants have, despite all identity access policies, inappropriate and even unauthorised access to applications of financial relevance. Often the prime ERP is relatively well served in this regard, but not always. Recent changes to perceptions of the role of the core ERP and satellite systems increase the risk of inappropriate access.
User Access remains a hidden danger for many organisations, due to the belief that ‘someone else is looking after it’. It is not an IT issue, although technology can help. It is a process ownership and governance issue.
Our experts shared practices on process, data, governance, and technology, and shared an approach which can drive improved governance over a process that works, even ‘as a service’.
Our speakers took the attendees through the following topics:
- Financial threat and material risk
- The User Access ‘iceberg’
- SOX and general ICFR obligations
- Experiences & Challenges
- Implementing a Process that works
- Governance & Ownership