Maximising the value from your existing Infor enabled controls monitoring & attestation processes
With a team of experts with 15 years’ experience as a company on this topic, and up to 25 years plus individually, we have been asked countless times to share best practices, insights, “what good looks like” and specific recommendations to get the most out of your investment in risk, controls and compliance processes, organisation, skills and technology.
These recommendations have general applicability but are specifically aimed at users of Infor Risk and Compliance (IRC), formerly Approva, and once upon a time, BizRights.
At Consider Solutions we help major organizations on a journey to something we call ‘World Class Finance’, in the areas of end-to-end business process optimization, financial control and compliance and broader risk assurance, across specific challenges such as fraud, bribery and corruption identification and prevention and more generally in the implementation and refinement of enterprise risk management (ERM) and policy management initiatives.
Within this landscape, we also help many of you in your risk management, controls monitoring and remediation, and compliance management activities. We try to regularly share the latest insights into managing success, overcoming technology challenges, best practices in SOX testing and continuous controls monitoring, with focus on specific implementation and business-as-usual process issues.
We have taken time with our experts and consulted our customers and locked them in a dark room to harvest these fifteen key insights that you can apply yourself, from simple but immediately actionable advice through to more systemic improvements, addressing process, governance, technology and usage issues. We also conducted a worldwide survey of users of IRC/Approva to provide input for you.
We created a customer webcast, which we can give you access to, but we summarise the findings here. If you have any questions on these, feel free to contact us and we will do our best to answer or advise you.
Here are the Top 15 insights that you can specifically exploit to reduce effort, cut cost, drive greater business value and sweat more from your existing technology assets:
1) Ensuring Audit Readiness
Reducing the pain, frustration and cost of audit is high on everyone’s priority list. Moving from local sample-based testing to continuous monitoring from a centralised location is a crucial way to do this. Reducing the cost of audit is perfectly reasonable and achievable with IRC/Approva, but you need to plan for it. Sometimes, the external audit team are in the habit of conducting substantive testing on all controls themselves and are comfortable with it. However, this is a time consuming, costly and frankly outdated approach, so you may need to set the ground rules. The external audit team may want to get confidence that your own ‘management testing’ is effective, and demonstrates completeness and integrity, but once achieved, you need to maintain careful control of your own process so that they can continue to rely on your testing, rather than conduct their own. You can keep one step ahead of the audit program so that you can avoid the ‘death by 1000 cuts’ of audit Q&A and focus your attention on supporting the business. Just ask for a copy of our latest IRC/Approva Audit Readiness Guide.
2) Ensuring Relevant Risk Management
It is easy to assume that the standard, “out-of-the box” rules from any controls monitoring tool should be “correct”, but businesses, organizations and processes vary. Whilst these “out of the box” rules are a good starting point, there is a need to validate risks and rules against YOUR specific business operational model. Performing a business focussed risk review is a great platform for audit readiness, as detailed questioning about your rationale for certain risks and rules is a common, time consuming activity from many GRC teams, In general, you should conduct a full risk assessment/review every 5-10 years or around substantial business process or system change and perform a more straightforward rule/risk review every couple of years. We can share some of the tools you need to do this or support you directly in mapping the end to end process, facilitating workshops with stakeholders, identifying and assessing key risks and mapping them back into the detailed rule constructs of IRC/Approva or other tools.
3) Sharing Deeper Risk Insight with Visualisation and Reporting Tools around IRC/Approva
There are always customer specific risk and compliance reporting requirements as well as a changing landscape in the style of reporting expected by stakeholders, If you use Tableau, Qlik, Birst or Splunk or any other enterprise reporting and visualisation tool, we have created supporting kits to allow you to drive your management reporting through your chosen mechanism, or we can provide the reporting service directly ourselves, We can give advice or facilitate workshops to establish what reports or dashboards are needed for which stakeholder groups and how to get the data from IRC into your preferred reporting environment. This can be a great way to re-invigorate your stakeholders by engaging and immersing them in the information and insight they need.
4) Web Based On-Demand Training from Experts:
The last structured training/skills transfer your team received was probably when you first deployed the software and implemented your continuous controls monitoring process. Staying effective and efficient is a challenge when information and knowledge has been passed down through organisation changes, outsourcing and staff moves. The fact that IRC/Approva does not need a large skills base to support it, while a financial benefit, can also be a challenge as you do not build up the critical mass of skills to be able to develop and sustain as easily as you do with a larger Centre of Excellence. Lack of relevant knowledge about your installed version of the Approva/IRC application costs your organisation time and money, as well as wasted effort and frustration.
We have developed an on demand, web-based training that is a customizable modular training scheme (both technical and functional) that you can join live or watch online and revisit as many times as necessary, as well as having live interaction with trainers one on one. This doesn’t just apply to your employees, but your outsourced staff, consultants, auditors, subcontractors, service providers, shared services staff and any other stakeholders. For some customers, we become their Centre of Excellence for IRC/Approva on a renewable service level agreement basis. Fortunately, we do have the economy of scle to sustain skills and expertise in all the technology components.
5) Functional and Technical Usage Optimisation
Is your IRC/Approva environment, and the processes it supports, optimized for current capabilities and your current systems landscape? Look at your IRC alert dashboard! If there is a lot of red, you may want to go into health check mode. Are you sure the environment is clean of the alluvial deposits of historical residual data that slow things down and create intermittent failure? This is an expert level activity, requiring insight and experience, but a small review and assessment can deliver major improvements in the technology operation and the process efficiency and reliability.
6) Outsourcing IRC Niche activities
Do you really have the skills and experience to perform some of these potentially error prone tasks effectively? You may have quarterly activities that where the struggle for knowledge and expertise outweighs the cost of the work itself. Whether it is pulling content for custom reports, adding new rules and rulebooks, responding to unannounced ERP functional or security changes or upgrades, supporting your underlying servers, or managing the remediation process for violations, we have the skills and can deliver a simply agreed service level to support your organization’s compliance needs.
7) Upgrade of outdated Bizrights, Approva, IRC versions
Put simply, you must upgrade. The latest versions of IRC software have addressed long running issues and internal faults, In addition, the IRC software is now being developed and enhanced in an agile model, which means that the most recent updates can be simply added without major effort. A number of long running customer frustrations have been eliminated with recent versions of IRC, and the changing landscape of underlying infrastructure is also now better enabled. To deliver audit ready compliance, you need to ensure that the technology you are using is still fully supported, on servers and the new desktop environments. An upgrade also allows you to take account of new compliance requirements that affect the data your store in IRC/Approva, such as GDPR. Upgrades provide security enhancements, better functional changes and performance We can provide upgrade rationale for stakeholders, the best upgrade variant and path. We call this ‘SafePassage’. No risk to you, and the full upgrade can be outsourced for a fixed price.
8) Automating “end to end “User Access Change Requests and Provisioning
Access Provisioning Tools tend to be clunky, and IRC is no different. Access Manager is designed for technical experts who really understand the sense and content of the technology and security model, so people need helpdesks and centres of excellence, which require some level of centralisation of the process. In the pursuit of efficiency and effectiveness, we have put in place some easy to use integrations and web portal capabilities, to enable federation of requests for changing end user access needs. Eliminating the need for the requestor to have detailed technical knowledge about names of roles and responsibilities, enabling lightweight but secure approval cycles, facilitating automatic compliance checks, provisioning (or de-provisioning) the requests, all in a way that frees the central help desk to deal with the complex issues they are trained for, not the mundane, everyday tasks that frustrate them. We call this approach ‘Self Service User Access Provisioning’. In our experience the typical ROI is less than a year and the cost savings and user satisfaction increases are high. This is a genuine ‘low hanging fruit’ of efficiency gain.
9) Extending Risk and Control Monitoring Beyond Core ERP
IRC/Approva has long exhibited the architecture that enables ‘cross application’ and ‘multi-application’ risk and control monitoring. This is a powerful capability. However, without sufficient insight and expertise, delivering on the promise can be a daunting prospect. We have built an intermediary capability known as “AnyConnect” that easily allows you to extend compliance monitoring to multiple applications and manage risks that span applications. The growing appeal of the augmented P2P process suites such as Coupa, Determine and Ariba for example, offer great value in managing the true end to end process risk. How do I monitor across and end to end process that includes multiple suites of technology? We can get all your applications in-scope systems connected to and monitored by IRC to deliver critical cross system analytics. If your organization is restructuring around end to end Global Process Owners (GPOs), then this requirement will likely emerge rapidly.
10) Extending Controls Monitoring with Attestation
Despite the best efforts of the ERP majors, the majority of key controls are still not automated, and in many cases, they cannot be fully automated as they require judgement. According to a recent survey 76% of your key controls are either manual or hybrid. These controls do not lend themselves to continues controls monitoring but they do need an efficient and reliable way of gaining attestation from stakeholders and process owners across the business operations. One obvious example is the infamous User Access Review (UAR), typically a painfully manual Excel and email driven task that still lingers in an incomplete state by the time the next attestation cycle comes round! Automated attestation or certification is enabled by IRC in a lightweight way with an auditable workflow and system of record of approvals, rejections and commentary. These attestation workflows are easy and swift to implement and remove another load of compliance burden and audit readiness effort. Don’t let the 76% be a slave to the 24%!
11) End to End Controls Process Improvement
Sometimes in the frenzied activity of maintaining compliance over specific tasks, we lose focus on the end to end process. It is a common problem. What is our end to end process for compliance management? Where does it start and where does it end? Who is doing what in across the process? Without this big picture view, it is almost impossible to simplify or streamline the process. We have created some easy `to use templates to map the high-level compliance process and the specific sub processes, Map your own processes using our templates, define the key risks areas, who owns what, who administers, how is control assurance provided, how do the various levels of oversight and assurance fit in? You can quickly see gaps, find unknown risks and outdated procedures. It is also a valuable step in demonstrating audit readiness.
12) Integrating IRC with ERM framework
The intense focus on controls that was inflamed by the launch of Sarbanes-Oxley has been tempered with a growing focus on risk in recent years, Enterprise Risk Management gained early traction in the financial services industry, but with support from COSO and ISO is now the widely accepted risk management discipline in business addressing all themes if corporate risk including strategic, operational and financial risk. The entity level, process, application and IT general controls that we monitor for compliance should all relate to a dimension of enterprise risk. It is worth ensuring linkage between the enterprise risk management process in the organizations and the compliance and controls management activities. It can help simplify and resolve controls and compliance issues. Is the work you’re doing with IRC aligned with ERM? We’ve done a lot of work to align the thinking and the action in an approach we call “Fact to Act”, which as it implies, aims to link risk management and assessment to factual monitoring to drive effective action. We can share our work in this area for you to action or we can engage with you.
13) Applying a Governance Framework
“GRC” has become an acronym that can mean very different things to different people. OCEG are one bright light of consistency and simplicity striving to maintain a clear focus. However, in efforts to implement a governance, risk management and compliance process, we have sometimes lost sight of some of the elements that are required to make the process work effectively for the organization. In concert with some of our global customers we have summarised the key themes into a framework that is easy to refer to and helps drive stakeholder alignment on key issues. The most compelling elements that are often missing in organizations are those related to ‘Mission and Objectives” or “Target Outcome’, ‘Stakeholder Management’, “Communicating Progress” and “Process”. As you can see below, the tools are just 1 of 9 domains. It pays to bear that in mind.
14) Harmonize your GRC-Tool Landscape.
It is likely that you have a complex GRC technology landscape, covering various tools acquired or developed over the years o support specific issues. Typically, these include tools for risk management, policy management, compliance reporting, controls monitoring, data analytics, process and procedures, training and attestation, audit management to name a few. It was popular to believe a few years ago that there could be “one tool to rule them all” but this has been demonstrated to be a false hope. However, all these tools and applications ned nourishment, alignment, feeding and support, and not just technically. So it makes sense to have a periodic (maybe every 5 years) review with all the stakeholders of the purpose and target outcome of the various tools, costs and benefits, Some harmonization opportunity is likely to emerge. We have produced a simple traffic light template for our customers to help identify unknown/unclear ownership or expose potential overlap. Less tools = lower cost!
15) GRC Market and Technology Trends
In concert with the harmonization agenda above, it is worth assessing the GRC market and technology trends periodically. Be cautious of claims that the latest new technology (AI, RPA, Blockchain, IoT etc) will eliminate the need for risk management, control and compliance but be aware how they could augment current approaches to deliver greater insight and assurance. The OCEG Current State and Future Trend materials are worth reviewing as an example.
We talked about each of these 15 topics in a recent webcast session we hosted, which you can find the recording for here. Or if you’d prefer you can reach out to us directly and we’d be happy to discuss any of these 15 issues or any others you may have thought of! Send us an email at firstname.lastname@example.org