Webcast Synopsis – April 28th 2021
69% of major corporations have had one or more significant audit deficiencies in the last 2 years.
Financial control and IT control deficiencies remain a major challenge. Despite huge investments in digitization, the problem isn’t going away.
You can watch the webcast recording including live polls here . . .
Our research into whether we have “Nailed It or Failed It” with internal controls over financial reporting (ICFR) reveals a series of big questions.
One of the key issues is how we effectively manage people, identities and access across an increasingly complex application and service landscape. This means dealing not only with interactions from our own staff, but also from customers, suppliers, business partners, outsourced process operators, consultants and temporary staff, and last but not least with robotic and system “users”.
Yet as businesses invest in digital transformation and work to improve their risk management, policy, control and compliance strategies these issues are becoming even more pressing.
We are seeing the perfect storm of 6 major challenges to ICFR effectiveness converging:
- Global Business Processes – “end-to-end” thinking and global process governance is essential but is changing the nature and shape of business risks.
- Risk Management, Control & Compliance as a Process – controls don’t exist in isolation and are themselves engaged in an end-to-end process we call “Risk to Perform”.
- Technology shifts – the all-encompassing, monolithic ERP was everything in the past few decades, but now we are in a paradigm shift to a hub & spoke architecture, in part driven by the new generation of cloud ERP capabilities. Again this is changing our risk profile.
- Manual Controls – polls consistently show that the majority of financial controls remain largely manual. One recent survey showed that 46% of firms had less than 10% of controls automated. 62% stated that the single biggest concern relating to ICFR is manual controls.
- Governance – the way in which we make decisions, drive ownership, accountability and execution requires that we align around clear outcomes, in a business world where we still have different “lighthouses” marking different destinations and routes!
- Identities, “Users” and Interactions – the subject of this webcast is once again growing as one of the single biggest contributors to Significant Deficiencies in ICFR. It’s time we get control of the governance of business process “interaction” in the digital world.
Focusing on number 6, in our recent webcast, Mike Sims, VP IAM Advisory & Architecture, Herjavec Group, shared his veteran wisdom on the Identity & Access Management market, the history, technology segments and challenges as well as the evolving maturity levels, indicated below.
There are key questions to answer, not least:
- Identities – Who owns? Who manages? Who decides? Who controls?
- Scope – Internal only? Suppliers? Customers? Short term staff/outsourced staff/customers? System Users, BOTS?
- Granularity – To what level? Role Based Access Control or deeper? Exception handling? Provisioning? Fine grain access management? Privileged Access? End-to-end process, system, limits and tolerances, segregation of duty and restricted/sensitive access?
The good news is that it is now abundantly clear that we cannot manage identity, access, process, applications, risk and controls in isolated silos. There is a time for integrated governance.
This is the “Elephant in the Room”.
Hans van Nes shared some key insight into how you can ensure ICFR and IAM are aligned successfully.
He showed the conceptual integration of core concepts as well as the 4 routes you need to choose from in your strategy. He described, and recommended avoiding, the “Frankenstack” . . .
Hans also advocated a “Pareto Thinking” approach that focuses on interaction rather than integration of technologies. He cited speed, cost, business impact, effective control and pragmatism as the key benefits of this type of approach.
In our discussion, it became clear that, in this new world, the maturity model is more extensive and addresses technology, business process and enterprise risk management maturity. There was a good discussion on this.
Hans proposed an integrated governance model which brought together the concepts we had discussed.
We summarized by asking some questions:
- Is it time for a “refresh” of our approach to risk management and control?
- Can we identify and align all stakeholders?
- Is technology “integration” or “interaction” the right strategy?
IAM, IRM and GRC technologies will abound in your own organization. Do we have the impetus for integrated governance?
Maybe, however unpleasant, for many organizations the Significant Deficiency (SD) is the necessary catalyst for change.
Do you think it’s time for a refresh of our approach to risk management and control? Is it down to Integration or Interaction when it comes to technologies?
We will be continuing this ICFR series with a critical session looking at Manual Controls and how we “crack THAT nut”!
We concluded with an audience survey at the end, asking the question “What, in your view and experience, is the single biggest challenge in managing Identities, “Users”, Access & Interaction?”.
This is a summary of what you said . . .
Thanks for reading…