How (And Why) The Mechanics Of Financial Technology Matters
Business used to be done on paper and accountants would manage vendors, pay accounts and dutifully fill out balance sheets in exacting detail, employing their a) unearthly ability to understand double-entry bookkeeping and b) desire to pore over business administration figures in minute detail.
But then, the industrial revolution(s) 1.0, 2.0 and 3.0 all happened and we found that technology could give us spreadsheets, forensic accounting analysis applications and higher-level Enterprise Resource Planning (ERP) suites. Of course with great (technology) power comes great responsibility. So how do we control the internal mechanics of our financial technology systems to make sure that staff and stakeholders only use them to do what we want them to?
It comes down to managing internal controls for access including a key practice known as Segregation Of Duties (SOD).
Segregation Of Duties
CEO and founder of ERP Maestro Jody Paterson explains that his firm has been established to automate all IT-related access to a firm’s financial records. Specifically, ERP Maestro manages access risk, compliance and security in SAP environments through its cloud-based software as a service (SaaS) platform.
An ex-KPMG audit specialist, Paterson explains that SOD and Control Monitoring are not the same as Identity Access Management (IAM) and that IAM vendors in fact want to build SOD into IAM, where possible.
“Okay so here’s a working example: when a new supplier is signed up by a company, the financial team will enter all their details into the company’s financial records and set up the procedures needed to process payments to them. The staff who set up that procedure in a large enterprise should not also have the ability to ‘actually’ pay that supplier. The risk is that an employee could defraud the company. Segregation of Duties ensures that these kinds of risks are spotted and prevented. That’s Segregation of Duties in motion,” said Paterson.
This process is essentially put in place to stop fraud, where a financial services employee could set up a new payee and then pay them. In the event of that happening, ERP Maestro provides what it calls Conflict Reporting, i.e. an anomaly gets logged when someone initiates an action that they are not supposed to. The results of these analyses are then ultimately flagged for a business manager to view in a visual dashboard.
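The supplier example above can be expressed as a rule check. The following is an added illustration, not ERP Maestro's code or anything from the article: the permission names, roles, users and log entries are all constructed. It separates users who merely hold both duties from users who actually exercised both on the same vendor.

```python
from collections import defaultdict

# Hypothetical rule: the two duties from the supplier example must not sit with one person.
SOD_RULES = [("vendor.create", "payment.execute")]

# Constructed role model and user assignments.
ROLE_PERMISSIONS = {
    "vendor_master_clerk": {"vendor.create", "vendor.change"},
    "accounts_payable": {"payment.execute", "invoice.post"},
    "auditor": {"report.view"},
}
USER_ROLES = {
    "alice": ["vendor_master_clerk"],
    "bob": ["accounts_payable"],
    "carol": ["vendor_master_clerk", "accounts_payable"],
    "dave": ["auditor"],
}

# Constructed activity log: (user, action, vendor_id).
ACTIVITY_LOG = [
    ("alice", "vendor.create", "V-1001"),
    ("bob", "payment.execute", "V-1001"),
    ("carol", "vendor.create", "V-1002"),
    ("carol", "payment.execute", "V-1002"),
    ("carol", "payment.execute", "V-1001"),
]

def access_conflicts(user_roles, role_permissions, rules):
    """Users whose combined roles grant both sides of a rule (potential risk)."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        perms = set().union(*(role_permissions.get(r, set()) for r in roles))
        for a, b in rules:
            if a in perms and b in perms:
                findings.append((user, a, b))
    return findings

def exercised_conflicts(log, rules):
    """Cases where one user actually performed both duties on the same vendor."""
    done = defaultdict(set)  # (user, vendor) -> set of actions performed
    for user, action, vendor in log:
        done[(user, vendor)].add(action)
    return sorted((u, v, a, b) for (u, v), acts in done.items()
                  for a, b in rules if a in acts and b in acts)

if __name__ == "__main__":
    for finding in access_conflicts(USER_ROLES, ROLE_PERMISSIONS, SOD_RULES):
        print("access risk:", finding)
    for finding in exercised_conflicts(ACTIVITY_LOG, SOD_RULES):
        print("exercised conflict:", finding)
```

The first check is what a periodic access review would surface; the second is the kind of event a conflict report would flag for a manager.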
7 out of 10 audit firms
Paterson says that the ERP Maestro platform exists to automate the monitoring, detection and prevention of internal cybersecurity risks in SAP systems, minimizing potential breaches and fraud and accelerating remediation. This software is used by seven of the world’s top 10 audit firms in line with governance, risk, and compliance (GRC) processes.
In May this year ERP Maestro announced the completion of a US$12 million funding round, bringing its total capital raised to $20 million. The new capital infusion was initially led by Aspen Capital, with further investment from AdvancedStage Capital.
“Most companies struggle under the time-intensive and labor-intensive processes of managing ERP access and meeting compliance reporting and auditing requisites, especially if they are performing these tasks manually. Automated controls are a critical part of a company’s total cybersecurity defense and compliance solutions,” said ERP Maestro’s Paterson. “Because our platform was built from the ground up as a cloud-deployed system, we have agility and the capability to extend into other security market segments.”
With what is claimed to be over 60 percent of cybersecurity threats occurring within the walls of companies, having automated controls and processes has arguably become more critical today to prevent potential fraud, improper access to sensitive data and mishandling of information.
It’s worth reminding ourselves that companies running any other major enterprise data platform typically have hundreds or thousands of employees touching the system, exacerbating the potential risk. For this reason, periodic user access reviews are crucial for companies, especially those subject to Sarbanes-Oxley compliance.
“Many companies allocate staff to this problem, but unfortunately this ends up costing companies more because of internal costs and an inability to prove completeness and accuracy,” said Paterson. “The result is control deficiencies reported to shareholders. Nobody wants this. Scrutiny is increasing as of late.”
Will ERP Maestro extend its reach and capabilities outside of the SAP realm where it started? Paterson concedes that, yes, his firm’s long-term goals do include work to provide the same kind of functionality across other ERP platforms.
“While at KPMG, I recognized this need and built the solution in my spare time. I even asked KPMG to fund the initiative, but this was not a part of its business strategy at the time. Ultimately, they [KPMG] have become our customer,” said Paterson. “We’ve been the first to market in delivering this type of software built from the ground up as a cloud solution. This means that even though we may not be the least expensive platform, our total cost of ownership is a fraction of the cost of other on-premise or hosted solutions, even if other vendors give their software away for free. More importantly, within an hour, you get value. This is important because many customers who come to us have deficiencies that need to be addressed straight away.”
In terms of new product updates, June 2018 saw ERP Maestro announce the availability of Access Reviewer, a feature that the firm says will help businesses automate user and access certifications, traditionally a difficult control. CEO Paterson has explained Access Reviewer as software that solves the problems caused by manual processes by making reviews intuitive for reviewers who have to understand the risk behind the access they are approving. Admin is also easier, with less than 20 minutes needed to create a review and the ability to automatically and centrally manage the entire process.
Once again it’s a case of automation everywhere. We are now far enough down the road with certain applications of technology to find ourselves in a place where we have an opportunity to automate. We know what should happen when and where, so we can build automation controls to make those things happen and also look for anomalies that represent behavior that is potentially detrimental to system health.
The ‘trouble’ (if it really is a problem) is that big system vendors sometimes fail to produce automation controls in a form that is simple to implement, affordable to buy, easy to integrate, flexible enough to grow ‘webscale’ (i.e., when cloud models allow for massive growth as big as the web) and easy to use from a visual user’s perspective.
These ‘realities’ form perhaps some of the rationale that has led to ERP Maestro and many other new and emerging software tools.
Users want software mechanics delivered with automation intelligence whether they themselves know it or not. Business itself is certainly waking up to the idea. Let’s dive into more of the so-called Industry 4.0 as it happens.
The revolution will be automated.