In recent days, both noted GRC pundit and analyst Michael Rasmussen and consultant James Roeske sat down with Dave Hannon of SAPinsider to answer questions regarding GRC frameworks and SAP Access Control 10.0.

First, Michael provided insights on topics including:

  • Common mistakes in setting GRC strategy
  • The role of technology in a GRC strategy
  • The one true definition of GRC
  • How to drive collaboration in your GRC program
  • Importance of GRC maturity and integrity
  • Selecting the right GRC solution for your organization

You can hear the full podcast here:

James, who is CEO of Customer Advisory Group, discussed getting the most "bang for your buck" with SAP Access Control 10.0. James discussed topics such as:

  • New features in the 10.0 release
  • Enhanced integration with other SAP solutions for GRC
  • Important technical- and business-level considerations before implementing or upgrading to 10.0.

You can listen to the full podcast here:

In addition, both Michael and James will present at the upcoming GRC 2013 conference in Las Vegas from March 18-22.

Michael will lead two pre-conference workshops on March 18:


James will present two sessions on March 19:


Matthew Moore

Conference Producer, GRC 2013

Follow me at @mattmoorewis

Many organizations do far too much work on these areas, primarily because they scope the work in isolation from their top-down approach to the identification of key controls. They base their scope on good business practice, and/or a list of ‘rules’ from a consultant or software vendor, rather than focusing on the access limitations necessary to prevent an action that might lead to a material misstatement of the financials.

The following discussion is taken from my book, Minimize Costs and Increase the Value of Your Sarbanes-Oxley 404 Program: Management's Guide to Effective Internal Controls, published by and available from the Institute of Internal Auditors (just $35 for members in hard copy, $25 as a PDF download).

Segregation of duties and restricted access controls must be identified, assessed, and tested where they are key controls. (A key control is one that is relied upon to either prevent of detect a material misstatement of the financials.) Key SOD and RA controls include those that:

  • Are required for an authorization control to be effective. For example, if the business control requires that all purchase orders be approved in the system by the purchasing manager, it is critical to ensure that only the purchasing manager has that capability.
  • Reduce the risk of a material fraud that could be reported incorrectly in the financial statements.

With restricted access and segregation of duties, there is a risk of doing more work than is required for Sarbanes-Oxley. While there are excellent business reasons for restricting access to only those functions individuals need to perform their assigned tasks, it is important to remember that only fraud risk that is both material and also misstated in the financials is within scope for Sarbanes-Oxley.

This last point is important. Many companies test SOD using a standard set of “rules” (combinations of access privileges deemed inappropriate) that have been provided by a consultant or vendor. While they may represent a risk to the business (at least in theory), they may not represent a risk of material misstatement for your organization. The rules used to drive SOD testing should be based on the top-down, risk-based approach described above, to support a key control or reduce the risk of a material fraud.

As an example, at a company where I was responsible for the Sarbanes-Oxley program, both the external auditor and the internal auditor (at that point, the internal audit activity was outsourced) had tested user access consistently for several years. They each used a standard set of more than 150 rules to identify (a) access to important ERP transactions, and (b) SOD conflicts where one individual would have the ability, using a combination of ERP transactions, to commit a fraud. When the Sarbanes-Oxley team changed to a risk-based approach, concentrating on testing access rights that represented a risk of material misstatement, the number of rules was cut to about 20.

Is your SOX scope based on a top-down, risk-based assessment when it comes to SOD and RA?

Please share how many rules you test (tests of SOD and/or RA).

Recently, two of the Big Four accounting firms released reports that address the increasing importance of the CIO. PwC published their 5th Annual Digital IQ Survey and Deloitte issued an Audit Committee Brief on the topic of “Understanding the CFO and CIO Dynamic”.

The short discussion by Deloitte provides advice for members of the audit committee. The authors say that “The ability to mine data and drive insight from a company’s numerous systems has highlighted the importance of an effective relationship between the CFO and CIO”. They refer to an earlier Deloitte publication, CFO Signals, which found that “only a little over half of the CFOs said they have the information they need to manage the business effectively, and about one-third expressed a neutral opinion”.

It is understandable that the Deloitte piece focuses on the clear and troubling problem that CFOs and other executives are making decisions without the benefit of the information they need, both on performance and risk. It is also understandable that their advice to the audit committee brings in the issue of financial reporting risks. But, I think there is more that the audit committee and the board as a whole should be concerned with, let alone the CFO, than that the CIO has aligned the activities of the IT organization with the strategies set by top management.

Rather, I think the CFO and the board should be asking whether the CIO is sufficiently involved in helping to set the strategies and vision of the organization.

I found the PwC contribution more useful. Although the paper talks about ‘collaboration’ between the CIO and the top executives, the value is clearly highest when the executive team – with the CEO as active champion – recognizes that “technology is a critical driver of business value”

PwC talks about “Strong Collaborators” and how these companies outperform their rivals. They say “Strong Collaborators are those that said that the CIO has a strong relationship (4.5 out of 5 or better across all relationship pairs) with members across the C-suite: CEO, CFO, CMO, CRO, CSO, CISO, and business unit leaders”.

Here are a couple of key excerpts, but I recommend reading the entire 9-page document:

  • “Naturally, companies with high Digital IQ understand which technologies will provide the greatest business benefits, leveraging the tools and platforms to optimize processes and improve overall performance. Our analysis shows that Strong Collaborators are more likely to aggressively invest in the four key digital technologies—mobility, cloud computing, business analytics and social media—than other companies.”
  • “Our survey found that companies with collaborative C-suites intertwine business strategy and information technology and are often rewarded with stronger company performance. They can also adapt quickly to market changes to maintain an advantage over competitors.”

PwC addresses the need for information to drive decisions. They say “Strong Collaborators are more likely to integrate internal and third-party data to better support decision-making, a critical step to provide senior leaders with the insight to make the right choices.”

But the key for me is that the CIO moves out of a role as the janitor and enters the organization’s executive team to drive the organization forward. PwC captures this with:

“CIOs of Strong Collaborator companies tend to not only ensure that technology initiatives are in step with the business plan but champion innovation across the enterprise.”

I welcome your views and comments. My recommendation is that CFOs and members of the audit committee review the two papers together and consider whether the role and relationship of the CIO within the organization is as effective as it should be.

Security Guide

SAP Access Control™ 10.0 / Process Control™ 10.0 / Risk Management™ 10.0


Please find the the same in the below link :



Since the announcement of SAP GRC 10.0, every organization wants to migrate from 5.3 to 10.0


Hence I would like to start this blog with some questions of Migration from 5.3 to 10.0.


1. Why do every customer has to migrate it to  SAP GRC 10.0?


2. What are excellent features exist between GRC 5.3 to 10.0?


2. Will my current GRC technology infrastructure suffice?


2. Will the cost justify the return?


3. What will be migration impact?


4. What is the average time for Implementation?


5. At anytime can we get a Audit reports?


I welcome your views and commentary.

The Aberdeen Group has a new research report out on Fighting Fraud with Big Data Visibility and Intelligence.


The report includes a useful review of the risk and cost of fraud. (Note that it errs when it refers to ‘tips’ as being external: these are typically calls to the internal compliance hotline or whistleblower line.)


What is new in the report is the discussion of the ability to mine the mass of Big Data, perhaps with predictive analytics, to understand and assess fraud risk, and also to monitor for red flags that indicate an investigation is warranted. As the report says:


“Rapid changes in information technology infrastructure are increasing the difficulty of maintaining high levels of preparedness simultaneously against all threats. In response, organizations are adopting enhanced strategies for fighting fraud: from 100% success at prevention, to greater visibility, faster detection and incident response; from “figure out what already happened” using post-incident forensics, to proactively “figuring out what’s happening” using Big Data and predictive analytics.”


Unfortunately, Aberdeen’s research showed that only about 16% are using predictive analytics for the detection and prevention of fraud.


Why is this? I suggest it’s from one or more of these factors:


  1. Those responsible for fraud prevention/detection are not aware of the capabilities of the new technology
  2. Those responsible for fraud prevention/detection are (justifiably or not) content with the ‘older’ technology
  3. Priority and/or resources are not given to fraud prevention/detection


I welcome your views.

I admit to criticizing my “alma mater”, PwC, for much of their thought ‘leadership’ over the last years.

Today, I come to praise PwC, not to bury it.

They have published an excellent guide for boards that merits reading not only by board members but also by all those responsible for management of IT, risk management, and internal audit.

Directors and IT: What Works Best suggests a six-step process, what they refer to as an IT Oversight Framework, that I believe should be effective for the majority of organizations.

Why is this important? PwC answers:

  • “The pace of change in this area is rapid, the subject matter is complicated, and the highly technical jargon used to describe emerging and evolving risks makes this a challenging area. And companies are relying more and more on technology to get ahead, often prompting substantial changes in how they operate.”
  • “Many directors are confused by and uncomfortable with overseeing IT. They sometimes don’t have an adequate understanding of the subject to be effective and confident in overseeing this area. And they do not necessarily have a well-defined process to help them in fulfilling this very important responsibility. Together, these factors can create an “IT confidence gap.””
  • “Directors are hungry for more information about the company’s approach to managing IT strategy and risk and believe they do not get enough information from management: 67% indicate their company’s approach to managing IT risk and strategy provides them with only “moderate” information to be effective or the information “needs improvement.” Many directors want more comfort regarding IT activities so they can sleep better at night.”

The six step process is described in detail in the guide. Here’s is my summary:

  1. Assessment: Understand the role of and reliance on technology – in the industry in general, and as it affects the organization in particular. As PwC says: “Conclude how important IT is to the company’s success”. But a word of caution – see #4, below
  2. Approach: Who will provide oversight of IT and technology, and how?
  3. Prioritization: Of all the technology-related activities, which merit priority attention?
  4. Strategy: In many ways, this is the most important area of focus. Most organizations are highly dependent on technology to advance – much more so than is evidenced by the responses to PwC’s study. Frankly, as intimated by PwC, when 87% directors and executives fail to indicate that reliance on technology is critical, it indicates myopia or outright blindness to the future.  PwC reports that “Nearly half of directors believe the board’s ability to oversee strategic use of IT is less than effective”. However, they also say that “Most CEOs of global companies say technology is the number-one factor that will impact their company’s future in the next three years; they believe it will be even bigger than changing economic and market conditions”.
  5. Risk: As PwC indicates, technology is a source of risk to the business, and technology-related issues need to be ‘baked’ into the risk management oversight process
  6. Monitoring speaks to the continued need for oversight, not something you take on once a year

This is, in my opinion, an excellent starting point for oversight (and management) of technology.


  • My advice is to start looking at technology as the subject of discussion rather than IT. The IT function or department only manages or directs part of the investment in and use of technology across the organization. In fact, much of the budget and decision-making when it comes to technology is increasingly outside the IT function – especially when it comes to the use of technology for marketing
  • New technology and related issues change constantly, so don’t limit yourself to the subject areas introduced by PwC. For example, I think the announcement on January 10th by SAP that they now enable organizations to run their ERP systems (including manufacturing capacity planning and other complex and calculation-intensive applications) in memory, and as much as 300,000 times faster, is amazing and may transform traditional computing.
  • Boards need to understand that IT is no longer a utility that provides a platform for the business. In most cases, it is a vital and integrated element and capability for strategy and execution. Separate discussions on IT and strategy, or even organizational performance, may soon have to disappear

I welcome your views and commentary.


I truly believe that amazing developments are arriving that will make future decision-making far more effective. I want to talk about two in this post; admittedly one is more a hope and the other more a prediction.


The prediction can be expressed this way:


In the near future, which is getting nearer every day, decision-makers will have moved from an experience-based process to an information-based process. They will have reliable, useful information delivered to the palm of their hand in near real time that will let them make better decisions faster.


Until now, those making decisions have placed great reliance on their experience and ‘gut’ when making decisions. The information they have is typically historical, days if not months old. At times, the information is buried in reports or in a form that is not immediately useful. Studies have shown that even when the data exists within the organization and it is possible to ‘mine’ it to produce the information they need, managers don’t know how to get it – or it takes too long.


In the absence of information on today’s state of affairs and trends, decision-makers rely extensively on their experience its results. Their decisions are not always the best.


I think we would all agree that you can make better decisions with better information. Better being faster, more current, more useful (e.g., highlighted for you, not buried).


IDC captures much of what is happening when it says, in its 2013 predictions: “The ICT industry is in the midst of a once every 20-25 years shift to a new technology platform for growth and innovation. We call it the 3rd Platform, built on mobile devices and apps, cloud services, mobile broadband networks, big data analytics and social technologies.”


It’s not only that we have cloud, big data, mobile, social, in-memory computing, predictive analytics, and more. It’s that organizations are deploying a combination of these technologies to deliver near-real time insights, in a useful form (such as dashboard on mobile devices) that enable better decisions at speed.


Note that last phrase: ‘at speed’. George Patton would love this technology, because being able to make decisions faster (when based on reliable and current information) is a sure recipe for success.


Now, we have the ability to mine that incredible mountain of big data, completing analysis in seconds instead of hours, and deliver the results to the manager’s tablet – wherever she is. If the manager needs to get more question, another dive into the data (i.e., another round of analytics) can be completed in seconds.


There isn’t time or space to explain or discuss all of the new technologies. But I would be happy to answer questions (please post in Comments).


The hope is that as organizations improve their understanding and practice of risk management, it will move from a separate and distinct activity to an integral and necessary part of decision-making. No decision can be a quality decision unless the potential effects of that decision – and alternative decisions - are understood. No decision can be a good decision without reliable, current, useful information on uncertainty, both the good and the bad that may lie ahead.


Every manager will become a performance and risk manager. You can’t optimize long-term performance without optimizing potential outcomes – the essence of risk management. The risk officer becomes more of a mentor and coach, and nobody sees them as responsible for managing risk.


I welcome your views and commentary.

We've been running Virsa/Compliance Callibrator/SAP GRC for quite a while now. When we first started the project and ran the first analysis it turned out that we were in much better shape than many people expected, certainly our external consultants. Apparently, many organisations end up with a 7-digit violation count first time around, if viewed at permission level. We had a little over 50,000. That's been reducing slowly over the course of a couple of years now, until eventually, today, we got this:


Celebrations all round


Making big reductions in that number is always easy at first, and gets progressively harder as time goes on. We've been below 1,000 violations for the last 12 months, below 500 for 6 months, and below 100 for 4 months.


We've used a few mitigations, and in a handful of places had to use Firefighter where there just aren't enough people, but mostly this is proper segregation of duties. If you are embarking on the same process and can't see the light at the end of the tunnel, take heart - it is hard work, but zero violations is possible!


Next step - an upgrade to GRC 10.0...

We all have high expectations to reduce risks in our SAP environments.  The objective which we chose to take was to get clean and stay clean.  Management has further decided to track our every move from the risk analysis dashboards.  Oh, Big Brother! Are violations going up or down?  With this kind of visibility, you want to address risks prior to provisioning access.  But how do you do this when the GRC Access Control 10 application forces you to choose one default risk? What if you have rules for critical authorizations in addition to segregation of duties?  How can you be sure that the default risk type is not removed?


These are all questions that we ask ourselves as we perform a detailed analysis of our violations. We identify additional unmitigated risks that are being introduced into our GRC control environment.  We spent weeks identifying the root causes of these newly introduced risk violations.  Since our task is to get clean and stay clean, what could we do to prevent these new violations?  Prior to recent changes, the GRC 10 application only allowed a single default risk type through configuration.  The application provided flexibility to choose one of the five risk analysis options as a default, but by only having a single default parameter you may allow unmitigated risks to be introduced into your environment.  If you were proactive, you may be able to mitigate some risks prior to them being included in the management dashboard.  But is our job to perform multiple manual processes to reduce risk?  I believe there are more important tasks than to constantly monitor new violations manually.  Isn’t that what the application is for? Yes!


With recent influence activities you now have more flexibility.  If you wanted to select all five risk analysis types as defaults on an access request you could.  However, choosing all of the risk types introduces a second issue of false positives.  These are issues when a user technically has access to a transaction (Action) but does not have the required authorization object values to create the risk.  I personally would not recommend selecting all risk types but rather select those appropriate to your environment which will force mitigation of risks prior to provisioning.  The five risk types on a standard GRC Access Request are as follows:


parm 1023 risks.jpg


This new option is available in SAP Note 1776542 (UAM: Multiple values for default report type not possible).  If you are on GRC support package 10 or less, you can manually implement this note.  The solution is currently scheduled to be included in GRC support package 11.  Without applying the note and performing the manual steps, you can only select one default risk type for GRC configuration parameter 1023.  After the note is implemented you have flexibility that was not previously available through configuration.  You could have provided this through careful custom coding but the ability to apply notes within a complex environment would create new support issues.  After applying the note you are allowed multiple parameter 1023 entries in the GRC configuration.


parm 1023 config.jpg


With this note our mission is almost complete.  Our next agenda item is to prevent the user from unchecking the default risk types within the request.

Last week, I had the honor of being the opening keynote speaker at the Compliance Week West conference in Palo Alto. As we gathered, I chatted with a couple of friends from a large technology company. They told me about some amazing things they are doing with the latest technology (including from SAP and its partners) to improve their risk and compliance activities. This company is not alone and I am hearing stories from companies in all different sectors and geographies almost every week.


For example:

  • One company is continuously monitoring hundreds of millions of transactions for indicators (red flags) of potential fraud. While organizations have been doing this on a monthly basis for a long time, the latest in-memory technology provides speed improvements - up to 300,000 times faster than just a year ago – that let them monitor transactions almost as they are processed. Now, they can intervene and take action quickly and close down anything improper very quickly.
  • A large bank is using some of the same in-memory technology to monitor signs of money-laundering. With the massive fines being levied by the government and regulators for anti-money laundering (AML) compliance failures, this has become a critical activity for financial services organizations. The power is now available to monitor the literally billions of transactions processed every day.
  • An IT organization has moved its information security threat risk assessment tool onto an in-memory platform. Previously, the tool was limited to assessing intrusion risks by analyzing a sample of intrusion attempts. As a result, its accuracy and reliability was limited. Now, it does its assessment based on the full history of intrusion attempts.
  • SAP is one of many companies that use social media monitoring technology (sometimes referred to as sentiment analytics or text analytics) to monitor what people are saying about the company; this keeps their fingers on reputation risk.
  • SAP’s internal risk management function is in the process of deploying mobile risk analytics. Linked to our enterprise risk management system, this mobile app will enable every manager to see and dive into the risks they own. It is enabling risk management to be “embedded” into daily management of the business.
  • Other companies are using new technology to improve their monitoring and communication of risks across the organization. It is great to go to a conference, such as Compliance Week West, and see the growing maturity of risk and compliance solutions showcased by vendors, some with integrated risk monitoring capabilities.


The ability to monitor risk and compliance in a more dynamic fashion that is responsive to change delivers power and value to the organization – and to the contribution that can be made by risk and compliance professionals.


But, I hear you say, risk and compliance functions don’t have the money to spend on expensive new toys.


That is true, but the majority of companies are either acquiring or actively looking at the new technology to improve business operations – especially to leverage so-called Big Data, but also to improve the analytics used to make decisions and run the business.


Risk and compliance professionals should be looking for the opportunity to leverage the technology their organization is acquiring for other purposes. That is what my friends at the Silicon Valley technology giant did.


What to look for? Here’s a partial list of new technology to power risk and compliance:

  • In-memory computing (sometimes this is called in-memory analytics, sometimes just as a platform or a database. SAP’s solution is called HANA)
  • Predictive analytics
  • Mobile analytics (sometimes referred to as mobile business intelligence, or mobile BI)
  • Risk monitoring, including event monitoring (where a real-time agent tests individual transactions against rules as they are processed)
  • And more, such as these solutions from Wipro


I would love to hear what you are doing with the new technology to improve risk and compliance effectiveness and efficiency.

The Department of Justice and the Securities and Exchange Commission have just released A Resource Guide to the U.S. Foreign Corrupt Practices Act (the link is to the Department of Justice’s web site, which summarizes the guidance and has a link to download a PDF of the Resource Guide).


The Introduction states:

"This resource guide, prepared by DOJ and SEC staff, aims to provide businesses and individuals with information to help them abide by the law, detect and prevent FCPA violations, and implement effective compliance programs."


I am not an attorney, so will not provide additional highlights in my normal fashion. Instead, I have included links to legal firms’ and experts’ analyses.


Clearly, this should be read by internal audit leaders around the world (remember: most of the legal actions under the FCPA have been against non-US corporations).

A recent whitepaper by Michael Rasmussen titled “Anti-Bribery & Corruption: The Good, The Bad, & The Ugly” discusses how over the past 18 months the sentiment at the DOJ has shifted from somewhat passive to a proactive approach of requiring multi-national companies to demonstrate they have process checks & balances in place to alert them to any Foreign Corrupt Practices Act (FCPA) event.


With this new direction from the DOJ and the expanding regulations, increased fines and sanctions around the world, today’s organizations need preventative and detective measures to monitor for corruption. A proactive compliance program that includes Transaction Monitoring demonstrates strong controls that can help shield a company from liability.


This paper discusses how transaction monitoring eases the anti-corruption compliance burden by delivering operational effectiveness, human and financial efficiency and agility to compliance processes by monitoring the transactions and the personnel that perform them, and detecting and preventing bribery, corruption and other types of fraud.


To learn more go to:

Deloitte has done a good job summarizing some of the fast-moving developments and applications of the latest business technology in their Tech Trends 2012: Elevate IT for digital business. The summary page includes a short video discussion that is worth reviewing before reading the report.

The publication lists and discusses 5 “disruptors” and 5 “enablers”, each of which are interesting topics.

The disruptive technologies are:

  • Social Business
  • Gamification
  • Enterprise Mobility Unleashed
  • User Empowerment
  • Hyper-hybrid Cloud


The enabling technologies are:

  • Big Data
  • Geospatial Visualization
  • Digital Identities
  • Measured Innovation
  • Outside-in Architecture


Here are some of the points that caught my eye:

  • It’s an uncommon, and perhaps even unique, time to have so many emerging forces – all rapidly evolving, technology-centric and each already impacting business so strongly. Whether or not you have previously thought of your business as inherently digital, the convergence of these forces offers a new set of tools, opening the door to a new set of rules for operations, performance and competition. This is an opportunity for IT to truly help elevate business performance.
  • Each of these 2012 trends is relevant today. Each has significant momentum and potential to make an impact. Each warrants timely consideration. Forward-thinking organizations should consider developing an explicit strategy in each area – even if that strategy is to wait and see. But whatever you do, step up. Use the digital forces to your advantage. Don’t get caught unaware or unprepared.
  • Leading enterprises today are applying social technologies like collaboration, communication and content management to social networks – the connected web of people and assets that impact on a given business goal or outcome – amplified by social media from blogs to social networking sites to content communities. Yet it’s more than tools and technology. Businesses are being fundamentally changed as leaders rethink their core processes and capabilities with a social mindset to find new ways to create more value, faster.
  • Millennials joining the workforce are wired to use social and mobile channels to bond, socialize and solve problems. Organizations that lack internal, governed social media and computing channels may find their younger employees using public tools as a well-intentioned, but risky, alternative.
  • Mobility has evolved from an issue within a few niche industries and functions (think oil & gas and logistics services) to a potential source of innovation across wide-ranging vertical industries, processes and business models. And while many of the underlying components have been evolving for decades, the break-out potential is only now being realized.
  • Early experiments in business-to-consumer and early business-to-business scenarios are leading to more compelling, complex applications across the enterprise value chain, making integration, security and manageability more critical.
  • Organizations need policies and tools to authenticate users; control devices, applications and data; provide end-to-end encryption while at rest, in flight and in use; run content filtering and malware protection; and allow security event monitoring, logging and response. Security policies and profiles should be tied to specific users and scenarios, focusing remedies on likely incidents, not the infinite range of risk possibilities.
  • Developing, deploying and supporting mobile solutions is quite a bit different than traditional IT. Doing it well requires a special blend of business insight, deep technical chops and strong design. Companies that recognize this required mix of business, art and science can set themselves apart from their competition and help to reshape entire industries.
  • End users have plenty of opportunities to bypass IT and procure off-the-shelf or low/no-code solutions that are just good enough to meet their needs. Through mobile and desktop application (app) stores, cloud-based marketplaces and rapid development and deployment platforms, business stakeholders are one swipe of the corporate credit card away from procuring rogue “almost-enterprise” applications to fulfill their unmet needs. As a result, CIOs should consider adopting a design-led, user-centric approach to new application development, while also accepting the inevitability of business users directly sourcing apps. BYOA (bring your own application) will likely become part of many organizations’ solution footprints.
  • Whether your organization will shift to cloud services is unlikely to remain an open question. The question now becomes how that shift is likely to happen. Will your approach add complexity to your technology environment – or will it bring elegance and simplicity? The choice is yours.
  • The potential of big data is immense. Remove constraints on the size, type, source and complexity of useful data, and businesses can ask bolder questions. Technology limitations that once required sampling or relied on assumptions to simplify high-density data sets have fallen to the march of technology. Long processing times and dependencies on batch feeds are being replaced by on-demand results and near real-time visibility.
  • Organizations that put big data to work may pursue a huge competitive edge in 2012 – and beyond.
  • These emerging technologies are driving business transformation and bold new applications – sources of both sustaining and disruptive innovations. Social business and enterprise mobility are changing the way business is conducted and, increasingly, allowing new operating and business models to emerge. IT organizations should be educating their business counterparts on the potential of these new technologies – and preparing for the groundswell of demand once the implications are understood.
  • Creating a vision for driving innovation is the often-forgotten third role of CIOs. Beyond running the business of IT and delivering IT to support the needs of the business, CIOs should be leading the charge toward innovation through emerging solutions and technologies.


What does this mean for boards, executives, and risk and assurance professionals? My view:

  1. Does your organization have an organized strategy and plan for adopting and optimizing the use of technology? This applies both to the technology that is selected and the technology that is not selected
  2. Are the CIO and his team working cooperatively with the business? Are priorities shared? Is the business doing its own thing? Is IT a visionary leader, or a reluctant irrelevance?
  3. Are the risk, compliance, control, and information security functions involved early and throughout the strategy-setting and deployment phases? Are risks and controls thought of before or not until after there is a problem?
  4. Are you sure you will not be left behind by a competitor who leverages the new technology better than you?


I welcome your comments and perspectives.

This year, the Aberdeen Group has released two linked papers on mobile BI (business intelligence). They are both available with free registration:


Their message is clear: putting access to information in the hands of management and employees improves the timeliness and quality of decisions, and helps enable improved performance.


Mobile BI (described here) refers to the ability not only to see dashboards and other visualization of information on mobile devices (tablets and smart phones), but in most cases to analyze that data directly on the device. Generally speaking, the device is connected over the internet to enterprise systems so that the data is current and subject to corporate internal controls.


Key points include:

  • 46% believe that mobile BI will give them a competitive advantage
  • The average time to make a decision is just 66 hours for those with this technology enabled compared to 190 days without


What does this mean to board members, risk, and assurance professionals?

  1. Board members can get not only their board books on their iPad, but intelligent dashboards that enable them to drill down into and explore the numbers
  2. Board members, executives, and practitioners can get real-time alerts of changing conditions delivered to the palm of their hands for rapid response
  3. Risk information can be delivered to managers, enabling them to make business decisions based on the risks today (assuming risk monitoring is in place)
  4. Practitioners can continue to monitor risk conditions even when not at their desks. In addition, they can monitor performance – and I continue to assert that Key Performance indicators provide a window into how well risks are being managed
  5. Internal auditors can explore CAATS on the go! This new technology is simple to use and will improve the quality of the audit
  6. Internal auditors should consider the quality of information when assessing internal controls. After all, Information and Communication is a COSO component!


I welcome your comments and perspectives.


Filter Blog

By author:
By date:
By tag: