The Dotcom boom of late 90’s, also saw some major corporate scams like Worldcom, Enron & Adelphi. Some national headlines in US media (“Data theft at nuclear plant went unnoticed for six months” – June 10 , 2006 New York Times, XYZ Manufacturer violates EU pollution laws” – July 06 2006 CIO Tech Informer “US imposes record $100 Million penalty for export control violations” – March 27, 2007 Washington Post, etc.) would accentuate the changed milieu. This necessitated a major emphasis on data security & vigorous audits (financial / system audits). Sarbanes-Oxley (commonly called as SOX) act came into existence. (The sections of the bill cover responsibilities of a public corporation's board of directors, adds criminal penalties for certain misconduct, and requires the Securities and Exchange Commission to create regulations to define how public corporations are to comply with the law). There was a growing need of more transparent corporate governance, a well-designed whistle-blower policy framework & detail audit log (of who did what & when).
IT firms took these challenges into cognisance & turned it into opportunity to come up with security solutions, seamlessly integrated with organizations’ ERP softwares. ERP players like SAP acted upon it swiftly & integrated security solutions into SAP under a growing niche product suite called GRC (Governance, Risk & Compliance). SAP’s GRC 10.1 suite handles it through 3 sub-modules of
Access Control, Process Control & Risk Management.
- Access Control – It involves managing user roles, who will (& who can) do what in the systems. The principle of Segregation of Duties (SoD) needs be considered while providing access. A simple example of SoD is, never to provide the same user access of creating new vendors as well as issuing/printing cheques. Giving too little access to user hinders work, whereas giving too much access attracts risk, so due care needs to be taken while designing access control. It also involves super user management & emergency access management.
- Process Control – This involves checks and balances built into the business processes to avoid/minimize occurrences of fraudulent activities. There are three different types of controls need to be designed: Preventive Controls, Detective Controls & Corrective Controls. The other way to look at building a healthy internal control environment is, following below 5 steps. 1. Documentation 2. Testing 3. Remediation 4. Analysis 5. Optimization. (The details under each will be covered in a separate article)
- Risk Management – It helps reduce the risk of failing to comply with the regulations for financial reporting, trade regulations, factory act/s & environmental protection. At a very high level, Risk Management involves: Identify the risks, analyse the risks, identify risk owners & coordinate responses.
Considering the growing need of ERP-agnostic solutions, many IT consulting companies (like Infor Approva, Greenlight Corp etc) came up with GRC solutions which complement the ERP software (like SAP, Oracle, Microsoft Dynamics) or seamlessly integrate with it.
If we talk of India, the Indian corporate world was shaken by Satyam scam, Reebok India & a recent case in India’s top IT firm. In India, Clause 49 came into existence from 31st Dec 2005, for the improvement of corporate governance of all listed companies. (Which entails - It would be necessary for Chief Executives and Chief Financial Officers to establish and maintain internal controls and implement remediation and risk mitigation towards deficiencies in internal controls, among others)
In short, the question ‘Do-I-need-to-implement-GRC’ is no more relevant. Instead it should be, “What are we going to implement under GRC and when?”