Have you heard the phrase “risk is the new black”? It refers to the fact that what people thought was safe has now changed radically. As a result, organizations are now expected to provide investors, customers and regulators verifiable assurance that there are the necessary controls to manage risk, by ensuring segregation of duties, integrity of operations and auditability.
It is becoming increasingly common to hear auditors ask about:
- Oversight and control over transactions and operations
- Monitoring and documentation of information flows and business transactions
- Detection and prevention of accidental, and purposeful, changes that would increase risk and compromise business operations.
Before you ask your auditors to do a governance, risk and compliance assessment for your business you should consider whether your software system has addressed some key security issues:
- Access
- Control
- Monitoring
- Auditing
Access
This is a standard tool for software that includes logins and passwords and should give you access security for various levels within the application. These levels are, from widest to most detailed:
- The system
- Company
- Program
- Transactions
- Activity
- Field
This means that a user’s access can be limited down to a fine level – not just to a program, but also to details of the data, such as specific warehouses, and branches.
Control
Your software system should be configured to suit your organization’s control requirements. These controls enable business to ensure a much greater level of accountability, to promote segregation of duties, and tom implement traceability of activities throughout the system.
Operator control enables security to be managed at the individual level. Operators can be put into groups and sub-groups to align security administration to organizational division, such as departments and teams.
You can streamline controls further with role-based security. A default organogram provides a starting point for role management which can then be customized for different hierarchies.
Business processes can be defined against a general ledger code to ensure the code is used for appropriate transactions only.
Electronic signatures (e-signatures) secure transactions by authenticating the operator that performs specific transactions. E-signatures also provide traceability of who performed a transaction and when.
Monitoring
Monitoring can be done via:
- Event logging and management
- Triggers and alerts
- Role conflicts
These can be automated to provide continuous controls monitoring.
Events refer to activities on the system, whereas triggers and alerts can be applied in a client user environment. This functionality enables the identification of abnormal events which may potentially point to fraudulent activity.
Auditing
Does your system have a logging and recording facility which tracks when programs are accessed, and when changes are made to critical data, such as master file, company setup and operator information?
You don’t have to be a big or well established business to need good security and control. But you need to have a level of organizational maturity to effectively implement a proper governance and controls regime. The test is whether your auditors are happy that the necessary controls and standards are in place.
Have you asked your auditors to do a governance, risk and compliance assessment yet?
