August 24, 2009, 3:31 PM — The season of annual corporate audits has arrived. If you listen closely, you’ll hear controllers and their staffs lacing up their running shoes, preparing for the marathon of scurrying facing them. Few things are more painful for a CFO of a public company than to watch his or her finance team get consumed by compliance reporting for the annual audit fire drill.
In compliance reporting, the fundamental challenge is the manual labor involved in testing data and controls. When the auditors arrive, the finance department scrambles to address deficiencies and material weaknesses. That means scrubbing logs and running manual tests against the system to verify the integrity of the data and controls. If the auditors have a question, the team does it all over again.
The rise of application GRC can provide much-needed relief to the finance department. These automated GRC control systems continuously monitor the source data and key business controls for financial applications. By automating both their financial controls and related compliance reporting, companies can reassign their people to more constructive, profitable activities.
Annual audits truly reveal the value of continuous monitoring. Continuous monitoring is the only way to prove that something did not happen, that no change was made to the source data during the monitoring period. (Of course, continuous monitoring can also demonstrate what did happen to source data — as well as who or what made the change, the before and after values, and the remediation.) By giving companies a way to prove no change, continuous monitoring prevents the manual testing and review of unchanged data and controls that inflate compliance costs.
But application GRC is more than continuous monitoring. It’s also business application process knowledge — the actual controls and policies for a given financial application. That subject matter expertise is just as valuable to finance organizations as they prepare for their annual audits because it makes life easier. Application GRC gives finance organizations a pre-configured, off-the-shelf solution that puts controls and policies in place. In other words, application GRC doesn’t just continuously monitor the controls and policies. Application GRC is the controls and policies.
With annual audits upon us, finance departments are more sensitive to controls and policies, which are understood to be just as important as the technology used to provide compliance reporting. While that may have always been the case, controls and policies weren’t easy to review. They were primarily documented in Word documents, spreadsheets, and the like. You had to figure out how to implement them. Application GRC changes that equation. Now, the controls and policies are not only delineated, but implemented, in a continuous monitoring environment — all of which yields satisfactory compliance reporting and implementation of controls and policies.
Needless to say, companies have other options. Most consulting organizations identify normal business practices, controls and policies. And most do a great job. The challenge is that once the controls and policies are identified, the company has to implement them, and most wind up implementing them manually. Even big players in the GRC market have consulting organizations that go onsite, identify controls and policies, implement them, and then install software to monitor those controls and policies to make sure there’s something to report against.
Application GRC goes a step further. The system implements a series of standardized controls and policies as appropriate for a specific business application. It monitors not only the controls and policies but the data itself, and produces the compliance reports. And it provides a data-rich environment for passing compliance-related analysis to analytics programs and executive dashboards for better executive and compliance reporting.
The annual report is the flagship communiqué of the corporation. It’s where the CEO gets his or her message out to shareholders and the market at large. The last message any CEO wants to get out is an annual report filled with negative comments by auditors and material weaknesses that identify a lack of controls and policies in place. With application GRC, the CFO has the alternative to running shoes and the antidote to the annual audit, or any audit of financial applications.
John H. Capobianco is president and CEO of Lumigent Technologies, Inc., the first to market with automated financial controls for primary business applications to drive down the cost of regulatory compliance. Learn more about Lumigent at http://www.lumigent.com, and contact John at firstname.lastname@example.org.