We all know what it’s like to step on a bit of Lego and, to say the least, it can be a painful experience. But if you can avoid stepping on it and build something out of it instead, great things can come about as a result.
So, when it comes to governance and compliance audit regulations like SOX and, in the UK, the UK Governance Code, you can avoid a lot of pain by just making sure you have the right building blocks in place to create the perfect risk and internal control framework. This is even more important when you are running an ERP application like Oracle E-Business Suite. You simply don’t want to be in a position where evolving compliance regulations force you to look at other ERP applications.
With the constantly rolling EBS roadmap now extending to 2036, customers are in control of their own destiny, and many are deciding to stick where they are. At the same time, they are facing ever more complex requirements when it comes to meeting their auditors’ risk, compliance and cyber security demands.
The traditional approach is to throw resource and time at the issue and then pay auditors an extortionate amount of money to tick it all off once a year. However, clever companies are taking a different approach and leveraging software technologies not just to make the task easier but to build a robust framework that gives them the agility to respond to regulatory change as and when it happens.
An example of this was a large retail company that had several issues noted by their auditors related to their SOX audit. They had been trying for years to use the assessment from their external auditors, but finally the Public Company Accounting Oversight Board (PCAOB) put pressure on the auditors to have management do their own assessment. This retail company engaged CAOSYS and partner firm ERP Risk Advisors to evaluate their access controls and put in the necessary monitoring over configuration and master data changes. A combination of the CS Comply and CS Audit solutions from CAOSYS was the perfect solution! Additionally, they implemented CS Provisum PAR (Periodic Access Review) to help with their quarterly re-certification process. A perfect illustration of a company not just leveraging software technologies but also engaging consultancy services that knew exactly how to apply them to maximum effect.
Another perfect example was where a district county faced similar demands from their auditors. It had been years since they had analyzed their access controls. And they had never developed a population of changes to support their IT General Controls audit. Once again, the answer was a combination of CS Comply and CS Audit. Once these solutions were implemented, their auditors were HAPPY and remain so to this day!
Although the two stories above were clearly driven by pressure from auditors, in both cases finding the right solution to successfully overcome the risk and compliance challenges they had been set was a joint effort by all the relevant stakeholders. Having those responsible for making the right call work together meant that everyone felt they had their ‘bit of Lego’ with which to build an effective risk management program that met their needs, their departments’ needs and the needs of the company as a whole.
About the Author
Stephen Davis is Business Development Director at CAOSYS Limited. For the past 20+ years, CAOSYS has been a market leader in developing governance, risk, compliance and reporting solutions for Oracle EBS and Cloud ERP. The company strives to ensure that users of EBS always have the right answer to the ever-evolving compliance landscape.