Approva: Firm Grip on Controls
Low approval ratings are the talk of Washington, D.C., these days, but in nearby Reston, Va., Approva wins praise from customers for its financial management products despite the four-year-old firm's limited history.
Ed Dunn, manager of information technology with Graphic Packaging International, says he likes the overall features of Approva's BizRights controls-monitoring software, such as its easy-to-use report creator. Plus, he says, it does the job that two employees used to perform manually. "From what I can tell, Approva is just dead-on with this product," he says.
The Marietta, Ga.-based paperboard packaging maker implemented BizRights in 2004, to evaluate access privileges of 3,300 users across its SAP systems to meet Sarbanes-Oxley requirements. And Dunn's not finished: This fall, Graphic Packaging expects to deploy an updated version of BizRights that includes a workflow product that automates requests for access-control changes and generates reports for audits.
BizRights also helped Pratt & Whitney's compliance efforts lift off. Bob Barnhart, the company's director of information-technology business applications, says that at first, the East Hartford, Conn.-based aerospace division of United Technologies thought it could build its own application on SAP to set business rules needed for Sarbanes-Oxley compliance.
But while Barnhart's team was able to build the rules, they soon realized software companies like Approva had a lot more expertise with the regulation. "When Sarbanes-Oxley came around, it was much more prescriptive in what we had to do," Barnhart says. Because the company was concerned about "missing something," it abandoned its proprietary tool and implemented BizRights in 2004.
Pratt & Whitney now monitors 20,000 users of its SAP transactions systems worldwide with BizRights. Barnhart says the company uses information from the software to immediately shut down access to any employees who could potentially commit fraud (for example, by issuing payments to fictitious vendors in the SAP system that actually go to themselves).
UGS had a similarly enlightening experience. BizRights helped the Plano, Texas-based product development software maker reach compliance by weeding out thousands of segregation-of-duty conflicts on SAP systems among its 6,000 global users, according to applications security officer Dave Thompson.
This fall, Thompson expects to meld Approva's conflicts-tracking capabilities with a workflow function that should let UGS more effectively route reports and requests for access changes to appropriate managers.
Still, Thompson says there's one feature he'd like to change in BizRights. When the program spots a conflict, it displays a "view reasons" option to help a manager understand the risk. The problem, according to Thompson, is that BizRights floods administrators with multiple pages of detailup to 50before providing the actual reason for a conflict and how it can be prevented.
Approva, for its part, says customers can configure the amount of detail provided and the format for each type of conflict.
Meanwhile, Catherine Okano, I.T. operations manager with construction equipment maker Multiquip, says determining the return on her investment in BizRights will take into account the software's ability to hold down audit fees by catching conflicts before auditors do. That's because auditors usually go through a longerand more expensiveprocess when they find fraud risks. Says Okano, "That's when you start getting really socked in the pockets."