It sounds simple enough to steal from the coffers. Someone gets into a company’s order management system, creates a fake vendor and then submits payments, sending the check to himself via a post-office box or other ambiguous address.
The solution seems just as basic: identify the problem, find the source and block it from happening again. “Fraud occurs where there’s opportunity,” says Philip Upton, a Pricewaterhouse Coopers forensic accounting partner. “If you take away the opportunity, the fraud won’t occur.”
The Sarbanes-Oxley Act of 2002 put financial controls into the spotlight by requiring extensive documentation for and monitoring of access to key systems. Scrambling to find a way to meet the regulations, companies began testing financial control software that scans enterprise resource planning systems to find employees who have access rights that would let them circumvent corporate policies; in other words, cases where potential scams could occur.
In late 2002, just after Sarbanes-Oxley passed, the Reader’s Digest Association was “struggling” to meet its requirements, says Jim Carlson, vice president of commerce technology. The problem wasn’t rampant fraud; it was that Reader’s Digest wasn’t exactly sure what was happening in its Oracle financial software. “Quite frankly, before we started this, we didn’t know what we had,” Carlson says.
Homegrown efforts helped get the Pleasantville, N.Y.-based publishing and direct-mail company’s Oracle financial and supply chain systems to meet the legislation’s initial requirements. But in the future, Carlson wanted to manage the process without modifying any business applications.
To do that, Carlson and his team used software from Irvine, Calif.-based startup LogicalApps to build a set of rules governing access to Oracle. The software let them define conflicts and monitor them. Now, when a conflict is spotted (for example, an employee who has privileges to both create and approve payments), the program alerts two separate administrators, both of whom must agree to approve the overlap.
Using the software, Reader’s Digest has eliminated 100% of its conflicts, Carlson claims, though he wouldn’t say how many his team found initially.
When the landmark act passed in 2002, most publicly traded companies rushed to comply, either by building stopgap programs in-house or farming them out to consultants. Now technology executives say they’re looking to automate as many controls as possible.
Software providers, including Approva and Oversight Systems, popped up soon after Sarbanes-Oxley went into effect, offering a slew of capabilities. Since 2003, companies have spent more than $14 billion on tools, people and services to meet Sarbanes-Oxley requirements, according to AMR Research, and the firm expects that figure to spike above $20 billion by the end of 2006.
For Mark Van Holsbeck, director of enterprise security at Avery Dennison, relying on a person to find fraud risks was daunting. “There’s too much human error, potentially,” he says. About three years ago, the Pasadena, Calif.-based office supply maker went with Oversight Systems, an Atlanta company with roots in intrusion-detection software.
Oversight’s product provides continuous monitoring of Avery Dennison’s accounts payable, general ledger, action request and human-resources systems. The software cross-references hundreds of reports covering vendor pay and employee activity. Previously, those same tasks were done by staff, without any software to help.
Catherine Okano, information-technology operations manager at construction equipment maker Multiquip, went through a similar exercise in early 2005, when the company’s executives charged her with fixing problems auditors had identified in its SAP systems.
Okano opted for Approva’s BizRights. The software identified thousands of segregation-of-duties conflicts, and will allow her to shift the oversight responsibility away from the technology staff and back to business managers, who will use the program to monitor their workers’ activity.
BizRights “passes the ownership of the security to the proper people, so it’s not that it’s all with I.T. and has I.T. calling all the shots,” she says.
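The check that both the LogicalApps deployment at Reader’s Digest and the BizRights deployment at Multiquip describe (define pairs of privileges that must not sit with one person, flag every user who holds both, and let an overlap stand only when two separate administrators sign off) can be sketched as follows. This is an added example with constructed roles, users and rules; it is not code from either product or either company.

```python
"""Segregation-of-duties (SoD) conflict check over ERP-style access grants."""
from collections import defaultdict

# Constructed sample data: what each role grants, and which roles each user holds.
ROLE_PRIVS = {
    "ap_clerk": {"vendor.create", "payment.create"},
    "ap_manager": {"payment.approve"},
    "gl_accountant": {"journal.post"},
    "sysadmin": {"user.create", "role.assign"},
}
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},         # can create and approve payments
    "carol": {"ap_manager", "gl_accountant"},
    "dave": {"sysadmin", "ap_manager"},        # provisions users and approves payments
}
# SoD rules: two privileges no single user should hold, plus the reason they conflict.
SOD_RULES = [
    ("payment.create", "payment.approve", "create and approve own payments"),
    ("vendor.create", "payment.approve", "create vendor and approve payments to it"),
    ("user.create", "payment.approve", "provision users and approve payments"),
]


def effective_privs(user):
    """Resolve a user's roles into the flat set of privileges they actually hold."""
    privs = set()
    for role in USER_ROLES.get(user, ()):
        privs |= ROLE_PRIVS.get(role, set())
    return privs


def find_conflicts():
    """Return {user: [reason, ...]} for every user holding both sides of a rule."""
    hits = defaultdict(list)
    for user in USER_ROLES:
        privs = effective_privs(user)
        for left, right, reason in SOD_RULES:
            if left in privs and right in privs:
                hits[user].append(reason)
    return dict(hits)


def exception_approved(user, reason, approvals):
    """Dual control: an overlap stands only if two distinct admins (never the
    affected user) each signed off on this user and this reason."""
    signers = {admin for admin, u, r in approvals
               if u == user and r == reason and admin != user}
    return len(signers) >= 2


def open_conflicts(approvals):
    """Conflicts that still need attention after approved exceptions are removed."""
    return {u: [r for r in reasons if not exception_approved(u, r, approvals)]
            for u, reasons in find_conflicts().items()
            if any(not exception_approved(u, r, approvals) for r in reasons)}
```

The rule table is deliberately small; in practice the privilege pairs come from the finance and audit teams, and the approvals list is whatever workflow record the business managers sign.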
Return on Investment?
Since installing many of the controls is mandated by Sarbanes-Oxley, a lot of technology executives consider software expenditures a cost of doing business. When it comes to eliminating conflicts and assigning access, many companies say they aren’t saving money; instead, they’re avoiding having to spend money.
“You can’t measure preventive measures, because you’ve prevented things from happening,” says David Alkhazraji, director of information technology for Utility Service.
The Perry, Ga.-based company, which manages thousands of water towers across the U.S., uses LogicalApps’ software to analyze risk in its financial systems. The payoff becomes evident, he says, in using such software to report on access controls across the company, because it provides higher-quality data than maintaining that information by hand.
Others also justify their investment in fraud detection software in terms of a “must-have” piece of technology.
“We wouldn’t look at it from an ROI standpoint,” says Bob Barnhart, director of information-technology business applications for Pratt & Whitney, the aerospace arm of United Technologies.
Barnhart and his team deployed Approva’s BizRights to keep tabs on how 20,000 worldwide users were tapping into the company’s SAP systems. Eliminating conflicts and minimizing risk is payoff enough, according to Barnhart.
Simply put, he says: “The cost of not being compliant is something that we don’t even want to think about.”