FinWatch Systems

833-FIN-WATCH

info@finwatchsystems.com

I, like many, have experienced multiple cycles of buying and selling homes. Each time with a different home inspector. Each time paying for a different report with a different list of audit items. Each time realizing after the fact that something on that “comprehensive list” was missed. A true comprehensive inspection would simply take too much time and the cost would be prohibitive.

Auditing financial systems for SOX compliance is also a very time-consuming process. Typically, Finance and IT folks spend days each month documenting changes and the approval of those changes through an audit of their change management process with both random and pre-defined checks into their application and systems environment.

These checks are driven from a Top Down process to ensure compliance with internal controls. The IT Service Management application (such as ServiceNow) is typically used to drive the Change Management process and in turn provide a list of items to audit each month to check and to confirm that changes made to internal systems have been done in accordance with internal policy.

That is great for proving a positive… confirming that something that was supposed to have been done was done. But what about proving a negative? What about proving that nothing has changed other than the approved changes?

That’s where Bottom Up Continuous Auditing not only automates the process and saves Finance and IT time each month but is able to identify changes and issues related to compliance that are not on the approved change control list.

A Compliance Dashboard, and the monitoring system behind it, automatically scans the Finance System in order to document that no changes or issues have been identified. It is able to alert stakeholders to any key changes and issues while they are current and fresh… allowing them to be quickly resolved and/or documented.

As someone who has been responsible for running a managed application hosting provider that hosted the system of record financial software (Oracle Hyperion including HFM) for many publicly held firms, I have experienced many different public audit firms and their unique requests. I also know what they have not asked for that they really should have asked for in order to truly enforce SOX compliance from an IT/Finance systems standpoint.

There are four major areas that we looked at:

  • Security related changes (User and group level permission changes at the Application, Database, Operating System, Cloud network security definitions)
  • Daily operational metrics (Daily load file status, load file script and/or mapping changes, scheduler issues, disk space anomalies, performance problems, Windows patches)
  • Changes in business application logic (application scripting, business rules, schema changes, report definitions, patches/upgrades)
  • Backups and disaster recovery capability (application backups, server and cloud instance level backups)

Security related changes

There are many types of both interactive and non-interactive access provided at all levels of the financial systems software stack. Monitoring changes to user security can be very complex and the automation of this is critical in order to maintain consistency and apply Best Practices throughout your organization year after year.

There are many back doors available to the expert user in order to access your application data. In the case of Oracle Hyperion, not only are users able to be authenticated within your corporate identity management service such as Active Directory, but users can be created natively within the application and often hidden from daily oversight. Permissions for users can also be modified indirectly through group level actions. Additional Authentication systems can be added as another potentially temporary back door to gain access to your environment.

Your application database itself needs to be monitored for changes in permissions. It is critical to monitor new users being added or changed within the local database which has very little oversight.

What about users created at the cloud level? Is new, non-interactive, program-level-only access being granted to applications that could make changes to your environment? Are changes being made to the rules controlling internet access to your servers?

Finally, what about local users on your Windows or Linux servers? These are often created outside the normal provisioning process for legitimate temporary access and then forgotten about.

It is very easy to lose track of all these different access points to your server environment which can introduce critical risk and an audit nightmare. An automated system which monitors user and network security changes at each of these levels every day (both internal and external) is an absolute requirement for internal compliance.

Daily operational metrics

Monitoring Finance system operations is a critical component of compliance monitoring. Without the proper checks and balances on the daily processes that support the finance team operation, data can easily be corrupted.

Daily, weekly, or monthly data loads can be missed, loaded twice, or generate unacceptable errors when loading into your database. Connections to third-party systems can fail, causing a lack of data, and even minor software or operating system upgrades on source systems can cause issues in data extraction.

Changes in source-to-target account definitions are one of the most obvious checks and are usually performed by Finance Administrators. This can be a tedious and time-consuming process and is most often done after the fact, causing potential issues in flash reporting.

From a scheduling perspective, scripts that are meant to support data integration or any number of operational support requirements can fail without notice, causing substantial downstream impact.

Disk space issues, CPU performance problems or even minor Windows patches, among a myriad of other failed, incomplete or duplicated processes, can impact the integrity of the finance system. These issues can occur on upstream systems which are not even under the control of Finance.

Most of these items can fail without notice, or depend on proactive manual checking that is, in practice, only applied selectively.

Changes in business application logic

Changes to corporate financial systems are typically controlled through a top-down process that uses a Service Management application (such as ServiceNow) to implement Change Management via the approval workflow built into the software.

This process provides documentation and an audit trail for changes made and then moved into production.

This trust-based approach differs from other audited environments where Change Management is supplemented with active auditing. In IT and Network Security, Change Management is combined with active monitoring tools for Intrusion Detection, Software Inventory Management and IT Audit.

With continuous auditing and monitoring, alerts to changes in the finance application, databases and operating systems as well as issues that may affect daily operation are generated automatically. These alerts can be fed into the Service Management application or managed separately.

These alerts are then correlated with Change Management approvals to confirm that the change was made in accordance with internal policy. In addition, any critical operating issues that are identified are also confirmed to be properly managed through the Service Management application.

Auditing of the finance system environment should detect changes in the application code scripts, business rules, database schema, stored procedures, report definitions and of course patches or upgrades to the application itself.
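The day-over-day comparison and reconciliation described in the security-changes section and here, as an added Python example (this is not FinWatch's code): a previous-day snapshot of accounts and their group or role memberships across application, database and OS levels is diffed against today's, and each change is matched to an approved change record or flagged as unapproved. All account names, groups and the change id are constructed sample data, not taken from any real environment.

```python
"""Baseline-vs-current diff of account permissions, reconciled against approved changes.
Added illustration; sample data below is constructed, not exported from a real system."""

# Snapshot format (constructed): subject -> (level, frozenset of groups/roles).
# Subjects are prefixed with the layer they live in: app:, db:, os:.
BASELINE = {
    "app:jdoe":       ("application", frozenset({"Planner"})),
    "db:hfm_app":     ("database",    frozenset({"CONNECT", "RESOURCE"})),
    "os:svc_backup":  ("os",          frozenset({"Backup Operators"})),
}
CURRENT = {
    "app:jdoe":       ("application", frozenset({"Planner", "Administrator"})),  # role added
    "db:hfm_app":     ("database",    frozenset({"CONNECT", "RESOURCE"})),
    "os:svc_backup":  ("os",          frozenset({"Backup Operators"})),
    "app:native_tmp": ("application", frozenset({"Administrator"})),             # new native user
    "os:tmp_admin":   ("os",          frozenset({"Administrators"})),            # new local account
}
# Constructed ITSM export: approved change id (placeholder) -> subjects it covers.
APPROVED = {"CHG-PLACEHOLDER-1": {"os:tmp_admin"}}


def diff_snapshots(baseline, current):
    """Return (subject, kind, detail) tuples for added, removed and modified subjects."""
    findings = []
    for subj in sorted(set(baseline) | set(current)):
        if subj not in baseline:
            findings.append((subj, "added", sorted(current[subj][1])))
        elif subj not in current:
            findings.append((subj, "removed", sorted(baseline[subj][1])))
        else:
            before, after = baseline[subj][1], current[subj][1]
            if before != after:  # membership changed; record exactly what moved
                findings.append((subj, "modified",
                                 {"granted": sorted(after - before), "revoked": sorted(before - after)}))
    return findings


def reconcile(findings, approved):
    """Attach the covering change id to each finding; anything uncovered is unapproved."""
    index = {s: cid for cid, subjects in approved.items() for s in subjects}
    return [{"subject": s, "kind": k, "detail": d, "change": index.get(s), "approved": s in index}
            for s, k, d in findings]


def unapproved(results):
    """Subjects that changed without a matching approved change record."""
    return [r["subject"] for r in results if not r["approved"]]


if __name__ == "__main__":
    for r in reconcile(diff_snapshots(BASELINE, CURRENT), APPROVED):
        print(("OK      " if r["approved"] else "REVIEW  "), r["subject"], r["kind"], r["detail"])
```

The approved local account is reported as matched, while the role escalation on jdoe and the new native application user surface as the "negative" the text asks to prove: changes that appear on no approved change list.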

Backups and Disaster Recovery capability

Maintaining up-to-date and valid system backups is critical to internal compliance. This includes application, database, operating system, and cloud level backups. Each environment has its own unique backup process and should be regularly confirmed to have the correct total number of backups as well as the correct number of successful previous-day backups.

The validation of these backups is also very important. If possible, the backup file should be validated post export. Disaster Recovery environments should also be confirmed to exist and if possible, regularly validated.

Bottom Up Continuous Auditing

With Bottom up Continuous Auditing, IT and Finance use an automated software tool which proactively monitors and generates detailed reports on the Finance System. In addition, they are notified on issues in near real time.

With a simple one-time setup, FinWatchCloud scans your Oracle EPM Cloud and/or Oracle Hyperion on-premises environment and identifies any daily changes in application design and key operational metrics which are important to the internal audit team. It also maintains point-in-time reports which document the state of the finance system (including the entire stack of operating system, database and cloud configuration) as it was on specific dates in history.

Users are able to define their own Compliance Dashboard specific to their corporate compliance policies and be alerted as soon as issues arise and maintain a long term report repository of documentation supporting that compliance throughout the year. Alerts can be fed back into the Service Management application and reconciled with approved changes or they can be acknowledged and maintained within the FinWatchCloud reporting system.

This dramatically reduces and can completely eliminate the hours and days spent each month by IT and Finance on internal compliance. The proactive nature of the Compliance Dashboard (through email alerts) also provides stakeholders with the ability to deal with and document compliance related activities while they are still fresh and top of mind.

The bottom line: less time spent on compliance reporting by IT and Finance professionals each month and greater insight into the current and past state of your finance system. When compliance issues arise, they are resolved and documented immediately. This enables Finance and IT professionals to take a proactive leadership role in corporate compliance.


FinWatchCloud provides Bottom Up Continuous Auditing of financial software systems with direct connectivity to Oracle EPM Cloud and Oracle Hyperion on-premises environments, with an active Compliance Dashboard as well as configuration and operational metrics reporting. FinWatchCloud comes with an extensive out-of-the-box set of predefined metrics as well as the ability for users to build their own custom reporting scripts. Application and infrastructure reporting is integrated into a unified dashboard with customized alerts.

For more information visit finwatchsystems.com.