To fully report on the health of a financial ecosystem so it stays aligned with and optimized for the goals of the business an audit tool must meet five key requirements.
Finwatch Systems developed FinWatchCloud for its predecessor Strafford Technology in order to offer quarterly audits of Strafford clients’ financial ecosystems. The audits produce a complete report card on the current system status — architecture, hardware and software specifications, configuration settings, users and permissions, system logs, software patches, performance metrics, security settings, and much more. Along with reporting status we also identify opportunities for improvement due to underutilized product features, deviations from standard functionality and settings, and sub-optimal performance and processes. The goal is to improve our client’s use of its financial solutions, which in most cases typically are Hyperion Financial Management (HFM), Hyperion Planning, or Oracle EPM Cloud solutions. Achieving that goal will in turn help maximize return on investment, reduce total cost of ownership, and ensure that solutions are up-to-date, secure, compliant, and can grow with our client’s business.
The secret sauce behind all this is our proprietary audit automation technology. After applying this technology to hundreds of audits, we have found that there are six essential elements a financial ecosystem audit tool must possess. Taken together, these six “musts” deliver the technology’s overarching benefit — what we call holistic auditing.
Must be automated. Trying to manually audit an entire financial ecosystem at scale is obviously impossible. There are literally tens of thousands of data points to evaluate — all operating in sync — spread across application instances, databases, operating systems, servers, virtual machines, and other assets located on-premise and also (depending on the environment) in the cloud. Different data points involve different access protocols and interfaces (some programming, some human). After data is retrieved it must be processed, correlated, and presented in different ways based on the type of data so that reports are meaningful to system administrators. Automation is therefore also necessary for bringing about the other four elements of holistic monitoring — since each of these must also be provided at scale.
Must be full-stack. While commercial datacenter admin tools exist today with built-in audit features — and cloud providers like Amazon and Azure have their own — none of these tools are “full-stack.” In other words, none encompass all three layers of the environment: application, operating system, and infrastructure (cloud or on-prem). What’s missing is the application auditing piece, i.e., the ability to examine how the application is set up (e.g., current patch levels) and how the rest of the environment impacts its performance (as in system log data pinpointing application runtime glitches). Furthermore, if the audit tool is to encompass the application layer, it must also be tailored to the particular application’s unique features. In other words, to audit a Hyperion environment you need an auditing tool tailored to Hyperion.
Must be full-scope. If full-stack is holistic in the vertical dimension, full-scope is holistic in the horizontal dimension. In other words, for each of the three levels in the stack, the tool must address the complete list of data points relevant at that level. Here, for example, are some of the items in a typical Hyperion application report:
- Patch level and any changes
- Native users and any changes
- SQL Server native users and any changes
- Windows local users
- Windows domain Administrators
- Security group changes
- Hyperion services running
- Errors in log files
- Hyperion backup status (alerts on failures)
- Services running
- Backup status
Must enforce best practices. One of the most important benefits of automating a process is that you can repeat it over and over again until it is fully optimized. Both the audit itself can be optimized and the ecosystem under audit — until each reflects best practices. Automation contributes to best practices in other ways too — such as the best practice of running the audit at least quarterly and the best practice of making it full-stack (both of which automation enables).
Must be policy driven. In addition to best practices, something else you can optimize for are the policies driving your business — so that the financial ecosystem stays aligned with business objectives. For example, if certain default security settings are wrong for your business, you should know that.
Must provide near real-time alerts. This feature integrates best practices into the business every day, not just at audit time. For example, when a security policy is modified the internal audit teams can correlate that to a recent change control request, thus providing a check and balance. You can also do spot checks to ensure all changes have the proper documentation and approvals.