Posted February 19th, 2008
Compliance as a Service – Counter-counterpoint
Matt and Mark have both responded to my response. Matt writes:
Thanks for keeping us honest Ian! I would be pretty blind to claim that overall regulatory compliance can be solved with any IT solution (…or set of …or service of). But I didn’t make that distinction in my previous post. But, is that the basic point you’re making? …that IT compliance is a subset of overall Compliance? Or is there more to it?
Yes and no. I do believe the IT compliance is a subset of overall Compliance, but that wasn’t my basic point. My most basic point was, because Big C Compliance is so truly tied to people and process it cannot be delivered as a service. The reason I responded to you and Mark about this was that I didn’t want the conversation to start off with a definition of Big C that was too limited and too IT-centric.
Understanding that big-C Compliance requires much more than IT controls, would it seem more realistic if we said IT-compliance-as-a-service? or IT-Audit-as-a-service?
IT audit/compliance can and should be delivered as a service. And not just the tools and tooling for it, but ownership of the compliance state and risk as well. To me this is a natural extension to Managed Security Services and companies like Counterpane and IBM offer this to an extent. Continue reading "Compliance as a Service: Counter-counterpoint"...
Posted October 17th, 2007
Lori Rowland has posted an examination of the state of market given Oracle’s acquisition of LogicalApps. Her analysis of the impact of this acquisition to us independent controls management companies mirrors some of my thoughts on the matter. There was one thing that caught my eye. Lori writes:
There are obvious benefits to implementing Oracle and SAP’s controls management solutions to manage the respective environments. Who knows SAP SOD policies or sensitive transactions better than SAP, right?
Maybe not. I posit that the audit community (both internal and external auditors) have a better sense for what constitutes an SoD violation in their business context than ERP vendors do. Clearly, the ERP vendors know, from a functional stand-point, what each transaction and function does in their products. This enables them to build the “well, duh” SoD policies such as “flag everyone with SAP_ALL.” The “well, duh” SoD policies are the just the ante to play in the controls monitoring game. The meaningful, high value SoD policies come from the audit community and their years of lessons learned working across multiple industry verticals globally. It has yet to been if the ERP vendors will truly cater to this community’s needs. It is the greater audit community that Approva has sought to serve since day one and we’ll continue to do so. Viva independence!
Posted October 11th, 2007
(The following is also available over at Approva’s Audit Trail.)
The deal has been announced and will finally be done in November. Nobody is particularly surprised that Oracle is buying LogicalApps, least of all, us here at Approva. With this transaction Oracle will now have a controls automation tool needed to continue its fight with SAP. Analysts, bloggers, and prospective customers have asked: where does this leave Approva and the answer is – exactly where we want to be: Approva remains the independent controls monitoring company – and the only one with the proven ability to work across applications, in multiple platforms and for any kind of control.
Oracle (and similarly SAP) are taking the approach of strongly tying and embedding their controls monitoring tools in their ERP packages. What’s wrong with this approach? It is fundamentally too limited in scope and vision. Yes, managing controls in ERP systems is critical, especially in a SOX world. But, a tool that scopes controls automation down to SoD analysis for a specific ERP package (and, for that matter, a specific version therein) can only provide a keyhole view and doesn’t truly serve the GRC needs of the enterprise. Since LogicalApps only addressed Oracle E-Business Suite, with this acquisition Oracle continues to neglect its red haired step children: PeopleSoft, JD Edwards, Hyperion, Siebel… where’s the controls love for them? Continue reading "Oracle buys LogicalApps: Approva Remains the Land of Freedom"...
Posted March 20th, 2007
After nearly 7 years of working from home, I have just started a new job… with an office. I have to say, I thought that the adjustment would be a lot harder than it has been. That being said, the commute has been very painless… I am sure I’ll change my tune when I end up sitting on the Beltway for an hour just to go two miles.
I am really excited about my new gig. Approva is a great company with awesome people. I actually look forward to the commute and that should tell you something about how much I am into this new job.
what others say