Why Compliance Cannot be Delivered as a Service

My friend Mark MacAuley can always be counted on to stir things up. He’s seen plenty of enterprise deployments and architectures and comes at problems with a combination of Yankee ingenuity and healthy cynicism. Over on Identitystuff, Mark writes about offering Compliance as a service:

The new frontier is CaaS – Compliance as a Service. Fixed cost, consistent automated reporting, a defensible model for implementing and showing transparency.

Although the intent of Compliance is good, in Mark’s estimation Compliance is 100% cost with no positive yield to the bottom line.

The trouble is that Mark refers to Compliance as if it is an IT service that can be delivered like outsourced help desk or security management. Compliance, the Big “C,” cannot be delivered as a service. The Big “C” is the interplay between people, processes, and IT systems to achieve the mission of the business in the context of regulatory and market pressures. It isn’t binary; it isn’t something you have one day and not the next. This dynamic interplay requires continuous measurement and feedback loops to ensure that deviations are corrected and, ideally, prevented.

Compliance is a matter of controls – instituting a variety of controls and then charting the business’ distance in relation to those controls at all times. Let’s take a simple common non-business example. When a cop pulls you over for speeding, you often get asked two questions:

  1. Did you see that speed limit sign?
  2. Do you know how fast you were going?

This is a simple example of controls in daily life. To track towards Compliance, first, you have to know about the control – awareness of the speed limit. Second, you have to be aware of your relationship to the control – how fast you are going. Finally, you, as a safe driver and responsible citizen, have to continually measure your relation to the control – keep your eye on the speedometer, unless you want a visit from auditors or enforcement agencies.

Expressing, understanding, monitoring, and enforcing controls CAN be delivered as a service. These services, including controls documentation and controls management, address automated and manual controls for IT and non-IT systems and processes. And it is the delivery of these capabilities as a service that can reduce the cost of compliance.

Matt Flynn get’s in on the action and provides a crucial point, if indirectly:

I think there are definitely organizations out there that would love to have a third party who is willing to be an expert and own compliance for them.

It’s people! Compliance is People! This is the other piece of the puzzle and as Matt says, it can be delivered by a third party. Service providers, with deep domain expertise, armed with controls documentation and management tools, can provide holistic compliance services, and with a little creative thinking, a bit of indemnity insurance, they can truly own compliance for an enterprise.

The Big “C” Compliance cannot be delivered as a service, nor by Santa Claus, not for all the tea in China. But that being said, compliance experts and expertise bolstered by controls management and documentation services can help organizations track towards Compliance and be able to adapt as any of the variables in the Compliance equation shift.

(Originally posted over on Audit Trail.)

Oracle buys LogicalApps: Redux

Lori Rowland has posted an examination of the state of market given Oracle’s acquisition of LogicalApps. Her analysis of the impact of this acquisition to us independent controls management companies mirrors some of my thoughts on the matter. There was one thing that caught my eye. Lori writes:

There are obvious benefits to implementing Oracle and SAP’s controls management solutions to manage the respective environments. Who knows SAP SOD policies or sensitive transactions better than SAP, right?

Maybe not. I posit that the audit community (both internal and external auditors) have a better sense for what constitutes an SoD violation in their business context than ERP vendors do. Clearly, the ERP vendors know, from a functional stand-point, what each transaction and function does in their products. This enables them to build the “well, duh” SoD policies such as “flag everyone with SAP_ALL.” The “well, duh” SoD policies are the just the ante to play in the controls monitoring game. The meaningful, high value SoD policies come from the audit community and their years of lessons learned working across multiple industry verticals globally. It has yet to been if the ERP vendors will truly cater to this community’s needs. It is the greater audit community that Approva has sought to serve since day one and we’ll continue to do so. Viva independence!

Oracle buys LogicalApps: Approva Remains the Land of Freedom

(The following is also available over at Approva’s Audit Trail.)

The deal has been announced and will finally be done in November. Nobody is particularly surprised that Oracle is buying LogicalApps, least of all, us here at Approva. With this transaction Oracle will now have a controls automation tool needed to continue its fight with SAP. Analysts, bloggers, and prospective customers have asked: where does this leave Approva and the answer is – exactly where we want to be: Approva remains the independent controls monitoring company – and the only one with the proven ability to work across applications, in multiple platforms and for any kind of control.

Oracle (and similarly SAP) are taking the approach of strongly tying and embedding their controls monitoring tools in their ERP packages. What’s wrong with this approach? It is fundamentally too limited in scope and vision. Yes, managing controls in ERP systems is critical, especially in a SOX world. But, a tool that scopes controls automation down to SoD analysis for a specific ERP package (and, for that matter, a specific version therein) can only provide a keyhole view and doesn’t truly serve the GRC needs of the enterprise. Since LogicalApps only addressed Oracle E-Business Suite, with this acquisition Oracle continues to neglect its red haired step children: PeopleSoft, JD Edwards, Hyperion, Siebel… where’s the controls love for them?

To say that governance, risk, and compliance (GRC) is an ill-defined piece of buzzword bingo may be the understatement of the last few years. If someone says they have a complete GRC platform to meet all enterprise needs, kindly escort them out of the building via the nearest window. The point is that we, vendors, service providers, and customers, are still feeling out what truly needs to be in a complete GRC solution set and over time “GRC” will continue to evolve before it solidifies into a commonly accepted set of capabilities. Accepting this limited definition of controls automation that ERP vendors are serving up will cost their customers and force them to reinvest over time. By definition, a constrained, embedded approach to controls automation is shortsighted. It cannot meet the future needs of GRC because it cannot adapt to other systems and other processes that will eventually fall under the controls monitoring umbrella.

Approva’s approach has been and will continue to be fundamentally different. By staying independent and ERP agnostic, while at the same time providing rich domain expertise in those ERP packages, we provide customers better controls monitoring capabilities than the ERP vendors. We do this not only in these ERP applications, but we also provide the ability to do so in any application. Furthermore, we do this for any kind of automate-able control, be it traditional authorization-related segregation of duty or any kind of business process that our customers and business partners dream up. And we do all of this without the premium or baggage associated with ERP vendors.

Freedom to monitor any kind of control. Freedom to leverage our deep domain expertise as well as that of our partners in the audit world. Yep, staying independent is all about freedom for Approva and it is this freedom we give to our customers – even Oracle’s red haired step kids. I may not know what the final definition of GRC will be, but I do know that Approva’s independent approach to controls monitoring will serve its customers better than any controls monitoring tool shackled to just a single ERP package.