One vital goal of CFOs is to ensure their data is viewed by authorised individuals, and only by those individuals. To accomplish this, IT professionals must employ best practices for segregating data within their organisations, and for the closely related segregation of duties (SoD) among the people who act on that data.
"Data segregation is the process of separating certain sets of data from other data sets so that different access policies can be applied to those different data sets," says a report on NextLabs (https://www.nextlabs.com/what-is-data-segregation/). "The ultimate goal of doing so is only allowing authorised individuals to view certain data sets accessible to them."
"There are many reasons why organisations may need to segregate their data, from regulatory requirements, systems that are shared between different entities in relationships like joint ventures, mergers, acquisitions, and divestitures, or systems that are shared by many people within an organisation who do not all have the same authorisation to view all of the data," said the NextLabs report.
Business leaders weigh in
In the FutureCFO roundtable, organised by Cxociety and SailPoint and titled "Drive Business Value from Policy Driven Access Risks Insights," senior finance leaders from Hong Kong organisations shared their experience on the challenges of managing complex business processes.
A Zylo report estimates that the average enterprise has about 600 SaaS applications in use, but only one-quarter are managed by IT. As many as ten new applications are introduced into a typical company each month, making tracking and optimising SaaS usage a new challenge.
Arguably, the more significant challenge comes from access to key systems, including enterprise resource planning (ERP) systems that run critical processes and hold sensitive data. These systems carry layered access controls that span third-party applications as well as internal users.
The lack of uniform controls across these applications can result in inconsistent, non-conforming access, time-intensive and error-prone monitoring, increased threats, fraud, and audit deficiencies.
"CIOs and CFOs across the region tell me that SoD is critical, as they're giving out too much access," said SailPoint senior solutions engineer Richard Malmberg. "We're working with them on the types of technology, people and processes that can solve specific issues. Often, the problem is that CFOs and the financial team expect IT to solve the problem. The finance team needs to know what the business controls are and what the business processes are, to drive value for the IT teams—that's the biggest issue."
Simon Tai, SailPoint managing director for Hong Kong and Macau, concurs: "Right now, we engage with finance users to better understand their value proposition. Software is important, but success depends on the process."
"Just to share one example—we got an inquiry from IT about access review, then found out that this company is listed in the US, and if they failed an audit, they might be forced to de-list from the US market. Right now, we are more and more engaged with finance users to understand the value that customers seek."
Drowning in data
"Two questions auditors seem to be asking: what sensitive data do you have in your company, and who has visibility on it?" asked moderator Tan. "Is there too much access to data? Have we gone too far in the democratisation of information?"
Responding to the former question, Scott Lee, VP and regional controller (APAC) for the Interpublic Group acknowledged that: "There's lots of data—frankly, way too much. There are data security issues, privacy issues, and all those sorts of things that we worry about, but I feel we're reasonably confident with our finance and accounting data and employee data."
Vitasoy group director for internal audit and risk management Terence Chow commented that it's more than just financial data. "This also involves a lot of different processes in lots of different functions—actually, not many companies will focus on authorisations in finance."
He cites issues relating to processes, governance, reviews, and approval—all of these complicate matters.
"Finance must also deal with SoD among different lines of business. How can we utilise technology to help us with these things?" queried Chow.
The Association of Chartered Certified Accountants (ACCA) says auditors have the power to instil trust and confidence in a company's financial statements. It is the nature of the audit function to uncover variances and exceptions.
Danny Ho, executive director and CFO at cosmetics retailer Sa Sa International Holdings Limited, says: "Generally speaking, it is more about how we put together processes to prevent these things from happening. I think if you have the right processes and controls in place, it should be reversing the asking of auditors what is missing in the design to prevent conflicts and why issues are still happening, if any."
Importance of ERP in finance
According to SAP's January 2021 corporate fact sheet, 77% of the world's transaction revenue is handled by an SAP system. In addition, in today's complex ecosystem of connected but distinctly separate applications, real-time intelligent understanding of access is critical for protecting against fraud, data theft, and employee mishaps.
"SAP has all the generic roles, and you can print out your reports—what each person is doing and the different roles—it has all the different roles that people are playing, and different processes," said Lee. "It's pretty standard for all ERP systems, which is what we use across the world. As we have shared services, agency finance, and a regional team, there's quite a lot of SoD."
When you consider the many applications outside the SAP business core, both on-premises and in the cloud, that need to access or connect to SAP, ensuring access governance becomes even more complicated.
"We do get a lot of conflicts, generic conflicts that come up that SAP kicks up, and then you've got to find a way to mitigate [them]," said Lee. "Sometimes we fix one, but that kicks off something else—we're often trying to manage the conflicts and rushing because we have to finish the quarterly reports or whatever."
"I feel like we're ticking the box rather than thinking through the whole process on an enterprise-wide basis," he said, adding that these activities increase as the business changes. "We bring on acquisitions or move things around, and what happens is that people who used to do one role are now doing two or three roles."
From an auditor's perspective, Vitasoy's Chow acknowledges that full automation is not always possible and that some processes will remain manual for now. "It's a very painful and tedious process," he continued. "You have to do it manually—you have conflict rules in your organisation matrix and [must flag] all the exceptions."
"Of course, you can classify, you can put it in groups, but it's still a manual process that we need to go through," said Chow. "And we simply don't have the in-house resources to go through all of them—you end up picking high-risk ones or what we think are high-risk ones."
Data access during the pandemic
Before the pandemic, digital transformation was already on the agenda of many organisations in Asia. As with all things that demand change, this digitalisation was met with resistance, particularly at the operational levels.
The COVID-19 pandemic has washed away most of the resistance as digitalisation has proved to be the best solution for continuing business as usual in the face of prolonged social restrictions.
Finance teams were not exempt from the restrictions or from the transformation that followed. According to one delegate to the roundtable, many employees shifted to a WFH model during the pandemic.
He noted that his organisation adopted a three-lines-of-defence model. "The first line: the finance department is responsible for their team getting the right access. Second line of defence: IT people are responsible for the IT system. You need to make sure that people are monitored, whatever the system, whatever the infrastructure, to ensure they are granted the right access."
"The third line of defence—the internal audit—is to ensure that the first and second lines are doing their job properly," he said. "The CFO or the finance manager must be sure that when people access the information from home or anywhere, IT security is good enough to have proper protection."
He acknowledged that there's no such thing as 100% security. "We balance costs against risk within the organisation, which always requires assessment of the control environment to see whether it's worthwhile to add more IT technology, systems, or applications to control access," he said. "There's always a cost and benefit comparison."
For his part, the finance director for Asia with City Facilities Management, Travis Huggins, conceded that his organisation still relies on existing systems and IT to sort out the problems at the backend. "Within finance, it's all grouped by user access—if someone joins, they get assigned to the correct group. That's how we manage it, and that hasn't changed regardless of work locations."
"We don't have a view necessarily of the entire portfolio, but we know that when the auditors come, they will ask questions about who has the right access, who's the administrator, who's the approver, who's the creator," said Huggins. "They'll ask these questions, and we should be able to look at that specific part of the system and be able to say: yes, we know who has access to it."
Segregation of duties
Identity security means different things to different leaders. The common denominator is that most treat it as a technology issue, with at best a partial understanding of how it can affect their own agendas.
Some leaders might see investing in identity as a way to accelerate product innovation by speeding up the time to market for new products. For the CFO, identity security can ensure the proper segregation of duties to prevent fraud.
"Segregation of duties is a practice I learned from the auditing process," said CFO of Lee's Pharmaceutical Holdings Limited, Jason Chow. "While some smaller businesses may want to hold on to their old ways of doing things, we need a system to document the process and put it on the table for your team and management to make informed decisions—you will want this if and when you face the auditor."
When asked for any best practices to guide finance leaders in driving business value from policy-driven access rights insight, SailPoint's Malmberg suggests the first step is to manage access by defining the access risk framework or policy that governs the organisation.
"Then use tools to give you the starting point and customise that to your organisation. Once you have that framework, start looking away from grouping roles as high as possible that are risk-free, or else you're just creating more work for yourself," he continued.
He suggested giving people access if needed, provided there is no risk. "Then segregate all the access for supplementary roles in terms of more critical functions. Anything that will cause a segregation of duties, you build out and separate any risk.
"If you want access, you request it, or you can assign it to a particular group. Then, you can train to reduce that risk, which needs to come from the business governance. Then, you look at building access from that, starting by mapping the function against positions. The role should fit the description. That's how you eliminate the risk and anything else is around the requestable."
He conceded that some segregation-of-duties conflicts will remain regardless. The point is to limit access: instead of having 100 people with access, this is down to only 10. "You put reporting around that governance model, which is so much easier to manage than having to report over 100 people having access that don't need it," he explained.
"Finally, review access periodically and simplify the model based on the needs of your organisation. Technology will be able to give you the visibility, and the framework to start with and then you customise that to your organisation," concluded Malmberg.
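The conflict checking Lee and Chow describe (the generic conflicts SAP raises, the conflict rules in an organisation matrix, the exceptions that must be flagged and mitigated) and the framework Malmberg recommends (define the rules, map functions to positions, report on the result, review periodically) reduce to one computation over three tables: which pairs of business functions conflict, which roles grant which functions, and which users hold which roles. The Python below is an added example written for this page; it is not code from the roundtable, SailPoint or SAP's own tooling, and every function, role, user and control reference in it is constructed. It separates a conflict a user accumulates by holding two roles (the "one role is now two or three roles" case) from a conflict built into a single over-broad role, and treats a documented mitigating control as closing a finding rather than hiding it.

```python
"""Toy segregation-of-duties (SoD) conflict check.

Added example, not code from the roundtable, SailPoint or SAP GRC. Every
function, role, user and control reference below is constructed for
illustration; a real deployment would load these tables from the ERP.
"""

# Rule set: pairs of business functions no single person should hold,
# with a risk rating (constructed; a real matrix has hundreds of pairs).
CONFLICT_RULES = {
    frozenset({"create_vendor", "approve_payment"}): "high",
    frozenset({"post_journal", "approve_journal"}): "high",
    frozenset({"maintain_bank_master", "run_payment"}): "high",
    frozenset({"create_purchase_order", "post_goods_receipt"}): "medium",
}

# Roles map to the functions they grant (constructed). FINANCE_ALL is a
# deliberately over-broad composite role that conflicts with itself.
ROLES = {
    "AP_CLERK": {"create_vendor", "post_invoice"},
    "AP_MANAGER": {"approve_payment", "run_payment"},
    "GL_ACCOUNTANT": {"post_journal"},
    "GL_REVIEWER": {"approve_journal"},
    "MASTER_DATA": {"maintain_bank_master"},
    "BUYER": {"create_purchase_order"},
    "WAREHOUSE": {"post_goods_receipt"},
    "FINANCE_ALL": {"post_journal", "approve_journal", "run_payment"},
}

# User -> roles held (constructed). "carol" kept her clerk role when she
# became AP manager after a reorganisation; "frank" covers two GL seats.
USERS = {
    "alice": {"AP_CLERK"},
    "bob": {"BUYER", "WAREHOUSE"},
    "carol": {"AP_CLERK", "AP_MANAGER"},
    "dave": {"GL_ACCOUNTANT"},
    "erin": {"FINANCE_ALL"},
    "frank": {"GL_ACCOUNTANT", "GL_REVIEWER"},
}

# Mitigating controls accepted for a specific user and conflict
# (constructed control reference). Anything not listed here is open.
MITIGATIONS = {
    ("bob", frozenset({"create_purchase_order", "post_goods_receipt"})):
        "CTRL-017: monthly three-way-match review by finance manager",
}


def effective_functions(user, users=USERS, roles=ROLES):
    """Return {function: {roles granting it}} across every role the user holds."""
    granted = {}
    for role in users.get(user, ()):
        for func in roles.get(role, ()):
            granted.setdefault(func, set()).add(role)
    return granted


def conflicting_roles(roles=ROLES, rules=CONFLICT_RULES):
    """Roles that violate a rule on their own: a role-design defect to fix
    before reviewing users, because every holder inherits the conflict."""
    defects = {}
    for name, funcs in roles.items():
        hits = sorted(tuple(sorted(rule)) for rule in rules if rule <= funcs)
        if hits:
            defects[name] = hits
    return defects


def find_conflicts(users=USERS, roles=ROLES, rules=CONFLICT_RULES,
                   mitigations=MITIGATIONS):
    """Evaluate every rule against each user's effective functions."""
    findings = []
    for user in sorted(users):
        granted = effective_functions(user, users, roles)
        for rule, risk in rules.items():
            if not rule.issubset(granted):
                continue
            via = sorted(set().union(*(granted[f] for f in rule)))
            findings.append({
                "user": user,
                "conflict": tuple(sorted(rule)),
                "risk": risk,
                "roles": via,  # the role combination that causes it
                "mitigation": mitigations.get((user, rule)),
            })
    return findings


def open_high_risk(findings):
    """High-risk conflicts with no accepted mitigating control."""
    return [f for f in findings if f["risk"] == "high" and f["mitigation"] is None]


def users_per_conflict(findings):
    """Counts for the governance report: how many people hold each conflict."""
    counts = {}
    for f in findings:
        counts[f["conflict"]] = counts.get(f["conflict"], 0) + 1
    return counts


if __name__ == "__main__":
    for role, hits in conflicting_roles().items():
        print(f"role-design defect: {role} grants {hits}")
    found = find_conflicts()
    for f in found:
        status = "mitigated" if f["mitigation"] else "OPEN"
        print(f"{f['user']}: {f['conflict']} [{f['risk']}] via {f['roles']} -> {status}")
    print("open high-risk:", [f["user"] for f in open_high_risk(found)])
    print("users per conflict:", users_per_conflict(found))
```

Running the file flags FINANCE_ALL as a role that conflicts with itself, lists bob's purchase-order/goods-receipt conflict as mitigated, and leaves carol, erin and frank as open high-risk findings. Two points carry over to a real review: role-design defects are reported separately from user-level accumulation, because the fix is different (redesign the role versus remove a role from a person), and the mitigation table is part of the evidence, since an auditor asks what control covers each remaining conflict, not merely how many exceptions exist.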