GRC And Intelligent Finance: How To Get The Human Factor Right

Bruce Romney

Part 4 of the Finance Transformation” series that explores how finance can take the lead in driving their companies towards an intelligent enterprise

By definition, automation means removing the human factor from a given process. This is as true for finance as it is for manufacturing or any other line of business.

But the truth is, the human factor can never be removed entirely – particularly for finance processes where governance, risk, and compliance (GRC) is non-negotiable. Visibility into and oversight over automated processes is a requirement. We are in control, not the robots, and we must maintain appropriate oversight of automated processes.

The question is this: how much of the human factor can be legitimately removed from processes while still maintaining control? Managing payments is a good example. As finance organizations have long known, instead of paying people to check every invoice against every purchase, technology can be used to automate the process of matching purchase orders (POs), goods received, and invoices. This is known as the three-way match.

In this instance, you might maintain the human factor in the form of an auditor. This auditor comes in periodically and pulls, say, 25 transactions at random – examining them to make sure there is no sign of error, fraud, or noncompliance to policy. If the auditor finds an issue, the next step is to pull additional transactions to ascertain the extent of possible anomalies and exceptions and finally recommend remediation steps.

Most certainly, this approach provides some level of assurance and is a compromise between auditing every transaction and helping ensure adherence to policy based on sampling. In the end, however, this is primarily manual in nature and does not provide full coverage of transactions.

Toward full automation

A better way forward is full automation with real-time management by exception. The idea here is to pull humans into the process only as needed. Any process – procure-to-pay, order-to-cash, treasury management, billing and credit, and much more – can be fully automated with proper real-time monitoring to alert process managers of outlier events.

What’s more, whereas the auditing approach involves a statistical sampling of transactions, real-time management by exception means that your system monitors 100% of transactions, configurations, and relevant master data in the here and now.

Getting the human factor just right with full automation, however, requires a different approach to financial process management. You might find it helpful to think in terms of intelligent access, intelligent controls, and intelligent detection.

Intelligent access

Automation and hybrid landscapes can complicate access to financial systems. In the past, you needed to authenticate individuals – or not – based on credentials provided. Now, to facilitate end-to-end automated processes, you need to provide access across landscapes, and in some cases, to robots, as well.

To manage the access risks, you’ll need to manage digital identities across systems as well as be able to provide access capabilities to authenticate robotic identities. A good practice is to define the incoming machine in terms of a defined role that allows the person or machine sufficient permissions to perform the needed business function. And from an audit perspective, every transaction and user requires monitoring. This means that every action taken by users and robotic processes must be logged, producing an audit trail and an alerting system to detect anomalies and potentially malicious activities.

Technology such as machine learning (ML) can help. By reading process data in real time, ML algorithms can detect security and transactional anomalies at the application layer and alert process managers. ML can also be used to intelligently optimize role definition, which can then be assigned dynamically in a secure and traceable manner.

Intelligent controls

Fully automated financial processes are controlled primarily through configuration, master data, and transaction monitoring.

Configuration settings are key to establishing and maintaining processes that are aligned to policy. To optimize processes, leading organizations are adding continuous control monitoring to provide a feedback loop on how these settings can be monitored. Take, for example, a setting that alerts a process owner to a change in the thresholds assigned to a three-way match before manual intervention is required. Or consider monitoring depreciation calculations tied to automated postings, changes to charts of account tables, or modifications to posting and reconciliation rules associated with accounting periods and the financial close processes. By replacing manual controls with fully automated controls, process owners and auditors can gain greater visibility and trust in processes, including robotic processes, managed by core ERP systems.

Proper master data monitoring is also critical to help prevent policy violations or potential fraud. Fields that contain sensitive data can be monitored to help ensure accuracy and completeness, as well as for changes that might be motivated by policy aversion such as one-off transactions. Master data that can be monitored can be found in key fields in vendor or customer master accounts, including bank account information, or fields related to key information in POs or invoices, or conversion values used in various calculations. And in today’s world, which requires greater data protection and privacy, the ability to also mask or log data access to sensitive information is also needed.

Finally, transaction monitoring provides another layer to help identify unexpected outcomes in core processes. Although effective access management, configuration, and master data monitoring are all important in a detective and preventive approach, transaction monitoring adds an important final check to help identify where these prior approaches might not be yielding the expected results and adjustments might be in order. And by receiving alerts, a process owner can also have the ability to drill down quickly into the transaction details residing in back-end systems. This is enabled now more than ever, as SAP S/4HANA allows for tighter integration of core processes that help provide a more consolidated view of enterprise business data that serves as a single source of finance truth.

Intelligent detection

Constant monitoring of finance processes is required to detect intrusions and potentially fraudulent activity. Proper detection is critical at the point of system access – but it doesn’t stop there.

On a 24×7 basis, your systems must be monitored to detect both external and internal threats. Beyond traditional cybersecurity and monitoring approaches, many companies are now turning to ML algorithms as the risk landscape grows in complexity.

You can stay on the offensive by using ML to analyze and correlate logs from past and current security events. Based on this historic data, ML can help you run forensic investigations that uncover new attack patterns before they impact your systems. It can also help you detect patterns of system activities in real time to generate alerts to anomalous conditions that might require immediate attention.

ML can also be used to map structured and unstructured data across systems and highlight personal information, which is relevant under various data-privacy regulatory pronouncements.

The advantages of intelligence

With intelligent access, intelligent controls, and intelligent detection, organizations can get the human factor just right for automated finance processes. The outcomes, though, are not merely a new set of requirements for managing finance risk, but tangible business benefits that serve the business well and provide greater assurance to process owners and stakeholders alike. These include trusted processes that drive business performance, expected results that instill confidence, and streamlined audits that drive down the costs of compliance.

Join the second SAP Intelligent Finance virtual event on Tuesday, Feb. 11, 2020, and explore the new reality driving finance transformation. Register now.

Follow SAP Finance online: @SAPFinance (Twitter)LinkedIn | FacebookYouTube

Bruce Romney

About Bruce Romney

Bruce Romney is a senior director in the SAP Marketing organization for governance, risk, and compliance solutions. His experience in GRC topics stems from a wide range of activities. These include consulting on several engagements in the risk and advisory practice of a large public accounting firm across various verticals, managing large-scale e-discovery projects, and industry experience managing a contract manufacturing facility in Mexico including responsibility for the import/export function. He is a licensed CPA in the state of Texas.