What is the role of governance, compliance, and control in financial transformation?
Governance, compliance, and control can no longer be an afterthought. It is vital that organisations get governance right when it comes to finance
Governance, compliance, and control can no longer be an afterthought. It is vital that organisations get governance right when it comes to finance
If you think of the various things that send a CFO’s pulse racing, then governance, compliance, control, and audit will probably rank quite low on that list.
Legacy software designers must have formed similar lists because they’ve treated control and governance as afterthoughts, or even irritants, in the financial modules of classic ERP software. Control concepts are not as urgent as transaction processing, as visible as financial reporting, or as appealing as analytics.
Back in the 1980s where enterprise software has its design routes, control was not at the forefront. Technology innovation had not reached a point where control was even technically feasible. A gigabyte of storage back then cost today’s equivalent of over $200,000, with similar constraints on processing power.
Systems maxed out just capturing journal entries and rolling them up to ledger balances. Back in those days, there was little need or capacity to dig deeply into controls.
Today we can’t afford for governance to be an afterthought. The cost of noncompliance is too high. Traditional ERP vendors have responded in typical fashion by acquiring technology or creating capabilities that are then layered onto their legacy systems. However, this aftermarket approach to compliance and control comes with a number of drawbacks.
Voluntary controls
The user must pick, choose, then implement each control mechanism. Each control requires conscious thought and significant effort leading to the implementation of a minimum, rather than optimal, set of controls. Placing the burden to remember to institute controls on the user virtually guarantees that controls won’t be implemented uniformly.
Aftermarket inefficiency
Control frameworks add weight to processes that were never designed to handle the load, resulting in “dim the lights” performance. This, in turn, results in users turning off the system controls and managing compliance manually.
Documentation nightmare
In today’s controlled environment, documentation of controls is almost as important as the existence of those controls. The legacy approach requires manual documentation via spreadsheets, hand-written descriptions, and customised flow diagrams, which then must be updated manually for any change.
Mountain of maintenance
The key control risks in enterprise systems occur at the intersection of people and processes. The aftermarket control model never completely connects with the HR system-of-record, meaning that control parameters must be manually maintained to account for the frequent personnel and organisation changes in today’s enterprises.
Never complete, never comprehensive
Since concepts such as workflow arrived many years after legacy systems were designed, control frameworks were not fundamental to core system design. Even more controls had to be individually established for specific processes.
This means that any new or adjusted process, control, or audit requirement has to be actively considered and addressed separately. There can be no comfort in the idea of completeness of the control framework.
The aftermarket governance and control approach of legacy systems may have been close to adequate in the past but it can lead to disaster in today’s business climate of heightened corporate responsibility, transparency, regulation, and accountability.
You can combat these shortcomings by implementing one fundamental governance principle: that you cannot create governance and control via audit. You can test for them, but you can’t create them.
Even cursory reads of governance frameworks such as COBIT and COSO make it very clear that to establish an effective governance environment, control concepts and capabilities must be woven into the very fabric of the system. It is impossible to layer control software onto a pre-existing enterprise system and to ensure an effective, comprehensive, documentable, maintainable, economical and auditable control environment.
These characteristics must be purposely developed and built into the system from the beginning, which is why starting with a clean sheet of paper is crucial to your approach to governance.
Essentially this creates the opportunity to build control and governance into the core of your system. Here are the five key ways for financial systems to meet the compliance needs of modern businesses.
1. Controls that map to business process frameworks
All business event activity should be modelled and governed within a dedicated business process framework (BPF). Nothing should move unless it is modelled within the BPF.
2. Unified with the user system-of-record
An effective compliance environment is possible only if the entire enterprise system has intimate knowledge of the users and their roles, permissions, approval limits, and managers and how they fit into their many organisations. The “worker” object should not be a HR responsibility separate from finance, it must be a “business thing” shared by finance and HR systems.
3. Self-documenting
Business processes come defined and documented. Any process change is done in the BPF tool so the processes are self-documenting. And since the information is unified across the system, this documentation includes who made the change and when.
4. Always-on audit
Modern in-memory data structures allow all system data to be accessible at any time and in real time, allowing continuous access to audit evidence. Traditionally, auditing has mostly focused on evaluating the past and ensuring compliance.
5. Audit the model not the transaction
Transaction testing is often the primary cost driver for audit effort and fees. Legacy systems did not incorporate a true comprehensive governance model and so required significant detail for transaction testing. A system based on a unified control and governance framework supports the much more efficient and effective “test the model” approach.
While discussions around governance and control may not be the most exciting part of finance, it is something that organisations must get right. Successful delivery of governance and control can make a huge long-term difference in enterprise systems, and play a big role in what separates new systems and approaches from legacy ERP systems.
Learn more about how Workday delivers a single view of finance across your business enabling you to make strategic decisions better, faster, and with more predictable outcomes.