It’s been a while since I wrote my last blog post, and it’s hard to believe I’ve been at Onapsis for seven months already. Since then, I have consumed a lot of information, and talked to dozens of customers and peers in audit and compliance. There’s a lot to share with you, so let’s get started with some key learnings that are important for anyone in an audit and compliance role.
In my first blog post, you learned a lot about my old friend and now coworker, Sergio Abraham. I’m sure that he came across as a great guy who helped someone like me see the light on risks I wasn’t aware of. What I didn’t share then, that I will share now, is that my experience after that meeting (my interview to join Onapsis) was terrifying in many ways.
First off, I went right from meeting with Sergio to meeting the members of the Onapsis executive leadership team. “Do not pass go, do not collect $200.” Here I was, in front of some of the best and brightest as a Chief Audit Executive interviewing at an ERP Cybersecurity firm and, full disclosure, I didn’t even know ERP cybersecurity was a thing, or how vital it is to organizations. I think that is ok to admit now that I am past my probationary period. Secondly, I hadn’t worked at a software company before, and didn’t know any of the jargon, and I also had never worked in sales, go-to-market, marketing, product, etc. After meeting all the leaders during my interview process and realizing all the areas I realized I was deficient in, I survived the first round. And it was actually a lot of fun, albeit mentally exhausting, and I am smiling even writing about it today.
I was then asked to come back and meet the CEO, Mariano Nunez. This is where my head began to hurt. I’m not kidding. I put my hands on my temples and just went silent. He looked at me, and asked me if I was ok. I looked at him, and asked him if he was familiar with the movie ‘The Matrix.’ He said of course. I looked him dead in the eye, and said “My head hurts.” I keep on finding out more and more information about risks I had no idea existed. Risks that executive management and the Board of Directors should know about. Risks that NO ONE seems to know about or want to talk about. Risks that can completely undermine the control structure and integrity of an organization’s financial statements. I feel like I’ve been living in a dream world, where IT general controls (ITGC), an annual pen test and the existence of a security function in an organization were enough. If what you are telling me is true, I’ve been living in the matrix for the last 15 years.’ He looked me dead in the eye, and asked “so, Brian, is it going to be the red pill, or the blue pill.” This has become an inside joke between Mariano and I, and not a day goes by that I am not grateful for taking the red pill.
So, what did the Onapsis Leadership Team inundate me with, so much so that my head literally hurt thinking about it all? Why do I now feel like ITGC’s are the mask auditors wear to provide management and the board with a false sense of security? What was so compelling that I left an organization and management team I loved working for and respected, to take the red pill and leave my Chief Audit Executive life behind?
Well when I looked at my ERP systems, the most critical applications and the IT controls, there are really two main focal points: Access Control & Change Management. Yes, there are other minor areas that exist, but at the end of the day, these are the most critical pieces. I’ll focus on ITGC for Sarbanes-Oxley in particular as they are similar for other regulatory and compliance frameworks.
We look at access and change management through the lens of ERP production systems, such as those from SAP and Oracle, and the processes that exist at an organization. For example:
- How do you provision and deprovision users?
- How do you make sure users in your system have the appropriate roles and access and that separation of duties (SoD) conflicts are monitored & mitigated?
- How do you ensure changes to your system follow your defined change management process?
These are all valid risks to address as part of ITGC testing. However, these are not the only risks that impact access control and change management. What if I told you:
- Non-production users and systems can bypass your access and change management controls?
- Unauthenticated attackers (i.e. those without proper credentials) can do the same without as much as creating a log of what they have done, leaving your organization no audit trail after they’ve infiltrated your mission-critical applications?
- Code and import processes are loaded with additional lines of code beyond what is actually required for the change, sometimes with vulnerabilities and even malicious intent?
The list goes on, and I’ll delve into it more in my next post.
So I ask you, fellow audit, risk and compliance colleagues, which pill is it? The blue pill, where you are acing your ITGC audits and feeling good about how you are addressing risk, all while giving executive management and the Board a false sense of security? Or will you join me in taking the red pill, open up your mind to what is possible, and think differently about how access and change management risk manifest in your organization, better serving your stakeholders?
If you want to move beyond the alternative universe of compliance risk, we can show you the right path.