If you think of the various things that send a CFO’s pulse racing, then governance, compliance, control, and audit will probably rank quite low on that list. Legacy software designers must have formed similar lists because they’ve treated control and governance as afterthoughts, or even irritants, in the financial modules of classic ERP software. Control concepts are not as urgent as transaction processing, as visible as financial reporting, or as sexy as analytics.
To be fair, back in the ’80s, where enterprise software has its design roots, control was not top-of-mind. These were pre-Sarbanes-Oxley, pre-Basel II, pre-COSO/COBIT, and “audit around the computer” days. And, in all honesty, technology innovation had not reached a point where control was even technically feasible. A gigabyte of storage back then cost today’s equivalent of over $200,000 with similar constraints on processing power. Systems maxed out just capturing journal entries and rolling them up to ledger balances. Back in those days, there was little need or capacity to dig deeply into controls. How the world has turned.
Legacy software designers treated control and governance as afterthoughts, or even irritants, in the financial modules of classic ERP software.
Today we can’t afford for governance to be an afterthought. The cost of noncompliance is just too high. Traditional ERP vendors have responded in typical fashion by acquiring technology or creating capabilities that are then layered onto their legacy systems. However, this aftermarket approach to compliance and control comes with a number of drawbacks, specifically:
Voluntary controls: The user must pick, choose, and then implement each control mechanism. Each control requires conscious thought and significant effort leading to the implementation of a minimum, rather than optimal, set of controls. Putting the burden to remember to institute controls on the user virtually guarantees that controls won’t be implemented uniformly.
Aftermarket inefficiency: Because they were built after the fact, control frameworks add weight to processes that were never designed to handle the load, resulting in “dim the lights” performance. This, in turn, results in users turning off the system controls and managing compliance manually.
Documentation nightmare: In today’s control environment, documentation of controls is almost as important as the existence of those controls. The legacy approach requires manual documentation via spreadsheets, hand-written descriptions, and customized flow diagrams, which then must be updated manually for any change.
Mountain of maintenance: The key control risks in enterprise systems occur at the intersection of people and processes. The aftermarket control model never completely connects with the HR system-of-record, meaning that control parameters must be manually maintained to account for the frequent personnel and organization changes in today’s enterprises.
Never complete, never comprehensive: Since concepts such as workflow arrived many years after legacy systems were designed, control frameworks were not fundamental to core system design. Even more controls had to be individually established for specific processes. This means that any new or adjusted process, control, or audit requirement has to be actively considered and addressed separately. There can be no comfort in the idea of completeness of the control framework.
The aftermarket governance and control approach of legacy systems may have been close to adequate in the past; however, it can lead to disaster in today’s business climate of heightened corporate responsibility, transparency, regulation, and accountability. The Workday view is that an enterprise system must have a solid governance and control foundation. If the processes managing the data going into the system can’t be trusted, then the system is compromised before it even starts.
It is literally impossible to layer control software onto a pre-existing enterprise system.
To combat these shortcomings, Workday started with one fundamental governance principle: You cannot create governance and control via audit. You can test for them, but you can’t create them. Even cursory reads of governance frameworks such as COBIT and COSO make it very clear that to establish an effective governance environment, control concepts and capabilities must be woven into the very fabric of the system. It is literally impossible to layer control software onto a pre-existing enterprise system and to ensure an effective, comprehensive, documentable, maintainable, economical and auditable control environment.
These characteristics must be purposely developed and built into the system from the beginning, which is why the opportunity for Workday to begin with a clean sheet of paper was so crucial to our approach to governance. Essentially it afforded us the opportunity to build control and governance into the core of our system. Here are the five key elements we used to design Workday Financial Management and that, we believe are necessary, for financial systems to meet the compliance needs of modern businesses:
Controls that map to business process frameworks: All business event activity should be modeled and governed within a dedicated business process framework (BPF). Nothing should move unless it is modeled within the BPF.
Unified with the user system-of-record: An effective compliance environment is possible only if the entire enterprise system has intimate knowledge of the users and their roles, permissions, approval limits, and managers and how they fit into their many organizations. The “worker” object should not be an HR thing separate from finance, it must be a “business thing” shared by finance and HR systems.
Self-documenting: Business processes come defined and documented in Workday’s BPF tool. Any process change is done in the tool so the processes are self-documenting. And since the information is unified across the system, this documentation includes who made the change and when.
Always-on audit: Modern in-memory data structures allow all system data to be accessible at any time and in real time, allowing continuous access to audit evidence. Traditionally, auditing has mostly focused on evaluating the past and ensuring compliance.
Audit the model not the transaction: Transaction testing is often the primary cost driver for audit effort and fees. Legacy systems did not incorporate a true comprehensive governance model and so required significant detail for transaction testing. A system based on a unified control and governance framework supports the much more efficient and effective “test the model” approach.
While discussions around governance and control may not be the most exciting part of finance, it is something that organizations must get right. Successful delivery of governance and control can make a huge long-term difference in enterprise systems, and play a big role in what separates new systems and approaches from legacy ERP systems.
Read part four in Mark Nittler’s blog series, “Partner Perfect: How the Finance Team Can Help Guide Business Strategy.”