Approva Automates Compliance Efforts with BizRights
February 27, 2007 Alex Woodie
When it comes to ensuring that certain regulatory controls have been implemented in your ERP system, it’s one thing if Joe from accounting gives the “thumbs up” sign while grabbing a cup of coffee, and quite another when the approval stems from a regimented process originating from outside the company. Auditors, in particular, would really rather have an external process, such as the one implemented by Approva’s BizRights program, which actually is the remediation system used by two of the Big 4 accounting firms.
The Sarbanes-Oxley Act has been a tremendously disrupting influence on IT shops over the last few years. IT managers have had to take long, hard looks at how they implement security on their back end servers and the applications that run on them. They’ve been forced to institute systems that track every time people or other applications touch financial data and applications, and to segregate user duties to reduce the opportunity to commit fraud.
While Approva was already in the works when the Enron and WorldCom scandals of 2001 hit the news, the company was largely built on the legislation that followed these notorious events, notably Sarbanes-Oxley. Since then, it has attracted more than 100 customers, mostly Fortune 500 companies running the big tier-one ERP packages, such as SAP R/3, Oracle E-Business, and PeopleSoft Enterprise, which is now owned by Oracle.
Earlier this month, the company announced BizRights version 3.5.2, which introduced support for J.D. Edwards World and EnterpriseOne, once the gold standard for OS/400-based ERP suites, and now Oracle’s offering for “small to mid size businesses.”
‘Get Clean, Stay Clean’
BizRights is a Windows-based product designed to help users find the areas of their enterprise applications where they are lacking the audit tracking and segregation of duties functionality required by Sarbanes-Oxley. The software does this by analyzing actual ERP transactions downloaded from the production system into Approva’s SQL Server-based database, and then running a range of queries and algorithms against them to root out problems.
“We help you get clean, and then monitor the system on an ongoing basis to keep you clean,” says Steve Elliot, Approva’s chief technology officer. “You have to build the controls around how they run their business and their security. First you need to get to a clean environment. First you expose issues, then remediate them and track any transaction issues.”
BizRights looks for a range of problems, from the potentially fraudulent–such as the contact on the vendor list that has the same address as an employee–to the troublesome–such as the lack of necessary separation around developer duties. In each case, the software suggests ways to help the user resolve the issue.
While some companies are successful at detecting potential Sarbanes-Oxley violations on their own, many companies find the process daunting, according to Elliot. “Segregation of duties is one of the most difficult requirements to deal with, especially with the larger ERP systems,” he says. “It’s very granular and iterative, and difficult for users to write their own algorithms, and keep up with the changes from version to version. We are experts at that.”
Although Approva tailors its software for the big-name ERP systems, BizRights works with practically anything you can throw at it, and is increasingly seeing mid-size ERP applications, such as J.D. Edwards and Lawson. “We work with anything–homegrown, mainframe,” Elliot says. “Most of the customers we talk to are so big they don’t have just one ERP. Out of all the deals, 80 percent are cross-application.”
Some customers are hit with a bit of “shell shock” the first time they run BizRights through the system. “It exposes so many issues they didn’t even know were there–thousands and thousands of issues,” he says. But once the customer has gotten “clean,” the number of violations flagged by BizRights should drop dramatically, and managers will only receive the occasional e-mail alerting them to potential problems.
The BizRights ecosystem is healthy and growing at a good clip, according to Elliot. Some of its partners have adapted the product with their own industry-specific content, such as meeting requirements for federal contracting. The company is also seeing increased demand for HIPAA remediation skills, and expertise in handling leases in the oil and gas business.
The product sees a lot of use thanks to KPMG and Ernst & Young, two of the world’s Big 4 auditing firms that have adopted BizRights for Sarbanes-Oxley audits. “Whenever they go out and look at ERP systems, they use our software,” Elliot says. “It forced us to make our software permanent for our customers but portable for our auditors. We had to get good at solving problems very quickly.”
To support these customer engagements, Approva built co-location centers where it uses VMware’s software to carve Windows servers into multiple virtual servers and run pilots for potential BizRights customers. A week or so after downloading a sampling of data into the BizRights data warehouse, customers can begin working with the software to see how it would work with their systems.
BizRights version 3.5.2 is available now. Pricing typically ranges from about $250,000 to $400,000. For more information, visit www.approva.net.