The event was co-hosted with the Financials, BI, and HR events as well, providing a great mix of people and topics. Most of you know that I’ve been attending these events for more than a decade, but I must say that this event was one of the best ones yet. Throughout both the keynote sessions as well as many of the breakouts, SAP provided insight into core areas of focus for the upcoming years. Not surprisingly, one of the big trends is towards going mobile.

I must confess that I’m not a big fan of the standard SAP interface, so my excitement grew as SAP introduced a host of mobile applications for both the iPad and the iPhone. I also love the idea of being able to not only see real-time data on a mobile device, but also interact with that data to drill into details and collaborate from anywhere. As someone who travels extensively, I’m a huge fan of being able to stay productive when on the move.

During one of the keynote sessions, one of the SAP presenters mentioned that in the near future SAP will deliver applications that integrate with standard workflow, allowing approvers to review and address the items they are responsible for on their mobile device. The example he gave was of a manager receiving a CUP (Central User Provisioning) workflow requesting approval for security-related access related to a new hire. He asked the audience to image how, sitting at a conference room table during a lull in a meeting, this manager could quickly review the access request and approve it without leaving the room. He further suggested that this would enhance internal controls, because people can review and approve items at time when that fit best into their own busy schedules. This comment intrigued me, and has caused me to ponder: Are mobile approval processes more likely to improve internal controls, or contribute to their demise?

I understand the premise. If I’m able to deal with items like this at a time that is most convenient to my ability to process them, I’ll be in a position to do a more effective review. And if I’m in a position to do a more effective review, than that in theory should result in a higher quality review because of my focused attention. The auditor in me wonders, though, if the fundamental assumption underlying this premise flawed.

I agree that if someone is actually choosing to review workflow items like this when they have an appropriate amount of time and mental capacity, this would improve the review and thus improve internal controls. Is it really reasonable to expect that the majority of users will behave this way, however? We live in a world where multi-tasking is prevalent. People check their phones in the middle of dinner conversations. They respond to emails in the middle of conference calls. They text while driving (and the problem is so bad we actually have to implement laws to curb this behavior vs. relying on common sense). Is this an environment that fosters a better review, or merely one that is faster (and less thorough, as a result)? If I have a big green “Approve” button, how often will I actually read the related detail vs. simply clicking that button so I can move quickly to the next item in my inbox?

Don’t get me wrong…I’m not suggesting that everyone will shirk their responsibilities and work this way, but we have to suspect that some will, correct? It’s also true that not everyone does an effective review of the items assigned to them today, even without mobile. But the question remains, is mobile approval more apt to encourage those who currently do an ineffective review to be better, or is it more apt to provide a means for those currently doing an effective review to become lax? Which way will the scale tilt?

I mentioned earlier that as someone who travels extensively, I’m a fan of staying productive while on the move. I commend SAP (and other application providers offering mobile solutions) to allow me to do that. As an auditor, however, I must also think about the risks this introduces, and how we as an organization can address those risks. I speculate that, assuming sufficient information is captured, it might be possible to implement some monitoring procedures, (likely using data analysis techniques), that could detect bad behavior. For example, if we’re able to track how quickly a manager approves a workflow item after receipt, we can distinguish between those who consistently “Accept” quickly from those who take more time with the review (particularly if the application captures when they first open the item relative to the approval/rejection, as well as the time they update it). Better yet, if the system tracked whether someone scrolled through the detail, it would at least allow us to see those who didn’t even try.

I also wonder what type of preventive controls we could enact to mitigate our risks. Obviously user training and clear policies & procedures need to be part of such a system, but are there any application controls that could be of use? Will it ever be possible to consistently prevent an ineffective review/approval process rather than just detect the symptoms? Perhaps time will tell. Until then, I welcome your thoughts.

Steve Biskie, Managing Director, High Water Advisors
Steve Biskie is one of the most sought-after speakers, trainers and consultants in the governance, audit, and internal controls arena, particularly for organizations running complex software application systems. Throughout his career of more than 20 years, he has excelled at helping others in the audit and GRC space better understand the risks and opportunities embedded within complex application systems, and develop high-efficiency processes and technology to optimize management monitoring and risk identification processes. He is a Certified Information Systems Auditor (CISA), Certified Information Technology Professional (CITP), Chartered Global Management Accountant (CGMA), and a non-practicing Certified Public Accountant (CPA).

www.highwateradvisors.com/blog

Lisez gratuitement chaque jour (5j/7) le quotidien Finyear.
Recevez chaque matin par mail la newsletter Finyear, une sélection quotidienne des meilleures infos et expertises de la finance d’entreprise.
Lien direct pour vous abonner : www.finyear.com/newsletter

Lisez gratuitement chaque mois :
- le magazine digital Finyear sur www.finyear.com/magazine
- la lettre digitale "Le Directeur Financier" sur www.finyear.com/ledirecteurfinancier
- la lettre digitale "Le Trésorier" sur www.finyear.com/letresorier
- la lettre digitale "Le Credit Manager" sur www.finyear.com/lecreditmanager
- la lettre digitale "Le Capital Investisseur" sur www.finyear.com/lecapitalinvestisseur