Governance snake oil warning
According to a Tweet message I've seen that is being repeated:
The GRC market is believed to boom after the indian enron "Satyam" case came into picture last wednesday. SAP and ORACLE seeks opportunities
In an application sales starved market, all vendors will be scrambling for opportunities.
I'm going to say flat out - this is irresponsible scare mongering. If you're approached by a sales person in the governance space promising to button up your governance procedures then FORGET IT. The same person also said:
implementation of sap grc access controls and process controls could have saved satyam from fraud in accounts
How can they know that? Anyone with a smidgen of audit experience would know that is simply flat out wrong. The fact is no-one knows precisely what happened and until an investigation gets under way and reports back, we will remain in the dark. According to Satyam's former chairman B Ramalinga Raju:
The gap in the balance sheet “has arisen purely on account of inflated profits over a period of last several years”
Let's put this into perspective. Governance tools, which typically cover access and process controls, can do a great deal to prevent certain types of fraud. However, they are only as good as the culture of governance within the organization. Rarely, if ever do they reach the C-suite. Is it realistic for example to assume that even in a well run organization, the internal governance and audit people are going to have executive oversight of the kind implied by the person making these claims? No chance.
Then there is Satyam itself. The company's governance has been under question for months. One assumes that something was being done to ensure that the finances were sound. Given this fraud took place at the C-level it must be patently obvious that fiscal governance could not prevent the problems that are unfolding. Satyam has been an SAP global services partner since March, 2008 so given the scrutiny it was under, they cannot have been unaware of the need for access and process controls or the solutions that sit around the topic.
Note also that our intrepid sales person says 'could.' In today's climate that isn't going to cut it. Anyone hearing that and assuming that 'could' equates to 'would' should think again. The phonic difference is subtle but critical. As with all software it is not the tool but how it is used that makes the difference between success and failure. Not that sales people will emphasize that aspect of the negotiation.
Equally important are the wider issues that will impact GRC solution development. Discussing this topic with my fellow Irregulars and others who are close to compliance issues, it is clear that the notion of global governance is in tatters. PwC has been shown to be ineffective. The audit profession is under intense scrutiny. Questions are being asked about India's governance structures and systems. Some are casting doubt over the SEC's effectiveness. What happens next?
There is a real prospect of radical change in the systems of governance that will apply in the US and elsewhere. In that kind of environment, who can second guess what the landscape might look like? A software company? If ever there was a case of watching out for snake oil salesmen then this is it.
UPDATE: Raju is reported to have been arrested. Among other charges: 'falsification of records and forgery. Unless you're looking for it, falsified records are hard to spot. Forgery is very difficult to deal with and way beyond the capabilities of any auditor undertaking a review in the normal course. I don't know any GRC software that would address the latter problem.