SAP’s Sonny Dasgupta answers questions about how an IT organization can protect its company’s reputation and bottom line from fraud with Oversight Systems’ continuous transaction monitoring (CTM) software. Oversight Systems’ CTM application is an SAP-endorsed Enterprise Business Solution.
According to the Association of Certified Fraud Examiners’ (ACFE’s) 2010 “Report to the Nations,” 5 percent of the global gross domestic product (approximately $3 trillion) was lost to fraud in 2009. In the United States, the loss due to fraud in 2009 amounted to $700 billion. What are security teams at businesses doing to protect themselves from fraud? How do they monitor their organizations to make sure that all employees are complying with their security policies? I interviewed Sonny Dasgupta, senior director, solution marketing, SAP Governance, Risk, and Compliance Solutions at SAP, and asked him those questions. He talked about what measures security and auditing teams can take to protect their organizations from fraud. I also asked Sonny to comment on how organizations can improve their performance with Oversight Systems’ continuous transaction monitoring (CTM) software, to explain the functionalities that Oversight Systems’ CTM application offers to users, and to share feedback he has heard from companies that have implemented Oversight Systems’ CTM application.
Have you spoken with any security teams at companies using SAP solutions? If so, what measures are these teams taking to prevent fraud?
Yes, for my day-to-day job in GRC, I speak with security managers at different companies in various industries using the SAP BusinessObjects GRC solutions. On that topic, our SAP BusinessObjects Access Control product provides segregation of duties to ensure employees have appropriate access. Many aspects of security are built into our product and maintained by users. However, when it comes to continuous transaction monitoring, our audience at clients is not restricted to security staff. For continuous transaction monitoring, we focus heavily on the line-of-business users because generally they have a good understanding of their business processes and are responsible for preventing fraud, error, abuse, and other such exceptions. In this economy, most companies are aggressively looking for ways to cut cost and improve their bottom lines. So it’s no wonder that companies are taking action and starting projects to prevent fraud, abuse, errors, and other such events that take away from the bottom line.
What software can be used to monitor SAP systems for signs of fraud?
SAP solutions come off the shelf with controls embedded in them. A good example would be SAP ERP, which has key controls already in place for companies to implement, based on their business scenarios. But having controls is not enough. You have to also prove that these controls are working efficiently and mitigating risks for your company. As part of the SAP BusinessObjects GRC portfolio, SAP BusinessObjects Process Control provides users with capabilities, and our EBS (Enterprise Business Solution) partner, Oversight Systems, also enables businesses to monitor every transaction in their ERP and other systems to look for opportunities to improve business processes and reduce cost by eliminating fraud, waste, errors, and abuse.
How would an IT team use SAP BusinessObjects Process Control with Oversight Systems CTM software? Would many integration steps be necessary to use the two applications?
Oversight has certified integration with the SAP BusinessObjects Process Control application. Through the integration, Oversight alerts SAP BusinessObjects Process Control of potential control violations identified by transaction monitoring based on event-driven defined rules, proactively providing the last line of defense.
In the GRC Guru Network on LinkedIn, Norman Marks recently cited an ebook from SC magazine that suggests that businesses might be “focusing too much on prevention and should think more about detection.” How does CTM software help businesses improve their focus on detection rather than prevention?
Norman has a good point. I don’t think businesses should stop prevention efforts, but there are powerful tools available for monitoring payments after the fact. In some cases, prevention may not be feasible or cost effective, but we should still look at detection and look for ways to improve the time lag between a fraud event and its detection. CTM software has the ability, for example, to analyze patterns of payments to vendors to discover anomalies in amounts, frequency, approvers, or types of purchases.
I viewed Patrick Taylor’s (CEO of Oversight Systems) whiteboard presentation on creative accounting 101 (i.e., cooking the books). Can you explain how Oversight Systems’ continuous transaction monitoring software helps prevent financial reporting fraud?
When you look at the sheer volume of transactions that an average company deals with on a daily basis, it is very difficult to find an anomaly in that volume. For example, if there is a transaction in your GL that significantly exceeds the usual range for that type of transaction, it is very difficult to detect it, unless you know of it beforehand. An automated continuous transaction monitoring solution, like Oversight, can notify you that the journal entry line for a credit posting is significantly higher than the average credit posting to this account. The Oversight solution comes packaged with predefined integrity checks to catch these types of exceptions not just in financial reporting, but for other areas of business as well.
What steps are necessary to implement Oversight Systems’ CTM software in an organization? Can the software be easily integrated with SAP applications?
Oversight provides a proven methodology to implement its CTM solution. On average, it takes about three to six months to implement the CTM solution. In the design phase, it is important to carefully define success metrics for CTM projects and measure success based on those metrics. Another important thing to remember is that even after you implement CTM, you have to continuously adjust your rule sets as the business changes. In a sense, a CTM project truly is a CIP (continuous improvement project).
I read recently that Celanese implemented Oversight Systems’ CTM software to monitor its transactions. Have you spoken with any employees at Celanese about their experiences after this implementation? What improvements did they notice?
Yes, that is correct. Celanese has implemented the Oversight CTM solution. The Oversight team is in constant communication with Celanese. After the initial rollout, Celanese plans on implementing other areas to improve process efficiency. For example, by analyzing a historical transaction using Oversight reasoning engine analytics, the Celanese team has automated many of its SOX (Sarbanes-Oxley) controls. The team has also identified duplicate invoices by vendors that have an impact on the company’s bottom line. Apart from that, by automating its manual processes around monthly GL close, Celanese is saving actual labor hours.
Have you spoken with any other people who have implemented Oversight’s software in their organizations? If so, what comments did you hear from them?
Oversight customers are household brand names in all industries. When we talk to them, what we hear is that all of these companies have improved their cash flow, lowered their G&A cost, and improved their audit efficiency.
What functionalities are users of Oversight Systems’ CTM software able to use versus users who have not implemented Oversight’s application?
Oversight’s CTM solution is complementary to SAP’s solution. As an EBS partner, Oversight can provide a CTM solution that has application-level integration with SAP solutions for end-to-end business processes. The Oversight CTM solution covers all the major business processes — Procure to Pay, Order to Cash, HR – Payroll, General Ledger, Payment, and Travel Card Spend. The use of advanced analytics with best practices-driven integrity checks is unique to the Oversight CTM.
Let’s say you heard comments from security administrators or members of an auditing team that they were confident that their current policies adequately protect them against instances of fraud in their organizations and therefore they don’t need to implement any CTM applications. What would you say to them to persuade them to implement a CTM application?
That is not surprising. Before implementing the Oversight CTM solution, many of the current Oversight CTM customers believed that their current policies were adequate to catch fraud, waste, abuse, and errors and that they didn’t need a CTM solution. These companies, after implementing CTM, are very happy that they have Oversight in place instead of relying on their manual processes.
What advice would you give to a security team that is just starting to implement a CTM system to protect SAP systems?
Any time you start a CTM project, collaboration is definitely the key to success. Even though security teams may be very efficient in implementing the controls, the controls need to be defined by the line of business. Also, having clear objectives before you begin your implementation would help to measure your success with CTM against these objectives.

Gary Byrne
Gary is the managing editor of Financials Expert and SCM Expert. Before joining WIS in March 2011, Gary was an editor at Elsevier. In this role he managed the development of manuscripts for Elsevier’s imprint responsible for books on computer security. Gary also has held positions as a copy editor at Aberdeen Group, a Boston-based IT market research company, and as an editor at Internet.com, a publisher of content for the IT community. He also gleaned experience working as a copy editor for International Data Corp., a Framingham, MA-based IT market research company. He earned a bachelor of science degree in journalism from Suffolk University in Boston. He enjoys traveling, sailing as a passenger onboard schooners, and helping his wife, Valerie, with gardening during summer weekends. He’s a fan of all the Boston sports teams and once stood behind Robert Parish in a line at BayBank. He felt small and didn’t ask for an autograph. You can follow him on Twitter at @FI_SCM_Expert. His online footsteps can also be found in the SAP Experts group on LinkedIn. You may contact the author at gary.byrne@wispubs.com. If you have comments about this article or publication, or would like to submit an article idea, please contact the editor.