In fairness, years ago in the world before Sarbanes-Oxley, there was little need for companies to dig deeply into the effectiveness of their internal controls, and it wasn’t even technically feasible. With $200,000-per-gigabyte storage and processing power limitations, on-premise systems maxed out just capturing journal entries and rolling them up to ledger balances.
Today is a different story. In the current business climate of heightened corporate accountability, governance can no longer be an afterthought. Without the right controls and governance in place, businesses can suffer serious consequences.
Legacy finance vendors have responded to this need by acquiring new technologies and bolting them to their stacks. However, this “aftermarket” approach comes with a number of drawbacks that create the potential for significant errors and risks. In more detail, this approach is:
- Inefficient. Aftermarket controls add weight to processes that were never designed to handle the load, resulting in “dim-the-lights” performance. As a result, users often turn off system controls and manage compliance manually.
- Hard to document. Legacy software requires manual documentation of controls via spreadsheets, written descriptions, and flow diagrams that then must be manually updated.
- Difficult to maintain. The bolted-on controls model never completely connects people with automated business processes, so control parameters—such as which employees can approve what processes—must be manually updated when there are personnel and organizational changes. In addition, security must be managed separately for each system, making it complex and costly to maintain.
- Not comprehensive. Since concepts like workflow arrived many years after legacy systems were designed, a control framework wasn’t core to the system design. Controls had to be individually established for specific processes. This piecemeal approach isn’t comprehensive and means that for any new or adjusted process, control and audit requirements have to be addressed separately.