Which employees have access to the most sensitive data in your organization? You might say human resources because they have performance reviews and salaries. From a company viewpoint, that is not quite right. There are two other areas to consider: customer data and financial data. Let’s look at financial data more closely and why you need access governance to control it.
Why Finance Needs Special Protection
The finance department owns the company’s most sensitive data concerning profitability, costs, and financial reports. Here are a few of the problems that can occur when confidential financial data is inappropriately accessed.
- Threatened vendor relationships. Your company works hard to negotiate preferred pricing with a major supplier. If that pricing information becomes public, your contract with the supplier may be voided. Further, you will have a painful time recovering from the breach.
- Unauthorized disclosure of “what if” analysis. To aid senior management, finance professionals are asked to produce a variety of reports, for example the costs of opening a new office in several candidate locations or the benefits of outsourcing a particular function. If these documents are made public before a firm decision is made, senior management’s ability to act will be limited.
- Harmed employee morale. What happens if your company’s compensation data becomes public or is circulated internally? Employees may view different pay levels on a spreadsheet without knowing the context. Public criticism and employee attrition are more than possible in this scenario.
- Diminished customer trust. Some customers, especially large enterprises, have exacting standards for cybersecurity. If your financial data is disclosed inappropriately, you may have to face penalties or spend extra time explaining the situation to your Fortune 500 customers.
The above examples are just a few of the problems your company may encounter with poor access governance for finance. Publicly traded companies face even higher demands.
Access Governance Is Mission Critical for Public Company Financial Data
As a public company, you have access to the stock market. However, investors and regulatory agencies expect published financial data to be accurate and to conform to regulatory and industry norms. Specifically, you must take steps to prevent insider trading, which is based on “material information.” According to Investopedia, material information includes:
- Dividend increase, decrease or omission
- Quarterly earnings or sales significantly different from consensus
- Gain or loss of a major customer
- Changes in management
- Major development specific to that industry
- Government reports on economic trends (housing starts, employment, etc.)
- Major acquisition or divestiture
- Offer is made to tender shares (acquisition)
Several of the above examples — quarterly earnings, dividends, offers — directly relate to finance information. To use a simple example, if a trader gained access to a quarterly earnings report several days before the results were publicly announced, there is a strong chance of insider trading charges. Even worse, the CFO and finance managers will be asked to explain how this disclosure happened on their watch.
Evaluate Your Access Governance Current State
There are different ways to improve access governance. Before you leap into a solution, you need to understand your current situation. To assess where you should direct your resources, take the following steps.
- Catalog Your Financial Systems. You might think there is just one financial system in your company. In reality, there are usually multiple sources, such as “shared drives” and specialized analytics tools. Imagine you are a “rogue employee” seeking to steal financial data — list every resource they might use.
- Identify All Users With Financial Data Access. Start at the top: list all the finance managers and executives. Next, list out all the individuals who work for those people. To be truly comprehensive, you will want to look beyond the finance department.
- Document Access Governance Review Processes. What policies and procedures do you use to review, change, and revoke access to financial data? Do not settle for the written access governance procedure: verify whether it is actually put into action.
The last step above — review processes — generally turns up a variety of problems. Either access governance reviews are not carried out at all, or they are done inconsistently. Use the next section to start fixing those problems.
Ways to Improve Access Governance for Finance
Now that you understand your access governance problems and gaps, it is time to improve. These steps will put you on the right path.
- Organize an access governance training event. With security matters, poor training tends to be a root cause of failure. Organize a short training session for all finance managers to attend so they can understand the importance of access governance and their responsibilities.
- Create an access governance checklist for managers. If access governance remains theoretical, nothing will change. That is why we recommend developing easy-to-use documents, such as access governance checklists for managers. Keep them to one page or less for best results.
- Obtain an access governance software solution. Manually tracking access governance requests is a pain. Use a solution like Compliance Auditor to automate the process and keep reliable records.
- Develop access governance reporting. Without reporting, access governance is easy to ignore. Include a metric on your quarterly reports to executives demonstrating that “all finance user access has been reviewed and approved.”
- Seek input from your auditors. Your auditors are essential stakeholders for access governance. Take the time to meet with them and ask them what they expect to see. Usually, they want to look at a consistent process aligned with your policies.
Once you have the finance department access under control, start to look at other areas to improve access governance. As a next step, look at your customer service and sales departments. They have critical data that needs to be protected.
Next Steps for Access Governance
As you carry out your access governance analysis, it is easy to get overwhelmed. There are so many systems to protect. Finance has monthly and quarterly deadlines to hit. In the heat of meeting those deadlines, access governance is easy to forget. If that sounds like your situation, make sure you obtain an access governance solution. Access governance is too important to leave to chance.