Access Governance for Higher Education
How access controls can help higher education avoid unwanted surprises.
An administrator for the Department of Emergency Medicine at Yale University recently pled guilty to defrauding the university of $40 million. And statistics from the last two years tell us that fraud cases are on the rise.
Higher Ed institutions are under increasing pressure to ensure they are not next.
For Yale, a $40 million loss is taken right off their bottom line. And what’s more, it could have been prevented. That’s not to say that prevention is easy. Enforcing internal controls over financial transaction processing and risk management, especially in large institutions, is complex and requires dedicated teams and solutions to prevent fraud.
Join our thought leaders, Mastek's Jeffrey Admonius and SafePaaS CEO Adil Khan, as they discuss how building an ecosystem of effective internal business process controls provides a solid foundation for managing and controlling risk, and how technology plays a key role in safeguarding you moving forward.
How to build an effective internal controls framework
How controls can help not only mitigate risk but propel you forward
What steps can be taken to prevent risk
How Access Control solutions can help
HOW ACCESS CONTROLS CAN MITIGATE RISK
Emma - Good afternoon, and thank you for taking the time out of your busy schedule to join us today for “How access controls can prevent Higher Education from unwanted surprises.” I'm delighted to be joined by Jeff Admonius from Mastek today, along with our very own CEO at SafePaaS, Adil Khan. They'll be discussing the challenges that higher ed faces in today's current landscape, and how you can overcome them. So, just a few housekeeping items before we get started. The session will be recorded for reference and on-demand viewing afterwards. And we will leave a little bit of time for Q&A at the end of the session. So if you do have any questions, feel free to pop those across in the control panel.
So this is the agenda we will be following today: why are we all here today? Why are we hosting this session? How to build an effective internal controls framework, how controls can not only mitigate risk but propel you forward, solutions, and a case study towards the end of the session. So, Jeff, if you, oh, sorry, Adil, if you'd like to briefly introduce SafePaaS, and then I'll hand it over to you, Jeff, and you can dive into the discussion.
Adil - Yeah, thank you, and welcome, Jeff, and welcome, everybody attending. It's a really timely topic. We're talking to a number of our higher ed customers that are interested in improving their access governance to get ready for the new year. Cyberthreats continue to bog down operations and IT folks. So, yeah, just quickly on SafePaaS, as most of you know who we are, but not all on this call. Basically, what we stand for is the governance platform that enables customers to prevent risk in their businesses, and detect risk and so forth. So, to accomplish that, we have built this platform on a solid foundation that is SOC-compliant. It's got almost six million users on it now, which makes us, from what I've been told, the largest platform on the internet for access governance. And we apply all the modern fault-tolerant technology to make sure the system stays up. And it's monitored and secure 24/7, so it's a really solid platform. If you're looking to go on and build a solution, this may be one of the options to consider, because obviously, it's more scalable, secure, and so forth.
We also integrate into all major platforms that customers, especially in higher ed, use to control the risk in their business. So, what's popular in higher ed, for example, there is PeopleSoft and Workday and those kinds of systems. There's also, we worked with Cash Edge, which is a campus payment solution, and many other systems that are used on campus to ensure smooth operations.
We've been recognized by Gartner and all major audit firms that either use SafePaaS or audit their customers using the input from SafePaaS. We've been around for a long time, and the management team alone has over 100 years of experience. I alone have about 20 years in this industry, and have written a book, with Oracle security folks, called the Governance Risk and Compliance Handbook for Oracle, and many other white papers and e-books that are available online, on our website; please take a look at those.
So that's a quick overview of SafePaaS.
Jeff - Thanks, Adil. Hi folks, I lead the Education and Government Practice for Mastek Inc. We're really happy to be here today, speaking with Adil and the SafePaaS folks. I have been with Mastek for about three years, and prior to that, about 20 years in the industry with Oracle. And the majority of that time, I've been working with higher education as one of the markets that I worked in. I’ve probably been inside about 150 different universities and colleges across the country. And I wanted to talk a little bit about who Mastek is, as well as a little bit about the topic of governance and fraud in the market.
So, Mastek, many of you may not have heard of our organization, but we've actually been in business for over 40 years. And we have a global workforce of about 5000 employees. So, a pretty substantial company. One of the key things about our organization is, we've actually done over 1400 cloud implementations, and about 130 of those within the higher education and public sector space. I think that you'd find that is a very large number within the consulting market, as far as cloud implementation. We've also had a lot of impact. We’ve impacted millions of citizens through some of our custom solutions, actually around fraud detection, legal, immigration, and things that we do for government, as well as more than a million stakeholders that have been impacted through various public initiatives that we've done through our student partnership called Deep Blue. So we basically have partnered with about one thousand students in developing these programs to go and try to solve some of the big problems out in the public.
Our organization has pretty broad coverage of solutions, whether that's customer experience on the front end, both cloud front-end and back-end solutions, digital engineering, or custom development; our innovation labs, where we bring some of the latest technology to bear on your business problems; data reporting; artificial intelligence; and finally, support for all of those solutions.
As part of our work, we've developed a transformation process called Glide. We're in our fourth iteration of Glide, which is really focused on being a business- or industry-based solution for moving your on-premises applications, whether it's EBS, PeopleSoft, SAP or Banner, to the Oracle cloud.
We're really proud of our partnerships, both with Oracle as a Platinum Partner, and Salesforce as a Summit-level partner. And we're also really, really proud of being named as one of the top 20 global implementers in the Gartner Magic Quadrant for the last four years. So, really proud, and really excited about that, and hopefully that gives you a better idea of who Mastek is going forward.
Next. Next slide.
So, the big picture of what we're talking about today is, I think everyone has seen the headlines. A recent one here in 2022, a case of fraud in the Department of Emergency Medicine: more than $40 million defrauded out of the University. Accounting errors that have more than a $20 million impact in Australia.
Charges raised at the University in Texas for financial schemes to take money out of the University. And then stolen funds, employees taking funds out of the University of Missouri. These are the headlines, and probably all of you, being in the higher ed industry, notice these headlines. But actually, if we get to the next slide, it actually gets worse.
So, actually, the total loss in all industries: there was a study by the Association of Certified Fraud Examiners for all industries, and total fraud was about seven billion between 2016 and 2017; at least 70 million of that was in higher education.
But that's really what was reported. It's actually worse: only about half of the fraud is ever reported. So, these are significant numbers. The median loss is about $68,000 in various schemes: corruption, or basically using influence to make money off of financial transactions with the university, or billing schemes where you bill for some product or service and have the funds routed to your own accounts. And sadly, what's even worse is, typically, it's folks who have been with your organization more than five years that are the biggest risk, because the losses associated with folks who have been around the organization longer are much larger.
So how does this happen? I think it's a combination of things, and it’s not only an issue within higher education; all industries have these types of challenges. I think in higher education as a market, some of these are even more exacerbated. Weak control environments: I think some of this goes to the distributed nature of work within higher education institutions. You have different colleges, different departments, things are spread out. And there may not always be clear control over the accounting and financial services across the organization.
Certainly over the last couple of years, and even prior to that, impacts on staffing, whether it's resources, budget cuts, and resources being lost or being laid off through periods of time, have made the problem worse, with less oversight and also the challenges of segregation of duties across those kinds of diverse environments. A lot of times, approvals may be more of a rubber stamp, just getting through, and there may not be clear asset management across all departments, colleges, or even major projects within the University. A lot of times, even if there are policies and procedures, they're not fully communicated to folks around the organization. It may not be clear what those policies are or if they're enforced. The reporting structure being siloed among different colleges within the university can make it harder to track what's happening with the finances. So, that gives you a bit of the picture of what some of the challenges are, and what the size of the impact of these problems is.
I’m going to hand it over to Adil now, and he can start to talk about what are some of the solutions that are available to address this.
Adil - Yeah. Thanks, Jeff, for that insight. So, from a SafePaaS perspective, where we can bring value here is really to help you understand the internal controls framework that has been adopted widely by many industries, including education, higher education.
So this is a framework that's been around for a long time. I became more involved with it when Sarbanes-Oxley became law. I was running a US-listed public company on Nasdaq at the time. And my auditor, Deloitte, came and said, this is the new framework for disclosure. And since then, it has become the industry standard for higher ed, and many other industries, and so, basically, this framework is well proven, real-world-tested, and your auditors - the major audit firms that I referred to earlier in the introduction - all are expecting you to have these controls. And in my experience working with universities, I met some really bright heads of departments that really understand the concept of controls at the high level. But when it comes down to how those controls are audited and why fraud occurs, as in the examples that were just shared by Jeff, that's where people are scratching their heads. They're saying, we have some of the smartest people working in our groups, and why are we having this problem? A lot of the challenges Jeff laid out can be addressed through a framework, and I'm not saying this is the only framework, it is just the most widely used framework. That's what companies are audited against around the world, but there are many other frameworks. There's an ISO 31000 framework. There are specific IT-level frameworks that we look at ourselves and are bound by, like ITIL or COBIT. But I wanted to keep the conversation at the level that you can drill into where you want to take it. So, the control environment is the concept of having an environment where, starting with the tone at the top, your people at the top of the company are doing the things, and setting the example, on how they'll follow their own company policies and ethical guidelines and the core values that the organization has.
So that's where it starts.
Then you hire people in the organization that abide by those values. And you hire competent people to do their job, which is hard to do these days. People have a lot of options for where they want to go work, and we're lucky to find people to come and work at any company now. The same applies to higher ed. Then having a delegation of authority structure; roles and responsibilities are well defined.
Policies are written and followed, so that creates a control environment that higher ed can benefit from. Now, most in higher ed have that in place, so the question is: what can you do better? It's the enforcement of that. It's the operationalization to make that all sustainable.
I've seen a lot of three-ring binders in my days over the last 20 years where there are well-meant, well-written procedures and policies that were developed sometimes decades ago. And they're part of your training program, onboarding program.
But somehow, when push comes to shove, as Jeff just indicated, one of the challenges is, people want to get the job done, and they will sometimes rubber-stamp approvals, as an example, share passwords, or give too much access to people that probably shouldn't have that much access.
So, that's where risk assessment comes in. That's the second layer. Think of these things as lines of defense. So, you've created an organization, a culture, the tone at the top, the processes, the policies; that's your framework for your governance. You've already created that, and that's what your internal control framework begins with. But then you have to test it. How are we doing against those ambitious goals? You have those policies that are sitting in three-ring binders. So you perform some sort of an assessment with objectives in mind.
In the case of higher ed, I’ve had experience being part of the assessment teams at a number of top universities in the US. And I have a case to talk about as an example later on, specifically around risk assessment. And so, what that means is basically going and testing those policies and controls, and that's where I start to see, especially in higher ed, a lack of large internal audit organizations, or even centralized controls, because each department, as Jeff was saying, has its own sort of groups, in most average or larger universities in the US.
So, what you see is that the design is good, the control design is well done, but it hasn't been updated for a long time. And when the controls are being tested, they're tested in an informal way. So, one thing we have learned in the audit world is that the operational effectiveness of a control is tested by being able to perform that control independently.
What that means is that your external auditors can come in, read a control design document, and then follow the operation of that control to ensure that control is effective. And that's, again, where you identify risks.
So if you find that, in terms of the three-way match, which is a common procure-to-pay control, if that is your control, that you don't pay invoices until the receipt matches the PO and the invoice, or you pay within a small tolerance level, but people are paying invoices and the process is not being followed, that's what creates the risk in the business. It's a very formal process. All the Big Four perform that service for higher ed.
Many internal audit organizations within higher ed can do it themselves, and then share the results of their sample size, randomization, and their methodology, essentially, with the external auditors. So, that's where I started to see that there is some room for improvement, even at the best of the best universities out there, because of the pressure to get more done with less, especially in the last few years, as we have gone into this hybrid work world where we work sometimes in the office, sometimes from home, and all that stuff.
So, once you've done the assessment, then you start looking at control activities, and these are essentially the activities you perform as the process is happening, ideally. So, I picked the example of the procure-to-pay cycle, which means that you may have activities on how you set up a new supplier. So you want to set up a new supplier: how do you do the credit checks? How do you set up their personnel? Now, what's really important to universities and higher ed is being able to do third-party verification, not only on the typical financial stability, but also on IT risks. For example, we've all heard the stories of companies getting infected by patches that come in from a third-party IT provider. So all of those are control activities that must be verified to ensure that they're happening. So if the control activities are not happening, your control environment is not successful, because even though it says that you do a three-way match, it's not actually happening. That's an example of a control activity creating an opportunity for fraud, or waste, or errors in the business.
The purple element there talks about information and communication. So once you get control over your control activities, in other words, your processes are operating with all the controls in place, and people are executing based on their roles and responsibilities, then you also look at the layer around communication and information. So this gets into how you are disclosing information. How are you communicating internally, as well as externally? So, you have good methods for reporting fraud: who reports what fraud, where, by department, at the overall university level. And so all of those channels have to be pre-established and in place, and tested, just like everything else, to make sure they're operating effectively. Then there are the external disclosure issues that we have seen in the news articles that Jeff shared with us, where the disclosure is not only something that gets in the paper because it leaks out, etc.; it’s a requirement to disclose any deficiency of your controls to your stakeholders. Many successful universities in the US, the top universities, have these obligations because it's written into their contracts for grants.
So, a big, huge portion of your R&D comes from the grants that are given to the top universities, and all major universities in the US, by the industry to do research and development work. But they come with those conditions, that you have disclosure requirements. So, if you don't meet those requirements, you're going to lose the grant, which is a big setback in your ability to succeed.
And then there's monitoring activities. Last but not least, this is about doing it on an ongoing basis. What I find in universities, with limited budgets and so forth, is that it's happening in a reactive way. Reactive way means that your auditors come in, they find something that's wrong. They call it findings, and then you go fix it. That may be too late, because damage may have already been done and reputational risk may have already occurred. So by monitoring what we mean is doing that at a frequency that's suitable for the controls. So, not everything gets monitored daily. Some financial close items may get monitored once a month. Transactions like payments and so forth may get monitored on demand or every day. So you have this framework that guides you.
And once you build this framework, and in many cases universities have pieces of this framework, sometimes it's on spreadsheets and Word documents and SharePoint sites, and it's hard to follow, which creates a lot of confusion.
So what we're going to talk about a little bit later in this session is how you streamline and take advantage of the latest and greatest technologies that are available to you at reasonable cost and high ROI to accomplish that. And we'll share some examples with you.
So that's, in a nutshell, what you can take from this session: to assess where you are in your maturity level around an internal controls framework. Whether you use this example or some other, it'd be good for you to go back and assess your internal controls environment, how well you're doing. And I can give you a maturity model where companies go from informal all the way to optimized. So you go from informal to formal, then onwards.
So here's an example of a kind of a more optimized view of the procure-to-pay cycle, where your process decisions are data-driven. So, when you move from that informal to formal to maybe a kind of a structured approach to a really optimized state, you want to create these feedback loops, as I said, of not only having all the controls in place, but also having that continuous monitoring capability around your key processes. So, we picked the procure-to-pay cycle here. So, you can see that business risks are being defined in the very first silo, where you are looking for unapproved or illegal suppliers, maybe suppliers with known risks of cyber attacks, or other difficulties, financial and so forth. You're also looking for supplier relationships that have inconsistencies, whatever those criteria are. You are checking those business risks on some basis today, so these are things that you already have in place. What the systems and technologies can do, and where Jeff and I can help you, is really to talk about what your objectives are and how they are embedded into your business. So maybe you have control objectives in that second swim lane that, hey, we want to capture all the discounts when we pay invoices on 2/10 net 30. We want to take that 2% and not forget to do that. We are maintaining the right bank accounts, as I mentioned. We don't have the risk of somebody changing a bank account on our supplier because we bring in a contractor that changed some value in our supplier, and now the payment is going to the contractor instead of the supplier. Valid invoices, the three-way match piece I talked about. Purchase orders are approved by the right people, so it's not rubber-stamp approvals, and today that's happening in your ERP system. If not, you need to talk to Jeff; he can help you upgrade your ERP system. So these are the things that we expect our customers to be automating today from a control perspective.
If you're doing it manually, that alone becomes a risk, and many of the audit firms will simply write you up for the finding that you don't have enough controls around the process, just because of the manual nature of that. So, once you have your control objectives in place, and now you're performing these control activities, that brings me to this third silo, which is the monitoring of these activities in an automated world.
So, in the old world, we would go and look for 25 POs from purchasing, then we would go to Payables and look for 25 invoices. Then we would go to shipping and receiving and get 25 receipts. And we would sit down and match that. Those days are long gone, we all know that, but that's where this all started. Now, it's about real-time, agile business. Whether you're higher ed or a commercial business, or a government agency, you all have to do business in real time to meet your goals. And so, what we are offering, and what our leading customers are doing, is embedding all of that controls monitoring into their operations.
So, the systems are now smart enough that we can detect duplicate invoices. And what does that mean? Of course, you can’t put duplicates in an Oracle database. So, if you put in the same invoice number twice, it's going to say, no, I can't do that.
But that's not how an ERP system works. They have complex logic.
So, if you have the same invoice number, you can put a dash A at the end of the invoice number, you can put in a different amount, slightly different. And sometimes people just do that, because they want to go home and be with the family, and they just can't figure out this darn ERP system, because either they're new at the job, or they've just upgraded an ERP and they don't have enough training, many other reasons, reorgs and so forth. So you can fool the system, as long as you put something after. So where we come in is we're monitoring that process, and we're catching those things, and then stopping that from becoming a bigger problem, or reputational risk, or ending up in the news like we saw earlier from Jeff.
The same thing we can apply to all of your control objectives. A typical higher ed customer has, I would say, between 15 and 25 such monitoring controls just in their procure-to-pay cycle. And that makes their life easier, but also saves millions of dollars. You may be losing in discounts. You may be losing in overpayments that are very hard to collect, especially from one-off vendors.
So all of that is now happening in real time. So instead of chasing the paper, or running spreadsheets, downloading reports, or building custom reports, you are monitoring incidents. An incident is basically a violation of your rule or policy. So, as I mentioned at the beginning, SafePaaS is all about governing the business based on policies, so now those policies become alive. Your controls are alive. And when the risk occurs in your procure-to-pay cycle, it goes out there all the way to even putting a hold on the invoice automatically.
So instead of looking at hundreds of incidents each month or each week, depending on your volume, now you're simply looking at high-risk results out of the procure-to-pay cycle. And you have business owners and control owners focusing on how to prevent that risk, and maybe removing some false positives or making exceptions.
The CFO comes down and says, “Hey, we just signed this major agreement with McKinsey, we're doing analysis on our growth potential for certain types of students. How can we do that?” So they need a check today. And anyway, settlements, so those are exceptions we hear about in the procure-to-pay cycle. So we can manage those as well. But now you have streamlined that, and you've taken that controls framework, and in this instance, just for the procure-to-pay cycle, you improve risk assessment, improve control activities, you have automated controls monitoring, and obviously, you have improved information and communication. So starting with your big goal of creating a framework, and having that control environment at the top, you have taken all the rest of those pieces of the framework and streamlined and automated those so that you can focus on your day jobs, and really be proactive with your controls monitoring. So, as you think about these benefits, how do our customers justify those as business drivers to move forward? As we said earlier, it's hard to get budgets for anything, especially at higher ed. So, this requires some work, and there are some things we can leave you with. Each of you is in a unique position, but I'll talk through some of the common things that our higher ed clients have used to justify controls management and controls automation, and even an ERP upgrade, like Jeff's going to talk about.
One thing is pretty obvious. It reduces fraud, because guess what, once the money leaves the bank, it's very hard to get it back, whether you have to sue people, or first of all find them; maybe they're sitting in some other country. And this was done through some scheme, through inserting some software in your business, or taking over a rogue account, or an insider threat, or whatever that is. So it reduces fraud.
And so you can basically take the slide that Jeff just shared, apply that to your business, and you know the fraud that has occurred in your business. If not, you can check with your CEO or the audit folks, and they'll give you that answer.
The second thing, moving from top left to right, is the increased efficiency. So you noticed that instead of doing those manual risk assessments or pulling purchase orders and matching them with invoices and receipts, your system is doing it for you. So, your focus is more on the incidents, the risk assessment findings, if you want to use that term, as opposed to performing the function to actually gather data. Also, you're not waiting for this to be discovered by your external auditors. You are proactive, which, by the way, improves your compliance. So you have a fiduciary responsibility as a higher ed, when you take funds for grants and other donations that come in, to follow those compliance guidelines that are in those contracts. So you have to comply with them. You also have state and national guidelines that are specific for higher ed that apply depending on which state you're in. So, those are all now being met, because you have the evidence that controls are operating effectively. So you're not overstating or understating your liabilities or your assets. So, that solves your problem of compliance, and compliance gets ignored because compliance is really pushed out to the managers. Many times managers are required to certify. Each department has to certify that they are complying with the policies that are enforced by the state or the federal government. And now they can certify with confidence, because they actually have data to look at on what happens. So if there is a finding or there's an issue, that's an exception, they can bring it up before the compliance auditors come in and embarrass you with it. So there's value in that. Reputational risk, you're obviously controlling there as well. And that's the driver for our customers.
Moving down to the second row, increased cost efficiencies. I think that's a no-brainer from what I've said, because it's happening in an automated way, and those control deficiencies are reducing your cost. Security is a big deal. So we hear a lot about insider threats. There's actually a blog on our site, under resources, to go and read more about it, that gets into the details of it. But that insider threat is a big impact to your reputation, as the stories we just heard show. And the way it happens is, especially in higher ed, and I don't want to single that out, it happens in other industries too, like high-tech, access is granted based on more informal requests. What we're seeing in more structured settings is industries moving to a very scrubbed user access request management process. Unfortunately, I haven't seen a lot of that happening in universities, and that's a key source of security risks at universities, because obviously, everybody wants all access. One CFO at a higher ed institution told me once, we are all about open minds, everything is open here, so we gladly give people whatever they ask for. And my answer was, yeah, that's great when you're doing research. And that's a great part of your culture. But when it comes to giving out the keys to the kingdom, you have to put some security around it, even if you're an open-minded higher ed, and that's part of your mission. So, provisioning users is a big problem; people get more access than they need, and sometimes they need it only for a day, but they've been given access that never gets taken away. And that is the single biggest source of insider threats I've seen, because that's what your external actors are looking at as well, to come in and find those keys to the kingdom through a dormant account that somebody had access to a year ago, but they have left and the access is still dangling out there. And what I find is employee records don't always match the user records.
Now, there's a gap. You have more access and users and fewer employees. So, that creates a risk, and that's an opportunity for bad actors to come in and hijack those accounts.
Continuous monitoring is important because that moves you from that reactive world to a proactive world. So, what does that mean to you in terms of business drivers? So, let's say you leave your car open, door open, you don't lock it, there is a higher risk that somebody will come in and break in and walk out with your car radio or whatever that is. But if you lock it, it's secure. So, same thing. Continuous monitoring prevents that from happening because we're monitoring that no duplicate invoice payments are going out. We're monitoring that the three-way match is happening. We're monitoring that supplier bank accounts aren't changing. We're essentially preventing it, it's like a lock, because we're preventing somebody from coming in and taking advantage of your system, whether it's an insider or an outsider threat. And so, as the risk goes down, you put a value on that. So, let's say you lose 2%, which is typical in certain industries, of your top line to risk every year. And if continuous monitoring can reduce that by 1% of your intake, what does that mean? So in many universities that I worked with, it's multi-million dollar savings, if you sit down and review your losses each year to risk. So continuous monitoring is a great driver, so take a look at these drivers. You may have your specific ones as well, and please reach out to us, and we'll help you put together a business justification for putting in a framework and then automating that framework of internal controls.
Jeff - I can back you up on this as well. About a third of the time, we're going into customers post-implementation and reviewing what's in place. And almost every time we do that, we do find roles or responsibilities set up with fraud responsibilities across the application. And it could be that they set it up that way for implementation, to facilitate being able to do the implementation, but they never go away. And not only does that increase their fraud risk, it can also increase the cost of their licensing for the software itself. Because basically, they're paying for each of those roles, and by examining that and doing more of a best practice around roles and responsibilities, they can save both license cost as well as reduce the risk.
Adil - Absolutely, great, great example. So, let's talk a bit about what we can do to prevent this. So, monitoring is one example. So, you start with policies; we're going to focus today around access governance. So, in the case of access governance, you have to have really good policies on what segregation of duties is, and what high-risk privileges are. As Jeff said, he found that many universities still have it. So, by starting with policies and a good plan, the good news is that most of you have it in higher ed, which is great. The mature institutions that I worked with have policies, you can imagine. It's the challenge that policies have, and what I've seen is that they're not detailed enough. The policy may say, “We don't want people to create suppliers and pay suppliers.” That's a great policy. Of course, we don't, nobody wants that. And that's the policy you've written out somewhere. The challenge when you get into these complex ERP systems, especially some of the legacy systems where Jeff and his company can help you move forward, these systems were built, many of them, in the eighties. You may still be using them because they've been working fine. But what's happening now is that, as the cyber threats are growing, and as these bad actors are coming in, targeting higher ed to take advantage of their funds, insider threats that are increasing, compliance is becoming a bigger challenge. Those policies aren't effective, they're just written-up policies. But your business is happening in Oracle, the business is happening in SAP. How are you controlling that? So now you've gotta have real good expertise in building those roles, rebuilding them. I've seen customers spend millions of dollars in redoing this.
It's almost cheaper to go to a new ERP system than rebuild it. And that may be a case that Jeff can talk to you more about. But what we find is those policies have to be done at the granular level. They have to be done, if you're using a PeopleSoft system, at the permissions and privileges on pages - that level, because you even know that in PeopleSoft you can change that. Same thing if you're using Workday or if you're using Oracle, you have to go down to that level. So you have to have the skill sets, you have to go through it, and not to mention the impact on your business, because now you're gonna tell a bunch of department heads, Hey, you can't approve the grants anymore on these projects where we're upgrading what you can do in your accounting system or your procurement system. So, it becomes challenging and that's why policies have to be revised. The other thing I noticed is sometimes there are too many policies. So, all the risk is not the same. One thing any risk professional tells you is take an approach based on likelihood, impact and other parameters, and rate your risk. Don't just consider every risk: if there's $100 in my petty cash and I'm spending one thousand dollars protecting it, I'm not really doing my university any favors. So you have to think about policies, which ones to select, which ones to automate. And that's where policy access lifecycle management becomes really important, because it has to be part of the entire lifecycle of your identity management solution. So you're using Azure or Okta or all the other identity systems, you're granting access into your assets, your information assets, through these, but policies are not applied. So I can come into a university as a contractor and say, “hey, I need access to the general ledger, I need access to payables, procurement,” and I get it all because I have a very efficient IAM system.
But nobody checks my policies because they're hard to eyeball in systems like Campus Solutions and Cash Edge and PeopleSoft - three different systems, how do I eyeball that? It's not humanly possible. Each of those systems has thousands of entry points. So people just, just grant access. That creates a big problem, because more access is given when people think they're entitled, right, their inherent right to do that. And pretty soon you find out that that's what created the problem of how somebody was able to buy laptops at Yale and sell them on the open market, because she had too much access. So, that's where policy prevents those kinds of news in the media.
Then periodic access reviews. So, first of all, you prevent it. So you don't give people too much access. Give them the access they need. But as we know, sometimes during implementation, people get more access and we think it'll go away. But let's say it didn't go away, which is, by the way, always the case, as Jeff just mentioned as well. So now you've got to do this review on a periodic basis. We recommend at least quarterly. Most colleges and universities I talk to do it maybe semi-annually or annually, which is not enough. I think quarterly gives you enough time because it likely ties with your quarter ends. So do that review and you'll find, I assure you, you will find things like you're paying more for licenses, to pick on Jeff's point. You're also giving people access they shouldn't have. And the review process is not that simple, so you think that I'm just going to download my user listing and roles and send a spreadsheet to each of the department heads - not going to happen. Because guess what has happened in the last 10 years? You don't just have one system. You don't have a mainframe, you don't have just one ERP. People are logging into all kinds of systems that have bits of information that's all integrated to make your organization work, to make your higher ed institution work. So you have a Cash Edge posting journal entries about what student cash is coming in. You have a grant system that's posting journal entries into GL. There are interfaces coming in and you have a procurement system, maybe Coupa or some other procurement system that's a bolt-on. You have an HR system that has payroll information. So now, and then you have a provisioning system. So people are using ServiceNow. So, let's say you have a catalog of roles, but they're matching those roles that you have, which are actually abstract roles that people don't know what privileges are tied to.
So, now you have to go down to the privilege level, and that's months and months of effort, and that's why it's not happening and it's creating continued exposure and risk for the company.
The last point I would make is privileged access management. This is your support staff, your tech experts, and your super users, as we used to call them back in the day, that are trusted and given waivers to do more things than an average user.
So, they go in the back of the application and change the setup, they can change the approval hierarchy on purchase order approvals, because the University decided that every department head can now approve up to a million instead of half a million. So, these are the people that can do that, but, then, when they're in there, they could also change their own approval hierarchy - you don't know that. So, being able to monitor activities that your IT folks, your support staff, basically people with privileged access, can perform, you have to track that, and that's a common problem. That gets caught in audits, and usually results in a major effort. And then tracing everything back, looking back, what happened, what did this person do? It just takes a lot of your time away, doing remediation and mitigation that you can prevent through, through risk management.
So, those are the four points that I've made here, on where you can move forward immediately, once you implement a controls framework, and automate it. I could pick like 1 or 2 since I've talked a lot about segregation of duties. Maybe we can do this one and then move to the case study.
Emma - OK.
Adil - So, where do you start? If you're thinking, OK, I think I can get a business case, and I'm ready to consider something like that, what does it cost? And timeline, will I have resources? Where do we even start? So, it's, it's a pretty straightforward journey. And we won't have time to cover all of them, as Emma indicated. But let me just walk you through the first one of the swim lanes. The first thing, let's say, you're worried about is your current policies being automated. And so the first thing you want to do is pick the policies. So again, you don't have to boil the ocean and pick all thousand policies, start with maybe a handful that are really important to you. High risk, we call it in the business. So let's say your top 25 policies may be around your procure-to-pay cycle, which is where all the exposure is right now at higher ed. Maybe it's record to report, maybe it's a grants process, maybe it's Campus Solutions, some of those policies would be more important to you. So pick those handful of policies and then connect it to the cloud.
Let's say you're using Cloud ERP, or SafePaaS can collect your on-premise if you're using PeopleSoft on premise, you connect to that, SAP or whatever. And so you connect those systems together. That's what your IS security would do. Your audit and compliance folks will pick out the policy. So that's your first swim lane - takes about a week or two to agree on that, depending, of course, on size and your decision making and all that. So pretty quickly, you're ready to go. And then you run the analysis against your data sources, and let's say you're working with Jeff and his company, and they've just implemented, or just signed to implement, a cloud ERP.
So, we could work with cloud ERP, as an example, and, and pull in the current configurations of the security model and apply our policies against that to produce an analysis of results or findings through an automated process.
So, it will go through, traverse through the roles, responsibilities, inherited roles and privileges, data security, all of those components of a security model, and we have all the security models on our website again, so I won't go through those here. It'll go and analyze and produce results, and what you'll find is there are tens of thousands, and people roll their eyes the first time they hear it. It's like, why is that? Well, it's because each user has multiple roles. Let's say that each user has five roles, five roles have 5 violations of policies, and five rules are violated. And there are five privileges that are violated, so you multiply, and let's say you have 500 users in the system, you're going to end up with, I did the math the other day, 62,000 or more issues. So now, you've got a lot of analysis to do and you need a system to do that. Your BI systems are not built for that, because they're built for reporting, not finding exceptions, because you have false positives. You have compensating controls. You have mitigation etc. And I won't have time to go into that, but all of that is part of the analysis. Then, you are left with something called corrective action, and that's how you go in and work with Jeff and his team to fix the roles in cloud ERP or whatever your ERP system is, and deploy those in the ERP system. And that's where Mastek, we work with these guys to really make sure that your systems are solid and secure by providing the input from SafePaaS into those corrective actions, and then managed services and other things that Jeff's company does. They can help you manage and maintain this moving forward, as well. So when Oracle sends their quarterly patches, or if you're applying your on-premise, still, you're doing your patching. All of that requires review, and that's where partners that have a lot of experience in this area can offer a lot of benefits to you.
Jeff, would you like to add anything?
Jeff - Well, I think what's really attractive about the process that you're describing is to compare it to the alternative. So I have been involved where we've done that kind of remediation without this type of tool. So now you're back to the world's favorite tool, Excel, the tables and filters. So, you can imagine, if you've got the 62,000 examples within your list, that is a very, very time-consuming approach.
Adil - Exactly, that's, that's where these things get bogged down, and quite frankly fail in many cases.
Emma - OK, I'm going to skip over the next few flows, so we can go into the case study.
And obviously if anyone wants a copy of the deck, then reach out to me and we can send some explanations over with those. So, let's go through the case study.
Adil - This is an example of an organization, a Higher Ed institution that I worked with on the West Coast. It's a leading research and teaching university that is ranked among the top in the world, and I really had the honor of assisting them with their controls. Folks, with a lot of the open-mind example that I was using, you already covered these pain points that apply to a lot of our higher ed customers. Similarly, in this case, we found that most of the internal controls were manual. And some controls are good to be manual; I'm not in favor of automating everything, by the way. The tone at the top is not going to be an automated control in my lifetime, anyways, until robots replace everybody! So, there are some manual controls, but there are controls that are just very difficult to do manually. Like segregation of duties, it's not an easy control to eyeball. You can't feel that, you have to really analyze the data. Whereas tone at the top, you can feel it. So, we looked at the controls framework, we looked at where they had weaknesses, we found that segregation of duties in general and sensitive access, and some of the other interfaces and so forth, were the challenge. There, they take all kinds of cash from students, a cash management system, how it integrates into their accounting system. So, an interface fails, IT has privileged access. They go in and fix things, but it makes the auditors very nervous, not to mention the CFO, that what else was changed when somebody fixes that Cash Edge interface. So, we looked at that, that was a huge challenge for them, and tracking changes, when setups changed. So not only interfaces failing, but universities are pretty dynamic organizations. They get new grants. It's very exciting. They get donations from the big alumni. So all of that creates change in how to set up a new project, let's say, to perform something that's endowed through the Grants System.
So being able to go and look at supplier setups, bank account setups, approval hierarchy, all of those setups are really important to that. And that was literally not happening. They were taking screenshots, best efforts. So being able to look at all these changes that are impacting their process and the control activities, the framework that I talked about, and were creating big risks, and this was getting louder and louder. Funds and grants, data, those kinds of transitions are hard to monitor. So the solution we came up with was, to describe part of what I've described here today, the ability to set up an automated approach to identify risks in their ERP systems and their higher ed systems that were managing student cash inflows, grants, other endowment items. And then also, how that money was spent through projects, project billing, project costing. And so our big success, and what my customer told us, is that they were able to apply some of these techniques that I've shared today with you to become more proactive. And there's a lot of value in being proactive. All my life, there's value, but in business it's very important to stay out of the bad news in the media cycles. So that's the benefit. Not to mention all the savings and ROI and all the other details they're able to detect. They can do periodic reviews a lot faster. It's all automated. They can go and look at users' access, not at the abstract role level but down to the attribute level. So, coalescing that, cross-linking across the provisioning system, their IAM system, their applications, which are multiple in higher ed, you don't just run your business on an ERP system - you have a lot of other apps, so being able to get all those certifications timely and accurately. Identifying risks in the cash entry system, correcting over- or underpayments; changes to configurations are now workflows.
So as soon as the changes occur, they're routed to the department lead, department head, to verify that that's what they requested. You can also tie to the ticketing system. We integrate with ServiceNow and all the major ticketing systems. So whoever, out of your ticketing system, requested that change matches with the information in SafePaaS that tracks the change.
But now that reconciliation time has gone down quite a bit. And then the typical errors that were happening. Because universities also have this nature where they hire a lot of temporary workers, students and so forth. So, training is always a challenge, especially when you get to complex ERP systems, that are not readily available out there. So errors, misuse, fraud, all those risks went down by a significant number. If you want to learn more about it, call us, and we can share some details to help you build your plan.
Then compliance with the big donors and the state, and the federal for the grant counts and so forth, we're able to help them build more confidence with their sources of grants and so forth, so that their due diligence process became easier for them. So, those are the big success items. There are a lot of small things, like the availability of resources to do more productive stuff. You're not wasting as much time on audits, and audit fatigue goes down.
Jeff - Yeah, Adil, this case study is a great example, because it's a large, complex organization. And they have large sums of money coming into a number of different systems into the University. So, you've got that information. In that environment also, a lot of these different colleges that are part of the university, in and among themselves, are very powerful. So there's not a great tendency to want to necessarily share from college to college, department to department. So a solution like this can really kind of break down some of those barriers and put in place those safeguards that otherwise would be hard to do.
Adil - Absolutely.
Emma - We are at the top of the hour, but I will ask just one quick question and the others we can answer through e-mail. So, I think we touched on this a little bit earlier, but, so, what can we do today to be more proactive? Like, now, what can we do now to be more proactive?
Adil - Yeah, I mean, from a SafePaaS perspective, I mean, it starts basically by thinking about your framework. So, how are you doing your risk assessment? How are you doing your control activities? And, I think if you just even create a simple checklist of those key control environment elements, and see how you are doing it today. And if you are reactive and you come to that conclusion, what you can do is plan it out. Planning is the best way to become proactive. So, put together a team plan, look at some tools, I mean SafePaaS is not the only tool, you can start with spreadsheets, we don't mind. But talk to folks like Jeff, these companies have great experience in transforming organizations through their methodology. And we can certainly support Jeff in areas where they're doing that type of work.
Jeff - Yeah. I was going to say kind of the same thing - the starting point. In addition to the planning Adil talked about, we could start with an assessment. We have tools to be able to examine your existing systems, and to see how they are set up, and take that information and use that to help inform a best practice approach.
Adil - It's a great start.
Emma - OK, well, I think we'll leave it there today, and it's been a fantastic session. A huge thank you to you, Jeff, for joining us today. A big thank you to you Adil as always, and a big thank you to our audience for taking time out of your busy schedules to join us.