The importance of ERP Controls

ERP Controls
ERP Controls

“Never in my career have I seen such a complete failure of corporate controls and such a complete absence of trustworthy financial information as occurred here. From compromised systems integrity and faulty regulatory oversight abroad, to the concentration of control in the hands of a very small group of inexperienced, unsophisticated and potentially compromised individuals, this situation is unprecedented.” the new CEO of FTX, John Ray.

The recent FTX scandal has, among other things, also highlighted the need for effective IT general controls. ITCGs are hugely important, not only for effective financial reporting, and compliance but also for cybersecurity programs. However, there is a lack of understanding of how ITCGs are supposed to work, what role they play, and why you need them.

This thought leadership discussion will address the complexity of controls and why organizations fail if they have the best auditors, best management and best systems. We'll be discussing:

FTX - the exception

The misalignment between approaching risk management holistically and systems.

Why organizations struggle to understand the why of controls

Embedding controls into systems

How organizations can put better controls into systems

Why controls are critical for start-ups and pre-IPO

Join Deepak Iyer and Adil Khan, founder of SafePaaS, as they discuss why ERP controls are critical not only for effective compliance and security but success. 


Emma: Good afternoon, everybody. And welcome to today's session, ERP Controls. What Are They and Why They Matter. For those of you who don't know me, my name's Emma, and I'm here on the marketing team, at SafePaaS, and I'm delighted to be joined by risk and controls expert Deepak Iyer and SafePaaS CEO Adil Khan.

So, in the light of the FTX story and the general lack of understanding around the complexity of controls, I invited thought leaders Deepak and Adil to share their insight and real-life experiences and discuss with you today why controls matter.

But more importantly, we wanted to discuss why organizations are failing.

So, you know, if companies are audited by the best audit firms in the world, why are they failing? If they're using best-of-breed systems why are they failing?

So, Deepak has worked with some of the world's largest organizations, including TMF Group, Tesco and Ocado assisting them and helping them understand the importance of risk and controls. So, Deepak, can you tell us why have you decided to focus on risk and controls for the past 15 plus years or so?

Deepak: Sure. Thank you for inviting me to this session. So, my background, overall 22 years of experience. After 15 years of working in different facets of accounting, including shared services, transformation, audit and investigation I decided, I realized that, prevention is better than cure. And then I was doing roles, in audit. Often, it becomes quite tricky to actually go and put preventive controls in place.

Or because of the independent nature of the audit function, there is less opportunity for us to actually go and work on the ground and make things better. So, I kind of distanced myself from the third line, which is the internal audit, and started focusing on the second line, which is internal audit. Sorry, which is risk management, and that's essentially been my area of specialization. So, I help companies identify risks and manage risks, both in the enterprise risk world, right, as well as the financial controls.

World, and in the broader context of what I do, financial information is often held within IT databases, and therefore apart that database and the security around the database and access becomes included in what I do. So that's broadly my kind of expertise and experience.

Emma: Excellent. Adil? You founded SafePaaS after the collapse of Enron. Is that right?

Yeah, so, you know, being in Texas, there was a company in Texas that collapsed, and, you know, we had some friends and family that were impacted. That was 20 years ago, right, more than 20 years ago now, President Bush signed the law here in US. Sarbanes Oxley law, as we call it, back in 2002. So yeah. Gosh, 20 years have gone by, and it's terrible to see that in 20 years with all the all the, you know audit improvements that we brought into the market through the SEC Securities and Exchange Commission in the US.

And all their regulatory improvements that have been made, auditors that have been no reform to audit differently to a higher standard what we call the COSO framework that companies are still failing. So, I think this FTX really hit close to home because you know, it's a start-up organization in an environment that is difficult for many to understand. I know it's hard for me to understand how they operate and so it kind of prompted us to think about, you know, what can we do better moving forward. As you always learn, from mistakes and lessons, not just our own, but others, too.

So, this certainly created another inflection point and our drive towards our mission to help companies reduce risk and improve their businesses. And so, we have some exciting information to share with you today, you know, that might help people.

Because as I was telling you guys, I mean, most people that get on these calls with us, and want to hear about controls, are folks that already believe in controls. Right? So, I think the topic today around complexity is where the challenge I see from our customers. Our customers tend to have really good intentions to implement good controls, but, you know, time to time, they have findings. Sometimes they even have penalties and some rare cases they have disclosure issues, which can create market cap, losses and so forth. So that's what our mission started 20 years ago as a consulting firm, and over the last five years as a product company, it has kind of led to really focusing in this space.

Emma: Great. So, let's start off by discussing FTX. And in this case, our audience here today should realize that what happened at FTX is an exception, right, Deepak?

Deepak: Yes, I think this is an exceptional situation. I don't think the crypto market is yet regulated the same way as banks or financial institutions are regulated. I think part of the issue that's coming up with FTX is they have kind of, you know, support, some of the Congress party's some of the political parties in US to keep some of the regulation at bay. So basically, it's not being regulated the same way as other companies.

And, therefore, there is not much of an insight into how, in terms of expectations and standards that such organizations need to have and maintain.

So, I think, looking at it, I think they have used fairly off the shelf products. Very, you know, QuickBooks and Slack for recording transactions, from what I can see and read. They are not the right kind of tools to go to for such a big organization that's dealing with billions in terms of the value of transactions. So, yeah, I think it's a one-off, and, I think it's, it's one of those things that has happened while we waited for the regulation to come in. And people who are investing in crypto and markets, which are unregulated yet, do unfortunately, take the risk of, you know, it's a big risk, big profit, if not big loss, and that's essentially the nature of the game. It's very different to banks, or financial institutions or any other forms of investment, which have far more regulation. And, like what Adil was saying, there's a lot of SOX and various other regulations and assurance activities around, that gives investors the confidence, that, you know, these companies have the necessary policy frameworks in place to report the right numbers. And for the capital to be deployed safely, and so, that it tends to be generated. Well, I think this is a one-off I guess, and it's applicable for all those organizations here. Then, it's unregulated, and crypto I think is one of them.

Emma: Going to share any additional insight there, any thoughts?

Adil: I concur with Deepak, right? So, I think most people that are listening to our webcast will recognize that, I mean, I think the only place I would add a little bit is that, you know,  I don't want us to sit back and feel comfortable that the systems, that companies  deploy systems that are often audited are significantly better because my experience has been that you know, even with the best of the systems on the market today, controls, especially ERP control, where I spend, most of my time, still a challenge. So, in this case, Deepak, I completely agree with you that, you know, the risk is unmitigated essentially in this business model right now, there is lack of regulation, as you said, but also the folks, the type of investor profile that is willing to play the money is taking risks that's beyond the tolerance level of most of our, you know, typical customers, I would say, right. And I think it's been many, many failures just based on that market. But I think what we really want to use, this opportunity is to farm up our approach and our beliefs in good controls. And, and I think system controls are challenging even with the best of systems. And we'll talk a little bit about that later in the session.

Deepak: Yup. And I think just to add to that, in terms, of course, we have talked about regulation not being applicable.

Adil: Go ahead, Deepak.

Deepak: OK, now I was just adding to, what I did was saying, I think, keeping the regulation of site. If you look at a company of a certain value, the choice of tools that they have made. And the nature of you know, the transaction and how they were recorded what we're reading, which clearly shows the huge lack of governance at the top. And it’s almost like it's been set up to fail. And the intent, management intent, which is very important. That is kind of being reflected. We still don't know the details of the case. We need to wait for whatever has come out in public. It shows that there wasn't an intent at all, in the first place to, to basically do this in a proper manner.

And that's reflected, and that is why it's an extremely one-off case, and I think what we are talking about, is companies which invest a lot of time in choosing the right tools.

Also, unfortunately, at times, go and implement them, or don't prepare enough to implement them properly. And that is a bit of a concern, I think, that is where there is a huge opportunity, and that's where I feel a majority of organizations fall.

So, that's, that's all I wanted to add.

Emma: So why in your opinion do you think there's such a big misalignment in approaching risk management holistically? And so, you know, what about the role of systems? Where do they come into play? And, you know, why do you think that organizations are struggling to understand the why of controls?

Deepak: Good question Emma. I think the name risk management itself, I personally am not a fan of the name risk management, because it means many things to many people, and also denotes a kind of a negative view of somebody being a bottleneck.

Somebody who prevents a specific activity from happening that's kind of the niche, it could be risk and opportunity. There could be different ways in which we can call it. So, risk management means different things to different people number one. Second is, risk management also means enterprise risk, which is all about strategic risks that company faces, and how do you write that up? How do you present that? How do you challenge the board, and how do you prepare the board to meet those challenges and how is that finally disclosed in the Annual statements? So that's a specific piece of work that's called under the Enterprise Risk Management category. Then you have your financial controls and risks that come, that's for financial reporting, which comes

essentially, it's on the audit world and the SOX world where you're talking about, you know, making sure that the transactions are recorded well, they are accurate, and they are disclosed in the right manner.

There is a huge influx of various auditing standards that keep that are applicable there. So that's one, and then you have now, the information security aspects of it, which also used as similar wording, such as risk controls. So, the words risks and controls mean different things to different people number one. Second, is there is a lot more focus on controls. While there are so many people who tend to focus on, the computer says this is happening. They say they put in a control and then people are expected to follow the control, but people are not told what the risk is, if they don't go ahead and implement the control. So, the lack of appreciation of what the risk is, a control is a response to a risk.

And a lot of times, people go in and the way it's put into various processes and systems is these are a set of rules that you have to do. But people are not often told why this has to be done. So, the way in which the subject is taken to the people at different levels of the organization, is also a big challenge. So, this is the second point.

And the third one, which is very important, which I've seen as an emerging risk in the last 5 or 6 years, it's been consistently, I'm observing this is, sometimes, I feel the IT general controls seems to be falling in no man's land, to a certain extent because the CISO and Chief Technology Officer, they work on specific databases, and certain infrastructure requirements, and then you have the financial people who talk about the controls within the processes, etcetera. And there is this small area, which is controls within a specific application. And who can access a specific application. Those specific aspects do not have an owner, they end up as a residual activity, and then they seek ownership in many transformation programs that I've seen sometimes, it's the own, the beneficiaries of the data sets. For example, if you have a database that Oracle fusion, for example, if you have fusion, and it holds all the financial data in it, now the question is: who can access this database? What is the security within the database? Those are things that the transformation program initially needs to understand. They need to get information security involved, and the right people have to be involved. And it requires people from security, finance, or internal audit, sometimes for guidance. And it also needs risk and controls. All these four people to come in, along with the technology experts who are configuring the various systems to make sure that the right setup is done. And that most often, does not happen, because they take the software.

You go and implement it, and then you realize, oh, probably, there are so many aspects that have not been taken into account. And that is why I said, sometimes it feels in a no man's land, no man's land, because we wait for a specific transformation program to complete to get completed. And then there is a question on, OK, so who's going to own the security aspects of this specific application that we have implemented? Is it going to be information security? Or is it going to be risk and controls? Is it going to sit within finance, etcetera? I think that's the third reason, Lack of a clear understanding at the top and responsibilities as a part of the transformation program. Those are the three reasons why I think there is a lot of confusion in the area of risk and controls.

Adil: I agree with those points. I just want to bring maybe, I'll just add to those few examples of what I've seen, in my travels, with 200 customers, enterprise customers. I was just going to add a few examples of where companies can maybe pick up on what we have learned in the market on how to improve that risk management, to control alignment.

So, the first thing, in my mind, what I see is most of our large portion of our customers don't have a very formal, integrated enterprise risk assessment process. So, risk assessment is the process where you actually rate your risk based on likelihood, and other factors, some cases velocity, and there's a whole, you know, books and books written on that, and not everybody has the time or has a responsibility to learn that. But what it does, it basically, I'll give you a practical example. It tells you that you're not going to spend a thousand dollars to put a control in that protects $100 or petty cash. And we call that a risk based approach. to controls, right? So, to pick on Deepak’s point, that's what's lacking. I think that's what creates the beginning of the misalignment, because we don't have good risk assessment processes in place at most organizations, and it's tough to do, right? Because you've got the strategic folks at the top of the organizations that are focused on macro risks, about liquidity and market conditions, inflation, recession, all those kinds of things.

And then you've got department level folks, business line folks that are about customer retention and product liabilities, and, you know, cash flow management and those kinds of operational issues, right? So, the alignment there breaks down in many cases and I think there are systems out there that can help you ensure that alignment does not break down. And when that breaks down, what happens is what example that you're picking up on what Deepak said is that people start or continue to perform controls without understanding why that control is important, and what happens if that control fails, you know, what are the mitigations?

So, when a control fails, many times it can be catastrophic because even though someone at the top understands the secondary control, let's say the process owner or the compensating control –that level of maturity is not in many organizations. And it’s not the fault of the people that are operating the control. This is not their day job, they're not controls experts. I worked with some of the, for example, top universities where I've met some of the smartest people that are solving, you know, cure to cancer and all the biggest world's problems, and they pull their hair out. Saying: We don't understand why we're failing our audit because we believe we have the best controls. We are smart people, we know what a control is.

A lot of time is the challenge is that what the control somebody designed in a corner office, based on a risk assessment that was done someplace else, is not aligned with the operating effectiveness of the control the auditor is testing using the samples. So, the answer is that the reactive approach to controls, which is what I just described, or the informal approach, where people think they know controls. And they think they know risk is just not working for most businesses, they're fatigued with audit with audit findings. And it's time really for companies to consider that a more integrated approach to risk management. Which what it means to us is that these different activities, like enterprise risk management, risk assessment, control design, and operational control and then testing of the control, they all need to be integrated. Now, it's easier said than done, because organizations have many systems. Many, especially the enterprise customers, we focus on, many locations they operate in. So, it’s not everybody, you know, having a kumbaya moment in a single office and saying, yeah, we'll follow this, it's a continuous improvement process. What we have found is, the answer is to embed the controls in your systems, because once you can understand the control and design it and align it with your risk, you can embed that in a control. So, it becomes a habit.

It's not an afterthought, it’s not something you do at the year-end for the auditors. It's just the way you do your business. And that's what we're here to talk about.

Deepak: But, just to give one more example there. Just to add to what Adil was saying. That he talked about embedding. I think that's a root cause, if you give that example, I think the problem becomes a lot clearer. Suppose if they are implementing an ERP system, and there is a purchase order that needs to be raised and there is a certain limit, say, for example, up to £10,000, somebody can approve, and then beyond that, it goes to somebody else, person B, for approval. And then beyond that, it's person C who needs to approve if these controls. These controls, ideally, have to be embedded within the system. If this is not implemented properly, then what happens is then there is a workaround that starts that you need to put in saying, get a pre-approval from the person who is authorized to make that approval, And that is by e-mail. Attach the e-mail to the PO and then you submit the button, so it's almost, you are reverse engineering, what the system can do it, it's been configured badly, and the controls have not been embedded.

Therefore, you are creating a workaround of asking somebody to take an email approval by, then attaching that approval to this system and then going ahead with the purchase order submission.

Now, this is a classic example of when it is not properly implement and controls are not properly implemented, it creates a range of workarounds. And the workarounds are the first things that they get picked up after transformation is done. And then it creates work. A lot of work, because once it's designed, and implemented, and people have been trained, it is very difficult to go back and update it. It's very costly, time consuming, and there is also this fatigue. People who don't want to do that same training again. So, it creates a lot of fatigue as well.

And that is a classic example of why it is important to consider controls and risk management before we started during, and before the Blueprint phase in transformation project, and why you need that knowledge to come from program managers. Sometimes CTO, CFOs, that question needs to be asked.  Do you have the right people in your program involved in your program of transformation? So, that is why it's a joined up, integrated activity to make sure that you have all the right people working, you know, doing their roles well, so that the project is delivered to a good design and on time.

And I think that's essentially, where the internal controls kind of fails in many transformation programs.

Emma: And that's obviously easier said than done, though. So, how can they achieve that?

Deepak: I think it's a collective exercise. I think, based on my own experience, the times that we have been, I've been brought in three times out of three out of five times, I've been asked to come in and support once the transformation was over. But, the good news is, once they realized it, subsequent transformation programs within the same big organization, meant they included me in the beginning. So, they realized what they had done. And then from the subsequent programs, they included me. But I'd like to us one specific client. However, and I look at a number of clients. Like I said, three out of five clients tend to do this as an afterthought to have either implemented Dynamics or Fusion or SAP. And then they say, OK, now, can we have risk and controls embedded to basically the, you know, into the system? And that's, that's where the problem is.

It's more about awareness, more about education, and making sure that people at the board level understand. And, we need the external audit profession to play a larger role in explaining that to the program, you know, did the board and the program management teams. So that's one of the causes I'm trying to champion using LinkedIn and as many forums as I can to demystify this and explain to them that we need to design that properly.

Emma: Yeah, would you add anything there Adil?

Adil: I think that is the reality. You know, companies get budgets approved from the board to go and transform, you know, digital transformation is the big topic today for most boards and executives. So, there's a, we're in the middle of this digital transformation era. And so, when these systems are being put in, whether companies move to the cloud, their IT infrastructure their applications, or whatever that is. As Deepak said, you know, the idea of controls somehow gets left behind because people think that, you know, they can retrofit the controls in the system and there's a lot of pressure to get the project done on time. And unfortunately, controls are the first things that get overlooked or pushed out and companies pay a heavy price because without controls their processes are failing, right? Either they have bottlenecks, you can also have too many controls, right? You have bottlenecks you can create where we have seen customers but people are sitting there twiddling their thumbs, they cannot get onboarded for two weeks because the have just issues with too many controls than the controls from the CIOs, organization, CISOs organization, versus the audit organization versus whatever, those systems are, departmental controls. So, you're over fatigued overburdened with control. Thus, slowing down your business. On the other hand, more common, some places you're missing controls. You know, you're not tracking changes that are happening in your ERP system after, right after go live. That's a common one that I'm seeing a lot, especially in the cloud customers. Where you still need, you know, support or hyper care from your supplier, that helped you implement the software and they're still in there holding her hand because offers to complex, taking longer than you expected. Certain processes are not quite streamlined as you had hoped. And so, you've got people that shouldn't be entering suppliers and paying suppliers and thanks for “helping out” But that's creating audit findings left, right and center, right. So, I think that, obviously, you know, we live in an ideal world, and sometimes in this side of the aisle, in ideal world, you know, we would want everybody to design the controls when they design the process. That alignment, we cannot expect our customers to always abide by because of reality of the business. We understand that. But I think having, for us, having partners like Deepak and others, that can roll up the sleeves. If you call us early. on, you know, during the system's implementation or discussions. You know, we can, we can bring in folks like Deepak to the table that have really done this work for many organizations. And really can help you get the ball started. Even if you're, you already know, you're already middle of the project, we can still help you save a significant amount of headache, not to mention cost and embarrassment with audit and your executives, by, accelerating design workshops and embedding control workshops into the process workshops of your migration deployment, maintenance of your software.

Deepak: And if this is implemented, it reduces a lot of headache. It reduces a lot of audit as well, internally, that comes up. And it also reduces the number of substantive audits that your external auditor will need to do. Otherwise, they will start looking at, you know, checking a number of transactions. if they are not able to place reliance on the design of the control. Then they had no option, but to look like a huge number of transactions to kind of go through to get that kind of comfort level, saying, yep, you are happy with the way the control is working, so this reduces a long-term cost for the organization. That's why that is the reason why I moved from audit into risk management is a stitch in time. This genuinely saves a lot of headache and cost for companies in the long run.

Emma: and we've talked about, you know, software vendors, Oracle, SAP, so what about the software vendors?

Adil: Maybe I can take that one because I've spent a lot of time on software. Deepak,

I'd love to hear your perspective as well from a risk management perspective. But look, I've been in the software industry, most of my life, like many of my colleagues here at SafePaaS, many of us worked at Oracle, for example. So, I'll pick on Oracle, which I'm comfortable with. And, you know, Oracle is a great company, and we love the software they have out there. I used it, implemented it, but I think the challenge is that this software started the ERP idea started back in the seventies, I think, with that SAP saying that coming to market and saying, look, if you could just put all of these processes into one big software so that your procure to pay cycle aligns as a manufacturing company that's where SAP started. So, your procure to pay cycle, aligns with the order to cash cycle, and that it links into your financial record to report cycle.

You will solve a lot of your bottlenecks, and that was an excellent idea, right? And the whole world has believed in it. And companies now, like Workday and Salesforce, and many others have come to the market and really, you know, build some great software that integrates your entire business. But having said that, you know, these softwares weren't designed by control experts, right? So, the control has always been an afterthought, not only among how it's implemented by the companies, but also how the vendors supply the software. I'll pick a very simple example.

You can pick any software not. You don't have to pick on Oracle pick any software for your business. It's not going to come with roles and privileges that align with the policies of your organization. I can assure you, every software that's out there has roles that you can grant out of the box to your purchasing department, where they can create suppliers, pay suppliers, create invoices, pay invoices, and maybe even post journal entries, right? Deeapk is probably cringing when I say that. Because that's what auditors would do, right, and risk managers would do, because they just can't believe software does that. I've actually had discussions with some novice buyers of enterprise software where they just didn't even think about that. They can't even fathom that, millions of dollars they're spending on buying the software, and then millions of dollars implementing software would have some basic flaws like that. So unfortunately, that's the way software was built and we have been doing rinse and repeat since last 50 years to implement that same software. It does produce great results. Don't get me wrong. In terms of the objective that it was built for, back in the seventies, it connects all your departments. But, guess what, it does, also, it gives you ability to screw up faster too because it has no controls.

So, that's where SafePaaS, kind of, we woke up and said, OK, well, what do we do to solve this problem, you know, for many years, traveling the world, we're scratching our heads at the companies are adopting these best software in the world. They're hiring the best auditors, they have the best management. They have the best intentions. Why are they failing?

I'll give you an example of a customer on the east coast of US, that has lost over a billion dollars in market cap overnight. There are many of them that you would know as you're as well. So, I'm not picking an extreme example. This happens every day.

And the reason that happened is because they had an interface from one other systems that failed and that used to fail often. And so, what they had done was enable their support staff to go in and manually enter those entries. Guess what? The interface? Well with journal entries coming from another system that's a very typical example of an interface. So, you buy a big software that does, you know, all your back office and then you have front office software that is different because you have a special business model. And that feeds into your journal entries on a monthly, weekly, daily, nightly basis depending on size of your business and the transactions that are happening well, because they were going in there and manually entering those journal entries to the interface failure, they thought they were doing, Again, people working late hours, the thing they're doing, the best thing for their company.  Making, you know, the oil, well-oiled machine run. Also, the CFO can get the financial statements on time.

Their auditors, one of the Big four I won't disclose which one, refused to sign the financial statement and that they could not file their financial statements with the SEC on time, and they took over a billion dollars’ market cap, which is probably, this, is 10 years ago, so, this would be worth probably 10 X now, right? Where the market is now.

So, imagine losing that much market capitalization overnight for one simple interface failure.

Now, why does that happen? We had a good person intending to do the right thing. We had a system with, provide flexibility to send interfaces. We had reports to see interfaces, but the system does not control the interface, Right? So, when that interface fails, the auditor says, I don't know what transactions went in and did somebody back out of big liability. They're picking a big revenue number, and to close the quarter, we can't rely on your systems anymore. To Deepak’s point we will do substantive testing, which will take us three extra months because you are so complex, so you we won't sign on the financial statements for this quarterly or the annual results. So, this can be significantly damaging. I like to talk in real-world examples where I've seen these issues and what SafePaaS has done is to build a solution that governs all your systems, sits on top of it. So, these kinds of mistakes don't happen. And you don't lose billions of dollars in market cap and millions of dollars in fraud and other waste. That happens every day in organizations.

Emma: Have you seen anything like that out there, Deepak?

Deepak: Yeah, I think spot on. Adil is spot on on that. I think that, for me, that interesting point was the software. If you look at the top software's, they all provide a range of control options. A company has to choose the option that is relevant and appropriate for them. That is important on one side. So, let us look at this way. When you've got auditors, who are all trained accountants, the background generally comes from an accounting way. They know how controls work. They know what they should look like, what it should do, what it shouldn't, but they are not IT experts. Then you got engineers who designed the solutions and they have given a range of things like how a control can be configured, but they don't know what is right. What is the right level of control and they shouldn't, they only implement. Somewhere in between these two worlds there is a gap - it's not implemented properly.

So sometimes for example if somebody wants to do a bungee jumping, the control could be somebody may put a parachute on them and get them off the cliff. And that's not going to help because that's not the right control for a bungee jumping. You don't put a parachute and get somebody to experience that. So, you need to have the harness. That's the issue that we have, so you have the software, but you don't have the right, people who are, who understand what the right materiality is. What is the right level of control that we need to have while designing and deploying a specific software? And what we need out of this in terms of reporting from an audit point of view from getting us through that What is that, we need, and what is the right amount of control you need to have? So, that design element is missing and while valid for all, you know, a lot of the work I do, I have to go back into the system and just enable controls there, but, they have just, not been activated.

It looks very simple, but instead of a work around, it could be. So, it just, it happens. So often that we go sit with the technology team, that say, we want this control to be enabled. Why was this not enabled? Oh, no. Nobody told us about that. Right, and then you, when the process mapping app and then the controls are put in and that's the time, then, before it goes into a busy state, that's when you design these things.

Emma: So, going back to why I had the idea of inviting you both here to discuss controls. FTX we've said was an exemption. It was also a young company, so why, in particular, are controls critical for start-ups and even pre-IPO companies?

Adil: Yeah, I can take that. I lived in the Bay Area, spent a lot of time with start-ups, venture capital funded start-ups including one very famous one sort of invented social media and I had the opportunity to work with them in the early days when way before IPO When they were, still, you know, in the private markets, and their investors were asking them for controls and they couldn't understand what they needed controls.

So, they hired their first control expert from EBAY and I, they invited me to come and talk to them, but they had, they were using Oracle. They asked me to come and talk to them about controls, because I've written a book on those of you that don't know on Controls for Oracle. So, so I've had the opportunity to meet them and, and these people were fantastic engineers, right.  There were some of the brightest people I've met from the top schools in the world, from Academia from, you know, just overall smartness.

But they just couldn't understand why. Controls would slow them down. We were going at a million miles, an hour here. And if we break a few things that's OK. That was the vision of their CEO at the time. So, I had a hard time kind of convincing them that controls are how you run a business, you can't control your business, you can control your growth. And so that story, what that told me, I mean, that's one extreme example, but I think what I see is that there are different, but not all companies are the same, you know, some pre-IPO companies that are been in business for, you know for many decades. You know, Aramco is an example of a one of the world's largest IPO that happened out of Saudi Arabia. That company is more profitable than, I think, all the 3 or 4 top US tech companies put together, and they have excellent controls.

So, there are different ranges of companies from just a very informal company that wants to be on a fast path to go public, and then those companies that are on just very mature companies that are just considering a change in their capitalization, you know, they’re going from private to public, and that often happens. I mean, there's a company, again in Texas. You all probably heard of Dell computers, Dell technologies, you know, they've gone private, they will go public at some point.

So that's part of financial management. The board decides, and companies go through many times, and so each company is different. But I think generally about companies why they need controls. And what I tell people that need to, I guess, learn from this is that controls are basically how you run a good business.

It's not something you should think about that I'll do this only if I have to go and list on the New York Stock Exchange or London Stock Exchange. Because they all require that. It's not it's not requirement. And us, people, folks, like Deepak and myself one things, we think about, when we think about controls, is the controlled environment.

You know, how do people behave in this company, know, what are the, sort of the end, what we call entity level control or company level control? As part of that, we also pay attention to the tone at the top. You know, how does the leaders of these companies think about controls? Do they believe in the controls? And clearly, in case of FTX, since we've been talking about that, you know, the founder and the CEO did not.

So, if you have tone at the top, that is not friendly towards a control environment. The people that work for that leadership, follow what the company's culture is and what the leaders are doing. And if they're not following controls or not, simple things like turning expense reports, if the executives are getting away by turning, fudging, the expense report, chances are there's a problem in that company below as well. And somebody, they're not doing what's in the best interest of their stockholders So controls in a start-up is basically an informal process. For start-ups that have not been running they’re new company like FTX was or the social media company I talked about. So, what they need, are folks like Deepak, that can come in and give them a good education about risk management, about risk assessment, about linking controls to risk, and really setting up a framework. And there are many frameworks available out there. You don't have to follow COSO, which is a framework that most public companies follow. You can pick a simpler control framework. So COSO framework goes back to the 19 seventies again, so it's a very mature framework and we like it for that reason. But there's also ISO 31000 that's popular in certain parts of the world, there's many others. So, whatever your risk management framework is, you know, folks like Deepak can come in with us and help you get up to speed on it. And once you have that framework and you create that common knowledge, that lingo, of how you speak about controls in the organization, then you can start thinking about maturing.

Now, if you're already a mature company, and like I said, many mature companies that go public and private and switch back and forth, and we see that, especially in the economy that we're entering next year, everybody's pretty much declared is going to be a recession. You will see lot more M&A, that environment. you will see more private companies, you know, a big hedge funds, private equity is coming in, taking companies off the public market, the most obvious one in our recent history, the joke at Twitter, right? Elon Musk taking that private. So, you'll see that happen, and so what people think is that OK, now We've gone private or private. We don't have to comply controls. But I think that's the short-sighted view. Certainly, there's not that burden I won't disagree with that because you don't have to file the disclosure statements with the SEC. However, you still have to make sure your processes are effective so the results you're producing, disclosing to the to the stockholders or investors. You still have investors, right? Any sizable company will have investors, even if it's employee owned, right? So, employees are the investors in that case. So, you'll have investors in any sizable company and if those investors are not getting the right picture of the business, they have the right to litigate. They have the right to demand management changes.

Model changes, even shut down the business, in many cases, right, through bankruptcy, etcetera. So, it's not a good thing to not have control. I think people generally understand that. I think the challenge is, that, when companies are private, the formality of the control goes down a bit. And that's why I recommend that, you know, please maintain your framework and adopt a framework. Whatever you think is right for your organization. And maintain that level of control over your business. Because you still have investors, you still have employees, you still have customers, and they're all going to demand those controls. And if you're sleeping at the wheel and you're not paying attention, it also restricts your ability to raise more capital. Because one of the clauses you'll see in any investor is that view comply with these control standards and what do your auditors do when they last audit you? So, that's the kind of confirmation information we want to share now, if you are a, most companies, like I said at the beginning of the past, is that many of them have good intentions. So, if you do have good intention, you want to maintain good controls as a start-up, as a pre-IPO company that you should consider maintaining that level of testing of controls and try to go from an informal approach, which is where you might be if you're a start-up to more of a maturity level. So, we have the CMM level five maturity model for controls, but it goes, you know, from informal controls, all the way to optimize controls, right? Everything in between, proactive, and so forth. So, you can follow that path. I think it's on our website.

We can share more details with you where you are, the roadmap today, and where you can be. So, we help you baseline your controls. And that'll help you move forward to a level where your investor ready, your growth ready, you're ready for, you know, running your business well.

Emma: What would your words of Advice be, Deepak?

Deepak: I think it's spot on. Just a couple of points. One is the way I tell a number of my clients is that think of controls as a break in a Formula one car. The break is not there to reduce the speed, you know, to prevent the driver from going to, you know, as fast as you can or she can, the idea is to safeguard it. The driver is able to go that fast, only because he or she knows that there are breaks. So that is the job of internal controls. So, we're not there as a bottleneck and relating that to FTX, which is the starting of the organization. If FTX would have had decent internal controls, they would have, even despite the currency, follow whatever they would have still managed to salvage and sell on whatever that is, to another company and exit, or, you know, move away from it. The utter lack of controls, the lack of management intent opponent the top, as Adil was saying, is clear and you can see what's happened. So that's the first point. The second point, in terms of companies getting ready for IPO, I think, again, these companies, the most likely, they're not in the crypto area, at least, they will all be regulated under our regulations on what you need to disclose. How frequently. So, there are lots of rules and regulations on how things have to be reported and in a certain way. And I know that it takes a considerable amount of preparation for companies to get their companies listed in stock market. And sometimes they have to restructure some of the management roles, responsibilities they have to, and also put a new processes of management accounting reporting and auditing plays into place before they can get and set up. A couple of companies mandatory pieces for audit committees. So, there's a lot of preparation that is required. And all this preparation is, essentially, aimed at strengthening the internal control, and to make sure that whatever results are being reported are standard, accurate, and reliable for the consumers, or the shareholders. I think that's essentially, the reason why, you know, companies at all levels need internal controls in their organizations.

Emma: Yeah, absolutely. And to finish off our discussion today, you know, we've been talking a lot about controls and, there are lots of different types of controls that exist, manual, automatic controls. Are there any solutions out there that can help organizations automate the controls and be more efficient and succeed ultimately?

Deepak: I think most most of the software have controls that can be embedded, or which are preventive in nature. My personal view is that we need to get controls embedded so that they are seamless in the process. And that cuts out workarounds and future rework. Therefore, the attention is to embed as much as we can into the process into the technology so that it becomes easier. And then for those occasional ones where we can't have a preventive control, or the need or another pair of eyes then look at how we can get good reports out of it. Those are all detective kind of, you know, controls the periodical reporting, etcetera, just to make sure things are consistent and to track anything that's out of the ordinary, to catch anything that's not working So, I think most organizations, most the ERP solutions offer a range of these. Like, again, it's subject to how well it is customized. How well the client is prepared

Adil: Yeah, just to close on that thought that. So, Deepak pointed out the importance of detective and preventive controls in the business systems like Oracle and SAP, Dynamics etc.… And I think that's a great way to look at controls. I would also encourage you to look at controls in terms of categories of controls so there are business controls, we sort of fall into, you know, how do you prevent this from happening within a process or procure to pay process here? Your requisition, your sourcing, your order to cash process, etc.…

And then there are the controls that are what we call IT general controls. These are controls on how you control the systems that manage these processes today. So ITGCs are those controls that could be at the network level database if you're doing cloud infrastructure, application level change management within the application.

And there's another category, ITAC which is the IT Application Control, right?

You think about controls in those categories, and who owns what controls. Some of these controls are pervasive, right? So, we talked about that earlier. Deepak mentioned ITGC, since I wanted to just close by saying that. So, so once you decide which way you want to go, you want to select that subset of Ownership, who owns what controls?

And that can be tricky, right? So, it's good to talk to some experts that have spent decades like Deepak has, helping companies do these kinds of controls, and they can guide you on where to best provide responsibility, accountability for these controls.

And where SafePaaS comes in, is really to take that mystery or confusion out of the controls alignment of the first question we started with. Basically, SafePaaS is a governance platform that governs the enterprise and all that risk and chaos that happens in an organization where, because of the misalignment, it basically steps in and does it for you. So, it has the ability to design a policy, assess the risk against that policy, ensure the control is deployed to prevent risk in the process through an automated control. And if it's a manual control, it has capabilities.

So that alignment stays there. So, let's say your business changes. You open up a new business office in a new region in China or whatever. Or you acquire a company or you put a new system in. So, you're using Oracle, you moved to SAP. Or you have people personnel re-organized, or hybrid workforce. All those things that happen, your organization can remain agile whereas SafePaaS will protect your organization and safeguard your organization. With the controls they will always be there to monitor you, right? So, whether the ERP controls turned off or on, we will catch that great example of the three-way match. You know, if you turn on three-way match, it's a control. So, your purchase orders, your invoices and receipts match up, but there's also possibility someone may turn it off and you don't catch it. So now you have controls. But again, as I mentioned the beginning, ERPs are not designed to govern over their processes.

So that's where SafePaaS comes in, it governs these controls risk is mitigated and prevented from happening.

Emma: Well, we've had a great discussion today. I will turn back on my camera. I was having network issues. So, a huge thank you to Deepak for joining us today and a big thank you to you Adil and to everybody who's taken the time out of their busy schedules to join us today. We hope the session provided some great insight. And if you do wish for further discussion, then don't hesitate to reach out to either myself or Deepak or Adil and we can have that discussion with you.