Mitigating five stubborn compliance issues

Those who fight fires understand that dousing the visible blaze doesn't necessarily mean the situation is under control. That also holds for financial executives, who can face their own hidden "fires" in trying to keep businesses compliant.

Author: Wilhelms, Dan
Position: Compliance

Firefighters arriving at a burning building know their first priority is to knock down the visible flames. Yet experienced firefighters know that when those flames are extinguished, the job isn't done. That's when they go inside and start looking for hidden flames--the smoldering materials in a ceiling or behind a wall that could suddenly erupt and engulf them. Firefighters know those hidden fires can be the most dangerous of all simply because they can't be seen until it's too late.

For the past few years, information technology and compliance managers at small- and medium-sized businesses have been like firefighters first arriving on the scene. They've been putting out compliance fires--the big issues that have been burning brightly since Sarbanes-Oxley legislation was passed nearly a decade ago. They've done a good job in the process, creating a new compliance structure where roles are defined, segregation of duties (SOD) is the standard and transactions are well-documented.

Yet, as with the firefighters, the job isn't finished. There are still all kinds of compliance issues that, while not as visible as the ones first tackled, can still create a backdraft that will burn an organization if the manager isn't careful.

Following are five of the most pressing (and potentially dangerous) issues:

EXCESSIVE ACCESS

Given the complexity of the security architecture built into modern enterprise risk management systems, it's easier than one might think to accidentally give some users access to potentially sensitive transactions that fall far outside their job descriptions.

Access is usually assigned by the help desk, and in the heat of battle, with many pressing issues competing for attention, those responsible may not be as careful about assigning or double-checking authorizations as they should be. When that occurs, it can lead to all types of danger.

Imagine a parts picker in the warehouse being given access to every SAP transaction in the organization (which has happened). In that instance, the warehouse worker started running and looking at transactions--including financial transactions--just out of curiosity. But what if he'd had a different agenda? He could have changed the data, either accidentally or maliciously, or executed a fraudulent transaction, creating a serious compliance breach.

Even if he didn't change anything, there's still a productivity issue. After all, if he's busy running myriad SAP transactions, he's not busy picking orders.
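The warehouse case above is the kind of finding a periodic access review is meant to surface before a curious (or malicious) user does. The following script is an added example, not part of the original article or of any SAP product: it compares each user's assigned transaction codes against an allowlist for their job profile, flags anything beyond it, and also flags segregation-of-duties conflicts where one user holds both sides of a sensitive pair (such as maintaining vendor master data and running payments). The job profiles, SOD rules, users and assignments are constructed sample data, and the transaction codes are used only as illustrative labels; a blanket "*" entry stands in for a profile that grants every transaction, as happened to the parts picker.

```python
"""Access-review check: flag SAP-style transaction authorizations that exceed a
user's job profile, and segregation-of-duties (SOD) conflicts within one user.

All job profiles, SOD rules, users and assignments below are constructed sample
data for this example; the transaction codes are illustrative labels only.
"""
from dataclasses import dataclass

# Allowed transaction codes per job profile (assumed, illustrative mapping).
JOB_PROFILES = {
    "warehouse_picker": {"LT03", "LT12", "MIGO"},
    "ap_clerk": {"FK01", "FK02", "FB60"},
    "treasury": {"F110", "FBZP"},
}

# SOD rule: holding any code on the left side AND any on the right is a conflict.
SOD_RULES = [
    ("maintain vendor master vs. run payments", {"FK01", "FK02"}, {"F110"}),
    ("enter vendor invoice vs. run payments", {"FB60"}, {"F110"}),
]

# "*" models a blanket profile granting every transaction (the warehouse case).
ALL_TCODES = "*"


@dataclass
class Finding:
    user: str
    kind: str    # "excess_access" | "sod_conflict" | "unknown_profile"
    detail: str


def excess_access(job, tcodes):
    """Return codes held beyond the job profile, sorted.

    Returns None when the job has no profile on file (nothing to compare
    against, which is itself a finding), and ["*"] for blanket access.
    """
    allowed = JOB_PROFILES.get(job)
    if allowed is None:
        return None
    if ALL_TCODES in tcodes:
        return [ALL_TCODES]
    return sorted(set(tcodes) - allowed)


def sod_conflicts(tcodes):
    """Return the names of every SOD rule the user's codes violate."""
    held = set(tcodes)
    hits = []
    for name, left, right in SOD_RULES:
        # Blanket access trivially covers both sides of every rule.
        if ALL_TCODES in held or (held & left and held & right):
            hits.append(name)
    return hits


def review(assignments):
    """Run both checks over (user, job, tcodes) records and collect findings."""
    findings = []
    for user, job, tcodes in assignments:
        extra = excess_access(job, tcodes)
        if extra is None:
            findings.append(Finding(user, "unknown_profile", job))
            continue
        if extra:
            findings.append(Finding(user, "excess_access", ",".join(extra)))
        for rule in sod_conflicts(tcodes):
            findings.append(Finding(user, "sod_conflict", rule))
    return findings


# Constructed sample assignments exercising each outcome.
SAMPLE_ASSIGNMENTS = [
    ("picker01", "warehouse_picker", {"LT03", "MIGO"}),       # within profile
    ("picker02", "warehouse_picker", {"*"}),                  # blanket access
    ("apclerk01", "ap_clerk", {"FK01", "FB60", "F110"}),      # excess + SOD
    ("contractor9", "temp", {"SE16"}),                        # no profile on file
]

if __name__ == "__main__":
    for f in review(SAMPLE_ASSIGNMENTS):
        print(f"{f.user:12} {f.kind:16} {f.detail}")
```

In practice the assignment records would be exported from the system's user and role tables rather than typed in, and the review would be scheduled so that a help-desk shortcut made under pressure is caught at the next cycle instead of at the next audit. Treating an unknown job profile as a finding in its own right matters: a user who maps to no approved profile cannot be checked at all, which is exactly the gap excess access hides in.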

...
