Source: ACL Blog
Dean Foods is the largest distributor of milk and dairy products. It’s a combination of two large entities. It was Suiza Foods out of the south and the original Dean Foods, which was where I came from, out of the north. Basically, they put together both companies and now we’re based out of Dallas, Texas. That being said, there’s wonderful synergy as far as transportation, production and all those other good things. But when you become a company that big in an industry, you become a large target for being audited, for being held to a higher standard, even at the publicly traded level. My most recent role is Senior Manager of IT Risk, Security & Compliance. So I actually have both hats; I deal with compliance and security. As your friends at Target and other places will tell you, even though they cooperate with each other, compliance isn’t security and security isn’t compliance.
Operational risk in the past, if you look at it, there’s this wonderful “software system” out there that people like to use as a software system, which would be either Microsoft Excel or Access. I have seen more presentations or more “ah-ha” moments that were actually someone flipping a pivot table the wrong direction, or not lining up columns when they were sorting things, or not realizing they had hidden columns when moving things around. The goal is to be able to get to a trust level where what you’re doing is going to be constantly monitored: what somebody was doing yesterday—when they leave—somebody tomorrow can run that same analytic, and you know it was run the same way and you’re getting the same results.
It starts with privileged activities. You have a server, let’s say an iSeries server. There is a user with elevated authority and they issue a command that’s considered potentially unauthorized. That command is run through ACL Analytics Exchange, which then spits an exception over to ACL GRC Results Manager. Once that exception is hit in the exceptions manager, we have a trigger or we have a notification set up so that the manager is notified: “Hey, you have a user who has potentially done an unauthorized command.” We can then follow up with a questionnaire asking, “Do you think this command is part of your daily job responsibilities?” If so, then we can change our analytic.
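The monitoring loop described here, sketched as an added Python example; it is not ACL’s, Dean Foods’ or the interviewee’s code. The CSV audit log, the user names and the watch list of commands are constructed for illustration (the command names are IBM i CL commands, but which ones count as “potentially unauthorized” is a policy choice and an assumption here). The example shows the four stages in the paragraph: run the analytic over a privileged-command log, raise exceptions, build the manager notification, and feed the questionnaire answer back so the analytic changes. The fingerprint function is there for the point made earlier about trust: the same analytic over the same data yields the same result, and that can be checked rather than assumed.

```python
import csv
import hashlib
import io
import json
from dataclasses import asdict, dataclass

# Constructed sample audit export (CSV for convenience; not a real iSeries log format).
SAMPLE_LOG = """timestamp,user,command,target
2024-03-04T08:01:12,OPSADM1,WRKACTJOB,
2024-03-04T08:03:45,OPSADM1,CHGUSRPRF,APPUSR
2024-03-04T09:12:00,DBA02,GRTOBJAUT,PAYLIB/PAYROLL
2024-03-04T09:15:30,DBA02,RSTOBJ,PAYLIB/PAYROLL
2024-03-04T10:02:11,APPUSR,WRKACTJOB,
2024-03-04T10:05:00,OPSADM1,DLTUSRPRF,TEMPUSR
"""

# Assumed watch list: commands that warrant review when an elevated user issues them.
# The real list is a policy decision made by the compliance team, not a fixed set.
WATCHLIST = frozenset({"CHGUSRPRF", "CRTUSRPRF", "DLTUSRPRF", "GRTOBJAUT", "RSTOBJ"})


@dataclass(frozen=True)
class Event:
    timestamp: str
    user: str
    command: str
    target: str


def parse_log(text: str) -> list:
    """Turn the CSV audit export into Event records."""
    reader = csv.DictReader(io.StringIO(text))
    return [Event(r["timestamp"], r["user"], r["command"], r["target"]) for r in reader]


def run_analytic(events, watchlist=WATCHLIST, approved=frozenset()):
    """The analytic: watch-listed commands not yet approved for that user.

    `approved` holds (user, command) pairs the manager confirmed as part of the
    user's daily job responsibilities; those no longer raise exceptions."""
    return [e for e in events
            if e.command in watchlist and (e.user, e.command) not in approved]


def build_notifications(exceptions) -> dict:
    """One notification per user for the responsible manager."""
    by_user = {}
    for e in exceptions:
        by_user.setdefault(e.user, []).append(f"{e.command} on {e.target or '-'} at {e.timestamp}")
    return {user: f"{user} has potentially run an unauthorized command: " + "; ".join(items)
            for user, items in by_user.items()}


def questionnaire_response(approved, user, command, is_job_duty: bool):
    """Feed the questionnaire answer back: an approved pair changes the analytic."""
    if is_job_duty:
        return approved | {(user, command)}
    return approved


def results_fingerprint(exceptions) -> str:
    """Stable digest of one run, so yesterday's and today's results can be compared."""
    canonical = json.dumps([asdict(e) for e in exceptions], sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def demo():
    """Run the full loop once and return (first run, second run, notifications)."""
    events = parse_log(SAMPLE_LOG)
    first = run_analytic(events)
    # Manager's answers: DBA02 granting authority is routine; OPSADM1 deleting a profile is not.
    approved = questionnaire_response(frozenset(), "DBA02", "GRTOBJAUT", True)
    approved = questionnaire_response(approved, "OPSADM1", "DLTUSRPRF", False)
    second = run_analytic(events, approved=approved)
    return first, second, build_notifications(second)


if __name__ == "__main__":
    before, after, notes = demo()
    print(f"{len(before)} exceptions before feedback, {len(after)} after")
    for line in notes.values():
        print(line)
```

The approved pairs are the state worth keeping under change control: each one records a manager’s decision that a specific privileged command is a normal duty for a specific user, which is exactly what an auditor will ask to see alongside the exceptions that were raised.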
From an audit perspective, it’s definitely had a great return on investment. In the past, audit has used the tool to conduct fraud analysis, identifying 1-2 million dollars in waste and procurement. These were just ad-hoc projects. When you think about the return on investment from a continuous monitoring perspective, having the ability to look at our unauthorized activities with a more automated approach, we’re saving 8-10 hours a week, every 2 weeks, of a manager’s time running through logs of data that’s full of white noise. If you can just imagine the amount of money that we’re saving in having that level of employees spend that type of time looking for unauthorized activity—the return on investment is unlimited.