Notorious frauds at many Fortune Global companies highlight the importance of internal controls. In spite of the Sarbanes-Oxley Act of 2002 (SOX or SOA), external auditors continue to disclose large numbers of material weaknesses in the internal control systems of public companies, and in some cases the same firms have reported the same material weaknesses for consecutive years. A material weakness is a deficiency in internal control over financial reporting serious enough that a material misstatement might not be prevented or detected in time; such weaknesses lead to misleading financial statements and can be the vehicle for fraud.
At minimum, Sarbanes-Oxley compliant solutions document that the CEO and CFO reviewed the financial reports and evaluated the effectiveness of internal controls (the certifications required by Sections 302 and 404 of the Act). Vendors also reference PCAOB Auditing Standard No. 5 (https://pcaobus.org; the PCAOB, the Public Company Accounting Oversight Board, was created by Sarbanes-Oxley, and AS 5 was renumbered AS 2201 in the PCAOB's 2017 reorganization of its standards), the standard under which the external auditor assesses internal control over financial reporting, including the controls over transactions that limit fraud. The PCAOB accepts a recognized framework for internal controls such as that of the Committee of Sponsoring Organizations of the Treadway Commission (http://www.coso.org). An information and communication system is not only one of the components of the COSO framework; the other controls within an organization depend on the effectiveness of IT controls. AS 5 therefore directs the auditor to evaluate IT general controls, because the reliability of the automated controls in the financial reporting process rests on them.
Makers of enterprise resource planning (ERP) systems responded quickly to the passage of Sarbanes-Oxley by offering additional features, such as SAP Governance, Risk, and Compliance (GRC) solutions and Oracle Hyperion Financial Management. Biometric authentication is a complementary control: it binds each transaction to a physically present individual, which strengthens accountability, makes fraud harder to commit and to conceal, and removes much of the overhead of password handling.
This article provides an overview of two biometric systems (fingerprint and hand vein authentication) compatible with SAP ERP. The case for embedding biometrics in an ERP system is that a password proves only that whoever typed it knew it; it does not establish who was actually at the keyboard, and a shared or stolen password leaves no one accountable. A biometric credential is bound to the person presenting it.
Before the passage of the Sarbanes-Oxley Act, realtime (http://www.realtimenorthamerica.com) already provided fingerprint authentication for the SAP ERP environment, with enforcement down to the individual transaction and field, so that every sensitive action is attributable to a specific person and fraud is harder to hide. realtime describes it as the only biometric system that stores its biometric data natively within SAP ERP rather than in a separate authentication server.
More recently, the available protections have been expanded to include hand vein authentication from Fujitsu: http://www.fujitsu.com/no/solutions/business-technology/security/product/palmsecure/biolock/. With Fujitsu PalmSecure, any function requiring additional security can be gated behind a Fujitsu hand vein sensor. Fujitsu states that the PalmSecure sensor captures more than five million reference points from an individual's palm-vein pattern, and that the left and right hands of the same person have different patterns. The sensor is contactless, which keeps it hygienic; this matters in hospitals and in places such as banks where large numbers of people share one sensor. Fujitsu has also reported that 2% to 3% of individuals cannot use fingerprint scanners because of worn, damaged, or indistinct fingerprints. For those users, hand vein authentication is a practical alternative rather than a fallback to passwords.
Neither fingerprint nor hand vein sensors store an image of the finger or palm. Both produce an encrypted numerical template derived from the image; templates are smaller than images and faster to match. A template is still personal data that cannot be reissued if it leaks, so the stored templates and the path from sensor to ERP need the same protection as any other credential store. The system lets an administrator specify, per function or per user, which factor is required: smart card, fingerprint, or hand vein. Whether a user authenticates by fingerprint or by hand vein, the data is stored within the organization's SAP ERP. The design is open, so an organization can add further biometric methods as the technology evolves.
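To make the per-function, per-field policy concrete, the following is an added illustration written for this article; it is not code from realtime, Fujitsu, or SAP, and the function names, field names, users, and rules are all constructed. It models a policy table in which the most specific rule (field, then function, then a default) decides which strong factor is acceptable, checks that the presented factor is one the user actually enrolled (a user who cannot use a fingerprint reader is enrolled with hand vein only), and emits one audit line per decision so that every sensitive action remains attributable to a person.

```python
"""Constructed example: per-transaction and per-field authentication policy
for an ERP system.  All names, rules and users are hypothetical."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Iterable, Optional


class Factor(Enum):
    PASSWORD = "password"
    SMART_CARD = "smart_card"
    FINGERPRINT = "fingerprint"
    HAND_VEIN = "hand_vein"


# Factors that count as "strong" in addition to the password.
STRONG = frozenset({Factor.SMART_CARD, Factor.FINGERPRINT, Factor.HAND_VEIN})


@dataclass(frozen=True)
class Rule:
    function: str                  # hypothetical ERP function name
    field: Optional[str]           # None: the rule covers the whole function
    accepted: FrozenSet[Factor]    # any one of these satisfies the rule


# Constructed policy.  A field-level rule overrides a function-level rule,
# and a function with no rule falls back to DEFAULT (password only).
POLICY = [
    Rule("JOURNAL_POST", None, frozenset({Factor.FINGERPRINT, Factor.HAND_VEIN})),
    Rule("VENDOR_MASTER", "BANK_ACCOUNT", frozenset({Factor.SMART_CARD, Factor.HAND_VEIN})),
    Rule("VENDOR_MASTER", None, frozenset({Factor.PASSWORD})),
]
DEFAULT = frozenset({Factor.PASSWORD})

# Constructed enrolment table: which factors each user has registered.
# 'carol' cannot use a fingerprint reader and is enrolled with hand vein only.
ENROLLED = {
    "alice": frozenset({Factor.PASSWORD, Factor.FINGERPRINT}),
    "bob":   frozenset({Factor.PASSWORD, Factor.SMART_CARD}),
    "carol": frozenset({Factor.PASSWORD, Factor.HAND_VEIN}),
}


def applicable_rule(function: str, field: Optional[str]) -> FrozenSet[Factor]:
    """Return the accepted-factor set of the most specific matching rule."""
    best: Optional[Rule] = None
    for r in POLICY:
        if r.function != function:
            continue
        if r.field is not None and r.field != field:
            continue
        # Prefer a field-level rule over a function-level one.
        if best is None or (r.field is not None and best.field is None):
            best = r
    return best.accepted if best is not None else DEFAULT


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    audit: str    # one-line record for the audit log


def authorize(user: str, function: str, field: Optional[str],
              presented: Iterable[Factor]) -> Decision:
    """Decide whether `user` may perform `function` (optionally on `field`).

    `presented` lists the factors the client verified for this request.
    A password is always required; protected functions or fields also need
    one accepted strong factor.  A factor the user never enrolled is ignored,
    since it cannot have been verified against that user's template.
    """
    enrolled = ENROLLED.get(user, frozenset())
    usable = frozenset(presented) & enrolled
    accepted = applicable_rule(function, field)
    target = function + ("." + field if field else "")

    if Factor.PASSWORD not in usable:
        allowed, reason = False, "password required"
    else:
        needed = accepted & STRONG
        satisfied = usable & needed
        if needed and not satisfied:
            allowed = False
            reason = "requires one of: " + ", ".join(sorted(f.value for f in needed))
        else:
            allowed = True
            reason = "satisfied by " + (sorted(satisfied)[0].value if satisfied else "password")

    audit = "user=%s target=%s decision=%s factors=%s reason=%s" % (
        user, target, "ALLOW" if allowed else "DENY",
        ",".join(sorted(f.value for f in usable)) or "-", reason)
    return Decision(allowed, reason, audit)


if __name__ == "__main__":
    for args in [("alice", "JOURNAL_POST", None, {Factor.PASSWORD, Factor.FINGERPRINT}),
                 ("bob", "JOURNAL_POST", None, {Factor.PASSWORD, Factor.SMART_CARD}),
                 ("carol", "VENDOR_MASTER", "BANK_ACCOUNT", {Factor.PASSWORD, Factor.HAND_VEIN}),
                 ("alice", "VENDOR_MASTER", "BANK_ACCOUNT", {Factor.PASSWORD, Factor.FINGERPRINT})]:
        print(authorize(*args).audit)
```

The two design points worth carrying into a real deployment are the enrolment check (a presented factor is only credited if it belongs to the user claiming it, which is what makes a biometric usable as evidence of who acted) and the audit line, which records both the outcome and the factor that produced it.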
In summary, IT internal controls are the foundation for a reliable financial reporting process and for the minimization of fraud.
While our IDs are checked everywhere else, companies still rely on outdated password technology to admit users to their systems and let them execute the most vital functions in a corporate computer system. Some of the largest fraud cases in history trace back to the same weak link: the ability of users to circumvent password-based controls. It is now possible to improve Sarbanes-Oxley compliance by adding hand vein authentication to the arsenal of biometric tools. It is time for corporations to rethink their strategy and bring their authentication technologies into the 21st century.