Fraud and Compliance have begun replacing Cash Forecasting and Liquidity Management as the top priorities for Corporate Treasurers. While Risk Management has always been a priority for Treasurers, managing risk typically meant implementing a good hedging policy or ensuring sufficient liquidity to meet cash obligations.
The prevalence of fraud and cybercrime has raised the bar for the CFO, and their entire team. While every finance professional is aware of Sarbanes-Oxley’s (SOX) impact on treasury compliance for the past 14 years, less has been written about the recent changes to SOX requiring greater technology controls, which the CEO and CFO are now signing-off on as part of Section 302 and 404 compliance.
Additional reading: How Treasury Technology Supports Business Continuity Planning
The emphasis on technology controls within regulatory compliance is primarily due to the success of internal fraud schemes and cybercriminal penetration of finance systems. CFOs and Treasurers often had technology at their disposal, but continued to use spreadsheets and manual processes in place of more secure information platforms. Spreadsheets, as we know, can easily hide a multitude of errors due to their lack of audit trails. But they also lack controls such as separation of duties, digital signatures, and other workflow tools to prove the treasury team is following a secure process.
When signing off on regulatory compliance such as Sarbanes-Oxley, CFOs want to ensure that they are signing off on something more robust than a spreadsheet. As a result, the Treasurer now has to step up and take ownership of their own information security requirements.
While it is the Treasurer’s responsibility to prove treasury operations are governed by robust controls and auditability, a big challenge for the Treasurer (a.k.a. the Chief Treasury Information Security Officer) is that treasury has historically been on an information island. Treasury often had its own systems, generally refusing to be part of an ERP implementation. Treasury required more demanding service levels, due to their requirement for 24×7 attention should a payments or cash system fail. And, to be fair, few in the organization truly understood what treasury actually did. The end result was that treasury was disparate as a department and treasury technology operated under a different set of rules.
With the rise in fraud and cybercrime – along with the recent need for CEOs and CFOs to attest to financial technology controls – the need for treasury to align with the rest of the organization’s information security policies is more critical than ever. Most treasury systems operate in the cloud, although few treasury system providers have invested sufficiently in their cloud technology to offer adequate application and data protection to meet the CIO, CTO, and/or CISO’s security requirements.
However, without coordination between the Treasurer and the CIO/CTO/CISO, treasury does not have enough information to know what standards they must comply with. This collaboration is therefore critical to treasury information security – and to the CFOs confidence in agreeing that sufficient technology controls exist in treasury.
Yet, surprisingly, information security representatives are influencing security requirements in little more than 50% of treasury technology selections. When I’ve asked why IT isn’t in the room, the response is typically “we’re flying below their radar” or “every time they get involved it ends up costing us money because they ask for more security features from the software provider.”
My response is always the same: that is exactly why they should be in the room.
The Treasurers’ job is to reduce risk, not take more on. By refusing collaboration with the CIO/CTO/CISO to align treasury information security with the entire organization’s information security, the treasurer is increasing operational risk and putting the CFO’s reputation and compensation on the line. Clearly that is not a risk worth taking.