
I am now in my 15th year in the financial-software space, over 10 of which have been in treasury software. During this time, I have been on both the buy and the sell sides, and have seen various methodologies for selecting the financial software that is right for a particular company.
However, regardless of the method, there is almost always an IT and audit review. That is to say, as the evaluated vendors are whittled down to the final two or three, the evaluating company inevitably requires a thorough review of the vendors’ IT and audit stability, including, but not limited to:
- Service Organization Controls 1 (SOC 1) report
- Service Organization Controls 2 (SOC 2) report
- Disaster Recovery & Business Continuity plan
- IT infrastructure description and map
- Encryption protocols
- Intrusion and penetration testing methodology and results
- Development practices and testing procedures
- Upgrade processes and controls
- Datacenter review and on-site visit
- System administration options (e.g. dual administration)
- Login security (e.g. dual-factor authentication, password policies)
The best software vendors spend millions of dollars annually to ensure they have exceptional security-and-control practices in support of their clients’ needs, as they should. All of these are very good questions and should be thoroughly evaluated by the potential buyer. However, there does appear to be a double standard in the financial-systems arena that I cannot seem to reconcile.
While companies are requiring “military-grade” security and controls from their financial-software vendors, they simultaneously allow their finance and treasury teams to build and maintain their own financial systems in Excel, without the same level of scrutiny.
If we look at the treasury space for a moment, we find that companies have spent days, weeks and even months developing spreadsheets to manage daily cash balancing, forecasting, multilateral netting, foreign exchange hedging, hedge accounting, bank-account management, etc. These are the very same business requirements and processes managed by specialty-software providers, the same providers that are put through the proverbial IT wringer to ensure they meet the latest and greatest IT and audit standards.
So, here is the question I continue to ask:
If these spreadsheets, which are financial systems, are used to process the same important financial information as the specialty-software vendors, why are they not held to the same standards as the vendors? And, if they were held to these standards, would they pass the IT and audit tests?
Granted, internally developed systems may merit a different level of “security” scrutiny than an external system, especially if data is housed externally. However, should the development of our financial spreadsheets pass through the same standards as our internally developed systems that would perform the same functions?
I would love to hear your opinions on the matter.