Three Aspects of Implementing a Digital Transformation Strategy

Steve Fineberg, Partner, Internal Audit Services
Labi Rabiu, Partner, Enterprise Systems Consulting Services
Chuck Andrews, Director, IT Systems Assessment & Planning Consulting
Pamela Esparza, Senior Manager, Internal Audit Services
Devin Osterhout, Senior Manager, Cybersecurity Consulting Services
Ryan Stewart, Senior Manager, Cybersecurity Consulting Services

Many companies invest in digital transformation by using technology to automate processes and data flow. When done strategically, digital transformation can be especially beneficial, helping companies run leaner, be more effective and efficient in their operations, and enhance customer and shareholder experience.

There are several aspects to implementing a digital transformation strategy. How do you align the technology with your current business processes and controls? Is your current system sufficient, or do you need changes? What are the cybersecurity risks?

What Is Digital Transformation?

Digital transformation is the process of transforming business processes with technology. Digital transformation can offer many benefits, but it’s important to first understand potential challenges, assess existing systems, and develop a strategy that encompasses three aspects of a digital transformation strategy:

Digital Transformation Strategy Challenges

Chart with explenations on the steps for digital transformation strategy challenges

IT Systems and Infrastructure

Improving your internal business systems is a benefit of digital transformation. If any of your systems, such as enterprise resource planning (ERP), customer relationship management (CRM), or payroll, aren’t doing what they need to do, it may be worth conducting a comprehensive fit gap assessment. This is the process of assessing a system for visibility and scalability in support of all business processes.

You’ll document and prioritize your organization’s functional requirements, and assess the system’s ability to meet them with a focus on:

  • Technical platform of system
  • System setup, configuration, and reporting
  • Control and automation features
  • Vendor roadmap for future upgrades and enhancements
  • Integrated systems and other available solutions within the vendor ecosystem

Understand Common System Challenges

Before you begin an assessment of your current enterprise system, it can help to understand common system challenges.

Business Process Automation

Enterprise systems are meant to:

  • Reduce manual processes
  • Allow for increased visibility across an organization
  • Help improve decision making

If you already have an enterprise system but a particular business process isn’t automated, you may need a process-focused fit gap assessment.

Reporting Challenges

The ability to measure corporate performance is a hallmark of a truly powerful enterprise system. Qualities of an enterprise system with strong reporting capabilities include:

  • Readily exportable to Excel, Word, or other third-party analysis systems
  • Reliable reporting output requiring little analysis to reconcile the data
  • Reasonable cost to maintain, not needing a dedicated data analyst or consultant
Internal Control and Compliance

Internal control and compliance are mandatory in many situations and may be both necessary and valuable in others. Failure to meet internal controls and regulatory compliance requirements within an enterprise system can lead to fraud, fines, or both.

Key compliance regulations include:

  • Sarbanes-Oxley (SOX) Act compliance, including access, security, and change management
  • 21 CFR part 11 compliance
  • Current Good Manufacturing Practice and Food and Drug Administration (cGMP/FDA) validation requirements
  • Sunshine Act and aggregate spend reporting
  • HIPAA compliance
  • Payment Card Industry (PCI) compliance
  • General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) compliance

How to Assess Existing Systems and Infrastructure

Below is a digital transformation roadmap detailing how to assess your existing systems and what to look for when in the process of replacing those systems.

Project Management and Change Enablement

Determine who’s going to guide the project, align digital transformation goals with strategic business goals, and communicate the plan to all parties and stakeholders.

Fact Finding

Learn about existing processes by:

  • Interviewing process owners
  • Identifying what’s working
  • Identifying pain points

Then, review your findings to prioritize next steps.

Gap Analysis and Research

To perform a gap analysis, analyze system requirements, determine what functional and technical needs aren’t being met, and decide if an alternative solution is needed based on the desired end state.

Recommendation and Planning

Develop and document recommendations for your digital transformation, collaborate with the team to decide what needs to be prioritized first, and share the roadmap with stakeholders to gain buy-in.

Digital Transformation Solution Options

Once the system assessment has been completed, consider what to do. The initiatives that result from the assessment typically fall into three categories:

  • Optimize or upgrade
  • Integrate
  • Replace
Optimize or Upgrade

This option typically occurs when a midrange system hasn’t been configured correctly or features weren’t implemented that could help support business process automation and reporting needs.

Assess the return on investment (ROI) of a potential new system as well as the time required for desired optimizations or upgrades.

Integrate

Integration could be applicable when a cost-effective solution can be found within the partner ecosystem or an integrated third-party vendor.

Assess the total cost of the integration, including the license, the cost to implement, and ongoing costs, especially in terms of integration platform as a service.

Replace

If you have either outgrown the current system or it’s not hitting the mark, you can go through a new system selection process to replace the current system.

Internal Processes and Controls

In advanced technological environments, organizations can more reliably and consistently address risk if they can move to a more automated solution. IT-driven controls aren’t subject to human error, bias, or management override.

Companies can use the following controls to assist in their accounting.

Manual Controls

Though technology can be used to supplement manual controls, there will always be instances where management will need to make a subjective conclusion on a complex topic. This must be done via some type of human intervention.

Consider manually monitoring the following:

  • Management review controls (MRCs)
  • Estimates or accruals and other dissemination of critical information
  • R&D spend expectations and percentage complete
  • Vendor banking details

Spreadsheets and End-User Controls (EUCs)

In spreadsheet-heavy environments, organizations can establish entity-wide programs to help manage EUCs.

The following are strategies to implement that support security if your organization uses spreadsheets:

  • Maintain accurate inventory of all discovered, registered, and managed files
  • Implement version, access, change, and data integrity controls
  • Establish procedures that monitor changes to inputs and logic
  • Restrict access to spreadsheets so that only supervisors have access to unlock cells
  • Leverage Excel add-ons and embedded applications, such as Smartsheet, Tableau, or Domo

IT Application Controls (ITACs)

ITACs include safeguards in relation to specific applications. ITACs prevent, detect, and correct transaction errors and fraud in application programs. They are concerned with the accuracy, completeness, validity, and authorization of the data captured, stored, transmitted to other systems, and reported.

Several types of application controls exist with the objective to ensure that input and output data are accurate and complete, processed in an acceptable time, and a record is maintained to track the process of data from input to storage and to the eventual output.

Examples of application controls are:

  • Ensuring goods and services are only procured with an approved purchase order
  • Monitoring segregation of duties based on defined job responsibilities
  • Identifying received goods and services are accurate upon receipt
  • Ensuring fixed-asset depreciation is recorded accurately in the appropriate accounting period
  • Determining whether there’s a three-way match among the purchase order, receiver, and vendor invoice

IT General Controls (ITGCs)

ITGCs refer to the overarching controls that relate to security, change management, and the use or design of computer programs. They ensure an organization’s control environment is stable and well-managed, including the IT infrastructure and software acquisition, development, and maintenance. 

Several types of ITGCs exist with the objective to ensure that system and organization controls (SOC) reports for cloud-based systems are assessed for unmitigated risks, security and access to systems and key reports are limited via least privilege, and there is control over batch processing.

Managing third-party risk is critical for companies that rely heavily on third parties. Are you outsourcing IT or R&D? If so, work with vendors who have current SOC reports.

Organizations can gain significant effectiveness and efficiency in maintaining internal controls over financial reporting by following the steps needed to maintain this strong IT general control environment.

Automated Workflows

To further strengthen your internal processes and controls, you can utilize automated process workflows.

Examples of automated process workflows include:

  • Journal entry approval
  • New vendor approval
  • Vendor bill approval
  • Vendor payment
  • Purchase order and purchase request
Defining Scripts

Gain some efficiency and effectiveness in your operations using scripts. A script is a program or sequence of instructions that takes a series of commands and turns it into a single command. With one click, the script can run several sequential tasks.

A common example is using scripts for payroll processes.

Example for using scripts for payroll processes

There are many individual activities during this process, but with a script, the system is programmed to run the activities consistently and without error.

The script will let the user know if an error occurs. Scripts can be a very potent and effective tool for increasing the effectiveness and efficiency of your operations.

Cybersecurity

Cybersecurity should be a significant consideration as your organization develops a digital transformation strategy —including understanding what the risks are and how to mitigate them.

What Are Cybersecurity Risks?

Data held in your network or in the cloud, such as intellectual property (IP), financial data, employee information, or client or customer data, can be targeted by bad actors. Through a variety of strategies, such as phishing, ransomware, and social engineering, bad actors can try to find and exploit vulnerabilities.

How to Mitigate Cybersecurity Risks

If you can apply practical security through these basic hygiene measures, then you can reduce exploitation opportunities and reduce the risk of an attacker infiltrating your network.

Below are eight areas to focus on to lower the risk of a cyberattack and reduce data loss while developing and implementing a digital transformation strategy.

Security Awareness Training

There are reasonable, robust, and readily available ways to train and test users with realistic, orchestrated, phishing and social engineering campaigns.

Train users to inspect URLs before clicking on any links or images in their emails and conduct regular tests to help employees become familiar with phishing emails and malicious links. Provide users with guidance for reporting suspicious emails to the cybersecurity department, such as a phish alert.

Identity and Access Management

There are several important principles around identity and access management.

  • Limit privilege. Grant user access to the company network based on job roles, also known as role-based access.
  • Segregation of duties. Establish checks and balances; one user shouldn’t complete an entire process from start to finish without oversight.
  • Reviews. Regularly review user accounts to determine if access is still appropriate for certain users.
  • Privileged access management. Establish controls so that administrative accounts are only created and used when necessary.
  • Robust authentication methods. Create complex passwords or utilize multifactor authentication to enhance security and prevent attacks.

Device and Software Inventory

Maintaining accurate inventory of all software and hardware is a foundational and critical part of a cybersecurity program. It’s important that inventory records of approved hardware and software are accurate so accepted controls can be implemented to protect hardware and software from threats.

Maintaining inventories can be done manually with spreadsheets, passively with a device or software that listens to network traffic, or actively, with software that’s constantly scanning the network for active devices.

A solid inventory program allows for more effective remediation of hardware and software vulnerabilities. When updates or patches are needed, it’s more effective to identify assets that need to be updated if the inventory records are up to date; otherwise, hardware and software can become outdated over time, which increases risk to the business.

Accurate inventories also simplify the decommission process. Attackers look for outdated, vulnerable servers and software. An inventory can make it easier to assess devices and determine what needs to be decommissioned and removed from the network.

Vulnerability Management

A vulnerability management program can be multipronged. Two important aspects are patching and antivirus:

  • Patching. When a software vulnerability is identified, developers, testing teams, and security analysts will issue a patch, which is a piece of software that remedies that vulnerability and corrects it with new code
  • Antivirus. When vulnerabilities within software programs are found, attackers could write a program, or virus, to leverage those vulnerabilities

Auditing and Logging

Logging software activity can happen at two levels:

  • Application level. The actions each user takes
  • Operating system level. The number of connections, memory spikes, or high CPU usage

Benefits of creating an auditing and logging process include increased visibility, finding inefficiencies, and identifying attackers and malicious activity.

Data Encryption

Data is many companies' biggest business asset, so determining what data is most sensitive and most highly valued is paramount.

The value and sensitivity of your data and regulatory requirements will help determine what protections you put in place, such as how you access it, who uses it, and the availability.

Encryption

For data in storage or in transit, there should be a level of encryption for these environments. Encrypting data stores and data transmissions could prevent you from having to pay regulatory fines if data is inappropriately access or disclosed.

To protect data, look at your firewall settings, make sure you're using the most up to date transport layer security, and implement a file integrity monitoring system. A comprehensive data loss prevention program can help identify and address the risk of how data can be inappropriately accessed or disclosed, and how the to reduce the occurrence of these events.

Data Back-Ups

Data that’s backed up should have the same level of security, or more, as data in the production environment. Production data and data backups should both be encrypted with strong encryption keys.

Determine how often this data is being overwritten, when it will be archived, if it has continuous data protection, and who’s responsible for the data. Identify and document all regulatory requirements for maintaining data over time before destroying data archives.

Incident Response, Disaster Recovery, and Business Continuity Planning

How resilient is your organization when it comes to a data breach? Attacks are just a question of when.

  • Prioritize. Make cybersecurity a priority in your company
  • Train. Staff should be trained, and training should encompass members from many different departments
  • Perform a business impact analysis. Identify critical data, critical business functions, services, and IT equipment that could be impacted in the event of a cyberattack
  • Test. Incident response plans should be tested on a regular basis and can help reduce the time it takes to recover from an attack
  • Respond. Timely response after an internal attack, or when a supplier or vendor is attacked, is critical

Cyber Supply Chain Risk Management

Supply chain risk management is being aware of any additional risk introduced into your organization through an outside supplier, vendor, or software. If providers are at a high risk, you may not want to do business with them.

Vet a new provider to help identify any potential problems before you sign a contract. With new or existing suppliers or vendors, you can monitor what they’re doing with your data, including when they’re accessing data, why they need access, and who’s accessing it. You can also log the activity to assess what happened in the event of an attack.

After a provider has been offboarded you can continue to keep security in mind by removing access to your network and email and request that third-party service providers turn over all data in their environment or provide proof data has been rendered unreadable.

We’re Here to Help

For more guidance on creating and implementing a digital transformation strategy, contact your Moss Adams professional.

Ask a Question

Assurance, tax, and consulting offered through Moss Adams LLP. ISO/IEC 27001 services offered through Cadence Assurance LLC, a Moss Adams company. Wealth management offered through Moss Adams Wealth Advisors LLC. Services from India provided by Moss Adams (India) LLP.

Related Topics

Digital Transformation and Application Security: Implications for Your Company

Contact Us with Questions

Enter security code:
 Security code