“Using ACL technology, the company improved efficiency in meeting Sarbanes-Oxley IT user provisioning control requirements.”
– Chris Jackson, User Provisioning Process Owner, Dean Foods
Dean Foods® (NYSE:DF) is the largest U.S. processor and direct-to-store distributor of fluid milk, marketed under more than 50 local and regional dairy brands and private labels. Headquartered in Dallas, Texas, Dean Foods also distributes ice cream, cultured products, juices, teas, bottled water and other products.
Challenges: Rapid growth, M&As create IT control opportunities
Every day, Dean Foods delivers fresh milk and other products to customers across the United States, and it is the maker of the popular TruMoo flavored milk. The company has grown quickly through acquisitions, and while the rapid growth has been great for business, it brought together many different databases, ERP systems and order-to-cash processes. Access rules varied widely from one system to the next, and the IT department did not have an efficient, effective way to monitor elevated privileged user activities, which year over year always led to User Provisioning IT General Control (ITGC) challenges.
The need for centralized privileged access controls
Driven to have User Provisioning ITGCs operate effectively, Dean Foods launched a project to implement centralized monitoring of privileged access activity across its systems and robust Sarbanes-Oxley (SOX) controls. The IT and User Provisioning leadership team, led by Chris Jackson, first built an Identity and Access Management system and User Provisioning process to improve compliance with the six core User Provisioning ITGCs, and to improve the quality and effectiveness of the User Provisioning process. “In a nutshell, user provisioning ensures the right people have appropriate systems access, based on their roles at Dean Foods,” says Jackson.
Automating manual reviews of all administrator activity was the next step in this journey. The system logs produced huge, multi-page activity journals that required a full day of manual review from each responsible system owner. Once managers completed these painstaking reviews, they would email the results in PDF or spreadsheet form, or mark the task as complete on an internal file server. There were no central policies to guide exceptions, and every reviewer applied different criteria to determine high-risk activities.
Solution: Automated controls with ACL data analytics technology
After creating a reliable identity and access management system, the team was ready to control system authorizations. The Dean Foods Internal Audit (IA) group already used ACL technology and suggested ACL™ Analytics Exchange (AX) for this IT-driven control project.
The IT and User Access teams developed a series of configurable rule sets based on established standards for high-risk system activities. Using AX, they now join these rule files with the activity logs to identify system activities that match the rule set. The solution works across mid-range, local server, domain and database systems to screen the company’s full data population and flag potential problems. AX is also able to handle all data sources, ranging from IBM AS400 to MS Active Directory, MS Windows local servers and application/database systems.
The exception criteria (aka decision points) were centralized within a Risk Management team function so that the same criteria apply across the whole environment, without deviations arising from the personal choices managers make when reviewing their own teams. The criteria and rule sets are reviewed on an as-needed basis and at least semi-annually to confirm they are up to date.
Closing the loop on control exceptions
Dean Foods uses the exception management capabilities of AX to close its remediation loop. When the analytics detect a problem, the system automatically notifies the appropriate manager, who can click a link to visit the internal AX exception management web portal, examine the issue, and submit a review. Managers (or other process owners) can also see workflow histories, add comments and upload attachments – and by ruling whether each activity is acceptable or inappropriate, the review process actually refines the access rules and continually cleans the data. The Risk Management team performs the final review to ensure complete and accurate reviews.
Within six weeks, Dean Foods designed its own monitoring process and worked with ACL Consulting Services to create custom analytics and automate the data imports. The company also relies on ACL Support Services to resolve technical problems. From logic bugs to web service issues, the team can access skilled help with a single phone call.
Results: Reaching a major corporate milestone
Dean Foods has used ACL technology to:
- Assure controls operate effectively and efficiently to mitigate risk.
- Improve the quality and efficiency of User Provisioning IT General Control (ITGC) testing.
- Cut technology licensing and third-party audit costs.
- Access and analyze data from any data source, which enables monitoring of user privileged access activity across every company system and technology.
Almost immediately, the automated controls eliminated about 20 hours (five managers saving four hours each) of manual reviews per week, as reviewers can focus on identified exceptions rather than all activity. The ACL solution also connects different business systems and databases to provide complete data coverage.
Most importantly, the new activity controls recently helped Dean Foods pass its annual IT User Provisioning audit.
Reducing manual effort to reduce costs
Automated controls will also enable Dean Foods to eliminate several monitoring tools (and the associated licensing costs), increase review quality and reduce audit fees by half. “The new, robust rule set serves as a cornerstone of the SOX control and user provisioning process,” says Jackson. “The Dean Foods IT group now works closely with IA to minimize risk and improve processes.” Working toward shared goals increases the sense of partnership between the two functions as they work to continually improve solutions and systems. The Dean Foods journey began with a need to standardize system access and led to stronger, more robust internal controls.