Toyota Industrial Equipment began production in Japan in 1956, and exported its first forklift two years later. In 1968, it imported its first forklift into Australia. By 2000, the brand had sold its 1.3-millionth Toyota forklift worldwide, with more than 30,000 having been sold into Australia.
In 2017, Toyota was Australia’s top forklift company according to statistics released by the Australian Industrial Truck Association. By 2018, the Australian operation had a market share of approximately 40%.
Profitable growth is the goal of every company, but it comes with challenges. For one, as a larger company, Toyota Material Handling Australia (TMHA) faced stricter auditing requirements than in the past.
TMHA’s Japanese parent company Toyota Industries Corporation (TICO), ensures all its business divisions establish an appropriate operating internal control system to maintain the reliability of financial reporting, based on the Financial Instruments and Exchange Law (so-called Japanese Sarbanes-Oxley Act or J-SOX). As each division grows, based on revenue, assets and the number of employees, more stringent controls are put in place.
Due to its growth, TMHA recently crossed over the threshold into being classified internally as a large corporation. With that new designation came more of the stringent requirements concerning the auditability of the company’s governance. TICO now requires that TMHA perform comprehensive annual governance audits, including on its Infor M3 ERP system, running on the IBM iSeries. Every second year an auditing firm, PwC, conducts the external audit. TMHA performs the audit internally and reports the results to PwC in the intervening years.
As a start to meeting the new governance requirements, PwC and TICO performed a “dry-run” audit. This was a full audit, but, rather than the results being binding, it was considered as something of a health check on the security and controls of company’s data and systems, among other things.
The result of the dry run audit was broadly favorable, but it identified a number of remediation requirements. These primarily involved internal issues concerning documentation, processes and policies. One of the key problems the audit identified was TMHA’s inability to fully trace financial database changes. Many of the other issues identified were easily fixable with minor tweaks to policies and processes, but this one was a significant deficiency that TMHA couldn’t fix internally.
Another issue identified was that controls around vendor authority needed to be tightened. The process of requesting access for a vendor, granting it and then revoking it or decreasing the privileges when the vendors no longer needed them involved considerable manual effort. This meant that vendor authorities were sometimes not revoked or reduced when they should have been.
TMHA chose the Assure Monitoring and Reporting and Assure Elevated Authority Manager components of Syncsort’s Assure Security to plug the gaps identified by the dry run audit.
There were a number of reasons for this choice. One was ease of use. TMHA evaluated three alternatives, and the other two made it much too difficult to work with the large number of tables—3,000—that TMHA maintains in its Infor M3 application. With those products, administrators would have had to identify every table that needed to be audited and identify the required audit granularity. With Assure Monitoring and Reporting, TMHA simply had to say, in effect, “audit M3.” The administrative burden of the other products was amplified by the fact that table structures are changed from time-to-time, which would have required redefining the audit requirements for those tables after every change.
Assure Monitoring and Reporting also delivers an appropriate level of granularity. “Its reports provide the right level of detail,” explained David Lloyd, General Manager - IS&T. “Other products we looked at were so detailed that working with them would have been impractical, but Assure Monitoring and Reporting tells us everything we need to know, without overburdening us.”
With the help of consulting and implementation services from Syncsort’s business partner, Kantion, implementing Assure Monitoring and Reporting was fast and easy. “It worked pretty much straightaway,” said Martin Stephens, Systems Manager. We just said, ‘these are the parameters, these are the system-defined users we want to exclude,’ and it really worked right out of the box.”
Now vendor access to the M3 system database is closed by default. Using Assure Elevated Authority Manager, TMHA grants vendors the level of access they need for a specified period. At the end of that time access is automatically revoked, although it can easily be extended, modified or granted again if necessary.
Assure Monitoring and Reporting also greatly improved the auditability of the M3 database. TMHA produces monthly reports of database changes. Using these reports and Assure Security capabilities, the auditor returned and repeated the audit. The result was a clean bill of health.
The most important benefit Assure Elevated Authority Manager delivers is peace of mind. TMHA, its parent company, and its J-Sox auditors are now more confident in their ability to audit and control access to the company’s data and systems.
Its automation also adds value. In the past, TMHA’s IT staff had to manually track vendor authorizations and grant and revoke them as appropriate. This led to authorizations being left on unintentionally. By automating the process, Assure Elevated Authority Manager eliminates these human errors.
Automation also reduces the human resource requirement. “It used to be quite fiddly,” said Martin Stephens, Systems Manager “In the past, we had to go in and enable the account, supported by a form, keep tabs on it, and disable the account when appropriate. Now it’s all automated.”
The graphical user interface further simplifies and streamlines the processes compared to green screen, commandline administration. This saves the company even more time and further reduces the chance of human error.
The level of granularity of Assure Monitoring and Reporting’s reports is another important benefit. With other tools, the reports can become unusable or too long to pour through if there’s too much detail, and as a result, critical information could get lost. On the other hand, if they didn’t give enough detail, then critical information might not be presented at all. In TMHA’s opinion, Assure Security gets this balance just right.