Reconciliation
What is Reconciliation?
In the context of IT systems, reconciliation is the process of comparing similar data stored, used, and processed in multiple systems. Reconciliation identifies inconsistencies and remediates them, ensuring you work with accurate data everywhere. We explain this in more detail below, and as an IAM provider, we also examine how reconciliation is used for your identity management.
Why Reconciliation
Reconciliation is important when you manage data in multiple IT systems or databases and need to verify that the data in use is consistent.
An example is a company with multiple sales systems, such as an online store, a point-of-sale system, and a CRM platform. Each system stores data about the product range and prices; the current data is sent daily from a single server. Synchronization issues can arise, yet every system must always use the correct data. It is therefore important to run reconciliation regularly to ensure data consistency across the different sales systems. Similarly, for backup processes and migration projects, it may be necessary to verify that the copied data and the original data are identical. Reconciliation helps identify and resolve mismatches in all of these cases.
The examples above are still quite basic: each is a direct comparison of identical data. More often, reconciliation involves different processes and systems with distinct data, yet the outputs must remain mutually consistent. Consider various administrative processes. If you record a company's purchase orders in one system, those entries must be demonstrably reconciled with the supplier invoices received in accounts payable. Similarly, sales data for different sales managers must be relatable to accounts receivable. A complicating factor is that such data is created at different points in time; a sales manager will create a sales confirmation immediately, but the corresponding invoice is only sent after delivery. One order can generate multiple invoices, or multiple orders can be consolidated into a single invoice. This makes financial and administrative reconciliation complex, which is why it is a core capability of modern financial and ERP systems.
How Does Reconciliation Work?
We describe below how we approach reconciliation in HelloID specifically. First, we look at how reconciliation works in general. There are multiple methods, and we provide a few examples:
Manual Reconciliation: The simplest form of reconciliation is manual, using Excel spreadsheets to compare data across two systems or databases and resolve discrepancies by hand. This is only viable for small, lower-impact systems with limited data.
Automated Reconciliation: Using software tools or scripts, you can easily compare large datasets and identify differences. The output consists of lists of discrepancies.
Rule-Based Reconciliation: By adding rules to your reconciliation tools, you can not only compare data intelligently but also enable administrators to correct differences with a single click. The system provides suggestions that you can accept or reject.
These are a few basic examples, and there are many variants depending on the use case and objectives. For example, you can compare current data with backup or audit data to identify recent changes easily. You can also automate the reconciliation process to run a comparison daily or weekly. With very large datasets, you can process a different batch of data each day and periodically check all the data.
How Do We Approach This?
How do we handle reconciliation within our HelloID provisioning IAM platform? We first review the exact role of HelloID provisioning and then zoom in on the reconciliation process.
The HelloID Provisioning Functionality
Our platform streamlines and automates user account and access management for organizations. It works roughly as follows:
HelloID provisioning is usually connected to one or more source systems. Examples include HR and student information systems. The platform receives current information about users, their job or role(s) within the organization, and other relevant attributes such as department or work location.
HelloID provisioning uses that data to determine, based on business rules, which user accounts and access rights each user requires.
HelloID provisioning is then connected via connectors to one or more target systems, such as Entra ID and a CRM system. HelloID provisioning sends requests to those systems to create the required user accounts and assign the required access rights.
With this provisioning functionality, you automatically manage most accounts and access rights. When someone changes roles, HelloID provisioning automatically updates accounts and permissions; offboarding departing users and onboarding new users are processed automatically as well. HelloID also offers a Service Automation module to manage individual exceptions, for example when a business analyst needs a temporary Adobe license for a specific project.
Reconciliation Within HelloID Governance
With the functionality described above, you automate account creation and access management, bringing your identity management under control. In addition, HelloID provides governance functionality. These tools enforce compliance, further optimize identity management, and resolve inconsistencies. This ensures you remain in control. A key capability is reconciliation, which resolves discrepancies between the data registered in HelloID provisioning and the actual state in connected target systems.
To do this, HelloID provisioning can import settings from the target systems and compare them with the data stored in HelloID provisioning. This helps you identify which accounts, access rights, and specific attributes are recorded as managed within HelloID provisioning but are not activated in the underlying target systems. Or vice versa: which accounts and access rights exist in specific target systems but are not yet managed from HelloID provisioning?
A report is generated to highlight these differences, and HelloID provisioning helps you resolve them. In this way, you can clean up legacy and data debris in target systems, onboard locally created accounts such as service accounts into management within HelloID provisioning, and correct unexpected mismatches between HelloID provisioning and target systems. You can also use this report to identify improvements to optimize your business rules further.
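The comparison described above can be sketched as follows. This is an added example, not HelloID code: the Account fields, the finding labels, and the sample logins and rights are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    login: str
    enabled: bool
    rights: frozenset = frozenset()

def _index(accounts):
    # Compare logins case-insensitively and ignore stray whitespace.
    return {a.login.strip().lower(): a for a in accounts}

def reconcile(desired, actual):
    """Return sorted (login, finding, detail) tuples for every discrepancy."""
    want, have = _index(desired), _index(actual)
    findings = []
    for login in sorted(want.keys() | have.keys()):
        w, h = want.get(login), have.get(login)
        if h is None:
            findings.append((login, "missing_in_target", ""))
        elif w is None:
            findings.append((login, "unmanaged_in_target", ""))
        else:
            if w.enabled != h.enabled:
                findings.append((login, "state_mismatch",
                                 f"desired={w.enabled} actual={h.enabled}"))
            if h.rights - w.rights:
                findings.append((login, "excess_rights",
                                 ",".join(sorted(h.rights - w.rights))))
            if w.rights - h.rights:
                findings.append((login, "missing_rights",
                                 ",".join(sorted(w.rights - h.rights))))
    return findings

# Constructed sample data: the desired state held by the IAM platform ...
DESIRED = [
    Account("p.jansen", True, frozenset({"crm-sales"})),
    Account("a.devries", False),  # departed employee, should be disabled
    Account("k.bakker", True, frozenset({"crm-sales"})),
]
# ... and a constructed export of the actual state in a target CRM system.
ACTUAL = [
    Account("P.Jansen", True, frozenset({"crm-sales", "crm-admin"})),
    Account("a.devries", True, frozenset({"crm-sales"})),
    Account("svc-backup", True, frozenset({"crm-admin"})),
]

if __name__ == "__main__":
    for login, finding, detail in reconcile(DESIRED, ACTUAL):
        print(f"{login:12} {finding:20} {detail}")
```

In this sample the findings that matter most for security are the account that should be disabled but is still active with rights, and the unmanaged service account holding an administrative right.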
Better Compliance Through Reconciliation
Reconciliation directly supports your compliance with privacy regulations, such as the GDPR, and information security standards, including ISO 27001 and the related BIO and NEN 7510 standards. A key requirement is the ability to demonstrate that the data used in management processes and systems reliably reflects the configuration in operational systems.
Based on business rules, HelloID provisioning provides a single administrative view of all managed accounts and access rights. We therefore call this the target state. The reconciliation functionality then verifies whether the desired target state matches the current state, including the accounts and access rights across the target systems. This delivers a complete 360-degree feedback loop between HelloID provisioning and the connected systems. Because all account and entitlement changes are automatically logged for audit trails, you can keep HelloID provisioning compliant with current laws and regulations.
Future Possibilities with IAM Reconciliation
HelloID continues to evolve the reconciliation functionality; you can find concrete plans on our roadmap. At the same time, we are already considering further innovations in this area. With reconciliation, we can easily detect inconsistencies between HelloID and target systems. You also have options to resolve such an inconsistency with a single click. For example, you can create an exception for an unmanaged local account to bring it under management. If an account managed by HelloID is inactive in a target system, you can reset its settings in a single action.
The challenge remains: what is the right resolution? When should you bring an account under management, and when should you remove it instead? We expect to help administrators further with this through artificial intelligence (AI) and machine learning. We outline two example scenarios:
Unmanaged Account Can Be Removed
Suppose an administrator created a local CRM account for an employee named Petra Jansen because her role did not include standard access, even though she often needed to cover for colleagues. Later, her formal role was adjusted, and an account was automatically created in HelloID; the previously created unmanaged account is now redundant. During reconciliation, you now discover that unmanaged account, but how do you correlate it with Petra’s 'official' account in this case? Especially if typos were made in name data, or Petra previously worked as a contractor and now has a permanent contract with a different email address. She may also have married and changed her name, and so on.
That is a difficult puzzle for the administrator. It is helpful if a smart reconciliation dashboard provides automatic suggestions. For example, Petra Janssen or Petra Benali is likely the same person as Petra Jansen. Simple typos can already be recognized, but with techniques such as fuzzy matching and other AI-based solutions, you can also detect less obvious matches. This can include a match between two accounts with completely different names that still share usage-pattern characteristics in log data.
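A minimal sketch of the typo-level matching mentioned above, as an added example rather than HelloID's implementation: it uses Python's standard difflib for string similarity, and the function names, the 0.85 threshold, and the sample names are assumptions.

```python
import unicodedata
from difflib import SequenceMatcher

def normalize_name(name):
    """Lowercase, strip accents and collapse whitespace before comparing."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(no_accents.lower().split())

def suggest_matches(unmanaged_name, managed_names, threshold=0.85):
    """Return (managed_name, score) pairs at or above threshold, best first."""
    target = normalize_name(unmanaged_name)
    scored = []
    for candidate in managed_names:
        score = SequenceMatcher(None, target, normalize_name(candidate)).ratio()
        if score >= threshold:
            scored.append((candidate, round(score, 2)))
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed sample: display names of identities already under management.
MANAGED = ["Petra Jansen", "Peter de Vries", "Karin Bakker"]

if __name__ == "__main__":
    for unmanaged in ["Petra Janssen", "Pétra  JANSEN", "Petra Benali"]:
        hits = suggest_matches(unmanaged, MANAGED)
        print(unmanaged, "->", hits or "no suggestion")
```

The typo and the accented variant are suggested as Petra Jansen, while Petra Benali produces no suggestion: a changed surname is beyond string similarity and needs another signal. The output is a suggestion for the administrator to accept or reject, not an automatic merge.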
Conversely, Bring an Unmanaged Account Under Management as an Exception
The reverse is also possible. Suppose Petra continues to act as a stand-in for the department, and it is acceptable for her to keep using that locally created account. In that case, this account is labeled as unmanaged in every reconciliation report. No match with another account was found; after consultation, the administrator will create a 3-month exception. After a few reconciliation runs, the artificial intelligence recognizes this pattern, and the platform presents this exception as a suggestion, including a brief explanation. The administrator only has to confirm it.
As you can imagine, with smart AI algorithms and machine learning, we will be able to keep the relationships across source systems, target systems, and the hub, your IAM environment, in sync even better. We can identify issues earlier and provide smarter improvement suggestions. We will support administrators not only in correcting account data and access rights, but also in continuously optimizing your business rules. This is one example of increasingly advanced IAM reconciliation algorithms.
Want to Learn More About Our IAM Reconciliation?
As you can see, reconciliation enables you to professionalize account and entitlement management further and to detect and correct mismatches between your target systems and the central HelloID database. It is therefore an important part of your HelloID governance functionality. Want to know more about using the governance module in general or the reconciliation functionality specifically? View our webinar or our governance page.