Best Practice Tips for Segregation of Duties in Oracle E-Business Suite
It can be very difficult to manage Segregation of Duties in any ERP system, and Oracle E-Business Suite is no exception. But it is important to get it right. It’s the best way to reduce your organization’s risk of experiencing internal fraud, so it shouldn’t be just a box-ticking exercise to keep your auditors at bay!
If you follow Best Practice techniques, Segregation of Duties in Oracle E-Business Suite doesn’t have to be as big a problem as you think. A sound approach will enable you to:
- minimize fraud risks on your ERP
- ensure that the business assumes control of their security model
- reduce your Segregation of Duties management costs.
Not all companies will judge all three of these objectives to be equally important, but at least two of them ought to be on everyone’s list.
But achieving best practice can be daunting, and the advice from some consultants can be misleading. They may have an axe to grind; perhaps their main objective is not to help you reduce your in-house costs, but to present you with a large bill every quarter. And sometimes the technical advice doesn’t break through to management level; some techies like to maintain the mystique levels of their jobs, and simplifying support long term might not be one of their objectives!
Best Practice approach to implementing and managing Segregation of Duties
Let me give you my 10 top tips:
1: Audit your existing security
To get to the end of your journey with as little pain as possible, you need to know where you are right now. Get a proper audit done of your existing security model. This is your starting point – you can’t produce an improvement plan without it.
2: Understand your business processes
Some people think they can download a security model from the internet and replicate it on their own system. Unfortunately, life isn’t that simple!
Business risk is all about processes, and how someone can exploit a gap in your security. To identify and fix the potential problems, you need to know how your system is set up. This is the reason why the business people responsible for these processes are best placed to fix the issues.
3: Understand and prioritize the risks
The largest risk model I’ve ever seen had over 1000 rows in a spreadsheet. It was completely unmanageable, and when the person who maintained it left the company, no-one else had any idea what to do.
Use the experience of others to help you identify the risk areas, but start with the big risks which leave you most vulnerable. You may well find that covering 50 risks will be enough for your business – it will certainly be a great starting point.
4: Create a remediation plan
Look at the audit results, identify the key 25-50 risks, and think about what you need to do to fix the issues. A skilled consultant can help you, but it really isn’t rocket science, and many companies can do it themselves.
A good audit will give you recommendations. You can use outside help to reduce the learning curve, and learn from other companies’ experiences. But above all, engage with the business and get them involved. Our role in IT is to help the business solve these issues and then help them to own the solutions.
5: Define your Risk Model/Matrix
You’ve identified the risks – now build a model to fix them.
Once more, there are examples out there, and a spreadsheet is a good starting point. It can be time-consuming to work out which programs are involved in a business process, and therefore how to set up proper Segregation of Duties, but you can get samples to get you started. And don’t forget what we call “single risk objects,” i.e., critical programs which you need to monitor when someone is granted access.
6: Find the right tools to help
There are many technical solutions out there, at many price points. Decide what level suits your company culture; if you want the most complete solution, which will take 6 months to implement, that is fine. But there are Segregation of Duties solutions available that can be running within 1 month, which will do 95% of the same things.
Build a checklist of functions you need. Make a brief evaluation, considering usability, implementation cost (and time), ongoing management costs, and user references. For most companies, a tool is the only logical answer. Using spreadsheets for your security model doesn’t work, and over 5 years a tool will pay for itself several times over.
7: Implement both Detective and Pro-active Segregation of Duties controls
Running an audit on your live security in real time is called detective Segregation of Duties (SoD), and it is essential to understanding your vulnerabilities. But Pro-Active SoD is perhaps even more important.
Pro-active controls are the key to keeping your security model clean and your business protected from fraud, by preventing someone from unwittingly granting access that violates your SoD policies. You need to know the “net effect” in a multiple roles model, i.e., if this user is going to have these two roles, what access does that give them? Try working that out in a spreadsheet!
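As an added illustration (not from the article and not any vendor’s tool), here is a small Python model of the risk matrix from tip 5 and the detective and pro-active checks from tip 7: the role-to-program mappings, conflict pairs, single risk objects and user assignments are constructed sample data, and the “net effect” of a user’s roles is the union of the programs those roles grant.

```python
from itertools import chain

# Constructed sample data, not from the article: programs each role grants.
ROLE_PROGRAMS = {
    "AP_CLERK":       {"Enter Invoice"},
    "SUPPLIER_ADMIN": {"Enter Supplier", "Edit Supplier Bank Accounts"},
    "AP_MANAGER":     {"Approve Invoice", "Payment Run"},
    "TREASURY":       {"Bank Transfer"},
}
# Risk matrix: named pairs of programs that one person must not hold together.
CONFLICTS = {
    "Dummy company fraud": ("Enter Supplier", "Enter Invoice"),
    "Pay own invoice":     ("Enter Invoice", "Payment Run"),
    "Redirect payments":   ("Edit Supplier Bank Accounts", "Payment Run"),
}
# Single risk objects: programs sensitive enough to flag on their own.
SINGLE_RISK = {"Bank Transfer", "Edit Supplier Bank Accounts"}

def net_effect(roles):
    """Programs a user can run once all of their roles are combined."""
    return set(chain.from_iterable(ROLE_PROGRAMS[r] for r in roles))

def violations(roles):
    """Risk names a set of roles triggers when checked against the matrix."""
    progs = net_effect(roles)
    hits = {name for name, (a, b) in CONFLICTS.items() if a in progs and b in progs}
    hits |= {f"Single risk: {p}" for p in SINGLE_RISK & progs}
    return hits

def detective_audit(user_roles):
    """Detective SoD: every user whose current roles violate the matrix."""
    return {u: sorted(violations(r)) for u, r in user_roles.items() if violations(r)}

def proactive_check(current_roles, new_role):
    """Pro-active SoD: only the violations that granting new_role would add."""
    return sorted(violations(set(current_roles) | {new_role}) - violations(current_roles))

def who_can_run(user_roles, program):
    """Reporting question from tip 9, e.g. 'who can access Bank Transfer?'."""
    return sorted(u for u, r in user_roles.items() if program in net_effect(r))

# Constructed user assignments; bob's two roles only conflict in combination.
USERS = {"alice": {"AP_CLERK"}, "bob": {"AP_MANAGER", "SUPPLIER_ADMIN"}, "carol": {"TREASURY"}}

if __name__ == "__main__":
    print(detective_audit(USERS))
    print(proactive_check(USERS["alice"], "SUPPLIER_ADMIN"))
    print(who_can_run(USERS, "Bank Transfer"))
```

The pro-active check is what a provisioning workflow would run before a role grant is approved, so the request is refused or escalated while the spreadsheet-based approach would only catch it at the next audit.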
8: Conduct regular Periodic Reviews (or User Certification)
At least once a year, the business should review their access. It’s a great opportunity to make sure that redundant access is removed and that their users’ access is in line with their current responsibilities.
It shouldn’t just be a paperwork exercise; rather, it’s the best way to get the business to own their security model. But the process can be very time-consuming to perform manually, so you need a tool.
9: You need good visibility and reporting
This area often gets overlooked in the struggle to build a coherent security model, but you need to be able to see the big picture as well as find detailed information.
Dashboards have a part to play; for example, a visual representation of how many violations you have is extremely useful for management. You’ll need to be able to answer auditors’ questions and provide evidence for them, particularly if compliance is an issue in your business. And all companies should be able to find answers to questions such as: who can commit the dummy company fraud? Who can access Bank Transfer? Who can edit Supplier Bank Accounts?
10: Adopt a policy of Least Privilege
I come to this last, and it is a much more detailed issue than those above, but just as significant.
I meet system administrators who tell me they MUST have access to the whole of the system, to which I always say, “why?” If someone doesn’t NEED access (or a particular type of access) to perform their job, remove it. If they really do need privileged access, it must be controlled and monitored. Use tracking to ensure you know what they are doing. If it was my business, I would not let anyone put themselves in the situation where casual or malicious fraud is possible.
I guess this might seem like a long list, but these steps will set you on the right track for efficient and sustainable Segregation of Duties. Why not join us at our next educational webinar, where we will explore Best Practice techniques and tools in more detail? Register here.
Remember that every big job is like eating an elephant. Scope the beast, i.e., run an audit. And then sit down with someone who has done it before and work out how to do it “one bite at a time.”
If you’d like to explore further, find out more about our Segregation of Duties tools for Oracle E-Business Suite.