Can’t see the wood for the trees?
Eliminate false positives.
Auditors recommend Segregation of Duties (SoD) as one of the most effective controls against internal fraud: it ensures that no single user holds a combination of access rights that would let them both commit and conceal a fraudulent transaction, for example creating a vendor and approving payments to it.
But with no native functionality to help, users of ERP systems such as JD Edwards and Oracle E-Business Suite struggle to manage Segregation of Duties (SoD) effectively and efficiently.
The easiest and safest way is to use a purpose-built application that works with your specific ERP system to analyze access information. A good SoD tool comprises:
- A convenient means of specifying and storing your SoD rules
- A scanning engine which conducts detailed analysis of your live security, comparing users’ access rights against the rules to identify SoD violations
- Comprehensive reports which identify users with SoD violations and enable you to drill down to investigate them.
With tools in place to automate the process of reporting on violations, your team can focus their efforts on investigating and remediating problems to progressively reduce the number of conflicts, rather than jumping through hoops just to find them in the first place.
Don’t waste time on False Positives
But to reduce the remediation workload, you also need to eliminate time-wasting “spurious” violations (false positives) from your SoD reports.
However carefully you define your Security Model and your rules for separating duties, there will always need to be some exceptions. For example, staff may have to take on extra responsibilities to cover for temporary absences; or staff in branch offices with smaller teams may need to perform a wider range of duties.
However you choose to manage SoD, you need to be able to document such exceptions and disregard them when you produce new SoD reports, so that you don’t waste time investigating them during every auditing cycle.
Mitigations allow you to document the details of these known exceptions, including:
- The user who needs to be exempted
- The rule that he or she needs to be exempted from
- The start and end date of the Mitigation (where relevant); an open-ended Mitigation should still be reviewed periodically, otherwise a temporary exception quietly becomes a permanent one
- Explanatory notes – for example giving the reason for the exemption, or documenting compensating controls put in place to mitigate the risk.
Your SoD reporting process then needs to recognize these mitigated exceptions and exclude them from the current violations it reports. It should also flag Mitigations that have expired while the underlying conflict still exists, so that the violation reappears in the report rather than being silently ignored, and Mitigations whose user no longer has the conflict, so that they can be retired.
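As an added illustration (not code from the original page or from any SoD product), the following Python script shows the whole cycle described above on constructed sample data: a rule set stated as pairs of conflicting functions, a scan of users' access against those rules, and a report that excludes currently active Mitigations while separately listing expired and stale ones. The function names, rule IDs and user data are assumptions made for the example; real SoD rules for JD Edwards or E-Business Suite are typically expressed against programs, menus, responsibilities or roles rather than bare function names.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    """An SoD rule: a user must not hold both functions at once."""
    rule_id: str
    first: str
    second: str
    description: str


@dataclass(frozen=True)
class Mitigation:
    """A documented, approved exception to one rule for one user."""
    user: str
    rule_id: str
    start: date
    end: Optional[date]   # None = open-ended (should still be reviewed)
    note: str             # reason and/or compensating control

    def active_on(self, day: date) -> bool:
        return self.start <= day and (self.end is None or day <= self.end)


@dataclass
class Violation:
    user: str
    rule: Rule
    mitigation: Optional[Mitigation] = None


# Constructed sample data (assumptions for this example, not real ERP objects).
ACCESS: Dict[str, Set[str]] = {
    "alice": {"maintain_vendor_master", "enter_ap_invoice", "approve_ap_payment"},
    "bob":   {"enter_ap_invoice", "run_payment_batch"},
    "carol": {"maintain_vendor_master", "approve_ap_payment"},
    "dave":  {"enter_ap_invoice"},
}
RULES: List[Rule] = [
    Rule("AP01", "maintain_vendor_master", "approve_ap_payment",
         "Create a vendor and approve payments to it"),
    Rule("AP02", "enter_ap_invoice", "approve_ap_payment",
         "Enter an invoice and approve its payment"),
]
MITIGATIONS: List[Mitigation] = [
    Mitigation("alice", "AP01", date(2024, 1, 1), date(2024, 3, 31),
               "Covered branch manager's absence; CFO reviewed payment run weekly"),
    Mitigation("carol", "AP01", date(2024, 1, 1), None,
               "Small branch; HQ reviews monthly vendor-master change report"),
    Mitigation("dave", "AP02", date(2024, 1, 1), None,
               "Temporary approval rights during audit"),
]
REPORT_DATE = date(2024, 6, 1)


def find_violations(access: Dict[str, Set[str]], rules: List[Rule]) -> List[Violation]:
    """Scan live access against the rules; a hit is a user holding both functions."""
    found = []
    for user in sorted(access):
        for rule in rules:
            if {rule.first, rule.second} <= access[user]:
                found.append(Violation(user, rule))
    return found


def scan(access, rules, mitigations, report_date) -> Dict[str, list]:
    """Produce the SoD report: open violations, mitigated ones, and mitigation hygiene."""
    violations = find_violations(access, rules)
    active = {(m.user, m.rule_id): m for m in mitigations if m.active_on(report_date)}
    open_v, mitigated = [], []
    for v in violations:
        v.mitigation = active.get((v.user, v.rule.rule_id))
        (mitigated if v.mitigation else open_v).append(v)
    conflicts = {(v.user, v.rule.rule_id) for v in violations}
    # Expired: the conflict still exists but the mitigation has lapsed -> back to open.
    expired = [m for m in mitigations
               if m.end is not None and m.end < report_date
               and (m.user, m.rule_id) in conflicts]
    # Stale: mitigation is active but the user no longer has the conflict -> retire it.
    stale = [m for m in mitigations
             if m.active_on(report_date) and (m.user, m.rule_id) not in conflicts]
    return {"open": open_v, "mitigated": mitigated, "expired": expired, "stale": stale}


def run_report() -> Dict[str, list]:
    return scan(ACCESS, RULES, MITIGATIONS, REPORT_DATE)


if __name__ == "__main__":
    report = run_report()
    for v in report["open"]:
        print(f"OPEN      {v.user:6} {v.rule.rule_id} {v.rule.description}")
    for v in report["mitigated"]:
        print(f"MITIGATED {v.user:6} {v.rule.rule_id} until "
              f"{v.mitigation.end or 'open-ended'}: {v.mitigation.note}")
    for m in report["expired"]:
        print(f"EXPIRED   {m.user:6} {m.rule_id} ended {m.end}; violation is open again")
    for m in report["stale"]:
        print(f"STALE     {m.user:6} {m.rule_id} no longer conflicts; retire the mitigation")
```

On the sample data, alice's two conflicts are reported as open (her AP01 Mitigation expired at the end of March), carol's conflict is excluded because her Mitigation is still active, and dave's Mitigation is flagged as stale because he no longer holds the conflicting functions. Keying Mitigations on the (user, rule) pair rather than on the user alone matters: a user exempted from one rule should not silently have unrelated conflicts suppressed.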
Fully auditable Mitigations, with retrievable evidence
This approach also enables you to document the exceptions securely in a central location within your ERP system, rather than on individuals' PCs or in physical files where they can be difficult to retrieve.
So when your auditor comes knocking, you’re well prepared with all the evidence you need to demonstrate the effectiveness of your SoD controls, including explanations for unavoidable exceptions.
We offer powerful tools to help you reduce the cost and effort of managing Segregation of Duties. You can visit these pages to find out more about our SoD solutions for JD Edwards EnterpriseOne, JD Edwards World and Oracle E-Business Suite.
We also run regular webinars where we demonstrate these solutions. You can view the current schedules here: