Effectively performing SoD and sensitive access assessments for ERPs
INSIGHT ARTICLE
Implementing effective segregation of duties (SoD) controls is critical to mitigating fraud and preventing errors in several key internal processes. Following Sarbanes-Oxley, many organizations invested in governance, risk and compliance (GRC) tools to assess their environments, but in subsequent years many companies shifted to more of an entity-level approach. Regulators, however, are increasing scrutiny and demanding that companies be more granular in SoD testing, which underscores the importance of assessments and GRC tools for proving that a system works and is secure.
SoD separates key sensitive functions: manual or automated tasks that are critical to supporting the business, financial reporting or regulatory requirements. An SoD rule should not be considered key if the functions within it are not themselves key. To build an SoD rule, first determine the sensitive functions within the organization, then determine the actions that people who have access to those sensitive functions should not also be able to perform.
No business will ever create a system that is completely free of SoD conflicts, but you must strike a balance and establish governance for risk and controls. If you allow an SoD conflict to exist, you should know what it is and have mitigating controls in place, rather than being unaware of what your true SoD exposure is.
Without effective SoD controls, excessive system access can cause a host of problems. For example, we have seen an employee with a garage of goods that were paid for by the company, because the employee had access to not only create the sales order, but also the credit memo after the products were shipped. In other situations, data deletion programs were run to hide fraud, unbeknownst to the CFO.
Unfortunately, SoD is sometimes difficult to manage with enterprise resource planning (ERP) systems. Today’s ERP platforms have many layers of security, and it can be hard to understand what is going on in your environment without a tool in place. Establishing the right roles and right access is complex; some companies don’t have good general controls, and user access reviews either don’t occur or occur at the wrong levels.
Performing SoD assessments is a critical element of ensuring effective controls. Some companies perform them in real time, or as someone gets access to a system, while others do them quarterly or on an annual basis. The timing of an assessment can be dictated by several factors; for example, if the company is public and it has an assertion for SOX, a full SoD assessment must be performed at least once a year. Basically, the more regulations you face, the more frequent your assessments must be.
There are different ways to perform an assessment; some companies do them manually, and others utilize tools or scripts to automate the process. Regardless of method, a best practice is to perform an assessment prior to, or immediately following, an ERP implementation. We recommend companies run an assessment during the implementation while building out the roles and security, and then perform a benchmarking assessment before going live. That way, you know nothing has changed since development, and you are starting the system clean.
Selecting an ERP GRC tool is an important process, as not all tools offer the same capabilities. Most only cover SoD and sensitive access monitoring, but other, more comprehensive tools provide more extensive controls monitoring, manage user access with approval workflows and enable emergency access with approval workflows and logs. Therefore, you must be careful to select a tool that aligns with your needs, providing the right amount of functionality.
Leveraging an ERP GRC tool provides several key benefits, including reducing compliance testing time, and monitoring and preventing conflicting access. In addition, a tool can automate user provisioning, monitor and control temporary elevated access, and monitor automated IT general controls and business controls.
When SoD issues are identified, many companies are quick to mitigate the concern and remove the access, but they do not look back to figure out whether they have ineffective controls that led to that access, and whether another assertion is required. To effectively account for SoD issues and ensure they do not become an ongoing concern, exposure testing must take place, which is a common capability with ERP GRC tools.
Prior to the last decade, the number of tools that could provide automated SoD assessments was limited. However, an abundance of tools has emerged, many with extensive features and capabilities. Some only work with certain ERP systems, while others are flexible and can align with multiple platforms. An advisor can help your organization select a tool that best fits your needs, considering your organizational structure and regulatory demands.
While many middle market organizations think automated SoD tools are costly, the efficiency they provide can easily justify the expense. Given the number of automated processes that take place within an ERP system, testing all of the controls could take 40-80 manual hours. A tool could perform the same amount of work in only eight hours, providing a significant return on investment.
Automated SoD tools contain rules or a rule set, which are customizable to meet your specific security environment. Mitigating controls can be assigned directly to a rule to exclude it from an SoD violation report so the same conflicts are not reviewed after each run.
It’s important to customize the rule set, instead of utilizing the rules out of the box from a tool vendor. The standard rules may miss custom functions, transactions, menus or activities that could be key and should be considered in a rule. In addition, the generic rules may over- or under-assess SoD conflicts that either matter to you or are absent from your environment. On average, we have found that a vendor’s out-of-the-box rules are missing 25-30 percent or more of critical items.
To provide the proper level of controls and security, your organization should undergo an SoD rule set assessment. Such an assessment reviews the current rule set, develops and implements a new rule set, executes the rules in the tool, remediates security issues and benchmarks any findings.
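The following is an added, constructed example (not code from any GRC vendor or from this article) that shows the mechanics the preceding paragraphs describe: sensitive functions built from transactions, rules that flag conflicting combinations of functions, single-function sensitive-access rules, mitigating controls assigned to a rule for a user so the conflict is reported as mitigated rather than repeated on every run, and a simple rule set assessment check that lists transactions (including custom ones) that no function in the rule set covers. All transaction codes, role names, users and control ids are made up for illustration.

```python
"""Toy SoD rule engine: constructed illustration, not a vendor product."""
from dataclasses import dataclass

# A sensitive function is a business capability; it is reachable through any of
# the listed transactions. Custom transactions (prefixed Z_ here, a constructed
# convention) are mapped explicitly, since out-of-the-box rules tend to miss them.
FUNCTIONS = {
    "CREATE_SALES_ORDER": {"VA01", "Z_QUICK_ORDER"},
    "ISSUE_CREDIT_MEMO": {"VG01", "Z_CREDIT_MEMO"},
    "MAINTAIN_VENDOR": {"XK01", "XK02"},
    "POST_VENDOR_PAYMENT": {"F110"},
    "DELETE_DATA": {"Z_MASS_DELETE"},
}


@dataclass(frozen=True)
class Rule:
    risk_id: str
    functions: frozenset  # all of these held together is a conflict (n-way)
    description: str


RULES = [
    Rule("R001", frozenset({"CREATE_SALES_ORDER", "ISSUE_CREDIT_MEMO"}),
         "Create a sales order and credit it back after shipment"),
    Rule("R002", frozenset({"MAINTAIN_VENDOR", "POST_VENDOR_PAYMENT"}),
         "Create a vendor and pay it"),
]

# Sensitive access: a single function whose presence alone is reported.
SENSITIVE = {"DELETE_DATA": "S001"}

# Constructed role and user assignments (role -> transactions, user -> roles).
ROLES = {
    "SALES_CLERK": {"VA01"},
    "CREDIT_CLERK": {"Z_CREDIT_MEMO"},
    "AP_CLERK": {"XK01", "F110"},
    "DATA_ADMIN": {"Z_MASS_DELETE"},
    "REPORTING": {"Z_CUSTOM_REPORT"},  # not mapped to any function
}
USERS = {
    "alice": {"SALES_CLERK", "CREDIT_CLERK"},
    "bob": {"SALES_CLERK", "CREDIT_CLERK"},
    "carol": {"AP_CLERK"},
    "dave": {"SALES_CLERK", "REPORTING"},
    "eve": {"DATA_ADMIN"},
}

# Mitigating control assigned to a (rule, user) pair; constructed control id.
MITIGATIONS = {("R001", "bob"): "MC-17"}


def user_transactions(user):
    """Union of the transactions granted through all of the user's roles."""
    return set().union(*(ROLES[r] for r in USERS[user]))


def user_functions(user):
    """Sensitive functions the user can perform via at least one transaction."""
    tx = user_transactions(user)
    return {f for f, needed in FUNCTIONS.items() if tx & needed}


def _finding(risk_id, user, functions, tx, mitigations):
    control = mitigations.get((risk_id, user))
    return {
        "risk_id": risk_id,
        "user": user,
        "functions": sorted(functions),
        "transactions": sorted(t for f in functions for t in FUNCTIONS[f] & tx),
        "status": "mitigated" if control else "violation",
        "control": control,
    }


def evaluate(user, rules=RULES, sensitive=SENSITIVE, mitigations=MITIGATIONS):
    """Return SoD conflicts and sensitive-access hits for one user."""
    funcs, tx = user_functions(user), user_transactions(user)
    findings = [_finding(r.risk_id, user, r.functions, tx, mitigations)
                for r in rules if r.functions <= funcs]
    findings += [_finding(risk_id, user, {f}, tx, mitigations)
                 for f, risk_id in sensitive.items() if f in funcs]
    return findings


def report(users=USERS):
    """Split findings so mitigated conflicts are not re-reviewed every run."""
    out = {"violation": [], "mitigated": []}
    for u in sorted(users):
        for f in evaluate(u):
            out[f["status"]].append(f)
    return out


def unmapped_transactions(roles=ROLES, functions=FUNCTIONS):
    """Rule set assessment check: granted transactions no function covers."""
    covered = set().union(*functions.values())
    granted = set().union(*roles.values())
    return sorted(granted - covered)


if __name__ == "__main__":
    for status, items in report().items():
        for f in items:
            print(status, f["risk_id"], f["user"], f["transactions"], f["control"])
    print("unmapped:", unmapped_transactions())
```

Running it reports R001 for alice as a violation and for bob as mitigated by MC-17, R002 for carol, the S001 sensitive-access hit for eve, nothing for dave, and lists Z_CUSTOM_REPORT as a transaction the rule set does not cover, which is exactly the kind of gap a rule set assessment is meant to surface before the rules are trusted.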
An advisor can help you modify your rule set, or provide a rule set assessment for your existing SoD tool. Or, if you do not have the budget for a tool but want to evaluate and understand your environment, an advisor can leverage an SoD tool, modify a rule set and perform an audit. That can help bridge the gap until your organization can afford to implement a tool, while providing the necessary visibility into your control environment.
Better understanding your options for performing automated SoD assessments with GRC tools will help reduce risk within your ERP environment. Implementing the right tool and customizing SoD GRC rule sets can streamline your access processes and expand monitoring capabilities, ultimately discouraging fraud, misuse and costly errors.