Separation of Duties: Defining Organizational Risk

What is Separation of Duties?

Separation of Duties (SoD) is an internal control that applies to sets of activities in an accounting or financial system which, if performed by one person, present an opportunity for error or fraud. Typically these are higher-risk combinations, such as the ability to maintain vendor master data and to process payments to vendors: one person holding both could create a fictitious vendor and pay it. Splitting such activities across multiple personnel significantly reduces the risk of fraud or error, because committing and concealing it then requires collusion. In modern business operations there are many ways to identify, manage, and mitigate these risks, bolstering preventive internal controls and reinforcing a company's compliance policy.

The Sarbanes-Oxley Act of 2002, commonly known as SOX, was enacted in response to a number of significant corporate scandals involving malfeasance, embezzlement, and false financial reporting. SOX does not name SoD explicitly; it requires management and the external auditor to assess internal control over financial reporting, and SoD is one of the fundamental controls that assessment tests. SoD risks were once monitored and managed through a series of complex spreadsheets, which created bottlenecks and had limited success. The ability to track and monitor these risks accurately has since increased significantly, through the evolution of both proactive (preventive) and reactive (detective) tracking tools and through the more integrated nature of today's business process and reporting solutions. These solutions enable business teams, with support from their Information Technology groups, to manage SoD risks through a targeted matrix of predefined business risks, where each risk typically names two functions that must not be held by the same person. The combination of these risks, captured in an SoD rule set, and today's SoD monitoring tools gives a complete view of the organization's risk profile.

In addition, this risk is further reduced by following industry-recognized access management principles, such as assigning least-privilege access rights to individuals. Least privilege limits the number of opportunities for incompatible system actions to be assigned to one individual. Tighter control over access rights also reduces the overall reliance on mitigating controls (compensating review or approval steps accepted in place of true separation) for the broader control and monitoring of SoD.

The Importance of Separation of Duties Management

With the transition to a more remote workforce, the need to provide strong governance, monitoring, and reporting of financial and operational activities is increasing. System users with access to perform high-risk tasks, both within and across applications, need to be identified and monitored. This is a key component of the overall risk management function in an organization, and it needs additional support as the risk surface rapidly increases. Organizations are rolling out new applications at an unprecedented pace, adding more users and devices to their networks, and transitioning faster to SaaS (Software as a Service) and PaaS (Platform as a Service) models. Enterprise applications such as Oracle Cloud ERP, Oracle E-Business Suite, PeopleSoft, JD Edwards, SAP S/4 HANA, NetSuite, Workday, and Microsoft Dynamics enable organizations to better engage and empower employees, improve collaboration with business partners, and effectively manage customer relationships. However, ineffective separation of duties access control within and across enterprise applications can result in operational losses, financial misstatements, and fraud.

In the face of all of this change, risk management and governance are under increased pressure to keep up with the speed of technology deployment and business transformation. Monitoring and governing SoD and access risks that span applications creates unique challenges and requires a strong understanding of both business processes and technology to identify the risks. Once identified, these risks can be monitored through a robust set of processes and tools that provide adequate governance of user access across those applications.

User Access Management

Separation of Duties should be treated as a critical step in the provisioning process. The most effective approach to managing the risk is to prevent incompatible access or risky entitlements from being provisioned in the first place. Enforcing an SoD and/or sensitive access check during the provisioning process is a proactive way to bolster internal control procedures and provide additional assurance over user access management. Most IT and compliance organizations have therefore moved to requiring that SoD be evaluated before any user access is added to an application. As some organizations are learning, managing user access to applications has grown in complexity with the increase in application functionality, the availability of data to remote workers, and the increasing complexity of security architectures. Further, more enterprise applications are being deployed, and an increasing amount of transactional data flows in, out, and across them. The standard application access management tools used to provision user security and maintain access controls over roles, responsibilities, and entitlement configurations may no longer meet access policy management needs, which can impede effective process enablement and leave vulnerabilities in place.

Business managers responsible for access controls often cannot obtain accurate function-mapped entitlement listings from enterprise applications, and so have difficulty building effective access controls to enforce SoD policies.

Access monitoring reports within the enterprise applications are not well designed to identify separation of duties violations, especially when it comes to policy-based user provisioning, cross-application SoD control monitoring, and the ability to validate user access rights across disparate systems.

User access provisioning tools such as Identity Management (IDM) systems typically operate at the level of roles and group memberships, so they cannot see what is going on inside an enterprise application at the user function level. They also do not consolidate detailed user activity logs unless those logs pertain to the administrators of the IDM itself.

Lastly, as enterprise applications are updated and retrofitted for modern operation, entitlements and permissions often need to be updated too. These updates are hard to track and pose yet another risk vector, since a change to a role can silently introduce incompatible duties for everyone who holds it. It is therefore crucial to provide governance over these activities: a robust set of tools and reports should be leveraged and maintained to detect any new risk introduced to and across enterprise applications when entitlements change to support evolving business operations.
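As an added illustration of the mechanics described in this section (the rule set as a matrix of incompatible functions, the preventive check at provisioning time, cross-application conflicts, and re-evaluation after an entitlement change), the following Python example is not SafePaaS or Altum code and does not reproduce either vendor's rule content; the rule ids, role names, functions and users are constructed for the example.

```python
"""Toy separation-of-duties (SoD) engine: added illustration, not SafePaaS or Altum code.

Data model (all sample data below is constructed for the example):
  RULES     rule id -> pair of incompatible functions ("app:function", so a rule can span apps)
  SENSITIVE functions that warrant extra approval even when held alone
  ROLES     application role -> set of functions the role grants
  USERS     user -> set of roles currently held, across applications
"""

RULES = {
    "R01": ("erp:maintain_vendor", "erp:process_payment"),   # create a vendor and pay it
    "R02": ("erp:create_journal", "erp:post_journal"),       # author and approve a journal
    "R03": ("hcm:maintain_employee", "erp:run_payroll"),     # cross-application: HCM + ERP
}

SENSITIVE = {"erp:maintain_bank_account", "erp:run_payroll"}

ROLES = {
    "AP_CLERK":          {"erp:enter_invoice", "erp:process_payment"},
    "VENDOR_ADMIN":      {"erp:maintain_vendor"},
    "GL_ACCOUNTANT":     {"erp:create_journal"},
    "GL_SUPERVISOR":     {"erp:post_journal"},
    "HR_SPECIALIST":     {"hcm:maintain_employee"},
    "PAYROLL_ADMIN":     {"erp:run_payroll"},
    "FINANCE_SUPERUSER": {"erp:create_journal", "erp:post_journal", "erp:process_payment"},
}

USERS = {
    "alice": {"AP_CLERK"},
    "bob":   {"GL_ACCOUNTANT", "HR_SPECIALIST"},
    "carol": {"FINANCE_SUPERUSER"},   # one role that is conflicting by itself
}


def functions_for(roles, role_defs=ROLES):
    """Flatten a set of roles into the functions they grant (the user's effective access)."""
    funcs = set()
    for role in roles:
        funcs |= role_defs.get(role, set())
    return funcs


def violations(funcs, rules=RULES):
    """Return {rule_id: (fn_a, fn_b)} for every rule whose two functions are both held."""
    return {rid: pair for rid, pair in rules.items() if pair[0] in funcs and pair[1] in funcs}


def detect_all(users=USERS, role_defs=ROLES, rules=RULES):
    """Detective control: evaluate every user's current access against the rule set."""
    return {user: violations(functions_for(roles, role_defs), rules) for user, roles in users.items()}


def check_provisioning(user, new_role, users=USERS, role_defs=ROLES, rules=RULES, sensitive=SENSITIVE):
    """Preventive control, run before a role is granted.

    Returns (allowed, new_violations, new_sensitive). The request is refused when it would
    introduce an SoD conflict the user does not already have; newly gained sensitive
    functions do not block the request but are surfaced so the approver sees them.
    """
    current = users.get(user, set())
    before_funcs = functions_for(current, role_defs)
    after_funcs = functions_for(current | {new_role}, role_defs)
    before = violations(before_funcs, rules)
    after = violations(after_funcs, rules)
    new_violations = {rid: pair for rid, pair in after.items() if rid not in before}
    new_sensitive = (after_funcs - before_funcs) & sensitive
    return (not new_violations, new_violations, new_sensitive)


def conflicting_roles(role_defs=ROLES, rules=RULES):
    """Roles that violate a rule on their own; granting one to anybody breaks SoD."""
    return {role for role, funcs in role_defs.items() if violations(funcs, rules)}


def role_change_impact(old_defs, new_defs, users=USERS, rules=RULES):
    """Re-evaluate after a role's entitlements change; report users who gain new violations."""
    impact = {}
    for user, roles in users.items():
        before = violations(functions_for(roles, old_defs), rules)
        after = violations(functions_for(roles, new_defs), rules)
        new = {rid: pair for rid, pair in after.items() if rid not in before}
        if new:
            impact[user] = new
    return impact


if __name__ == "__main__":
    print("current violations:", {u: sorted(v) for u, v in detect_all().items() if v})
    print("conflicting roles:", conflicting_roles())
    for user, role in [("alice", "VENDOR_ADMIN"), ("bob", "PAYROLL_ADMIN"), ("alice", "GL_ACCOUNTANT")]:
        allowed, new_v, new_s = check_provisioning(user, role)
        verdict = "ALLOW" if allowed else "REFUSE"
        print(f"grant {role} to {user}: {verdict} {sorted(new_v)} sensitive={sorted(new_s)}")
    changed = {r: set(f) for r, f in ROLES.items()}
    changed["AP_CLERK"].add("erp:maintain_vendor")   # an entitlement update to an existing role
    print("impact of AP_CLERK change:", role_change_impact(ROLES, changed))
```

Two design points are worth noting. The preventive check refuses only conflicts the request would newly introduce, so a user who already carries an accepted (mitigated) violation is not blocked from unrelated access; a real deployment would record the mitigating control against that user and rule rather than silently tolerating it. The cross-application rule R03 only works because both systems' functions are expressed in one namespace; building and maintaining that function mapping is the hard part the section describes, not the matching itself.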

How can SafePaaS & Altum Strategy Group Help?

SoD is a basic internal control, yet many organizations struggle with it. They struggle both with the definition of the SoD rule set and with the implementation of a technical solution to assess and detect SoD risks. Altum Strategy Group and SafePaaS provide a compelling partnership for this challenging and complex problem. SafePaaS, as a solution, enables a risk-based approach to Separation of Duties that makes the process manageable and helps control, mitigate, and remediate risk in business-critical applications. Altum complements this with deep experience in enabling and facilitating the implementation of solutions and processes, and in customizing rule sets to focus on specific, critical business risks.

Altum Strategy Group has over 40 years of experience implementing SoD-focused systems, and its highly experienced practitioners have expertise in the development and customization of rule sets across multiple financial systems. These systems include on-premise and cloud applications such as SAP, NetSuite, Workday, and Oracle. Significant experience with these systems, their security architecture, compliance, and governance, together with extensive business process experience, positions Altum as a key partner for SafePaaS in implementing technology that supports governance and limits risk exposure.

SafePaaS offers specialized, automated, cross-platform solutions for fast and effective analysis of Separation of Duties and Sensitive Access risks in ERP systems and across business-critical applications. SafePaaS identifies Separation of Duties conflicts across multiple business-critical applications before the violations are introduced into the ERP. The SafePaaS Separation of Duties solution segregates access privileges within ERP systems and restricts sensitive data access to privileged users. Auditors, security managers, and IT administrators use SafePaaS' cloud-based software to define SoD policies, assess SoD risk, detect violations, and remediate access controls. It allows SoD risks to be assessed by uploading role, responsibility, and user access data, testing that data against a content base of over 300 rules, and reporting the results on a secure portal.



Co-developed with SafePaaS, a leading provider of GRC solutions.

