Managing Segregation of Duties (SOD) in R3

Session Code: 808

Donnie Looper, Eastman Chemical Company Jasvir Gill, Virsa Systems

Goals of this session:

Managing Segregation of Duties

• What is SOD?

• SOD Challenges

• SOD Solutions

• SOD Best Practices

• Questions/Discussion

What is SOD?

• SOD - “Segregation of Duties”
  – Most definitions include something along the lines of: “Internal controls intended to prevent or reduce the risk of errors/fraud, identify problems, and ensure corrective action is taken.”

What is SOD (continued)?

• SOD objectives:
  – Avoid conflicting access and reduce the risk of fraud
  – Ensure system stability/integrity is not put at risk

• Examples of SOD conflicts:
  – Create a Vendor & pay a Vendor
  – Process Sales Orders & Rebates

• Mitigating Controls (Compensating Controls):
  – Accept the risk for situations (e.g. limited staff) by running specialized reports or developing additional controls.

SOD Challenges:

• Building/Upgrading SOD Data (Rules)

• Automating SOD Analysis

• Proactive/Ongoing SOD Compliance

• Documenting Mitigating Controls

SOD Challenges:

• Building/Upgrading SOD Data (Rules)
  – How do you build a good set of data relevant to your needs?
  – How do you upgrade SOD rules in the future?

SOD Challenges:

• Automating SOD Analysis
  – How can you automate SOD analysis at all levels (User, Role, Profile, Composites)?

SOD Challenges:

• Proactive/Ongoing SOD Compliance
  – How do you ensure that once your system is clean it remains clean (free of SOD issues)?

SOD Challenges:

• Documenting Mitigating Controls
  – How do you automate Risk Mitigation Controls and use them in SOD analysis/resolution?

SOD Solutions:

• Building/Upgrading SOD Data (Rules)

• Automating SOD Analysis

• Proactive/Ongoing SOD Compliance

• Documenting Mitigating Controls

SOD Solutions (Building SOD Rules):

• Identify user community

• Management Support (Proactive)

• Rule Database starting point:
  – Vendor Supplied Rules
  – Internal Control Standards For Your Company
  – Information from Other Contacts (ASUG, etc…)

• Customizing rules to meet your needs

• Automate the development of rules

SOD Solutions (Automating SOD Analysis):

• A tool is needed (Ad hoc solutions don’t work)

• Tool must fully automate SOD analysis:
  – At the role level, user level, transaction code level and authorization object level.

• Tool must automate SOD rule definition, validation and customization.

• Tool should provide corrective analysis.

SOD Solutions (Ongoing SOD Compliance):

• Ensure compliance whenever roles are either changed or assigned to users

• All additions and modifications should have “What-If” scenarios performed

• The tool should fully automate simulation and be based on live data (Users & Roles)

SOD Solutions (Documenting Mitigating Controls):

• Tool must provide:
  – Online definition and documentation of the mitigating controls
  – Capability to define:
    • Controls at the User, Role or Rule level
    • Mitigation approvers and monitors
    • Validity date for mitigation controls
  – Analysis with/without mitigation controls
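As an added illustration (not code from the deck, Eastman or Virsa), the Python below models what the three solution slides above ask of a tool: rules defined as pairs of conflicting functions, analysis at role and user level, a mitigating control scoped to a user, role or rule with a validity date, and a what-if simulation of a role assignment before it is submitted. The rule set, roles, users, mitigation entry and transaction codes are constructed for the example and are not a vetted rule set.

```python
from datetime import date

# Constructed rule set modelled on the deck's two examples: each rule pairs two
# conflicting functions, each given as the transaction codes that grant it (codes are
# illustrative: XK01/FK01 vendor create, F110 payment run, VA01 sales order, VBO1 rebate).
RULES = {
    "VENDOR_CREATE_AND_PAY": ({"XK01", "FK01"}, {"F110"}),
    "SALES_ORDER_AND_REBATE": ({"VA01"}, {"VBO1"}),
}
# Constructed role -> transaction codes and user -> roles (the "live data" inputs).
ROLES = {
    "Z_AP_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_AP_PAYMENTS": {"F110"},
    "Z_SD_ORDERS": {"VA01", "VA02"},
    "Z_SD_REBATES": {"VBO1"},
    "Z_SD_ALL": {"VA01", "VBO1"},  # conflicting within a single role
}
USERS = {"alice": ["Z_AP_VENDOR_MAINT"], "bob": ["Z_SD_ORDERS", "Z_SD_REBATES"]}
# Mitigating controls: (level, key, rule, valid_until); level is user, role or rule.
MITIGATIONS = [("user", "bob", "SALES_ORDER_AND_REBATE", date(2024, 12, 31))]

def tcodes_for_roles(roles):
    """Effective transaction codes for a set of roles (a composite is the union)."""
    return set().union(*(ROLES[r] for r in roles))

def conflicts(tcodes):
    """Rule-level check: rules whose two functions are both reachable from tcodes."""
    return sorted(r for r, (a, b) in RULES.items() if tcodes & a and tcodes & b)

def is_mitigated(user, roles, rule, today):
    """A control applies if it names this rule, is still valid and matches its level."""
    for level, key, r, until in MITIGATIONS:
        if r == rule and until >= today and (
            level == "rule" or (level == "user" and key == user)
            or (level == "role" and key in roles)):
            return True
    return False

def analyze_user(user, roles, today, apply_mitigation=True):
    """User-level analysis; returns {rule: 'open' | 'mitigated'}."""
    return {rule: "mitigated" if apply_mitigation and is_mitigated(user, roles, rule, today)
            else "open" for rule in conflicts(tcodes_for_roles(roles))}

def what_if(user, new_role, today):
    """Simulate assigning new_role before submission: conflicts it would introduce."""
    before = analyze_user(user, USERS[user], today)
    after = analyze_user(user, USERS[user] + [new_role], today)
    return {r: s for r, s in after.items() if r not in before}
```

Running `analyze_user` with `apply_mitigation=False` gives the "analysis without mitigation controls" view; an expired validity date drops a control automatically, so a finding reopens instead of staying silently accepted.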

SOD Best Practices:

• Identify and resolve issues at the earliest phase possible.
  – Once SODs creep into PRD they are more expensive and time consuming to resolve.

• Incorporate the use of the tool into your corporate processes and procedures.
  – Changes should be simulated prior to submission.

• Rule definition process should be optimized.
  – All objects aren’t needed all the time.

Questions/Discussion:

???

If you wish to contact us:

Donnie Looper:

dlooper@eastman.com

Jasvir Gill:

jgill@virsasystems.com

Thank you for attending! Please remember to complete and return your evaluation form following this session.