Segregation of Duties (SOD)

Segregation of Duties (SOD) - The Institute of Financial …


Page 1: Segregation of Duties (SOD)

Page 2: Introductions

Pat Whoriskey, Program Manager, Finance Optimization

Day & Zimmermann
– We are the 53rd largest privately-held, family-owned business in the U.S.
– Our 24,000 employees provide industrial, defense and workforce solutions to commercial and government customers.
– What makes us truly unique is our promise – We do what we say. – which embodies how we operate and how we have performed for our customers for more than 100 years.

Page 3: Introductions

Bonnie Parent, AP Director, Global AP Process Owner

Fluor
– One of the world's largest publicly owned engineering, procurement, construction and maintenance services companies.
– Global workforce of 42,000 employees in 25 countries across 6 continents.
– Founded in 1912; recognized for ability to successfully execute large, financially complex projects around the globe.

Page 4: Where We Were..

Day & Zimmermann
• 10+ years since SAP implementation, etc.
• Security and roles constantly changing
  – People move positions and take security roles with them
  – Old access is not cut off when new access is requested
  – No formal assessment or audit procedure of SAP job roles
  – No formal enterprise risk management software
• Risks – each of these compounds the number of risks

Page 5: Where We Were..

Fluor
• 10+ years since SAP implementation
• Homegrown security request system
  – Handful of high-level SOD rules with manual review
  – Not integrated with HR
• Manual role assignments into SAP
• Manual reconciliation to synchronize with SAP

Page 6: What is SOD?

• Segregation of Duties is a basic, key internal control and one of the most difficult to accomplish.
  – Foundation of internal financial controls
  – Cornerstone of SOX compliance
  – Groundwork of policies/procedures
• The key principle of SOD is that an individual or small group of individuals should not be in a position to control all aspects of a transaction or business process.
  – Appropriate level of checks and balances on the activities of individuals
  – No single person can make fraudulent entries without detection

Page 7: SOD

• There are three strategic domains of Segregation of Duties that are addressed in policies and procedures.
  – The Organizational domain addresses SOD issues that may develop due to the organizational structure of the company.
  – The Functional domain addresses SOD issues that may develop due to the job functions for which individuals are assigned responsibility.
  – The Technological domain addresses SOD issues that may develop due to the security configuration of various IT systems.

Page 8: SOD at Day & Zimmermann

How did Day & Zimmermann approach our SOD?
• Purchased software (Versa) to identify the combinations of transaction codes in SAP, how each combination of t-codes affects everyday transactional input and reporting, and the level of risk and exposure for the company.
• Our approach was to tackle the "high" risks.
• Internal auditors submitted their list of high risks to be completed in 2011.

Page 9: Day & Zimmermann SOD Process

Our Process
• Review the risk database. Each risk is identified by a "risk ID number" and description.
• Submit the "risk ID number" to the IT security team.
• IT runs a report with pertinent information, for example:
    User name: Whorispr
    Full name: Pat Whoriskey
    User Group: DZCO
    T-code List 1, T-code List 2 & Descriptions
    Risk Description and Risk Level
    Usage: Yes or No

Page 10: Day & Zimmermann – What's Next?

• Began this project summer of 2010
• Our goal was to have 60% of "high risks" identified and eliminated by December 2011
• We reached our goal and currently have been successful with eliminating 74%
• The next phase will be to incorporate mitigating controls
  – Will approach by identifying clusters

Page 11: SOD at Fluor

How did Fluor approach SOD resolution?
• Common starting point for all offices
  – 2008 – started collecting global user & access information
  – 2009 – all countries were using SAP
  – 2010 – purchased SAP GRC Access Control Suite
• Governance, Risk and Compliance
  – Consultant assisted with scope and approach to address remediation/mitigation for 2008 & 2009 SOD violations
• Risk Analysis & Remediation (RAR)
  – SOD rules
  – Detection
  – Monitoring
• Compliant User Provisioning (CUP)
  – Automates approval process
  – Mandatory real-time risk assessments

Page 12: Fluor SOD Process

• Identify business contacts in each country/office
• Identify risks in a single role and in role combinations
  – Transaction codes are assigned to roles
  – Roles are assigned to jobs
  – Jobs are assigned to employees
• Evaluate user access and associated risks
• Resolve / mitigate risks
  – Coordinate with the user's manager
  – Remove unneeded access
  – Recommend options

Page 13: Why focus on AP?

• Responsible for one of the company's most valuable assets: its money
• Controls must be in place to ensure that money is properly managed
  – Don't wear multiple hats
  – At least 2 knowledgeable people see every transaction

Page 14: High Risk Job Combinations

• Vendor master maintenance / Disbursement – Create fictitious vendor and issue payment
• AP Processing / Cash Disbursements – Process vendor invoice and issue payment
• Vendor master maintenance / AP Processing – Create fictitious vendor and post an invoice
• AP Processing / PO Processing – Post invoices for unauthorized purchase

Page 15: High Risk Job Combinations (continued)

• Disbursements / Bank Reconciliation – Issue payment and accept bank entry
• Vendor master maintenance / PO Processing – Create fictitious vendor and initiate PO
• AP Processing / Goods Receipts – Post fictitious invoice and accept goods
• PO Processing / Goods Receipts – Purchase and accept unauthorized goods
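Added worked example (not code from the presentation, and not Versa or SAP GRC) of the check that the Day & Zimmermann report (Page 9), the Fluor chain of t-codes to roles to users (Page 12) and the high-risk job combinations (Pages 14 and 15) describe: transaction codes are grouped into business functions, functions reach users through roles, each high-risk combination becomes an SOD rule, and the output is one report row per violation with the deck's "Usage: Yes or No" derived from which t-codes the user actually executed. The t-codes are real SAP transactions, but their grouping into functions, the risk IDs, and all roles, users and usage records below are constructed for illustration; a production ruleset is far larger.

```python
"""Minimal SAP segregation-of-duties (SOD) check over t-codes, roles and users."""
from collections import defaultdict

# Business function -> SAP transaction codes. The t-codes are real SAP
# transactions; grouping them this way is an illustrative assumption, not
# the deck's ruleset or a vendor's (Versa, SAP GRC) ruleset.
FUNCTIONS = {
    "VENDOR_MASTER": {"XK01", "XK02", "FK01", "FK02"},   # vendor master maintenance
    "AP_PROCESSING": {"FB60", "MIRO"},                    # post vendor invoices
    "DISBURSEMENT":  {"F110", "F-53"},                    # issue payments
    "PO_PROCESSING": {"ME21N", "ME22N"},                  # create/change purchase orders
    "GOODS_RECEIPT": {"MIGO"},                            # accept goods
    "BANK_RECON":    {"FF67", "FEBA"},                    # accept bank entries
}
TCODE_TO_FUNCTION = {t: f for f, tcodes in FUNCTIONS.items() for t in tcodes}

# The deck's eight high-risk job combinations as SOD rules. Risk IDs are made up.
RULES = [
    ("P001", "VENDOR_MASTER", "DISBURSEMENT",  "Create fictitious vendor and issue payment"),
    ("P002", "AP_PROCESSING", "DISBURSEMENT",  "Process vendor invoice and issue payment"),
    ("P003", "VENDOR_MASTER", "AP_PROCESSING", "Create fictitious vendor and post an invoice"),
    ("P004", "AP_PROCESSING", "PO_PROCESSING", "Post invoices for unauthorized purchase"),
    ("P005", "DISBURSEMENT",  "BANK_RECON",    "Issue payment and accept bank entry"),
    ("P006", "VENDOR_MASTER", "PO_PROCESSING", "Create fictitious vendor and initiate PO"),
    ("P007", "AP_PROCESSING", "GOODS_RECEIPT", "Post fictitious invoice and accept goods"),
    ("P008", "PO_PROCESSING", "GOODS_RECEIPT", "Purchase and accept unauthorized goods"),
]

# Constructed roles and users following the deck's chain: t-codes -> roles -> users.
ROLES = {
    "Z_AP_CLERK":     {"FB60", "MIRO"},
    "Z_AP_PAYMENTS":  {"F110", "F-53"},
    "Z_VENDOR_ADMIN": {"XK01", "XK02"},
    "Z_BUYER":        {"ME21N", "ME22N"},
    "Z_WAREHOUSE":    {"MIGO"},
    "Z_AP_ALL":       {"FB60", "MIRO", "F110"},  # one role that conflicts with itself
}
USERS = {
    "clerk01": {"Z_AP_CLERK"},
    "super01": {"Z_AP_ALL"},
    "mover01": {"Z_VENDOR_ADMIN", "Z_BUYER", "Z_AP_CLERK"},  # kept old roles after changing jobs
    "whse01":  {"Z_WAREHOUSE"},
}
# Constructed usage records (user, t-code actually executed), e.g. from ST03N/STAD.
USAGE = [("super01", "FB60"), ("super01", "F110"), ("mover01", "XK01"), ("mover01", "FB60")]


def function_roles(roles):
    """Map each business function reachable through the given roles to the roles granting it."""
    result = defaultdict(set)
    for role in roles:
        for tcode in ROLES[role]:
            if tcode in TCODE_TO_FUNCTION:
                result[TCODE_TO_FUNCTION[tcode]].add(role)
    return result


def find_violations(user, roles=None):
    """One record per SOD rule the user violates, in the shape of the deck's IT
    report: risk ID, the two functions, the roles granting each, whether a single
    role grants both (role redesign needed), and whether usage records show the
    user has actually executed t-codes on both sides of the conflict."""
    roles = USERS[user] if roles is None else roles
    granted = function_roles(roles)
    used_funcs = {TCODE_TO_FUNCTION[t] for u, t in USAGE if u == user and t in TCODE_TO_FUNCTION}
    violations = []
    for risk_id, fa, fb, description in RULES:
        if fa in granted and fb in granted:
            violations.append({
                "user": user, "risk_id": risk_id, "functions": (fa, fb),
                "description": description,
                "roles": (sorted(granted[fa]), sorted(granted[fb])),
                "within_role": sorted(granted[fa] & granted[fb]),
                "usage": fa in used_funcs and fb in used_funcs,
            })
    return violations


def remediation_plan(user):
    """Greedy remediation: repeatedly drop the role that clears the most
    cross-role violations. Conflicts inside a single role cannot be cleared
    by removing other roles; those roles are returned for redesign instead."""
    roles = set(USERS[user])
    removed = []

    def cross_role(role_set):
        return [v for v in find_violations(user, role_set) if not v["within_role"]]

    while cross_role(roles):
        before = len(cross_role(roles))
        best = max(sorted(roles), key=lambda r: before - len(cross_role(roles - {r})))
        roles.discard(best)
        removed.append(best)
    redesign = sorted({r for v in find_violations(user, roles) for r in v["within_role"]})
    return removed, redesign


def report():
    """All violations across all users, exercised conflicts (Usage: Yes) first."""
    rows = [v for u in sorted(USERS) for v in find_violations(u)]
    return sorted(rows, key=lambda v: (not v["usage"], v["user"], v["risk_id"]))


if __name__ == "__main__":
    for v in report():
        print(f'{v["user"]:8} {v["risk_id"]} {"/".join(v["functions"]):30} '
              f'roles={v["roles"]} within_role={v["within_role"]} usage={"Yes" if v["usage"] else "No"}')
    for u in sorted(USERS):
        print(u, remediation_plan(u))
```

Two fields carry the practitioner's decisions. "usage" separates a conflict the user has merely been granted from one they have exercised on both sides; the exercised ones are the first candidates for review of the underlying postings, which is why report() ranks them first. "within_role" marks a conflict granted by one role on its own (Z_AP_ALL here): taking other roles away from the user changes nothing, the role itself has to be split, which is the "risks in a single role" case on Page 12. The greedy plan is only a starting point for the conversation with the user's manager; with ties (mover01 can be cleared by dropping any two of three roles) the business, not the script, decides which duty the person keeps.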

Page 16: After the SOD scrubbing

Establish Control Points
• Policies / Procedures
  – Communicate
  – Update regularly
  – Apply key controls to mitigate risks
  – Auditable mitigating controls
• System Access
  – Align with duties assigned (matrix)
• Remediate SOD violations
  – Schedule periodic assessments of user activity
  – Prohibit sharing logons
• Enforce with disciplinary action

Page 17: Questions???