Managing Segregation of Duties (SOD) in R3

Session Code: 808

Donnie Looper, Eastman Chemical Company Jasvir Gill, Virsa Systems

Goals of this session:

Managing Segregation of Duties

• What is SOD?

• SOD Challenges

• SOD Solutions

• SOD Best Practices

• Questions/Discussion

What is SOD?

Managing Segregation of Duties

• SOD - “Segregation of Duties”– Most definitions include something along the

lines of: “Internal controls intended to prevent or reduce the risk of errors/fraud, identify problems, and ensure corrective action is taken.”

What is SOD (continued)?

Managing Segregation of Duties

• SOD objectives:– Avoid conflicting access and reducing risk of fraud– Ensuring system stability/integrity is not at risk.

• Examples of SOD’s:– Create a Vendor & pay a Vendor– Process Sales Orders & Rebates

• Mitigating Controls (Compensating Controls):– Accept risk for situations (i.e. limited staff) by running

specialized reports or developing additional controls.

Goals of this session:

Managing Segregation of Duties

• What is SOD?

• SOD Challenges

• SOD Solutions

• SOD Best Practices

• Questions/Discussion

SOD Challenges:

Managing Segregation of Duties

• Building/Upgrading SOD Data (Rules)

• Automating SOD Analysis

• Proactive/Ongoing SOD Compliance

• Documenting Mitigating Controls

SOD Challenges:

Managing Segregation of Duties

• Building/Upgrading SOD Data (Rules)– How do you build a good set of data relevant

to your needs?– How do you upgrade SOD rules in the future?

SOD Challenges:

Managing Segregation of Duties

• Building/Upgrading SOD Data (Rules)

• Automating SOD Analysis

• Proactive/Ongoing SOD Compliance

• Documenting Mitigating Controls

SOD Challenges:

Managing Segregation of Duties

• Automating SOD Analysis– How can you automate SOD analysis at all

levels (User, Role, Profile, Composites)?

SOD Challenges:

Managing Segregation of Duties

• Building/Upgrading SOD Data (Rules)

• Automating SOD Analysis

• Proactive/Ongoing SOD Compliance

• Documenting Mitigating Controls

SOD Challenges:

Managing Segregation of Duties

• Proactive/Ongoing SOD Compliance– How do you ensure that once your system is

clean it remains clean (free of SOD issues)?

SOD Challenges:

Managing Segregation of Duties

• Building/Upgrading SOD Data (Rules)

• Automating SOD Analysis

• Proactive/Ongoing SOD Compliance

• Documenting Mitigating Controls

SOD Challenges:

Managing Segregation of Duties

• Documenting Mitigating Controls– How do you automate Risk Mitigation Controls

and use them in SOD analysis/resolution?

Goals of this session:

Managing Segregation of Duties

• What is SOD?

• SOD Challenges

• SOD Solutions

• SOD Best Practices

• Questions/Discussion

SOD Solutions:

Managing Segregation of Duties

• Building/Upgrading SOD Data (Rules)

• Automating SOD Analysis

• Proactive/Ongoing SOD Compliance

• Documenting Mitigating Controls

SOD Solutions (Building SOD Rules):

Managing Segregation of Duties

• Identify user community

• Management Support (Proactive)

• Rule Database starting point:– Vendor Supplied Rules

– Internal Control Standards For Your Company

– Information from Other Contacts (ASUG, etc…)

• Customizing rules to meet your needs

• Automate the development of rules

SOD Solutions:

Managing Segregation of Duties

• Building/Upgrading SOD Data (Rules)

• Automating SOD Analysis

• Proactive/Ongoing SOD Compliance

• Documenting Mitigating Controls

SOD Solutions (Automating SOD Analysis):

Managing Segregation of Duties

• A tool is needed (Ad hoc solutions don’t work)

• Tool must fully automate SOD analysis:– At the role level, user level , transaction code

level and authorization object level.

• Tool must automate SOD rule definition, validation and customization.

• Tool should provide corrective analysis.

SOD Solutions:

Managing Segregation of Duties

• Building/Upgrading SOD Data (Rules)

• Automating SOD Analysis

• Proactive/Ongoing SOD Compliance

• Documenting Mitigating Controls

SOD Solutions (Ongoing SOD Compliance):

Managing Segregation of Duties

• Ensure compliance when either roles are changed or assigned to users

• All additions and modifications should have “What-If” scenarios performed

• The tool should fully automate simulation and be based on live data (Users & Roles)

SOD Solutions:

Managing Segregation of Duties

• Building/Upgrading SOD Data (Rules)

• Automating SOD Analysis

• Proactive/Ongoing SOD Compliance

• Documenting Mitigating Controls

SOD Solutions (Documenting Mitigating Controls):

Managing Segregation of Duties

• Tool must provide:– Online definition and documentation of the

mitigating controls– Capability to define:

• Controls at the User, Role or Rule Level• Mitigation approvers and monitors• Validity date for mitigation controls

– Analysis with/without mitigation controls

Goals of this session:

Managing Segregation of Duties

• What is SOD?

• SOD Challenges

• SOD Solutions

• SOD Best Practices

• Questions/Discussion

SOD Best Practices:

Managing Segregation of Duties

• Identify and resolve issues at the earliest phase possible.– Once SODs creep into PRD they are more expensive

and time consuming to resolve.

• Incorporate the use of the tool into your corporate processes and procedures– Changes should be simulated prior to submission.

• Rule definition process should be optimized– All objects aren’t needed all the time.

Goals of this session:

Managing Segregation of Duties

• What is SOD?

• SOD Challenges

• SOD Solutions

• SOD Best Practices

• Questions/Discussion

Questions/Discussion:

Managing Segregation of Duties

???

If you wish to contact us:

Managing Segregation of Duties

Donnie Looper:

dlooper@eastman.com

Jasvir Gill:

jgill@virsasystems.com

Thank you for attending!Please remember to complete and return your evaluation form following this session.

Session Code: 808