TRANSCRIPT
Towards a Framework for Segregation of Duties
Akhilesh Chandra, The University of Akron
Megan Beard, Deloitte & Touche USA LLP
Toronto, Canada: October 11-13, 2007
University of Waterloo Centre for Information Systems Assurance
5th Symposium on Information Systems Assurance
• SOD is not a new concept
• But a few developments have made it necessary to revisit the concept…
• SOD is a common element across
  – control frameworks (e.g., COSO, COBIT, ERM etc.), and
  – corporate governance (e.g., SOX) frameworks
• Revisiting SOD stems also from the features of the current business model:
  – Integrated business processes
  – Extended, collaborative supply chain
• SOD as a preventive control mechanism is probably the most effective and economical alternative
• Therefore, both theory and practice can benefit from models of effective SOD that companies can adapt to their control environment and business practices
To protect information resources, an effective SOD model should:
1. Balance security and availability needs
2. Lend itself to automation for:
   • Design and implementation
   • Verification and assurance
   • Quickly adapting to changes
These features should help to achieve the three goals of security and control: confidentiality, integrity, and availability
• SOD based on the business roles users play in organizations provides a stable and effective means to achieve these goals.
Role based SOD
• Access granted to information resources based on roles performed by users
• Controls are tied and mapped to roles
• A cross-functional team evaluates existing roles and associated tasks to accommodate changes in business processes and practices
Steps…
• Identify a set of tasks necessary to complete a business function.
• Map tasks to the application system functionality.
• Group tasks by business cycles.
• Within each cycle, define roles by the necessary function and access for each information resource.
Business functions
[Figure: a business function drawn as a sequential process of tasks Task1, Task2, … Taskn]
Business function is decomposed into a series of interrelated tasks
[Figure: SOD evaluator matrix. Axes: Vulnerability (L to H) and Risk Impact on Value (L to H). Quadrants: low risk impact and low vulnerability: No Restrictions Required (annotated "Cumulative Impact?"); high on one axis only: Risk Mitigation through Compensating Controls; high risk impact and high vulnerability: Implement Segregation of Duties. Inset: the three functions Custody, Authorization and Recording, labelled Segregation of Duties and Risk Mitigation through Compensating Controls.]
SOD Evaluator
Identify tasks that need to be segregated based on risk-vulnerability analysis
Business functions
[Figure: the same tasks Task1 through Taskn regrouped under the Revenue cycle, Inventory cycle and Financial cycle]
Tasks are grouped by business cycles
[Figure: within the Financial cycle, Task6 through Task9 are grouped into Role 1 and Role 2]
Roles are defined within each cycle
[Figure: Users are assigned Roles; roles are defined per business cycle (Revenue, Production, Financial, Expenditure and HR cycles) and map onto a single application system, R/3]
Illustration of role based SOD model – single application
[Figure: the same role structure, with roles per business cycle (Revenue, Production, Financial, Expenditure and HR cycles) mapped onto several application systems: Legacy, 11i, R/3, …]
Illustration of role based SOD model – multiple applications
[Figure: roles arranged in a hierarchy with inheritance between them, over the same users, business cycles (Revenue, Production, Financial, Expenditure, HR) and application systems (Legacy, 11i, R/3, …)]
Role hierarchy
Some specific features
• The model lends itself to automation.
• Changes are made at the root level.
• Hierarchical modeling of roles can allow inheritance of privileges based on business rules
• Invariant to best-of-breed ERP business models
SOD conflict matrix. Rows and columns are the same nine functions; an 'x' marks a pair of functions that should be segregated (the column alignment of the marks was not preserved):
Functions: Systems analysis, Application programming, Business decisions, DB administration, Network administration, Systems administration, Tape library function, Systems programming, Quality assurance function
Systems analysis: x x x
Application programming: x x x x x x
Business decisions: x x x x x x x x
DB administration: x x x x
Network administration: x x x
Systems administration: x x x
Tape library function: x x x x x x x
Systems programming: x x x x x
Quality assurance function: x x
‘x’ indicates segregation of duties conflicts. Adapted from ISACA Guidelines
A few examples

Expenditure cycle
Related Accounts: Operating Expense, Payables, Accrued Expense, Prepaid Expense

Revenue cycle
Related Accounts: Sales, Receivables, Allowance for Doubtful Accounts
Business Cycle | SOD Conflict | Description
Revenue | Customer Maintenance & Cash Application | User can create/maintain customer information and apply cash to the customer.
Revenue | Customer Invoicing & Cash Application Entry | User can create customer invoices, in combination with the ability to perform cash application.
Revenue | Sales Order Entry & Cash Application | User can create a sales order and apply cash to the sales order.
Revenue | Customer Maintenance & Invoicing | User has the ability to create/maintain customer information, in combination with the ability to invoice the customer.
Revenue | Customer Maintenance & Sales Order Entry | Creation of sales orders for unauthorized customers.
Revenue | Sales Invoicing & Customer Credit | User can create a sales invoice and modify the customer credit/payment terms.
Revenue | Sales Invoices & Sales Update | User can create sales invoices and perform the sales update process.
Revenue | Sales Order Entry & Invoicing | User can create a sales order and invoice the sales order.
Revenue | Sales Order Release & Sales Invoicing | User has the ability to release and invoice a sales order.
Revenue | Sales Invoices & Sales Price Maintenance | User has the ability to create invoices and modify pricing structures.
Revenue | Sales Order Entry & Release | User can both enter and release/ship a sales order.
Revenue | Sales Order Entry & Sales Pricing | User has the ability to enter sales orders and modify pricing structures.
Revenue | Sales Invoice & Receive Goods | Access to Enter Invoice and Create Automatic Receipts will allow a user to create a fictitious invoice and then record receipts against the invoice.

Fixed Assets
Related Accounts: Property, Depreciation Expense
Business Cycle | SOD Conflict | Description
Fixed Assets | Fixed Asset Maintenance & Transaction Processing (Disposal or Acquisition) | Initiate Disposal of Fixed Assets conflicts with Edit Fixed Asset Master File. If one individual has responsibility for more than one of these functions, that individual could misappropriate assets and conceal the misappropriation.
Fixed Assets | Fixed Asset Maintenance & Depreciation | Record Fixed Asset Transactions conflicts with Edit Fixed Asset Master File. One person should not have responsibility over both the access to assets and the responsibility for maintaining the accountability for such assets.
Fixed Assets | Fixed Asset Disposal & Adjustment | Initiate Disposal of Fixed Assets conflicts with Record Fixed Asset Transactions. One person should not have responsibility over both the access to assets and the responsibility for maintaining the accountability for such assets.
Fixed Assets | Asset Depreciation & Depreciation Adjust | One person should not calculate depreciation and create journal entries to adjust the depreciation account. There is increased risk of misstating depreciation due to inaccurate calculations.
Fixed Assets | Asset Acquisitions & Transaction Authorization | Asset Acquisitions conflicts with Transaction Authorization. One person should not have the ability to create and approve a purchase requisition for an asset.
Fixed Assets | Transaction Authorization & Recording | Transaction Authorization conflicts with Transaction Recording. If one individual has authority to authorize and record transactions, there is a high risk of fraudulent activity: assets may be acquired for personal use but recorded on the books.
Fixed Assets | Custody of Assets & Disposals of Assets | Custody of Assets conflicts with authority to dispose of assets. There is a risk of early asset disposal for personal use.
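The role-based model in the steps above (tasks grouped by cycle, roles defined within a cycle, a role hierarchy with inheritance, users assigned roles), the SOD evaluator, and the conflict lists just given can all be exercised by one checker. The following Python is an added example, not code from the original slides or from the authors: it computes each user's effective task set through the role hierarchy and tests every task pair against a conflict table rated on the risk-impact by vulnerability evaluator. The role names, user assignments and the risk/vulnerability ratings are constructed assumptions; the conflict pairs are taken from the revenue-cycle examples above, and the quadrant mapping in evaluate() is this example's reading of the evaluator matrix, not a rule the slides state.

```python
# Added example, not from the original slides: a role-based SOD checker.
# Tasks are grouped by business cycle, roles are defined within a cycle and
# may inherit from other roles, users are assigned roles.  Every task pair a
# user can perform is tested against a conflict table rated on the talk's
# risk-impact x vulnerability evaluator.  All data below is constructed.
from __future__ import annotations
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Role:
    name: str
    cycle: str                       # business cycle the role belongs to
    tasks: frozenset[str]            # tasks granted directly by this role
    parents: tuple[str, ...] = ()    # roles whose privileges are inherited

@dataclass(frozen=True)
class Finding:
    user: str
    task_a: str
    task_b: str
    action: str                      # "segregate" or "compensating control"
    via: tuple[tuple[str, ...], tuple[str, ...]]   # roles granting task_a / task_b

def pair(a: str, b: str) -> frozenset[str]:
    return frozenset((a, b))         # unordered key for the conflict table

def evaluate(risk_impact: str, vulnerability: str) -> str:
    # Quadrant of the SOD evaluator matrix; this H/L mapping is the example's
    # reading of the slide, not a rule stated by the authors.
    if risk_impact == "H" and vulnerability == "H":
        return "segregate"
    if risk_impact == "H" or vulnerability == "H":
        return "compensating control"
    return "no restriction"

def effective_tasks(role_name: str, roles: dict[str, Role],
                    seen: set[str] | None = None) -> dict[str, str]:
    # Map each task the role can perform to the role granting it directly,
    # walking up the hierarchy; `seen` guards against a cyclic hierarchy.
    seen = set() if seen is None else seen
    if role_name in seen:
        return {}
    seen.add(role_name)
    role = roles[role_name]
    granted = {task: role.name for task in role.tasks}
    for parent in role.parents:
        for task, source in effective_tasks(parent, roles, seen).items():
            granted.setdefault(task, source)
    return granted

def check_user(user: str, assigned: list[str], roles: dict[str, Role],
               conflicts: dict[frozenset[str], tuple[str, str]]) -> list[Finding]:
    # Union the tasks of all assigned roles, then test every task pair.
    granted: dict[str, set[str]] = {}
    for role_name in assigned:
        for task, source in effective_tasks(role_name, roles).items():
            granted.setdefault(task, set()).add(source)
    findings = []
    for a, b in combinations(sorted(granted), 2):
        rating = conflicts.get(pair(a, b))
        action = evaluate(*rating) if rating else "no restriction"
        if action != "no restriction":
            via = (tuple(sorted(granted[a])), tuple(sorted(granted[b])))
            findings.append(Finding(user, a, b, action, via))
    return findings

def audit(assignments, roles, conflicts) -> dict[str, list[Finding]]:
    return {u: check_user(u, r, roles, conflicts) for u, r in assignments.items()}

# Constructed revenue-cycle roles.  "Revenue Supervisor" inherits from two
# roles, so it carries a conflict that neither parent role has on its own.
ROLES = {r.name: r for r in [
    Role("Order Entry", "Revenue", frozenset({"Sales Order Entry"})),
    Role("Billing", "Revenue", frozenset({"Sales Invoicing"})),
    Role("AR Clerk", "Revenue", frozenset({"Cash Application"})),
    Role("Customer Master", "Revenue", frozenset({"Customer Maintenance"})),
    Role("Revenue Supervisor", "Revenue", frozenset({"Sales Order Release"}),
         parents=("Order Entry", "Billing")),
]}

# Conflict pairs from the talk's revenue-cycle examples; the (risk impact,
# vulnerability) ratings are illustrative assumptions, not the authors' values.
CONFLICTS = {
    pair("Customer Maintenance", "Cash Application"): ("H", "H"),
    pair("Sales Order Entry", "Cash Application"): ("H", "H"),
    pair("Sales Order Entry", "Sales Order Release"): ("H", "H"),
    pair("Sales Order Entry", "Sales Invoicing"): ("H", "L"),
    pair("Customer Maintenance", "Sales Invoicing"): ("L", "L"),
}

ASSIGNMENTS = {                      # constructed user -> role assignments
    "alice": ["Order Entry"],
    "bob": ["AR Clerk", "Customer Master"],
    "carol": ["Revenue Supervisor"],
}
```

Calling audit(ASSIGNMENTS, ROLES, CONFLICTS) passes alice, flags bob for Customer Maintenance plus Cash Application (two separately assigned roles, rated H/H, so segregate), and flags carol twice: Sales Order Entry plus Sales Invoicing reached only through Revenue Supervisor's inheritance (rated H/L, so a compensating control), and Sales Order Entry plus Sales Order Release (segregate). The via field names the roles that grant each side of the pair, which is what a remediation has to change; it is also why conflicts must be checked on the effective task set and not role by role.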
A primary challenge…
• is the time-intensive nature of implementing role-based access controls.
• But this is an investment in preventive controls, which is more cost-effective than the alternatives (corrective or detective controls)
Comparison with alternative models
• Discretionary controls
  – On a need-to-know basis
  – Users can potentially transfer privileges to others
  – Enhanced risk when users have the ability to set their own access privileges
• Mandatory controls
  – Access based on distinct levels of authorization
  – Control problems in securing data with lower-level classification
  – As security clearance broadens, users begin to gain access that may not correspond with their responsibilities
• Role based
  – Role is a generic concept
  – More stable
  – Relatively invariant to frequent changes in business or systems
Implications
• Reduced cost of regulatory compliance (e.g., section 404 of SOX)
  – Especially for SMEs that are relatively more burdened
• Reduced cost of audit
• Increased operational efficiency
• Continuous monitoring (e.g., section 409 of SOX)