…of a 17-part series. Future posts will break down each of these separate areas in detail with supporting processes and documentation…
Segregation of Duties (SoD) and the management of Sensitive Access (SA) are critical components of robust internal controls. Performed well, SoD and SA analytics reduce the risk of fraud, error and non-compliance. Follow along for a step-by-step guide on how to conduct SoD and SA analytics, along with actionable remediation outcomes.
Understand the Basics
Define SoD Rules
SoD involves separating responsibilities so that no single individual has end-to-end control over a process or transaction, for example creating a vendor and also approving payments to it.
Identify SA Rules
SA refers to permissions that let a user perform high-risk activities on their own, i.e. change the way an application behaves (its configuration) or maintain master / standing data (vendor, customer, banking details).
Recognize Risks
Understand the potential risks associated with inadequate SoD and SA, including fraud, errors, and regulatory violations.
Establish Clear Objectives
Define Goals
Determine the specific objectives of your SoD and SA analytics, such as identifying conflicts, assessing access levels, and ensuring compliance with regulations.
Set Criteria
Establish criteria for what constitutes an SoD conflict or SA risk, based on industry standards, organizational requirements and risk appetite.
Gather Data and Perform Analytics
SoD Analysis
Use software tools or manual methods to analyze user roles and permissions for conflicts that violate SoD principles, such as one user being able to both create and approve a transaction.
Evaluate SA
Identify users with permissions for high-risk activities and assess whether these access levels are appropriate based on job roles and responsibilities.
False Positives
Most SoD and SA tools do not fully understand every access technology they read, and will report a violation where the access is not actually usable, for example a role assignment that has expired, or a permission that only enables an activity in combination with another permission the user does not hold. Before treating a result as a violation, perform a walkthrough of the access with the system owner and document the conclusion.
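To make the analytics step concrete, here is a small added example (not part of the original post, and not any vendor's tool) of an SoD / SA rules engine in Python, run over a constructed user, role and permission extract. All role, permission, rule and control names are hypothetical. It performs the two checks described above, avoids two of the false-positive traps (an expired role assignment, and a permission that is only part of a business function), and tags an accepted violation with its mapped mitigating control as described under Remediation.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

REVIEW_DATE = date(2024, 6, 30)  # "as of" date of the access extract

# A business function is only really held when ALL of its permissions are
# present. Assumption: where an activity needs both a transaction and an
# object-level authorization, counting either half alone is a common tool
# false positive.
FUNCTIONS = {
    "CREATE_VENDOR": frozenset({"AP_VENDOR_CREATE", "AP_VENDOR_DISPLAY"}),
    "APPROVE_PAYMENT": frozenset({"AP_PAYMENT_APPROVE"}),
    "POST_JOURNAL": frozenset({"GL_JOURNAL_POST"}),
    "APPROVE_JOURNAL": frozenset({"GL_JOURNAL_APPROVE"}),
    "CHANGE_BANK_DATA": frozenset({"AP_VENDOR_BANK_CHANGE"}),
    "CONFIG_CHANGE": frozenset({"SYS_CONFIG_MAINTAIN"}),
}
# Rules library: SoD rules pair functions that must not sit with one person;
# SA rules flag a single function that is high risk on its own.
SOD_RULES = [("SOD-01", "CREATE_VENDOR", "APPROVE_PAYMENT", "High"),
             ("SOD-02", "POST_JOURNAL", "APPROVE_JOURNAL", "High")]
SA_RULES = [("SA-01", "CHANGE_BANK_DATA", "High"),
            ("SA-02", "CONFIG_CHANGE", "Medium")]

# Constructed role -> permission extract.
ROLE_PERMS = {
    "AP_CLERK": {"AP_VENDOR_CREATE", "AP_VENDOR_DISPLAY"},
    "AP_MANAGER": {"AP_PAYMENT_APPROVE", "AP_VENDOR_DISPLAY"},
    "AP_VIEWER": {"AP_VENDOR_DISPLAY"},
    "GL_ACCOUNTANT": {"GL_JOURNAL_POST"},
    "GL_CONTROLLER": {"GL_JOURNAL_APPROVE"},
    "TREASURY": {"AP_VENDOR_BANK_CHANGE"},
    "BASIS_ADMIN": {"SYS_CONFIG_MAINTAIN"},
}

@dataclass(frozen=True)
class Assignment:
    role: str
    valid_to: date | None = None  # None = no end date

# Constructed user -> role assignments.
USER_ROLES = {
    # genuine SOD-01: can create a vendor and approve payments to it
    "alice": [Assignment("AP_CLERK"), Assignment("AP_MANAGER")],
    # AP_CLERK expired: a naive role-pair check would still flag SOD-01
    "bob": [Assignment("AP_CLERK", date(2023, 12, 31)), Assignment("AP_MANAGER")],
    # display only: half of CREATE_VENDOR's permissions, not the function
    "carol": [Assignment("AP_VIEWER"), Assignment("AP_MANAGER")],
    # genuine SOD-02 plus SA-01
    "dave": [Assignment("GL_ACCOUNTANT"), Assignment("GL_CONTROLLER"), Assignment("TREASURY")],
    # SA-02 only
    "erin": [Assignment("BASIS_ADMIN")],
}

# Accepted violations mapped to a mitigating control in the Risk and Control
# Matrix (hypothetical control ID and description).
ACCEPTED_WITH_CONTROL = {
    ("dave", "SOD-02"): "ITAC-GL-04 system-enforced second approval of journals over threshold",
}

def effective_permissions(user: str, as_of: date = REVIEW_DATE) -> set[str]:
    """Union of permissions from role assignments still valid on as_of."""
    perms: set[str] = set()
    for a in USER_ROLES.get(user, []):
        if a.valid_to is None or a.valid_to >= as_of:
            perms |= ROLE_PERMS[a.role]  # expired assignments grant nothing
    return perms

def held_functions(perms: set[str]) -> set[str]:
    """Functions whose complete permission set is present."""
    return {f for f, required in FUNCTIONS.items() if required <= perms}

def _finding(user: str, rule_id: str, kind: str, detail: str, severity: str) -> dict:
    control = ACCEPTED_WITH_CONTROL.get((user, rule_id))
    return {"user": user, "rule": rule_id, "type": kind, "detail": detail,
            "severity": severity, "status": "Mitigated" if control else "Open",
            "mitigating_control": control}

def analyze(as_of: date = REVIEW_DATE) -> list[dict]:
    """Run every SoD and SA rule against each user's effective access."""
    findings = []
    for user in sorted(USER_ROLES):
        funcs = held_functions(effective_permissions(user, as_of))
        for rule_id, f_a, f_b, sev in SOD_RULES:
            if f_a in funcs and f_b in funcs:
                findings.append(_finding(user, rule_id, "SoD", f"{f_a} + {f_b}", sev))
        for rule_id, f, sev in SA_RULES:
            if f in funcs:
                findings.append(_finding(user, rule_id, "SA", f, sev))
    return findings

def open_findings(as_of: date = REVIEW_DATE) -> list[dict]:
    """Findings still needing remediation: no mapped mitigating control."""
    return [f for f in analyze(as_of) if f["status"] == "Open"]

if __name__ == "__main__":
    for f in analyze():
        print(f"{f['user']:6} {f['rule']} {f['type']:3} {f['severity']:6} {f['status']:9} {f['detail']}")
```

Running it reports alice (SOD-01, open), dave (SOD-02 mitigated by the mapped control, SA-01 open) and erin (SA-02 open); bob and carol are not reported, because bob's AP_CLERK assignment has expired and carol only holds the display half of CREATE_VENDOR. Re-running with an earlier as-of date shows bob's conflict was real before the expiry, which is exactly the kind of evidence to capture in the walkthrough. In practice the extract would come from the application or identity platform and the rules library from the Risk and Control Matrix, but the evaluation logic is the same.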
Review Results
Analyze Findings
Review the results of your analytics to identify instances of SoD conflicts and SA risks, categorizing them based on severity and impact.
Investigate Root Causes
Determine the underlying reasons for each identified conflict or risk, such as role misalignment or inadequate access controls.
Implement Remediation Actions
Remediation Plans
Create actionable plans to address identified SoD conflicts and SA violations, prioritizing based on severity and criticality.
Adjust Access Controls
Modify user roles and permissions to eliminate conflicts and reduce SA where necessary, ensuring compliance with SoD principles.
Remove User Access
After reviewing the results with the business, agree where the access is not needed and deprovision it from the user.
Mitigating Controls
Where the access must remain and the violation is formally accepted, map each accepted violation to a relevant mitigating control in the Risk and Control Matrix, linked back to the rule in the rules library. Prefer automated IT application controls (ITACs) over manual controls wherever possible. In some cases the mapped control will be an IT general control (ITGC), such as the change management process.
Enhance Monitoring
Implement ongoing monitoring so that new SoD conflicts and SA risks introduced by access changes are identified and remediated promptly, rather than only at the next periodic review.
Communicate and Educate
Share Results
Communicate findings and remediation outcomes with relevant stakeholders, including management, IT teams, and internal auditors.
Provide Training
Offer training sessions or resources to educate employees on the importance of SoD and SA, as well as best practices for maintaining compliance.
Need help?
HALEY Consulting and Advisory Services are here every step of the way. Contact us for a free consultation.