How often should you run a segregation of duties analysis?
How frequently should we run a segregation of duties analysis? This is a question our customers often ask and there is no correct answer. The frequency of running a segregation of duties analysis varies based on your company’s situation.
At a minimum, companies close their books monthly or quarterly. Most publicly listed companies have to disclose key events to the market, so at a minimum companies should run the analysis once a quarter, and it is an absolute must once a year when they report financial results to the market.
In the past, auditors would run a segregation of duties analysis for their clients once a quarter. The auditor would then tell the customer what needed to be fixed. The customer would remediate the issues so that the following quarter those problems were no longer there, and so by the end of the fiscal year, the system would be segregation of duties compliant.
With next-generation segregation of duties solutions, customers now have complete control over their data. Data no longer has to be sent out to third parties like auditors or consultants to run an analysis.
The challenge, however, is that old habits die hard: because the practice of running the analysis once a quarter is ingrained in a company’s mindset, organizations are slow to change.
In modern, dynamic businesses, performing a segregation of duties analysis once a year or even once a quarter is no longer viable. There are too many users and too many changes happening in systems. For example, Oracle ERP Cloud customers have new patches coming in before month or quarter end, and these patches can change the security configuration. As businesses become more agile and more dynamic, roles no longer remain static, and changes happen that can affect your segregation of duties; therefore running the analysis once a quarter isn’t sufficient. Because of these changes, by the time the quarter end arrives you already have audit findings and are exposed to cyber threats. With cyber and insider threats on the rise, companies should be running their segregation of duties analysis more frequently. How frequently depends on the rate of change in the organization. Change can include:
Technology factors:
- new patches
- configuration changes
- deployment changes, and
- user provisioning.
How user provisioning affects how often you run your segregation of duties analysis
To decide how often to run the analysis, you should also consider how many user access requests you process. Running it once a quarter is fine if you don’t process any (which is unlikely). However, if you are changing user access every week, you are introducing risk into the business every week. Businesses can’t afford to wait until the end of the quarter to find out whether there is a problem. Therefore, dynamic, agile companies with lots of changes should run the analysis as often as once a week, and large, complex organizations with daily changes should run it daily.
- Large complex organizations with lots of changes = daily
- Medium-sized companies with a moderate amount of changes = weekly
- Smaller companies with low or no changes = once a quarter
Running your segregation of duties once a year is a recipe for disaster!
Organizations have complete control of their environment with modern segregation of duties tools and solutions, meaning they can be proactive and manage the risk rather than just report it. By being more proactive about segregation of duties, organizations can prevent escalations and reputational and compliance issues.
Who owns segregation of duties?
Traditionally it’s been audit that has run the segregation of duties analysis and then instructed the business on what needs to be fixed. By moving the accountability of controls to the organization through workflow-enabled solutions, the business becomes more proactive at managing the risk. Workflow enables the control owners to be proactive and prevent issues before they happen.
Accountability for controls needs to be pushed out to the business, making it more accountable for the controls it operates. A platform like SafePaaS allows organizations to be more proactive, improve governance and actively reduce risk.
Segregation of Duties Assessment vs Management
During an audit cycle, companies are tasked with correcting the SoD privilege conflicts that are found. To do this, companies can opt for a one-time SoD assessment of their ERP security configuration or elect to acquire a continuous, self-service SoD management solution to handle the job permanently.
How to select a segregation of duties tool
When it comes to SoD audit tools, you can either build your own in-house or choose between a few vendors currently on the market. But buyer beware, not all tools are created equal. Many of the "tools" on the market to assess your SoD controls only have the capability of running a report listing your violations. These tools do nothing to correct the violations they find or track your responses to those violations.
Prevent fraud risk with effective segregation of duties
Segregation of Duties (SoD) is an internal control to prevent fraud, theft, misuse of information, and other security breaches. SoD accomplishes this by dividing the responsibilities of users to complete your business processes, so no one user has control over an entire process. SoD is the most effective approach to placing internal controls over your organization’s assets and preventing the kind of fraud seen at Yale.
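To make the mechanics of an SoD analysis concrete, here is an added example in Python; it is not SafePaaS code and not part of the original post. It runs a hypothetical conflict ruleset (pairs of privileges that together let one person complete a process end to end) over constructed role-to-privilege and user-to-role mappings, then re-runs it on a second snapshot in which a simulated patch adds one privilege to a role, which is the kind of change the post says can make a quarterly run stale. All role, privilege and user names are invented.

```python
"""Segregation-of-duties (SoD) conflict analysis over two constructed snapshots.

All role, privilege and user names below are invented for this example.
"""

# Hypothetical conflict ruleset: pairs of privileges that must never be held
# by one user, because together they let a single person run a process end to end.
CONFLICT_RULES = {
    ("CREATE_SUPPLIER", "PAY_SUPPLIER"): "create a fictitious supplier and pay it",
    ("ENTER_JOURNAL", "POST_JOURNAL"): "book and approve own journal entries",
    ("MAINTAIN_USER", "ASSIGN_ROLE"): "grant oneself arbitrary access",
}

# Constructed role -> privilege mapping, as it might be exported from an ERP.
ROLE_PRIVILEGES_BEFORE = {
    "AP_CLERK": {"CREATE_SUPPLIER", "ENTER_INVOICE"},
    "AP_MANAGER": {"APPROVE_INVOICE", "PAY_SUPPLIER"},
    "GL_ACCOUNTANT": {"ENTER_JOURNAL"},
    "GL_CONTROLLER": {"POST_JOURNAL"},
}

# The same mapping after a simulated patch adds POST_JOURNAL to GL_ACCOUNTANT.
# No user assignment changed, yet a new conflict appears.
ROLE_PRIVILEGES_AFTER = {
    **ROLE_PRIVILEGES_BEFORE,
    "GL_ACCOUNTANT": {"ENTER_JOURNAL", "POST_JOURNAL"},
}

# Constructed user -> role assignments.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},  # conflict arises from combining two roles
    "carol": {"GL_ACCOUNTANT"},
}


def effective_privileges(user, user_roles, role_privileges):
    """Union of the privileges granted by every role the user holds."""
    privs = set()
    for role in user_roles.get(user, ()):
        privs |= role_privileges.get(role, set())
    return privs


def find_violations(user_roles, role_privileges, rules=CONFLICT_RULES):
    """Return (user, priv_a, priv_b, risk) for every rule both of whose sides a user holds."""
    violations = []
    for user in sorted(user_roles):
        privs = effective_privileges(user, user_roles, role_privileges)
        for (priv_a, priv_b), risk in rules.items():
            if priv_a in privs and priv_b in privs:
                violations.append((user, priv_a, priv_b, risk))
    return violations


def conflicting_roles(role_privileges, rules=CONFLICT_RULES):
    """Roles that contain both sides of a rule on their own, i.e. conflict by design."""
    return sorted(
        role for role, privs in role_privileges.items()
        if any(a in privs and b in privs for (a, b) in rules)
    )


def new_violations(before, after):
    """Violations present in the later snapshot but absent from the earlier one."""
    return sorted(set(after) - set(before))


if __name__ == "__main__":
    before = find_violations(USER_ROLES, ROLE_PRIVILEGES_BEFORE)
    after = find_violations(USER_ROLES, ROLE_PRIVILEGES_AFTER)
    for user, a, b, risk in after:
        print(f"{user}: {a} + {b} -> could {risk}")
    print("introduced since last run:", new_violations(before, after))
    print("roles conflicting by design:", conflicting_roles(ROLE_PRIVILEGES_AFTER))
```

Before the simulated patch only bob is in violation, and only because two individually clean roles were combined on one user; after it, carol is in violation without any change to her assignments, and GL_ACCOUNTANT itself now conflicts by design. Diffing the two runs is what turns a periodic report into something a control owner can act on between quarter ends.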