How to select a Segregation of Duties tool
Does your organization find itself struggling to select the appropriate Segregation of Duties (SoD) tool so that your next Sarbanes-Oxley (SOX) audit is less painful? You're not alone. Many organizations are just waking up to the fact that they need an SoD tool to help them sort out the complex web of SoD controls, and to understand why those controls matter. But let's back up and talk a bit about the SOX audit.
The main objective of a SOX audit is to verify and check your organization's financial statements. The audit reviews internal controls and procedures to ensure adequate controls are in place and that data is accurate. During your annual SOX audit, your financial statements and internal controls are analyzed by external auditors to ensure that your accounting practices are above board and to protect the public from fraudulent or erroneous practices.
All of this sounds relatively straightforward, right? But as you’ve probably already discovered, just beneath the surface of SoD controls is a tangled web of users, applications, roles, and privileges. And in the past decade, auditors have been particularly focused on testing your access management and SoD controls. These controls assess whether you are adequately preventing errors and fraudulent activity by creating a system of checks and balances in your ERP.
Implementing reliable controls in ERP systems can be very challenging. And proving the effectiveness of your controls is even more difficult, especially if the auditors uncover SoD violations or ask questions you are not readily able to answer.
When it comes to SoD audit tools, you can either build your own in-house or choose between a few vendors currently on the market. But buyer beware, not all tools are created equal. Many of the "tools" on the market to assess your SoD controls only have the capability of running a report listing your violations. These tools do nothing to correct the violations they find or track your responses to those violations.
What to look for in an SoD tool
Depending on how far you are down the rabbit hole of exploring SoD tools, you may have come across the alarming occurrence of false positives. When reporting from an SoD tool with no filters, it is not uncommon, depending on the size of your organization, to have your violation report list violations in the millions. However, if your organization had millions of violations, you would no longer be in business.
False positives arise from the complex configurable security model in your ERP system. False positives show up on reports as inactive users, end-dated roles, business constraints, and employees who have departed the organization. While these violations pose no actual threat to your organization, it is helpful to filter them out and correct them, so you can have visibility over your actual risk.
Investigating false positives during each audit cycle is a huge burden and a waste of time. When selecting an audit tool, look for solutions that can equip you with the evidence you need to demonstrate to auditors the effectiveness of your SoD controls.
Unfortunately, your job doesn't end once you identify your actual risk. This is where the real work begins, remediating all the data to eliminate the false positives from appearing in future reporting. This leads us to the next consideration when selecting an SoD tool, manual vs. automated remediation of SoD conflicts.
Manual vs. automated remediation of conflict
SoD tools were originally built to produce violation reports for audit purposes. However, businesses also need to record their response to each risk and remediate it in order to manage risk effectively. Without the capability to maintain a complete and accurate risk response through a closed-loop process, your organization can face audit findings and control failures.
Today's environments are complex. There are hundreds and sometimes thousands of employees, all with different types of access to various systems, including your ERP. To fix or remediate these violations, you must manually update the data and controls in your ERP or have a solution to automate the process.
Remediation is an essential task in addressing access violations. The remediation process is time-consuming and painstaking. It requires multiple business, audit, and IT participants to determine the appropriate corrective action.
Risk remediation of user access falls into two categories of corrective action:
- The user has conflicting privileges in the system (e.g., the same user can create and pay vendors). In this instance, a configuration in the application requires updating.
- The user can access two or more conflicting roles (e.g., the same user can input payroll and approve payroll). In this case, role reassignment needs to take place.
User role configuration is the cause of most access violations. But updating roles in your ERP with hundreds or thousands of active users can negatively affect business performance. Companies and auditors can get bogged down during remediation because of the difficulty in changing security design while allowing users to work.
Look for an SoD solution that can automate the role configuration process for you: one that can analyze violations and check "test" roles against your access compliance rules before any change is made in the production system. That way, users whose roles must change are not disrupted.
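To make the three points above concrete (filtering false positives out of a raw violation report, sorting real conflicts into "fix the role configuration" versus "reassign roles", and testing a proposed role change before touching production), here is a small SoD rule engine. It is an added illustration, not SafePaaS code or any vendor's implementation; the rule catalog, role definitions, user population and dates are all constructed sample data, and the two conflict kinds follow the two categories of corrective action listed above.

```python
"""Toy SoD conflict analyzer (added example, constructed data, not SafePaaS code)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Constructed rule catalog: each rule names two privileges one person must not hold together.
SOD_RULES = {
    "AP-01": ("CREATE_VENDOR", "PAY_VENDOR"),      # create and pay vendors
    "PAY-01": ("INPUT_PAYROLL", "APPROVE_PAYROLL"),  # input and approve payroll
}

# Constructed role definitions: role -> set of privileges it grants.
ROLES = {
    "AP_CLERK": {"CREATE_VENDOR", "ENTER_INVOICE"},
    "AP_MANAGER": {"PAY_VENDOR", "APPROVE_INVOICE"},
    "AP_SUPERUSER": {"CREATE_VENDOR", "PAY_VENDOR"},  # conflict inside a single role
    "PAYROLL_ENTRY": {"INPUT_PAYROLL"},
    "PAYROLL_APPROVER": {"APPROVE_PAYROLL"},
}


@dataclass
class Assignment:
    role: str
    end_date: date | None = None  # None means the assignment is open-ended


@dataclass
class User:
    name: str
    active: bool  # False once the employee has left the organization
    assignments: list[Assignment]


def effective_roles(user: User, as_of: date, ignore_end_dates: bool = False) -> list[str]:
    """Roles the user actually holds on a date; end-dated assignments drop out unless kept."""
    return [a.role for a in user.assignments
            if ignore_end_dates or a.end_date is None or a.end_date >= as_of]


def find_violations(user: User, as_of: date, raw: bool = False) -> list[dict]:
    """One record per (user, rule) conflict.

    raw=True reproduces an unfiltered report: departed users and end-dated roles still count.
    raw=False is the filtered view that shows only actual risk.
    """
    if not raw and not user.active:
        return []
    held = effective_roles(user, as_of, ignore_end_dates=raw)
    findings = []
    for rule_id, (priv_a, priv_b) in SOD_RULES.items():
        roles_a = {r for r in held if priv_a in ROLES[r]}
        roles_b = {r for r in held if priv_b in ROLES[r]}
        if not roles_a or not roles_b:
            continue
        intra = sorted(roles_a & roles_b)  # a single role grants both privileges
        if intra:
            findings.append({"user": user.name, "rule": rule_id, "kind": "intra_role",
                             "roles": intra, "action": "update role configuration"})
        else:
            findings.append({"user": user.name, "rule": rule_id, "kind": "cross_role",
                             "roles": sorted(roles_a | roles_b), "action": "reassign roles"})
    return findings


def report(users: list[User], as_of: date, raw: bool = False) -> list[dict]:
    return [v for u in users for v in find_violations(u, as_of, raw)]


def simulate_reassignment(user: User, remove: str, add: str, as_of: date) -> list[dict]:
    """What-if check: re-run the rules on a copy of the user with the proposed roles,
    so the change is tested for compliance before anything is altered in production."""
    proposed = User(user.name, user.active,
                    [a for a in user.assignments if a.role != remove] + [Assignment(add)])
    return find_violations(proposed, as_of)


# Constructed sample population and reporting date.
AS_OF = date(2024, 6, 30)
USERS = [
    User("alice", True, [Assignment("AP_CLERK"), Assignment("AP_MANAGER")]),   # real cross-role conflict
    User("bob", True, [Assignment("AP_SUPERUSER")]),                             # real intra-role conflict
    User("carol", True, [Assignment("PAYROLL_ENTRY"),
                         Assignment("PAYROLL_APPROVER", date(2023, 12, 31))]),  # end-dated role: false positive
    User("dave", False, [Assignment("AP_CLERK"), Assignment("AP_MANAGER")]),   # departed: false positive
]

if __name__ == "__main__":
    print(len(report(USERS, AS_OF, raw=True)), "violations in the unfiltered report")
    print(len(report(USERS, AS_OF)), "violations after filtering false positives")
    for finding in report(USERS, AS_OF):
        print(finding)
    print("alice after proposed reassignment:",
          simulate_reassignment(USERS[0], "AP_MANAGER", "PAYROLL_ENTRY", AS_OF))
```

On this data the unfiltered report lists four violations, of which only two survive filtering: alice's cross-role conflict (reassign one of her AP roles) and bob's intra-role conflict (the AP_SUPERUSER role itself must be redesigned). The simulation shows that moving alice from AP_MANAGER to PAYROLL_ENTRY clears her conflict, while moving her to AP_SUPERUSER would simply trade it for an intra-role one, which is exactly the kind of outcome you want to see before the production change is made.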
Like many businesses, your organization probably assessed its SoD strategies twenty years ago as part of its SOX compliance effort. And your organization may not have given these strategies a second thought since.
As your organization adopts enhancements and automation with upgrades, changes in business processes, or restructures, your SoD controls also need to be reviewed and updated.
Controls that are essential for your organization today can become obsolete tomorrow. This reality magnifies the importance of having your SoD controls maintained in a solution that can scale with your business. If the tool you select does not integrate into new applications or is too rigid in its application of controls, then it will only be a band-aid on a long-term challenge.
How to Automate Controls with SafePaaS
SafePaaS is more than a tool. SafePaaS is a real-time platform solution with continuous monitoring capabilities. SafePaaS can: run reports, filter violations to show only actual risk, scale as your organization grows, document your response to violations, and remediate them.
SafePaaS Segregation of Duties provides a complete solution that puts you and your audit and compliance teams in total control of your segregation of duties. Instead of engaging in elaborate manual checks, SafePaaS can monitor and maintain full visibility and control of SoD risk in your ERP environments.
Robust rules catalog
SafePaaS has a catalog of 1000+ rules. We provide out-of-the-box controls for any leading compliance framework.
Real-time alerts to ensure a proactive approach to access risk.
Seamless integrations with all major ERP systems, including Oracle EBS, Oracle ERP Cloud, JD Edwards, PeopleSoft, NetSuite, and SAP, as well as any IDM, IGA and ITSM system, including Okta, SailPoint and ServiceNow. It also integrates with vertical solutions such as Coupa and Tririga.
SafePaaS provides cross-application SoD analysis for complete visibility into user and identity behavior.
Continuous Controls Monitoring
When a change is made to a configuration object, SafePaaS sends real-time workflow alerts to the process and control owners to approve, reject or prevent the change. These alerts allow businesses to be proactive and respond to risk events in a timely manner – preventing financial, IT, and operational risks.
SafePaaS customers can prevent the risk of application access control failure by completely automating the enterprise certification process for ALL IDENTITIES across the application and ALL other data sources, including IDM, IGA, ITSM, Database, and Servers.
Segregation of Duties solutions to suit all needs:
SafePaaS makes it easy for you to address segregation of duties depending on your needs.
- SoD Insight - quickly identify your problems
- SoD Scanner - for organizations with limited segregation of duties requirements
- Policy Manager™ - comprehensive solution with built-in remediation capabilities
How to prevent fraud risk
An SoD solution allows your organization to proactively prepare for the unexpected by setting internal controls. No one likes to think about risk prevention; we’d rather focus on revenue-generating opportunities and moving our organizations to the next level. Protecting your assets doesn’t have to be complicated or time-consuming with the right technology.
The truth: SoD Assessment vs Management
During an audit cycle, companies are tasked with correcting these privilege conflicts. To do this, companies can opt for a one-time SoD assessment of their ERP security configuration or elect to acquire a continuous, self-service SoD management solution to handle the job permanently. To help illustrate the difference between an SoD assessment and SoD management, let's walk through an example to see why SoD violations are so complex, expensive, and time-consuming to manage.
IT Security and segregation of duties
Learn why insufficient SoD policies are so detrimental, and how policy-based identity governance can ensure that proper internal controls are established to reduce adverse impacts on the organization.