The truth about Segregation of Duties assessments
The Truth: SoD Assessment vs. SoD Management
Segregation of Duties (SoD) is a control used to prevent financial misstatement risks, fraud, theft, and misuse of data by dividing a process into separate tasks so a single user doesn't have control over an entire process.
SoD presents significant challenges for almost every company, regardless of size. Verifying SoD violations involves digging through dozens of screens in your ERP for hundreds of users to investigate potentially conflicting job responsibilities. Evaluating thousands of complex security and configuration settings through manual research on error-prone spreadsheets is inefficient. And in business, where time is money, these mistakes can easily cost your company millions.
Within your ERP, many roles grant a user the ability to complete an entire process. For example, a Procurement Manager has the ability to create a new supplier and an invoice for that supplier. This allows that person to create a fake supplier, generate an invoice for that supplier, and receive payment. SoD controls identify and mitigate these risks by preventing this mix of conflicting privileges.
During an audit cycle companies are tasked with correcting these privilege conflicts. To do this companies can opt for a one-time SoD assessment of their ERP security configuration or elect to acquire a continuous, self-service SoD management solution to handle the job permanently.
To help illustrate the difference between an SoD assessment and SoD management, let's walk through an example to see why SoD violations are so complex, expensive, and time-consuming to manage.
Suppose your company has 50 employees with access to the ERP, and you are looking for the risk that one person can create both suppliers and invoices.
To find the risk of this combination of privileges, you need to look at each of the 50 employee's access privileges within the ERP and check to see if they can perform both tasks. If you find an employee with this combination of privileges, you can:
A) remediate the risk or
B) mitigate the risk in another way
Easy, right? WRONG!
In a slightly more realistic example let’s suppose your organization has:
500 users
5 roles (Purchasing Agent, AP Clerk, etc.) per user
5 SoD rules to check for each user and
5 SoD rules violated by each user
500 x 5 x 5 x 5 = 62,500 violations to manage
In this example, the number of rules and violations is relatively low, and we are only looking at one business unit. If you have 5 business units, the number of violations you have to investigate spikes to 312,500. You can easily see how this number climbs into the hundreds of thousands, and in some cases millions, depending on the size of your company.
This is a staggering number of violations to review manually and highlights the problem with one-time SoD assessments, especially when you consider that there is a better option on the market.
To date, SafePaaS has detected and managed 444,607,107 SoD violations. That is a whopping 78 SoD violations per user.
The differences between SoD assessment and SoD management
During an SoD assessment, risks (violations of SoD policy) are identified in a violation analysis. In a violation analysis, each business unit manually examines its user’s roles and privileges for violations in spreadsheets line by line. The violation report is run and rerun until your auditors are satisfied that all of your violations have been addressed. This cycle involves working with incomplete and inaccurate spreadsheets with hundreds of thousands of lines to verify manually. Not only that, you are at the mercy of your auditor's ability to run the violation reports (sometimes up to a month between reports). All of this back-and-forth is inefficient and wastes time and money.
The first step in addressing your violations in an SoD assessment is identifying false positives and excluding them from the violation report. False positives are challenging because they are exceptions to SoD policies. For example, a Systems Administrator with superuser access, as a business requirement, will always generate SoD violations in an SoD assessment. Roles with read-only access are also problematic because they too will always generate a violation in the violation report. And each individual violation (an average of 77 per user) must be manually examined and documented on a spreadsheet by IT and audit staff, who verify the roles and privileges behind it. Manually verifying violations line by line on a spreadsheet adds effort and frustration. And with a one-time assessment, there's no way to filter or remove the false positives from your report. Recently a Fortune 500 company produced 16,000,000 violations. By removing the false positives, we reduced the violations to 3,000,000 - but imagine going through all that data line by line!
Removing false positives may reduce your violation count by 20% (from 62,500 violations to 50,000), but you're still left with 80% of the problem. With an SoD management solution like SafePaaS, false positives are automatically filtered out of your report, and adding your compensating control policies into the platform can reduce your violation burden even further. By filtering your false positives and adding compensating controls, the inherent risk is reduced from 62,500 down to 12,500. That means the share of violations left to work is cut from 80% to 20% within days instead of months. SafePaaS retains these compensating control policies for the next time you run your report or start your next audit cycle. With an SoD assessment, you will need to manually exclude these violations each audit cycle.
Once your false positives are identified and documented, you must remediate the violations that are left. With a one-time assessment, you can either remediate the violations yourself or hire an overpriced consultant to perform the remediations for you.
Remediation
The next step in the SoD assessment process is remediation. Remediation is a labor-intensive effort that involves your IT security team, your assessment company, and your external auditors to reassign users' privileges and redesign roles with privileges that don’t conflict with SoD policies.
In an assessment, this process is again handled manually in a spreadsheet detailing all of the remaining roles that need adjustment. Manually remediating roles involves a five-part process known as SDLC, where each role is designed and tested, undergoes user acceptance testing, and is then moved into your ERP. Even in an accelerated approach, each phase of this process takes at least one week to complete. That means you're looking at a minimum of five weeks before your secure roles can be deployed into your ERP.
Like the other steps in an SoD assessment, remediation is fraught with manual labor and an almost certain likelihood of error. But this time, errors can potentially stop your business in its tracks. It is not uncommon for audit fatigue to set in and for the decision to be made to expedite the process by simply removing access. For example, if you decide to take away the Procurement Manager's ability to create suppliers but discover that access was taken away from everyone in Procurement, your company will be left spinning its wheels with no way to create a supplier until the changes can be reversed.
With an SoD management solution like SafePaaS, you can simulate new roles in minutes and bypass the SDLC process described above. Simulating a role change lets you confirm that user access is restricted to only the appropriate roles and not the entire business unit, and lets you see the effects of any change BEFORE it hits your ERP. Simulation is a critical part of remediation because it ensures the business does not suffer any adverse impact while violations are being corrected.
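As an added illustration (not SafePaaS code, and not from the original post), the script below carries the three steps described above through a constructed ERP access export: the violation analysis that checks every user against every rule (the "can this person both create suppliers and invoices?" check from the 50-employee example), the exclusion of documented false positives such as a sysadmin role and of violations covered by a compensating control policy, and a role-change simulation that re-runs the analysis against a proposed role definition and reports which users would still hold each removed privilege, so a change that strips a capability from everyone in a department is caught before deployment. All role, user, privilege and rule names are made up for the example.

```python
# Added example (not SafePaaS code): a minimal SoD violation analysis over a
# constructed ERP access export, with false-positive exclusion, compensating
# controls and a role-change simulation. All names below are made up.
from dataclasses import dataclass

# Constructed sample: role -> privileges it grants (hypothetical privilege names)
ROLES = {
    "PROCUREMENT_MANAGER": {"CREATE_SUPPLIER", "CREATE_INVOICE", "APPROVE_PO"},
    "AP_CLERK": {"CREATE_INVOICE", "VIEW_SUPPLIER"},
    "SUPPLIER_MAINTENANCE": {"CREATE_SUPPLIER", "VIEW_SUPPLIER"},
    "AP_INQUIRY": {"VIEW_SUPPLIER", "VIEW_INVOICE"},
    "SYSADMIN": {"CREATE_SUPPLIER", "CREATE_INVOICE", "APPROVE_PO", "PAY_INVOICE"},
}

# Constructed sample: user -> assigned roles
USERS = {
    "alice": {"PROCUREMENT_MANAGER"},
    "bob": {"AP_CLERK", "SUPPLIER_MAINTENANCE"},
    "carol": {"AP_CLERK"},
    "dave": {"AP_INQUIRY"},
    "root": {"SYSADMIN"},
}

# Constructed SoD rules: a user holding both privileges of a pair violates the rule
RULES = [
    ("SOD-01", "CREATE_SUPPLIER", "CREATE_INVOICE"),
    ("SOD-02", "CREATE_INVOICE", "PAY_INVOICE"),
    ("SOD-03", "APPROVE_PO", "PAY_INVOICE"),
]


@dataclass(frozen=True)
class Violation:
    user: str
    rule: str
    via_roles: tuple  # roles that together grant the conflicting pair


def effective_privileges(user, users, roles):
    """Map each privilege the user holds to the set of roles granting it."""
    privs = {}
    for role in users.get(user, ()):
        for p in roles.get(role, ()):
            privs.setdefault(p, set()).add(role)
    return privs


def analyze(users, roles, rules):
    """Violation analysis: every user against every rule (users x rules checks)."""
    found = []
    for user in sorted(users):
        privs = effective_privileges(user, users, roles)
        for rule_id, a, b in rules:
            if a in privs and b in privs:
                found.append(Violation(user, rule_id, tuple(sorted(privs[a] | privs[b]))))
    return found


def apply_exclusions(violations, users, exempt_roles=(), compensating_controls=()):
    """Drop documented false positives (users holding an exempt role such as a
    sysadmin) and violations covered by a (user, rule) compensating control.
    Returns (remaining, excluded_with_reason) so the exclusions are auditable."""
    remaining, excluded = [], []
    for v in violations:
        if users[v.user] & set(exempt_roles):
            excluded.append((v, "exempt role"))
        elif (v.user, v.rule) in set(compensating_controls):
            excluded.append((v, "compensating control"))
        else:
            remaining.append(v)
    return remaining, excluded


def simulate_role_change(users, roles, role, new_privileges, rules):
    """Re-run the analysis against a proposed role definition without touching
    the live roles. Also reports, for each privilege removed from the role,
    which users would still hold it; an empty list means the change would
    leave nobody able to perform that task."""
    proposed = dict(roles)
    proposed[role] = set(new_privileges)
    removed = roles[role] - set(new_privileges)
    still_held = {
        p: sorted(u for u in users if p in effective_privileges(u, users, proposed))
        for p in removed
    }
    return analyze(users, proposed, rules), still_held


if __name__ == "__main__":
    raw = analyze(USERS, ROLES, RULES)
    left, dropped = apply_exclusions(raw, USERS, exempt_roles=["SYSADMIN"],
                                     compensating_controls=[("alice", "SOD-01")])
    print(f"{len(raw)} raw violations, {len(dropped)} excluded, {len(left)} to remediate")
    after, coverage = simulate_role_change(
        USERS, ROLES, "SUPPLIER_MAINTENANCE", {"VIEW_SUPPLIER"}, RULES)
    print(f"after simulated change: {len(after)} violations; CREATE_SUPPLIER still held by "
          f"{coverage['CREATE_SUPPLIER'] or 'NOBODY'}")
```

On the sample data the raw analysis finds five violations (one each for alice and bob, three for the sysadmin account); exempting the sysadmin role and recording a compensating control for alice leaves one violation to remediate. The simulated change strips CREATE_SUPPLIER from the SUPPLIER_MAINTENANCE role, which removes bob's conflict while the report confirms that other users still hold that privilege, which is exactly the check that would have caught the "nobody in Procurement can create a supplier" scenario above.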
At this point you may think you are in the clear: your false positives are excluded, you've remediated your outstanding violations, and you've redesigned your roles. But you still can't prevent future risks, even after all the added expense and time spent addressing your SoD violations. That is because, without a means of assuring conflict-free provisioning and access certification to review privileges, you can't prevent risk from manifesting in your systems. The only real way to prevent risk is with SoD management.
Completing the tasks in an SoD assessment effectively and efficiently without an SoD management solution is near impossible. With an SoD management solution, you can run analysis reports as often as needed, filter false positives, add compensating controls, simulate role design, and AUTOMATICALLY remediate SoD violations. This allows your company to focus on identifying HIGH-RISK issues that need immediate action.
To prevent risk from manifesting in your ERP, you need a means of:
A) identifying potential risks
B) remediating or mitigating risks, and
C) preventing risks
Another benefit of an SoD management solution is automated remediation. With automated remediation, you can effortlessly remediate risks through easy-to-use workflows with self-documenting reports that mark each violation with its corrective action - a change of user access or a role redesign.
An SoD management solution sets you free from the treadmill of violation analysis, remediation, and reanalysis because SoD access conflicts can be corrected before they are granted. An SoD management solution allows you to manage risk, not just report it. An assessment tool still leaves you with the burden of manually investigating each user's access privileges. SoD assessments only flag risks, create millions of dollars of manual work, ignore compensating controls, and do nothing to remove, mitigate or prevent risks. With an SoD assessment, you are only provided a report.
SoD management solutions are quick and easy to set up and require minimal training. You can also get a jump start on your next audit with out-of-the-box rules and easy reporting to fast-track role deployments.
Are you ready to beat the vicious audit cycle?
Recommended Reading
How to select an SoD tool
When it comes to SoD audit tools, you can either build your own in-house or choose between a few vendors currently on the market. But buyer beware, not all tools are created equal. Many of the "tools" on the market to assess your SoD controls only have the capability of running a report listing your violations. These tools do nothing to correct the violations they find or track your responses to those violations.
How to prevent fraud with SoD
Many companies struggle to implement adequate SoD controls in their ERP systems even though the concept of SoD is simple. SoD roles, responsibilities, and access controls are difficult to define within your ERP. Below are the two most common reasons why SoD violations occur.
SoD and Privileged Access Policies
Detect access policy violations to control financial, operational, fraud, and cyber risks. Define policies in terms of risk descriptions, impact, likelihood, and fine-grained rules that constitute discrete and fuzzy logic in terms of IT system security entitlements and privileges for governance models such as Segregation of Duties, Sensitive Access, Data Protection, and Trade Secrets.