General Computing Controls (GCC) Part 2: Segregation of Duties
In the last article we discussed common risks associated with Access Management, but it’s not just about restricting access to specific applications; it’s also necessary to prevent dangerous combinations of applications.
Do any of your users have the ability to carry out end-to-end functions and, if so, how does the business manage that risk?
Segregation of Duties (SoD) Controls
SoD is the best practice approach to managing this risk. These internal controls are designed to prevent fraud and error by requiring more than one person to carry out the various tasks required to complete a business process.
Your auditor may seek evidence of how your company manages Segregation of Duties and what controls are in place to detect users who have access that violates your SoD policies.
This may be more difficult to manage in smaller companies where staff have to take on more responsibilities, but in this case compensating controls should be implemented to ensure that the risk is monitored.
The first step is to define your SoD policies or rules. Although IT can provide tools to help manage SoD, it is important that the business takes responsibility for assessing the business processes to identify the risks and determine which tasks should be segregated. They can then work with IT users to map the tasks to specific applications and define the SoD rules.
When defining rules it’s important to include:
- Custom objects
- All versions of an application
- All associated applications e.g. there’s often more than one application that updates certain records, so you need to make sure you include them all.
Once the rules are in place, you need to be able to produce SoD reports to identify anyone who has access which violates your rules.
Preventive SoD Controls
To avoid inadvertently creating SoD violations when users are granted new access privileges, you should also implement preventive controls to check for SoD conflicts before the new access is granted.
There will be occasions when users legitimately need to breach SoD rules, perhaps to cover for staff absence, or where small teams mean that individuals need to take on a broader range of responsibilities.
These exceptions should be documented and you should also put in place compensating controls to monitor the activities of those users. To satisfy your auditor, you’ll also need to provide evidence that you’ve tested the compensating controls and that they are sensitive enough to catch inappropriate activity.
It can be extremely difficult and time-consuming to implement effective preventive and detective Segregation of Duties controls within your ERP system. Consider using specialized tools; they will help you to do it efficiently, reduce risk and make it easy to provide evidence for your auditor.
You can find out more about our SoD solutions and services here.
In Part 3 of our GCC series, we take a look at Change Management Risks and Controls.