Segregation of Duties Reporting:
What Reports Should You Provide During Your Audit and Why?
Do you have an upcoming audit?
Whether it’s an internal or external audit, you’ll need to generate several reports to provide specific information about Segregation of Duties within your company.
To establish and manage Segregation of Duties efficiently, it’s important to:
- Consider using an appropriate reporting tool
- Pilot the implementation of the tool to validate the solution, and
- Ensure that the solution is implemented by appropriately trained resources.
Segregation of Duties reporting is often a phased or iterative approach, whereby high risk items should be addressed first. As with any reporting solution, you need to test the performance and functionality. Always test to make sure that violations are included in your report as intended; the only way to prove that you've set up a rule correctly is to make it produce a violation, for example by giving a test user exactly the conflicting access the rule describes and confirming that the user appears in the output.
The following is a list of Segregation of Duties reports that provide valuable information to aid conflict analysis and remediation (in order of execution).
1 Detailed Segregation of Duties Rule Report
This provides details of what Segregation of Duties rules you are checking for, and how they are constructed.
The report shows clearly identified two- or three-sided statements, each side made up of objects that represent a process or task, together with the security details of what you are checking for on each object.
This report should be reviewed regularly by your business leads and developers to ensure it’s up to date and signed off by management. Reviewing this report may result in rule changes, security changes or mitigation updates. It’s important to keep documentation relating to any changes.
Here is a sample report from Q Software’s Audit Manager module. This example reports on a JD Edwards EnterpriseOne system, but the principles apply whichever ERP you use.
Note that the report contains:
- Rule ID and Description
- Severity Level and Effective Date
- Application and Version Details
- Security Details
The report should account for items such as:
- Checking both whether a user can run an application and whether they hold the action security (add, change, delete) the rule requires on it
- Checking for a specific version, a list of versions, or all versions of an application or report
- Stating whether a user must have access to all of the applications on a side of the statement, or to any individual one of them.
2 Segregation of Duties Model Integrity Report
Once you’ve created and reviewed your Detailed Rule Report, the next step, before using your rules to run a scan, is to ensure the integrity of the overall Segregation of Duties model that you’ve created.
An Integrity Report is a check of your rules to confirm there are no missing or invalid items. It reviews the construction of the rules themselves. Are you missing objects that should have been considered? Are you missing security details that are vital to capture? Or do you have objects that are no longer valid? You should always run this check prior to executing any detailed audit reports.
The example below, taken from Q Software’s Audit Manager module, shows how the result might look:
Note that the report:
- Provides a count of errors
- Lists the rules in error
- Distinguishes between object or security related errors.
The report should account for items such as:
- Missing object error – the statement has no applications / reports against it
- Missing security error – the application has no security details.
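The rule structure described in section 1 and the integrity check in section 2 are easier to reason about with a concrete model. The following is an added example, not Q Software's Audit Manager code and not a JD Edwards API: it models a rule as two or three sides of objects, each object carrying the versions and the run/action security to check for, and validates the rule set the way an Integrity Report would, counting errors, listing the rules in error and distinguishing object errors from security errors. The object catalogue, rule IDs and program IDs are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed catalogue of application objects the rules may reference. On a real
# system this would be taken from the object librarian; it is a placeholder here.
KNOWN_OBJECTS = {"P4310", "P4312", "P0411", "P04571", "P0101"}

# Security types a rule can demand on an object: run security plus action security.
SECURITY_TYPES = {"RUN", "ADD", "CHANGE", "DELETE"}


@dataclass
class ObjectRef:
    """One application / report on one side of a rule statement."""
    application: str
    versions: set = field(default_factory=lambda: {"*ALL"})  # specific versions or *ALL
    security: set = field(default_factory=set)               # e.g. {"RUN", "ADD"}


@dataclass
class Side:
    """One side of a two- or three-sided statement."""
    objects: list
    require_all: bool = False   # True: user needs every object; False: any one object


@dataclass
class Rule:
    rule_id: str
    description: str
    severity: str               # HIGH / MED / LOW
    sides: list                 # two or three Side instances


def integrity_check(rules, known_objects=KNOWN_OBJECTS):
    """Validate rule construction before any scan is run.

    Returns (error_count, errors); each error is (rule_id, category, detail)
    with category "OBJECT" or "SECURITY".
    """
    errors = []
    for rule in rules:
        if not 2 <= len(rule.sides) <= 3:
            errors.append((rule.rule_id, "OBJECT", f"{len(rule.sides)} sides; expected 2 or 3"))
        for n, side in enumerate(rule.sides, start=1):
            if not side.objects:
                # Missing object error: the statement has no applications / reports
                errors.append((rule.rule_id, "OBJECT", f"side {n} has no objects"))
            for obj in side.objects:
                if obj.application not in known_objects:
                    # Object no longer valid (or never existed) on this system
                    errors.append((rule.rule_id, "OBJECT", f"{obj.application} not in object catalogue"))
                if not obj.security:
                    # Missing security error: nothing to check for on the application
                    errors.append((rule.rule_id, "SECURITY", f"{obj.application} has no security details"))
                elif not obj.security <= SECURITY_TYPES:
                    unknown = sorted(obj.security - SECURITY_TYPES)
                    errors.append((rule.rule_id, "SECURITY", f"{obj.application} has unknown security type(s) {unknown}"))
    return len(errors), errors


def rules_in_error(errors):
    """Distinct rule IDs with at least one error, in first-seen order."""
    return list(dict.fromkeys(e[0] for e in errors))


# Constructed sample rules: one well-formed, two with integrity problems.
SAMPLE_RULES = [
    Rule("SOD-001", "Enter purchase order and receive against it", "HIGH", [
        Side([ObjectRef("P4310", {"ZJDE0001"}, {"RUN", "ADD"})]),
        Side([ObjectRef("P4312", security={"RUN", "CHANGE"})]),
    ]),
    Rule("SOD-002", "Enter voucher and change supplier master", "HIGH", [
        Side([ObjectRef("P0411", security={"RUN", "ADD"})]),
        Side([]),                                        # missing object
    ]),
    Rule("SOD-003", "Run payments and maintain bank details", "MED", [
        Side([ObjectRef("P04571")]),                     # missing security
        Side([ObjectRef("P0030A", security={"RUN"})]),   # object not in catalogue (assumed retired)
    ]),
]

if __name__ == "__main__":
    count, errs = integrity_check(SAMPLE_RULES)
    print(f"{count} integrity error(s) in rules: {rules_in_error(errs)}")
    for rule_id, category, detail in errs:
        print(f"  {rule_id} [{category}] {detail}")
```

Run as-is, the check reports three errors across SOD-002 and SOD-003 and passes SOD-001, which is the state you want before a scan: a rule that references a retired object or carries no security details would silently never fire, so it must be caught here rather than read as "no violations" later.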
3 Validation of Segregation of Duties Rules Report (Scan)
Depending on the method you're using to validate your SoD rules, the scan should provide a summary report indicating, for each rule statement, whether any violation currently exists (yes / no).
It gives you a good overview of the violations that exist on your system. It’s a quick look at where you stand each week, month or quarter.
If your rules are ranked high / med / low, you may want to organize the report to be run at different frequencies by severity level. This report would likely be used by the management team.
Here’s an example report produced by Audit Manager:
The timing of the scan is important. Consider these two factors when deciding when to run summary and detail reports:
- Choose a time when security change activity (role and user changes) is at its lowest (for example, overnight)
- Ideal timing is just prior to or directly after the extraction of security tables for audit sampling.
Good timing prevents effort being wasted on audit samples drawn from a security state that the report never assessed.
If you have auditing software such as Q Software's Audit Manager, reports such as this validation scan can be set up on a scheduler, with the results viewable when you want them (for example, weekly on Monday mornings).
4 Segregation of Duties Violation Details
This report should show the details of how a user violates a Segregation of Duties rule. Your business analyst or system admin will need to review this report in detail with the business, and plan for remediation. To facilitate proper and efficient remediation, the report should provide all the relevant information, with sufficient level of detail.
This Audit Manager report illustrates what I mean:
Note that the report contains:
- User ID causing the violation
- Sign on role (or *ALL)
- Applications the user has access to
- Security details for the associated applications.
The report should account for items such as:
- Role Chooser (turned on / off; i.e. can users choose a single role at sign on, or do they sign on as *ALL?)
- Explicit / Implicit violations – is the violation caused by an explicit record for the object, or by *ALL in the object field in the security workbench?
- Access type – where is the access coming from (User, Role or *PUBLIC)?
- Exception records (mitigations)
- Date stamp upon each scan.
It is critical that any detailed reports of Segregation of Duties violations account for the complex security environment within your ERP System.
Inaccurate violation results waste time, drive improper remediation, and lead to costly compensating controls that were never needed.
5 Mitigation Report
This report will list users who are known to be in violation but have documented exceptions, and it provides important evidence for you to give to your auditor.
It is recommended that mitigations should be regularly reviewed by managers / supervisors, and that compensating controls should be clearly documented.
Note that the report contains:
- Rule ID and Description
- User ID that is mitigated
- Mitigation from/to dates
- Notes / Links to external documentation.
The report should:
- Be keyed on user and rule
- Be effective dated
- Allow for expiry
- Link to the external documentation of the compensating control.
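Sections 3, 4 and 5 describe one pipeline: resolve each user's effective access, evaluate the rules against it, record where the access comes from, and apply any mitigation in force on the scan date. The block below is an added example that ties those steps together; it is not Audit Manager code and not a JD Edwards API. It assumes a simplified precedence for security workbench records (a user record beats a role record, which beats *PUBLIC; within a level an explicit object beats *ALL) and assumes users sign on as *ALL, so the Role Chooser is not modelled. The security records, roles, rules, mitigation and program IDs are constructed placeholders. It also shows the test from the introduction: users JSMITH and RJONES hold the same two roles, and only one of them is in violation, because a user-level deny record on JSMITH overrides the role.

```python
from dataclasses import dataclass
from datetime import date

# Constructed security records in the shape of security-workbench rows: who the
# record is for, which object (or *ALL), which version (or *ALL), and whether
# run and action security are granted. Program IDs are placeholders.
@dataclass(frozen=True)
class SecurityRecord:
    principal: str      # user ID, role name, or "*PUBLIC"
    kind: str           # "USER", "ROLE" or "*PUBLIC"
    obj: str            # application ID or "*ALL"
    version: str        # version name or "*ALL"
    run: bool
    actions: frozenset  # subset of {"ADD", "CHANGE", "DELETE"}

SECURITY = [
    SecurityRecord("*PUBLIC", "*PUBLIC", "*ALL", "*ALL", True, frozenset()),
    SecurityRecord("APCLERK", "ROLE", "P0411", "*ALL", True, frozenset({"ADD", "CHANGE"})),
    SecurityRecord("APMGR", "ROLE", "P04571", "*ALL", True, frozenset({"ADD"})),
    SecurityRecord("JSMITH", "USER", "P04571", "*ALL", False, frozenset()),   # user-level deny
    SecurityRecord("ADMIN1", "USER", "*ALL", "*ALL", True, frozenset({"ADD", "CHANGE", "DELETE"})),
]
USER_ROLES = {"JSMITH": ["APCLERK", "APMGR"], "RJONES": ["APCLERK", "APMGR"], "ADMIN1": []}
RANK = {"USER": 0, "ROLE": 1, "*PUBLIC": 2}   # assumed precedence: user > role > *PUBLIC

def resolve(user, obj, version):
    """Governing record for user on obj/version: most specific principal wins,
    then an explicit object beats *ALL, then an explicit version beats *ALL."""
    roles = set(USER_ROLES.get(user, []))
    hits = [r for r in SECURITY
            if r.obj in (obj, "*ALL") and r.version in (version, "*ALL")
            and (r.kind == "*PUBLIC" or (r.kind == "USER" and r.principal == user)
                 or (r.kind == "ROLE" and r.principal in roles))]
    return min(hits, key=lambda r: (RANK[r.kind], r.obj == "*ALL", r.version == "*ALL"), default=None)

def has_access(user, obj, version, required):
    """Run security plus every required action; returns (granted, governing record)."""
    rec = resolve(user, obj, version)
    if rec is None or not rec.run:
        return False, rec
    return (set(required) - {"RUN"}) <= rec.actions, rec

# Rules: (id, severity, sides); a side is a list of (object, version, required security)
# and is satisfied when the user has any one of its objects.
RULES = [
    ("SOD-010", "HIGH", [[("P0411", "*ALL", {"RUN", "ADD"})], [("P04571", "*ALL", {"RUN"})]]),
    ("SOD-011", "LOW", [[("P0101", "*ALL", {"RUN", "CHANGE"})], [("P0411", "*ALL", {"RUN"})]]),
]
# Mitigations are keyed on user and rule, effective-dated, and expire.
MITIGATIONS = [
    {"user": "RJONES", "rule": "SOD-010", "from": date(2024, 1, 1), "to": date(2024, 6, 30),
     "note": "Payment run requires a second approver; see ticket GRC-42 (constructed)"},
]

def active_mitigation(user, rule_id, on):
    """Mitigation record in force for (user, rule) on the given date, else None."""
    return next((m for m in MITIGATIONS if m["user"] == user and m["rule"] == rule_id
                 and m["from"] <= on <= m["to"]), None)

def scan(users, scan_date):
    """Returns (summary, details): summary maps rule ID to the number of users in
    violation (0 means 'no'); details carries what a violation-details report needs."""
    summary = {rule_id: 0 for rule_id, _, _ in RULES}
    details = []
    for user in users:
        for rule_id, severity, sides in RULES:
            evidence = []
            for side in sides:
                hit = None
                for obj, version, required in side:
                    ok, rec = has_access(user, obj, version, required)
                    if ok:
                        hit = {"object": obj, "version": version, "source": rec.kind,
                               "via": rec.principal, "implicit": rec.obj == "*ALL"}
                        break
                if hit is None:
                    break          # a side is unsatisfied: no conflict for this rule
                evidence.append(hit)
            else:                  # every side satisfied: rule violated
                summary[rule_id] += 1
                details.append({"user": user, "rule": rule_id, "severity": severity,
                                "scan_date": scan_date, "access": evidence,
                                "mitigation": active_mitigation(user, rule_id, scan_date)})
    return summary, details

def open_violations(details):
    """(user, rule) pairs with no mitigation in force on the scan date."""
    return [(d["user"], d["rule"]) for d in details if d["mitigation"] is None]

if __name__ == "__main__":
    for when in (date(2024, 3, 15), date(2024, 9, 1)):
        summary, details = scan(["JSMITH", "RJONES", "ADMIN1"], when)
        print(when, summary, "open:", open_violations(details))
        for d in details:
            print("  ", d["user"], d["rule"],
                  [(a["object"], a["source"], a["via"], "*ALL" if a["implicit"] else "explicit") for a in d["access"]])
```

Two things in the output are worth noticing. ADMIN1 violates both rules purely through a *ALL record, which is the implicit case a query that only joins on explicit object names would miss. RJONES's violation is mitigated on the March scan and reappears as open on the September scan once the exception has expired, which is why the detail report needs a date stamp and the mitigation report needs from/to dates rather than a flat "mitigated" flag.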
Why good Segregation of Duties reports matter
The reporting over your ERP System for Segregation of Duties violations is both complex and critical to your audit. Knowing what reports should be produced, why they are key to the process, in what order they must be generated, and the audience for each will ensure that you cover all facets of your Segregation of Duties reporting.
Many companies attempt to employ home grown methods for Segregation of Duties reporting, such as SQL scripts or Excel spreadsheets. These methods lack the ability to report accurately on such complex ERP systems; companies often spend a lot of time trying to identify violations or creating costly unnecessary compensating controls, yet still end up with critical violations as the result of an audit.
The best investment in terms of time and money is to investigate products that are designed to produce specialized reports on these complex systems. They will provide you with automation and accurate information you can trust.
Find out more about Audit Manager for JD Edwards EnterpriseOne; WorldSoD for JD Edwards World; or CS Comply for Oracle E-Business Suite.
Or explore more general information about managing Segregation of Duties on your ERP.