Segregation of duties (SoD) is an area that presents significant challenges for almost every organization, large or small. SoD risk is the potential exposure to financial misstatement or operational disruption that arises when a single user has the ability to perform two conflicting job responsibilities. A company may be in the early stages of its identity and access governance journey, trying to assess where SoD is a problem area in its enterprise resource planning (ERP) applications, or it may be further along the maturity curve, with automated monitoring and mitigation solutions for identity and access governance already in place. In either situation, a fraud finding, an audit or another incident that uncovers significant financial exposure from SoD access, even a material weakness, can send any company scrambling to substantiate and remediate that exposure. There are several levels to the SoD maturity curve, but we often find organizations are best prepared and empowered to handle SoD and mitigations effectively when they use automated tools like SAP’s Access Violation Management (AVM) tool from Pathlock.
For effective governance, there is great value in understanding exactly which risks pose threats to the enterprise, and to which SoD risks the company has actually been exposed. The former requires an initial review and consensus among stakeholders with knowledge of the business processes, based on a leading-practice ruleset of conflicting functions, or SoD risks (e.g., the ability to create a vendor and the ability to pay a vendor). The latter is the central function of an access governance tool such as SAP Access Control, often known simply as GRC (short for Governance, Risk and Compliance). Some companies perform this analysis manually, but most companies running SAP have GRC or a similar tool connected to their SAP landscape, which monitors systems to identify SoD conflicts in user access. This SoD analysis provides the ‘can-do’ data, which answers the question: which users can act on SoD risks in our systems? Once this question is answered, a number of remediation and mitigation activities can be implemented to minimize access risk, such as fixing security roles or documenting mitigating controls within the processes. Unfortunately, these measures are often labor-intensive and costly, and they usually leave some residual risk.
Whether the unmitigated SoD access is due to headcount limitations, control effectiveness or something else entirely, there often remains the question: what actually occurred with this SoD access? This is called the ‘did-do’ data and can be captured through SoD quantification — an analysis focused on identifying and quantifying the financial exposure from SoD violation transactions (e.g., the same user creating a vendor and paying that same vendor). This type of analysis, historically a monumental task, can be automated with AVM. In the past, AVM was effectively an extension of GRC, but with the enhancements in the 4.0 release GRC is no longer a prerequisite, and additional use cases are now available.
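To make the can-do versus did-do distinction concrete, here is an added Python illustration (not Protiviti’s, Pathlock’s or AVM’s code, and not a description of how AVM is implemented). It runs the two analyses for the page’s example risk over a constructed sample: a ‘can-do’ pass over the functions each user’s roles grant, and a ‘did-do’ pass over a transaction log that sums the payment exposure wherever one user both created and paid the same vendor. The rule, users, vendor numbers and amounts are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample ruleset: one SoD risk made of two conflicting functions
# (the page's example risk: create a vendor and pay a vendor).
SOD_RULES = {"R01": ("VENDOR_MAINTAIN", "VENDOR_PAYMENT")}

# Constructed sample of what an access-risk analysis would produce:
# the business functions each user's roles grant.
USER_FUNCTIONS = {
    "alice": {"VENDOR_MAINTAIN", "VENDOR_PAYMENT"},
    "bob":   {"VENDOR_MAINTAIN"},
    "carol": {"VENDOR_PAYMENT"},
}

@dataclass(frozen=True)
class Txn:
    user: str
    function: str   # business function exercised
    obj: str        # object acted on (here: a vendor number)
    amount: float   # monetary value; 0.0 for master-data changes

# Constructed transaction log. alice creates vendor V100 and pays it twice;
# bob creates V200 but carol pays it, so no single user violates the risk there.
TRANSACTIONS = [
    Txn("alice", "VENDOR_MAINTAIN", "V100", 0.0),
    Txn("alice", "VENDOR_PAYMENT",  "V100", 12500.0),
    Txn("alice", "VENDOR_PAYMENT",  "V100", 800.0),
    Txn("bob",   "VENDOR_MAINTAIN", "V200", 0.0),
    Txn("carol", "VENDOR_PAYMENT",  "V200", 40000.0),
    Txn("alice", "VENDOR_PAYMENT",  "V300", 999.0),   # alice never maintained V300
]

def can_do(user_functions, rules):
    """'Can-do': users whose granted functions cover both sides of a risk."""
    return {rid: sorted(u for u, fs in user_functions.items() if f1 in fs and f2 in fs)
            for rid, (f1, f2) in rules.items()}

def did_do(transactions, rules):
    """'Did-do': the same user exercised both conflicting functions on the same
    object. Returns {rule_id: {user: summed exposure}}; rules with no
    violating transactions are absent from the result."""
    seen = defaultdict(set)                    # (user, obj) -> functions exercised
    for t in transactions:
        seen[(t.user, t.obj)].add(t.function)
    exposure = defaultdict(lambda: defaultdict(float))
    for rid, (f1, f2) in rules.items():
        for t in transactions:
            if {f1, f2} <= seen[(t.user, t.obj)] and t.function in (f1, f2):
                exposure[rid][t.user] += t.amount
    return {rid: dict(users) for rid, users in exposure.items()}
```

Note that alice appears in the can-do result regardless of activity, while the did-do result reports only the 13,300 she actually paid to the vendor she created; the payment on V300 is excluded because she never maintained that vendor.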
There are two core AVM products: System Integration edition (AVM-SI) and Risk Assessment edition (AVM-RA). AVM-SI provides the ability to connect GRC to other non-SAP applications. The benefits are self-evident; with more critical systems connected to monitoring solutions, more coverage and control can be established, more insight can be gained and more effective mitigation measures can be taken. AVM-RA provides the ability to automate the ‘did-do’ analysis described previously, while routing exceptions through an approval workflow. AVM-RA also provides interactive financial impact reporting, as well as functionality to systematically delegate exception transactions to the appropriate individuals, such as control owners or users’ managers, for review.
How our clients use AVM
Protiviti has provided personalized services for several Fortune 500 companies that needed to implement AVM. One global manufacturing company embarked on a multi-year SoD remediation effort that involved security redesign as well as business transformation, and it now uses AVM to manage the residual SoD conflicts in its landscape. It leverages AVM to connect to multiple ERP applications and to monitor over 50 different SoD risks with automated quantification controls. These controls route results to a central financial controls team, which reviews the exceptions and coordinates with local controllers on an as-needed basis to investigate suspicious transactions.
Another top global energy company had a robust SoD management process in place for SOX compliance but was spending a large amount of effort and audit dollars on periodic ‘lookback’ reporting to identify transactions that occurred from SoD access. The company implemented AVM across multiple ERPs and automated the lookback control process by routing user transaction exceptions for over 20 SoD risks directly to local supervisors. This created a one-stop shop for compliance teams and auditors to validate control effectiveness on-demand, thereby nearly eliminating the significant amount of labor previously associated with the control process while minimizing violations and access risk.
Many other large organizations have implemented AVM as a reporting solution to quantify the financial impact of SoD access, to strengthen the business case for transformation initiatives, or to justify residual SoD access in their SAP environments. The recent updates to AVM have added the capability to mine target applications for SoD transactions for all users, so there is no longer a dependency on GRC results as a starting point. This allows AVM results to be used to test SoD rulesets for gaps or to validate GRC reporting for false negatives. With so many use cases, this product can truly be used anywhere along the SoD maturity curve to improve SAP access control and empower organizations to make informed decisions on where to go next with their SAP access management initiatives.
Protiviti has helped many organizations reach new levels of SoD maturity through implementing AVM. If you are interested in further exploring how this solution could be leveraged to support your organization, please connect with Protiviti.