Apps Segregation of Duties

  • 8/13/2019 Apps Segregation of Duties

    1/31

    2007 Protiviti Inc. Confidential: This document is for internal use only and may not be distributed to an outside party.

    SOD Remediation for Oracle Applications

    January 17, 2008

    NorCal OAUG Training Day

    2/31

    Introduction

    Vision without action is a daydream. But action without vision is a nightmare.

    - Japanese Proverb

    3/31

    Oracle Implementation/Upgrade

    Figure (diagram): PEOPLE (Users/Roles), PROCESSES (Business Flows), TECHNOLOGY (Oracle Applications)

    4/31

    Training Objectives

    Segregation of Duties Overview (SoD)

    SoD Assessment Approach

    Segregation of Duties Assessment Case Study

    Control Areas to Consider During An Upgrade or Implementation Project to Prevent Future Stand-Alone Remediation Projects

    5/31

    Segregation of Duties Overview

    6/31

    Common Compliance Pain Points

    Using/customizing seeded responsibilities and menus

    Responsibilities were not designed with SOX in mind or were not designed at all (seeded responsibilities are used out of the box)

    Trying to find/assess SoD conflicts without a tool (manual methods will miss places where users have access)

    7/31

    Segregation of Duties (SOD) Basics

    Segregation of Duties is meant to reduce the risk of concealment of employee error or fraud by separating the following high level functions:

    The recording of a transaction
    The authorization of the transaction
    Custody of the asset
    Control procedure (i.e. reconciliation)

    An essential feature of segregation of duties or responsibilities within an organization is that no one employee or group of employees has exclusive control over any transaction or group of transactions.

    8/31

    Opportunities for Automated Controls to Enforce SoD

    Figure (diagram): Transaction Processes, Transaction Approvals, Access to Physical Assets, Reconciliations

    9/31

    Segregation of Duties (SOD) Conflict Types

    Three-way SOD conflict - An individual can perform three of these four duties for a given asset:

    Custody of assets
    Authorization or approval of related transactions affecting those assets
    Execution of the transaction or transaction activity
    Reconciliation of related transactions

    Two-way SOD conflict - An individual can perform two of these four duties for a given asset

    10/31

    Segregation of Duty (SOD) Issues

    Role-based access often drives potential SOD issues

    Access should be granted based on pre-defined job descriptions

    Role-based security access should be customized per the business needs, not built on out of the box profiles, which typically do not address SOD and grant powerful access

    11/31

    Segregation of Duties (SOD) Examples

    Users with Voucher Entry & Purchase Order Entry

    Users with Voucher Entry and Create Payments

    Users with Create Receipts and Enter Sales Invoices

    Users with access to business processes should not have access to post Journal Entries

    Users with Administer Payroll and Administer Workforce

    Users with access to Payroll and HR present a risk of adjusting salaries, running payroll, then changing salaries back

    Beware of Sysadmin, Super User and other IT users with powerful access!

    12/31

    Segregation of Duties

    Assessment Approach

    13/31

    Our Approach to Optimizing & Sustaining ERP Compliance

    SoD, Security, Access, Provisioning, Application & Process Controls

    Figure (diagram): "Project to Process" cycle of Analyze, Standardize and Automate leading to Continuous Monitoring, supported by ERP Assessments, Consulting & Remediation Services, and Software.

    Analyze
    Perform assessments via Protiviti Assure methodology
    Deploy on internal audit and SOX clients or new clients to prove the case

    Standardize
    Clean-up Security/SOD issues
    Design automated controls
    Re-engineer SOX testing approach
    Design controls into new implementations

    Automate
    Implement continuous monitoring systems

    14/31

    An integrated implementation approach is necessary to design effective internal controls, understanding that system-based controls are more reliable and desirable. This pertains to both General Computer Controls as well as embedded application-specific controls. It is more efficient to get these right at the time of implementation.

    Figure (diagram): four control types, System-Based Preventive Control, System-Based Detective Controls, People-Based Preventive Control and People-Based Detective Control, ranked along Desirable and Reliable axes. Labels on the figure: Standard within the Software; Configuration Options; Application Security; Effectiveness in SOX Testing Efforts; Policies; Procedures; Monitoring / Exception Reporting; Reconciliations; Extensive SOX Testing Efforts; Optimize Automated Controls.

    15/31

    Segregation of Duties

    Assessment Case Study

    16/31

    Case Study Scenario

    Project: SoD Remediation

    Objective: To assist the client with remediation of SoD conflicts and user access to sensitive abilities in Oracle prior to their External Audit.

    Tools:
    Oracle Internal Controls Manager (ICM)
    The client's corporate SoD Rule Set

    Approach:
    1. Review the initial SoD conflict and Sensitive Abilities results using ICM constraint reports
    2. Identify any false positives and enter the appropriate waivers in ICM
    3. Review the remaining SoD conflict and Sensitive Abilities results with the appropriate business owners to determine what security changes can be made to resolve the issues
    4. Develop mitigating control suggestions based on input from management to address remaining conflicts

    17/31

    Examples from the Procure to Pay (PTP) Cycle

    Sensitive Ability Constraints Reviewed:

    Type | Sensitive Ability
    Transaction | Maintain Buyers (Buyers)
    Set Up | Maintain Approvals (Signing limits)

    SOD Constraints Reviewed:

    Function 1 | Function 2
    Create PO/Blanket PO | Maintain Buyers
    Maintain PO/Blanket PO | Maintain Buyers
    Receive Goods | Create PO/Blanket PO
    Receive Goods | Maintain PO/Blanket PO
    Process Invoices | Process Payments
    Process and Maintain Invoices | Create PO/Blanket PO
    Process and Maintain Invoices | Maintain PO/Blanket PO
    Process and Maintain Invoices | Receive Goods
    Process and Maintain Invoices | Maintain Goods
    Process Debit/Credit Memos | Maintain PO/Blanket PO
    Process Debit/Credit Memos | Receive Goods
    Process Debit/Credit Memos | Maintain Goods
    Process Debit/Credit Memos | Process and Maintain Payments
    Release Invoice Holds | Receive Goods

    18/31

    Examples from the Order to Cash (OTC) Cycle

    Sensitive Ability Constraints Reviewed:

    Type | Sensitive Ability
    Set Up | AR and OM Setup
    Set Up | Interface Processing

    SoD Constraints Reviewed:

    Function 1 | Function 2
    Enter Cash Receipts | Enter Sales Orders
    Enter Cash Receipts | Approve Invoice Adjustments
    Enter Cash Receipts | Process AR Invoices
    Create Customers | Enter Sales Orders
    Create Customers | Enter RMA
    Create Customers | Process Debit/Credit Memos
    Create Customers | Process AR Invoices
    Create Customers | Process Transactions
    Create Customers | Enter / Maintain Cash Receipts (2)
    Create Customers | Maintain Misc Cash Receipts
    Maintain Customers Profile | Enter Sales Orders
    Maintain Customers Profile | Enter Cash Receipts
    Maintain Customers Profile | Maintain Cash Receipts
    Maintain Customers Profile | Maintain Misc Cash Receipts
    App Invoice Adj | Process Inv Adj
    Process AR Inv / Process Trans | Approve Invoice Adj (2)
    App Invoice Adj | Maint Inv Adj

    19/31

    Sample PTP ICM Violation Report (figure): Inter-Responsibility Conflict

    20/31

    Sample OTC ICM Violation Report (figure): Intra-Responsibility Conflict
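    The following Python script is an added example, not part of the original deck, an ICM feature or Protiviti code. It works through the assessment approach of slide 16 (rule-set evaluation, waivers for documented false positives, sensitive abilities) over the Oracle security model, classifies each hit as intra- or inter-responsibility as the ICM reports on slides 19 and 20 do, and counts how many of the four duties of slide 9 a user can perform, which is what makes a hit a two-way or three-way conflict. Every menu, responsibility and user name is constructed; the rule pairs are the PTP constraints of slide 17, and the mapping of functions onto the four duties is an assumption that a real rule set would carry explicitly.

```python
"""SoD conflict analysis over Oracle Applications style security objects.

Added example with constructed data. Model: user -> responsibilities ->
menu functions minus responsibility-level exclusions; a rule set of
conflicting function pairs; waivers for documented false positives; a
sensitive-ability list; and an assumed function-to-duty mapping.
"""
from collections import defaultdict

# Constructed menus (hypothetical names; function names from slide 17).
MENUS = {
    "PO_BUYER_MENU": {"Create PO/Blanket PO", "Maintain PO/Blanket PO", "Maintain Buyers"},
    "PO_RECEIVING_MENU": {"Receive Goods"},
    "AP_CLERK_MENU": {"Process Invoices", "Release Invoice Holds"},
    "AP_PAYMENTS_MENU": {"Process Payments"},
}

# Constructed responsibilities: (menu, functions excluded at responsibility level).
# The same menu can be reused with a narrower grant through exclusions.
RESPONSIBILITIES = {
    "Purchasing Buyer": ("PO_BUYER_MENU", {"Maintain Buyers"}),
    "Purchasing Super User": ("PO_BUYER_MENU", set()),
    "Receiving Clerk": ("PO_RECEIVING_MENU", set()),
    "Payables Clerk": ("AP_CLERK_MENU", set()),
    "Payables Manager": ("AP_PAYMENTS_MENU", set()),
}

# Constructed user-to-responsibility assignments.
USER_RESPS = {
    "JSMITH": ["Purchasing Buyer", "Receiving Clerk"],
    "AKHAN": ["Purchasing Super User"],
    "MLEE": ["Payables Clerk", "Payables Manager"],
    "RDIAZ": ["Receiving Clerk"],
}

# Rule set: conflicting function pairs (the PTP constraints of slide 17).
RULES = [
    ("Create PO/Blanket PO", "Maintain Buyers"),
    ("Maintain PO/Blanket PO", "Maintain Buyers"),
    ("Receive Goods", "Create PO/Blanket PO"),
    ("Receive Goods", "Maintain PO/Blanket PO"),
    ("Process Invoices", "Process Payments"),
    ("Process Invoices", "Create PO/Blanket PO"),
    ("Process Invoices", "Receive Goods"),
    ("Release Invoice Holds", "Receive Goods"),
]
SENSITIVE = {"Maintain Buyers", "Maintain Approvals"}

# Assumed mapping of functions onto the four duties of slide 9
# (custody, authorization, execution, reconciliation).
DUTY = {
    "Create PO/Blanket PO": "authorization",
    "Maintain PO/Blanket PO": "authorization",
    "Release Invoice Holds": "authorization",
    "Receive Goods": "custody",
    "Process Payments": "custody",
    "Process Invoices": "execution",
}

# Waivers entered after the false-positive review (step 2): (user, sorted pair).
WAIVERS = {("MLEE", ("Process Invoices", "Process Payments"))}


def effective_functions(resp):
    """Functions a responsibility really grants: its menu minus its exclusions."""
    menu, excluded = RESPONSIBILITIES[resp]
    return MENUS[menu] - excluded


def function_sources(user):
    """Map each function the user can reach to the responsibilities granting it."""
    sources = defaultdict(set)
    for resp in USER_RESPS[user]:
        for fn in effective_functions(resp):
            sources[fn].add(resp)
    return sources


def analyze_user(user):
    sources = function_sources(user)
    conflicts = []
    for a, b in RULES:
        if a in sources and b in sources:
            pair = tuple(sorted((a, b)))
            # Both sides reachable from one responsibility: intra-responsibility
            # (fix the responsibility design); otherwise inter (fix the assignment).
            kind = "intra" if sources[a] & sources[b] else "inter"
            status = "waived" if (user, pair) in WAIVERS else "open"
            conflicts.append({"pair": pair, "type": kind, "status": status,
                              "via": {a: sorted(sources[a]), b: sorted(sources[b])}})
    duties = {DUTY[fn] for fn in sources if fn in DUTY}
    return {
        "conflicts": conflicts,
        "sensitive": sorted(fn for fn in sources if fn in SENSITIVE),
        "duties": sorted(duties),
        "n_way": len(duties),  # 2 = two-way, 3 = three-way conflict (slide 9)
    }


def open_conflicts(user):
    """Conflicts still needing a security change or a mitigating control (steps 3-4)."""
    return [c for c in analyze_user(user)["conflicts"] if c["status"] == "open"]


def report():
    return {user: analyze_user(user) for user in USER_RESPS}


if __name__ == "__main__":
    for user, result in report().items():
        print(user, "n_way=%d" % result["n_way"], "sensitive=%s" % result["sensitive"])
        for c in result["conflicts"]:
            print("  %s %s: %s via %s" % (c["status"], c["type"], " / ".join(c["pair"]), c["via"]))
```

    Two points the output makes that a flat conflict list hides: AKHAN's hits are intra-responsibility, so no reassignment fixes them and the seeded Super User responsibility itself has to be narrowed (the pain point on slide 6), and MLEE still reaches three of the four duties even though the one rule hit is waived, so the waiver should not end the review of that user.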

    21/31

    PTP Conflict Compensating Control Suggestions

    Conflict | Risk | Possible Compensating Control
    Create PO / Maintain Buyers | Unauthorized Buyer can create PO | Configurable Control: PO Approval Groups and Assignments; do not allow "Owner can Approve" his own PO
    Process DM CM / Process Payments | Erroneous or unauthorized payments to vendors | Check Signatures, Invoice Matching Process; Hold Unmatched Invoices
    Process Invoices / Create PO | Erroneous or unauthorized payments to vendors | PO Approval hierarchy, Invoice Matching Process; Hold Unmatched Invoices
    Process Invoices / Maintain (Receive) Goods | Erroneous or unauthorized payments to vendors | Inventory Cycle Counting, Invoice Matching Process; Hold Unmatched Invoices
    Process Invoices / Maintain PO | Erroneous or unauthorized payments to vendors | PO Approval hierarchy, Invoice Matching Process; Hold Unmatched Invoices
    Process Invoices / Process Payments | Erroneous or unauthorized payments to vendors | Check Signatures, Invoice Matching Process; Hold Unmatched Invoices
    Receive Goods / Create or Maintain POs | Unauthorized purchase or erroneous recording of liability | PO Approval hierarchy, Invoice Matching Process; Hold Unmatched Invoices
    Release Invoice Holds / Receive Goods | Erroneous or unauthorized payments to vendors | Inventory Cycle Counting, Invoice Matching Process; Hold Unmatched Invoices

    22/31

    OTC Conflict Compensating Control Suggestions

    Conflict | Risk | Possible Compensating Control
    Approve Invoice Adjustment / Maintain Invoice Adjustment | Unauthorized write off of invoices | Configurable Control: Approval Limits
    Create Customer / Enter Cash Receipts | Fictitious customer; hide cash receipt | Customer Statements; SoD of handling, logging and depositing of checks received from customers; bank reconciliations
    Create Customer / Enter RMAs | Unauthorized credit given to customers | Customer Statements, review of open RMAs
    Create Customer / Enter Sales Orders | Unauthorized sales order and shipment of goods | Configurable Control: Sales Order Approval workflow
    Create Customer / Maintain Cash Receipts | Hide cash receipt | Review of Reversed Cash Receipts; Cash Receipt deletion not allowed by the system
    Create Customer / Process DM CM | Unauthorized credit given to customers; unauthorized changes to customer records; hide cash receipt | Customer Statements; Review of AR Aging; SoD of handling, logging and depositing of checks received from customers; bank reconciliations
    Enter Cash Receipts / Approve Invoice Adjustments | Unauthorized write off of invoices | Configurable Control: Approval Limits
    Maintain Customer Profile / Enter Sales Orders | Unauthorized sales order and shipment of goods | Configurable Control: Sales Order Approval workflow
    Maintain Customer Profile / Maintain Misc Cash Receipts | Hide cash receipt | SoD of handling, logging and depositing of checks received; bank reconciliations

    23/31

    Additional Recommendations

    The following are improvements that would eliminate the need for compensating controls:

    Restrict Access for Release Holds and Sales Order entry. Access to the Sales Order form is required to be able to release holds. The ability to Release Holds, however, should be excluded from those users who should NOT be able to release an order. The best practice is to restrict this access to those in credit management who approve the release of credit hold on an order. This is normally considered the higher risk area with regards to Sales Order processing.

    Rearrange department responsibilities to make supervisors approvers and reviewers only, not doers. This would mean that access for supervisors is mostly View Only, except for the approval of transactions. The team would have the access to process transactions. Supervisors would approve any changes or adjustments and delegate processing to their teams.

    Functions with Inquiry Only access should be designated as View Only in the function name to simplify future audit related activities. This can be done by creating a copy of the normal function, giving it a name with View Only in it, and adding the parameter QUERY_ONLY="YES" to the function. By designating these functions clearly, the access would be more easily justified.

    24/31

    Additional Recommendations (Cont.)

    The following are improvements that would eliminate the need for compensating controls:

    Access to Setups should be limited to Inquiry Only access. The IT and Business Analysts should be given a responsibility that has Inquiry Only access to all setups in production, but read/write access in a development environment. This would enable them to view any setup for troubleshooting. When they determine that a change should be made in the system, they should follow the Change Management process: file a change request and have it tested in dev and approved by the business owner. When the approval is received, the System Administrator would grant the BA temporary access to the Super User responsibility to make the change in production. This is considered a best practice, as it keeps Super User access to a minimum.

    Access to Super User responsibilities should also be granted on a temporary basis only and be controlled through the change management process. The process should require appropriate business/process owner approval prior to granting temporary access. Responsibilities granted temporarily should be end dated at the time the access is granted, based on the amount of time access is needed.
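    As an added example (constructed rows, not a Protiviti or Oracle tool), the following Python check implements the two rules of this slide as a periodic review: a powerful responsibility must be backed by an approved change request and must be end dated at grant time for the period actually needed. The responsibility names, the five-day window and the row layout are assumptions; in a real review the rows would come from the FND_USER_RESP_GROUPS view (user, responsibility, start and end date) joined to the change-management record.

```python
"""Review of temporary Super User grants (added example with constructed rows).

Checks the slide 24 rule: powerful responsibilities are granted only against
an approved change request and are end dated at grant time for the period
actually needed. Names, the policy window and the row layout are assumptions.
"""
from datetime import date

PRIVILEGED = {"System Administrator", "Purchasing Super User", "Payables Super User"}
MAX_TEMP_DAYS = 5  # assumed policy: a temporary grant may not exceed this window

# Constructed assignments: (user, responsibility, start, end, approved change request)
ASSIGNMENTS = [
    ("JSMITH", "Purchasing Buyer",      date(2008, 1, 2),  None,              None),
    ("AKHAN",  "Purchasing Super User", date(2008, 1, 14), date(2008, 1, 16), "CR-1042"),
    ("MLEE",   "Payables Super User",   date(2008, 1, 10), None,              "CR-1039"),
    ("RDIAZ",  "System Administrator",  date(2007, 11, 1), date(2008, 3, 31), None),
    ("BA01",   "Purchasing Super User", date(2008, 1, 15), date(2008, 1, 17), None),
]


def review(assignments, today, max_days=MAX_TEMP_DAYS):
    """Return {user: [issues]} for privileged grants that break the policy.

    Grants that have already expired are skipped: the control is that the end
    date was set when the access was granted, and an expired row is the
    desired outcome, not a finding.
    """
    findings = {}
    for user, resp, start, end, change_request in assignments:
        if resp not in PRIVILEGED:
            continue                      # ordinary responsibility, out of scope
        if end is not None and end < today:
            continue                      # already expired: the control worked
        issues = []
        if end is None:
            issues.append("%s: not end-dated" % resp)
        elif (end - start).days > max_days:
            issues.append("%s: %d-day window exceeds %d-day policy"
                          % (resp, (end - start).days, max_days))
        if change_request is None:
            issues.append("%s: no approved change request" % resp)
        if issues:
            findings.setdefault(user, []).extend(issues)
    return findings


def active_privileged(assignments, today):
    """Users holding a powerful responsibility on the review date."""
    return sorted({u for u, r, s, e, _ in assignments
                   if r in PRIVILEGED and s <= today and (e is None or e >= today)})


if __name__ == "__main__":
    today = date(2008, 1, 15)
    for user, issues in review(ASSIGNMENTS, today).items():
        print(user, "; ".join(issues))
    print("active privileged users:", active_privileged(ASSIGNMENTS, today))
```

    Run against the constructed rows on 15 January 2008, AKHAN is clean (two-day window, approved request), MLEE's open-ended Super User grant and RDIAZ's five-month System Administrator grant are the kind of standing access the slide warns about, and BA01 shows a correctly end dated grant that still has no approval on record.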

    25/31

    Control Areas to Consider During An Upgrade or Implementation Project to Prevent Future Stand-Alone Remediation Projects

    26/31

    Transaction Processing Controls

    Business processes supported and impacted by applications must ensure information integrity through effective design, development, and usage of:

    Manual Process Controls
    policies and procedures
    reconciliations, reviews and approvals
    management reporting

    Application Interface Controls
    restart and recovery procedures
    control totals
    job monitoring
    error handling

    Facilitation of Audit Needs
    transaction logs
    historical data access
    transaction references
    meaningful descriptions/ classifications

    Automated Application Controls
    field edits
    workflow approvals
    error messages
    matching tolerances
    number ranges
    default values
    posting keys
    document matching
    recurring entries

    27/31

    Security Administration

    Security strategies, tools, personnel, and processes should be coordinated effectively to address the following key components:

    Administration
    provisioning (granting, termination, and modification) of user IDs
    workflow / approvals
    tool administration
    password resetting
    password parameters

    Segregation of duties
    separation of incompatible functions
    data owner monitoring of access levels

    Sensitive access
    powerful authorities
    post-implementation support

    28/31

    Data Management

    As part of the implementation, data must be converted and then maintained to ensure the integrity of system processing. The following are critical considerations in this area:

    Master Data Maintenance
    data ownership policies and procedures
    impact analysis

    Data Archiving
    system performance and storage requirements
    data access requirements
    data redundancy

    Data Conversions
    data mappings
    conversion design
    conversion testing
    reconciliation

    Data Cleansing
    inactive data
    duplicative data
    erroneous data

    During an upgrade, data management activities may relate only to completing the upgrade process steps of what to correct by module (i.e. data re-mapping, etc.)

    29/31

    Change Management & Testing

    Change management is critical for ensuring consistency of processing throughout an application's life cycle. This effort includes:

    Client strategy (e.g. dev, test, prod)

    Image refreshes

    Object migration

    Problem management for ongoing changes

    Version control

    All development and implementation efforts must include thorough testing to ensure defined solutions are complete and accurate. This effort includes:

    Comprehensive test plan for functionality, security, and controls

    Documented test cases and test results

    Sign-off and acceptance

    Use of positive and negative testing techniques

    30/31

    Things to Consider When Implementing/Upgrading

    ERP systems are already built with standard business process functionality and it is best to try to avoid programming, meaning we want to implement the out of the box solution and limit customizing the application as much as possible

    Limiting customizations and designing them correctly can prevent problems when upgrading in the future. For example, creating new customized menus with unique names will prevent overrides during upgrades, which can occur if you customize a standard menu.

    The difference between a manual control and an automated one is mostly a change of focus from detective to preventive control. Preventive controls are considered to be stronger and therefore preferred controls.

    The more automated controls you can implement (instead of relying on manual controls), the more you can reduce audit/testing efforts. Automated controls can be tested immediately and require only 1 sample, while manual controls must be demonstrated over time and multiple samples must be tested based on control frequency (i.e. daily, monthly, etc.).

    31/31

    Summary

    Segregation of Duties Overview (SoD)

    SoD Assessment Approach

    Segregation of Duties Assessment Case Study

    Control Areas to Consider During An Upgrade or Implementation Project to Prevent Future Stand-Alone Remediation Projects

    Questions?

