Fastpath Blog - Articles on Security, Audit and Compliance

Automating Segregation of Duties (SoD) Controls Reduces Risk

Written by Frank Vukovits | Jul 30, 2024 12:00:00 PM

There are more employees with access to critical business applications than ever. These business applications improve your efficiency, but they also increase your risk of fraud.

Organizations lose 5% of their revenue to fraud each year, and the average fraud loss per case is $1.7M, according to the Association of Certified Fraud Examiners in Occupational Fraud 2024: A Report to the Nations.

Strong detective, preventive, and mitigating controls such as Segregation of Duties (SoD) lower your risk. In this blog, you’ll learn best practices for automatically managing and monitoring access to business applications by aligning SoD requirements with identity security workflows. Whether you’re a member of the finance team, an auditor responsible for reviewing internal controls, or part of the IT ops team responsible for managing access for privileged users, understanding these best practices will help you save time and protect your organization.

What is Segregation of Duties?

Segregation of Duties is an internal control whereby various steps of a task or transaction are assigned to different individuals, avoiding over-provisioning and toxic combinations of access rights. You can learn more about the basics of SoD here.

Let’s look at common tasks managed by an accounting department, where 12% of fraud cases originate, to explain how SoD works. SoD can be as simple as specifying that the person entering accounting information into your Enterprise Resource Planning (ERP) system isn’t the same person approving entries. In addition, a single individual shouldn’t be allowed to set up new vendors AND pay those same vendors. A malicious insider could make fraudulent payments to vendors, siphoning off money in an embezzlement scheme.

Why automate SoD controls?

Internal controls such as SoD are an established best practice for risk management and required for organizations that must abide by the Sarbanes-Oxley Act. And yet, incidents of fraud occur due to a lack of internal controls 32% of the time.

What makes internal controls so difficult?

With the rise of remote work, distributed workforces, and cloud environments, preventing fraud in business applications has never been more important or more complex to achieve. Many organizations have 10-15 business applications that manage critical functions like financial transactions. It’s virtually impossible to manually keep track of all the access provisioned for employees, let alone check for Segregation of Duties conflicts, where access has been over-provisioned, introducing fraud risks.

Across the modern enterprise, there are literally thousands of security access records to review and compare for SoD.

Consider:

  • SAP “out of the box” starts with 5,000+ authorization objects and 125,000+ transaction codes.
  • Microsoft Dynamics 365 F&SC “out of the box” starts with 120 roles, 1,478 duties, and 11,863 privileges.

Some internal audit and finance departments have attempted to review for SoD conflicts with manual processes, supported with large spreadsheets generated from the IT department, only to find the data is too large to handle, too time-consuming to review, and most importantly—the manual exercise is prone to omissions and errors.

Things are further complicated in manual SoD processes as more interconnected applications and processes are introduced into business environments.

Managing access risk across critical applications in your IT environment can only be accomplished with solutions that deploy automation.

  • Automation ensures all user access data is pulled from 100% of individual applications for comprehensive analysis. For each user, you can see what access has been assigned to execute tasks in the business application.
  • With automation, detailed SoD analysis, including all permutations and combinations of toxic access, can be done quickly. This analysis is driven by an SoD conflict ruleset, which is best developed and maintained in a solution that has automated the SoD review process. The ruleset is the source of truth for all toxic combinations and is best kept in a tool that automates the creation and maintenance of SoD conflict definitions.

What access management workflows should you automate?

Let’s highlight a couple of areas where automation of workflows strengthens your internal control system.

Provisioning user access

When you check for SoD BEFORE granting/provisioning access, you can make an informed decision whether to allow the SoD conflict risk or not.

Within the enterprise, provisioning user access may be conducted by IT ops, the team responsible for overall identity management as people join, change roles, and leave the organization. When it comes to applications, provisioning may be managed by the business team or application owner, directly within the application. Automation ensures SoD checks are completed regardless of where provisioning occurs, so that both IT and business teams are following best practices and SoD conflicts are avoided.

During the user access provisioning process, there is too much data to perform SoD checks manually. Automation can help ensure access isn’t granted on an ad hoc basis but rather follows established workflows and policies.
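To make the ruleset and the pre-provisioning check concrete, here is a small added example (not Fastpath's code or any product's logic): a conflict ruleset built from the two toxic combinations named above, an access-review pass over constructed user-to-duty assignments, and a check that reports only the new conflicts a proposed grant would introduce. All user names, duty names and rule ids are constructed for illustration.

```python
# Added example: minimal SoD conflict checker with a pre-provisioning check.
# Duty names, rule ids and user assignments below are constructed, not taken
# from any real application.

# Constructed ruleset: each rule is a set of duties that must not be held
# together by one person. Sets of any size work, so three-way "toxic
# combinations" can be expressed the same way as pairs.
SOD_RULES = {
    "vendor-master-vs-payment": frozenset({"maintain_vendors", "pay_vendors"}),
    "entry-vs-approval": frozenset({"enter_journal_entries", "approve_journal_entries"}),
}

# Constructed snapshot of access pulled from an application, per user.
USER_DUTIES = {
    "alice": {"maintain_vendors", "enter_journal_entries"},
    "bob": {"pay_vendors", "approve_journal_entries"},
    "carol": {"maintain_vendors", "pay_vendors"},  # already in conflict
}


def find_conflicts(duties, rules=SOD_RULES):
    """Return the sorted ids of every rule fully covered by `duties`."""
    return sorted(rule_id for rule_id, toxic in rules.items() if toxic <= set(duties))


def review_users(user_duties, rules=SOD_RULES):
    """Access review: map each user to the conflicts in their current access."""
    return {user: find_conflicts(duties, rules) for user, duties in user_duties.items()}


def check_provisioning(user, new_duty, user_duties, rules=SOD_RULES):
    """Pre-provisioning check: conflicts that granting `new_duty` would create.

    Conflicts the user already has are not reported again, so the approver
    sees exactly the risk introduced by this request.
    """
    current = set(user_duties.get(user, set()))
    before = set(find_conflicts(current, rules))
    after = set(find_conflicts(current | {new_duty}, rules))
    return sorted(after - before)


if __name__ == "__main__":
    for user, conflicts in review_users(USER_DUTIES).items():
        print(f"{user}: {conflicts or 'no conflicts'}")
    print("grant pay_vendors to alice ->", check_provisioning("alice", "pay_vendors", USER_DUTIES))
```

Run on the constructed data, the review flags only carol, and the request to grant alice pay_vendors is flagged before the access exists rather than at the next review.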

Access reviews

Automating user access reviews ensures enforcement and accountability, proactively identifying risk and holding individuals and departments accountable to mitigate risks as they arise. Owners of business applications are responsible for monitoring access to their applications, including reviewing SoD risks, and automation provides the best way for this monitoring to occur.

Automation saves access management and auditing time

Finance and risk professionals weren’t primarily hired to conduct SoD reviews and monitor controls. The sooner these employees can get back to the tasks they were hired for, the happier they’ll be.

Automation also reduces the time needed for auditors to review your internal controls and procedures. SoD reports can easily be saved as audit evidence.

Automation requires proper planning and execution

Hopefully by now, you understand how automation can help with business application controls monitoring, especially around Segregation of Duties. However, there are no silver bullets.

Effective implementation of automation to provide for strong internal controls requires various roles across the company to work together. This includes the risk management team, including finance, IT, internal auditors, compliance, and legal, among other departments, all with support from department managers, data owners, and business operations.

Finally, the support of the executive management team for using automation to underpin a strong internal control system is paramount as well.

Migrating from manual processes to automated controls doesn’t happen overnight; it requires careful planning by the implementation team. Where do you start? Not all controls are considered equal in terms of risk, and neither are all business processes. Controls need to be strongest inside your highest-ranking business applications, such as ERP and other systems that manage financial processes or sensitive personal information (PII).

With automation comes great benefits, from resource savings to elimination of errors, and Segregation of Duties is one of the best places to deploy automation to lower your fraud risk and enhance your internal control system.

Download our whitepaper to learn how to introduce automation into your control environment.