…Moff Tarkin can update salary information in the company HR system and approve payroll in the Death Star 365 ERP system. He increases the salary amount for Admiral Motti and then approves the payment in the ERP system. As a result, Motti receives a fraudulent salary. *Little-known fact: When Darth Vader finds out, this is the real reason he force chokes him, not due to a “disturbing lack of faith in the force.”
…Jabba The Hutt has access to the company’s CRM and ERP systems. He creates a sales order in the CRM system and then approves shipment to his address in the ERP system. He receives the goods fraudulently.
…Boba Fett is an ERP user who can modify customer master data and create a sales order/bounty. Using this access, he creates Not Tea Boba Co and an associated sales order resulting in a cash receipts theft.
In these cases, each person had access to both sides of a separation of duties (SOD) risk. As a result, they had complete control and could create and approve a fraudulent transaction themselves. The Emperor may be all about the “dark side”, but the fraud running rampant through his organization is costing him millions of Imperial Credits that could hamper construction of a second Death Star. You know, if something were to happen to the first one. To prevent this, organizations should ensure that the conflicting tasks within a process are assigned to different people.
It is becoming commonplace for companies to move away from a single monolithic software solution to manage all their business operations. Instead, they are deploying best-of-breed software to gain a competitive advantage. An organization could have separate applications for its ERP, procurement, HR, ticketing and CRM. They could even be running multiple applications for each due to mergers and acquisitions or different business requirements.
Managing risk in each application’s silo is no longer possible – organizations and galactic empires need a cross-application approach.
With the hundreds of roles, duties, privileges, authorization objects and transaction codes that come as standard “out-of-the-box” in these systems, there are potentially thousands of risks that conflicting privileges could introduce.
The increased complexity of having different tasks to complete a process spread across multiple business applications makes detecting and enforcing separation of duties particularly difficult. In addition, proving separation of duties controls to auditors becomes a significant challenge.
…where the separation of duties risks are across all your business applications?
…who has the authority in one or more of your applications to make potentially fraudulent changes in your database?
…how to perform SOD analysis across multiple applications to prevent fraudulent activity?
It’s not realistic to perform SOD analysis manually anymore – automation is the key.
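How an automated cross-application check works in practice, as an added example (not Fastpath's product or code; every application, role, privilege and user here is constructed to mirror the three cases above): each user's roles in every application are expanded into privileges, and each SOD rule's two sides are then matched against that combined set, so a conflict is found even when the two halves live in different systems.

```python
# Cross-application SoD check. Added example, not Fastpath's code; all
# applications, roles, privileges and users are constructed to mirror the post.
from itertools import product

# Role -> privilege map per application (what each role grants).
ROLE_PRIVILEGES = {
    "HR": {"hr_admin": {"update_salary"}},
    "ERP": {"payroll_approver": {"approve_payroll"},
            "shipping_approver": {"approve_shipment"},
            "customer_master": {"modify_customer_master"},
            "order_entry": {"create_sales_order"}},
    "CRM": {"sales_rep": {"create_sales_order"}},
}

# User -> {application: {roles}}; Piett holds one side only, so no conflict.
ASSIGNMENTS = {
    "tarkin": {"HR": {"hr_admin"}, "ERP": {"payroll_approver"}},
    "jabba": {"CRM": {"sales_rep"}, "ERP": {"shipping_approver"}},
    "fett": {"ERP": {"customer_master", "order_entry"}},
    "piett": {"ERP": {"order_entry"}},
}

# SoD rules: holding any (app, privilege) from side A together with any from
# side B is a conflict, whichever application each entitlement lives in.
SOD_RULES = {
    "fraudulent payroll": ({("HR", "update_salary")},
                           {("ERP", "approve_payroll")}),
    "fraudulent shipment": ({("CRM", "create_sales_order"),
                             ("ERP", "create_sales_order")},
                            {("ERP", "approve_shipment")}),
    "fictitious customer": ({("ERP", "modify_customer_master")},
                            {("ERP", "create_sales_order"),
                             ("CRM", "create_sales_order")}),
}

def effective_privileges(user):
    """Expand a user's roles in every application into (app, privilege) pairs."""
    return {(app, p) for app, roles in ASSIGNMENTS.get(user, {}).items()
            for role in roles for p in ROLE_PRIVILEGES[app].get(role, ())}

def sod_violations(user):
    """Return (rule, side-A entitlement, side-B entitlement) triples for a user."""
    privs = effective_privileges(user)
    return [(rule, a, b) for rule, (side_a, side_b) in SOD_RULES.items()
            for a, b in product(sorted(side_a & privs), sorted(side_b & privs))]

def scan_all():
    """Map each user with a conflict to the sorted list of rules they violate."""
    return {u: sorted({r for r, _, _ in sod_violations(u)})
            for u in ASSIGNMENTS if sod_violations(u)}
```

Feeding this real exports of role assignments from each application (instead of the constructed dictionaries) gives the auditor-facing evidence the post says is hard to produce by hand.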
To learn how you can effectively manage separation of duties across multiple applications and prevent fraudulent activities like the ones above, grab your lightsaber and watch our webinar on-demand to learn how to use the Force of strong internal controls in your business applications and protect your organization from the dark side of fraud. May the Fastpath be with you.
In case you missed it, our "Jedi Audit: Mastering Internal Controls in Business Applications" webinar is available on-demand: