Embed Size (px)
Citation preview
04/19/23 1
Business ConsiderationsExample Approach to an SOD
ProgramClient PreparationSample SOD ControlsSample Output from SOD
AssessmentCost Estimate for SOD Assessment
04/19/23 2
Business Considerations
04/19/23 3
Segregation of Duties (SOD) is the separation of incompatible duties that could allow one person to commit and conceal fraud that may result in financial loss or misstatement to the company. Segregation of duties may be within an application or within the infrastructure.
04/19/23 4
• Represents a key internal control that ensures no single person has too much influence over any business transaction or operation
• Serves to prevent unintentional errors or fraud and ensure timely detection of errors that may occur
• Provides a method of improving organizational, business process and IT control alignment
Segregation of duties has always been an important component of a properly
functioning internal control environment
Control deficiencies, typically, stemmed from changes or actions taken outside of the formal processLimited mechanisms to consistently enforce policies at an enterprise levelLack of strong executive-level support and insufficient alignment between IT and the businessLack of user education & awareness regarding SODManagement’s preference to rely on mitigating controls in place of implementing proper SODInadequate policies and procedures for effectively changing or removing access when users change jobs or leave the companyLimited automated reporting capabilities for IT controlsNo monitoring tools/capability to periodically review “access rights”
04/19/23 5
Typically, leads to access creep, fraud risk, and failed user management processes
Drivers causing companies to consider use of Segregation of Duties (SOD) in the management of their business
Regulatory Compliance - Sarbanes-Oxley and other regulatory issues are forcing companies to increase their awareness and accountability of their employees actions within the companySecurity and Data Management – Recent privacy laws and prosecution of security violations is bringing a new awareness to monitoring and controlling security and access to data within the organizationAccess Management – Provisioning and management of users access to applications have not been enforced, resulting in access creepRapid Implementation of ERPs – Application Security was often overlooked or implemented incompletely (Segregation of Duties was not addressed)
04/19/23 6
Sarbanes-Oxley is now providing a compelling case for the implementation and maintenance of appropriate segregation of duties at the organizational, manual process and system Level.
Not only should business functions be separated departmentally, and at an even more granular level within departments, companies now find that they need to provide system enforcement of traditional segregation of duties modelsExternal auditors are insisting on evidence that proper segregation of duties exists
04/19/23 7
Recent privacy laws and prosecution of security violations is bringing a new awareness to monitoring and controlling security and access to data within the organization.
Lack of application specific Segregation of Duties are resulting in Access Creep, Fraud Risk, Failed User Management ProcessesDisclosure of sensitive information can have a negative impact on shareholder valueIncreased use of web services (online auctions and banking) has brought increased risk of identity theft and fraudPrivacy laws and disclosure of violations is increasing the need for proactive segregation and control over access to data
04/19/23 8
Recent privacy laws and prosecution of security violations is bringing a new awareness to monitoring and controlling security and access to data within the organization.
Lack of application specific Segregation of Duties are resulting in Access Creep, Fraud Risk, Failed User Management ProcessesDisclosure of sensitive information can have a negative impact on shareholder valueIncreased use of web services (online auctions and banking) has brought increased risk of identity theft and fraudPrivacy laws and disclosure of violations is increasing the need for proactive segregation and control over access to data
04/19/23 9
Implementation of identity management and ERP tools provides an avenue to leverage technologies to enforce and regulate enterprise level segregation of duties.
Established authoritative sources of information through ERP systems (HRMS)Leverage user lifecycle through role based access control and system integrationAutomated provisioning to lower operational costsGreater visibility by management to monitor user activityCentralization of user ID management for multiple applications through the single sign-on concept
04/19/23 10
Client Preparation
04/19/23 11
Take a copy of Production Instance to create Test Instance Provide OIC with System Administrator Access to Test
Instance Identify Business Owner (BPO) for each Business Process
Flow who can make decisions regarding access privileges to grant to users
Identify System Administrator who will modify Oracle Menus and/or Responsibilities to Remediate SOD incidents
Provide Copy of Change Controls Policies so that we can revise the Production Instance in accordance with Client Policy
Review SOD Rules with External Auditors Finalize SOD Design with BPO
04/19/23 12
Example Approach to Segregation of Duties
Assessment
04/19/23 13
Establishing a process for defining SOD rules and policies, aligning organization and process, establishing enforcement, mitigating controls and monitoring are essential components of an SOD solution that helps meet business objectives.
Comply with the regulatory requirements, example Sarbanes- Oxley legislationImprove company-wide internal control structureMitigate the risk of intentional fraud or unintentional error to the organizationAlign functions organizationally with common best practicesGain a level of comfort that the financial statements are free from misstatementImprove financial data, thereby improving management reportingSatisfy increasing customer and investor demands for sound internal controls
04/19/23 14
Component Tasks Comments
Rules and Policies • Confirm SOD requirements (including regulatory compliance
• requirements)• Develop segregation of duties rules• Develop restricted access rules• Eliminate false positives from rule set• Define manual segregation of duties components
We have several hundred SOD Rules developed by Oracle and the Big 4 Accounting Firms that we use to evaluate SOD Controls.
Organizational and Process Alignment
• Perform risk assessments to identify requirements and strategies
• Identify key stakeholders and establish a communication plan
• Understand and adapt standards (including policies and procedures)
• Build and maintain support within initiative and within organization
• Align processes to effect the proper balance between control value and operational efficiency (cost vs. benefit analysis)
• Identify appropriate segregation points within relevant processes
• Obtain buy-in to SOD solution from process owners
These are best practices that every organization should implement
Establish Enforcement
• Assist in selecting the appropriate technology solution• Pilot the implementation to validate the solution• Implement the solution; deliver in phases (highest value
first)• Test performance and functionality• Assist in selecting the appropriate technology solution• Pilot the implementation to validate the solution• Implement the solution;
We recommend that you use Oracle Application Access Controls Governor (AACG) to facilitate enforcement of SOD Controls. You can establish preventive enforcement by integrating Oracle AACG with Oracle Preventive Controls Governor (PCG)
04/19/23 15
Component Tasks Comments
Remediating Controls
• Revise security model to eliminate SOD control violations• Eliminate false positives from rule set
We review the GRC reports with your Business Process Owners (BPO) and System Administrators to help you revise your Oracle Application Security Model to resolve SOD Control violations.
Mitigating Controls
• Develop compensating controls to address functions, which cannot be adequately segregated.
We help you define, document and implement (if necessary) compensating controls for functions that cannot be adequately segregated.
Monitoring and Governance
• Adhere to business policies and procedures after initial deployment
• Perform periodic SOD assessments to validate adherence to policies and rules
• Adapt solution as the business changes (e.g. M&A, reorganizations, upgrades, implement new Oracle applications, etc.)
This process would be very difficult to complete without installing and deploying the Oracle GRC Controls, which includes Oracle Application Access Controls (AACG) for Restricted Access and SOD, and Oracle Transaction Controls.
The OIC offers periodic SOD Assessment Services.
04/19/23 16
The ability to fine-tune user access—and to track that access—is key to complying with regulatory requirements and ensuring corporate security. Oracle Application Access Controls Governor provides real-time monitoring and proactive enforcement of crucial access policies, such as those that support segregation of duties (SOD). The system anticipates potential SOD conflicts before they arise, and even prevents any assignment of roles or responsibilities within an application that would compromise proper segregation of duties. Application Access Controls Governor also extends key access controls to "super-users" and temporary or contract workers.
Real-time monitoring and enforcement of SOD controls, including prevention of access provisioning that would jeopardize SODGraphical simulation to look into access points, detect SOD conflicts, and evaluate treatment optionsComprehensive library of best practice SOD controls
04/19/23 17
04/19/23 18
04/19/23 19
Task #
In Scop
e
Task Responsibility
Comments
1 Yes Extract Data from Client EBS Test or Production instance
Client We recommend that you take a copy of your Production to perform this step. We provide you with a script that extracts the information that we need to complete an analysis of your SOD Controls
2 Yes Create a Database for Client Data OIC We create a Database on the server that hosts our instance of Oracle Application Access Controls Governor (AACG). We will use this Database to import the data that we extract from your EBS Instance.
3 Yes Import Data into Database Import Data that we extracted from your EBS instance into the Database that we created to store that data.
4 Yes Define Client’s Database as a Datasource in AACG
OIC Our DBA will create a Datasource in Oracle AACG so we can generate Access Synchronization to synchronize the Oracle GRC Schema data in AACG with the same data that we imported into the Database that we created for you.
04/19/23 20
Task #
In Scop
e
Task Responsibility
Comments
5 Yes Create SOD Controls for Client OIC We use the Oracle predefined SOD Models to create the SOD Controls that we use to assess your SOD Controls. We provide you with a report that lists these DOD Controls and we recommend that you review them with your internal and external auditors to finalize the list of controls.
6 Yes Define Global Access Conditions Client We define Global Access Conditions for your organization to eliminate false positives including Oracle Responsibilities that have been end-dated, Oracle Responsibilities assigned to Users that have been end-dated and other instances where a true SOD incident does not exist.
7 Yes Create a Database for Client Data OIC We create a Database on the server that hosts our instance of Oracle Application Access Controls Governor (AACG). We will use this Database to import the data that we extract from your EBS Instance.
8 Yes Generate Access Synchronization We generate Access Synchronization for the Datasource we created for your organization. This process updates the GRC Schema tables in Oracle AACG with the most current data contained in the Database that we defined to import the data that we extracted from your EBS Instance
04/19/23 21
Task #
In Scop
e
Task Responsibility
Comments
9 Yes General SOD Control Analysis OIC We generate SOD Control Analysis to record the SOD Incidents (i.e. Conflicts) associated with your EBS instance.
10 Yes Generate and Review Incident Reports OIC Upon completion of the SOD Control Analysis, we generate several SOD Incident Reports for Intra-Role and Inter-Role SOD Conflicts. We review these reports with you and make high level recommends to remediate or mitigate these SOD Incidents.
11 Remediate SOD Incidents Client We work with your Business Process Owners (BPO) and System Administrator to Remediate (i.e. Resolve) any SOD incidents that you have not Mitigated. This includes identifying the responsibilities, menus or functions that we need to remove from a user. Similarly, we work with your System Administrator to make the necessary revisions in your EBS instance.
12 Mitigate SOD Incidents Client At times, organizations simply do not have sufficient resources to strictly enforcement one or more SOD Controls. In these instances, we work with you to help you document the compensating controls you have in place to mitigate the risk associated with these SOD Incidents.
04/19/23 22
Task #
In Scop
e
Task Responsibility
Comments
13 Repeat steps 1 through 12 for the EBS Test Instance until you have remediated or mitigated the SOD Incidents you wish to resolve.
OIC and Client
14 In EBS Production Instance, replicate the revisions you made in the EBS Test instance to remediate SOD Incidents
Client Using your change control procedures, your System Administrator will revise your security model to reflect the revisions he or she made to your EBS Test instance to resolve your SOD incidents.
15 Repeat steps 1 through 12 for the EBS Production Instance until you have remediated or mitigated the SOD Incidents you wish to resolve.
OIC and Client
We generate SOD Control Analysis to record the SOD Incidents (i.e. Conflicts) associated with your EBS instance.
Sample SOD Controls
04/19/23 23
Working with the Big 4 accounting firms, Oracle has predefined approximately 150 SOD Controls. We imported these controls into our instance of Oracle AACG. We have supplemented these SOD Controls with additional SOD controls as well as Access Controls that we defined in conjunction with E&Y and our customers.
We have predefined SOD Rules for the following Business Process Flows:Procure to PayOrder to CashAccounting to ReportingHire to TerminateAcquire to Retire
04/19/23 24
04/19/23 25
Procure to Pay Order to Cash Accounting to Reporting Hire to Terminate
Approve & Create Invoices Control Budgets & Create Sales Order
Asset Workbench & Asset Depreciation
Modify Employee Information & Define Payroll Information
Approve Invoices & Create Payments
Control Budgets & Enter Customer Receipts
Asset Workbench & Mass Transactions
Modify Employee Position & Define Payroll Information
Approve Invoices & Print Checks
Control Budgets & Release Sales Order
Asset Workbench & Physical Inventory
Modify Employee Salary & Define Payroll Information
Approve Invoices & Void Payments
Control Budgets & Remittances
Enter Journal Entry & Assets Depreciation
Modify Employee Information & Define Payroll Information
Approve Purchase Orders & Approval Authorization Controls
Control Budgets & Ship Customer Goods
Enter Journal Entry & Assets Workbench
Approve Purchase Orders & Approve Invoices
Create Customer & Create Sales Order
Enter Journal Entry & Capitalizing Assets
Approve Purchase Orders & Create Invoices
Create Customer & Customer Credit Information
Enter Journal Entry & Mass Transactions
Approve Purchase Orders & Create Purchase Orders
Create Customer & Enter Accounts Receivable Invoice
Entry Journal Entry & Physical Inventory
Approve Purchase Orders & Received Goods and Services
Create Customer & Enter Customer Receipts
Enter Journal Entry & Post Journal Entry
04/19/23 26
Procure to Pay Order to Cash Accounting to Reporting Hire to Terminate
Control Budgets & Approve Invoices
Create Customer & Release Sales Order
Enter Journal Entry & Setup General Ledger
Control Budgets & Approve Purchase Orders
Create Customer & Remittances
Mass Allocate Journal Entries & Enter Journal Entries
Control Budgets & Create Invoices
Create Customer & Ship Customer Goods
Perform Cash Reconciliation & Bank Account Reconciliation
Control Budgets & Create Payments
Create Items & Cycle Counting
Physical Inventory & Receive Goods & Services
Control Budgets & Create Purchase Orders
Create Items & Inventory Transactions
Post Journal Entry & Assets Depreciation
Create Invoices & Create Payments
Create Sales Order & Inventory Transactions
Post Journal Entry & Assets Workbench
Create Invoices & Print Checks
Post Journal Entry & Capitalizing Assets
Create Invoices & Void Payments
Post Journal Entry & Mass Transactions
Create Purchase Orders & Approval Authorization Controls
Post Journal Entry & Physical Inventory
04/19/23 27
Procure to Pay Order to Cash Accounting to Reporting Hire to Terminate
Create Purchase Orders and Approve Invoices
Post Journal Entry & Setup GL
Create Purchase Orders & Create Invoices
Create Purchase Orders & Receive Goods and Services
Create Requisition & Approve Purchase Order
Create Requisition & Create Invoices
Create Requisition & Create Items
Create Requisition & Create Payments
Create Requisition & Create Purchase Order
Create Requisition & Create Suppliers
04/19/23 28
Procure to Pay Order to Cash Accounting to Reporting Hire to Terminate
Create Requisition & Setup Auto Create Purchase Orders
Create Suppliers & Approve Invoices
Create Suppliers & Approve Purchase Orders
Create Suppliers and Create Invoices
Create Suppliers & Create Payments
Create Requisition & Create Items
Create Requisition & Create Payments
Create Requisition & Create Purchase Order
Create Requisition & Create Suppliers
04/19/23 29
Restricted Access Controls Restricted Access Controls Restricted Access Controls
AP Invoice Item Master Transaction Batches
Approve Payroll Maintain Assets Vendor Master
AR Billing
AR Open/Close Accounting Periods Maintain Employee Vendor Payments
Customer Master Maintain Periods
Edit Pay Element OTC Configuration
FA Configuration Post Journals
GL Configuration Price List
INV Configuration P2P Configuration
Oracle AACG enables you to maintain Restricted Access Controls , which enable you to maintain access to privileged functions such as those listed in the following table. Each of these functions should be “restricted” and assigned to very few users who need access to perform their job tasks.
Sample Output from SOD Controls Assessment
04/19/23 30
Control Detail Extract Report Incident Summary Extract Report Incident by Control Summary Extract Report Access Incident Details Extract Report Access Point Report Access Violations by User Report Access Violations Within a Single Role Report Intra-Role Violations by Control Report Users with Access Violations by Control Report Conditions Report Global Users Report
04/19/23 31
A Control Detail Extract Report provides information about controls configured in EGRCC. For each control, the data includes name, description and comments, type (Access or Transaction), priority, the users who created and most recently updated the control, the dates on which they did so, and status (Active or Inactive), as well as the number of pending incidents it has generated. The report also lists tag values assigned to the control, its participants, and related controls. Finally, it displays the processing logic of the control and, for an access control, any conditions defined for it and entitlements that belong to it.
04/19/23 32
04/19/23 33
Use this report to identify conflicting functions defined for a single Oracle Responsibility. In our example, the responsibility is OIC General Ledger Super User. The Control is “Enter Journal Entry & Post Journal Entry”. Only one user, HAROLD_SCHMITT is currently assigned this responsibility, which enables Harold to enter and post journal entries. The Grouping identifies the path that provide access to each Conflicting Access Point. Harold should be able to Post Journals and AutoPost Criteria or Enter Encumbrances and Enter Journals; however it should not be able to Enter an Encumbrance or Enter Journals AND Post Journals or AutoPost Criteria.
04/19/23 34
Use this report to list the controls with SOD Incidents and the Roles (i.e. Oracle Responsibilities) that provide access to the incompatible functions identified in the SOD Control. In our example, the first control is “Create Customer & Create Sales Order”, which is used to identify Roles that enable a user to perform both of theses tasks. As you can see, the Roles Order Management Super User and Order Management User enable a user to create a customer and create a sales order.
Incident by Control Summary Extract Report
Intra-Role Violations by Control Report
Access Violations within a Single Role Report
Users with Access Violations by Control Report
04/19/23 35
Estimated Cost of SOD Assessment with Remediation and Mitigation of
SOD Control Violations
04/19/23 36
04/19/23 37
Task Comments Responsibility
Estimate Hours
Rate Cost
Complete SOD Assessment in Test Instance
Complete Assessment of SOD Controls in Test Instance and Generate SOD Incident Reports. Includes Tasks 1 through 10 for SOD Assessment Tasks.
OIC Fixed Fee per
Assessment
$2,500
Test GRC Incident Reports
Perform random tests to ensure that GRC incident reports are accurate.
OIC 4 $125 $ 500
Remediate / Mitigate SOD Conflicts Test Instance
Resolve Conflicts in Test Instance and Document Mitigating Controls. Also, train System Administrator to remediate SOD incidents
OIC/Client 40 $125 $5,000
Perform SOD Controls Assessment Again in Test Instance
Complete Assessment of SOD Controls in Test Instance again and Generate SOD Incident Reports to ensure that outstanding SOD incidents have been remediated or mitigated. Includes Tasks 1 through 10 for SOD Assessment Tasks.
OIC Fixed Fee per
Assessment
$2,500
Revise Security Model in Production to Remediate / Mitigate SOD Conflicts in Production Instance
Replicate Revisions made to Responsibilities in the Test Instance in accordance with Client’s Change Controls Policies
Client 40 (non billable)
$ 0
Complete SOD Controls Assessment in EBS Production Instance
Complete Assessment of SOD Controls in Production Instance and Generate SOD Incident Reports. . Includes Tasks 1 through 10 for SOD Assessment Tasks..
OIC Fixed Fee per
Assessment
$2,500
Estimated Cost Note: This is an iterative process and we may have to generate the SOD Assessment more
than once to remediate/mitigate SOD Incidents. Cost is $2,500 per Assessment.
$13,000
Oracle Independent Consultants LLC (OIC) is a leading provider of Risk Advisory and Oracle Fusion Governance, Risk, and Compliance (GRC)-based solutions. OIC GRC Express is an approved Oracle Accelerate program for Oracle GRC Controls and provides fixed scope methodologies for the rapid deployment of Oracle GRC Controls. The solutions are designed to make Oracle GRC Controls applications more affordable for midsize organizations. OIC’s Oracle Accelerate solution significantly reduces implementation costs and timeframes and lowers the total cost of ownership of Oracle GRC Controls.
Contact Us to Learn More.
04/19/23 38
