
Identifying Segregation of Duties Issues in a PeopleSoft Environment

Identifying Segregation of Duties Issues in a PeopleSoft Environment. Central Ohio Chapter Information Systems Audit and Control Association February 8, 2007. 1. Your Presenters. Brian O’Brien Manager - Data Security



Presentation Transcript


  1. Identifying Segregation of Duties Issues in a PeopleSoft Environment • Central Ohio Chapter, Information Systems Audit and Control Association • February 8, 2007

  2. Your Presenters • Brian O’Brien • Manager - Data Security • 10 years of PeopleSoft experience with Ohio State’s 1,300 user HRMS and 2,400 user Financials environments • Pat O’Connor • Senior Systems Engineer • Ohio State’s leading technical security expert, has 8 years of PeopleSoft experience, ranging from configuration management and control to security administration

  3. Overview • We have created a process for defining, identifying and reporting Segregation of Duties issues.

  4. Ohio State’s Environment • 7 Campuses • 58,000 Students • 35,000 Employees • $3 Billion Budget • 300,000+ Alumni

  5. Database Environment • Oracle9i Release 9.2.0.5.0 - 64bit • HP Hardware – HP-UX 11.0 N Class • Over 50 PeopleSoft Databases

  6. Ohio State and PeopleSoft

  7. Where We’re Headed Student Admin 8.9 Enterprise Performance Management (EPM) Upgrade HRMS 8.0 -> 8.9 eProcurement Module Financials 8.42 -> 8.9

  8. Identifying Segregation of Duties Issues • What Duties Should be Segregated? • Identify the Duties in PeopleSoft • Building the SoD Reports

  9. What is Segregation of Duties? • …no single individual should have control over two or more phases of a transaction or operation… • (University of Utah Department of Internal Audit Identify the Duties) • …no one individual employee can complete a significant business transaction in its entirety… • (UCSD Audit & Management Advisory Services)

  10. Examples of Segregation of Duties? • Those responsible for physical receipt of goods should not be responsible for paying for the goods. • Those responsible for custody of goods should not be responsible for maintaining the records of the assets. • Those responsible for collection of receivables should not be responsible for entries in the book of accounts. • Source: Sawyer’s Internal Auditing, 5th Edition, page 1198

  11. Recent Ohio State Experience • Ex-OSU worker charged in $312,000 theft • The Columbus Dispatch, Thursday, March 30, 2006 • “…job allowed him not only to tally and submit the payroll in his department, but also to hand out the checks. • “He would prepare the payroll, submit the payroll and distribute the checks,” O'Brien said…

  12. What Duties Should be Segregated?

  13. What Duties Should be Segregated? • Web Searches • HEUG Contacts • Ohio State’s Internal Auditors

  14. What Duties Should be Segregated? • Financial Duties • Requisition Initiator • Requisition Approver • P.O. Initiator • P.O. Approver

  15. Identify the Duties in PeopleSoft • Identify the Security Controls • Page Access (not Role) • Operator Preferences • Table Data Values • End Result is a SQL query

  16. Build the SoD Reports • Sample Reports • Creation Process • Create the SQL Program • Create a Formatted Spreadsheet • Paste the SQL Output to a Spreadsheet

  17. Build the SoD Reports • Sample Reports • Procurement SoD Reports • Workflow by User by Organization • Counts by Departments • Procurement Without SoD by Money Value • Reverse Hill-Climber

  18. Build the SoD Reports • Sample Reports • Delivery Mechanisms • Enterprise Web Based • Email • Hard Copies

  19. Questions?

  20. Contacts • Brian O’Brien • Manager, Data Security • Office of Information Technology • The Ohio State University • E-mail: obrien.9@osu.edu • Patrick O’Connor • Sr. Systems Engineer • Office of Information Technology • The Ohio State University • E-mail: oconnor.33@osu.edu
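
Slides 14 to 16 describe mapping duties to page access rather than role names, with a SQL query as the end result. The following is an added example, not the presenters' code: it runs such a query in an in-memory SQLite database as a stand-in for the Oracle environment. It assumes a simplified subset of the PeopleSoft security table columns, two hypothetical mapping tables (`SOD_DUTY_PAGE`, `SOD_CONFLICT`), made-up page and role names, initiator/approver pairs as the conflicts, and that display-only access does not count as holding a duty.

```python
import sqlite3

# Simplified subset of PeopleSoft security table columns; SOD_DUTY_PAGE and
# SOD_CONFLICT are hypothetical mapping tables created for this example.
SCHEMA = """
CREATE TABLE PSROLEUSER (ROLEUSER TEXT, ROLENAME TEXT);
CREATE TABLE PSROLECLASS (ROLENAME TEXT, CLASSID TEXT);
CREATE TABLE PSAUTHITEM (CLASSID TEXT, BARITEMNAME TEXT, DISPLAYONLY INTEGER);
CREATE TABLE SOD_DUTY_PAGE (DUTY TEXT, BARITEMNAME TEXT);
CREATE TABLE SOD_CONFLICT (DUTY_A TEXT, DUTY_B TEXT);
"""
# Constructed rows: every user, role, permission list and page name is made up.
ROWS = {
    "PSROLEUSER": [("ALICE", "DEPT_BUYER"), ("ALICE", "DEPT_MANAGER"), ("BOB", "DEPT_BUYER"),
                   ("CAROL", "DEPT_BUYER"), ("CAROL", "DEPT_INQUIRY"), ("DAVE", "PO_CLERK")],
    "PSROLECLASS": [("DEPT_BUYER", "PL_REQ_ENTER"), ("DEPT_MANAGER", "PL_REQ_APPR"),
                    ("DEPT_INQUIRY", "PL_REQ_VIEW"), ("PO_CLERK", "PL_PO_ALL")],
    "PSAUTHITEM": [("PL_REQ_ENTER", "REQ_ENTRY", 0), ("PL_REQ_APPR", "REQ_APPROVE", 0),
                   ("PL_REQ_VIEW", "REQ_APPROVE", 1),  # display-only access
                   ("PL_PO_ALL", "PO_ENTRY", 0), ("PL_PO_ALL", "PO_APPROVE", 0)],
    "SOD_DUTY_PAGE": [("Requisition Initiator", "REQ_ENTRY"), ("Requisition Approver", "REQ_APPROVE"),
                      ("P.O. Initiator", "PO_ENTRY"), ("P.O. Approver", "PO_APPROVE")],
    "SOD_CONFLICT": [("Requisition Initiator", "Requisition Approver"),
                     ("P.O. Initiator", "P.O. Approver")],
}
# Resolve user -> role -> permission list -> page -> duty, then pair conflicting duties.
SOD_QUERY = """
WITH user_duty AS (
  SELECT DISTINCT ru.ROLEUSER AS oprid, dp.DUTY AS duty
  FROM PSROLEUSER ru
  JOIN PSROLECLASS rc ON rc.ROLENAME = ru.ROLENAME
  JOIN PSAUTHITEM ai ON ai.CLASSID = rc.CLASSID
  JOIN SOD_DUTY_PAGE dp ON dp.BARITEMNAME = ai.BARITEMNAME
  WHERE ai.DISPLAYONLY = 0  -- assumption: read-only access is not a duty
)
SELECT a.oprid, c.DUTY_A, c.DUTY_B
FROM SOD_CONFLICT c
JOIN user_duty a ON a.duty = c.DUTY_A
JOIN user_duty b ON b.duty = c.DUTY_B AND b.oprid = a.oprid
ORDER BY a.oprid, c.DUTY_A
"""

def find_conflicts():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for table, rows in ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        db.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return db.execute(SOD_QUERY).fetchall()
```

In the sample data ALICE holds both requisition duties through two separate roles and DAVE holds both P.O. duties through one role whose name gives no hint of approval rights, which is why the join goes down to page access.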
