How Herman Miller automated its SOX Segregation of Duties validation across multiple business applications
Session GB-06, Mon, April 24, 2006
Don Morren – Herman Miller Inc.
Session abstract
Like so many organizations seeking SOX certification or adequate governance, Herman Miller needs to certify that users do not have access to applications that create a conflict of interest. Our challenge, however, was to perform such “Segregation of Duties” (SOD) validation across 3750+ users, 250+ user roles, 350+ business processes and thousands of application/session accesses associated with various business systems. For our first round, we came up with home-made scripts, tables and spreadsheets, along with countless hours of analysis, to perform this tedious task. We have since implemented a rules-driven SOD conflict identification engine, enabling us to dynamically scan all of the above elements … in less than 10 minutes! Not only do we know precisely who is able to access what, we also have direct visibility of any SOD conflicts for us to investigate and resolve. In addition to saving us considerable effort, this SOD compliance solution enhanced the accuracy of our conflict identification, critical to maintaining our SOX certification for years to come. Benefit from our experience and mark this session in your agenda …
Herman Miller Case Study: Herman Miller Inc. and My Position
• A Great Place to Work
• An International Company That Builds Great Office Furniture Solutions
• On Track for 1.7 Billion for 05/06
Herman Miller Case Study: Herman Miller Inc. and My Position
• Technical Analyst
• Business Process Analyst
• No Financial Background
• Started With:
  • Business Process Change Control
  • Software Change Control
  • Business Systems Access Request
• Evolved Into:
  • SOD Review, a Finance Issue That Needs IT Help
Herman Miller Case Study: 404 Requirements
• Past, Present and Future:
  • Adoption of and Achieving the COBIT Standard
  • Business Process Change Control
  • Software Change Control
  • Business Systems Access Request
  • SOD Review
Herman Miller Case Study: SOD Review, Past, Present, Future
• System-Generated User Access List Across Multiple Apps
• Combining Into One Place for SOD Analysis
• Building the Complete List of All Available Sessions
  • Ability to Identify New/Old Sessions
• Building the Complete User Access List
  • Who Has What: Sessions, Roles, Systems, Limited Sessions…
• Writing the Risks, Controls, Conflict Rules
• The Conflict Scan
  • Total Visibility of All Conflicts in All Systems in One Place
  • Analysis by Rule, Role, Session, User, Status…
Herman Miller Case Study: SOD Review
• The Resolution of Conflicts
  • Writing ‘Resolution Rules’
  • Applying the Resolutions to the Conflicts
• Timing and Automation of the Entire Chain of Events
  • Hours, Not Days
  • Scheduled on Off Hours
• History and Archiving
• Targeted Preventative Action
  • Repetitious Monitoring as a Preventative Measure
  • Monitoring Super Users
[Diagram: SOD scan chain]
(1) Access Scan: Employees, Roles and Corp-wide Applications feed the Employee / Applications Access List.
(2) Conflict Scan: the Access List is checked against the SOD Conflict Rules (written from Business Risks, Business Processes and Business Controls) to produce the SOX – SOD Conflicts List.
(3) Resolution Scan: the SOD Resolution Rules are applied to the Conflicts List to produce the Mitigated Conflicts List.
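The three-stage chain above (access scan, conflict scan, resolution scan), as an added example that is not Herman Miller's engine: a small rules-driven SOD scanner in Python. All users, roles, session codes, business processes, rule ids and the CTRL-17 control are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data for illustration only; none of it is Herman Miller's.
ROLE_SESSIONS = {"AP_CLERK": {"AP110", "AP120"}, "AP_MANAGER": {"AP300"},
                 "PURCHASING": {"PO200", "VM010"}}      # role -> application sessions
SESSION_PROCESS = {"AP110": "Enter Invoice", "AP120": "Enter Invoice",
                   "AP300": "Approve Payment", "PO200": "Create PO",
                   "VM010": "Maintain Vendor"}          # session -> business process
USER_ROLES = {"alice": {"AP_CLERK"}, "bob": {"AP_CLERK", "AP_MANAGER"},
              "carol": {"PURCHASING", "AP_MANAGER"}}   # user -> roles granted
# Conflict rules: (rule id, process A, process B, risk when one person holds both)
CONFLICT_RULES = [
    ("SOD-01", "Enter Invoice", "Approve Payment", "Self-approved invoices"),
    ("SOD-02", "Maintain Vendor", "Approve Payment", "Payments to fictitious vendors"),
]
# Resolution rules: (user, rule id) -> mitigating control the business has accepted
RESOLUTION_RULES = {("bob", "SOD-01"): "CTRL-17: monthly payment register review"}

def access_scan(user_roles, role_sessions, session_process):
    """(1) Who has what: user -> business process -> sessions granting it."""
    access = defaultdict(lambda: defaultdict(set))
    for user, roles in user_roles.items():
        for role in roles:
            for session in role_sessions[role]:
                access[user][session_process[session]].add(session)
    return access

def conflict_scan(access, rules):
    """(2) Apply every conflict rule to every user's effective process list."""
    conflicts = []
    for user, processes in access.items():
        for rule_id, proc_a, proc_b, risk in rules:
            if proc_a in processes and proc_b in processes:
                conflicts.append({"user": user, "rule": rule_id, "risk": risk,
                                  "sessions": sorted(processes[proc_a] | processes[proc_b]),
                                  "status": "open"})
    return conflicts

def resolution_scan(conflicts, resolutions):
    """(3) Mark conflicts already covered by an accepted mitigating control."""
    for c in conflicts:
        control = resolutions.get((c["user"], c["rule"]))
        if control:
            c["status"], c["control"] = "mitigated", control
    return conflicts

def run_chain():
    """Run the whole chain: access scan -> conflict scan -> resolution scan."""
    access = access_scan(USER_ROLES, ROLE_SESSIONS, SESSION_PROCESS)
    return resolution_scan(conflict_scan(access, CONFLICT_RULES), RESOLUTION_RULES)
```

Conflicts left with status "open" are the ones to investigate; a mitigated one carries the control that covers it, which is what the reviewer needs to see in one place.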