1 / 24

Segregation of Duties in the Real World

Segregation of Duties in the Real World. A Risk-Based Approach Chris Rossie VP of Business Development Oversight Systems. Agenda. SoDs and the Sarbanes-Oxley Imperative Defining the Problem State of SoD Testing Leveraging Continuous Monitoring. Evolving Sarbanes-Oxley Imperatives. 2002.

taran
Download Presentation

Segregation of Duties in the Real World

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Segregation of Duties in the Real World A Risk-Based Approach Chris Rossie VP of Business Development Oversight Systems

  2. Agenda • SoDs and the Sarbanes-Oxley Imperative • Defining the Problem • State of SoD Testing • Leveraging Continuous Monitoring © 2006 Oversight Systems

  3. Evolving Sarbanes-Oxley Imperatives 2002 2003 2004 2005 2006 2007 Legislation Enacted PCAOB established Filers and auditors plan for the unknown The year of documentation Companies focus on controls and SOX 404 compliance Auditors scramble to help clients while looking for PCAOB guidance © 2006 Oversight Systems

  4. Evolving Sarbanes-Oxley Imperatives 2002 2003 2004 2005 2006 2007 Legislation Enacted PCAOB established Filers and auditors plan for the unknown The year of documentation Companies focus on controls and SOX 404 compliance Auditors scramble to help clients while looking for PCAOB guidance Auditors find 2004 access provisioning “ineffective” Companies spend 2005 focused on access provisioning © 2006 Oversight Systems

  5. Evolving Sarbanes-Oxley Imperatives 2002 2003 2004 2005 2006 2007 Legislation Enacted PCAOB established Filers and auditors plan for the unknown The year of documentation Companies focus on controls and SOX 404 compliance Auditors scramble to help clients while looking for PCAOB guidance Auditors find 2005 SoD posture “ineffective” Companies focus on addressing SoD conflicts, violations, and deficiencies Auditors find 2004 access provisioning “ineffective” Companies spend 2005 focused on Access provisioning © 2006 Oversight Systems

  6. Evolving Sarbanes-Oxley Imperatives 2002 2003 2004 2005 2006 2007 Legislation Enacted PCAOB established Filers and auditors plan for the unknown What’s Next? The year of documentation Companies focus on controls and SOX 404 compliance Auditors scramble to help clients while looking for PCAOB guidance Auditors find 2005 SoD posture “ineffective” Companies focus on addressing SoD conflicts and SoD deficiencies Auditors find 2004 access provisioning “ineffective” Companies spend 2005 focused on access provisioning © 2006 Oversight Systems

  7. Evolving Technology Solutions 2002 2003 2004 2005 2006 2007 Legislation Enacted Controls monitoring and business process results monitoring PCAOB established Filers and auditors plan for the unknown Governance and Risk Compliance software for controls documentation Segregation of Duties management Identity and Access Management solutions for user provisioning © 2006 Oversight Systems

  8. Segregation of Duties: Defining the Problem • Complex Matrix of User Access Rights & Privileges • Heterogeneous Financial Systems • Over-reliance on manual, mitigating controls • Confusion over applying a risk-based view of SoDs • Mitigating every “theoretical” risk can be prohibitively expensive • Discovering the “relevant” risk can require new data © 2006 Oversight Systems

  9. Procure-to-Pay Order-to-Cash Financial Management-to-Reporting Evaluate the SoD Risk for Each Process © 2006 Oversight Systems

  10. Managing User Rights & Responsibilities © 2006 Oversight Systems

  11. SoD applies to Business Processes • Average $1B company has: • 2.7 ERP Systems • 40+ financial apps © 2006 Oversight Systems

  12. Manual Mitigating Controls • Embedded controls within financial systems can’t prevent every SoD conflict • Lack of user provisioning in consolidation tools (BI) jeopardizes strong SoDs in ERP systems • Remote offices: Not fiscally possible to hire enough people to maintain SoDs • Result: Ongoing, scheduled manual review of reports • Rely upon over-worked finance manager to identify violation © 2006 Oversight Systems

  13. Applying a Risk-Based View of SoDs • Auditors shifting focus to risk-based assessment of controls • What does that mean for your user access rights & SoDs? • Identify all SoD violations – not just conflicts • Prioritize SoD conflicts for remediation based on real violations and risk © 2006 Oversight Systems

  14. State of SoD Testing • Platform-specific tools identify all SoD conflicts • Identify 1000s of conflicts • No way to see actual violations, measure risk & set priority • Lockdown major ERP systems • Tighten SAP or Oracle • Ignore the feeder systems: Ariba, MFG Pro, Infinium, legacy apps, etc. • Can’t prove remediation • Found the problem, but no documentation to prove compliance • Not a mitigating control • If you can’t resolve all the SoD conflict, you still must rely on manual review of reports © 2006 Oversight Systems

  15. Procure-to-Pay Order-to-Cash Financial Management-to-Reporting A Risk-based Approach Transaction Integrity Monitoring Real-Time Transaction Inspection Real-Time Transaction Inspection © 2006 Oversight Systems

  16. A Risk-based Solution for SoDs • Identify SoD conflicts across all financial systems including feeder systems • Validate risk: Analyze historical transactions to identify violations of SoD principles • Prioritize remediation based on real risk of violations • Provide an ongoing mitigating control for SoD conflicts that cannot be eliminated (Real-Time Transaction Inspection) • Prove that SoD deficiencies were reviewed and resolved © 2006 Oversight Systems

  17. Vendor Maint. Requisition PO Goods Receiving Invoice Voucher Payment Recovery Transaction Inspection for Compliance • Payment for 0 • Payment without Voucher • Payment Payee differsfrom Vendor • Payment to Ghost Vendor • Payment to Employee • Payment Detail Mismatch • Payment/PO SOD • Payment Duplicate • Payment Line Duplicate • Payment Line Exceed Voucher • Payment Line Without Voucher • Payment Line/Voucher Mismatch • Payment Line for DuplicateVoucher • Payment/Voucher SOD • Invalid Vendor • Duplicate Vendor • Ghost Vendor • Vendor ChangeChange-back • Vendor Maint SOD • Receipt/PO SOD • Invalid PO • PO to Inactive Vendor • PO to Invalid Vendor • PO to Ghost Vendor • Duplicate PO • PO/Vendor SOD • Invalid Voucher • Voucher for 0 • Voucher to Invalid Vendor • Voucher to Duplicate PO • Voucher Duplicate Amount • Voucher Duplicate Invoice • Voucher/PO SOD • Voucher Line with no PO • Voucher Line/PO Mismatch • Voucher Line/Receipt SOD • Voucher Line/Receipt Mismatch © 2006 Oversight Systems

  18. Requisition Goods Receiving Payment Transaction Inspection for Real-World Compliance • Payment for 0 • Payment without Voucher • Payment Payee differsfrom Vendor • Payment to Ghost Vendor • Payment to Employee • Payment Detail Mismatch • Payment/PO SOD • Payment Duplicate • Payment Line Duplicate • Payment Line Exceed Voucher • Payment Line Without Voucher • Payment Line/Voucher Mismatch • Payment Line for DuplicateVoucher • Payment/Voucher SOD • Invalid Vendor • Duplicate Vendor • Ghost Vendor • Vendor ChangeChange-back • Vendor Maint SOD Risk • Receipt/PO SOD Vendor Maint. PO Invoice Voucher Recovery Relevance • Invalid PO • PO to Inactive Vendor • PO to Invalid Vendor • PO to Ghost Vendor • Duplicate PO • PO/Vendor SOD • Invalid Voucher • Voucher for 0 • Voucher to Invalid Vendor • Voucher to Duplicate PO • Voucher Duplicate Amount • Voucher Duplicate Invoice • Voucher/PO SOD • Voucher Line with no PO • Voucher Line/PO Mismatch • Voucher Line/Receipt SOD • Voucher Line/Receipt Mismatch Priority © 2006 Oversight Systems

  19. Oversight has loaded control settings from Peoplesoft

  20. As well as from MFGPro © 2006 Oversight Systems

  21. Control-Weaknesses and Violations are available for Single System (PeopleSoft and MFG-Pro) and Across Systems. In this example no cross system weaknesses or violations were found. © 2006 Oversight Systems

  22. Precisely Identifying Problems Procure to Pay Transaction Stream © 2006 Oversight Systems

  23. Summary • SoD is this year’s “What’s next” from your auditors • Continuous monitoring can precisely identify the SoD risks, efficiently address deficiencies and provide proof of resolution • Continuous monitoring also addresses next year’s “What’s next?” while providing bottom line benefits © 2006 Oversight Systems

  24. 75 Fifth Street, NW2nd FloorAtlanta, Georgia 30308www.oversightsystems.com

More Related