Segregation of Duties in the Real World: A Risk-Based Approach
Chris Rossie, VP of Business Development, Oversight Systems

Agenda
• SoDs and the Sarbanes-Oxley Imperative
• Defining the Problem
• State of SoD Testing
• Leveraging Continuous Monitoring
© 2006 Oversight Systems
Evolving Sarbanes-Oxley Imperatives (2002–2007)
• Legislation enacted; PCAOB established
• Filers and auditors plan for the unknown
• The year of documentation: companies focus on controls and SOX 404 compliance; auditors scramble to help clients while looking for PCAOB guidance
• Auditors find 2004 access provisioning “ineffective”; companies spend 2005 focused on access provisioning
• Auditors find 2005 SoD posture “ineffective”; companies focus on addressing SoD conflicts, violations, and deficiencies
• What’s next?
Evolving Technology Solutions (2002–2007)
• Legislation enacted; PCAOB established
• Filers and auditors plan for the unknown
• Governance and Risk Compliance software for controls documentation
• Identity and Access Management solutions for user provisioning
• Segregation of Duties management
• Controls monitoring and business process results monitoring
Segregation of Duties: Defining the Problem
• Complex matrix of user access rights and privileges
• Heterogeneous financial systems
• Over-reliance on manual, mitigating controls
• Confusion over applying a risk-based view of SoDs
• Mitigating every “theoretical” risk can be prohibitively expensive
• Discovering the “relevant” risk can require new data
Evaluate the SoD Risk for Each Process: Procure-to-Pay, Order-to-Cash, Financial Management-to-Reporting

Managing User Rights & Responsibilities
SoD Applies to Business Processes
• The average $1B company has:
  • 2.7 ERP systems
  • 40+ financial apps
Manual Mitigating Controls
• Embedded controls within financial systems can’t prevent every SoD conflict
• Lack of user provisioning in consolidation tools (BI) jeopardizes strong SoDs in ERP systems
• Remote offices: not fiscally possible to hire enough people to maintain SoDs
• Result: ongoing, scheduled manual review of reports
  • Relies upon an over-worked finance manager to identify violations
Applying a Risk-Based View of SoDs
• Auditors are shifting focus to risk-based assessment of controls
• What does that mean for your user access rights and SoDs?
  • Identify all SoD violations – not just conflicts
  • Prioritize SoD conflicts for remediation based on real violations and risk
State of SoD Testing
• Platform-specific tools identify all SoD conflicts
  • Identify 1000s of conflicts
  • No way to see actual violations, measure risk, or set priority
• Lockdown of major ERP systems
  • Tighten SAP or Oracle
  • Ignore the feeder systems: Ariba, MFG Pro, Infinium, legacy apps, etc.
• Can’t prove remediation
  • Found the problem, but no documentation to prove compliance
• Not a mitigating control
  • If you can’t resolve all the SoD conflicts, you still must rely on manual review of reports
A Risk-based Approach: Transaction Integrity Monitoring with Real-Time Transaction Inspection across Procure-to-Pay, Order-to-Cash, and Financial Management-to-Reporting
A Risk-based Solution for SoDs
• Identify SoD conflicts across all financial systems, including feeder systems
• Validate risk: analyze historical transactions to identify violations of SoD principles
• Prioritize remediation based on the real risk of violations
• Provide an ongoing mitigating control for SoD conflicts that cannot be eliminated (Real-Time Transaction Inspection)
• Prove that SoD deficiencies were reviewed and resolved
Transaction Inspection for Real-World Compliance
Procure-to-Pay stream: Vendor Maint. → Requisition → PO → Goods Receiving → Invoice → Voucher → Payment → Recovery. Each inspection result is triaged by Risk, Relevance and Priority.
• Vendor: Invalid Vendor; Duplicate Vendor; Ghost Vendor; Vendor Change/Change-back; Vendor Maint SOD
• PO: Invalid PO; PO to Inactive Vendor; PO to Invalid Vendor; PO to Ghost Vendor; Duplicate PO; PO/Vendor SOD
• Goods Receiving: Receipt/PO SOD
• Voucher: Invalid Voucher; Voucher for 0; Voucher to Invalid Vendor; Voucher to Duplicate PO; Voucher Duplicate Amount; Voucher Duplicate Invoice; Voucher/PO SOD; Voucher Line with no PO; Voucher Line/PO Mismatch; Voucher Line/Receipt SOD; Voucher Line/Receipt Mismatch
• Payment: Payment for 0; Payment without Voucher; Payment Payee differs from Vendor; Payment to Ghost Vendor; Payment to Employee; Payment Detail Mismatch; Payment/PO SOD; Payment Duplicate; Payment Line Duplicate; Payment Line Exceed Voucher; Payment Line Without Voucher; Payment Line/Voucher Mismatch; Payment Line for Duplicate Voucher; Payment/Voucher SOD
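The conflict-versus-violation distinction the deck draws (theoretical conflicts from the access matrix versus actual violations found in historical transactions) applied to the Procure-to-Pay SOD checks above, as an added example that is not from the original slides or from Oversight Systems. Duty names, users and transactions are constructed, and SOD_RULES stands in for a real control matrix.

```python
from collections import defaultdict

# Conflicting duty pairs in Procure-to-Pay, named after the deck's "*/PO SOD" checks.
# Duty names are hypothetical; a real rule set comes from the control matrix.
SOD_RULES = {
    ("vendor_maint", "create_po"): "PO/Vendor SOD",
    ("create_po", "approve_voucher"): "Voucher/PO SOD",
    ("create_po", "release_payment"): "Payment/PO SOD",
    ("approve_voucher", "release_payment"): "Payment/Voucher SOD",
}

# Constructed access matrix: which duties each user is entitled to perform.
ENTITLEMENTS = {
    "alice": {"create_po", "approve_voucher"},
    "bob": {"create_po", "release_payment", "vendor_maint"},
    "carol": {"approve_voucher", "release_payment"},
}

# Constructed transaction history as (PO chain, duty performed, user).
TRANSACTIONS = [
    ("PO-1", "create_po", "alice"), ("PO-1", "approve_voucher", "carol"),
    ("PO-1", "release_payment", "bob"),     # conflicts exist, but duties were split
    ("PO-2", "create_po", "bob"), ("PO-2", "approve_voucher", "alice"),
    ("PO-2", "release_payment", "bob"),     # bob raised the PO and paid it: a violation
    ("PO-3", "create_po", "alice"), ("PO-3", "approve_voucher", "alice"),
]

def find_conflicts(entitlements):
    # Theoretical risk: a user's access covers both duties of a rule.
    return sorted((user, name) for user, duties in entitlements.items()
                  for (a, b), name in SOD_RULES.items() if {a, b} <= duties)

def find_violations(transactions):
    # Actual risk: the same user performed both duties of a rule on the same PO chain.
    by_po = defaultdict(dict)
    for po, duty, user in transactions:
        by_po[po][duty] = user
    return sorted((po, who[a], name) for po, who in by_po.items()
                  for (a, b), name in SOD_RULES.items()
                  if a in who and b in who and who[a] == who[b])

def prioritize(entitlements, transactions):
    # Rank rules by evidence of real violations, not by the count of theoretical conflicts.
    score = defaultdict(lambda: [0, 0])          # name -> [conflicting users, violations]
    for _, name in find_conflicts(entitlements):
        score[name][0] += 1
    for _, _, name in find_violations(transactions):
        score[name][1] += 1
    return sorted(((n, c, v) for n, (c, v) in score.items()), key=lambda r: (-r[2], r[0]))
```

A rule that shows violations but no entitlement conflict would still surface here with a zero conflict count, which is the feeder-system case the deck warns about.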
As well as from MFGPro

Control weaknesses and violations are available for a single system (PeopleSoft and MFG-Pro) and across systems. In this example no cross-system weaknesses or violations were found.

Precisely Identifying Problems: Procure to Pay Transaction Stream
Summary
• SoD is this year’s “What’s next” from your auditors
• Continuous monitoring can precisely identify the SoD risks, efficiently address deficiencies, and provide proof of resolution
• Continuous monitoring also addresses next year’s “What’s next?” while providing bottom-line benefits

75 Fifth Street NW, 2nd Floor, Atlanta, Georgia 30308
www.oversightsystems.com