Today the world is online, and while this is great for making communication easier and data access open, it also comes with a set of risks. As a result, governments all over the globe have made security and compliance requirements stringent. While these requirements pose a challenge to companies across the world, there are, fortunately, solutions that can help.
Before we dive into the solution aspect of security and compliance, let us take a look at what you need to do and the three stages of preparation. As per the AICPA, Segregation of Duties (SoD) is the basic building block of sustainable risk management and internal controls in a business. The principle of SoD is based on shared responsibility for a critical process: the critical functions of that process are dispersed across more than one person or department. Without this separation in critical processes, fraud and error risks are far less manageable.
The primary purpose of applying segregation of duties is to reduce the instances and opportunities for committing and concealing fraud and/or error in the normal course of an organization's activities. Having more than one person perform a task minimizes the opportunity for wrongdoing and increases the chances of detecting it, as well as of detecting unintentional errors.
The three stages of this process include:
- Define and list organization risks
- Continuous audit and compliance
- Best practices to implement SoD
In stage one, we will look at the process to define and list organization risks:
Define and list risks: Even if your organization is not pursuing a specific regulatory compliance objective like SOX, ISO, or GDPR, we recommend that you create a list of applicable SoD conflicts that are vulnerable to fraud or cause significant security or financial risks. You can achieve this by revisiting the organization's GRC objectives along with the organization structure. The outcome of this phase is a list of potentially risky ERP transactions, each categorized as high, medium or low severity.
Fine-tune the SoD rules: Your solution can help you arrive at the final SoD rule set from a set of rules, internal key controls, and the risks identified, recording a severity, a risk and a mitigation for each record. The head of finance, internal and external auditors, and the head of IT should be part of the team that puts together this list.
Analyze risks: In this stage, you need to analyze the threats against the rule set to identify conflicts. You should highlight conflicts and escalate them with recommendations to the appropriate department, such as internal controls or finance. You may need to interact further with the business to identify a suitable solution to eliminate the risk.
Use role-based access control to finalize security roles: You will need to review the security model to implement the necessary changes to either a conflicting role or a conflicting role assignment. Risk assessment can help you redefine and recreate many standard security roles. Your solution can also help create new roles, or modify or merge existing ones, as required by the organization structure. You can also identify ways to segregate duties in a business process across functional areas and departments.
Mitigate security risks: It may not always be possible to strictly follow the SoD rule set due to the business setup, a low employee count, or other organizational constraints; in that case, the best practice is to have an appropriate compensating control in place to mitigate the risk. Look for a solution that provides a predefined SoD rule set designed to keep transactions that could together enable fraud out of the same role. Such rule sets are also of great help to organizations pursuing specific compliance requirements like SOX.
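To make the analyze, finalize-roles and mitigate steps above concrete, here is a small SoD conflict checker written as an added example for this post; it is not code from To-Increase or from Security and Compliance Studio. The rule set, the role-to-function model, the user assignments and the function names are all constructed sample data. Each hit carries the rule's severity, risk and mitigation, says whether the conflict lives inside one role or arises only from combining roles, and flags conflicts that an accepted compensating control already covers.

```python
from dataclasses import dataclass

SEVERITY = {"high": 3, "medium": 2, "low": 1}

@dataclass(frozen=True)
class SodRule:
    """One SoD rule: two ERP functions a single person must not hold together."""
    func_a: str
    func_b: str
    severity: str
    risk: str
    mitigation: str  # compensating control if the conflict cannot be removed

# Constructed sample rule set; function names are hypothetical.
RULES = [
    SodRule("create_vendor", "approve_payment", "high",
            "fictitious vendor paid by its creator", "monthly vendor master review"),
    SodRule("enter_journal", "approve_journal", "high",
            "self-approved journal entries", "dual sign-off above a threshold"),
    SodRule("maintain_user", "assign_role", "medium",
            "self-granted privileges", "weekly access-change report to audit"),
]
# Constructed sample security model: role -> functions, user -> roles.
ROLES = {"AP_Clerk": {"create_vendor", "enter_invoice"},
         "AP_Manager": {"approve_payment", "approve_journal"},
         "GL_Accountant": {"enter_journal"},
         "Sysadmin": {"maintain_user", "assign_role"}}
USERS = {"alice": {"AP_Clerk", "AP_Manager"}, "bob": {"GL_Accountant"},
         "carol": {"Sysadmin"}, "dave": {"GL_Accountant", "AP_Manager", "Sysadmin"}}

def granting_roles(user, func, users=USERS, roles=ROLES):
    """Roles assigned to `user` that grant `func` (empty for unknown users)."""
    return sorted(r for r in users.get(user, ()) if func in roles[r])

def find_conflicts(user, rules=RULES, users=USERS, roles=ROLES, mitigated=()):
    """Rules `user` violates, highest severity first. `source` is "role" if one
    role grants both functions, else "assignment"; `mitigated` holds accepted
    (user, func_a, func_b) exceptions that have a compensating control."""
    hits = []
    for rule in rules:
        ra = granting_roles(user, rule.func_a, users, roles)
        rb = granting_roles(user, rule.func_b, users, roles)
        if not ra or not rb:
            continue  # user lacks one side of the pair: no conflict
        hits.append({"user": user, "rule": rule, "severity": rule.severity,
                     "roles": sorted(set(ra) | set(rb)),
                     "source": "role" if set(ra) & set(rb) else "assignment",
                     "status": "mitigated" if (user, rule.func_a, rule.func_b)
                               in mitigated else "open"})
    return sorted(hits, key=lambda h: SEVERITY[h["severity"]], reverse=True)
```

A "role" hit points at a role definition to split; an "assignment" hit points at a user who should lose one of the roles or be covered by a documented mitigation.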
As you can see, security and compliance are essential requirements for your company's reputation and continued growth. At To-Increase, we understand your needs in this area and have a solution, 'Security and Compliance Studio', that can help you with all related aspects.
In the next blog, we will be elaborating on the second stage, which is 'Continuous Audit and Compliance.'