One key aspect of governance, risk, and compliance (GRC) that many enterprises struggle with is achieving their segregation of duties (SoD) controls objectives. A lack of or ineffective SoD controls can open the gates to in-house fraud and misuse, leading to serious financial repercussions. For example, a 2012 study by the Association of Certified Fraud Examiners found that the financial impact on an organization from insider fraud is $120,000 per incident, with more than one-fifth of the cases causing more than $1 million in losses. What can organizations do to strengthen or establish SoD controls to avoid monetary catastrophe?
Meet SoD Access Control Goals
Implementing effective SoD controls is a pervasive challenge. But rather than think about SoD violations as a security problem, companies should consider them a business problem. IT organizations do not always have the context to understand the access requirements for a given functional role in the business. In an effort to solve this issue, many IT organizations provide an automated process for the business to review and certify user access across the entire enterprise. During the access review and certification process, the reviewing managers on the business side can decide to accept an access risk and maintain conflicting access permissions for a given user. However, it is important to remember that simply providing a report on all of the users who have the potential to conduct an SoD transaction should not be considered active access risk mitigation.
When an access risk for a user is missed, the organization’s primary access controls have been violated. A compensating control should be put into place to mitigate the access risk, which requires an organization to monitor its transactional systems to identify when users who hold conflicting sets of access permissions actually conduct an SoD transaction. By doing this, an organization can provide the business with the transactional details needed to understand the true financial risk impact of each SoD transaction, as well as a process for performing a second-level supervisory review on all of these transactions. This will also lower the financial impact on department budgets by eliminating the manual processes that most organizations use to detect and report SoD transactions.
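As an added illustration (not from the original article, and not SAP or Greenlight code), the compensating control described above can be expressed as detection logic that separates entitlement-level risk (who could perform both sides of a conflict) from execution-level findings (who actually did, on the same business object, and for how much). The conflicting function pairs, user entitlements and transaction records below are constructed sample data.

```python
from collections import defaultdict

# Constructed rule set: pairs of business functions one person must not both perform.
CONFLICTING_PAIRS = {
    ("create_vendor", "approve_payment"),
    ("create_purchase_order", "approve_purchase_order"),
}

# Constructed entitlements: user -> business functions granted by that user's roles.
ENTITLEMENTS = {
    "alice": {"create_vendor", "approve_payment"},
    "bob": {"create_purchase_order", "approve_purchase_order"},
    "carol": {"create_vendor"},
}

# Constructed transaction log: (user, function, business object id, amount in USD).
TRANSACTIONS = [
    ("alice", "create_vendor", "V-1001", 0.0),
    ("alice", "approve_payment", "V-1001", 48250.00),   # both sides, same vendor
    ("alice", "approve_payment", "V-2002", 1200.00),    # vendor created by someone else
    ("bob", "create_purchase_order", "PO-77", 9800.00),
    ("dave", "approve_purchase_order", "PO-77", 9800.00),  # properly split duties
    ("carol", "create_vendor", "V-3003", 0.0),
]


def potential_conflicts(entitlements):
    """Entitlement-level risk: users whose permissions cover both sides of a pair.
    This is the 'report on users who could do it' that the text says is not mitigation."""
    return {(user, pair) for user, funcs in entitlements.items()
            for pair in CONFLICTING_PAIRS if set(pair) <= funcs}


def actual_sod_transactions(transactions):
    """Execution-level finding: the same user performed both sides of a conflicting
    pair on the same business object. Returns (user, pair, object_id, exposure),
    where exposure is the largest amount involved, for second-level supervisory review."""
    seen = defaultdict(dict)  # (user, object_id) -> {function: max amount}
    for user, func, obj, amount in transactions:
        bucket = seen[(user, obj)]
        bucket[func] = max(amount, bucket.get(func, 0.0))
    findings = []
    for (user, obj), funcs in seen.items():
        for pair in CONFLICTING_PAIRS:
            if set(pair) <= set(funcs):
                findings.append((user, pair, obj, max(funcs[f] for f in pair)))
    return findings
```

Run over the sample data, the entitlement check flags both alice and bob, but only alice's vendor V-1001 surfaces as an executed SoD transaction with a quantified exposure; bob's purchase order was approved by a different user and is not reported.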
Add Value to Your Existing Environment
To meet SoD controls objectives, which in turn prevents insider fraud, enterprises should use an effective, automated controls solution, such as SAP solutions for GRC. If your company has already invested in SAP solutions for GRC for access and process control, your goal should be to consolidate access controls into one authoritative source — your SAP system — to simplify risk analysis, enable compliant user provisioning as part of an access request process, and ensure that controls are being applied consistently across all non-SAP applications. Companies that evolve and extend their SAP controls frameworks can:
Reduce the operational cost and organizational burden of compliance and risk management
Support business ownership of governing user access risks by providing a financial context to risk
Incorporate cross-application compliance checks with the access request processes
Reduce fraud and loss by monitoring highly privileged users’ actions in critical applications and databases
Achieve the requirements of internal and external audits in a sustainable fashion
SAP partner Greenlight Technologies offers solutions that integrate with SAP solutions for GRC to help manage the financial impact of access risks across enterprise applications, users, and transactions. For more information, visit www.greenlightcorp.net.