March 3, 2022
Using Analytics to Identify Incompatible Role-Based Access
We all know Segregation of Duties (SOD) is key to fraud mitigation, but how are you using digital technologies and capabilities to gain timely, meaningful insight into violated SOD rules?
We regularly read news articles about indictments of individuals who diverted funds over many years, adding up to a material dollar amount. SOD is as important now as it ever was, and when you leverage our digital technology, you have greater assurance that there is no incompatible role-based access.
The complexity of a company's IT environment, the implementation of new systems, manual administration processes, and staffing constraints make ensuring effective SOD a daunting task. As a result, we see many of the same challenges at organization after organization. Below are five of the most common issues we see relating to SOD and role-based access controls:
| Issue | Description |
|---|---|
| 1. Improperly Designed Roles | The rush to implement a new administration platform and ensure functionality to support the business may have allowed security and user role design to take a lower priority. Roles may be stacked to grant users functionality, or even set to grant access to all functions, because of the complexity of securing access at the menu, screen, field, or button level. Users may be assigned multiple roles within one system, or roles across a combination of systems, that together create an SOD risk. |
| 2. Mirroring Users | Assigning access that mirrors another user may replicate access that violates SOD across multiple users. The rights assigned to the source user may have been updated over time and now include a mix of authorities that would cause alarm. |
| 3. Transferred Users | As a user transfers from one job function to another, the access for their prior position may not be removed. Long-tenured employees who have filled multiple roles may have access that has accumulated over the years. |
| 4. Privileged Access Management | User administration functions should be performed by personnel who are not responsible for processing transactions. Too often, we see business users tasked with administering users for their primary systems. These users could create false users or grant themselves additional access to conceal transactions, and then remove that access. |
| 5. Manual User Administration | Manual processes are subject to error and risk granting users additional access they should not have. |
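As an added illustration of the cross-system analysis described above (example code written for this article, not Johnson Lambert's tooling), the Python below evaluates constructed user-role data against a small conflict matrix; every system, role, function, and user name is an assumed placeholder. It flags users whose stacked or cross-system roles combine incompatible functions, including an administrator who also processes transactions, and then reports which violators are exact mirrors of one another.

```python
# Constructed sample data (assumed, not from the original post).
# Business functions each role grants, keyed by (system, role).
ROLE_FUNCTIONS = {
    ("ERP", "AP_CLERK"):     {"create_vendor", "enter_invoice"},
    ("ERP", "AP_MANAGER"):   {"approve_payment"},
    ("ERP", "SEC_ADMIN"):    {"admin_users"},
    ("BANK", "PAYMENT_REL"): {"release_payment"},
}

# Incompatible function pairs, evaluated across systems rather than per system.
SOD_RULES = [
    ("create_vendor", "approve_payment"),
    ("enter_invoice", "approve_payment"),
    ("approve_payment", "release_payment"),
    ("admin_users", "enter_invoice"),   # user admins must not process transactions
]

# Constructed user-to-role assignments illustrating the issues in the table.
USER_ROLES = {
    "alice": {("ERP", "AP_CLERK"), ("ERP", "AP_MANAGER")},      # stacked roles
    "bob":   {("ERP", "AP_MANAGER"), ("BANK", "PAYMENT_REL")},  # cross-system conflict
    "carol": {("ERP", "AP_CLERK")},                             # clean
    "dave":  {("ERP", "AP_CLERK"), ("ERP", "AP_MANAGER")},      # mirrored from alice
    "erin":  {("ERP", "SEC_ADMIN"), ("ERP", "AP_CLERK")},       # admin + transactions
}

def effective_functions(roles):
    """Union of the functions granted by all of a user's roles, across systems."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs

def sod_violations(user_roles=USER_ROLES, rules=SOD_RULES):
    """Return {user: sorted (func_a, func_b) rule pairs the user holds both of}."""
    findings = {}
    for user, roles in user_roles.items():
        funcs = effective_functions(roles)
        hits = sorted((a, b) for a, b in rules if a in funcs and b in funcs)
        if hits:
            findings[user] = hits
    return findings

def mirrored_violators(user_roles=USER_ROLES):
    """For each violating user, the other users with an identical role set (issue 2)."""
    by_roles = {}
    for user, roles in user_roles.items():
        by_roles.setdefault(frozenset(roles), set()).add(user)
    return {u: sorted(by_roles[frozenset(user_roles[u])] - {u})
            for u in sod_violations(user_roles)
            if len(by_roles[frozenset(user_roles[u])]) > 1}
```

Running `sod_violations()` reports alice, bob, dave and erin and leaves carol clean; `mirrored_violators()` shows that dave's access is a copy of alice's conflicting role set.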
Recognizing that SOD-related risks are high and that implementing SOD rules is a challenge for many organizations, Johnson Lambert uses a comprehensive suite of digital tools and technologies that allows us to evaluate user access data across systems in an optimized and precise way. Our custom-designed suite of tools includes streamlined document exchange, workflow automation, advanced data analytics, and data visualization to evaluate every user across every system, identify outliers or users with excessive access, and provide executive management and the Board with actionable insights. We can work with you to automate the analysis of your user access, identify SOD concerns, and determine the extent of the risk.
Contact us to learn more and to discuss how we can mutually design a project to greatly reduce your SOD-related risks.