Management of separation of duty (SoD) issues continues to be a challenge at organizations of all sizes. Unaddressed SoD conflicts may pose potential risks to financial statements, operational activities and the alignment of roles and responsibilities for employees. In recent years, there has been an increased focus on the remediation and mitigation of SoDs by internal or external compliance teams. In this paper, you will find guiding principles that can help your organization develop an approach for addressing SoD challenges.
1. Define and Understand Access Risks
The foundation for the management of SoDs is to identify them based on the risk tolerance of the organization. It is important to develop a custom rule set that addresses financial and operational access risks and is flexible as changes occur within the organization. The rule set should encompass SoDs and sensitive access risks. Ideally, a GRC access management technology solution is in place to automate the identification of SoD and sensitive access risks within the user and role population. In addition, assessing risk based on a quantitative approach allows an organization to define risks in relation to internal measurement factors.
2. Analyze User and Role SoD Conflicts
Using the custom rule set, identify SoD and sensitive access conflicts across the user and role population. This analysis gives the organization visibility into the current state of access risks within the ERP system and helps gauge the level of effort required to remediate or mitigate them.
3. Remediate Role and User Level SoD Conflicts
Based on the SoD and sensitive access conflicts, identify the roles that contain SoD conflicts. Determine the approach to remove SoD conflicts from roles by removing transactions or separating sensitive tasks from within roles. Once the roles are cleansed, focus on the user to role assignment to realign security roles based on the core responsibilities of the user.
4. Identify and Define Mitigating Controls
Map available business process and IT controls to the appropriate SoD and sensitive access risks. Where an existing control cannot be used, a new mitigating control will need to be designed and implemented. Once the controls are linked to the appropriate access risk(s), the user(s) can be mapped to the appropriate risk and control combination.
5. Assess Sustainability of Role Design Methodology
As part of the remediation activities, new roles may need to be created and existing roles may need to be modified. It is important to determine which security approach will enable the organization to have a flexible and sustainable security design. By having a consistent approach to the security design that supports a compliant provisioning process, the organization will maintain visibility to key sensitive activities within the business processes.
6. Streamline the Provisioning Process
Implement an automated or semi-automated process to capture approvals for the assignment or removal of security roles. The approvals should be tracked and retained for reference by the security and compliance teams. Through the use of an automated tool, the provisioning process can be driven by a GRC access management solution.
7. Implement Preventative SoD Analysis
Embed a preventative SoD and sensitive access check into the provisioning process. This gives greater visibility into the access risks a user already carries or would acquire through the requested security role assignments. During provisioning, the identified SoD and sensitive access risks should be appropriately mitigated if the access is required by the end user and approved by an appropriate role or risk owner.
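As an added illustration (this is not part of the paper and not any GRC product's code), the following Python sketches the rule engine that steps 1 through 3 and step 7 rely on: a custom rule set of SoD and sensitive access risks, a role-level and user-level conflict analysis over a role and user population, a check of which user-level conflicts still lack a mapped mitigating control, and a preventative check that simulates a role assignment before it is provisioned. Every transaction code, role, user, risk ID and control ID is constructed for the example.

```python
# Added example, not from the paper: a minimal SoD / sensitive-access rule
# engine of the kind a GRC access-management tool automates. Every transaction
# code, role, user, risk ID and control ID below is hypothetical.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class SoDRule:
    """Two functions that one person must not hold together."""
    risk_id: str
    description: str
    function_a: FrozenSet[str]  # transactions that grant function A
    function_b: FrozenSet[str]  # transactions that grant function B
    risk_level: str


@dataclass(frozen=True)
class SensitiveAccessRule:
    """A single function that is risky on its own."""
    risk_id: str
    description: str
    transactions: FrozenSet[str]
    risk_level: str


# Step 1: the custom rule set (constructed; a real one is driven by the
# organization's risk tolerance and its own transaction catalogue).
SOD_RULES: List[SoDRule] = [
    SoDRule("SOD-01", "Maintain vendor master and post vendor invoices",
            frozenset({"VENDOR_CREATE", "VENDOR_CHANGE"}),
            frozenset({"INVOICE_POST"}), "High"),
    SoDRule("SOD-02", "Post vendor invoices and execute payment run",
            frozenset({"INVOICE_POST"}), frozenset({"PAYMENT_RUN"}), "High"),
]
SENSITIVE_RULES: List[SensitiveAccessRule] = [
    SensitiveAccessRule("SA-01", "Maintain users and role assignments",
                        frozenset({"USER_ADMIN"}), "High"),
]

# Constructed role and user population (role -> transactions, user -> roles).
ROLES: Dict[str, Set[str]] = {
    "AP_CLERK": {"INVOICE_POST", "INVOICE_DISPLAY"},
    "VENDOR_MAINT": {"VENDOR_CREATE", "VENDOR_CHANGE"},
    "TREASURY": {"PAYMENT_RUN"},
    "AP_SUPER": {"VENDOR_CREATE", "INVOICE_POST"},  # conflict built into the role itself
    "SEC_ADMIN": {"USER_ADMIN"},
}
USERS: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "TREASURY"},
    "carol": {"AP_SUPER"},
    "dave": {"SEC_ADMIN"},
}
# Step 4: (user, risk) -> mitigating control already mapped to that pair.
MITIGATIONS: Dict[Tuple[str, str], str] = {("bob", "SOD-02"): "CTL-07"}


def evaluate(transactions: Set[str]) -> List[str]:
    """Return the risk IDs triggered by a set of transactions, in rule order."""
    hits = [r.risk_id for r in SOD_RULES
            if transactions & r.function_a and transactions & r.function_b]
    hits += [r.risk_id for r in SENSITIVE_RULES if transactions & r.transactions]
    return hits


def user_transactions(user: str, users: Dict[str, Set[str]],
                      roles: Dict[str, Set[str]]) -> Set[str]:
    """Union of the transactions granted by every role assigned to the user."""
    return set().union(*(roles[r] for r in users.get(user, set())))


def role_conflicts(roles: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Step 3, role level: roles that carry a risk inside themselves."""
    return {name: hits for name, tx in roles.items() if (hits := evaluate(tx))}


def user_conflicts(users: Dict[str, Set[str]],
                   roles: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Step 2, user level: risks arising from the combination of assigned roles."""
    return {u: hits for u in users
            if (hits := evaluate(user_transactions(u, users, roles)))}


def unmitigated_user_conflicts(users, roles, mitigations) -> Dict[str, List[str]]:
    """User-level risks with no mitigating control mapped to that user/risk pair."""
    out: Dict[str, List[str]] = {}
    for u, risks in user_conflicts(users, roles).items():
        open_risks = [r for r in risks if (u, r) not in mitigations]
        if open_risks:
            out[u] = open_risks
    return out


def preventative_check(user, new_role, users, roles, mitigations) -> Dict[str, List[str]]:
    """Step 7: simulate a role assignment without provisioning it."""
    current = user_transactions(user, users, roles)
    before = set(evaluate(current))
    after = evaluate(current | roles[new_role])
    new_risks = [r for r in after if r not in before]
    mitigated = [r for r in new_risks if (user, r) in mitigations]
    return {"new_risks": new_risks, "mitigated": mitigated,
            "unmitigated": [r for r in new_risks if r not in mitigated]}


if __name__ == "__main__":
    print("role-level:", role_conflicts(ROLES))
    print("user-level:", user_conflicts(USERS, ROLES))
    print("open:", unmitigated_user_conflicts(USERS, ROLES, MITIGATIONS))
    print("request:", preventative_check("alice", "VENDOR_MAINT", USERS, ROLES, MITIGATIONS))
```

The design keeps rules, population and mitigations as separate inputs so the same evaluate() serves the one-off analysis of step 2, the role cleansing of step 3 and the pre-provisioning check of step 7; a preventative check that reports new_risks with an empty unmitigated list is the case the paper describes as acceptable, provided the approving role or risk owner has signed off.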
8. Implement a Comprehensive Emergency Access Process
Implement a process and enabling technology to automate and control the use of elevated or excessive access. This will provide greater control and visibility to the activities that are taking place when emergency access is needed.
9. Develop Effective User Access Recertification Process
Implement an effective process and enabling technology to manage the user to role assignment recertification process. This is becoming a stronger requirement for internal and external compliance teams. The recertification process will allow approvers to review user to role assignments and take the appropriate steps to retain or remove the access.
10. Implement Effective Mitigating Control Recertification Process
The linkage of mitigating controls to access risks should be recertified on a set, periodic frequency. Doing so allows the controls and compliance team to confirm that the mitigating controls are operating effectively and appropriately addressing the risk. As part of the recertification process, the user-to-risk-to-control linkage should be reviewed to validate that the control-to-risk combination is appropriate for that user. The mitigating control recertification process can be executed in parallel with the user access recertification process.
These guiding principles provide a framework for organizations to effectively and efficiently address SoD and sensitive access risks within their ERP systems. These steps can help organizations become compliant with regard to access risks and implement a culture, process, and enabling technology to manage access risks going forward.