The Need to Identify Cross-Application Segregation of Duties Risks


By Patrick Wadland posted 11-23-2021 10:02 AM


As little as ten years ago, companies would tell you that they are an Oracle shop, or a Dynamics shop, or an SAP shop – identifying themselves with the ERP they used to run their business.

Now, with best-of-breed solutions, companies might be using Oracle as their ERP, Workday to manage their employee master data, and Coupa for procure-to-pay (payments, purchase orders, etc.). So, it is no longer true that all transactions take place in one particular system. Instead, transactions and even entire business processes can flow through multiple applications.

This opens the door to a significant segregation of duties (SOD) issue: A transaction might begin in one application and be completed in another.

For example, Salesforce is a common CRM system, so it is entirely possible to book a sales order or maintain customer master data in Salesforce, but the AR invoice associated with that sales order is issued through the ERP, like Oracle Cloud.

Unless attention is paid to how each transaction is processed through the various business applications, a user might be able to commit fraud and avoid detection for some time.

According to Gartner, "Effective segregation of duties (SOD) controls can reduce the risk of internal fraud by up to 60% through early detection of internal process failures in key business systems."

A common misconception is that "segregation of duties" only applies to the name given to the user's access into the application ("job role" in Oracle Cloud, "responsibility" in Oracle EBS, "security group" in Workday, "profile" in Salesforce, etc.).

The truth is that SOD conflicts are not driven by the names given to the job roles (or responsibilities) themselves but by access to the underlying security objects ("function" in Oracle EBS, "privilege" in Oracle Cloud, etc.) allowed by them.

Instead, businesses should focus on what the user can do at the granular level to properly analyze and determine all of the true SOD conflicts within your business applications.

Management should work with department subject matter experts, internal auditors, and risk management teams to perform business process walkthroughs related to SOD and access risks. Start with the highest risk areas first and work your way down. And be aware that some of these processes can span across business systems.

Fastpath provides tools that analyze access in your business software, by user or job role, down to the lowest security level and report conflicts or risks associated with that access. Fastpath's Segregation of Duties module also can evaluate conflicts across applications to provide full SOD management in today's multi-application and cross-application environments.