Towards a Framework for Segregation of Duties

Posted on 09-Feb-2016

DESCRIPTION

University of Waterloo Centre for Information Systems Assurance, 5th Symposium on Information Systems Assurance. Towards a Framework for Segregation of Duties. Akhilesh Chandra, The University of Akron; Megan Beard, Deloitte & Touche USA LLP. Toronto, Canada: October 11-13, 2007. PowerPoint presentation.

TRANSCRIPT

Towards a Framework for Segregation of Duties

Akhilesh Chandra, The University of Akron

Megan Beard, Deloitte & Touche USA LLP

Toronto, Canada: October 11-13, 2007

University of Waterloo Centre for Information Systems Assurance

5th Symposium on Information Systems Assurance

• SOD is not a new concept

• But a few developments have made it necessary to revisit the concept…

• SOD is a common element across
  – control frameworks (e.g., COSO, COBIT, ERM, etc.), and
  – corporate governance frameworks (e.g., SOX)

• Revisiting SOD also stems from features of the current business model:
  – Integrated business processes
  – Extended, collaborative supply chains

• SOD as a preventive control mechanism is probably the most effective and economical alternative

• Therefore, both theory and practice can benefit from models of effective SOD that companies can adapt to their control environment and business practices

To protect information resources, an effective SOD model should:

1. Balance security and availability needs
2. Lend itself to automation for:
   • Design and implementation
   • Verification and assurance
   • Quickly adapting to changes

These features should help achieve the three goals of security and control: confidentiality, integrity, and availability

• SOD based on the business roles users play in organizations provides a stable and effective means to achieve these goals.

Role based SOD

• Access granted to information resources based on roles performed by users

• Controls are tied and mapped to roles

• A cross functional team evaluates existing roles and associated tasks to accommodate changes in business processes and practices

Steps…

• Identify a set of tasks necessary to complete a business function.

• Map tasks to the application system functionality.

• Group tasks by business cycles.

• Within each cycle, define roles by the necessary function and access for each information resource.

Business functions

[Figure: Business functions as a sequential process of Task1, Task2, … Taskn]

A business function is decomposed into a series of interrelated tasks

[Figure: Segregation of Duties risk matrix. Axes: Vulnerability (L/H) and Risk Impact on Value (L/H). Quadrant labels: No Restrictions Required; Risk Mitigation through Compensating Controls (two quadrants); Cumulative Impact?; Implement Segregation of Duties. Duties shown: Custody, Authorization, Recording.]

SOD Evaluator

Identify tasks that need to be segregated based on risk-vulnerability analysis

[Figure: Business functions, Task1 … Taskn, grouped into the Revenue cycle, Inventory cycle and Financial cycle]

Tasks are grouped by business cycles

[Figure: Financial cycle, Task6 to Task9, grouped into Role 1 and Role 2]

Roles are defined within each cycle

[Figure: Illustration of role based SOD model, single application. Business Cycles (Revenue, Production, Financial, Expenditure, HR) define Roles, which are assigned to Users; the roles map onto a single application system (R/3).]

[Figure: Illustration of role based SOD model, multiple applications. The same business cycles, roles and users, with the roles spanning several application systems (Legacy, 11i, R/3, …).]

[Figure: Role hierarchy. Roles are arranged in a tree beneath the business cycles, with privileges passed down the tree by inheritance.]

Some specific features

• The model lends itself to automation.
• Changes are made at the root level.
• Hierarchical modeling of roles can allow inheritance of privileges based on business rules.
• Invariant to best-of-breed ERP business models.

[Table: SOD conflict matrix for IT functions. Rows and columns: Systems analysis, Application programming, Business decisions, DB administration, Network administration, Systems administration, Tape library function, Systems programming, Quality assurance function. The column positions of the marks did not survive; the marks per row are:]

Systems analysis: x x x
Application programming: x x x x x x
Business decisions: x x x x x x x x
DB administration: x x x x
Network administration: x x x
Systems administration: x x x
Tape library function: x x x x x x x
Systems programming: x x x x x
Quality assurance function: x x

‘x’ indicates segregation of duties conflicts. Adapted from ISACA Guidelines.

Few examples

Expenditure cycle

Related Accounts: Operating Expense, Payables, Accrued Expense, Prepaid Expense

Revenue Cycle

Business Cycle: Revenue. SOD Conflict: Description

Customer Maintenance & Cash Application: User can create/maintain customer information and apply cash to the customer.

Customer Invoicing & Cash Application Entry: User can create customer invoices, in combination with the ability to perform cash application.

Sales Order Entry & Cash Application: User can create a sales order and apply cash to the sales order.

Customer Maintenance & Invoicing: User has the ability to create/maintain customer information, in combination with the ability to invoice the customer.

Customer Maintenance & Sales Order Entry: Creation of sales orders for unauthorized customers.

Sales Invoicing & Customer Credit: User can create a sales invoice and modify the customer credit/payment terms.

Sales Invoices & Sales Update: User can create sales invoices and perform the sales update process.

Sales Order Entry & Invoicing: User can create a sales order and invoice the sales order.

Sales Order Release & Sales Invoicing: User has the ability to release and invoice a sales order.

Sales Invoices & Sales Price Maintenance: User has the ability to create invoices and modify pricing structures.

Sales Order Entry & Release: User can both enter and release/ship a sales order.

Sales Order Entry & Sales Pricing: User has the ability to enter sales orders and modify pricing structures.

Sales Invoice & Receive Goods: Access to Enter Invoice and Create Automatic Receipts will allow a user to create a fictitious invoice and then record receipts against the invoice.

Related Accounts: Sales, Receivables, Allowance for Doubtful Accounts

Fixed Assets

Business Cycle: Fixed Assets. SOD Conflict: Description

Fixed Asset Maintenance & Transaction Processing (Disposal or Acquisition): Initiate Disposal of Fixed Assets conflicts with Edit Fixed Asset Master File. If one individual has responsibility for more than one of these functions, that individual could misappropriate assets and conceal the misappropriation.

Fixed Asset Maintenance & Depreciation: Record Fixed Asset Transactions conflicts with Edit Fixed Asset Master File. One person should not have responsibility for both access to assets and maintaining the accountability for such assets.

Fixed Asset Disposal & Adjustment: Initiate Disposal of Fixed Assets conflicts with Record Fixed Asset Transactions. One person should not have responsibility for both access to assets and maintaining the accountability for such assets.

Asset Depreciation & Depreciation Adjustment: One person should not calculate depreciation and create journal entries to adjust the depreciation account. There is an increased risk of misstating depreciation due to inaccurate calculations.

Asset Acquisitions & Transaction Authorization: Asset Acquisitions conflicts with Transaction Authorization. One person should not have the ability to create and approve a purchase requisition for an asset.

Transaction Authorization & Recording: Transaction Authorization conflicts with Transaction Recording. If one individual has authority to authorize and record transactions, there is a high risk of fraudulent activity. Assets may be acquired for personal use but recorded on the books.

Custody of Assets & Disposals of Assets: Custody of Assets conflicts with authority to dispose of assets. There is a risk of early asset disposal for personal use.

Related Accounts: Property, Depreciation Expense
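The steps listed earlier (tasks mapped to roles, roles grouped by cycle, a role hierarchy with inherited privileges, an SOD evaluator driven by the risk/vulnerability matrix) and the Revenue cycle conflict list above can be tied together in a small program. The following is an added example written for this page, not the authors' tool or any vendor's product: it models roles with inheritance, assigns users to roles, and checks each user's effective task set against a conflict list drawn from the Revenue cycle slide. The role names, user names, the impact/vulnerability ratings attached to each conflict pair, and the placement of actions in the matrix quadrants are all constructed assumptions.

```python
"""Toy role-based SOD evaluator (added example, not the presentation's own code).

Roles inherit tasks from parent roles; a user's effective tasks are the union
over every role held; each conflicting pair found is mapped to an action via
the risk-impact x vulnerability matrix from the slides.
"""
from dataclasses import dataclass, field

# Tasks named after the Revenue cycle conflict list on the page.
CUSTOMER_MAINTENANCE = "Customer Maintenance"
CASH_APPLICATION = "Cash Application"
SALES_ORDER_ENTRY = "Sales Order Entry"
SALES_ORDER_RELEASE = "Sales Order Release"
INVOICING = "Customer Invoicing"
CREDIT_MAINTENANCE = "Customer Credit"

# Conflict list: pairs of tasks one user must not hold together, each with a
# (risk impact on value, vulnerability) rating of H or L. Ratings are constructed.
CONFLICTS = {
    frozenset({CUSTOMER_MAINTENANCE, CASH_APPLICATION}): ("H", "H"),
    frozenset({SALES_ORDER_ENTRY, CASH_APPLICATION}): ("H", "H"),
    frozenset({CUSTOMER_MAINTENANCE, INVOICING}): ("H", "L"),
    frozenset({SALES_ORDER_ENTRY, SALES_ORDER_RELEASE}): ("L", "H"),
    frozenset({INVOICING, CREDIT_MAINTENANCE}): ("H", "H"),
}


def required_action(impact: str, vulnerability: str) -> str:
    """Map a (impact, vulnerability) rating to a quadrant action.
    Quadrant placement is an assumption: H/H -> segregate, L/L -> nothing,
    mixed -> compensating controls."""
    if impact == "H" and vulnerability == "H":
        return "Implement Segregation of Duties"
    if impact == "L" and vulnerability == "L":
        return "No Restrictions Required"
    return "Risk Mitigation through Compensating Controls"


@dataclass
class Role:
    name: str
    tasks: set = field(default_factory=set)
    parents: list = field(default_factory=list)  # roles this role inherits from


def effective_tasks(role: Role) -> set:
    """Walk up the role hierarchy: a role holds its own tasks plus every
    task of its ancestors (inheritance of privileges)."""
    seen, stack, tasks = set(), [role], set()
    while stack:
        r = stack.pop()
        if r.name in seen:
            continue
        seen.add(r.name)
        tasks |= r.tasks
        stack.extend(r.parents)
    return tasks


def evaluate(assignments: dict) -> dict:
    """assignments: user -> list of Role.
    Returns user -> list of (task_a, task_b, action) for each conflict held."""
    findings = {}
    for user, roles in assignments.items():
        held = set()
        for r in roles:
            held |= effective_tasks(r)
        for pair, (impact, vuln) in CONFLICTS.items():
            if pair <= held:
                a, b = sorted(pair)
                findings.setdefault(user, []).append(
                    (a, b, required_action(impact, vuln)))
    return findings


# Constructed role hierarchy for a single application.
AR_CLERK = Role("AR Clerk", {CASH_APPLICATION})
ORDER_DESK = Role("Order Desk", {SALES_ORDER_ENTRY})
WAREHOUSE = Role("Warehouse", {SALES_ORDER_RELEASE})
# The supervisor role only adds customer maintenance, but inherits cash
# application from AR Clerk, which is where the conflict comes from.
AR_SUPERVISOR = Role("AR Supervisor", {CUSTOMER_MAINTENANCE}, parents=[AR_CLERK])


def demo() -> dict:
    """Constructed user-to-role assignments exercising each case."""
    assignments = {
        "alice": [ORDER_DESK],              # no conflict
        "bob": [AR_SUPERVISOR],             # conflict arrives through inheritance
        "carol": [ORDER_DESK, AR_CLERK],    # conflict across two roles
        "dave": [ORDER_DESK, WAREHOUSE],    # L/H pair -> compensating control
    }
    return evaluate(assignments)


if __name__ == "__main__":
    for user, issues in demo().items():
        for a, b, action in issues:
            print(f"{user}: {a} & {b} -> {action}")
```

Because the evaluator recomputes effective tasks from the hierarchy on every run, a change to a parent role (the "root level" change the slides mention) is reflected in every descendant without editing each role, and the same conflict list can be reused against a second application's role tree.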

A Primary challenge…

• is the time-intensive nature of implementing role based access controls.

• But this is an investment in preventive controls that is more cost effective than the alternatives (corrective or detective)

Comparison with alternative models

• Discretionary controls
  – On a need-to-know basis
  – Users can potentially transfer privileges to others
  – Enhanced risk when users have the ability to set their own access privileges

• Mandatory controls
  – Access based on distinct levels of authorization
  – Control problems in securing data with lower-level classification
  – As security clearance broadens, users begin to gain access that may not correspond with their responsibilities

• Role based
  – Role is a generic concept
  – More stable
  – Relatively invariant to frequent changes in business or systems

Implications

• Reduced cost of regulatory compliance (e.g., section 404 of SOX)
  – Especially for SMEs that are relatively more burdened
• Reduced cost of audit
• Increased operational efficiency
• Continuous monitoring (e.g., section 409 of SOX)
