A Segregation-of-Duties (SOD) conflict can be defined as the situation where one ERP user has access to a combination of critical functions. This combination exposes the organization to the risk of fraud or error and eventually jeopardizes the credibility of its financial reports.
Identifying SOD conflicts in an ERP system is a difficult task. It requires knowledge of all functions in the ERP system, combined with knowledge of what constitutes a conflict, that is, which combinations of functions should be prevented. Typically, these two areas are covered by different disciplines. How this can be done in practice will be explained in the next Habit blog.
Experience shows that when conflicts are identified for the first time, this often results in a large number of conflicts in an average ERP system. Since conflicts are counted for each user, the number of conflicts can grow exponentially if multiple users have similar access. Therefore, to make this process manageable, conflict resolution and/or mitigation should be performed in the following phases:
- Perform statistical analysis on the conflicts to identify the following three categories. This analysis gives guidance on which next steps are most effective.
  - Employees with the most conflicts
  - Employees with the most roles assigned
  - Roles with the most conflicts
- Identify in-role conflicts. This step focuses on the role level, not yet on the employee level. Each role should be reviewed to ensure that no conflicts arise within the authorizations of that single role. Resolving these conflicts first prevents each of them from being multiplied into many employee-level conflicts later in the process.
- Exclude super-user related conflicts. Super-users typically have all possible conflicts and therefore have to be managed separately, for example by only providing super-user access when needed, by recording and auditing their activities (which essentially is a mitigating control), and so on.
- Focus on conflicts for critical functions and/or sensitive data. This step identifies only the conflicts that bear considerable risk to the company, such as access to accounts payable or purchase orders. Some functions are more critical than others and some data is more sensitive than other data. Filtering on these aspects is a logical step to focus attention on the high-risk areas.
- Identify conflicts for used access. Even after the above steps, the number of conflicts might still be very high. Therefore, conflict resolution can be based only on the granted authorizations that are actually used by the ERP user. This step requires additional log data about the functions that were actually executed, but ERP systems typically are capable of capturing and publishing this information.
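The phases above map directly onto a small authorization model: roles grant functions, users hold roles, and a conflict rule names a pair of functions that one person must not hold together. The script below is an added example (not code from the original post or from any ERP vendor) that runs the whole sequence over constructed data: the three statistical rankings, in-role conflicts, super-user exclusion, the critical-function filter, and the used-access filter fed from a constructed usage log. The role names, function names, rules and log entries are all invented for illustration.

```python
"""Phased SOD conflict evaluation over a constructed ERP authorization model.

Added example; all role, user, rule and log data below is constructed and
does not describe any real ERP system.
"""
from collections import Counter

# Role -> functions (transactions) the role authorizes. Constructed sample.
ROLE_FUNCTIONS = {
    "VENDOR_MAINT": {"CREATE_VENDOR"},
    "AP_CLERK": {"POST_INVOICE"},
    "AP_MANAGER": {"APPROVE_INVOICE", "RELEASE_PAYMENT"},
    "PURCHASER": {"CREATE_PO", "APPROVE_PO"},  # conflicting functions inside one role
    "GL_VIEWER": {"VIEW_GL"},
    "SUPER_USER": {"CREATE_VENDOR", "POST_INVOICE", "APPROVE_INVOICE",
                   "RELEASE_PAYMENT", "CREATE_PO", "APPROVE_PO", "VIEW_GL"},
}
# User -> assigned roles. Constructed sample.
USER_ROLES = {
    "alice": {"VENDOR_MAINT", "AP_CLERK", "AP_MANAGER"},
    "bob": {"PURCHASER"},
    "carol": {"GL_VIEWER"},
    "dave": {"SUPER_USER"},
    "erin": {"VENDOR_MAINT", "AP_CLERK", "GL_VIEWER"},
}
# SOD rules: unordered pairs of functions one person must not hold together.
CONFLICT_RULES = {
    frozenset({"CREATE_VENDOR", "RELEASE_PAYMENT"}),
    frozenset({"POST_INVOICE", "APPROVE_INVOICE"}),
    frozenset({"CREATE_PO", "APPROVE_PO"}),
    frozenset({"CREATE_VENDOR", "POST_INVOICE"}),
}
# Functions the business rates as critical; a conflict is critical if it touches one.
CRITICAL_FUNCTIONS = {"RELEASE_PAYMENT", "APPROVE_INVOICE", "APPROVE_PO"}
SUPER_USER_ROLES = {"SUPER_USER"}
# Constructed usage log: (user, function) pairs actually executed in the review period.
USAGE_LOG = [
    ("alice", "CREATE_VENDOR"), ("alice", "POST_INVOICE"), ("alice", "APPROVE_INVOICE"),
    ("bob", "CREATE_PO"),
    ("erin", "POST_INVOICE"),
]


def conflicts_in(functions):
    """Return the rules whose two functions are both present in `functions`."""
    return {rule for rule in CONFLICT_RULES if rule <= functions}


def user_functions(user):
    """Union of the functions granted through all of a user's roles."""
    return set().union(*(ROLE_FUNCTIONS[role] for role in USER_ROLES[user]))


def in_role_conflicts():
    """Phase 2: roles that conflict on their own, before any user is considered."""
    return {role: conflicts_in(funcs) for role, funcs in ROLE_FUNCTIONS.items()
            if conflicts_in(funcs)}


def user_conflicts(exclude_super_users=False, critical_only=False, used_only=False):
    """Conflicts per user; the keyword flags implement phases 3, 4 and 5."""
    used = {}
    for user, function in USAGE_LOG:
        used.setdefault(user, set()).add(function)
    result = {}
    for user, roles in USER_ROLES.items():
        if exclude_super_users and roles & SUPER_USER_ROLES:
            continue  # handled by activity logging and review, not by role design
        funcs = user_functions(user)
        if used_only:
            funcs &= used.get(user, set())  # keep only authorizations actually exercised
        found = conflicts_in(funcs)
        if critical_only:
            found = {rule for rule in found if rule & CRITICAL_FUNCTIONS}
        if found:
            result[user] = found
    return result


def role_conflict_counts():
    """How often each role contributes a function to a user-level conflict."""
    counts = Counter()
    for user, found in user_conflicts().items():
        for rule in found:
            for role in USER_ROLES[user]:
                if ROLE_FUNCTIONS[role] & rule:
                    counts[role] += 1
    return counts


def statistics(top=3):
    """Phase 1: the three rankings that steer where to start."""
    conflicts = user_conflicts()
    return {
        "users_most_conflicts": Counter({u: len(c) for u, c in conflicts.items()}).most_common(top),
        "users_most_roles": Counter({u: len(r) for u, r in USER_ROLES.items()}).most_common(top),
        "roles_most_conflicts": role_conflict_counts().most_common(top),
    }


if __name__ == "__main__":
    print("statistics:", statistics())
    print("in-role conflicts:", {r: len(c) for r, c in in_role_conflicts().items()})
    for label, kwargs in [
        ("all", {}),
        ("no super-users", {"exclude_super_users": True}),
        ("critical only", {"exclude_super_users": True, "critical_only": True}),
        ("critical and used", {"exclude_super_users": True, "critical_only": True, "used_only": True}),
    ]:
        found = user_conflicts(**kwargs)
        print(f"{label}: {sum(len(c) for c in found.values())} conflicts across {len(found)} users")
```

Running the script shows the intended funnel: nine user-level conflicts across four users before filtering, of which only one (a single user who both posted and approved invoices) survives once super-users are excluded and only critical, actually-used combinations are kept. That remaining conflict is where remediation or a mitigating control should start.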
Putting first things first means focusing on the areas that need attention most, and this is what makes the conflict evaluation manageable.