Towards a Framework for Achieving Effective Segregation of


University of Waterloo Centre for Information
Systems Assurance
5th Symposium on Information Systems Assurance
Towards a Framework for Segregation of Duties
Akhilesh Chandra, The University of Akron
Megan Beard, Deloitte & Touche USA LLP
Toronto, Canada: October 11-13, 2007
• SOD is not a new concept
• But a few developments have made it
necessary to revisit the concept…
• SOD is a common element across
– control frameworks (e.g., COSO, COBIT, ERM
etc.), and
– corporate governance (e.g., SOX) frameworks
• Revisiting SOD stems also from the
features of the current business model:
– Integrated business processes,
– Extended, collaborative supply chain
• SOD as a preventive control mechanism is
probably the most effective and economical
alternative
• Therefore, both theory and practice can
benefit from models of effective SOD that
companies can adapt to their control
environment and business practices
To protect information resources, an effective SOD
model should:
1. Balance security and availability needs
2. Lend itself to automation for:
• Design and implementation
• Verification and assurance
• Quickly adapting to changes
These features should help to achieve the three
goals of security and control: confidentiality,
integrity, and availability
• SOD based on the business roles users
play in organizations provides a stable and
effective means to achieve these goals.
Role based SOD
• Access granted to information resources
based on roles performed by users
• Controls are tied and mapped to roles
• A cross functional team evaluates existing
roles and associated tasks to
accommodate changes in business
processes and practices
Steps…
• Identify a set of tasks necessary to
complete a business function.
• Map tasks to the application system
functionality.
• Group tasks by business cycles.
• Within each cycle, define roles by the
necessary function and access for each
information resource.
A business function is decomposed into a series of interrelated tasks
[Figure: business functions broken down into Task1, Task2, … Taskn, arranged as a sequential process]
Identify tasks that need to be segregated based on risk-vulnerability analysis
[Figure: SOD Evaluator. Each task is rated on two axes, Risk Impact on Value (L/H) and Vulnerability (L/H). The outcomes shown are: implement segregation of duties (separating custody, authorization and recording); risk mitigation through compensating controls; and no restrictions required. A further decision node asks whether the risk has a cumulative impact.]
Tasks are grouped by business cycles
[Figure: Task1 … Taskn of the business functions assigned to the revenue cycle, the inventory cycle, the financial cycle, …]
Roles are defined within each cycle
[Figure: within the financial cycle, Task6 and Task7 form Role 1, and Task8 and Task9 form Role 2]
Illustration of role based SOD model – single application
[Figure: users are assigned roles; roles are grouped by business cycle (revenue cycle, expenditure cycle, financial cycle, production cycle, HR cycle); every cycle maps onto a single application system, R/3]
Illustration of role based SOD model – multiple applications
[Figure: users are assigned roles; roles are grouped by business cycle (revenue cycle, expenditure cycle, financial cycle, production cycle, HR cycle, …); the cycles map onto multiple application systems (Legacy, R/3, 11i, …)]
Role hierarchy
[Figure: roles arranged in a hierarchy, with privileges inherited from parent roles to child roles; users are assigned roles; roles are grouped by business cycle (revenue cycle, expenditure cycle, financial cycle, production cycle, HR cycle, …); the cycles map onto multiple application systems (Legacy, R/3, 11i, …)]
Some specific features
• The model lends itself to automation.
• Changes are made at the root level.
• Hierarchical modeling of roles can allow
inheritance of privileges based on
business rules
• Invariant to best-of-breed ERP business
models
[Table: segregation of duties control matrix of IT functions (systems analysis, application programming, business decisions, DB administration, network administration, systems administration, tape library function, systems programming, quality assurance function), each function checked against every other. ‘x’ indicates segregation of duties conflicts. Adapted from ISACA Guidelines.]
A few examples
Expenditure cycle
Related Accounts: Operating Expense, Payables, Accrued Expense, Prepaid Expense
Business cycle: Expenditure
SOD conflict – Risk
• Voucher Entry & Payment Creation – Payment Create conflicts with Voucher Entry. Checks should be approved by someone who did not initiate or prepare the check, in order to minimize the potential for concealment of fraud.
• Vendor Maintenance & Voucher Entry – User has the ability to create/maintain vendors, in combination with the ability to create a voucher for that vendor.
• Authorize Payment & Create Payment – Authorize Payment conflicts with Create Payment. Checks should be approved by someone who did not initiate or prepare the payment, in order to minimize the potential for concealment of fraud.
• Vendor Maintenance & Payment Entry – User can create/maintain vendors and create payments for the vendor.
• Bank Account Maintenance & Vendor Payment – User can modify vendor bank information and create payments.
• Authorize Payment & Maintain Vendor Master – Review, Authorize or Sign Checks conflicts with Edit Vendor Master File. If one individual has responsibility for more than one of these functions, that individual could conceal errors or fraudulent activity.
• Payables Configuration & All Other Payables Functions – User can change configurations that would violate all other SOD rules.
• Print Checks & Enter Vouchers – Printing Checks conflicts with Enter Voucher. Checks should be approved by someone who did not initiate/prepare the payment or someone who entered the voucher, in order to minimize the potential for concealment of fraud.
• Voucher Entry & Payment Approval – Authorize Payments conflicts with Voucher Entry. Checks should be approved by someone who did not initiate or prepare the check, in order to minimize the potential for concealment of fraud.
• Vendor Maintenance & Purchase Order Entry – User has the ability to create/maintain vendors, in combination with the ability to create purchase orders for that vendor.
• Approve Purchase Order & Vendor Maintenance – Authorize Purchases of Fixed Assets conflicts with Edit Vendor Master File. If one individual has responsibility for more than one of these functions, that individual could conceal errors or fraudulent activity.
• Purchase Order Entry & Approval – Purchase orders are processed without prior approval (unauthorized).
• Purchase Order Entry & Receive Goods – User can enter purchase orders and receive goods on the order.
Revenue cycle
Related Accounts: Sales, Receivables, Allowance for Doubtful Accounts
Business cycle: Revenue
SOD conflict – Description
• Customer Maintenance & Cash Application – User can create/maintain customer information and apply cash to the customer.
• Customer Invoicing & Cash Application Entry – User can create customer invoices, in combination with the ability to perform cash application.
• Sales Order Entry & Cash Application – User can create a sales order and apply cash to the sales order.
• Customer Maintenance & Invoicing – User has the ability to create/maintain customer information, in combination with the ability to invoice the customer.
• Customer Maintenance & Sales Order Entry – Creation of sales orders for unauthorized customers.
• Sales Invoicing & Customer Credit – User can create a sales invoice and modify the customer credit/payment terms.
• Sales Invoices & Sales Update – User can create sales invoices and perform the sales update process.
• Sales Order Entry & Invoicing – User can create a sales order and invoice the sales order.
• Sales Order Release & Sales Invoicing – User has the ability to release and invoice a sales order.
• Sales Invoices & Sales Price Maintenance – User has the ability to create invoices and modify pricing structures.
• Sales Order Entry & Release – User can both enter and release/ship a sales order.
• Sales Order Entry & Sales Pricing – User has the ability to enter sales orders and modify pricing structures.
• Sales Invoice & Receive Goods – Access to Enter Invoice and Create Automatic Receipts will allow a user to create a fictitious invoice and then record receipts against the invoice.
Fixed assets
Related Accounts: Property, Depreciation Expense
Business cycle: Fixed Assets
SOD conflict – Description
• Fixed Asset Maintenance & Transaction Processing (Disposal or Acquisition) – Initiate Disposal of Fixed Assets conflicts with Edit Fixed Asset Master File. If one individual has responsibility for more than one of these functions, that individual could misappropriate assets and conceal the misappropriation.
• Fixed Asset Maintenance & Depreciation – Record Fixed Asset Transactions conflicts with Edit Fixed Asset Master File. One person should not have responsibility over both the access to assets and the responsibility for maintaining the accountability for such assets.
• Fixed Asset Disposal & Adjustment – Initiate Disposal of Fixed Assets conflicts with Record Fixed Asset Transactions. One person should not have responsibility over both the access to assets and the responsibility for maintaining the accountability for such assets.
• Asset Depreciation & Depreciation Adjust – One person should not calculate depreciation and create journal entries to adjust the depreciation account. There is increased risk of misstating depreciation due to inaccurate calculations.
• Asset Acquisitions & Transaction Authorization – Asset Acquisitions conflicts with Transaction Authorization. One person should not have the ability to create and approve a purchase requisition for an asset.
• Transaction Authorization & Recording – Transaction Authorization conflicts with Transaction Recording. If one individual has authority to both authorize and record transactions, there is a high risk of fraudulent activity: assets may be acquired for personal use but recorded on the books.
• Custody of Assets & Disposals of Assets – Custody of Assets conflicts with authority to dispose of assets. There is a risk of early asset disposal for personal use.
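The deck describes the role-based model in steps (tasks mapped to roles within a cycle, roles assigned to users, privileges inherited through a role hierarchy) and asks that the model lend itself to automated verification against conflict rules such as those tabulated above. The following Python checker is an added example and is not code from the presentation or its authors. The role names, user names and the role hierarchy are constructed sample data; the conflict pairs are taken from the expenditure-cycle table with task names normalized to one spelling each (an assumption of this example), and the "Payables Configuration & All Other Payables Functions" row is modelled as a wildcard task that conflicts with every other task in the cycle. The check works on each user's effective task set after inheritance, so a conflict that only arises through the hierarchy (a supervisor role inheriting a clerk role) is reported even though no single directly assigned role contains it.

```python
"""Role-based SOD checker (added example; assumptions are noted in comments)."""
from typing import Dict, FrozenSet, List, Set, Tuple

# Conflicting task pairs, constructed from the expenditure-cycle table above.
# Task names are normalized so that each task has exactly one spelling
# (e.g. "Payment Creation" covers "Create Payment", "Payment Entry", "Vendor Payment").
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset(pair) for pair in [
        ("Voucher Entry", "Payment Creation"),
        ("Vendor Maintenance", "Voucher Entry"),
        ("Payment Approval", "Payment Creation"),
        ("Vendor Maintenance", "Payment Creation"),
        ("Bank Account Maintenance", "Payment Creation"),
        ("Payment Approval", "Vendor Maintenance"),
        ("Print Checks", "Voucher Entry"),
        ("Voucher Entry", "Payment Approval"),
        ("Vendor Maintenance", "Purchase Order Entry"),
        ("Purchase Order Approval", "Vendor Maintenance"),
        ("Purchase Order Entry", "Purchase Order Approval"),
        ("Purchase Order Entry", "Receive Goods"),
    ]
}
# "Payables Configuration & All Other Payables Functions": a task that conflicts
# with every other task in the cycle, so it is a wildcard rather than a pair list.
WILDCARD_TASKS: Set[str] = {"Payables Configuration"}

# Roles defined within the expenditure cycle (constructed sample data).
ROLE_TASKS: Dict[str, Set[str]] = {
    "AP Clerk": {"Voucher Entry"},
    "AP Supervisor": {"Payment Approval"},
    "Treasury": {"Payment Creation", "Print Checks"},
    "Vendor Master Admin": {"Vendor Maintenance"},
    "Payables Admin": {"Payables Configuration"},
}
# Role hierarchy: a senior role inherits every task of the junior roles listed.
ROLE_PARENTS: Dict[str, List[str]] = {
    "AP Supervisor": ["AP Clerk"],
}
# Users and their directly assigned roles (constructed sample data).
USER_ROLES: Dict[str, List[str]] = {
    "alice": ["AP Clerk"],
    "bob": ["AP Supervisor"],
    "carol": ["Vendor Master Admin", "AP Clerk"],
    "dave": ["Payables Admin"],
    "erin": ["Payables Admin", "Treasury"],
}


def expand_roles(role: str) -> Set[str]:
    """Return the role plus everything it inherits (transitive closure).

    The visited set makes the walk safe even if the hierarchy contains a cycle."""
    seen: Set[str] = set()
    stack = [role]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(ROLE_PARENTS.get(current, []))
    return seen


def tasks_of_roles(roles: Set[str]) -> Set[str]:
    """Union of the tasks granted by a set of already-expanded roles."""
    tasks: Set[str] = set()
    for role in roles:
        tasks |= ROLE_TASKS.get(role, set())
    return tasks


def effective_tasks(user: str) -> Set[str]:
    """Every task a user can perform once role inheritance is applied."""
    expanded: Set[str] = set()
    for role in USER_ROLES.get(user, []):
        expanded |= expand_roles(role)
    return tasks_of_roles(expanded)


def conflicting_pairs(tasks: Set[str]) -> List[Tuple[str, str]]:
    """All conflicting unordered pairs within one task set, sorted for stable output."""
    found: Set[Tuple[str, str]] = set()
    for a in tasks:
        for b in tasks:
            if a >= b:  # visit each unordered pair exactly once
                continue
            if frozenset((a, b)) in CONFLICTS or a in WILDCARD_TASKS or b in WILDCARD_TASKS:
                found.add((a, b))
    return sorted(found)


def role_conflicts(role: str) -> List[Tuple[str, str]]:
    """Conflicts inside a single role definition, including inherited tasks."""
    return conflicting_pairs(tasks_of_roles(expand_roles(role)))


def user_conflicts(user: str) -> List[Tuple[str, str]]:
    """Conflicts in a user's effective task set across all assigned roles."""
    return conflicting_pairs(effective_tasks(user))


def sod_report() -> Dict[str, List[Tuple[str, str]]]:
    """Verification pass over every user; an empty list means no SOD violation."""
    return {user: user_conflicts(user) for user in USER_ROLES}


if __name__ == "__main__":
    for user, pairs in sod_report().items():
        status = "OK" if not pairs else "; ".join(f"{a} & {b}" for a, b in pairs)
        print(f"{user}: {status}")
```

Running the report flags bob through inheritance alone (Payment Approval from AP Supervisor plus Voucher Entry from the inherited AP Clerk role), carol through two roles that are each clean on their own, and erin through the wildcard rule, while alice and dave pass. The same `role_conflicts` check can be run when a role or a hierarchy edge is created, which is the point at which the deck says changes should be made, so that a conflicting role never reaches a user.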
A primary challenge…
• is the time-intensive nature of
implementing role based access controls.
• But this is an investment in preventive
controls, which is more cost-effective than
the alternatives (corrective or detective controls)
Comparison with alternative
models
• Discretionary controls
– On a need-to-know basis
– Users can potentially transfer privileges to
others
– Enhanced risk when users have ability to set
their own access privileges
• Mandatory controls
– Access based on distinct level of authorization
– Control problems in securing data with a
lower-level classification
– As security clearance broadens, users begin
to gain access that may not correspond with
their responsibilities
• Role based
– Role is a generic concept
– More stable
– Relatively invariant to frequent changes in
business or systems
Implications
• Reduced cost of regulatory compliance
(e.g. section 404 of SOX)
– Especially for SMEs that are relatively more
burdened
• Reduced cost of audit
• Increased operational efficiency
• Continuous monitoring (e.g., section 409
of SOX)