2011-10-01
Enforcing and monitoring segregation of duties (SOD) is an effective means of minimising the risk of fraud. ACL has the ability to extract security rules to independently verify whether there are any weaknesses in your SOD structure. What’s more, where potential SOD issues are identified, ACL can be used to determine whether these rights were exploited. Turning SOD on its head, certain transactions and activities could be monitored to identify whether SOD violations occur, i.e. where the authoriser and approver are the same person.
The segregation of duties analysis does not prevent fraud where more than one individual is in cahoots, but it could help to harmonise the rights of individuals performing similar roles, highlight users with powerful profiles, identify menus, functions, or transactions that have been assigned to a user and never used, or identify user profiles that are being modified prior to or shortly after an audit.
With ACL at your fingertips, there’s no limit to what can be achieved.
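The checks described above (conflicting rights held by one user, whether such a conflict was actually exercised on the same transaction, and rights assigned but never used), sketched as an added Python example. It is not ACL script and not part of the original post; the right names, conflict pairs and log rows are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from any real system).
# Rights assigned to each user, as extracted from the security tables.
ASSIGNED = {
    "alice": {"CREATE_VENDOR", "ENTER_INVOICE"},
    "bob":   {"ENTER_INVOICE", "APPROVE_INVOICE", "RUN_PAYMENT"},
    "carol": {"APPROVE_INVOICE"},
}
# Pairs of rights that one person should not hold together (assumed rule set).
CONFLICTS = [("ENTER_INVOICE", "APPROVE_INVOICE"), ("CREATE_VENDOR", "RUN_PAYMENT")]
# Activity log rows: (document id, user, right exercised).
ACTIVITY = [
    ("INV-1", "alice", "ENTER_INVOICE"), ("INV-1", "carol", "APPROVE_INVOICE"),
    ("INV-2", "bob", "ENTER_INVOICE"),   ("INV-2", "bob", "APPROVE_INVOICE"),
    ("INV-3", "bob", "ENTER_INVOICE"),   ("INV-3", "carol", "APPROVE_INVOICE"),
]

def potential_conflicts(assigned, conflicts):
    """Users whose assigned rights contain both sides of a conflicting pair."""
    return sorted((user, a, b) for user, rights in assigned.items()
                  for a, b in conflicts if a in rights and b in rights)

def exploited_conflicts(activity, conflicts):
    """Documents where a single user exercised both sides of a conflicting pair."""
    used = defaultdict(set)                  # (doc, user) -> rights exercised
    for doc, user, right in activity:
        used[(doc, user)].add(right)
    return sorted((doc, user, a, b) for (doc, user), rights in used.items()
                  for a, b in conflicts if a in rights and b in rights)

def unused_rights(assigned, activity):
    """Rights assigned to a user that never appear in that user's activity."""
    exercised = defaultdict(set)
    for _doc, user, right in activity:
        exercised[user].add(right)
    return {user: sorted(rights - exercised[user])
            for user, rights in assigned.items() if rights - exercised[user]}

if __name__ == "__main__":
    print("Potential:", potential_conflicts(ASSIGNED, CONFLICTS))
    print("Exploited:", exploited_conflicts(ACTIVITY, CONFLICTS))
    print("Unused:   ", unused_rights(ASSIGNED, ACTIVITY))
```

A potential conflict that never shows up in the exploited list is still a weakness in the rights structure; the second check only tells you whether it has been used so far within the log window you extracted.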