I recently chaired a webcast discussion on the topic of Segregation of Duties (SoD) with an invited audience of over 200 internal controls, risk and compliance professionals. Given the numerous requests, I have succumbed to the pressure to document and summarise the key observations and conclusions. It was an interactive webcast with a number of polls, so I am also sharing here some of the new survey data.
The advent of the Sarbanes-Oxley Act in the US some 15 years ago launched the ‘Governance Risk & Compliance’ (GRC) industry in which tens of billions of dollars have been spent on technology, consultancy services and audit fees.
One of the earliest drives in the GRC industry was the automation of Segregation of Duties (SoD) analysis for ERP systems. With the dire warnings of jail sentences for CFOs who did not invest in SoD, it was, in retrospect, the GRC industry’s Year 2000 moment, when Fear, Uncertainty and Doubt (FUD) reigned supreme.
Today’s organisations are being encouraged to invest further in software for GRC and SoD in particular, now extolling the virtues of extending automation and new visualisation technology and dashboards.
Having worked in this field for 17 years as a service provider, challenging received wisdom and trying to develop smarter ways of operation, I had my ‘Eureka’ moment a couple of weeks ago.
In preparing the webcast entitled ‘The Last Mile of SoD’, I was struck by a comment on LinkedIn: “Why is implementing GRC Access Control so easy, but cleaning up access such an uphill task?”
It made me think more deeply.
When polled about the current state of SoD in the organisation, the single largest response from the webcast attendees was “We have an SoD process and technology in place, but the process is not operating smoothly”.
Most SoD journeys have a painfully similar narrative, and one that is destined to be a repetitive loop if we do not address the fundamental issue:
- A long-running, low-level awareness of ‘dial-tone’ user access compliance issues
- An eventual Audit finding
- Sudden frenzy of activity
- SoD ‘project’ initiation
- GRC Software selection & acquisition
- Access Control ‘project’
- Remediation of low-hanging fruit
- Audit focus moves on to higher priority issues, followed by management focus
- Residual operational SoD and sensitive access issues remain, evolve and increase
- The organization evolves like any other dynamic, living organism, with constant change of:
  - Organisation, processes, systems, job roles, people
  - Staff, subcontractors and business partners
So there should be little surprise that with no sustaining business activity to manage SoD compliance, the initiative will fall into disrepair and disrepute.
64% of respondents stated that the biggest inhibitor to sustainable SoD success is “business commitment, ownership, clarity and buy-in to the process”. “What process?” I hear you cry!
Having reviewed the literally hundreds of SoD related engagements we have run over the past 17 years, we came to the following conclusions on the most critical factors for success in sustaining effective SoD policies:
- SoD is not a project, it’s a PROCESS
  - This confusion is the cause of more pain and wasted effort than everything else combined. It is understandable that it is typically perceived as a project ‘to fix something’, especially as it is usually built around the business case for acquisition of software and associated consulting services. But projects have a start and an end and a clear set of deliverables. A process, on the other hand, comprises a repeated sequence of tasks that are known at the outset. When it comes to applying SoD policies in the dynamic life-form of a business, with organisation changes, process changes, system changes and the constant movement of joiners, movers, promotions and leavers across employed staff, subcontractors and business partners, there is clearly a process required. Part of the problem in understanding is the way that SoD has been portrayed by the GRC industry as a ‘Get Clean’ project (implying a start and end) followed by something more amorphous and often postponed called a ‘Stay Clean’ project.
- Process governance is key
  - As with most processes, overall governance trumps everything else. We have documented the lessons learned by all the organisations we have worked with. We call it the ‘Pentagon’ playbook.
- “Think Global, Act Local”
  - Whilst these initiatives start centrally and may be managed centrally, risk management is a front line operational task. We need to work out how to genuinely engage devolved business management in risk remediation. They are the first line of defence, after all!
- The poll respondents were largely evenly split in terms of technology usage between those using ERP vendor provided SoD tools, best-in-class independent tools and “no tools/desktop tools only”. Given the findings were common amongst all three groups, it does tend to reinforce the sense that the biggest issues lie elsewhere!
- The technology card is usually overplayed. That said, if you have a complex ERP, you probably need an off-the-shelf tool to track the 70,000-90,000 transaction options that can be allocated to users and to monitor them continuously for SoD conflicts.
- The SoD process ‘business as usual’ is hard to sustain without the controls step being automatically embedded in a workflow.
A good start to process thinking is to develop a template for your end-to-end access control process for each business process and system, or at least the systems in compliance scope (although I recommend that you address all systems over time). It’s a simple matrix to build in Excel or Word, but, for most organizations, very difficult to complete! Try it, it’s a good indicator of maturity of process and system governance in the organization.
One of the biggest issues we identified is that SoD remediation (the decisions and actions that need to be taken when SoD issues/violations arise) is a local business task, but business management are rarely prepared with the relevant information, knowledge and organizational best practice to discharge this responsibility effectively. As a result, it often gets ‘parked’, delegated or abdicated.
We shared some techniques in the webcast, which are free to use. You can see the webcast recording at http://www.consider.biz/webcast-last-mile-sod/
One of the key recommendations is to understand and agree the appropriate ‘Unit of Management’ (UoM) in the business for risk related SoD decisions. In some organisations this is a region or a country, in others it’s a business unit or company. The key is to agree amongst stakeholders and process owners what the right level is, get it confirmed and communicated, and then to set about ‘Getting Decisions Made’.
Key lessons in ‘Getting Decisions Made’ are summarised below. Again you can get more insight in the webcast.
- Develop an End-to-End Process Governance Framework and Understanding
- Develop an understanding of business risks vs business tasks vs business priorities
- Engaging Units of Management in the decision-making process (NB: not training them in your GRC tool)
- Design & operation of EFFECTIVE compensating controls, and clarify the responsibility and accountability that comes from accepting residual SoD risk.
- Develop a sustaining Business-as-Usual ‘Stay Clean’ user access control process
Interestingly, only 2% of those surveyed claimed to have compensating controls that worked effectively across the organisation. There are several reasons for this, but it underlines the fact that today’s end-to-end SoD approach is not serving organisations very well.
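Compensating controls only count if somebody owns them and they are still in force; the 2% figure above suggests that most are neither. What follows is an added example, not code from the webcast, from the author or from any GRC product. It shows the mechanics behind the points made earlier about monitoring transaction assignments for SoD conflicts and about accepting residual risk: each user's business functions are derived from their roles, a small conflict rule set is evaluated, a mitigation register (compensating control with owner and expiry date) is consulted, and the open decisions are grouped by Unit of Management so that each local owner sees only their own queue. Every transaction code, role, rule, user, UoM, control ID and date is constructed for illustration and corresponds to nothing in any real ERP.

```python
"""Minimal SoD conflict check with a mitigation register (illustrative example)."""
from dataclasses import dataclass
from datetime import date

# --- Constructed sample data: every identifier below is hypothetical ---------

# Business functions and the transactions (any one of which) grant them.
FUNCTIONS = {
    "CREATE_VENDOR": {"VEND_CREATE", "VEND_CHANGE"},
    "POST_PAYMENT":  {"PAY_POST", "PAY_RELEASE"},
    "CREATE_PO":     {"PO_CREATE"},
    "APPROVE_PO":    {"PO_APPROVE"},
    "GOODS_RECEIPT": {"GR_POST"},
}

# SoD rules: pairs of functions one person must not hold together.
RULES = {
    "R01": ("CREATE_VENDOR", "POST_PAYMENT"),
    "R02": ("CREATE_PO", "APPROVE_PO"),
    "R03": ("CREATE_PO", "GOODS_RECEIPT"),
}

# Roles bundle transactions; users hold roles; users belong to a Unit of Management.
ROLES = {
    "AP_CLERK":    {"VEND_CREATE", "PAY_POST"},
    "BUYER":       {"PO_CREATE", "GR_POST"},
    "PO_APPROVER": {"PO_APPROVE"},
}
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob":   {"BUYER", "PO_APPROVER"},
    "carol": {"BUYER"},
}
USER_UOM = {"alice": "UK", "bob": "DE", "carol": "DE"}

# Reporting date used by the stand-alone run below (hypothetical).
AS_OF = date(2025, 6, 1)


@dataclass(frozen=True)
class Mitigation:
    """A compensating control accepted for one (user, rule) pair, with an owner and an expiry."""
    control_id: str
    owner: str
    expires: date


# Mitigation register keyed by (user, rule). carol's control lapsed in early 2024.
MITIGATIONS = {
    ("alice", "R01"): Mitigation("CC-07", "ap.manager", date(2025, 12, 31)),
    ("carol", "R03"): Mitigation("CC-12", "procurement.lead", date(2024, 1, 31)),
}


def user_transactions(user):
    """Flatten a user's roles into the set of transactions they can execute."""
    return set().union(*(ROLES[r] for r in USER_ROLES.get(user, ())))


def user_functions(user):
    """A user holds a business function if they can execute any transaction that grants it."""
    tx = user_transactions(user)
    return {f for f, grants in FUNCTIONS.items() if grants & tx}


def find_violations(as_of):
    """Return {(user, rule): status}; status is 'unmitigated', 'mitigated' or 'expired'.

    An expired control is reported on its own rather than counted as mitigated:
    residual risk someone accepted a year ago is not risk anyone is accepting today.
    """
    result = {}
    for user in USER_ROLES:
        held = user_functions(user)
        for rule, (a, b) in RULES.items():
            if a in held and b in held:
                m = MITIGATIONS.get((user, rule))
                if m is None:
                    result[(user, rule)] = "unmitigated"
                elif m.expires < as_of:
                    result[(user, rule)] = "expired"
                else:
                    result[(user, rule)] = "mitigated"
    return result


def decisions_by_uom(violations):
    """Group open items (anything not 'mitigated') by Unit of Management, sorted for stable reports."""
    queue = {}
    for (user, rule), status in violations.items():
        if status == "mitigated":
            continue
        queue.setdefault(USER_UOM[user], []).append((user, rule, status))
    return {uom: sorted(items) for uom, items in queue.items()}


if __name__ == "__main__":
    found = find_violations(AS_OF)
    for uom, items in decisions_by_uom(found).items():
        print(f"{uom}: {len(items)} decision(s) required")
        for user, rule, status in items:
            print(f"  {user:<6} {rule}  {status}")
```

Run stand-alone, the report for June 2025 lists three open decisions for the DE unit (bob holds both sides of R02 and R03 with no control at all; carol's control for R03 has expired) and nothing for the UK, because alice's accepted risk is still within its review date. A real ERP has tens of thousands of transactions and rule sets of hundreds of conflicts, so a tool is still needed for the data plumbing; the point here is the shape of the output, a decision queue per UoM with a named control owner and a date, rather than a global violation count nobody owns.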
It seems that the answer is all in the process. Any process that works effectively across an organization has some common characteristics:
- Consensus on Purpose or Desired Outcome
- A clear set of owners, stakeholders, and participants
- A mechanism to measure and communicate progress or successful completion
- A governance structure by which the process is steered, managed and overseen
- A clear process design – ‘what good looks like’
- Clear agreement on who is executing the individual parts of the process and where it takes place
- Some automation or enabling technology
- A defined set of skills and capability required against which resources can be allocated
- A mechanism to assess the impact on the customer, areas of success or underachievement, and to identify areas of improvement or required change
The end-to-end SoD process is no different. We need ALL these things. Without any one of these, the process falters and no amount of technology can assist!
Delegating the process to the IT department is not the answer. In fact, when you take this approach, it becomes obvious that it is not even possible. The majority of risk is in the business … IT can help, but they are not in a position to make business decisions on job roles, organization and process in business functions such as finance.
A template governance framework has been developed and shared. The image is at the top of this post.
If you are involved in this journey, to avoid a lot of frustration down the road, please ENSURE that you engage (candidate or existing) process owners, stakeholders and participants in an objective self-assessment of current and desired achievement levels on each of the nine themes, axes, segments (whatever you want to call them). This will drive consensus on achievements, issues and priorities for the future.
It is worth a small investment of effort.
Thanks for reading . . .