The reasons to acquire a tool to control authorizations within critical enterprise-wide systems may vary. The goal is always the same – managing risk. In the case of SOD (segregation of duties) issues the risk lies in the abuse of rights granted to individuals within critical enterprise systems.
- Why would a loyal employee want to do that?
- How do I prevent individuals from misusing their privileges?
- Where should I start with the remediation?
- What should be the scope of my SOD checks?
- What are effective strategies to minimise a major part of the SOD risk?
- Do all SOD issues have the same potential impact?
Well, there are different theories explaining the fraudulent tendencies of employees. In the basic model we speak of the so-called fraud triangle.
As seen in the image below, there are three factors that lead to fraud being committed by employees.
- Pressure – what drives a person to commit fraud (e.g. gambling, greed, medical bills)
- Opportunity – the ability to commit fraud
- Rationalization – the person reconciling the act with his or her own view of themselves
Of course these models offer a simplified view, and there are more advanced models like the fraud pentagon used by Crowe Horwath, which introduces further factors influencing the behaviour of individuals, such as arrogance and competence [1]. Nevertheless, the only element that can be systematically influenced is the opportunity factor. By granting employees the opportunity to execute more than one process step, companies run the risk that arrogant employees under pressure and without ethical constraints use their competence to bypass the given process controls and commit fraud.
A tool for SOD management enables the analysis of the opportunities arising from authorizations granted in critical systems. To assess whether the authorizations provide employees with such opportunities, there has to be a set of rules reflecting the combinations of critical process steps that enable a misuse of privileges.
How do I prevent individuals from such a misuse of their privileges?
There is a wide range of options:
- ACCEPT the opportunity risk – there is a minimum risk due to
  - High ethical standards (Pre-employment screening, Training, Procedures & Policies or Incentives)
  - Detection mechanisms (Whistle-Blowing, Audits, Investigations)
- MITIGATE the SOD risks by implementing and executing Compensating Controls
  - There is on-going effort associated with this solution
  - For more see “Closing the loop on the remediation cycle – Automating your compensating controls”
- REMOVE the access and ensure SOD
  - Ensure the authorizations are limited to one process step
I have tens of thousands of SOD violations in my systems. Where should I start with the remediation?
It is easy to get overwhelmed by the number of violations discovered after the initial installation, the first data extraction and an SOD analysis run with out-of-the-box rules. The basic principle is to start with the rules themselves and assess the relevance and risk of the opportunities that sets of authorizations in the target system provide. Once the dangerous process step combinations have been identified and assessed, organization- and system-specific rules can be defined. With these rules the SOD violations give an indication of the opportunities actually provided to employees.
Even with my custom-tailored rules I have thousands of SOD violations. What are effective strategies to minimise a major part of the SOD risk?
There is a general principle we can make use of in this case too – the Pareto principle. The Pareto principle (also known as the 80–20 rule) states that, for many events, roughly 80% of the effects come from 20% of the causes [3][4]. In our case a few of the most dangerous authorisations usually generate most of the violations.
Authorization concepts in most systems group functional responsibilities into entities (e.g. in SAP these are defined as roles). In the first iterations the remediation focus should be centred on strong authorisation entities (containing a wide range of authorisations) assigned to employees, and on super-users with multiple violating authorisation entities.
1. Strong authorisation entities increase user management transparency and decrease the administrative overhead associated with authorisation provisioning. In most cases, however, the benefits of a limited number of strong entities are outweighed by the required mitigation effort. Splitting strong authorisation entities is highly recommended to remediate high volumes of indicated SOD violations.
2. Super-users with multiple violating authorisation entities are inevitable and can be part of sound business processes. Different strategies can be applied to cope with the associated risk depending on the type of user group:
- Employees in small organisational units cannot be restricted to single process steps due to the limited number of staff. On the other hand, their authorisations should be limited at organisation and document type level to prevent far-reaching misuse.
- System or Business Process Owners (SO and BPO) are in charge of a certain area or function, and by the nature of their responsibility strong application rights are provided. In this case the control management function is at stake. The authorisations can be limited to display-only access, decreasing the number of violations.
- Not all business streams allow an effective process-step-oriented responsibility split. Some commodities or services require a business-stream-oriented responsibility split, which means that certain employees control major parts of a business process. Analogously to small organisational units, authorisations should be limited at organisation and document type level to prevent far-reaching misuse.
- Modern systems are complex, and with complexity the potential for system issues increases. To offer a stable and reliable system, IT support functions need wide-ranging authorisations that enable a quick reaction to unexpected problems. This is a valid requirement, but the execution has to take place in a controlled way to minimise the associated high SOD risk potential. A rigid, automated Emergency Access process with pre-defined access levels and log monitoring safeguards the necessary transparency.
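To make the rule-based analysis and the Pareto-style remediation focus concrete, here is an added example in Python. It is not code from the article or from any SOD product: the process steps, the rules, the roles (including the deliberately strong role FI_ALL), the user assignments and the function names are all constructed for illustration. The block evaluates conflict rules against each user's effective process steps, ranks the roles by the number of violations they contribute to, and then simulates splitting the strong role into single-step roles to show how much of the violation volume that one remediation removes.

```python
from collections import Counter

# Constructed sample data (hypothetical; not from the article or a real system).
# A role grants a set of process steps. FI_ALL is a deliberately strong role.
ROLES = {
    "FI_ALL": {"create_vendor", "post_invoice", "release_payment"},
    "AP_CLERK": {"post_invoice"},
    "VENDOR_ADMIN": {"create_vendor"},
    "TREASURY": {"release_payment"},
    "FI_DISPLAY": {"display_invoice"},  # display-only, conflicts with nothing
}

# SOD rules: each rule names two process steps one person must not hold together.
RULES = {
    "R01": ("create_vendor", "post_invoice"),
    "R02": ("create_vendor", "release_payment"),
    "R03": ("post_invoice", "release_payment"),
}

# Constructed user-to-role assignments.
USERS = {
    "alice": {"FI_ALL"},
    "bob": {"FI_ALL", "FI_DISPLAY"},
    "carol": {"FI_ALL"},
    "dave": {"AP_CLERK", "VENDOR_ADMIN"},
    "erin": {"AP_CLERK"},
    "frank": {"TREASURY", "FI_DISPLAY"},
}


def steps_with_source(user_roles, roles=ROLES):
    """Map each process step the user can execute to the roles granting it."""
    granted = {}
    for role in user_roles:
        for step in roles.get(role, ()):
            granted.setdefault(step, set()).add(role)
    return granted


def user_violations(user_roles, rules=RULES, roles=ROLES):
    """Return {rule_id: roles contributing to the conflict} for each violated rule."""
    granted = steps_with_source(user_roles, roles)
    hits = {}
    for rule_id, (step_a, step_b) in rules.items():
        if step_a in granted and step_b in granted:
            hits[rule_id] = granted[step_a] | granted[step_b]
    return hits


def analyse(users, rules=RULES, roles=ROLES):
    """Violation report per user: {user: {rule_id: contributing roles}}."""
    return {user: user_violations(assigned, rules, roles) for user, assigned in users.items()}


def total_violations(report):
    """Number of (user, rule) violation instances in a report."""
    return sum(len(hits) for hits in report.values())


def rank_roles(report):
    """Count per role how many violation instances it contributes to, most first."""
    counts = Counter()
    for hits in report.values():
        for contributing in hits.values():
            counts.update(contributing)
    return counts.most_common()


def share_of_top(report, k):
    """Fraction of all violation instances that involve one of the top-k roles."""
    top = {role for role, _ in rank_roles(report)[:k]}
    total = total_violations(report)
    covered = sum(1 for hits in report.values()
                  for contributing in hits.values() if contributing & top)
    return covered / total if total else 0.0


def split_role(users, strong_role, replacement):
    """Remediation: remove a strong role and give each affected user one
    single-step role instead (replacement maps user -> role)."""
    remediated = {}
    for user, assigned in users.items():
        if strong_role in assigned:
            remediated[user] = (assigned - {strong_role}) | {replacement[user]}
        else:
            remediated[user] = set(assigned)
    return remediated


if __name__ == "__main__":
    before = analyse(USERS)
    print("violations before:", total_violations(before))
    print("roles by contribution:", rank_roles(before))
    print("share covered by top role: %.0f%%" % (100 * share_of_top(before, 1)))
    # Each former FI_ALL holder keeps only the single step they actually need.
    after = analyse(split_role(USERS, "FI_ALL",
                               {"alice": "VENDOR_ADMIN", "bob": "AP_CLERK", "carol": "TREASURY"}))
    print("violations after splitting FI_ALL:", total_violations(after))
```

In the constructed data the strong role alone accounts for nine of the ten violation instances, so splitting that one entity removes almost the whole volume, while the genuine multi-role conflict of the user holding both AP_CLERK and VENDOR_ADMIN remains and has to be handled individually (scope restriction, compensating control or acceptance), as the user-group strategies above describe.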
Do all SOD issues have the same potential impact?
No. There is a difference between the number of violations and the real risk associated with individuals who actually have wide access and SOD violations. The individual has to have the knowledge and experience to misuse the opportunity indicated by the number of SOD violations. The results of a KPMG study show that one characteristic of a typical fraudster is long-term employment of over 10 years [2], and Crowe Horwath’s fraud pentagon uses competence as one of the fraud prerequisites [1]. A good understanding of standard business processes acquired during long years of service, together with the necessary IT knowledge, makes the system owners and technical support teams of the critical systems the number one candidates with the ability and motivation to commit fraud if an opportunity is provided. The rise of modern matrix organisation structures and outsourcing strategies represents another potential risk area: the resulting increase in skilled individuals with the necessary competence poses a threat which should be treated with priority.
SOD tools help to identify, remediate or mitigate opportunities to commit fraud in critical enterprise systems. The opportunities given by specific authorisation combinations have to be defined in rules. The rules need to be assessed and evaluated first in the context of enterprise-specific processes. During the remediation itself the Pareto principle guides the focus to strong authorisation entities and to user groups with multiple authorisation entities. By the nature of their responsibilities, acquired competencies and granted opportunities, employees with extensive IT and business process knowledge represent the biggest SOD risk.
1. Crowe Horwath, Fraud Pentagon: http://www.crowehorwath.com/CroweFraudPentagon/
2. KPMG, Profile of a fraudster: http://www.kpmg.com/EU/en/IssuesAndInsights/Articlespublications/Pages/Profileofafraudster.aspx
3. Bunkley, Nick (March 3, 2008), “Joseph Juran, 103, Pioneer in Quality Control, Dies”, New York Times
4. What is 80/20 Rule, Pareto’s Law, Pareto Principle