Segregation of Duties Review Report
AGENDA
03 Project Overview
07 Lessons Learned
10 Remediation
16 Rollout Plan
PROJECT OVERVIEW
PROJECT STATUS
(Timeline figure; the slide's flowchart did not survive extraction. Milestones recoverable from it, roughly left to right, with a "We are here" marker on the current step: purchase segregation of duties tool; production hardware arrives; complete production certification of software; develop a communication plan and initiate communication; agree upon N.A. rulebook rules and definitions; engage external consulting and the external auditor for assistance; complete development system in environment; steering committee kick-off meeting; install customized rulebooks for the pilot; enter all rules; install a production system; initiate the violation review process with NABU support; create and agree upon the QA team with BPOs and BASIS; train the BPOs, project team and key members; conduct a second steering committee; initiate the violation review process with Fixed Assets (Location); SAP Fixed Assets configuration of rulebooks; create a post-pilot rollout plan; pilot project wrap-up; identify lessons learned and complete the knowledge transfer.)
VALUE-ADDED
SOX: THE LONG-TERM STRATEGY
Three stages: comply at all costs; basic control rationalization; detailed control rationalization and tool automation.
(Two bar charts, y-axis scales 0-100 and 0-60, by process area: Finance, Fixed Assets, Inventory, Order to Cash, Procure to Pay, General Controls. Bar values are not recoverable from the extraction.)
LESSONS LEARNED
LESSONS LEARNED (1/2)
LESSONS LEARNED (2/2)
ROLLOUT PROCESS AND REMEDIATION PLAN
ROLLOUT PROCESS AND REMEDIATION
Goals
ROLLOUT PROCESS
REMEDIATION PLAN (1/2)
REMEDIATION PLAN (2/2)
o Can the use of access on-demand resolve the issue? (To avoid the overuse of AoD, this should be one of the last considerations.)
− If the violation cannot be resolved with the questions above, a comprehensive mitigating control should be considered.
THINGS TO REMEMBER
Below are a few reminders as you roll out new rules and remediate the violations:
• Focus on high-risk SoDs first.
• Identify remediation that removes a large number of violations with a small number of changes.
• Upon initial rollout of a rulebook, hundreds or thousands of violations will be produced. Remediation and configuration changes will resolve a large portion initially, but the last few violations will be more difficult to clear.
• Avoid taking away access that will need to be granted again later.
• The IT and business organizations need to work together to move the project forward.
• Plan ample time with the business to determine corrective action and with SAP security to resolve role changes. Time will be important as you roll out further phases.
• Automatic alerts should eventually be turned on once remediation is complete for an individual area; consider alerts (and remediation) only for audit-related issues.
• A rule-naming convention should be agreed upon and used consistently.
• Ensure that the BPO and BPAs clearly understand what constitutes a risk. Consider involving IA/SOX or the ICS to resolve any confusion.
• Conflicts may exist across multiple SAP modules/functional areas. Although this was not encountered in the project, a plan should be created to address such issues.
ROLLOUT SCOPE AND TIMELINE
DETERMINING FACTORS FOR SCOPE
• European fixed asset contacts are the same as general ledger contacts, which will allow for an easy transition into the next phase.
• SAP Basis suggested using Legacy R/3 in the next phase, which will reduce overhead.
• Fixed Assets recommended including SAP EBP in the next phase, since it completes the end-to-end process in this area. In addition, the rule set for EBP is limited.
• ROI analysis: IT has the highest clearly identified ROI from a SOX/IA testing perspective.
• Risk factors have been determined.
RECOMMENDED NEXT WAVE
• The following modules and processes are recommended for the next phase of this project:
− SAP General Ledger: A shared services organization with a high ROI.
− Complete IT (SAP Security, superusers, etc.): The largest ROI currently identified for automating sensitive access and SoD checks.
− SAP EBP: A natural extension from fixed assets, as it utilizes many of the same players as well as a high ROI.
− What-If Analysis Process: Allows the creation of a preventive process to eliminate/reduce new violations to the
environment.
− Access On-Demand: Allows for additional access on a temporary basis.
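The what-if analysis and access on-demand items above, together with the remediation advice under "Things to remember" (focus on high-risk SoDs first; find the few changes that clear the most violations), can be illustrated with a small rulebook check. The Python below is an added example written for this page; it is not the review project's tool, nor SAP or any vendor's code. The rule IDs, the Z_ role names, the functions those roles grant and the user assignments are all constructed for illustration, and the rule-naming convention it uses (area prefix plus number) is an assumption, not the convention the project agreed on.

```python
"""Segregation-of-duties (SoD) rulebook check with what-if analysis and
remediation ranking. Added example for this page; not the project's tool.
All rule IDs, roles, functions and users below are constructed."""
from collections import defaultdict

# Constructed rulebook: rule ID -> risk level and the pair of conflicting
# business functions. Rule IDs follow an assumed <AREA>-<NN> convention.
RULEBOOK = {
    "FA-01":  {"risk": "high",   "conflict": ("CREATE_ASSET", "POST_DEPRECIATION")},
    "P2P-01": {"risk": "high",   "conflict": ("CREATE_VENDOR", "PAY_VENDOR")},
    "P2P-02": {"risk": "medium", "conflict": ("CREATE_PO", "APPROVE_PO")},
}

# Constructed SAP-style roles and the functions each one grants.
ROLE_FUNCTIONS = {
    "Z_FA_CLERK":  {"CREATE_ASSET"},
    "Z_FA_CLOSE":  {"POST_DEPRECIATION"},
    "Z_FA_ALL":    {"CREATE_ASSET", "POST_DEPRECIATION"},  # conflict inside one role
    "Z_AP_MASTER": {"CREATE_VENDOR"},
    "Z_AP_PAY":    {"PAY_VENDOR"},
    "Z_PUR_BUYER": {"CREATE_PO"},
    "Z_PUR_MGR":   {"APPROVE_PO"},
}

# Constructed user-to-role assignments (what an access extract would contain).
USER_ROLES = {
    "alice": {"Z_FA_CLERK", "Z_FA_CLOSE"},
    "bob":   {"Z_AP_MASTER", "Z_AP_PAY", "Z_PUR_BUYER"},
    "carol": {"Z_FA_ALL"},
    "dave":  {"Z_PUR_BUYER", "Z_PUR_MGR"},
    "erin":  {"Z_FA_CLERK", "Z_FA_CLOSE", "Z_AP_MASTER"},
}


def functions_for(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the functions reachable through a set of roles."""
    funcs = set()
    for role in roles:
        funcs |= role_functions.get(role, set())
    return funcs


def violations(roles, rulebook=RULEBOOK):
    """Return {rule_id: risk} for every rule whose conflicting functions
    are both reachable from the given roles (detective check)."""
    funcs = functions_for(roles)
    return {rid: rule["risk"] for rid, rule in rulebook.items()
            if set(rule["conflict"]) <= funcs}


def all_violations(user_roles=USER_ROLES):
    """Violations per user, omitting users with none."""
    result = {}
    for user, roles in user_roles.items():
        found = violations(roles)
        if found:
            result[user] = found
    return result


def what_if(user, new_role, user_roles=USER_ROLES):
    """Preventive check: rules that granting new_role would newly violate.
    Violations the user already has are not reported again; an unknown
    user is treated as having no roles yet."""
    current = user_roles.get(user, set())
    before = violations(current)
    after = violations(current | {new_role})
    return {rid: risk for rid, risk in after.items() if rid not in before}


def remediation_candidates(user_roles=USER_ROLES):
    """Rank single-role removals by the violations they would clear across
    all users, high-risk first, so the few changes with the largest effect
    are considered before the long tail of one-off fixes."""
    impact = defaultdict(lambda: {"high": 0, "total": 0, "users": []})
    for user, roles in user_roles.items():
        before = violations(roles)
        if not before:
            continue
        for role in roles:
            after = violations(roles - {role})
            cleared = {rid: risk for rid, risk in before.items() if rid not in after}
            if cleared:
                impact[role]["total"] += len(cleared)
                impact[role]["high"] += sum(1 for r in cleared.values() if r == "high")
                impact[role]["users"].append(user)
    return sorted(impact.items(),
                  key=lambda kv: (-kv[1]["high"], -kv[1]["total"], kv[0]))


if __name__ == "__main__":
    for user, found in all_violations().items():
        print(user, found)
    print("what-if bob + Z_PUR_MGR:", what_if("bob", "Z_PUR_MGR"))
    for role, info in remediation_candidates():
        print(role, info)
```

The ranking only counts violations cleared; whether a role can actually be taken away is the business decision the "Things to remember" list warns about (do not remove access that will have to be granted again), and a violation that no acceptable role change clears is the case for a mitigating control in the remediation plan. The what-if check is the preventive step the next-wave list describes: run it before a grant is approved rather than after the next rulebook run finds the conflict.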
ROLLOUT PLAN
(Timeline figure; steps in order as recovered from the slide:)
• Hire an internal controls strategist (see Slide 23).
• Initiate Phase 1 rollout: fixed assets and SAP Basis remediation.
• Complete all remediation for Phase 1.
• Work on process improvement and ROI opportunities with IA/SOX.
• Initiate Phase 2 kickoff: AP, AR and consolidations.
• Initiate the remediation of Phase 2.
• Complete Phase 2 remediation.
• Initiate Phase 3 rollout: PR, MM and HR.
• Complete Phase 3 remediation.
NEXT STEPS
COMMON ISSUES DURING IMPLEMENTATION
• Issue: Implementing a compliance tool is treated as a technology project. Recommendation: Effective implementation requires business process owner support to design, respond to exceptions and build the tool into ongoing processes.
• Issue: The rulebooks do not reflect business rules/controls. Recommendation: Understand business rules and information requirements before configuring rulebooks.
• Issue: The process infrastructure is not defined or considered. Recommendation: Tool implementation requires the definition of processes, procedures or guidelines to use, own and maintain the application. The security monitoring framework must embrace the tool.
• Issue: The project is not synchronized with the SOX control and testing strategy. Recommendation: Understand SOX requirements prior to configuring the rulebooks and link them to the SOX control objectives.
• Issue: Key owners, potential users, internal audit and SOX leaders are not involved in the design and implementation phases. Recommendation: Owners, users, internal audit and SOX leadership should be part of the design and implementation activities to ensure that the best possible decisions are made for the entire company.
ROLLOUT ASSUMPTIONS
• Assume that the rollout schedule will start four months from today.
• Ignore organizational changes.
• Complete the 20XX phase even if it means slightly reducing scope or adding resources.