This document elaborates the SoD Management Process that is a key part to reduce Segregation of Duty (SoD) conflicts in a company. In fact SoD is a key contributor for fraud activities within an organization and hence to achieve seamless compliance (e.g. SOX) it is absolutely necessary to follow a straight process.
The SoD Managment Process has six single steps that need to be completed one after one. Each step has its own outcome that you have to achieve before proceeding with the next.
| Steps | Description |
|---|---|
 | Gather a list of applicable SOD conflicts that allow fraud or generate significant errors. The outcome of this step is that your business has determined what is an unacceptable risk that they want to report on and manage wia remediation or mitigation. Helpful documents: |
 | Build the rule set based on the recognized risks from step 1. The outcome of this step is the technical rule set to analyze the user and/or role assignments. Helpful documents: |
 | Analyze the SoD output. This can be performed with the help of SAP GRC Access Control. In case of manual analysis, for each user, analyze if he/she has the access to perform any of the conflicting functions defined in step 1. The outcome is basically to provide the business insight to alternatives for correcting or eleminating discovered risks. Helpful documents: |
 | In this step, evaluate if the conflicting tasks can be performed by an alternate person. If so, role changes and/or user reassignments can be performed to segregate duties properly. The outcome must be a very low number of remaining risks that need mitigation. Helpful documents: |
 | If it would not be possible to remediate the existing conflicts, consider formulating an appropriate control to mitigate the risk. This would typically entail working with the business to setup additional monitoring procedures that ensure to compensate the risk. The outcome must be no remaining risks. Helpful documents: Internal Controls - a step towards strong controls Defining Mitigating Controls / Compensating Controls |
 | Finally, establish a new continuous process wherein every access request is reviewed against the SoD conflict matrix prior to provisioning on the system. Also make sure that all role changes must be analyzed and remediated before implementing. The outcome, and also final result, your system remains clean.
|
Best regards,
alessandr0 & m.lee
