Identifying Segregation of Duties Issues in a PeopleSoft Environment

1
Identifying Segregation of Duties Issues in a
PeopleSoft Environment
  • Central Ohio Chapter
  • Information Systems Audit and Control Association
  • February 8, 2007

2
Your Presenters
  • Brian O'Brien
  • Manager - Data Security
  • 10 years of PeopleSoft experience with Ohio
    State's 1,300 user HRMS and 2,400 user Financials
    environments
  • Pat O'Connor
  • Senior Systems Engineer
  • Ohio State's leading technical security expert,
    has 8 years of PeopleSoft experience, ranging
    from configuration management and control to
    security administration

3
Overview
  • We have created a process for
  • Defining,
  • Identifying and
  • Reporting
  • Segregation of Duties issues.

4
Ohio State's Environment
  • 7 Campuses
  • 58,000 Students
  • 35,000 Employees
  • $3 Billion Budget
  • 300,000 Alumni

5
Database Environment
  • Oracle9i Release 9.2.0.5.0 - 64bit
  • HP Hardware HP-UX 11.0 N Class
  • Over 50 PeopleSoft Databases

6
Ohio State and PeopleSoft
HRMS: App 8.00.01, Tools 8.18.07
  • Benefits Admin
  • Time and Labor
  • Payroll
  • eRecruit
  • eProfile
  • Flexible Spending
Financials University: App 8.42.01, Tools 8.45.07
  • Asset Management
  • Accounts Payable
  • General Ledger
  • Budgeting
  • Inventory
  • Purchasing
  • Grants Suite
Financials Medical Center: App 8.42.01, Tools 8.45.07
  • Inventory
  • eProcurement

7
Where We're Headed
  • Student Admin 8.9
  • Enterprise Performance Management (EPM)
  • Upgrade HRMS 8.0 -> 8.9
  • eProcurement Module
  • Financials 8.42 -> 8.9

8
Identifying Segregation of Duties Issues
  • What Duties Should be Segregated?
  • Identify the Duties in PeopleSoft
  • Building the SoD Reports

9
What is Segregation of Duties?
  • no single individual should have control over
    two or more phases of a transaction or operation
  • (University of Utah Department of Internal Audit
    Identify the Duties)
  • no one individual employee can complete a
    significant business transaction in its entirety
  • (UCSD Audit Management Advisory Services)

10
Examples of Segregation of Duties?
  • Those responsible for physical receipt of goods
    should not be responsible for paying for the
    goods.
  • Those responsible for custody of goods
    should not be responsible for maintaining the
    records of the assets.
  • Those responsible for collection of receivables
    should not be responsible for entries in the book
    of accounts.
  • Source: Sawyer's Internal Auditing,
    5th Edition, page 1198

11
Recent Ohio State Experience
  • Ex-OSU worker charged in $312,000 theft
  • The Columbus Dispatch, Thursday, March 30, 2006
  • job allowed him not only to tally and submit
    the payroll in his department, but also to hand
    out the checks.
  • He would prepare the payroll, submit the payroll
    and distribute the checks, O'Brien said

12
What Duties Should be Segregated?

Purchase an Item
  • PO Initiator
  • PO Approver
  • PO Receiver

13
What Duties Should be Segregated?
  • Web Searches
  • HEUG Contacts
  • Ohio State's Internal Auditors

14
What Duties Should be Segregated?
  • Financial Duties
  • Requisition Initiator
  • Requisition Approver
  • P.O. Initiator
  • P.O. Approver

15
Identify the Duties in PeopleSoft
  • Identify the Security Controls
  • Page Access (not Role)
  • Operator Preferences
  • Table Data Values
  • End Result is a SQL query
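
Added example (not part of the original presentation, and not the presenters' query): one way the "duty = page access plus operator preference, end result is a SQL query" idea can be written down. The tables, page names, preference name and rows are constructed stand-ins in generic SQL (multi-row INSERT as in PostgreSQL or SQLite), not PeopleSoft's schema or Ohio State data.

```sql
-- Constructed stand-in tables and rows; not PeopleSoft's schema or real data.
CREATE TABLE user_page_access (
  userid      VARCHAR(30),
  page_name   VARCHAR(30),   -- hypothetical page names
  can_update  CHAR(1),       -- 'Y' = add/update, 'N' = display only
  granted_via VARCHAR(30)    -- role that confers the page (never queried)
);
CREATE TABLE user_preference (
  userid VARCHAR(30), pref_name VARCHAR(30), pref_value CHAR(1)
);
CREATE TABLE duty_conflict (duty_a VARCHAR(30), duty_b VARCHAR(30));

INSERT INTO user_page_access VALUES
  ('ALICE', 'PO_ENTRY',    'Y', 'BUYER'),
  ('ALICE', 'PO_APPROVAL', 'Y', 'DEPT_MANAGER'),
  ('BOB',   'PO_ENTRY',    'Y', 'BUYER'),
  ('BOB',   'PO_APPROVAL', 'N', 'INQUIRY'),
  ('CAROL', 'PO_APPROVAL', 'Y', 'DEPT_MANAGER'),
  ('CAROL', 'PO_RECEIPT',  'Y', 'RECEIVING'),
  ('DAVE',  'PO_ENTRY',    'Y', 'BUYER'),
  ('DAVE',  'PO_APPROVAL', 'Y', 'DEPT_MANAGER');
INSERT INTO user_preference VALUES
  ('ALICE', 'PO_APPROVE_ALLOWED', 'Y'),
  ('CAROL', 'PO_APPROVE_ALLOWED', 'Y'),
  ('DAVE',  'PO_APPROVE_ALLOWED', 'N');
INSERT INTO duty_conflict VALUES
  ('PO Initiator', 'PO Approver'),
  ('PO Initiator', 'PO Receiver'),
  ('PO Approver',  'PO Receiver');

-- A duty is the combination of controls that lets a user perform it.
CREATE VIEW user_duty AS
SELECT userid, 'PO Initiator' AS duty FROM user_page_access
 WHERE page_name = 'PO_ENTRY' AND can_update = 'Y'
UNION
SELECT a.userid, 'PO Approver' FROM user_page_access a
  JOIN user_preference p ON p.userid = a.userid
 WHERE a.page_name = 'PO_APPROVAL' AND a.can_update = 'Y'
   AND p.pref_name = 'PO_APPROVE_ALLOWED' AND p.pref_value = 'Y'
UNION
SELECT userid, 'PO Receiver' FROM user_page_access
 WHERE page_name = 'PO_RECEIPT' AND can_update = 'Y';

-- SoD report: users holding both sides of a conflicting pair.
SELECT d1.userid, c.duty_a, c.duty_b
  FROM duty_conflict c
  JOIN user_duty d1 ON d1.duty = c.duty_a
  JOIN user_duty d2 ON d2.duty = c.duty_b AND d2.userid = d1.userid
 ORDER BY d1.userid, c.duty_a;
```

On the constructed rows the report lists ALICE (initiator and approver, through two different roles) and CAROL (approver and receiver). BOB and DAVE are not listed because display-only access and a disabled preference do not amount to the approver duty.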

16
Build the SoD Reports
  • Sample Reports
  • Creation Process
  • Create the SQL Program
  • Create a Formatted Spreadsheet
  • Paste the SQL Output to a Spreadsheet

17
Build the SoD Reports
  • Sample Reports
  • Procurement SoD Reports
  • Workflow by User by Organization
  • Counts by Departments
  • Procurement Without SoD by Money Value
  • Reverse Hill-Climber

18
Build the SoD Reports
  • Sample Reports
  • Delivery Mechanisms
  • Enterprise Web Based
  • Email
  • Hard Copies

19
Questions?
20
Contacts
  • Brian O'Brien
  • Manager, Data Security
  • Office of Information Technology
  • The Ohio State University
  • E-mail: obrien.9_at_osu.edu
  • Patrick O'Connor
  • Sr. Systems Engineer
  • Office of Information Technology
  • The Ohio State University
  • E-mail: oconnor.33_at_osu.edu