Effectively Using SAP SOD Analysis to Meet Audit Needs

1
(No Transcript)
2
Segregation of duties (SOD) is a potent weapon
in the fight against fraud, equipping businesses
with robust internal controls. In this article,
we explore the importance of SOD in fraud
prevention and present real-life examples of its
effective implementation. Discover how
organizations have leveraged SOD to safeguard
their assets, reputation, and operational
integrity, reinforcing trust and resilience in
the face of evolving fraudulent threats.
In todays complex business environment,
organizations depend on robust internal controls
to maintain compliance, mitigate risk, and
protect operations. Companies using SAP (Systems,
Applications, and Products) systems must meet
audit requirements and maintain SAP Segregation
of Duties (SOD). The purpose of this blog is to
share some real-life examples of how SAP SOD
analysis can be used to address audit needs in an
effective manner.
3
Understanding SAP SOD Analysis
The concept of segregation of duties refers to
the separation of key duties and responsibilities
among multiple individuals to avoid fraudulent
activities, errors, or unapproved access. An SAP
SOD analysis is an essential internal control
activity that helps organizations identify and
mitigate the risks associated with conflicting or
incompatible user authorizations. It protects
against fraud or unauthorized activity by
preventing a single person from having a
combination of activities.
4
The Significance of SAP SOD Analysis
Regulatory Compliance Compliance with industry
regulations and legal requirements is a
fundamental aspect of any organization. SAP SOD
analysis assists in meeting regulatory demands
such as the Sarbanes-Oxley Act (SOX),
International Financial Reporting Standards
(IFRS), Health Insurance Portability and
Accountability Act (HIPAA), and others.
One notable case in Singapore is the SingHealth
cyber-attack that occurred in 2018. SingHealth,
the countrys largest healthcare group, suffered
a sophisticated cyber-attack where hackers gained
unauthorized access to its IT systems. This
breach compromised the personal data of
approximately 1.5 million patients, including
their names, addresses, and National Registration
Identity Card (NRIC) numbers. This incident
highlighted the critical need for robust
cybersecurity measures and effective access
controls within the healthcare sector. Read
through the Medium report on this case.
5
While the incident is not directly involved
with the Segregation of Duties, it is crucial to
implement robust security measures and adhere to
strict access controls. The incident happened due
to multiple failures and weak maintenance of the
system security. By conducting thorough SOD
analysis, organizations can ensure that access to
patient records is appropriately restricted,
limiting the possibility of unauthorized access
and reducing the risk of data breaches. SAP SOD
analysis helps identify conflicts in user
authorizations within the healthcare system, such
as a single user having both the ability to view
patient records and modify them. By addressing
these segregation conflicts through appropriate
mitigating measures, such as separating the
duties of viewing and modifying patient data
between different individuals, organizations can
enhance the security and privacy of healthcare
data.
6
Fraud Prevention
Fraudulent activities can lead to significant
financial losses and reputational damage. By
conducting SAP SOD analysis, organizations can
proactively detect and prevent fraud by
identifying segregation conflicts that could be
exploited for malicious purposes. Consider a
manufacturing company where an employee with both
procurement and payment authorization can create
fictitious purchase orders and approve them for
payment without detection. SAP SOD analysis would
identify this conflict, prompting the
organization to implement proper controls to
prevent such fraudulent activities. One notable
real-life case involving fraud prevention through
segregation of duties is the Wells Fargo
unauthorized accounts scandal that came to light
in 2016. Wells Fargo, one of the largest banks in
the United States, faced significant scrutiny and
legal repercussions for the creation of
unauthorized accounts by its employees.
7
In this case, it was discovered that Wells Fargo
employees, driven by aggressive sales goals and
incentives, opened millions of unauthorized bank
and credit card accounts in the names of existing
customers without their knowledge or consent.
This fraudulent activity allowed employees to
meet sales targets and earn bonuses. To address
this issue and prevent similar fraud in the
future, Wells Fargo implemented robust
segregation of duties controls. The bank
redefined and separated key responsibilities
within their sales and account management
processes. They introduced checks and balances to
ensure that no single employee had the ability to
both create and authorize new accounts.
8
Under the new system, different employees were
assigned specific roles, such as customer
inquiries, account creation, and account
approval. This segregation of duties reduced the
opportunity for employees to manipulate the
system, ensuring that new accounts were only
created with proper authorization and customer
consent. By implementing effective segregation
of duties controls, Wells Fargo aimed to enhance
transparency, prevent unauthorized activities,
and restore trust among customers and
stakeholders. This case serves as a reminder of
the importance of implementing strong internal
controls, such as segregation of duties, to
prevent fraudulent activities and protect the
interests of both the organization and its
customers.
9
Risk Mitigation
Effective risk management is essential for the
sustainable growth of any organization. SAP SOD
analysis provides a comprehensive view of access
controls, enabling companies to identify and
mitigate risks associated with unauthorized
activities, data breaches, and system
vulnerabilities. For instance, a financial
institution can use SAP SOD analysis to identify
conflicts that may allow a single user to
initiate and approve high-value transactions,
potentially leading to embezzlement. By
eliminating or mitigating such segregation
conflicts, the organization protects its
financial assets.
10
Operational Efficiency
Optimizing user access privileges through SAP
SOD analysis helps streamline business processes.
By aligning user authorizations with job
responsibilities, organizations can enhance
operational efficiency, reduce errors, and
improve productivity.
For example, in a retail company, SAP SOD
analysis can identify conflicts where the same
user has both inventory management and purchasing
authorization, leading to potential inventory
discrepancies or unauthorized purchases. By
resolving these conflicts, the organization
ensures accurate inventory management and
prevents financial losses.
11
Here is how you can implement an effective
Segregation of Duties in SAP

• Conduct a Comprehensive Analysis Utilize
  specialized SAP SOD analysis tools such as SAP
  GRC Access Risk Analysis, ToggleNows Verity or
  engage experts who can perform a detailed
  examination of user authorizations and identify
  the existing segregation of duties. SoD Analyzer
  tools utilizes pre-defined rule sets that can
  identify the existing risks at the user and role
  level within no time.

12
Define Roles and Responsibilities

• Establish well-defined roles and responsibilities
  within the organization. Clearly define job
  functions and document the corresponding
  authorization requirements. For instance, clearly
  outline the access rights required for positions
  like finance manager, HR manager, or system
  administrator. Further, it is recommended to make
  task based roles that are grouped at the job
  profile level. ToggleNow has experience creating
  roles that are 90 free from Segregation of
  Duties.

Read more here
13
Contact us
Level 2-4, 49, Shakthi Nilayam, Silicon Valley
Society, Madhapur, Hyderabad 500084, India