Sensitive access and Segregation of Duties made easy

March 31, 2011 by
Filed under: Continuous Monitoring, General, Internal Control

Systems of internal control consist of many different kinds of controls. Usually we distinguish manual controls, IT-dependent controls (such as system reporting combined with manual review) and IT application controls. The latter are typically system customization settings: once enabled, they are effective by nature because the system itself enforces them. In a way, a proper setup of authorizations using role-based access control can also be regarded as an application control.

Roles and profiles in SAP, or Responsibilities and Functions in Oracle EBS, are used at a granular level to authorize people to perform business functions. Some of these are sensitive in nature, such as preparing a payment run, changing employee master data records or posting manual journal entries. Others are less sensitive, but only as long as they are not combined with other business functions. Having access to change vendor bank account details and at the same time having access to post invoices (accounts payable) constitutes what is typically referred to as a Segregation of Duties conflict. A person could change the bank account number of a vendor to his/her own bank account number and post a payable invoice to that vendor... in essence a fraudulent action.

Segregation of Duties
In traditional Internal Control literature, Segregation of Duties is a primary control measure to prevent fraud (and errors). Nowadays much of the Segregation of Duties is enforced by application controls, so it is very important to periodically (e.g. quarterly) review the current setup of your ERP system to make sure conflicting functions are not possible, thereby effectively preventing fraud or misuse.
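The periodic review described above can be sketched as a rule check over role assignments. This is an added example, not BWise product logic or part of the original post; the role names, function names, users and rule set are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: every role, function and user name is hypothetical.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"POST_VENDOR_INVOICE"},
    "VENDOR_MAINT": {"CHANGE_VENDOR_BANK"},
    "AP_SUPERVISOR": {"POST_VENDOR_INVOICE", "PREPARE_PAYMENT_RUN"},
    "GL_ACCOUNTANT": {"POST_MANUAL_JOURNAL"},
    "AP_ALL": {"CHANGE_VENDOR_BANK", "POST_VENDOR_INVOICE"},  # conflict inside one role
}
USER_ROLES = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_CLERK", "VENDOR_MAINT"],
    "carol": ["VENDOR_MAINT", "GL_ACCOUNTANT"],
    "dave": ["AP_SUPERVISOR", "VENDOR_MAINT"],
    "erin": ["AP_ALL"],
}
# The conflict pair and two of the sensitive functions named in the post.
SOD_RULES = [("CHANGE_VENDOR_BANK", "POST_VENDOR_INVOICE")]
SENSITIVE = {"PREPARE_PAYMENT_RUN", "POST_MANUAL_JOURNAL"}

def effective_access(roles):
    """Map each function a user can perform to the roles that grant it."""
    granted = defaultdict(set)
    for role in roles:
        for fn in ROLE_FUNCTIONS.get(role, ()):
            granted[fn].add(role)
    return granted

def review(user_roles=USER_ROLES):
    """Return (conflicts, sensitive) findings, each with the granting roles."""
    conflicts, sensitive = [], []
    for user, roles in sorted(user_roles.items()):
        granted = effective_access(roles)
        for a, b in SOD_RULES:
            if a in granted and b in granted:  # both halves of the pair held
                via = {a: sorted(granted[a]), b: sorted(granted[b])}
                conflicts.append({"user": user, "rule": (a, b), "via": via})
        for fn in sorted(SENSITIVE.intersection(granted)):
            sensitive.append((user, fn, sorted(granted[fn])))
    return conflicts, sensitive

if __name__ == "__main__":
    found, sens = review()
    for c in found:
        print("SoD conflict:", c["user"], c["rule"], "via", c["via"])
    for user, fn, roles in sens:
        print("Sensitive access:", user, fn, "via", roles)
```

Recording the granting roles with each finding shows whether remediation means removing a role from the user or splitting a role that already contains both functions.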

Part of the BWise Continuous Monitoring Suite is the Segregation of Duties Monitor, which is fully integrated in the BWise GRC suite. It helps you manage your system authorizations by providing direct insight into the number of conflicts, the sensitive access assigned to users and the trend in remediation of incorrect authorization assignments, for both SAP and Oracle EBS. The system is prepackaged with best-practice definitions of sensitive access for both SAP and Oracle and is very easy to use. No interfaces to any of the ERP systems are required, and the system offers advanced reporting capabilities.

Some of the primary characteristics:
  • Compatible with Oracle EBS 11 and up or SAP 4.6c and up;
  • Includes an advanced set of Best Practice analyses on SOD and Sensitive Access for SAP and Oracle;
  • Template reporting;
  • Direct drill down capabilities in dashboards;
  • Detailed insight into the reason for each SOD conflict (Roles/Profiles/Responsibilities/Functions etc.);
  • Fully integrated with BWise GRC Suite;
  • No client software required and analysis can be performed remotely.

Please contact us for more information.

Tags: BWise, Continuous Monitoring, Internal Control
