Segregation of Duties
The main elements required for fraud are motivation and opportunity. Accordingly, the best opportunity a company can offer a fraudster is weak or nonexistent Segregation of Duties (SoD). SoD is a critical internal control aimed at limiting opportunities for abuse by a single person, such as requiring two signatures on a check or separating the creation and approval of sensitive transactions. In today’s automated business processes, SoD is enforced through business applications and ERPs, making breakdowns in these controls difficult to detect. SoD conflicts caused by insufficient staffing create the physical inability to properly segregate duties, and are worsened by poor or missing controls, such as the segregation of authorization and approval, or budgeting and actual reconciliation.
CaseWare™ Analytics SoD Monitoring
CaseWare Analytics enables a holistic approach to monitoring segregation of duties, giving a bird’s eye view of all applications. This ensures that user authorizations are properly compartmentalized regardless of the business application, and as a secondary benefit, provides assurance that interfaces between different systems and business operations are working correctly. The CaseWare Analytics platform is an open framework and not application specific, so it can easily adapt to business process changes. Notifications and workflow management are built into the platform, ensuring that issues receive proper attention and their resolutions can be managed.
- 360° View
Within a common portal, all stakeholders can examine SoD holistically across the enterprise, allowing for greater transparency and fraud prevention.
- Reduce SoD Risk
Automated monitoring of SoD controls immediately recognizes violations and sends notifications to relevant personnel to ensure that the organization is not negatively impacted.
- Evaluate transactional data against control settings
- Identify where custom transactions or programs may be inadvertently bypassing standard system controls
- Compare application control settings to control tables to identify potential changes
- Identify excessive use of system override
- Identify program changes not appearing on change control logs
- Compare key program or file size, timestamps, and other characteristics to a control table to identify instances where a change has occurred
- Evaluate emergency change frequency by user, application, department, etc.
Application & System Security
- Extract security rules and independently verify SoD
- Once potential SoD issues are identified, determine whether the conflicting rights were actually exploited
- Examine the user IDs associated with specific transactions to determine whether SoD violations have occurred (e.g. initiator = approver)
- Identify where users with the same role have different access rights
- Highlight users with powerful profiles / responsibilities
- Identify user profile / responsibility changes made immediately prior to or shortly after an audit
- Identify concurrent logins of the same ID
- Look for patterns of failed access attempts to key users (CEO, CFO, Payroll, etc.)
- Analyze master data for missing information
- Identify inconsistencies in data input
- Detect duplicate records
- Assess data for suspicious or erroneous entries (e.g., description fields with less than 2 characters input)
- Stratify quality metrics by employee to identify training opportunities
- Identify outdated or unused information
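As an added illustration, not CaseWare code, three of the user-level checks listed under Application & System Security (initiator = approver, users with the same role holding different rights, and concurrent logins of the same ID) written in Python over constructed sample records; the user names, role names and right names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data (not from any real system); all names are hypothetical
TRANSACTIONS = [
    {"id": "PO-1001", "initiator": "alice", "approver": "bob"},
    {"id": "PO-1002", "initiator": "carol", "approver": "carol"},  # self-approval
    {"id": "PO-1003", "initiator": "dave", "approver": "bob"},
]
USER_RIGHTS = {  # user -> (role, rights granted in the application)
    "alice": ("AP_CLERK", {"create_po"}),
    "carol": ("AP_CLERK", {"create_po", "approve_po"}),  # more than her role peers
    "dave": ("AP_CLERK", {"create_po"}),
    "bob": ("AP_MANAGER", {"approve_po"}),
}
LOGINS = [  # (user, session start, session end) as minutes since midnight
    ("bob", 540, 600), ("bob", 570, 630),  # overlapping sessions for one ID
    ("alice", 540, 600), ("alice", 610, 700),
]

def self_approvals(transactions):
    """IDs of transactions where the initiator is also the approver."""
    return [t["id"] for t in transactions if t["initiator"] == t["approver"]]

def role_drift(user_rights):
    """Users holding rights beyond those shared by everyone in the same role."""
    by_role = defaultdict(list)
    for user, (role, rights) in user_rights.items():
        by_role[role].append((user, rights))
    drift = {}
    for members in by_role.values():
        # Baseline for the role = rights every member of that role has
        baseline = set.intersection(*(rights for _, rights in members))
        for user, rights in members:
            extra = rights - baseline
            if extra:
                drift[user] = sorted(extra)
    return drift

def concurrent_logins(logins):
    """Users with two sessions of the same ID open at the same time."""
    by_user = defaultdict(list)
    for user, start, end in logins:
        by_user[user].append((start, end))
    flagged = set()
    for user, sessions in by_user.items():
        sessions.sort()  # order by start time, then compare neighbours
        for (_, prev_end), (start, _) in zip(sessions, sessions[1:]):
            if start < prev_end:
                flagged.add(user)
    return sorted(flagged)
```

Run against real exports, the same three functions would take the transaction, authorization and login extracts from the ERP in place of the constructed lists.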