Shooting The Moving Target…… Internal Controls & Segregation of Duties (SOD) Session Code: 503 Jasvir Gill, Virsa Systems Donnie Looper, Eastman Chemical.


1 Shooting The Moving Target…… Internal Controls & Segregation of Duties (SOD) Session Code: 503 Jasvir Gill, Virsa Systems Donnie Looper, Eastman Chemical Company Kathy Landers, Rockwell Collins

2 Goals of this session:
– Typical SOD Scenario
– Key SOD/Controls Challenges
– SOD a Moving Target
– SOD/Controls Solutions
– Ongoing SOD/Controls Compliance
– Questions

3 Cartoon of the four parties: Users, Auditors, Management and the Security/Controls Team. Speech bubbles: "I need SAP_ALL", "Why don't you let me do my job?", "Damn it!! I need XK01 now! ASAP!!!" (users demanding access; SAP_ALL is the profile that grants every authorization in the system, XK01 is the create-vendor transaction), and "Violating so many controls? This is ugly ...", "Why can't you ever get your act together??" (auditors and management complaining to the security/controls team).

4 Typical SOD Scenario:
– Security implemented as an afterthought
– Lack of time to address SOD/Controls right from the outset
– Lack of understanding (and a tendency to avoid the issue) results in generous authorizations and more SOD conflicts

5 Typical SOD Scenario (continued):
– External auditors run utilities and report SOD issues (mostly low-hanging fruit)
– Security team's common defense: the situation is not as bad once you look at the authorization object level
– A few action items to satisfy management

6 Typical SOD Scenario (continued):
– Most fixes are point fixes to individual authorization objects (S_TABU_DIS, S_PROGRAM, ...)
– No preventive SOD maintenance
– Companies waste large sums on expensive audits and consultants
– The problems and issues just don't go away

7 Common Misconceptions:
– "We trust our employees"
– "Our system is clean" (our programs and tables are protected, and the password is 5 characters!)
– "We have external audits every year"
– "We are different and we have no risk"
– "We don't have time/resources to worry about SOD yet; we will handle it later"

8 Common Challenges:
Defining (finding) good SOD rules
– Significant effort to build and customize
– SOD at authorization object level (too many permutations and combinations)
Defining and documenting mitigating controls
– Mitigating control approvers
– Mitigating control monitors
– Mapping to users/roles and SOD rules

9 Common Challenges (continued):
Ad hoc or home-grown solutions
– Incomplete functionality
– Not fully automated
– Don't work with online data
– Can't keep pace with SAP
SAP security is complex
Poor training
– Authorizations made "difficult"
– SOD/Controls made "difficult"

10 Chart: cost of resolving an SOD issue plotted against project phase (Definition, Development, Testing, Production), with the players involved at each phase (Role Owner, Security Admin, End Users, Auditors). Most clients detect SOD issues only in Production, where the risk of fraud sits. The later you resolve the problem, the costlier it will be.

11 Key Challenge: SOD a Moving Target
Constantly changing:
– Roles
– User access
– SOD rules
– Mitigating controls
– SAP releases (3.1I ... 4.7)
– New modules (e.g. HR)
– Laws and regulations

12 SOD/Controls Solutions:
Well-designed process and strategy
– Rule building/upgrade methodology
– Security/Controls process reengineering: who will define mitigating controls, and who will approve and monitor them
– Proactive SOD checks during user access and role changes
– Training for all players, including role owners

13 SOD/Controls Solutions (continued):
SOD/Audit tool
– Comprehensive functionality and reports
– Complete automation (including simulation)
– Analysis on live data (including SU24 check indicators, i.e. which authorization objects a transaction actually checks)
– Analysis at the earliest phase possible
– Appropriate change management capabilities (e.g. for rules) and access levels

14 SOD/Controls Solutions (continued):
SOD/Audit tool
– Collaborative features (for all key players)
– Reports that give the complete inside picture
– Elimination of all issues in one cycle
– Analysis at user, role, profile, composite role, job and position level
– Easy to maintain and use

15 SOD/Controls Solutions (continued):
Additional features/functionality
– Automated rule building
– Automated rule upgrades
– Supplementary analysis
– Complementary utilities, e.g. validate controls
– Dynamic rule selection for analysis
– Negative SOD testing

16 Ongoing SOD/Controls Compliance:
Simulation ("what if" scenarios)
– Must be real time, online, with live data
– Fully automated
– For all changes (roles, users, profiles, etc.)
– Available in all environments, and across environments
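Slides 8, 13 and 16 describe the moving parts an SOD tool has to keep in step: rules expressed as pairs of conflicting business functions, user access resolved through roles, mitigating controls mapped to a specific user and rule, and a "what if" simulation run before a role assignment goes in. The following Python sketch is an added example that is not part of the presentation or of any Virsa product; it implements those four pieces at transaction-code level over constructed sample data (the role names, users, control ids and the two-rule rule set are made up for illustration; the transaction codes themselves are real SAP codes).

```python
from dataclasses import dataclass

# Constructed sample data. Business functions are sets of SAP transaction
# codes; an SOD rule names two functions one person must not hold together.
FUNCTIONS = {
    "VENDOR_MASTER":  {"XK01", "XK02", "FK01", "FK02"},
    "VENDOR_PAYMENT": {"F110", "F-53"},
    "PURCHASE_ORDER": {"ME21N", "ME22N"},
    "GOODS_RECEIPT":  {"MIGO"},
}

RULES = {
    "P001": ("VENDOR_MASTER", "VENDOR_PAYMENT"),  # create a vendor, then pay it
    "P002": ("PURCHASE_ORDER", "GOODS_RECEIPT"),  # order goods, then confirm receipt
}

# Hypothetical roles and their transaction codes, and hypothetical users.
ROLES = {
    "Z_AP_CLERK":    {"FK01", "FK02", "FB60"},
    "Z_AP_PAYMENTS": {"F110", "F-53"},
    "Z_BUYER":       {"ME21N", "ME22N", "ME23N"},
    "Z_WAREHOUSE":   {"MIGO"},
}

USERS = {
    "ALICE": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},  # carries a P001 conflict
    "BOB":   {"Z_BUYER"},                      # clean today
}


@dataclass(frozen=True)
class MitigatingControl:
    control_id: str
    approver: str
    monitor: str
    approved: bool


# Mitigations are keyed by (user, rule): a control documented for a different
# rule, or one that is not yet approved, must not silence a violation.
MITIGATIONS = {
    ("ALICE", "P001"): MitigatingControl("MC-017", "ap-manager", "internal-audit", True),
}


def user_tcodes(user, user_roles=USERS, role_defs=ROLES):
    """Flatten a user's roles into the set of transaction codes they can run."""
    return set().union(*(role_defs[r] for r in user_roles[user]))


def violations(tcodes, rules=RULES, functions=FUNCTIONS):
    """Rule ids for which the access hits BOTH conflicting functions.

    Returns {rule_id: (tcodes hitting function A, tcodes hitting function B)}.
    Holding only one side of a rule is not a conflict.
    """
    found = {}
    for rule_id, (fn_a, fn_b) in rules.items():
        hit_a = tcodes & functions[fn_a]
        hit_b = tcodes & functions[fn_b]
        if hit_a and hit_b:
            found[rule_id] = (sorted(hit_a), sorted(hit_b))
    return found


def analyze(user, mitigations=MITIGATIONS):
    """Per-user report: each violated rule is VIOLATION or MITIGATED.

    Only an approved control assigned to this exact (user, rule) pair counts.
    """
    report = {}
    for rule_id in violations(user_tcodes(user)):
        control = mitigations.get((user, rule_id))
        report[rule_id] = "MITIGATED" if control and control.approved else "VIOLATION"
    return report


def simulate(user, add_roles, user_roles=USERS, role_defs=ROLES):
    """'What if' check before a role assignment.

    Returns only the rule ids the change would newly introduce, so conflicts
    that already exist (and may already be mitigated) do not block the request.
    """
    before = violations(user_tcodes(user, user_roles, role_defs))
    proposed = {**user_roles, user: user_roles[user] | set(add_roles)}
    after = violations(user_tcodes(user, proposed, role_defs))
    return sorted(set(after) - set(before))


if __name__ == "__main__":
    for name in USERS:
        print(name, analyze(name))
    print("BOB + Z_WAREHOUSE ->", simulate("BOB", ["Z_WAREHOUSE"]))
```

Two design points matter in practice. First, this works at transaction-code level, which is the level the slides say home-grown checks usually stop at; a check at authorization object level would have to expand each transaction into the objects it actually checks (the SU24 data the tool on slide 13 reads) rather than matching on the code in S_TCODE alone. Second, the simulation reports only newly introduced conflicts and the analysis only accepts a control tied to the same user and rule, which is what keeps mitigations from quietly covering risks they were never approved for.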

17 Critical Success Factors:
– Optimum rules
– Powerful tools
– Sound processes and methodology
– Proactive, ongoing SOD compliance, to reduce day-to-day maintenance and eliminate reinvention of the wheel
– Networking (best practices)

18 If you wish to contact us: Jasvir Gill: jgill@virsasystems.com; Donnie R. Looper: dlooper@eastman.com; Kathy Landers: kalanders@rockwellcollins.com

19 Questions

20 Thank you for attending! Please remember to complete and return your evaluation form following this session. Session Code: 503

