Segregation of Duties in IT systems (SOD)

The increasing reliance of business processes on the IT systems supporting their execution highlights the risks arising from the lack of proper segregation of duties (SoD) resulting from granting employees with excessive system authorizations, inadequate to their official duties. Planning for an appropriate division of responsibilities and reflecting it in the access privileges granted to users of IT systems becomes necessary for the proper, efficient and secure execution of the business processes.

KPMG Risk Consulting team comprised of experts in the field of internal audit and information technology can help you ensuring proper SoD in the integrated IT systems, as well as improve the process of managing system authorizations helping to incorporate the consideration for adequate SoD.

 

Our support may include among others:

• Performing the analysis of the current system authorizations focused on the assessment of their current state and identification of excessive roles and potential conflicts
• Help in defining the concept of segregation of duties in your organization
• Assistance in the process of solving the identified conflicts
• Assistance in rebuilding the system roles / profiles in order to solve the identified conflicts
• Assistance in establishing / improving the process for managing system authorizations giving consideration to the aspects of segregation of duties.

In the SoD related projects we utilize our dedicated proprietary utility KSoD Monitor, that enables a fast and effective analysis of user rights in the ERP systems. KSoD Monitor has been built in such a way that can be easily tailored to particular customer needs, the nature of the industry in which it operates and its particular ERP system. KPMG defined a set of model conflicts for all major SAP modules which are required input for the tool.

 

Potential benefits for the client

The implementation of an effective system for managing user rights that ensures appropriate segregation of duties allows you to achieve the following benefits:

• Build awareness among the management and process owners of the risks associated with having an ineffective system user authorizations
• Reduce the risk of fraud and error due to excessive user privileges
• Improve the internal control system through better use of the opportunities offered by utilized IT systems
• Improve business processes through better use of available system tools and eliminating unnecessary manual controls
• Improve utilization of available resources (eg, a license to use the ERP system)
• Addressing the issues of lack of adequate segregation of duties raised by the auditors, contractors, regulators and other stakeholders.