Are you accountable for end-user security in a financial ERP system?
First of all, if you’ve never before designed or implemented end-user security, make sure you’re not going it alone. Seek the aid of your Chief Information Security Officer. Your internal audit team needs to be on your security subcommittee as well. If they aren’t on the team already, get them on. If they won’t be on the team, get yourself off it.
Note that this article does not deal with cryptography, physical security, intrusion detection, data-content security, or any security-related phenomenon except the assignment of privileges to authorized users. Anyone who’s designed security knows that the assignment of privileges is plenty all on its own.
In large part, the success or failure of your security design will be judged on how well the design allows users to do their jobs while still segregating controlled duties. That term, Segregation of Duties, gets lofted about so frequently that some may lose sight of what it really means. To clarify to the point of being reductive, consider the following duties:
- Maintain the Vendor Master list.
- Enter Vendor Invoices.
Any single user able to do both these things has a license to print money. So, these duties are to be segregated. That’s what it means. This is only one example. In the abstract, the guiding principle is that no one person should be able to authorize, record, and maintain physical custody of a company’s assets.
This has all been general. Let's get specific and consider some vendors' products.
When implementing Oracle Financials Cloud, you’ll see the vendor’s implementation of Segregation of Duties right out of the box. Oracle’s Security Reference Model defines Duty Roles which link to Job Roles. Having vetted their Duty Roles with internal controls professionals, Oracle offers assurance that no user granted a single Duty Role (via a Job Role) will be able to violate segregation of duties. Similar concepts exist in every enterprise software product. Oracle PeopleSoft has Roles and Permission Lists. SAP has Roles and Profiles. Salesforce has Permission Sets and Roles. Some are more vetted than others, but they all make some effort at implementing Segregation of Duties.
If your ERP does not implement pre-vetted roles that correspond to controlled duties, you’ll have a bit more work to do than those implementing Oracle Cloud Financials. If you do have to start from scratch, here is a way to frame that effort regardless of the software involved.
1) List the 'duties' in scope for your implementation. Someone should have this list already. Don’t see anything in your project library called a 'list of duties'? Look for a list of business processes. Or look for swim-lane diagrams of business processes, and read the rectangles - those should be the duties. Or look at the training curriculum - each topic should approximate a 'duty' in our context.
2) Vet the list of duties with your steering committee. As a reality-check, the final product should be a list of verbs.
3) Gather a list of all users along with their job titles.
4) Normalize the list of job titles. Be careful. One site may define the person who enters vendor invoices as an 'AP Specialist'. Maybe another site, perhaps acquired from another company, still calls them a 'Payables Clerk'. One site's 'Collector' is another site's 'AR Specialist'. This is a heuristic effort, and you may need to talk to some line managers to get it right. Resist any gravity pulling you into considerations of the users themselves at this stage. You want a normalized list of job titles, not a listing of whatever daily procedures Joe Sundance happens to perform. As a reality check on this step, it should be a list of nouns.
5) Create a matrix where the rows are normalized job titles (roles) from step 4 and the columns are duties from step 1. Collaborate with your CISO and/or your internal auditors to identify which duties are appropriate for each role. The result will look something like this.
As long as no single employee is assigned more than one such role, you’ve segregated duties. If an employee does have more than one role, note the exception and make sure the entire security team agrees it is not a problem.
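As an added illustration that is not part of the original article, here is a small Python check for the step 5 matrix and the exception rule above. The roles, duties, conflicting duty pairs (beyond the vendor-master/vendor-invoice example) and user assignments are constructed sample data; the names are hypothetical.

```python
# Constructed sample data, not from the article: the step 5 matrix expressed
# as normalized job title -> set of duties that title may perform.
ROLE_DUTIES = {
    "AP Specialist": {"Enter Vendor Invoices", "Match Invoices to Receipts"},
    "Vendor Master Admin": {"Maintain Vendor Master"},
    "AR Specialist": {"Enter Customer Invoices", "Apply Cash Receipts"},
    "Treasury Analyst": {"Release Vendor Payments"},
}

# Duty pairs that must never rest with one person. The first pair is the
# article's example; the second is constructed for illustration.
CONFLICTING_PAIRS = [
    frozenset({"Maintain Vendor Master", "Enter Vendor Invoices"}),
    frozenset({"Enter Vendor Invoices", "Release Vendor Payments"}),
]

# Constructed user -> role assignments; one user holds two roles.
USER_ROLES = {
    "jsundance": ["AP Specialist", "Vendor Master Admin"],
    "mlee": ["AR Specialist"],
    "rpatel": ["Treasury Analyst"],
}


def vet_roles(role_duties, conflicting_pairs):
    """Roles whose own duty set already holds a conflicting pair (should be empty)."""
    return sorted(role for role, duties in role_duties.items()
                  if any(pair <= duties for pair in conflicting_pairs))


def find_sod_conflicts(user_roles, role_duties, conflicting_pairs):
    """{user: [(duty_a, duty_b), ...]} for users whose combined roles conflict."""
    conflicts = {}
    for user, roles in user_roles.items():
        # Union of every duty granted through any of the user's roles.
        duties = set().union(*(role_duties[r] for r in roles))
        hits = sorted(tuple(sorted(p)) for p in conflicting_pairs if p <= duties)
        if hits:
            conflicts[user] = hits
    return conflicts


def multi_role_users(user_roles):
    """Users holding more than one role: exceptions to document even if clean."""
    return sorted(u for u, roles in user_roles.items() if len(roles) > 1)
```

Run `find_sod_conflicts` against the real role matrix and user list after each access change, and have the security team sign off on every name returned by `multi_role_users`.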
In this way, your attestation reports will be self-documenting, and your company’s assets will be safer. Isn’t that a fine reason to implement ERP in the first place?