Resources Global Professionals - PowerPoint PPT Presentation

About This Presentation
Title: Resources Global Professionals
Description: Resources Global Professionals National Express Corporation Segregation of Duty (SOD) Control Assessment. Prepared by: Roger Drolet MBA, CPA, CISA, CISM, CITP, CRISC – PowerPoint PPT presentation
Slides: 19
Provided by: theoicll
Transcript and Presenter's Notes

1
Resources Global Professionals

National Express Corporation Segregation of Duty
(SOD) Control Assessment
Prepared by
Roger Drolet MBA, CPA, CISA, CISM, CITP, CRISC
Oracle Independent Consultants LLC

2
Segregation of Duties
  • Segregation of Duties (SOD) is the separation of
    incompatible duties that could allow one person
    to commit and conceal fraud that may result in
    financial loss or misstatement to the company.
    Segregation of duties may be within an
    application or within the infrastructure.

  • Represents a key internal control that ensures no
    single person has too much influence over any
    business transaction or operation
  • Serves to prevent unintentional errors or fraud and
    ensure timely detection of errors that may occur
  • Provides a method of improving organizational,
    business process and IT control alignment
  • Segregation of duties has always been an important
    component of a properly functioning internal
    control environment
3
Common Challenges and Pitfalls of IT Controls
  • Control deficiencies typically stem from changes
    or actions taken outside of the formal process
  • Limited mechanisms to consistently enforce
    policies at an enterprise level
  • Lack of strong executive-level support and
    insufficient alignment between IT and the
    business
  • Lack of user education and awareness regarding SOD
  • Management's preference to rely on mitigating
    controls in place of implementing proper SOD
  • Inadequate policies and procedures for
    effectively changing or removing access when
    users change jobs or leave the company
  • Limited automated reporting capabilities for IT
    controls
  • No monitoring tools/capability to periodically
    review access rights

These deficiencies typically lead to access creep, fraud risk, and failed user management processes
4
Why the Increased Interest
  • Drivers causing companies to consider use of
    Segregation of Duties (SOD) in the management of
    their business
  • Regulatory Compliance - Sarbanes-Oxley and other
    regulatory issues are forcing companies to
    increase their awareness of, and accountability
    for, their employees' actions within the company
  • Security and Data Management - Recent privacy
    laws and prosecution of security violations are
    bringing a new awareness to monitoring and
    controlling security and access to data within
    the organization
  • Access Management - Provisioning and management
    of users' access to applications have not been
    enforced, resulting in access creep
  • Rapid Implementation of ERPs - Application
    security was often overlooked or implemented
    incompletely (Segregation of Duties was not
    addressed)

5
Regulatory Compliance
  • Sarbanes-Oxley is now providing a compelling case
    for the implementation and maintenance of
    appropriate segregation of duties at the
    organizational, manual process and system level.
  • Not only should business functions be separated
    departmentally and, at an even more granular
    level, within departments; companies now find
    that they also need the system itself to enforce
    traditional segregation of duties models
  • External auditors are insisting on evidence that
    proper segregation of duties exists

6
Security and Data Management
  • Recent privacy laws and prosecution of security
    violations are bringing a new awareness to
    monitoring and controlling security and access to
    data within the organization.
  • Lack of application-specific Segregation of
    Duties is resulting in access creep, fraud risk
    and failed user management processes
  • Disclosure of sensitive information can have a
    negative impact on shareholder value
  • Increased use of web services (online auctions
    and banking) has brought increased risk of
    identity theft and fraud
  • Privacy laws and disclosure of violations are
    increasing the need for proactive segregation and
    control over access to data

7
Access Management
  • Implementation of identity management and ERP
    tools provides an avenue to leverage technologies
    to enforce and regulate enterprise level
    segregation of duties.
  • Established authoritative sources of information
    through ERP systems (HRMS)
  • Leverage user lifecycle through role based access
    control and system integration
  • Automated provisioning to lower operational costs
  • Greater visibility by management to monitor user
    activity
  • Centralization of user ID management for multiple
    applications through the single sign-on concept

8
National Express Corporation Segregation of Duty
Assessment
9
Background
  • National Express Corporation (NEC) is the North
    American subsidiary of National Express Group,
    PLC, one of the premier transportation firms in
    the United Kingdom. NEC is made up of Durham
    School Services in the United States and Stock
    Transportation in Canada.
  • Durham School Services and Stock Transportation
    operate more than 17,400 school buses and
    serve 376 school districts in 30 states and four
    provinces. 
  • NEC has revenues of approximately 750M with
    20,600 employees
  • National Express Group PLC is a public company
    and Ernst & Young LLP is its external auditor.
  • NEC must comply with the Sarbanes-Oxley Act in the US
  • NEC's year end is December 31st

10
SOD Assessment Objectives
  • Prepare for Year-End Audit
  • Assess SOD Controls
  • Identify Incidents
  • Eliminate False Positives
  • Identify Intra-Role Conflicts
  • Identify Inter-Role Conflicts
  • Recommend Approach for Remediation

11
SOD Assessment Process
  • Extracted SOD Data
  • Imported SOD Data into OIC GRC Express
  • Defined NEC as Datasource in AACG
  • Imported Oracle Predefined SOD Controls
  • Created SOD Controls
  • Generated Access Synchronization
  • Defined Global Access Conditions
  • Generated Control Analysis
  • Generated SOD Incident Reports
  • Reported Findings

12
SOD Controls
  • We used the following Oracle predefined SOD
    Controls to perform the SOD Assessment for NEC

Each SOD Control is a pair of incompatible functions (see slide 2):

Incompatible function 1            | Incompatible function 2
-----------------------------------+---------------------------------
Approve Invoices                   | Create Invoices
Maintain Automatic Receipts        | Create Sales Order
Maintain Automatic Receipts        | Release Sales Order
Maintain Automatic Receipts        | Ship Customer Goods
Maintain Item Master File          | Cycle Counting
Maintain Item Master File          | Inventory Transactions
Mass Allocate Journal Entries      | Entry Journal Entry
Modifiers                          | Enter Customer Receipts
Modifiers                          | Pick Release Goods
Modifiers                          | Release Sales Orders
Modifiers                          | Remittances
Modifiers                          | Ship Confirm Goods
Modify Bank Information            | Item Price List
Modify Bank Information            | Modifiers
Modify Employee Information        | Define Payroll Information
Modify Employee Job and            | Define Payroll Information
Modify Employee Position           | Define Payroll Information
Perform Cash Reconciliations       | Item Price List
Perform Cash Reconciliations       | Release Sales Order
Perform Cash Reconciliations       | Ship Confirm Goods
Physical Inventory                 | Receive Goods and Services
Post Journal Entry                 | Approve Invoices
Post Journal Entry                 | Approve Purchase Orders
Post Journal Entry                 | Asset Depreciation
Post Journal Entry                 | Assets Workbench
Post Journal Entry                 | Capitalizing Assets
Post Journal Entry                 | Create Invoices
Post Journal Entry                 | Create Payments
Post Journal Entry                 | Create Purchase Orders
Post Journal Entry                 | Create Customer Receipts
13
SOD Controls
  • We used the following Oracle predefined SOD
    Controls to perform the SOD Assessment for NEC

Incompatible function 1            | Incompatible function 2
-----------------------------------+---------------------------------
Post Journal Entry                 | Mass Transactions
Post Journal Entry                 | Remittances
Post Journal Entry                 | Setup GL
Post Journal Entry                 | Ship Customer Goods
Pricing Agreements                 | Enter Customer Receipts
Pricing Agreements                 | Pick Release Goods
Pricing Agreements                 | Release Sales Order
Pricing Agreements                 | Remittances
Pricing Agreements                 | Ship Confirm Goods
Remittances                        | Create Sales Orders
Remittances                        | Release Sales Orders
Remittances                        | Ship Customer Goods
Return Goods and Services          | Create Invoices
Return Goods and Services          | Enter Customer Receipts
Return Goods and Services          | Receive Goods and Services
Setup AutoCreate Purchase Orders   | Approval Authorization Control
Setup AutoCreate Purchase Orders   | Approve Invoices
Set Up Auto Create Purchase Orders | Create Invoices
Set Up Auto Create Purchase Orders | Receive Goods and Services
Set Up Auto Create Purchase Orders | Return Goods and Services
Set Up Payment                     | Create Payment
14
Results of SOD Assessment
  • NEC Production Segregation of Duties (SOD)
    Control Violations
  • This Excel Spreadsheet lists 52 SOD Controls with
    violations in NEC EBS Production Instance. For
    each SOD Control, the spreadsheet identifies the
    Oracle Responsibilities that contain intra-role
    conflicts and identifies the users that have been
    assigned these custom NEC Oracle responsibilities.
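
The assessment steps on slide 11 (import access data, define controls, apply global access conditions, run the control analysis) and the incident report described above can be expressed as a small analysis over extracted access data. The following Python is an added illustration written for this page; it is not code from OIC, Oracle AACG or GRC Express, and the sample users, responsibilities and functions are constructed. It assumes a simplified model in which a user holds responsibilities, a responsibility's menus grant business functions, and an SOD control is a pair of incompatible functions taken from the slides. It also treats "global access conditions" as exclusion filters applied before analysis (an assumption about how that AACG feature is used to eliminate false positives) and reports intra-role conflicts (one responsibility grants both functions) separately from inter-role conflicts (a user's combined responsibilities grant both).

```python
from itertools import combinations

# Subset of the Oracle predefined SOD controls named on the slides; each
# control is a pair of business functions one person must not hold together.
SOD_CONTROLS = [
    ("Approve Invoices", "Create Invoices"),
    ("Post Journal Entry", "Create Payments"),
    ("Set Up Payment", "Create Payment"),
]

# Constructed sample extract (not NEC data): responsibility -> functions its
# menus grant, and users -> assigned responsibilities with an optional end date.
RESPONSIBILITIES = {
    "NEC_AP_CLERK": {"Create Invoices", "Enter Customer Receipts"},
    "NEC_AP_MANAGER": {"Approve Invoices", "Create Invoices"},
    "NEC_GL_ACCOUNTANT": {"Post Journal Entry"},
    "NEC_CASH_DISBURSEMENTS": {"Create Payments"},
    "NEC_READ_ONLY": {"Post Journal Entry", "Create Payments"},
}

USERS = [
    {"name": "ASMITH", "responsibilities": ["NEC_AP_MANAGER"], "end_date": None},
    {"name": "BJONES", "responsibilities": ["NEC_GL_ACCOUNTANT", "NEC_CASH_DISBURSEMENTS"], "end_date": None},
    {"name": "CLEE", "responsibilities": ["NEC_AP_CLERK", "NEC_READ_ONLY"], "end_date": None},
    {"name": "DOLD", "responsibilities": ["NEC_AP_MANAGER"], "end_date": "2011-03-31"},
]

# Assumed shape of "global access conditions": exclusions applied before the
# analysis so that known false positives (a query-only responsibility whose
# forms are view-only, users who have left the company) are not reported.
GLOBAL_ACCESS_CONDITIONS = {
    "exclude_end_dated_users": True,
    "exclude_responsibilities": {"NEC_READ_ONLY"},
}


def active_users(users, conditions):
    """Users left after the end-dated-user condition is applied."""
    if conditions.get("exclude_end_dated_users"):
        return [u for u in users if not u["end_date"]]
    return list(users)


def intra_role_conflicts(responsibilities, controls, conditions):
    """Map control -> responsibilities whose own menus grant both functions."""
    excluded = conditions.get("exclude_responsibilities", set())
    hits = {}
    for resp, funcs in responsibilities.items():
        if resp in excluded:
            continue
        for control in controls:
            if set(control) <= funcs:
                hits.setdefault(control, []).append(resp)
    return hits


def inter_role_conflicts(users, responsibilities, controls, conditions):
    """Map control -> (user, resp_a, resp_b) where two different responsibilities
    of one user together grant both functions but neither grants both alone."""
    excluded = conditions.get("exclude_responsibilities", set())
    hits = {}
    for user in active_users(users, conditions):
        assigned = [r for r in user["responsibilities"] if r not in excluded]
        for resp_a, resp_b in combinations(assigned, 2):
            funcs_a, funcs_b = responsibilities[resp_a], responsibilities[resp_b]
            for f1, f2 in controls:
                if {f1, f2} <= funcs_a or {f1, f2} <= funcs_b:
                    continue  # already an intra-role incident, reported separately
                if (f1 in funcs_a and f2 in funcs_b) or (f1 in funcs_b and f2 in funcs_a):
                    hits.setdefault((f1, f2), []).append((user["name"], resp_a, resp_b))
    return hits


def incident_report(users, responsibilities, controls, conditions):
    """Slide-14 style report: for each violated control, the responsibilities
    with intra-role conflicts and the users assigned to any of them."""
    report = {}
    for control, resps in intra_role_conflicts(responsibilities, controls, conditions).items():
        assigned = sorted(u["name"] for u in active_users(users, conditions)
                          if set(u["responsibilities"]) & set(resps))
        report[control] = {"responsibilities": sorted(resps), "users": assigned}
    return report


if __name__ == "__main__":
    for label, conditions in (("no conditions", {}), ("with conditions", GLOBAL_ACCESS_CONDITIONS)):
        print(f"--- {label} ---")
        for control, detail in incident_report(USERS, RESPONSIBILITIES, SOD_CONTROLS, conditions).items():
            print("intra-role", control, detail)
        for control, detail in inter_role_conflicts(USERS, RESPONSIBILITIES, SOD_CONTROLS, conditions).items():
            print("inter-role", control, detail)
```

Running it with an empty conditions dictionary shows the false positives the conditions are meant to remove: the read-only responsibility appears as an intra-role violation of "Post Journal Entry / Create Payments" and the end-dated user DOLD is listed against "Approve Invoices / Create Invoices". With the conditions applied, only the genuine intra-role conflict in NEC_AP_MANAGER (held by ASMITH) and the inter-role conflict created by BJONES's two responsibilities remain, which is the split between "Identify Intra-Role Conflicts" and "Identify Inter-Role Conflicts" on slide 10.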

15
Next Steps: Remediate, Mitigate and Retest
  • Remediate
      • Eliminate Intra-Role Conflicts
      • Eliminate Inter-Role Conflicts
      • Eliminate False-Positives
      • Update User Access Policies and Procedures to
        include SOD conflict checks
  • Mitigate
      • Document Mitigating Controls
  • Retest Controls
      • Generate Controls Analysis

16
Revise Security Model in Production Instance
  • Replicate Changes in Production Instance
  • Extract SOD Data
  • Import SOD Data into OIC GRC Express
  • Define NEC as Datasource in AACG
  • Import Oracle Predefined SOD Controls
  • Create SOD Controls
  • Generate Access Synchronization
  • Define Global Access Conditions
  • Generate Control Analysis
  • Generate SOD Incident Reports
  • Report Findings

17
NEC Preparation
  • Provide OIC with System Administrator Access to
    Test Instance
  • Identify Business Owner (BPO) for each Control
    who can make decisions regarding access
    privileges to grant to users
  • Identify System Administrator who will modify
    Oracle Menus and/or Responsibilities to Remediate
    SOD incidents
  • Provide Copy of Change Control Policies so that
    we can revise the Production Instance in
    accordance with NEC Policy
  • Review SOD Rules with External Auditors
  • Finalize SOD Design with BPO

18
About Resources Global and OIC
Resources Global and OIC, partnering to bring
practical Governance, Risk and Compliance
solutions to companies everywhere.
  • Resources Global is a leading professional
    services firm that helps companies become more
    efficient and competitive by assisting with
    internal projects and operational support. We
    deploy accomplished professionals across our 80
    offices in North America, Europe and Asia-Pacific
    who bring exceptional functional and technical
    skills in accounting and finance, governance,
    risk and compliance, information technology,
    supply chain management, human capital and legal
    services. Visit us at www.resourcesglobal.com to
    learn more.
  • Oracle Independent Consultants LLC (OIC) is a
    leading provider of Risk Advisory and Oracle
    Fusion Governance, Risk, and Compliance
    (GRC)-based solutions. OIC GRC Express is an
    approved Oracle Accelerate program for Oracle GRC
    Controls and provides fixed scope methodologies
    for the rapid deployment of Oracle GRC Controls.
    The solutions are designed to make Oracle GRC
    Controls applications more affordable for midsize
    organizations. OIC's Oracle Accelerate solution
    significantly reduces implementation costs and
    timeframes and lowers the total cost of ownership
    of Oracle GRC Controls. Contact us at
    www.theoicllc.com to learn more.