RE: [sap-security] SAP Segregation of Duties for Small Companies
Posted by Lee Allen (Senior Lead Analyst) on Sep 1 at 3:41 PM
Thanks for the follow-up, Mark. The original post was by Reyhan Joshi asking
about rules for a small organization. The reply we got was it is a public
company and subject to Sarbanes-Oxley reporting with all the attendant
control documentation, etc. One end-of-the-day control and mitigation issue
that rarely gets discussed is management's appetite for risk acceptance.
Management has the right to accept whatever risk they deem appropriate in
order to maintain or enhance profitability. Sometimes the auditor's role is
to provide assurance that management understands the implications of
accepting a certain risk.
From a simplified internal control perspective, SOD (segregation of duties)
is the set of practices, policies, and procedures put in place to ensure that all
financial data is authorized, approved, executed and recorded by separate
people/departments, in order to be able to rely on that financial data.
Any other comments are gratefully welcomed.
From: MarkD via sap-security [mailto:sap-security@Groups.ITtoolbox.com]
Sent: Tuesday, September 01, 2009 10:50 AM
To: Lee Allen
Subject: RE:[sap-security] SAP Segregation of Duties for Small Companies
Posted by MarkD (Senior IT Audit Consultant) on Sep 1 at 10:50 AM
Lee,
We use a 3rd-party bolt-on system for determining SOD issues. One of the first
things I did was to go through the rules and shut most of them off, as there
were many that did not affect the financials, which is the crux of Sarbanes-
Oxley (SOX) 404 controls. I am not familiar with Calibrator, but I believe if
it's the SAP security tool it used to be Virsa, and they are all rule-based.
Make sure that in addition to the transactions you are including the related
objects as well. I would focus your SOD rules around the following areas:
creation of master data such as customers, vendors, materials, GL accounts,
etc.; minimize those users that can open/close accounting periods or modify
tables such as currency, etc. Also limit who can post journal entries. I
find that there are rules you need to test for one key activity, and there
are rules where you need to combine activities, such as who can create a
customer, create a sales order, and process cash receipts, as an example.
The best thing to do is to find all SAP transactions that allow any of those
activities and test them down to the object level. It is time-consuming up
front but is easy to maintain after the fact, and limiting the number of SOD
rules will save your sanity. You will not be able to eliminate SOD issues
completely, especially for small remote offices with little staff. In cases
like this you need to have mitigating controls established and documented
for each SOD SOX risk. Good luck.
Mark
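An added worked example, not code from either poster or from any SAP or GRC product, showing the rule structure Mark describes: single-activity rules alongside combined-activity rules, with each activity credited only when the user holds both the transaction code and the related authorization object values, and a documented mitigating control attached per user and rule. The user authorizations and the mitigation entry are constructed sample data; the authorization object and field names (S_TCODE/TCD, F_KNA1_BUK, V_VBAK_VKO, F_BKPF_BUK with ACTVT) are used in simplified, illustrative form and are assumptions of this example, not a statement of what a given transaction checks in a real system.

```python
"""Minimal SOD conflict check: rules are combinations of activities, and an
activity is credited only when the user holds the transaction code AND the
related authorization object values (the object-level test)."""

# Activities: the transaction codes that allow the activity plus the object
# values the transaction checks. Object/field names are illustrative
# assumptions, simplified from SAP authorization objects.
ACTIVITIES = {
    "create_customer":       {"tcodes": {"XD01", "FD01"},
                              "objects": {"F_KNA1_BUK": {"ACTVT": {"01"}}}},
    "create_sales_order":    {"tcodes": {"VA01"},
                              "objects": {"V_VBAK_VKO": {"ACTVT": {"01"}}}},
    "process_cash_receipts": {"tcodes": {"F-28"},
                              "objects": {"F_BKPF_BUK": {"ACTVT": {"01"}}}},
    "post_journal_entry":    {"tcodes": {"FB01", "FB50"},
                              "objects": {"F_BKPF_BUK": {"ACTVT": {"01"}}}},
}

# Rules: (id, description, activities). One activity = a "key activity" rule;
# several = a conflict only when the same user can perform all of them.
RULES = [
    ("JE-01", "can post journal entries", ("post_journal_entry",)),
    ("O2C-01", "create customer + create sales order + process cash receipts",
     ("create_customer", "create_sales_order", "process_cash_receipts")),
]

# Documented mitigating controls, keyed by (user, rule id). Constructed data.
MITIGATIONS = {
    ("DAVE", "O2C-01"): "monthly AR-to-cash reconciliation reviewed by controller",
}

# Constructed sample authorizations: user -> list of (object, {field: values}).
# "*" is treated as a full wildcard value.
SAMPLE_USERS = {
    "ALICE": [("S_TCODE", {"TCD": {"XD01", "VA01", "F-28"}}),
              ("F_KNA1_BUK", {"ACTVT": {"01"}}),
              ("V_VBAK_VKO", {"ACTVT": {"01"}}),
              ("F_BKPF_BUK", {"ACTVT": {"01"}})],
    # BOB has the F-28 transaction code but only display (03) on F_BKPF_BUK,
    # so he cannot actually post a receipt: a tcode-only check would flag him.
    "BOB":   [("S_TCODE", {"TCD": {"XD01", "VA01", "F-28"}}),
              ("F_KNA1_BUK", {"ACTVT": {"01"}}),
              ("V_VBAK_VKO", {"ACTVT": {"01"}}),
              ("F_BKPF_BUK", {"ACTVT": {"03"}})],
    "CAROL": [("S_TCODE", {"TCD": {"FB01"}}),
              ("F_BKPF_BUK", {"ACTVT": {"*"}})],
    "DAVE":  [("S_TCODE", {"TCD": {"*"}}),
              ("F_KNA1_BUK", {"ACTVT": {"*"}}),
              ("V_VBAK_VKO", {"ACTVT": {"*"}}),
              ("F_BKPF_BUK", {"ACTVT": {"*"}})],
}


def has_value(auths, obj, fld, needed):
    """True if any authorization for obj grants `needed` (or '*') in field fld."""
    for auth_obj, fields in auths:
        if auth_obj != obj:
            continue
        values = fields.get(fld, set())
        if "*" in values or needed in values:
            return True
    return False


def can_perform(auths, activity):
    """Object-level test: a permitted tcode AND every related object value."""
    spec = ACTIVITIES[activity]
    if not any(has_value(auths, "S_TCODE", "TCD", t) for t in spec["tcodes"]):
        return False
    for obj, fields in spec["objects"].items():
        for fld, needed in fields.items():
            if not any(has_value(auths, obj, fld, v) for v in needed):
                return False
    return True


def evaluate(users, rules=RULES, mitigations=MITIGATIONS):
    """One finding per (user, rule) where the user can do every activity in the rule."""
    findings = []
    for user, auths in sorted(users.items()):
        for rule_id, desc, activities in rules:
            if all(can_perform(auths, a) for a in activities):
                findings.append({
                    "user": user, "rule": rule_id, "description": desc,
                    "mitigation": mitigations.get((user, rule_id)),
                })
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_USERS):
        status = ("mitigated: " + f["mitigation"]) if f["mitigation"] else "UNMITIGATED"
        print(f'{f["user"]:6} {f["rule"]:7} {f["description"]} -> {status}')
```

Running the block reports ALICE and DAVE on the combined order-to-cash rule and CAROL and DAVE on the journal-entry rule; BOB is not reported, because the object-level test sees that his display-only value on F_BKPF_BUK does not let him process receipts even though he holds the transaction code. DAVE's order-to-cash finding is shown with its documented mitigating control, the remaining findings as unmitigated, which is the list a small organization would take to management for remediation or risk acceptance.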
Copyright © 2009 CEB Toolbox, Inc. and message author.