In our last blog post about Segregation of duties (SoD) Management, I introduced several categories for evaluating SoD maturity level. We will now use these categories to test your maturity level. By adopting this approach, you will be able to test your maturity level quickly and easily.
Assessing your Segregation of Duties Maturity Level
In what follows, I would like to share 31 questions with you that you can use to carry out a Self-Assessment of your SoD Maturity Level. You can download the guide including the questions here:
Maturity Level 0
The maturity level 0 is present if a company carries out its authorization management for standard business software, but does not take SoD issues into consideration. The perception of SoD issues within the company does not exist. The purpose of the authorization management is only to allow employees access the ERP system.
Maturity Level 1 – Initial
Similar to known maturity models such as CMMI and BPMM, plans to implement SoD in standard business software which can be graded as an "initial" have the lowest possible level of maturity. At this stage, processes are executed in an unplanned and unstructured way, thus the quality of SoD analysis is difficult to assess (OMG 2008, p. 20). This is mainly due to the lack of formalization of rule sets, which complicates the traceability of activities regarding completeness and correctness. Rules are defined on an ad hoc basis by the participating employees, creating a heterogeneous landscape, company-wide. In addition, the definition of rules is not based on risk assessments within the meaning of the risk management process.
Full consideration is therefore not given to all high-risk business processes. This also implies a lack of dynamism in terms of the rules applied. Adjustments based on risk assessments are not made.
Maturity Level 2 – Repeatable
In comparison to the maturity level "Initial", a formalized rule set – defining SoD conflicts – does exist. This increases the transparency of SOD activities within the company and makes it easier to formalize the procedure for re-implementing SoD analyses. From an organizational perspective at this level of maturity, the functional department is more involved in the SoD process. On the one hand, this increases the quality of the rule set. On the other hand, the functional department that receives reports is able to identify and evaluate SoD conflicts more effectively, and is also able to assist with their elimination. The successful elimination of SoD conflicts is reflected in the positive results of follow-up audits. The results are documented and reported.
Maturity Level 3 – Defined
At this maturity level, rules for multiple risk-prone business processes and supporting application systems exist. Rule sets are updated as soon as relevant changes are made to the business processes. To increase the effectiveness of the control system, the rule set includes both detective and preventive controls. In the event that certain rules are inapplicable, decentralized local controls are executed in order to minimize potential risks. To support a company-wide improvement in processes, conflicts are tagged with “risk values” in regular reporting. Based on the reported risk values, managers can prioritize follow-up activities to ensure their resources are used effectively. The communication of conflicts is integrated in the escalation management process to ensure timely processing. Overall, the SoD approach at this level is structured. Responsibility for SoD processes lies with the functional departments.
Functional departments develop rule sets in cooperation with IT staff and eliminate identified conflicts. The increased awareness of SoD is also reflected in the further development of authorization management.
Maturity Level 4 – Managed
At this maturity level, a generic rule set is used. Based on the risk assessment, SoDs are defined for all relevant business processes. These SoDs are defined independently of the (IT-) system. Before deriving controls from the rule sets, transactions are mapped to relevant application systems. In this way, it is easier to maintain a rule set that is uniform company-wide. Should there be changes to processes, only one rule set needs to be adapted. Conversely, the rule set can still be used if IT systems are replaced. Adaptations only need to be made for system-specific transformations. All control activities are automatically carried out on a regular basis. This enables the personnel responsible to make a statement about compliance regarding SoD-related aspects in the short term. The sustainable elimination of conflicts is supported by an automatic process for escalation management. Having been assigned a priority, conflicts are communicated to corresponding functional departments depending on age and risk assessment. Reports also include figures about process improvements.
Maturity level 5 – Optimizing
The maturity level "Optimizing" describes the highest level of planning to implement SoD in standard business software. At this level, SoD processes are constantly being developed and improved. A process to update the rule set in the case of relevant changes to processes is in place. The rule set also makes provision for system-specific transformations, as well as the associated control activities, risk assessment, reporting and escalation management. At this maturity level, the company-wide uniform rule set is complete. It takes account not only of all processes classified as high risk and the application systems involved, but also aspects of SoD that extend across different systems. To ensure uniform implementation of all control activities, compensating controls are defined and rolled out centrally. An autonomous approach adopted by different departments is precluded. Compared to maturity level 4, there are not only set targets for the elimination of SoD conflicts, but management has also defined a system of incentives. Incremental and innovative improvements to processes and technologies are thus encouraged.
This blog post presents a maturity model for the segregation of duties in standard business software. Both the complexity of the issue and the lack of research in this area illustrate the need for such a model. In the categories of rule set, control activities, reporting and organizational environment, we have formulated 31 questions that can help you to assess the current state of SOD activities. Furthermore, based on the results, it should be possible to identify opportunities for improvement and prioritize accordingly. In comparison to other maturity models, the relatively simple structure should ensure a high level of user friendliness. In the future, it may also be possible to provide a graphic presentation of results to aggregate important information and provide a general overview.
It should be noted, with regard to the evaluation criteria, that it is not explicitly required to implement the risk management process from risk identification right through to risk monitoring in the model. Based on the answers to certain questions, compliance with this process is however required indirectly since it leads to a continuous improvement in the company’s risk situation.
This article appeared as a long version in the Journal of Internal Auditing [Zeitschrift für Interne Revision – ZIR, 3/10].