How Herman Miller automated its SOX Segregation of Duties ...
  • Recently AMR announced that $6 bn will be spent on Sarbanes-Oxley compliance in 2006. This is roughly equal to the amount for 2005; however, proportionally more will be spent on technology and less on headcount and resources. This pre-conference workshop invites companies to share their initial compliance experiences, the lessons they have learned and the initiatives they have in mind to achieve sustainable compliance and reduce compliance costs in the future. In particular, the role of technology in enabling compliance will be discussed, to understand what additional benefits can be derived so that companies can look to gain a return on their compliance spend.
  • Transcript

    • 1. How Herman Miller automated its SOX Segregation of Duties validation across multiple business applications Session GB-06 Mon, April 24 , 2006 Don Morren – Herman Miller Inc.
    • 2. Session abstract
      • Like so many organizations seeking SOX certification or adequate governance, Herman Miller needs to certify that users do not have access to applications that create a conflict of interest. Our challenge, however, was to perform such “Segregation of Duties” (SOD) validation across 3750+ users, 250+ user-roles, 350+ business processes and thousands of application/session accesses associated with various business systems. For our first round, we came up with homemade scripts, tables and spreadsheets along with countless hours of analysis to perform this tedious task. We have since implemented a rules-driven SOD conflict identification engine, enabling us to dynamically scan all of the above elements … in less than 10 minutes! Not only do we know precisely who is able to access what, we have direct visibility of any SOD conflicts for us to investigate and resolve. In addition to saving us considerable effort, this SOD compliance solution enhanced the accuracy of our conflict identification, which is critical to maintaining our SOX certification for years to come. Benefit from our experience, mark this session in your agenda …
    • 3. Herman Miller Case Study
      • A Great Place to Work
      • An International Company That Builds Great Office Furniture Solutions
      • On Track for 1.7 Billion for 05/06
      Herman Miller Inc. and My Position
    • 4. Herman Miller Case Study
      • Technical Analyst
      • Business Process Analyst
      • No Financial Background
      • Started With:
        • Business Process Change Control
        • Software Change Control
        • Business Systems Access Request
      • Evolved Into
        • SOD Review, A Finance Issue, That Needs IT Help
      Herman Miller Inc. and My Position
    • 5. Herman Miller Case Study
      • Past Present and Future:
      • Adoption of and Achieving the COBIT Standard
        • Business Process Change Control
        • Software Change Control
        • Business Systems Access Request
        • SOD Review
      404 requirements
    • 6. Herman Miller Case Study
      • System Generated User Access List Across Multiple Apps
        • Combining Into One Place for SOD Analysis
      • Building of the Complete List of All Available Sessions
        • Ability to Identify New/Old Sessions
      • Building of the Complete User Access List
        • Who has What, Sessions, Roles, Systems, Limited Sessions…
      • Writing the Risks, Controls, and Conflict Rules
      • The Conflict Scan
        • Total Visibility to All Conflicts in All Systems in One Place
        • Analysis by, Rule, Role, Session, User, Status…
      SOD Review, Past Present Future
    • 7. Herman Miller Case Study
      • The Resolution of Conflict
        • Writing ‘Resolution Rules’
        • Applying the Resolutions to the Conflicts
      • Timing and Automation of the Entire Chain of Events.
        • Hours not Days
        • Scheduled in Off Hours
      • History, and Archiving
      • Targeted Preventative Action
      • Repetitious Monitoring as a Preventative Measure
      • Monitoring Super Users
      SOD Review
    • 8. [Diagram: SOD scan chain] Inputs: Employees, Roles, Corp-wide Applications, Business Controls, Business Processes, Business Risks.
      • (1) Access Scan → Employee / Applications Access List
      • (2) Conflict Scan (Access List + SOD Conflict Rules) → SOX – SOD Conflicts List
      • (3) Resolution Scan (Conflicts List + SOD Resolution Rules) → Mitigated Conflicts List
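As an added illustration of the three-scan chain described in slides 6 through 8 (not Herman Miller's engine or code), the following Python builds a who-has-what access list from role assignments, applies pairwise session conflict rules, then applies resolution rules that mark a conflict as mitigated. All role, session, system and user names are constructed sample data, and the rule shapes are assumptions.

```python
from collections import defaultdict

# Constructed sample data (hypothetical names). A role grants a set of sessions.
ROLES = {
    "AP_CLERK":   {"VENDOR_MAINT", "INVOICE_ENTRY"},
    "AP_MANAGER": {"PAYMENT_RUN"},
    "GL_CLOSE":   {"JOURNAL_POST"},
}
# System-generated user access list across applications: (user, role, system).
ACCESS = [
    ("alice", "AP_CLERK", "ERP"),
    ("alice", "AP_MANAGER", "ERP"),
    ("bob",   "AP_CLERK", "ERP"),
    ("carol", "GL_CLOSE", "ERP"),
    ("carol", "AP_MANAGER", "ERP"),
]
# SOD conflict rules: rule id -> (session A, session B, business risk).
CONFLICT_RULES = {
    "SOD-01": ("VENDOR_MAINT", "PAYMENT_RUN", "create a vendor and pay it"),
    "SOD-02": ("PAYMENT_RUN", "JOURNAL_POST", "pay and post own entries"),
}
# SOD resolution rules: (rule id, user) -> mitigating control accepted by Finance.
RESOLUTION_RULES = {
    ("SOD-02", "carol"): "monthly payment-register review by controller",
}

def build_access_list(access, roles):
    """(1) Access scan: user -> {session: roles that grant it}."""
    out = defaultdict(lambda: defaultdict(set))
    for user, role, _system in access:
        for session in roles[role]:
            out[user][session].add(role)
    return out

def conflict_scan(access_list, rules):
    """(2) Conflict scan: one record per (rule, user) where both sessions are held."""
    found = []
    for user, sessions in access_list.items():
        for rule_id, (a, b, risk) in rules.items():
            if a in sessions and b in sessions:
                found.append({"rule": rule_id, "user": user, "risk": risk,
                              "roles": sorted(sessions[a] | sessions[b]),
                              "status": "open"})
    return found

def resolution_scan(conflicts, resolutions):
    """(3) Resolution scan: mark conflicts covered by a resolution rule as mitigated."""
    for c in conflicts:
        control = resolutions.get((c["rule"], c["user"]))
        if control:
            c["status"], c["control"] = "mitigated", control
    return conflicts

def run_scan():
    return resolution_scan(conflict_scan(build_access_list(ACCESS, ROLES),
                                         CONFLICT_RULES), RESOLUTION_RULES)
```

Grouping the returned records by rule, role or status gives the per-rule/role/user/status analysis view the slides mention; open records are the ones left to investigate.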