Presentation by Smart ERP Solutions on Smart SoD, an add-on software solution providing effective Segregation of Duties for PeopleSoft applications. For webinar playback see also http://www.smarterp.com/media/Webinar-SoD.html
Effective Segregation of Duties for PeopleSoft 2011-02-23
Effective Segregation of Duties for PeopleSoft
SmartERP: Doris Wong, CEO; Dan White, VP of Product Strategy
Q Software: Lewis Hopkins, Product Manager
February 23, 2011
Webinar recordings available at smarterp.com/webinars
Our webinar will begin shortly. Please note all phone lines and computer microphones will be placed on mute throughout the presentation. Please use the GoToWebinar QUESTION feature to ask questions.
Welcome & Introductions
• Doris Wong, CEO, Smart ERP Solutions, Inc.
  – Former Oracle Group VP and GM for PeopleSoft Enterprise
  – Over 15 Years Experience with PeopleSoft
• Dan White, VP, Product Strategy, Smart ERP Solutions, Inc.
  – Former Oracle/PeopleSoft Functional Architect
  – Over 12 Years Experience with PeopleSoft
• Lewis Hopkins, Product Manager, Q Software, Ltd.
  – Over 10 years experience in risk management, governance, and security for compliance for ERP applications
Agenda
• “Effective” Segregation of Duties (SoD)
• About Smart ERP Solutions, Inc.
• Smart SoD™: Effective SoD for PeopleSoft
• Demo
• Summary and Q & A
“Effective” Segregation of Duties
Lewis Hopkins, Q Software, Ltd.
Segregation of Duties
A key element in the compliance lifecycle
Characteristics/Benefits of Effective SoD
• Built-in model enables SoD enforcement
  – Violations checked BEFORE go-live
  – Your decision to enforce rules or allow violations
• Saves time (= money)
  – Easy set-up
  – Easy testing for violations
  – Quick and easy reporting
  – Reduces number of compensating controls required
  – Reduces auditing effort / costs
• Reduces risk
  – Enforcing and reporting SoD violations reduces opportunity for fraud
SoD – The Issues
• Nothing in PeopleSoft
  – Any release
• Use a Spreadsheet?
• How do you…
  – Ensure the actual access control mirrors the spreadsheet?
  – Right people access the right data?
  – Manage change control problems?
  – Assess impact of changes?
  – Manage enforcement of SoD?
Proactive SoD
Aim: Prevent SoD violations occurring during security assignment. Ensure security policy is enforced long term.
‘Proactive’ SoD
[Diagram: the A/P “Super” Voucher Clerk role (1. AP Voucher clerk, 2. Secondary role 2, 3. Secondary role 3) passes through an SoD Violations Check, with outcomes “OK” or “6 Violations”. Labels: Role assignment; Build Security or Change Security without affecting live security.]
Extract from pre-populated model:
Segregate this task: | From this task:
Sales Order Entry | Purchase Order
Vendor Master | Bank Payments
Sales Pricing | Sales Order Entry
Purchase Order | Goods Receipt
Customer Master | Sales Order Entry
Sales Order Entry | Credit limits
Credit Notes | Invoicing (A/R)
Purchase Order | Vendor Master
Purchase Order | Invoice entry (A/P)
Vendor Master | Purchase Order
Vendor Master | Credit Notes
Invoice entry (A/P) | Bank Payments
Reactive SoD
Aim: Accurately assess existing security for remediation. Reduce audit time and cost. Build case for restructuring security.
‘Reactive’ SoD
• Roles (High-Level)
• Permission List (Process)
• Components (In-depth Audit)
Reporting directly on existing security
Top 10 Rules
• Creating a journal entry and opening a closed accounting period
• Maintaining accounts receivable master data and posting receipts
• Depositing cash and reconciling bank statements
• Completing goods transfer and adjusting physical inventory counts
• Approving time cards and distributing paychecks
• Preparing an order and changing a billing document
• Changing an order and creating a delivery
• Creating a journal entry and opening a closed accounting period
• Creating general ledger accounts and posting journal entries
• Maintaining bank account information and posting payments
• Maintaining assets and creating a goods receipt
Creation of SoD Rules
• Role level
  – Create matrix of all active system roles
  – Identify all roles that should not be linked to the same user
    • Such as purchasing and payments
• Permission List / Business Process level
  – Include Application security & processing options
  – Add to / modify as needed
• Component / Program level
  – Add in any custom or modified processing
  – If creating your own rules
    • Start with most important controls & gradually add to them
SoD Logic
• AND/OR Logic
  – Applied to rules at the component and permission list level.
  – The user is either in conflict with all the items in a rule (AND logic), or
  – The user is in conflict with at least two items in the rule (OR logic).
Example – AND Logic: Rule 1: Sales Order Entry AND Purchase Order AND Bank Payments
Example – OR Logic: Rule 1: Sales Order Entry AND Purchase Order OR Bank Payments
Result: Extreme Flexibility and Maximum Benefit to customers!
Mitigation – The Issues
• Current Economic Climate
  – Many redundancies equate to fewer people doing more.
  – Major requirement from Audit to allow remediation where a user is considered a risk.
  – SOX requires that during an audit all risks must at least be visible and understood by the business.
  – With this comes risk assessment and documentation.
• Seasonal Changes
  – Staff holidays or time away from the office require that other users be able to perform these additional duties.
Mitigation Solutions
• Ability to mitigate users once a validation has occurred.
• Details of mitigation, including notes, get added to a mitigation table.
• The user gets checked during the next validation but is not added to the violations table.
• Ability to time out mitigations, i.e. allowing for staff who are on holiday, etc.
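Added example, not part of the original presentation and not Smart SoD code: a small Python model of the AND/OR rule logic from the SoD Logic slide combined with the timed mitigation table from the Mitigation Solutions slide. The class names, user names, rule names, dates and mitigation note are constructed for illustration; only the three rule items come from the slides.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Rule:
    name: str
    items: frozenset   # components / permission lists that must be segregated
    logic: str         # "AND" or "OR", as defined on the SoD Logic slide

    def conflict(self, access):
        held = self.items & frozenset(access)
        if self.logic == "AND":            # in conflict with all items
            return held if held == self.items else frozenset()
        return held if len(held) >= 2 else frozenset()   # OR: at least two items

@dataclass(frozen=True)
class Mitigation:
    user: str
    rule: str
    note: str
    expires: date      # timed mitigation, e.g. holiday cover

def validate(rules, access_by_user, mitigations, today):
    """Return (violations, mitigated). Mitigated users are still checked on
    every run but are reported separately until the mitigation times out."""
    active = {(m.user, m.rule) for m in mitigations if m.expires >= today}
    violations, mitigated = [], []
    for user in sorted(access_by_user):
        for rule in rules:
            held = rule.conflict(access_by_user[user])
            if held:
                row = (user, rule.name, sorted(held))
                (mitigated if (user, rule.name) in active else violations).append(row)
    return violations, mitigated

# Constructed sample data; rule items come from the slide's Rule 1 example.
ITEMS = frozenset({"Sales Order Entry", "Purchase Order", "Bank Payments"})
RULES = [Rule("R1-AND", ITEMS, "AND"), Rule("R1-OR", ITEMS, "OR")]
ACCESS = {
    "alice": {"Sales Order Entry", "Purchase Order", "Bank Payments"},
    "bob": {"Sales Order Entry", "Bank Payments"},
    "carol": {"Purchase Order"},
}
MITIGATIONS = [Mitigation("bob", "R1-OR", "covering A/P during leave", date(2011, 3, 15))]

if __name__ == "__main__":
    for day in (date(2011, 3, 1), date(2011, 4, 1)):   # before / after time-out
        print(day, validate(RULES, ACCESS, MITIGATIONS, day))
```

Running the validation after the mitigation's expiry date moves the same user back into the violations list, which is the behaviour an auditor should expect from a timed exception.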
Smart ERP Solutions, Inc.
• Comprised of the best former developers, architects and executives from PeopleSoft/Oracle
• Providing cost-effective, robust and repeatable “Smart Solutions” for PeopleSoft applications
• Unique best practices and expertise in PeopleSoft strategic planning, Smart implementation and upgrade services
KEY DIFFERENTIATOR − OUR SMARTADVANTAGE
Rather than assigning teams of consultants to projects, we apply our pre-built, proven solutions to efficiently address those efforts common to any PeopleSoft project, thus saving time, reducing costs, minimizing risks and lowering total cost of ownership by avoiding costly, difficult-to-maintain customizations.
SmartERP: Our Philosophy
Solutions
• Enhance and Extend Standard PeopleSoft Functionality to Meet Business Needs
  – 3Cs: Common, Critical, Complementary
• Repeatable, Pre-Packaged, Highly-Configurable and Innovative Solutions
• Release Independence
• Customer-Driven Requirements
• Architected and Designed as Add-On Solutions
• Lower Total Cost of Ownership
  – Minimal to No Customizations
  – Minimal Upgrade Impact
• Affordable and Cost-Effective
SmartERP: Our Solutions
Business Requirements | Smart Solutions
Row level security on any data that requires limited or authorized access | Smart Security
Define, manage and enforce segregation of duties for various roles within an organization to adhere to compliance requirements | Smart SoD
Robust workflow approval capabilities across any business transaction or documents across your Enterprise | Smart Workflow
Streamlined and easy-to-use data entry pages configured to meet your specific business process requirements, incl. industry reqmts; easily add features anywhere such as Save as Draft, Copy from Templates, Attachments, Configurable Print, Collaborative Comments, Workflow, User Help, Business Process View | Smart Docs including ERP Gadget
Configuring and tailoring business processes to meet your organization’s specific processes, including defining step-by-step actions for each process and managing your users through your organization’s specific business process | Smart Enterprise BPM
One-stop visibility into the full business process lifecycle of a transaction | Smart Lifecycle Viewer
Addressing additional compliance requirements not in standard PeopleSoft: I-9/W-4 Form, 1042 Foreign National Requirements | Smart Compliance
Manageable solutions for complex integration needs | Smart Integration Packs
Other Common, Critical and Complementary business requirements | Tell us, we’ll build it!
Smart SoD Summary
• Developed expressly for PeopleSoft by SmartERP in cooperation with Q Software
• Uniquely integrated within your current PeopleSoft
• Powerful Proactive, Reactive and Mitigation features
• Built-in Smart SoD™ Analytics/Reporting/Dashboards
• Use delivered SoD rules or easily create your own
Value Statement
Segregation of Duties is an important element of your overall PeopleSoft security and risk management.
Key Features of Smart SoD can help you maintain legislative compliance (SoX), meet audit requirements and reduce the likelihood and impacts of fraud and errors.
• Expressly designed for your current PeopleSoft
• Powerful Proactive, Reactive and Mitigation Features
• Automated Workflow Approvals
• Reporting/Dashboards facilitate audits and compliance
• Use pre-packaged built-in SoD rules or easily create your own
• Add-on Architecture Lowers Total Cost of Ownership
  – Seamless Integration
  – Utilize Best Practices
  – Maintenance and Upgrades