Today, the world is online and while this is great in making communication easier and data access open, it also comes with a set of risks. As a result, governments all over the globe have made security and compliance requirements stringent. While these requirements pose a challenge to companies across the world, there are, fortunately, solutions (such as STAEDEAN's Data Security Solution for Dynamics 365 Finance & Supply Chain Management) that can help.
Before we dive into the solution aspect of security and compliance, let us take a look at what you need to do and the three stages of preparation. As per AICPA, the Segregation of Duties or SoD is the basic building block of sustainable risk management and internal controls of a business. The principle of SoD is based on shared responsibilities of a critical process that disperses the critical functions of that process to more than one person or department. Without this separation in critical processes, fraud, and error risks are far less manageable.
The primary purpose to apply segregation of duties is to prevent the instances and opportunities for committing and concealment of fraud and/or error in the normal course of an organization’s activities, since having more than one person to perform a task minimizes the opportunity of wrongdoing and increases the chances to detect it, as well as to detect unintentional errors.
The three stages of this process include:
- Define and list down organization risks
- Continuous audit and compliance
- Best practices to Implement SoD
In stage one, we will look at the process to define and list down organization risks:
Define and list risks: Even if your organization is not pursuing a specific regulatory compliance objective like SOX, ISO, or GDPR, we recommend that you create a list of applicable SoD conflicts that are vulnerable to fraud or cause significant security or financial risks. You can achieve this by revisiting the organization's GRC objectives along with the organization's structure. The final result in this phase is to determine potentially risky ERP transactions and categorize them as either high, medium, or low severity.
Finetune the SoD rules: Your solution can help you arrive at the final set of SoD based on a set of rules, internal key controls, and risks identified and mark them as ‘severity,’ ‘risks,’ and ‘mitigation’ for each record. The head of finance, internal and external auditors, and the head of IT should be a part of the team that puts together this list.
Analyze risks: In this stage, you need to analyze the threats against the rule set to identify conflicts. You should highlight conflicts and escalate the same with recommendations to the appropriate department, such as internal controls or finance. You may need to further interact with the business to identify a suitable solution to eliminate risk.
Use the role-based access control to finalize security roles: You will need to review the security model to implement the necessary changes to either a conflicting role or role assignment. Risk assessment can help you redefine and recreate many standard security roles. Your solution can also help create new, modify, or merge multiple functions as required by the organization structure. You can also identify ways to segregate duties in a business process within various functional areas and departments.
Mitigate security risks: It may not always be possible to strictly go by the SoD ruleset due to business setup, low employee count, and other organizational constraints; then, the best practice is to have in place an appropriate control to mitigate the risk. You need to look for a solution that can provide you with a predefined list of ‘SoD’ rulesets designed to exclude transactions to the same role that can cause fraud. These are also of great help for organizations pursuing specific compliance requirements like SOX.
As you can see, security and compliance is an essential requirement for your company’s reputation and continued growth. At STAEDEAN, we understand your needs in this aspect. Our Data Security Solution can help you manage role-based security, achieve flexible Segregation of Duties (SoD), simplify auditing processes, govern your master data, and prepare for ongoing changes to regulatory requirements effortlessly, while safeguarding your master data integrity in Dynamics 365 F&SCM.
To learn more, we recommend downloading our solution factsheet from the link shared below.
Eric Van Hofwegen
