Presentation by Smart ERP Solutions on Smart SoD, an add-on software solution providing effective Segregation of Duties for PeopleSoft applications. For webinar playback see also http://www.smarterp.com/media/Webinar-SoD.html
Effective Segregation of Duties for PeopleSoft 2011-02-23
1. Effective Segregation of Duties for PeopleSoft
SmartERP: Doris Wong, CEO; Dan White, VP of Product Strategy
Q Software: Lewis Hopkins, Product Manager
February 23, 2011
Webinar Recordings available at smarterp.com/webinars
Our webinar will begin shortly. Please note all phone lines and computer microphones will
be placed on mute throughout the presentation. Please use the GoToWebinar QUESTION
feature to ask questions.
2. Welcome & Introductions
Doris Wong
CEO, Smart ERP Solutions, Inc.
Former Oracle Group VP and GM for PeopleSoft Enterprise
Over 15 Years Experience with PeopleSoft
Dan White
VP, Product Strategy, Smart ERP Solutions, Inc.
Former Oracle/PeopleSoft Functional Architect
Over 12 Years Experience with PeopleSoft
Lewis Hopkins
Product Manager, Q Software, Ltd.
Over 10 years' experience in risk management, governance and compliance security for ERP applications
3. Agenda
• “Effective” Segregation of Duties (SoD)
• About Smart ERP Solutions, Inc.
• Smart SoD™: Effective SoD for PeopleSoft
• Demo
• Summary and Q & A
7. Characteristics/Benefits of Effective SoD
• Built-in model enables SoD enforcement
– Violations checked BEFORE go-live
– Your decision to enforce rules or allow violations
• Saves time (= money)
– Easy set-up
– Easy testing for violations
– Quick and easy reporting
– Reduces number of compensating controls required
– Reduces auditing effort / costs
• Reduces risk
– Enforcing and reporting SoD violations reduces the opportunity for fraud
8. SoD – The Issues
• Nothing in PeopleSoft
– Any release
• Use a Spreadsheet?
• How do you…
– Ensure the actual access control mirrors the spreadsheet?
– Right people access the right data?
– Manage change control problems?
– Assess impact of changes?
– Manage enforcement of SoD?
9. Proactive SoD
Aim:
Prevent SoD Violations occurring during security Assignment.
Ensure Security Policy is enforced long term.
10. ‘Proactive’ SoD
[Diagram: an A/P “Super” Voucher Clerk role built from (1) AP Voucher clerk, (2) Secondary role 2 and (3) Secondary role 3 is passed through the SoD check; the outcome is either OK or a count of violations (6 violations in the example).]
Build a security change (role assignment or security) without affecting live security.
Extract from pre-populated model:

Segregate this task:     From this task:
Sales Order Entry        Purchase Order
Vendor Master            Bank Payments
Sales Pricing            Sales Order Entry
Purchase Order           Goods Receipt
Customer Master          Sales Order Entry
Sales Order Entry        Credit limits
Credit Notes             Invoicing (A/R)
Purchase Order           Vendor Master
Purchase Order           Invoice entry (A/P)
Vendor Master            Purchase Order
Vendor Master            Credit Notes
Invoice entry (A/P)      Bank Payments
11. Reactive SoD
Aim:
Accurately assess existing security for remediation.
Reduce Audit time and cost.
Build case for restructuring security.
12. ‘Reactive’ SoD
Reporting directly on existing security, at three levels:
– Roles (high-level)
– Permission Lists (process)
– Components (in-depth audit)
13. Top 10 Rules
• Creating a journal entry and opening a closed accounting period
• Maintaining accounts receivable master data and posting receipts
• Depositing cash and reconciling bank statements
• Completing goods transfer and adjusting physical inventory counts
• Approving time cards and distributing paychecks
• Preparing an order and changing a billing document
• Changing an order and creating a delivery
• Creating general ledger accounts and posting journal entries
• Maintaining bank account information and posting payments
• Maintaining assets and creating a goods receipt
14. Creation of SoD Rules
• Role level
– Create matrix of all active system roles
– Identify all roles that should not be linked to the same user
• Such as purchasing and payments
• Permission List / Business Process level
– Include Application security & processing options
– Add to / modify as needed
• Component / Program level
– Add in any custom or modified processing
– If creating your own rules
• Start with most important controls & gradually add to them
15. SoD Logic
• AND/OR Logic
– Applied to rules at the component and permission list level.
– AND logic: the user is in conflict only if they hold all the items in the rule.
– OR logic: the user is in conflict if they hold at least two of the items in the rule.
Example – AND Logic:
Rule 1: Sales Order Entry AND Purchase Order AND Bank Payments
Example – OR Logic:
Rule 1: Sales Order Entry AND Purchase Order OR Bank Payments
Result: Extreme Flexibility and Maximum Benefit to customers!
16. Mitigation – The Issues
• Current Economic Climate
– Many redundancies mean fewer people doing more.
– Major requirement from Audit to allow remediation where a user is considered a risk.
– SOX requires that during an audit all risks must at least be visible to and understood by the business.
– With this comes risk assessment and documentation.
• Seasonal Changes
– Staff holidays or time away from the office require other users to be able to perform these additional duties.
17. Mitigation Solutions
• Ability to mitigate users once a validation has occurred.
• Details of the mitigation, including notes, are added to a mitigation table.
• The user is still checked during the next validation but is not added to the violations table.
• Ability to time out mitigations, e.g. allowing for staff who are on holiday.
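The following is an added worked example, not Smart SoD's or Q Software's code, that ties together slides 10, 14, 15 and 17: it flattens a PeopleSoft-style hierarchy (user → roles → permission lists → components) into the components a user can actually reach, evaluates conflict rules with the AND logic (all items held) and OR logic (any two items held) defined on slide 15, runs both the proactive check of a proposed profile and the reactive mass check of existing security, and honours mitigations that time out. All role, permission list, component and user names are placeholders constructed for this example, not real PeopleSoft object names.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Sequence, Set

# Constructed sample security hierarchy: role -> permission lists -> components.
# Every name here is a placeholder invented for this example.
ROLE_PERMISSION_LISTS: Dict[str, List[str]] = {
    "AP_VOUCHER_CLERK": ["PL_AP_VOUCHER"],
    "AP_PAYMENT_CLERK": ["PL_AP_PAYMENT"],
    "PO_BUYER": ["PL_PURCHASING"],
    "SALES_CLERK": ["PL_SALES"],
}
PERMISSION_LIST_COMPONENTS: Dict[str, Set[str]] = {
    "PL_AP_VOUCHER": {"INVOICE_ENTRY_AP"},
    "PL_AP_PAYMENT": {"BANK_PAYMENTS"},
    "PL_PURCHASING": {"PURCHASE_ORDER", "VENDOR_MASTER"},
    "PL_SALES": {"SALES_ORDER_ENTRY"},
}


@dataclass(frozen=True)
class Rule:
    """A conflict rule over components, with the AND/OR semantics of slide 15."""
    name: str
    items: Sequence[str]  # tasks that must be segregated
    logic: str            # "AND": all items held -> violation; "OR": any two held -> violation

    def violated_by(self, components: Set[str]) -> bool:
        held = [c for c in self.items if c in components]
        if self.logic == "AND":
            return len(held) == len(self.items)
        return len(held) >= 2


@dataclass(frozen=True)
class Mitigation:
    """An accepted violation with its audit note; expires=None means open-ended."""
    user: str
    rule: str
    note: str
    expires: Optional[date] = None


def effective_components(roles: Iterable[str]) -> Set[str]:
    """Flatten role assignments down to the components they grant."""
    comps: Set[str] = set()
    for role in roles:
        for pl in ROLE_PERMISSION_LISTS.get(role, []):
            comps |= PERMISSION_LIST_COMPONENTS.get(pl, set())
    return comps


def check_roles(roles: Iterable[str], rules: Sequence[Rule]) -> List[str]:
    """Proactive check: rules a profile with these roles would violate, before go-live."""
    comps = effective_components(roles)
    return [r.name for r in rules if r.violated_by(comps)]


def is_mitigated(user: str, rule: str, mitigations: Iterable[Mitigation], today: date) -> bool:
    """A mitigation counts only while it has not timed out."""
    return any(m.user == user and m.rule == rule and (m.expires is None or today <= m.expires)
               for m in mitigations)


def mass_check(user_roles: Dict[str, List[str]], rules: Sequence[Rule],
               mitigations: Iterable[Mitigation] = (),
               today: Optional[date] = None) -> Dict[str, List[str]]:
    """Reactive check over existing security; mitigated users are re-checked but not reported."""
    today = today or date.today()
    mitigations = list(mitigations)
    report: Dict[str, List[str]] = {}
    for user, roles in user_roles.items():
        hits = [r for r in check_roles(roles, rules) if not is_mitigated(user, r, mitigations, today)]
        if hits:
            report[user] = hits
    return report


# Rules modelled on the slide examples (component names are this example's placeholders).
RULES = [
    Rule("AP_INVOICE_VS_PAYMENT", ("INVOICE_ENTRY_AP", "BANK_PAYMENTS"), "AND"),
    Rule("ORDER_PO_PAYMENT", ("SALES_ORDER_ENTRY", "PURCHASE_ORDER", "BANK_PAYMENTS"), "OR"),
    Rule("VENDOR_VS_PAYMENT", ("VENDOR_MASTER", "BANK_PAYMENTS"), "AND"),
]

# Constructed user population and one time-limited mitigation (holiday cover).
USERS = {
    "alice": ["AP_VOUCHER_CLERK"],
    "bob": ["AP_VOUCHER_CLERK", "AP_PAYMENT_CLERK"],
    "carol": ["PO_BUYER", "SALES_CLERK"],
}
MITIGATIONS = [
    Mitigation("bob", "AP_INVOICE_VS_PAYMENT", "Covering payments while clerk on leave", date(2011, 3, 15)),
]


def report_as_of(iso_day: str) -> Dict[str, List[str]]:
    """Run the reactive mass check as of a given day (ISO date string)."""
    return mass_check(USERS, RULES, MITIGATIONS, today=date.fromisoformat(iso_day))


if __name__ == "__main__":
    print("proactive:", check_roles(["AP_VOUCHER_CLERK", "PO_BUYER", "AP_PAYMENT_CLERK"], RULES))
    print("reactive 2011-03-01:", report_as_of("2011-03-01"))  # bob's mitigation still active
    print("reactive 2011-04-01:", report_as_of("2011-04-01"))  # mitigation has timed out
```

The proactive call validates a proposed "super" profile before it is saved, which is the slide 10 flow; the two reactive calls show the same population reported with and without bob's mitigation in force, so a mitigation that has timed out surfaces again on the next validation rather than silently persisting.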
19. Smart ERP Solutions, Inc.
Comprised of the best former developers, architects and
executives from PeopleSoft/Oracle
Providing cost-effective, robust and repeatable “Smart Solutions”
for PeopleSoft applications
Unique best practices and expertise in PeopleSoft strategic
planning, Smart implementation and upgrade services
KEY DIFFERENTIATOR: OUR SMARTADVANTAGE
Rather than assigning teams of consultants to projects we apply our
pre-built, proven solutions to efficiently address those efforts
common to any PeopleSoft project thus saving time, reducing
costs, minimizing risks and lowering total cost of ownership by
avoiding costly difficult-to-maintain customizations.
20. SmartERP: Our Philosophy
Solutions
• Enhance and Extend Standard PeopleSoft Functionality
to Meet Business Needs
– 3Cs : Common, Critical, Complementary
• Repeatable, Pre-Packaged, Highly-Configurable and
Innovative Solutions
• Release Independence
• Customer-Driven Requirements
• Architected and Designed as Add-On Solutions
• Lower Total Cost of Ownership
– Minimal to No Customizations
– Minimal Upgrade Impact
• Affordable and Cost-Effective
21. SmartERP: Our Solutions
Business Requirement | Smart Solution
Row level security on any data that requires limited or authorized access | Smart Security
Define, manage and enforce segregation of duties for various roles within an organization to adhere to compliance requirements | Smart SoD
Robust workflow approval capabilities across any business transaction or document across your Enterprise | Smart Workflow
Streamlined and easy-to-use data entry pages configured to meet your specific business process requirements, incl. industry requirements; easily add features anywhere such as Save as Draft, Copy from Templates, Attachments, Configurable Print, Collaborative Comments, Workflow, User Help, Business Process View | Smart Docs (including ERP Gadget)
Configuring and tailoring business processes to meet your organization's specific processes, including defining step-by-step actions for each process and managing your users through your organization's specific business process | Smart Enterprise BPM
One-stop visibility into the full business process lifecycle of a transaction | Smart Lifecycle Viewer
Addressing additional compliance requirements not in standard PeopleSoft: I-9/W-4 Form, 1042 Foreign National Requirements | Smart Compliance
Manageable solutions for complex integration needs | Smart Integration Packs
Other Common, Critical and Complementary business requirements | Tell us, we'll build it!
23. Smart SoD Summary
• Developed expressly for PeopleSoft by SmartERP in cooperation with Q Software
• Uniquely integrated within your current PeopleSoft
• Powerful Proactive, Reactive and Mitigation features
• Built-in Analytics/Reporting/Dashboards
• Use delivered SoD rules or easily create your own
25. Smart SoD Demo Scenario
• SoD Model and Rules
• Reactive: Mass check for user violations
• Proactive: Validate new user profile against established SoD rules
• Dashboard/Analytics
27. Value Statement
Segregation of Duties is an important element of your overall PeopleSoft security and risk management.
Key features of Smart SoD can help you maintain legislative compliance (SOX), meet audit requirements and reduce the likelihood and impact of fraud and errors:
• Expressly designed for your current PeopleSoft
• Powerful Proactive, Reactive and Mitigation Features
• Automated Workflow Approvals
• Reporting/Dashboards facilitate audits and compliance
• Use pre-packaged built-in SoD rules or easily create your own
• Add-on Architecture Lowers Total Cost of Ownership
– Seamless Integration
– Utilize Best Practices
– Maintenance and Upgrades