Automating PeopleSoft Segregation of Duties: HCM and Financials
1. Automating PeopleSoft Segregation of Duties: HCM and Financials
PRESENTER:
Kirk Chan, Smart ERP Solutions, Inc.
NOTE: phones/mics are muted. Please submit any
questions using the GoToMeeting QUESTION feature
4. Segregation of Duties
Segregation of duties (SoD), or separation of duties, is the
concept of having more than one person required to complete a
task.
To help prevent fraud and error, no one individual should:
• Initiate a transaction
• Approve a transaction
• Record a transaction
• Reconcile balances
• Handle assets
5. What is Segregation of Duties
• No single individual should have control over two or more phases of a transaction or operation…
• No one individual employee can complete a significant business transaction in its entirety…
Examples of Segregation of Duties
• Those responsible for physical receipt of goods should not be responsible for paying for the goods.
• Those responsible for custody of goods should not be responsible for maintaining the records of the assets.
• Those responsible for collection of receivables should not be responsible for entries in the book of accounts.
6. What Duties Should be Segregated?
Purchase an Item: PO Initiator, PO Approver, PO Receiver
• Financial Duties
– Requisition Initiator
– Requisition Approver
– P.O. Initiator
– P.O. Approver
9. Key Functionality for Automating SoD
• Configurable Data Security
You can employ fine-grained row level security via easy to use configuration options, to secure by any
field, in any application in PeopleSoft.
• Flexible Segregation of Duties
Create policies for multiple SoD models and structure simple or complex SoD rules. You can apply
different models to reflect the different needs of each part of your business.
• Mitigation
Mitigation allows you to cater to temporary or long-term situations where certain users may be
authorized to “violate” your Segregation of Duties policy. This enables you to document such situations
in preparation for your audit. You can then exclude mitigated users from your reports to avoid wasted
effort during the audit.
• Detective Mode
Report of SoD violations at the Component, Permissions List and Role Level.
• Preventative Mode
Enforce SoD by validating security before user access.
• Cater to seasonality
Specify “from” and “to” dates to allow temporary seasonal variations to your normal business control
requirements. This approach creates a very strong Return on Investment during the results analysis
phase by allowing a simplified or highly granular approach to SoD analysis.
• Context based security
Allows different security attributes for specific pages. For example, you can allow a user to only view his
own department on an expense reimbursement, while allowing him to access all departments when
entering a journal.
10. Benefits of Automation with Effective SoD
• Allows you to build robust, proactive, manageable controls
into your live system
• Prevents SoD violations
• Greatly reduces the time needed to manage SoD controls
and achieve SOX compliance
• Reduces the workload needed to prepare for your audits
and clean up afterwards
• Provides the evidence of controls that auditors demand,
reducing the time taken to complete the audit
• Affordable by organizations of all sizes
11. Top 10 Financials SoD Rules
• Creating a journal entry and opening a closed accounting period
• Maintaining accounts receivable master data and posting receipts
• Depositing cash and reconciling bank statements
• Completing goods transfer and adjusting physical inventory counts
• Approving time cards and distributing pay checks
• Preparing an order and changing a billing document
• Changing an order and creating a delivery
• Creating general ledger accounts and posting journal entries
• Maintaining bank account information and posting payments
• Maintaining assets and creating a goods receipt
15. Characteristics/Benefits of Effective SoD
• Built-in model enables SoD enforcement
– Violations checked BEFORE go-live
– Your decision to enforce rules or allow violations
• Saves time (= money)
– Easy set-up
– Easy testing for violations
– Quick and easy reporting
– Reduces number of compensating controls required
– Reduces auditing effort / costs
• Reduces risk
– Enforcing and reporting SoD violations reduces
opportunity for fraud
16. SoD – The Issues
• Nothing in PeopleSoft
– Any release
• Do you use a spreadsheet?
• How do you…
– Ensure the actual access control mirrors the
spreadsheet?
– Ensure the right people access the right data?
– Manage change control problems?
– Assess impact of changes?
– Manage enforcement of SoD?
17. Proactive SoD
Aim:
Prevent SoD Violations occurring during security Assignment.
Ensure Security Policy is enforced long term.
19. ‘Proactive’ SoD
Change role assignment or security without affecting live security.
[Diagram: two versions of the A/P “Super” Voucher Clerk Role each pass through an SoD Violations Check; the outcomes shown are “OK” and “Violations”.]
• 1. AP Voucher clerk, 2. Secondary role 2, 3. Secondary role 3
• 1. AP Voucher clerk, 2. Secondary role 2, 3. Secondary role 6
[Diagram labels: Extract from pre-populated model; Build Security]
From this task | Segregate this task:
Bank Payments | Invoice entry (A/P)
Credit Notes | Vendor Master
Purchase Order | Vendor Master
Invoice entry (A/P) | Purchase Order
Vendor Master | Purchase Order
Invoicing (A/R) | Credit Notes
Credit limits | Sales Order Entry
Sales Order Entry | Customer Master
Goods Receipt | Purchase Order
Sales Order Entry | Sales Pricing
Bank Payments | Vendor Master
Purchase Order | Sales Order Entry
23. Creation of PeopleSoft SoD Rules
• Role level
– Create matrix of all active system roles
– Identify all roles that should not be linked to the same user
• Such as HR representative and Payroll Admin
• Permission List / Business Process level
– Include Application security & processing options
– Add to / modify as needed
• Component / Program level
– Add in any custom or modified processing
– If creating your own rules
• Start with most important controls & gradually add to them
24. Mitigation – The Issues
• Current Economic Climate
– Many redundancies equate to fewer people doing more.
– Major requirement from Audit to allow remediation
where a user is considered a risk.
– SOX requires that during an audit all risks must at least
be visible and understood by the business.
– With this comes risk assessment and documentation.
• Seasonal Changes
– Staff holidays or time away from office requires other
users be able to perform these additional duties.
25. Mitigation Solutions
• Ability to mitigate users once a validation has occurred.
• Details of mitigation, including notes, get added to a mitigation table.
• The user gets checked during the next validation but is not added to the violations table.
• Ability to time out mitigations, i.e. allowing for staff who are on holiday, etc.
30. Understanding PeopleSoft Security
• The user’s security profile is made up of the assigned roles, the permission lists assigned to those roles and the permission lists assigned directly to the user.
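The role-level and permission-list-level rules, the time-limited mitigation table and the makeup of a security profile described in the slides above can be sketched together as one check. This is an added example, not code from Smart ERP Solutions or PeopleSoft; every role, permission list, user, rule and date in it is constructed for illustration, and it covers both a detective scan and a preventative test of a proposed role.

```python
from datetime import date

# All names and data below are constructed for illustration; none come from PeopleSoft.
ROLE_PERMS = {  # role -> permission lists granted by that role
    "AP_VOUCHER_CLERK": {"PL_INVOICE_ENTRY"},
    "AP_PAYMENTS": {"PL_BANK_PAYMENTS"},
    "VENDOR_ADMIN": {"PL_VENDOR_MASTER"},
}
USERS = {  # user -> assigned roles and directly assigned permission lists
    "asmith": {"roles": {"AP_VOUCHER_CLERK"}, "direct": {"PL_BANK_PAYMENTS"}},
    "bjones": {"roles": {"HR_REP", "PAYROLL_ADMIN"}, "direct": set()},
    "cdoe": {"roles": {"AP_VOUCHER_CLERK"}, "direct": set()},
}
# SoD rules: (level, item A, item B) that one user must not hold together.
RULES = [
    ("perm", "PL_BANK_PAYMENTS", "PL_INVOICE_ENTRY"),
    ("perm", "PL_BANK_PAYMENTS", "PL_VENDOR_MASTER"),
    ("role", "HR_REP", "PAYROLL_ADMIN"),
]
# Mitigations: (user, rule index) -> (from, to, note); honoured only inside the window.
MITIGATIONS = {("bjones", 2): (date(2024, 7, 1), date(2024, 7, 31), "holiday cover")}

def effective_perms(roles, direct):
    """Security profile = permission lists from roles plus directly assigned ones."""
    return set(direct).union(*(ROLE_PERMS.get(r, set()) for r in roles))

def check(user, roles, direct, today):
    """Return (violations, mitigated) rule indexes for one set of roles/permissions."""
    held = {"role": set(roles), "perm": effective_perms(roles, direct)}
    violations, mitigated = [], []
    for i, (level, a, b) in enumerate(RULES):
        if a in held[level] and b in held[level]:
            window = MITIGATIONS.get((user, i))
            if window and window[0] <= today <= window[1]:
                mitigated.append(i)   # still checked, but kept out of violations
            else:
                violations.append(i)  # no mitigation, or the mitigation timed out
    return violations, mitigated

def detect(today):
    """Detective mode: scan every existing user."""
    return {u: check(u, p["roles"], p["direct"], today) for u, p in USERS.items()}

def can_assign(user, new_role, today):
    """Preventative mode: test a proposed role without changing live data."""
    p = USERS[user]
    return not check(user, p["roles"] | {new_role}, p["direct"], today)[0]
```

The `asmith` entry shows why directly assigned permission lists have to be part of the profile: the conflict does not appear in a role-only matrix.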
34. Value Statement
Security and Segregation of Duties is an important element of your
overall PeopleSoft security and risk management
Key Features of an automated solution can help you maintain
legislative compliance (SoX), meet audit requirements and
reduce the likelihood and impacts of fraud and errors
• Expressly designed for your current PeopleSoft
• Powerful Proactive, Reactive and Mitigation Features
• Automated Workflow Approvals
• Reporting/Dashboards facilitate audits and compliance
• Use pre-packaged built-in security and SoD rules or easily
create your own
• Add-on Architecture Lowers Total Cost of Ownership
– Seamless Integration
– Utilize Best Practices
– Maintenance and Upgrades
36. Questions?
Submit your question using the GoToMeeting QUESTION feature (any
remaining questions will be addressed via email after the broadcast)