Governance, Risk and Compliance
Bart Dahlstrom [email protected]
Radar, Spreadsheets, Transistor radios, WWW, Human Genome Project, GPS
Segregation of Duties

Old Approach (High Risk): Employee 1 and Employee 2 receive Check Creation and Vendor Creation access directly.
• Vague system for requesting access
• No access reports for managers
• Employees retained access after transfers
• Access determined arbitrarily

New Approach (Lower Risk): Check Creation and Vendor Creation are packaged as Job Role 1 and Job Role 2, which are then assigned to Employee 1 and Employee 2.
• Access and risks defined, documented, and monitored
• Defined process for modifying access
• Defined roles for access ownership and risk ownership
• Mitigation reports
Roles

Finance Expert, IT support, Finance Job, IT display, Non-finance Job, Common

Risk → Confirm → Segregate or Mitigate
Role redesign process

SOD Analysis / Role Redesign → Mitigate → Role build → Test → Document → Deploy
Responsibilities

Role Owner = Business Owner
– Define role content
– Define user role access
– Approve user role access

Risk Owner = Manager of Business Owner
– Identify and define high risk access and SOD risks
– Define mitigation controls for SOD conflicts
– Collaborate with Internal Controls and Audit to ensure compliance
– Collaborate with Security Team to minimize risk in roles
– Review and approve or reject risks associated with roles and users
– Perform periodic review of risks and mitigation control
Segregation of Duty

SOD: SAP Risk F001 – Maintain fictitious GL account & hide activity via postings

Risk F001 = Function GL01 + Function GL02

Function GL01: F.56 F.57 F-02 FB01 FB08 FB09 FB50 FBRA FBU8 FBV0 … (66 total)

Function GL02: FS00 FS01 FS02 FSP0 FSP1 FSP2 FSS1 FSS2 GJ83 GJ85 … (319 total)
Custom transactions

ZJVA, ZJVP, ZJVV = FB50
ZJVX = FB01
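The two slides above (risk F001 as GL01 + GL02, and custom Z-transactions that perform the same function as a standard transaction) as a small SoD check. This is an added example, not code from the deck or from SAP GRC; the function sets are the partial lists shown on the slide, and the user assignments are constructed.

```python
# Added example: a minimal SoD analysis for SAP risk F001 built from the slide's
# function/transaction lists. GL01 and GL02 below are the partial lists shown on
# the slide (the full rule set has 66 and 319 codes); assignments are constructed.

GL01 = {"F.56", "F.57", "F-02", "FB01", "FB08", "FB09", "FB50", "FBRA", "FBU8", "FBV0"}
GL02 = {"FS00", "FS01", "FS02", "FSP0", "FSP1", "FSP2", "FSS1", "FSS2", "GJ83", "GJ85"}
FUNCTIONS = {"GL01": GL01, "GL02": GL02}

# Risk F001 = GL01 + GL02: one user can maintain a fictitious GL account and hide it via postings.
RISKS = {"F001": ("GL01", "GL02")}

# Custom transactions mapped to the standard transaction whose function they perform.
CUSTOM_TO_STANDARD = {"ZJVA": "FB50", "ZJVP": "FB50", "ZJVV": "FB50", "ZJVX": "FB01"}


def normalize(tcodes):
    """Replace custom transactions with their standard equivalent so the rule set sees them."""
    return {CUSTOM_TO_STANDARD.get(t, t) for t in tcodes}


def find_sod_violations(assignments, map_custom=True):
    """Return {user: {risk_id: (hits_in_first_function, hits_in_second_function)}}.

    A user violates a risk when they hold at least one transaction from each of the
    risk's two functions. With map_custom=False the Z-transactions are left as-is,
    which is exactly how an unmaintained rule set misses the conflict.
    """
    violations = {}
    for user, tcodes in assignments.items():
        held = normalize(tcodes) if map_custom else set(tcodes)
        for risk_id, (f1, f2) in RISKS.items():
            hits1, hits2 = sorted(held & FUNCTIONS[f1]), sorted(held & FUNCTIONS[f2])
            if hits1 and hits2:
                violations.setdefault(user, {})[risk_id] = (hits1, hits2)
    return violations


# Constructed sample assignments (user -> transaction codes).
SAMPLE_ASSIGNMENTS = {
    "alice": {"FB50", "FS00"},   # direct conflict on standard transactions
    "bob":   {"ZJVX", "FSP0"},   # conflict hidden behind custom ZJVX (= FB01)
    "carol": {"FB01", "FB50"},   # postings only, no GL master maintenance
}

if __name__ == "__main__":
    for user, risks in find_sod_violations(SAMPLE_ASSIGNMENTS).items():
        for risk_id, (h1, h2) in risks.items():
            print(f"{user}: risk {risk_id} via {h1} + {h2}")
```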
Mitigation

Risk
• Create vendor and initiate payment
• Assigned to Accounts Payable Manager role

Mitigation
• Report – vendor changes and invoices posted by same user
• Execute at least monthly
• Review by manager who does not have vendor master access
• Quarterly management review
• Annual audit review
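The mitigating control on this slide as a detective report: vendor master changes and invoice postings by the same user, plus the reviewer-independence check. This is an added example, not the deck's or SAP's code; the change log, invoice postings and vendor master user set are all constructed sample data.

```python
# Added example: the slide's mitigating control as code. All records are constructed.
from collections import defaultdict
from datetime import date

# Constructed vendor master change log: (user, vendor, change_date)
VENDOR_CHANGES = [
    ("dave", "V1001", date(2024, 3, 4)),
    ("erin", "V2002", date(2024, 3, 6)),
    ("dave", "V1003", date(2024, 3, 20)),
]
# Constructed invoice postings: (user, vendor, posting_date, amount)
INVOICES = [
    ("dave", "V1001", date(2024, 3, 5), 12500.00),
    ("frank", "V2002", date(2024, 3, 7), 800.00),
    ("dave", "V1003", date(2024, 3, 21), 9900.00),
    ("dave", "V3005", date(2024, 3, 22), 150.00),   # no matching vendor change
]
# Constructed set of users holding vendor master (create/change) access.
VENDOR_MASTER_USERS = {"dave", "erin"}


def same_user_report(changes, invoices):
    """Rows where one user both changed a vendor record and posted an invoice to that vendor.

    Returns {user: [(vendor, change_date, posting_date, amount), ...]}, rows sorted.
    """
    changed = defaultdict(set)
    for user, vendor, d in changes:
        changed[user].add((vendor, d))
    report = defaultdict(list)
    for user, vendor, d, amount in invoices:
        for changed_vendor, change_date in changed.get(user, ()):
            if changed_vendor == vendor:
                report[user].append((vendor, change_date, d, amount))
    return {u: sorted(rows) for u, rows in report.items()}


def independent_reviewer(reviewer, vendor_master_users):
    """The control requires a reviewer without vendor master access."""
    return reviewer not in vendor_master_users


if __name__ == "__main__":
    for user, rows in same_user_report(VENDOR_CHANGES, INVOICES).items():
        for vendor, change_date, posting_date, amount in rows:
            print(f"{user}: changed {vendor} on {change_date}, posted {amount:.2f} on {posting_date}")
    print("grace may review:", independent_reviewer("grace", VENDOR_MASTER_USERS))
```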
GRC Reporting & Analysis
Thank You!