Getting Clean
So the proliferation of roles, the implementation of numerous software systems, and
the passage of time have all contributed to a very complicated access control
picture. Complexity is the enemy of security and good governance. So how
can you reduce this complexity?
Figuring out where you stand
Analysis is the first step toward righting the ship. Analysis entails bringing IT
and businesspeople to the table and reviewing the roles that exist and their
associated SoD violations. For example, duties are not properly segregated if
a single user can both
Set up a vendor and make a payment
Change an order and complete a goods receipt
Change a receipt and make adjustments to inventory
Automating role analysis is a good idea if you have the tools to do so. This
automation does not replace the meeting of the minds between IT and business,
but it can simplify the process and make it easier to untangle the mess.
Chapter 6: Access Control and the Role of Roles 121
Ten SoD violations you may not have thought of
Most people know that you shouldn't allow the
same person to set up a vendor and cut a
check. But some SoD violations are a little less
obvious. Here are 10 more segregation of duties
violations to get the wheels turning as you
analyze your roles:
Depositing cash and reconciling bank statements
Approving time cards and distributing paychecks
Preparing an order and changing a billing document
Changing an order and creating a delivery
Creating a journal entry and opening a closed accounting period
Creating general ledger accounts and posting journal entries
Maintaining accounts receivable master data and posting receipts
Maintaining bank account information and posting payments
Maintaining assets and creating a goods receipt
Completing goods transfer and adjusting physical inventory counts