“What is the ideal frequency for conducting segregation of duties analysis?”
This question is very often raised by our clients, but there is no definitive answer. Actually, it depends on each organization’s unique situation.
In the past, auditors used to perform this analysis for their clients on a quarterly basis. They would then inform the customers about any identified issues, which they would subsequently address to achieve segregation of duties compliance by the end of the fiscal year.
However, with the advent of next-generation segregation of duties solutions, organizations now have full control over their data, eliminating the need to involve third parties like auditors or consultants for analysis.
What is the right frequency?
In today’s dynamic business environment, conducting segregation of duties analysis once a year or even once a quarter is no longer sufficient. The constant changes and the large number of users in systems make quarterly analyses ineffective. Additionally, the agility of modern businesses means that roles are no longer static, and changes can impact the segregation of duties.
With the increasing cyber and insider threats today, it is crucial for organizations to run segregation of duties analyses very often. The frequency of analysis should align with the pace of organizational changes, including technology factors like patches, configuration changes, deployment updates, and user provisioning.
For large complex organizations with frequent changes, running the analysis daily is advisable. Medium-sized companies with a moderate amount of changes can perform weekly analyses, while smaller companies with minimal or no changes can opt for a quarterly frequency.
How can you be more proactive and manage the risks?
1Trooper’s SoD management tool can help you proactively manage risks. Our ingenious tool facilitates the segregation of access to multiple accounts, applications, and systems. It automates the entire SoD management process, effectively mitigating fraud and errors in financial transactions. By analyzing each account’s access, it identifies and reports financial risks across roles and suggests ways to address the issues. Additionally, it anticipates risks related to user activities and shifts in responsibilities, resolving conflicts automatically.
