Monitoring and Mitigating Risks

Pathlock
November 28, 2016

It wouldn’t be unusual for a large organization to have hundreds of access-risk gaps that must be investigated, assessed, and confirmed as legitimate. Inevitably, you will have a subset of individuals who must have access to a broad range of systems, processes, and transactions to perform key tasks, and that access creates segregation of duties (SoD) violations. For example, an accounts payable clerk might be able to fill in for others when they are on PTO, or might hold that access all the time so transactions keep moving in the event of a backlog. Or a just-in-time (JIT) manufacturer might need open purchase orders (POs) so raw materials can be received at the factory on schedule. If a manager’s approval is missing because of a vacation, operations can suffer, so the company designates alternate approvers, which in turn creates SoD issues. These situations are typically nothing more than a pragmatic willingness to maintain operational efficiency, and in these instances monitoring of the mitigating controls is required.

Application monitoring of risks such as SoD transactions involves correlating transactions to the users who conduct them. Capturing SoD transactions in real time also enables organizations to put compensating controls in place and greatly streamlines audit preparation and reporting. For instance, it helps organizations focus external audit resources on SoD risks that are actually occurring, as opposed to the mere potential to conduct an SoD transaction. An automated solution can quickly and consistently interrogate every transaction of a given user that presents a potential SoD issue, ensuring a consistent review against the same criteria across the organization. What’s more, through tighter definitions of SoD violations, the automated solution eliminates the false positives: the results show only true SoD violations that merit actual investigation.
Since the volume of this activity can be very high, automated controls are necessary to filter thousands or hundreds of thousands of transactional details, correlate the data across each user’s activities, and present it in an easily consumable format. Email notifications can advise process owners about exceptions, and only exceptions, that merit further investigation. The process owner can then conduct the review and documentation online, and the audit team can perform its review online as well. This reduces or eliminates audit travel expenses, since a manual review of hardcopy documentation is no longer necessary.
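The distinction the post draws between a potential SoD conflict (a user holds both sides of a conflicting pair) and an actual SoD transaction (the user executed both sides) is the core of the filtering described above. The following script is an added illustration, not Pathlock’s product code; the rule set, entitlement snapshot, mitigation register, and log lines are all constructed for the example. It applies a tight definition, flagging a violation only when one user performed both conflicting functions on the same business object, attaches any documented compensating control to the exception, and produces the exception-only list a process owner would be notified about.

```python
from collections import defaultdict
from datetime import datetime

# Constructed SoD rule set: each rule names two business functions that a
# single person should not perform against the same business object.
SOD_RULES = {
    "AP-01": ("CREATE_VENDOR", "APPROVE_PAYMENT"),
    "PO-01": ("CREATE_PO", "APPROVE_PO"),
}

# Constructed entitlement snapshot: the functions each user *could* execute.
ENTITLEMENTS = {
    "alice": {"CREATE_VENDOR", "APPROVE_PAYMENT"},
    "bob": {"CREATE_PO", "APPROVE_PO"},
    "carol": {"CREATE_PO"},
}

# Constructed register of documented compensating controls, keyed by
# (user, rule). Here alice is a designated alternate approver.
MITIGATIONS = {("alice", "AP-01"): "MC-17 alternate approver, monthly review"}

# Constructed transaction log: timestamp|user|function|business object
TRANSACTION_LOG = """\
2016-11-01T09:12:00|alice|CREATE_VENDOR|VEND-4411
2016-11-02T14:05:00|alice|APPROVE_PAYMENT|VEND-4411
2016-11-02T15:30:00|alice|APPROVE_PAYMENT|VEND-0007
2016-11-03T10:00:00|bob|CREATE_PO|PO-9001
2016-11-03T10:45:00|carol|CREATE_PO|PO-9002
2016-11-04T08:20:00|bob|APPROVE_PO|PO-9002
"""


def parse_log(text):
    """Yield (timestamp, user, function, object) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        ts, user, func, obj = parts
        yield datetime.fromisoformat(ts), user, func, obj


def correlate(rows):
    """Group executed functions by (user, business object)."""
    activity = defaultdict(lambda: defaultdict(list))
    for ts, user, func, obj in rows:
        activity[(user, obj)][func].append(ts)
    return activity


def analyze(entitlements, log_text, rules, mitigations):
    """Split every entitled conflict into 'actual' (both sides executed on
    one object) or 'potential' (rights held but not exercised together)."""
    activity = correlate(parse_log(log_text))
    report = {"actual": [], "potential": []}
    for user, funcs in entitlements.items():
        for rule_id, (f1, f2) in rules.items():
            if not {f1, f2} <= funcs:
                continue  # user cannot execute both sides: no conflict at all
            hits = sorted(obj for (u, obj), done in activity.items()
                          if u == user and f1 in done and f2 in done)
            if hits:
                report["actual"].append({
                    "user": user, "rule": rule_id, "objects": hits,
                    "mitigation": mitigations.get((user, rule_id)),
                })
            else:
                report["potential"].append({"user": user, "rule": rule_id})
    return report


def exceptions_for_notification(report):
    """Exception-only list: actual violations, each tagged with its
    compensating control or marked as unmitigated for investigation."""
    lines = []
    for v in report["actual"]:
        tag = f"[mitigated: {v['mitigation']}]" if v["mitigation"] else "[UNMITIGATED]"
        lines.append(f"{v['user']} {v['rule']} on {','.join(v['objects'])} {tag}")
    return lines


if __name__ == "__main__":
    rep = analyze(ENTITLEMENTS, TRANSACTION_LOG, SOD_RULES, MITIGATIONS)
    for line in exceptions_for_notification(rep):
        print(line)
    print("potential only:", rep["potential"])
```

On the constructed data, alice created vendor VEND-4411 and approved a payment to it, so she is reported as an actual violation with her documented control attached for review; bob holds both PO rights and exercised each one, but on different purchase orders, so the same-object rule keeps him in the potential list rather than generating a false positive. Loosening the definition to “executed both functions anywhere” is the kind of criterion that produces the noise the post describes.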