Organizations today operate in a challenging business environment. Their workforce is constantly changing, and the business processes that workforce performs are distributed across an increasing number of applications. The average worker today uses over nine applications. Ensuring these workers don’t do anything that could have a negative financial impact on the organization is no easy task.
You can identify which actions pose potential risks by performing a Segregation of Duties (SoD) analysis within and across applications, and you can mitigate risk exposure by limiting user access to only the features and functionality they need to do their job. However, a certain level of access risk is unavoidable – to eradicate it all would limit business productivity. Process controls such as user training and risk owner oversight must be identified, implemented and monitored to mitigate those risks and, to be SOX compliant, the controls must be tested at least periodically to ensure they are effective. Testing controls by sampling user data from one application at a time and manually correlating the data across applications is not only extremely time-consuming, resource-intensive and costly, it is also ineffective – often performed haphazardly, inconsistently or not at all. As a result, organizations that test controls manually on a limited amount of data unnecessarily expose their business to potential fraud, mishandling of information and, most likely, audit findings.