Case Study: Reduce costs and time spent on SoD management with efficient, automated solutions and processes
A large retailer with annual sales of nearly $2 billion across 1,000 retail stores in North America lacked enforcement of segregation of duties (SoD) policies across its financial applications, as well as any approach to monitoring and reporting SoD violations.
The organization’s external auditor, as well as management, determined that the retailer had material weaknesses in internal controls related to SoD and access management. Under the Sarbanes-Oxley Act (SOX), publicly traded companies like the retailer are required to disclose any material weaknesses to the Securities and Exchange Commission (SEC), which can negatively impact stock prices and investor confidence, and potentially increase external audit and legal fees. A lack of effective SoD and access management controls can also make it difficult to detect internal fraud, another red flag for investors.
Compounding matters, the retailer lacked an automated reporting system to review its millions of transaction records for violations. Manually collecting that data from disparate files and areas was prone to error and resource-intensive, requiring hundreds of work hours per month.
After a costly but ineffective first effort to design and implement a process to manage these challenges, the organization asked CohnReznick to help remediate the internal controls weakness around SoD violations and reporting.
CohnReznick’s Risk Intelligence and Automation services helped solve this specific challenge by developing a customized solution that addressed the business’s ongoing need for security controls and real-time monitoring of all financial transactions conducted by all users.
To do so, our team worked with Greenlight Technologies, a third-party firm that provides a technology platform to monitor user access permissions for SoD conflicts in and across applications. In collaboration with the retailer’s stakeholders, our team developed a solution utilizing Greenlight’s automated business control platform for transaction monitoring, which provided 100% visibility across 23 key financial risks and monitored millions of transactions in the organization’s enterprise resource planning (ERP) environment.
As part of this effort, the CohnReznick team helped develop processes and procedures for automated monitoring of user activity and access violations. Our team also helped design SoD business processes and limit employee user access to only applications necessary for their roles. Furthermore, we integrated the Greenlight control automation and SoD processes with the organization’s ERP system to help provide complete visibility across all transactions and all users within the ERP that were directly tied to the 23 key financial risks impacting the retailer.
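The two checks described above, access-level SoD conflicts (a user holds both sides of a conflicting pair of functions) and transaction-level conflicts (a user actually performed both sides on the same document), are illustrated below in an added example. This is illustration code, not Greenlight's platform or CohnReznick's deliverable; the role names, function names, conflict pairs, user assignments and transaction records are all constructed for the example and are not the retailer's 23 key financial risks.

```python
"""SoD conflict detection over constructed entitlement and transaction data.

Hypothetical example; not Greenlight's or CohnReznick's code. Role names,
function names, conflict pairs and records below are constructed for illustration.
"""
from collections import defaultdict

# Constructed SoD conflict matrix: pairs of business functions that one person
# should not hold (access conflict) or perform on the same document (executed conflict).
CONFLICT_PAIRS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"create_purchase_order", "receive_goods"}),
    frozenset({"enter_journal", "post_journal"}),
}

# Constructed role-to-function mapping, as an ERP role catalogue might define it.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "BUYER": {"create_purchase_order"},
    "WAREHOUSE": {"receive_goods"},
    "GL_ACCOUNTANT": {"enter_journal"},
    "GL_SUPERVISOR": {"post_journal"},
}

# Constructed user-to-role assignments; alice, dave and erin hold conflicting roles.
USER_ROLES = {
    "alice": {"AP_CLERK", "AP_MANAGER"},
    "bob": {"AP_CLERK"},
    "carol": {"BUYER"},
    "dave": {"BUYER", "WAREHOUSE"},
    "erin": {"GL_ACCOUNTANT", "GL_SUPERVISOR"},
}

# Constructed transaction log: (user, function, document id).
TRANSACTIONS = [
    ("alice", "create_vendor", "VEND-1001"),
    ("alice", "approve_payment", "VEND-1001"),  # alice exercised her conflict on one vendor
    ("alice", "approve_payment", "VEND-1002"),  # vendor created by bob: no executed conflict
    ("bob", "create_vendor", "VEND-1002"),
    ("dave", "create_purchase_order", "PO-77"),
    ("carol", "create_purchase_order", "PO-78"),
    ("dave", "receive_goods", "PO-78"),         # a different user created PO-78
    ("erin", "enter_journal", "JE-5"),
]


def effective_functions(user_roles, role_functions):
    """Flatten role assignments into the set of functions each user can execute."""
    effective = {}
    for user, roles in user_roles.items():
        funcs = set()
        for role in roles:
            funcs |= role_functions.get(role, set())
        effective[user] = funcs
    return effective


def access_conflicts(user_roles, role_functions, conflict_pairs):
    """Static (entitlement-based) check: users holding both sides of a conflict pair."""
    effective = effective_functions(user_roles, role_functions)
    found = {}
    for user, funcs in effective.items():
        hits = {pair for pair in conflict_pairs if pair <= funcs}
        if hits:
            found[user] = hits
    return found


def executed_conflicts(transactions, conflict_pairs):
    """Transactional check: same user performed both sides of a pair on the same document."""
    by_user_doc = defaultdict(set)
    for user, func, doc in transactions:
        by_user_doc[(user, doc)].add(func)
    found = []
    for (user, doc), funcs in sorted(by_user_doc.items()):
        for pair in conflict_pairs:
            if pair <= funcs:
                a, b = sorted(pair)
                found.append((user, doc, a, b))
    return found


def sod_report(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
               transactions=TRANSACTIONS, conflict_pairs=CONFLICT_PAIRS):
    """Combine both checks so reviewers can separate potential from verified violations."""
    potential = access_conflicts(user_roles, role_functions, conflict_pairs)
    verified = executed_conflicts(transactions, conflict_pairs)
    verified_users = {v[0] for v in verified}
    return {
        "potential": {u: sorted(sorted(p) for p in pairs) for u, pairs in potential.items()},
        "verified": verified,
        "potential_only": sorted(set(potential) - verified_users),
    }


if __name__ == "__main__":
    for section, rows in sod_report().items():
        print(section, rows)
```

With this data the access check flags alice, dave and erin, but only alice's vendor VEND-1001 shows a verified executed conflict; dave and erin appear under `potential_only`, which is the queue for access remediation rather than fraud investigation. In a real ERP the transaction records would be pulled from the system's audit or document tables, and the conflict matrix would be the organization's own risk catalogue.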
Throughout the design and implementation phases, our team identified and remediated transaction and access-related issues and irregularities in the client's ERP system. We also developed a training and operational handbook and provided training to the organization's employees. We continue to advise the organization's staff on fast and accurate delivery of its monthly and quarterly reports.
Armed with an efficient, accurate system for monitoring and responding to SoD conflicts within and across applications, the retailer now has complete visibility across all transactions and all users within the ERP landscape tied to the 23 key financial risks. This new capability has helped the organization reduce the time and resources needed to identify, remediate, and report SoD violations and associated risks.
Since the new reporting system went live, the organization has substantially decreased the time required to gather and analyze data and run reports. In their first quarter, for instance, the company completed reporting within two weeks. By the third quarter, the organization gathered data and ran reports in just a few hours. What’s more, the new solution helped reduce the cost of access violations by almost 98% within a 10-month period. It also helped lower the cost of external audits by automating monitoring of transactions and performing transactional testing, as well as providing timely reporting to auditors.
With a faster, more efficient tool to help accurately identify users violating SoD, the retailer can now focus on investigating verified violations and can limit user access to only the functionality needed for specific jobs. Armed with this integrated solution, the organization can actively and efficiently monitor for and quickly mitigate SoD and other control violations while reducing its risk exposure, ultimately resulting in positive financial outcomes.
- Reduction in the time and resources needed to identify, remediate, and report SoD violations and associated risks
- Enhanced ability to focus investigations on verified violations and to grant users only the access needed for their specific jobs
- Decreased the cost of access violations by almost 98% within a 10-month period
Bhavesh Vadhani, Principal, National Director, Cybersecurity, Technology Risk, and Privacy