Case Study: Reduce costs and time spent on SoD management with efficient, automated solutions and processes
A large retailer with annual sales of nearly $2 billion across 1,000 retail stores in North America lacked enforcement of segregation of duties (SoD) policies across financial applications, as well as an approach to monitoring and reporting SoD violations.
The organization’s external auditor, as well as management, determined that the retailer had material weaknesses in internal controls related to SoD and access management. Under the Sarbanes-Oxley Act (SOX), publicly traded companies like the retailer are required to disclose any material weaknesses to the Securities and Exchange Commission (SEC), which can negatively impact stock prices and investor confidence, and potentially increase external audit and legal fees. A lack of effective SoD and access management controls can also make it difficult to detect internal fraud, another red flag for investors.
Compounding matters, the retailer lacked an automated reporting system to review its millions of transaction records for violations. Manually collecting that data from disparate files and areas was prone to error and resource-intensive, requiring hundreds of work hours per month.
After a costly but ineffective first effort to design and implement a process to manage these challenges, the organization asked CohnReznick to help remediate the internal controls weakness around SoD violations and reporting.
CohnReznick’s Risk Intelligence and Automation services helped solve this specific challenge by developing a customized solution that addressed the business’s ongoing need for security controls and real-time monitoring of all financial transactions conducted by all users.
To do so, our team worked with Pathlock (formerly Greenlight Technologies), a third-party firm that provides a technology platform to monitor user access permissions for SoD conflicts in and across applications. In collaboration with the retailer’s stakeholders, our team developed a solution utilizing Pathlock's automated business control platform for transaction monitoring, which provided 100% visibility across 23 key financial risks and monitored millions of transactions in the organization’s enterprise resource planning (ERP) environment.
As part of this effort, the CohnReznick team helped develop processes and procedures for automated monitoring of user activity and access violations. Our team also helped design SoD business processes and limit employee user access to only applications necessary for their roles. Furthermore, we integrated the Pathlock control automation and SoD processes with the organization’s ERP system to help provide complete visibility across all transactions and all users within the ERP that were directly tied to the 23 key financial risks impacting the retailer.
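The core of the access-side monitoring described above is a check that collapses each user's roles across applications into business functions and flags combinations that an SoD rule forbids. The following is an added illustration, not Pathlock's or CohnReznick's code; the rules, role mappings, and access export are constructed sample data.

```python
"""Minimal cross-application SoD conflict check (added example; constructed data)."""
from collections import defaultdict

# Constructed SoD rule set: pairs of business functions one person must not hold together.
SOD_RULES = {
    ("create_vendor", "approve_payment"): "Fictitious vendor + payment",
    ("enter_journal", "post_journal"): "Unreviewed journal posting",
    ("maintain_user_roles", "approve_payment"): "Self-granted payment authority",
}

# Constructed mapping from (application, role) to the business functions it grants.
ROLE_TO_FUNCTIONS = {
    ("erp", "AP_CLERK"): {"create_vendor", "enter_invoice"},
    ("erp", "AP_MANAGER"): {"approve_payment"},
    ("erp", "GL_ACCOUNTANT"): {"enter_journal"},
    ("erp", "GL_SUPERVISOR"): {"post_journal"},
    ("iam", "ROLE_ADMIN"): {"maintain_user_roles"},
}


def user_functions(assignments):
    """Collapse (user, app, role) assignments into user -> set of business functions,
    so a conflict is caught whether the two roles sit in one application or in two."""
    funcs = defaultdict(set)
    for user, app, role in assignments:
        funcs[user] |= ROLE_TO_FUNCTIONS.get((app, role), set())
    return funcs


def find_sod_conflicts(assignments, rules=SOD_RULES):
    """Return a sorted list of (user, function_a, function_b, risk) for every violated rule."""
    violations = []
    for user, funcs in user_functions(assignments).items():
        for (a, b), risk in rules.items():
            if a in funcs and b in funcs:
                violations.append((user, a, b, risk))
    return sorted(violations)


# Constructed sample access export: (user, application, role).
SAMPLE_ASSIGNMENTS = [
    ("alice", "erp", "AP_CLERK"),
    ("alice", "erp", "AP_MANAGER"),      # in-app conflict: create vendor + approve payment
    ("bob", "erp", "AP_MANAGER"),
    ("bob", "iam", "ROLE_ADMIN"),        # cross-app conflict: role admin + approve payment
    ("carol", "erp", "GL_ACCOUNTANT"),   # no conflicting function held
]

if __name__ == "__main__":
    for v in find_sod_conflicts(SAMPLE_ASSIGNMENTS):
        print("SoD violation: user=%s functions=%s+%s risk=%s" % v)
```

Each flagged row is a verified rule hit, which is the list a reviewer would investigate or remediate by trimming the role set to what the job needs.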
Throughout the design and implementation phases, our team identified and remediated transaction- and access-related issues and irregularities in the client's ERP system. We also developed a training and operational handbook, and provided training to the organization’s employees. We continue to advise the organization’s staff on fast and accurate delivery of its monthly and quarterly reports.
Armed with an efficient, accurate system for monitoring and responding to SoD conflicts within and across applications, the retailer now has complete visibility across all transactions and all users within the ERP landscape tied to the 23 key financial risks. This new capability has helped the organization reduce the time and resources needed to identify, remediate, and report SoD violations and associated risks.
Since the new reporting system went live, the organization has substantially decreased the time required to gather and analyze data and run reports. In their first quarter, for instance, the company completed reporting within two weeks. By the third quarter, the organization gathered data and ran reports in just a few hours. What’s more, the new solution helped reduce the cost of access violations by almost 98% within a 10-month period. It also helped lower the cost of external audits by automating monitoring of transactions and performing transactional testing, as well as providing timely reporting to auditors.
With a faster, more efficient tool to help accurately identify users violating SoD, the retailer can now focus on investigating verified violations and can limit user access to only the functionality needed for specific jobs. Armed with this integrated solution, the organization can actively and efficiently monitor for and quickly mitigate SoD and other control violations while reducing its risk exposure, ultimately resulting in positive financial outcomes.
- Reduction in the time and resources needed to identify, remediate, and report SoD violations and associated risks
- Enhanced ability to focus investigations on verified violations and to grant users only the access needed for their specific jobs
- Decreased the cost of access violations by almost 98% within a 10-month period
Bhavesh Vadhani, Principal, National Director, Cybersecurity, Technology Risk, and Privacy