System and Method for Separation of Duties
Original Publication Date: 2004-Dec-13
Included in the Prior Art Database: 2004-Dec-13
Disclosed is a Lotus Notes Separation of Duties database, a system and method for organizational and departmental separation of duties.

Separation of Duties is a business process that ensures tasks (duties), system accesses, and physical accesses are assigned so that no one person can control multiple stages of a process or sub-process in which errors, waste, or fraud could occur without detection. It is the key to preventing and/or detecting error, waste, and fraud, by identifying and preventing conflicting tasks or conflicting accesses to applications or systems.

The Lotus Notes Separation of Duties database relates generally to separation of duties, and specifically to a system and method for coordinating, approving, and establishing business risk information. More particularly, the database consolidates department tasks, both system and manual, via automated technology, allowing on-line approvals, validations, and associated documentation, securing business risks and providing computerized tracking. It provides:
- a separation of duties matrix through which department employees and approvers are notified that the department's matrix and all associated business risks require their attention and authorization;
- all associated documentation, produced in full corporate compliance;
- edits and controls to secure separation of duties compliance;
- a total closed-loop separation of duties business process that accommodates the requestor, the manager and multiple approving organizations, notifies organizations of separation of duties approval, and generates all necessary documentation.
Process activities:
- Process tasks (create or verify order data, print invoices, receive customer payment, and others)
- Process control points (such as manager approvals)

Application functions and accesses:
- Operational access for the end users (consistent with operational process tasks: insert/update/delete, view, or print; also system control points, such as on-line manager approval)
- System administrator access (create/delete userids, update master data tables, and others)
- Application maintenance (controls for programmer access to development, test, and production systems)

Physical accesses:
- Such as physical inventory in a warehouse, safes, preprinted forms which need to be controlled, and others

The SOD process will ensure that someone with physical access to marketable (could be sold on the street) parts should not prepare and authorize a scrap ticket and be the sole witness to the destruction (physical scrapping) of the parts. If they had this ability, then they could take good marketable parts and pretend to scrap them, stealing the good parts to make a profit for themselves.

The "aggregate separation of duties" (combination) of (1) tasks and (2) application accesses assigned to any one individual must be evaluated to ensure that conflicts do not exist:
- Within the tasks for the operational process and sub-processes, including physical accesses
- Within the application being sponsored for ASCA certification
- Between the application under review and all other applications under which the same individual has some authority
- Between all the system accesses and any manual tasks or physical accesses

Each individual's job responsibilities should be analyzed for conflicts.
This application will serve to automate the process whereby a Separation of Duties Matrix (S.O.D.) is created and maintained. Currently, departments use a variety of methods to create and maintain these required documents, including the Corporate Generic S.O.D. Matrix tool (a Lotus 1-2-3 spreadsheet).
In addition, this application incorporates an automated workflow approval to ensure that Managers review the S.O.D. matrix on an annual basis at a minimum. A report can be generated and automatically e-mailed to Managers providing details on the status of compliance. Users can choose to have the report generated monthly, quarterly, semiannually, or annually, or opt for no reporting.
The Department Manager or a designated Team Leader will create a profile for their department. A facility will exist to identify optional Business Areas within the department and to provide others within the department with the ability to create and maintain records. The profile will also allow each department to determine the schedule for review of the S.O.D. matrix. The minimal allowable period will be annually. An agent will run to automatically notify managers when review and approval is due. If the profile is created by someone other than the manager, then the manager will be notified to review the profile. Delegate managers (defined in this context as managers within the same organization) will have authority to approve the S.O.D. matrix in the event of a Manager's absence. If the profile is deleted, all the associated documents (e.g., tasks and employees) belonging to that organization will also be deleted.
After the profile is created, tasks are identified. These tasks fall into two main categories - system and activity. System tasks are those that are specifically tied to accessing applications/data on computer systems (e.g., SAP, legacy systems, etc.). Activity tasks are defined as manual processes (e.g., badge access to a crib). The task document records any other tasks that are in conflict with the defined task. Once a task document has been saved, the only information that can be edited is the task conflicts.
After the tasks and the associated task conflicts have been identified, employee documents are created. The employee documents identify which tasks each employee performs within the organization. Any conflicting tasks are flagged, and a Secondary Control statement must be provided in order for the record to be saved. Employee records will be updated automatically to reflect changes in task conflicts. If a new conflict is created based on a change in the tasks, an e-mail will be sent to the Department Manager allowing him/her to update the employee profile. In addition, a message will alert the user modifying the tasks that a conflict has been created.
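As an added illustration (not code from the disclosure, whose application was built in Lotus Notes), the following Python models the task-document and employee-document logic described above: conflicts are recorded on task documents, an employee record whose aggregate tasks conflict cannot be saved without a Secondary Control statement, and a later edit to a task's conflict list returns the employees newly placed in conflict, i.e. those the Department Manager would be e-mailed about. The task names and the scrap-ticket data are constructed from the scenario in the disclosure.

```python
from dataclasses import dataclass, field

@dataclass
class Task:
    name: str
    kind: str                                    # "system" (application access) or "activity" (manual)
    conflicts: set = field(default_factory=set)  # names of tasks that conflict with this one

class SodMatrix:
    def __init__(self):
        self.tasks = {}      # task name -> Task (task documents)
        self.employees = {}  # employee -> set of task names performed (employee documents)
        self.controls = {}   # employee -> Secondary Control statement, where one was required

    def conflicts_for(self, tasks):
        """Conflicting pairs inside one person's aggregate assignments (system + manual)."""
        found = set()
        for a in tasks:
            for b in self.tasks[a].conflicts:
                if b in tasks:
                    found.add(frozenset((a, b)))  # conflicts are symmetric, so store the pair
        return found

    def save_employee(self, name, tasks, secondary_control=None):
        """Flag conflicts; refuse to save a conflicting record without a Secondary Control."""
        tasks = set(tasks)
        conflicts = self.conflicts_for(tasks)
        if conflicts and not secondary_control:
            raise ValueError(f"{name}: {sorted(map(sorted, conflicts))} need a Secondary Control statement")
        self.employees[name] = tasks
        if conflicts:
            self.controls[name] = secondary_control
        return conflicts

    def update_conflicts(self, task_name, conflicts):
        """Edit a task's conflict list (the only editable field once saved); return employees newly in conflict."""
        before = {e: self.conflicts_for(t) for e, t in self.employees.items()}
        self.tasks[task_name].conflicts = set(conflicts)
        return sorted(e for e, t in self.employees.items() if self.conflicts_for(t) - before[e])

def build_scrap_example():
    """Constructed sample task documents for the scrap-ticket scenario in the disclosure."""
    m = SodMatrix()
    for t in [Task("physical_access_parts", "activity", {"witness_destruction"}),
              Task("prepare_scrap_ticket", "system", {"authorize_scrap_ticket"}),
              Task("authorize_scrap_ticket", "system", {"prepare_scrap_ticket"}),
              Task("witness_destruction", "activity", {"physical_access_parts"})]:
        m.tasks[t.name] = t
    return m
```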
In addition to the notification that the S.O.D. Matrix is due for review, a report will be generated and automatically sent to Department M...