
Segregation of duties in ERP: an automated assessment tool enables internal auditors at MeadWestvaco to enhance their SOD control reviews throughout the enterprise - Computers & Auditing - enterprise resource planning

Internal Auditor, Oct, 2003 by Susan S. Lightle, Cynthia Waller Vallario

Effective segregation of duties (SOD) represents a vital component of virtually any organization's internal control system. SOD controls are designed to ensure that no single individual inappropriately handles all aspects of a transaction or business process, helping to prevent employees from committing errors or engaging in fraudulent activity.

Internal auditors are often charged with reviewing employee tasks and transactions to identify potential SOD conflicts and make recommendations to minimize their impact. In an organization that uses enterprise resource planning (ERP) technology to integrate its business and information processes, however, hundreds or even thousands of individual users may have access to the company's system, each with authorization to perform multiple transactions. The sheer volume of activity in this type of environment can make testing SOD controls extremely challenging.


The internal auditors at Mead--now MeadWestvaco Corp., a global producer of packaging, paper, and consumer and office products, as well as specialty chemicals--faced this challenge when their company decided to implement an ERP system. Realizing that manual SOD testing would become impractical once the system was in place, the internal audit group sought a more efficient means of conducting their control reviews. They needed a software tool that would help them expedite the testing process, analyze controls at specific transaction levels, and generate reports showing potential conflicts. Otherwise, the auditors' ability to evaluate controls and make recommendations to mitigate the risk of fraud and error would be compromised.

FINDING A SOLUTION

Mead's auditors became involved early in the company's ERP planning process. During the system-design phase, management charged cross-functional teams with creating appropriate job authorization assignments before establishing system access for employees. The audit department, under the direction of Vicki Davies, then Mead's director of internal audit and currently MeadWestvaco's director of policies and standards, assisted these teams by reviewing job roles to ensure that employees did not have access to conflicting functions. The auditors also helped develop the user authorization request and approval process by talking directly with business process owners to review individual job responsibilities and investigate the rationale behind any dual assignments.

In 2001, approximately a year after Mead began installing ERP applications at its major manufacturing divisions, the internal audit group decided it needed a new method to test the company's SOD controls. Because Mead had more than 4,000 potential users at that time, with hundreds of combined job roles, Davies knew it would not be feasible for her internal audit department to identify conflicting authorization assignments manually and to assess the effectiveness of the user request and approval process. She needed a cost-effective technology that internal auditors could use with minimal assistance from the ERP implementation team, which at the same time would not slow down system operations throughout the organization. In addition, she sought the ability to test controls at specific transaction levels, enabling precise targeting of SOD violations.

To help meet her specific requirements, Davies engaged a CPA firm with extensive expertise in auditing, internal controls, and technology. The consultants provided their own proprietary SOD analysis tool and trained the internal audit staff to use it.

TESTING CONTROLS

Before starting their automated analyses, Davies' audit team first had to make sure that the tool's settings were matched to their clients' business environment. The tool contained a matrix showing tasks that should not be combined, based on traditional SOD concepts and client experiences. After reviewing the list of tasks, the internal audit staff, with the help of the consultant, customized the software's matrix, adding some conflicts and deleting others based on Mead's control philosophy and business process design.

With the tool adapted to their specifications, Mead's auditors began conducting SOD evaluations. Using the new software, they were able to generate automated SOD reports for targeted subsets of users. The tool enabled them to test user authorizations against SOD conflicts at the basic level of specific transaction assignments and to generate a report that listed potential conflicts by user group. The auditors then used this information to perform further analysis.

"Once the software generated its report, the next step was to analyze and confirm whether any of the identified conflicts were, in fact, a concern," Davies says. The internal audit team reviewed the list and assessed each item to determine the severity of the control risk and the existence of mitigating controls. For items that raised concern, the auditors noted designated process owners and planned to speak with them to assess the rationale for any dual responsibilities. Where necessary, the auditors could then recommend mitigating controls, such as regular supervisory reviews of certain transaction types or changes to employee job roles, to remove conflicts.
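The review workflow described in this section (customize a conflict matrix, resolve each user's combined job roles down to individual transaction authorizations, test those against the matrix, report by business unit, then triage each hit against known mitigating controls) can be expressed in a few dozen lines. The following is an added example written for this page; it is not the consultants' proprietary tool or anything MeadWestvaco used, and every transaction code, role, user, business unit and mitigating control in it is constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed conflict matrix with hypothetical transaction codes: each entry pairs two
# transactions that should not be held by one person, with a severity and a rationale.
CONFLICT_MATRIX = {
    frozenset({"VENDOR_MAINTAIN", "INVOICE_POST"}): ("high", "create a fictitious vendor and bill it"),
    frozenset({"INVOICE_POST", "PAYMENT_RUN"}): ("high", "post and pay an invoice without review"),
    frozenset({"PO_CREATE", "GOODS_RECEIPT"}): ("medium", "order and receive goods unchecked"),
    frozenset({"JOURNAL_POST", "JOURNAL_APPROVE"}): ("medium", "approve own journal entries"),
}

# Constructed job roles: role -> transactions it grants. No single role conflicts with
# itself; the conflicts only appear when roles are combined on one user.
ROLES = {
    "AP_CLERK": {"INVOICE_POST", "VENDOR_INQUIRY"},
    "VENDOR_MASTER": {"VENDOR_MAINTAIN", "VENDOR_INQUIRY"},
    "TREASURY": {"PAYMENT_RUN"},
    "BUYER": {"PO_CREATE"},
    "WAREHOUSE": {"GOODS_RECEIPT"},
    "GL_ACCOUNTANT": {"JOURNAL_POST"},
}

# Constructed user assignments: user -> (business unit, assigned roles).
USERS = {
    "alice": ("Packaging", {"AP_CLERK", "VENDOR_MASTER"}),  # vendor + invoice conflict
    "bob":   ("Packaging", {"BUYER", "WAREHOUSE"}),         # PO + receipt conflict
    "carol": ("Paper", {"AP_CLERK", "TREASURY"}),           # invoice + payment conflict
    "dave":  ("Paper", {"GL_ACCOUNTANT"}),                  # no conflict
}

# Constructed mitigating controls already documented by process owners, keyed by user.
MITIGATING_CONTROLS = {
    "bob": "Monthly three-way match review by plant controller",
}


def customize_matrix(base, add=(), remove=()):
    """Return a copy of the base matrix with client-specific conflicts added or removed."""
    matrix = dict(base)
    for pair, severity, rationale in add:
        matrix[frozenset(pair)] = (severity, rationale)
    for pair in remove:
        matrix.pop(frozenset(pair), None)
    return matrix


def effective_transactions(role_names, roles):
    """Resolve a user's roles to the union of transaction codes those roles grant."""
    txns = set()
    for name in role_names:
        txns |= roles.get(name, set())
    return txns


def find_conflicts(users, roles, matrix):
    """Test every user's effective transaction set against the conflict matrix."""
    findings = []
    for user, (unit, role_names) in users.items():
        txns = effective_transactions(role_names, roles)
        for a, b in combinations(sorted(txns), 2):
            key = frozenset({a, b})
            if key in matrix:
                severity, rationale = matrix[key]
                findings.append({"user": user, "unit": unit, "pair": (a, b),
                                 "severity": severity, "rationale": rationale})
    return findings


def triage(findings, mitigating):
    """Mark each finding mitigated or open; open items go to the process owner for follow-up."""
    for f in findings:
        control = mitigating.get(f["user"])
        f["mitigating_control"] = control
        f["status"] = "mitigated" if control else "open"
    return findings


def report_by_unit(findings):
    """Group findings by business unit, the shape in which auditors hand them to owners."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["unit"]].append(f)
    return {unit: sorted(items, key=lambda x: x["user"]) for unit, items in grouped.items()}


if __name__ == "__main__":
    # Tailor the matrix the way the article describes: add one conflict, drop another.
    matrix = customize_matrix(
        CONFLICT_MATRIX,
        add=[(("VENDOR_MAINTAIN", "PAYMENT_RUN"), "high", "pay a self-created vendor")],
        remove=[("JOURNAL_POST", "JOURNAL_APPROVE")],
    )
    results = triage(find_conflicts(USERS, ROLES, matrix), MITIGATING_CONTROLS)
    for unit, items in report_by_unit(results).items():
        print(f"== {unit} ==")
        for f in items:
            print(f"  {f['user']}: {f['pair'][0]} + {f['pair'][1]} "
                  f"[{f['severity']}, {f['status']}] - {f['rationale']}")
```

The point the example makes is the one the article's numbers imply: with thousands of users and hundreds of combined roles, the conflict is rarely visible in any one role definition, only in the union of transactions a particular user ends up with, so the test has to run at the transaction level per user, and each hit still needs a human decision on severity and compensating controls before it becomes a recommendation.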
