Next-generation SOD

A joint solution from KPMG and Fastpath

Mick McGarry


Principal, Advisory, GRC Technology, KPMG US

+1 214-840-8249

Nearly two decades ago, the Sarbanes-Oxley (SOX) Act mandated separation of duties (SOD) to prevent a single person from controlling all aspects of a transaction. Yet, risk still plagues businesses, due in part to today’s business trends: digital innovation, mergers and acquisitions (M&A), and remote workforces.

As businesses transform with a proliferation of best-of-breed, cloud-based systems, security professionals face more workflows, integration points, and mitigating controls that all have to work together across many applications. In addition, the M&A uptick resulting from low interest rates means both a consolidation and integration of roles—leading to SOD complexities and deficiencies that leave companies vulnerable to employee fraud and error. Even the remote workforces ushered in by COVID-19 bring greater technology security risk.

Traditionally, SOD is siloed, with embedded controls that monitor a single application such as an enterprise resource planning (ERP) system. Monitoring of business processes that span multiple applications is often done manually. Audits and post-incident reviews of fraud events show that these missed links and unrealized exposures elevate risk. Fortunately, KPMG LLP (KPMG) and Fastpath can help.

Leveraging Fastpath Assure technology, KPMG offers a five-step process to evaluate needs, implement strategy and technology, and continuously improve SOD programs. The result is a scalable application security tool with automated access and SOD analysis that drives operational efficiency and lowers overall cost of ownership.

KPMG professionals guide you through the five steps to next-generation SOD 3.0:

  • Vision. We work side by side with you to assess your needs and goals, then we develop a target operating model (TOM) aligned with corporate strategy.
  • Validate. Based on a thorough risk assessment and prioritization, we validate the solution design and develop an implementation roadmap that includes final solution design.
  • Construct. We configure and test the Fastpath platform, delivering functionality that allows you to monitor access controls and risk across all business transactions.
  • Deploy. We integrate Fastpath’s technology solution with the TOM to create a sustainable SOD program with cross-application monitoring for cloud and on-premises systems.
  • Evolve. Once the Fastpath solution goes live, we work with you to put processes in place to continually improve, adapt, and scale as the threat landscape changes.

The joint offering includes more than 20 proprietary rule sets developed across a mixture of cloud and on-premises applications. The library contains major ERP packages such as SAP S/4HANA, Oracle, Workday, Microsoft Dynamics, PeopleSoft, and NetSuite, as well as cloud applications such as Coupa, Ariba, Salesforce, and SuccessFactors. Additionally, KPMG and Fastpath continuously develop and update industry-specific rule sets that offer access controls tailored to your sector.