What are the likely Segregation of Duties risks in your Applications?

For a long time, we have been pushing Organizations to stop using, or at least modify, the Roles delivered with their Applications. We're not talking about one Application either; this problem extends to every Application we have worked with. If you're working on SOX Compliance, Segregation of Duties forms an integral part of the compliance process. Segregation of Duties represents a critical part because of the 'toxic'

Delivered Security

Delivered Roles and Configurations have long been the standard for Application implementations: pre-defined setups that help get your Applications up and running as quickly as possible. Where implementations need to happen quickly and at low cost, Security (least privilege) sits lower down the priority order. When we talk to Systems Integration partners, they too admit that a Security design project is a lengthy one, fraught with obstacles to completing it quickly.

This leaves many Organizations with one option: revisit Security and 'least privilege' post go live.

The problem is who wants to redo something that has just been done?

None of you reading this, we bet! But the reality is that while your users may be accessing your Applications, that access is likely to cause concern in an audit or, worse, leave you open to fraud and error. This has always been one of those statements that providers like us put out in marketing collateral, but can it be quantified and qualified correctly?

The answer is yes!

We reviewed every customer we have worked with over the last 12 months where we provided Segregation of Duties and Sensitive Access analysis. We focused on those customers who had used the delivered Roles and Configurations provided by their vendor, without bias towards, or focus on, any one vendor.

The results were clear:

1 in 4 Users had Segregation of Duty violations.

95% of Users had Sensitive Access.

Sensitive Access is defined as access to a single process or element that is deemed sensitive, for example editing Supplier Bank Account Information or Posting Journals. We analyze these areas because Organizations are often not aware of how many Users can perform these tasks.
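As an added illustration of the two checks described above (this is not Seecuring's tooling or any vendor's delivered configuration; the user, role, function and rule names are constructed for the example), the analysis reduces to flattening each user's roles into the functions they can execute, then testing that set against a list of conflicting function pairs (the SoD rules) and a list of individually sensitive functions. The example also records whether both sides of a conflict come from one delivered role or from two separately assigned roles, because remediation differs: the former needs the role redesigned, the latter needs the assignment changed.

```python
"""
Minimal Segregation of Duties (SoD) and Sensitive Access analyzer.

Added example, not Seecuring's product code. Every name below
(roles, functions, rule IDs, users) is constructed for illustration.
"""

# Constructed sample: a "delivered" role bundles many finance functions,
# while the remaining roles are narrow, single-purpose ones.
ROLE_FUNCTIONS = {
    "Delivered_AP_Manager": {
        "CREATE_SUPPLIER", "EDIT_SUPPLIER_BANK_ACCOUNT",
        "ENTER_INVOICE", "APPROVE_INVOICE", "CREATE_PAYMENT",
    },
    "AP_Invoice_Entry": {"ENTER_INVOICE"},
    "AP_Invoice_Approver": {"APPROVE_INVOICE"},
    "GL_Journal_Poster": {"POST_JOURNAL"},
    "GL_Inquiry": {"VIEW_LEDGER"},
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": {"Delivered_AP_Manager"},
    "bob": {"AP_Invoice_Entry", "AP_Invoice_Approver"},
    "carol": {"AP_Invoice_Entry"},
    "dave": {"GL_Inquiry"},
    "erin": {"GL_Journal_Poster"},
}

# SoD rules: pairs of functions one person should not hold together.
SOD_RULES = {
    "AP01": ("ENTER_INVOICE", "APPROVE_INVOICE"),
    "AP02": ("CREATE_SUPPLIER", "CREATE_PAYMENT"),
    "AP03": ("EDIT_SUPPLIER_BANK_ACCOUNT", "CREATE_PAYMENT"),
}

# Functions that are sensitive on their own, regardless of pairing.
SENSITIVE_FUNCTIONS = {"EDIT_SUPPLIER_BANK_ACCOUNT", "POST_JOURNAL"}


def effective_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Flatten a user's roles into the set of functions they can execute."""
    funcs = set()
    for role in user_roles.get(user, ()):
        funcs |= role_functions.get(role, set())
    return funcs


def sod_violations(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
                   rules=SOD_RULES):
    """Return {rule_id: (roles granting side A, roles granting side B, intra_role)}
    for every rule where the user holds both sides. intra_role is True when a
    single role grants both sides, i.e. the conflict is baked into the role."""
    roles = user_roles.get(user, set())
    found = {}
    for rule_id, (func_a, func_b) in rules.items():
        via_a = sorted(r for r in roles if func_a in role_functions.get(r, ()))
        via_b = sorted(r for r in roles if func_b in role_functions.get(r, ()))
        if via_a and via_b:
            intra_role = bool(set(via_a) & set(via_b))
            found[rule_id] = (via_a, via_b, intra_role)
    return found


def sensitive_access(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
                     sensitive=SENSITIVE_FUNCTIONS):
    """Sensitive functions the user can execute through any role."""
    return effective_functions(user, user_roles, role_functions) & sensitive


def summarize(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
              rules=SOD_RULES, sensitive=SENSITIVE_FUNCTIONS):
    """Headline figures of the kind quoted in the article: the share of users
    with at least one SoD violation and the share with any sensitive access."""
    users = sorted(user_roles)
    sod_users = [u for u in users if sod_violations(u, user_roles, role_functions, rules)]
    sens_users = [u for u in users if sensitive_access(u, user_roles, role_functions, sensitive)]
    return {
        "users": len(users),
        "sod_users": sod_users,
        "sod_share": len(sod_users) / len(users),
        "sensitive_users": sens_users,
        "sensitive_share": len(sens_users) / len(users),
    }


if __name__ == "__main__":
    for user in sorted(USER_ROLES):
        for rule_id, (via_a, via_b, intra) in sod_violations(user).items():
            kind = "within one role" if intra else "across roles"
            print(f"{user}: {rule_id} {kind} via {via_a} / {via_b}")
        for func in sorted(sensitive_access(user)):
            print(f"{user}: sensitive access to {func}")
    print(summarize())
```

In the constructed data, alice breaks all three rules through the one delivered role, so no reassignment fixes her: the role itself has to be split. bob breaks AP01 through two narrow roles, which is an assignment problem. Real engagements replace the dictionaries with an export of the application's role and assignment tables and a maintained rule library, but the evaluation logic is the same.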

Considerations

We found that the number of Users in each customer's environment had no bearing on the results. The smallest customer had approximately 200 users, while the largest had approximately 90,000. The rules analyzed were consistent across all customers and focused on core finance and accounting elements within the Applications, meaning all customers were treated the same way.

Effective Controls

If you are using the delivered Security and Configuration within your Applications, there is a good chance you have Segregation of Duty violations. Seecuring will assist you from establishing and reporting on the issues you have through to helping remediate them (which usually represents the biggest and most time-consuming aspect of implementing internal controls). Specifically, Seecuring delivers:

We have been working with ERP/HCM Applications since the early 2000s, and work with leading CPAs, Audit staff and Application specialists to deliver a complete solution.

Before you invest in expensive Software, why not look at GRC as a Service? Faster delivery, lower cost, and more than just reports on your issues: we help Organizations achieve their goals for Internal Controls.

To discuss your requirements, you can schedule a call with us:



Resources

Understanding Role Delegations in Oracle ERP/HCM Cloud

Fraud and Data Loss - one and the same?

Securing the Financial Close