Peeriosity Insights: Recent Research Findings Summarized insights. To view detailed research results, contact us to inquire about membership.

Monitoring Segregation of Duties and Sensitive System Access in Shared Services

Ensuring the proper segregation of duties for different roles within a company, and the proper assignment and monitoring of sensitive system access by employees, are both important controls that all Shared Services operations are involved in to one degree or another. As the scope of Shared Services expands at many companies, adequate focus needs to be placed on ensuring that these two control areas are carefully included in any transition planning and in ongoing process performance so that no compromises occur.

Recently, a major manufacturing company was working to onboard a new system for tracking the segregation of duties (SOD) and sensitive system access (SA). In conjunction with the new system, they were also developing a leadership scorecard summarizing their status, action plans, etc. related to this effort. Using Peeriosity’s iPolling™ capabilities, this company was able to get the status and perspective of other large corporations related to both segregation of duties and sensitive system access.

In the first of two poll questions, the members of Peeriosity’s Shared Services Leadership research area were asked how their companies identify segregation of duty and sensitive system access issues for their employees. The majority of the companies (71%) have implemented a formal tracking process and/or system for all major process areas. Another 18% indicated that a formal tracking process and/or system is being utilized for this purpose, but for just a limited number of process areas. Just 6% of the responding companies said that the segregation of duties is not tracked by their company.

[Figure: iPolling results for the response that best describes how companies identify Segregation of Duties and Sensitive System Access issues of employees]

The second poll question then addressed the role of Shared Services in the oversight and resolution of segregation of duty and sensitive system access issues.  While no one approach stood out as dominant, for 40% of the surveyed companies their only responsibility currently in this area is to manage the compliance of Shared Services employees.  Another 27% have no responsibility for managing compliance, with it all being handled outside the Shared Services organization.  However, the remaining 33% do have responsibilities in this area, with 20% managing compliance for all company employees for all process areas and 13% managing compliance for all company employees, but just for specific process areas.

[Figure: iPolling results for the response that best describes the role of Shared Services on Segregation of Duties issues for the company]

These poll results highlight that there is an opportunity for Shared Services to expand its scope of responsibility to manage compliance in the segregation of duty and sensitive system access areas.  With its rich history of process standardization and technical competence, this might be a perfect fit for the Shared Services environment.

Some of the comments made by Peeriosity members regarding this poll include:

Healthcare, Pharmaceuticals, Biotech Member: Organization is going through a complete role re-design initiative to resolve the root cause of SOD issues. A review of SOD / SA issues is coordinated currently by a third party (PWC). Responsibility for the review and authorization of those issues rests with the designated system (or process) owners for those respective areas.

Media & Entertainment Member: Shared Services has developed a database for the business units to review access within the ERP system. Each unit is responsible for signing off on its own SOD Reviews. We do it twice a year.

Manufacturing Member: This is a joint control point. Shared Services is responsible for managing the SOD and SA compliance for employees who work in Shared Services and BU is responsible for managing the SOD and SA for employees who work in the BU department.

Manufacturing Member: Shared Services team members participate on a Corporate GRC Committee which owns the overall process. Many of the routine steps to review newly requested SODs, along with the assignment of acceptable mitigating controls, are performed by Shared Services.

How does your company manage compliance in the segregation of duty and sensitive system access areas?  Is there an opportunity for Shared Services to expand its reach more broadly within this important role?
