Peeriosity Insights: Recent Research Findings

Summarized insights. To view detailed research results, contact us to inquire about membership.



Segregation of Duties in a World of Robots

Introduction

The addition of Intelligent Automation to business processes can eliminate many of the routine work steps human processors are required to complete, with the added benefit of zero errors, assuming each step is defined properly and the impact of ongoing process or system changes is accounted for as they occur. Being able to perform reviews and audits of automated processes is critical, and no review is more critical than ensuring that proper segregation of duties is maintained to prevent intentional manipulation or misuse of company resources.

With the launch of Peeriosity’s Multi-Developer User Group for Intelligent Automation, practitioners from the world’s leading companies can network and interact directly with peers, in an environment that is private, candid, and nonbiased. With hundreds of users already participating, members of Peeriosity’s Multi-Developer User Group for Intelligent Automation are able to participate in multiple Peercasts every month, learn directly from others using iPolling™, communicate with peers using Peer Mail, and access libraries of shared content and contributed research.

This research paper is a top-level summary of a recent poll that was conducted in Peeriosity’s Intelligent Automation research area.  For Peeriosity members, full visibility to all the details of the poll is available, including the ability to interact directly with participating peers.

iPolling™ Results Review

Recently, Peeriosity’s iPolling™ was used by a Process Improvement Lead at a member company to understand the approaches companies take to ensure compliance with segregation of duty requirements. Responses were posted in real time, with visibility to company responses available to all Peeriosity members, allowing for direct communication with peers using Peeriosity’s integrated Peer Mail™ capabilities.

The first polling question asked whether or not a separate account is created for each process when building a new RPA bot. For 58%, each bot (process) has its own user ID. 21% indicated that each bot has a user ID and that the bot is used for multiple processes. No one responded that bots use existing employee accounts, and the remaining 21% indicated that some other approach is followed. Here are the details:

To the question of how companies resolve potential segregation of duty conflicts, only 6% indicated that bots are not validated against segregation of duties so that they have all required access to do their job (and since they are programmed robots and not people, traditional segregation of duties parameters do not apply).  At 72% of companies, if needed, separate accounts are created to avoid segregation of duties conflicts.  Finally, 22% indicated that some other approach was followed.

Here are some comments from responding companies:

  • This really depends on the type of process we’re talking about. Some of the larger processes require multiple user IDs that are assigned individually to the bots, while other smaller processes can be scheduled appropriately and share a User ID.
  • We have created a separate User ID per functional area which can be used by several bots built for that area.
  • User accounts are based on the need to uniquely identify the actions associated with the roles/responsibilities assigned in the ERP.
  • We are still determining if SOD validation is required in this situation.
  • The main service Bot IDs are utilized for multiple processes, but each automation process also has an individual SAP ID. These SAP IDs are created with the specific SAP access needed including consideration of segregation of duties. The security team is running a risk analysis to ensure SODs are properly reviewed, before applying.
  • All of our future bots will be configured to follow the same SOD policies and rules of our employees.
  • We use a separate User ID for each application/process within a Bot. If we touch 5 applications, 5 IDs.
  • All of our RPA BOTs are Named Service Accounts. Each process that is performed, regardless of the BOT, is performed using specific and unique IDs for each process assigned to the process and then the BOT. This helps us make sure that we are minimizing our risk.

Closing Summary

Re-engineering processes involves the fundamental rethinking of process steps, often changing the underlying nature of work activities. Significant changes need to be analyzed and reviewed carefully to ensure continued compliance with fundamental business controls, including the responsibility for appropriate segregation of duties. While perhaps not the most exciting part of an Intelligent Automation project, it is definitely a necessary step.

What is the approach your company takes to ensure an appropriate segregation of duties when you implement Intelligent Automation solutions? 

Who are your peers and how are you collaborating with them?

_______________________________________________________________________________

“iPolling™” is available exclusively to Peeriosity member company employees, with consultants or vendors prohibited from participating or accessing content. Members have full visibility to all respondents and their comments. Using Peeriosity’s integrated email system, Peer Mail™, members can easily communicate at any time with others who participated in iPolling.

Peeriosity members are invited to log into www.peeriosity.com to join the discussion and connect with Peers. Membership is for practitioners only, with no consultants or vendors permitted.


