Segregation of Duties in a World of Robots
The addition of Intelligent Automation to business processes can eliminate many of the routine work steps human processors are required to complete, with the added benefit of zero errors, assuming each step is defined properly and the impact of ongoing process or system changes is accounted for as it occurs. Being able to perform reviews and audits of automated processes is critical, and none more so than ensuring that proper segregation of duties is maintained to prevent intentional manipulation or misuse of company resources.
This research paper is a top-level summary of a recent poll that was conducted in Peeriosity’s Intelligent Automation research area. For Peeriosity members, full visibility to all the details of the poll is available, including the ability to interact directly with participating peers.
iPolling Results Review
A recent Peeriosity poll looked at the issue of segregation of duties for Robotic Process Automation and the approaches used at Peeriosity member companies.
The first polling question asked whether or not a separate account is created for each process when building a new RPA bot. For 47%, each bot (process) has its own user ID. An additional 47% indicated that each bot has a user ID and that the bot is used for multiple processes, and the remaining 6% indicated that a unique ID is created when required.
To the question of how companies resolve potential segregation of duty conflicts, only 6% indicated that bots are not validated against segregation of duties so that they have all required access to do their job (and since they are programmed robots and not people, traditional segregation of duties parameters do not apply). In 76% of companies, if needed, separate accounts are created to avoid segregation of duties conflicts. Finally, 18% indicated that some other approach was followed.
A few of the comments from members include:
- When there are no control implications, such as SOD, we use the same BOT ID for multiple automations within a common process area. We do use different BOT IDs across disparate mega-processes; AP separate from AR from accounting from payroll, etc.
- Each bot is a separate user account. Should SODs occur, the jobs are then assigned only to the bots with access. Otherwise, any bot may perform the process.
- We treat the BOT ID exactly like we would a person, so the same SOD requirements are maintained for either type of ID. If there is a SOD conflict for the activities, only then would a separate BOT ID be created.
- Not all of our Bots require a user account to perform their tasks. For Bots that do require a user account, a unique ID is created for them and provisioned for the appropriate level of access.
- We are yet to encounter/develop a Bot that leads to a SOD conflict. We review for conflicts such as this when analyzing each use case and would handle them by creating a separate Account/Bot Worker account to separate the tasks if needed.
- Generic bot user IDs are used for multiple processes within the same functional area.
- We maintain appropriate segregation of duties with the bots. There are also monitoring and quality checks to ensure the bot is performing as expected.
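The approaches above (a shared bot ID per process area, a bot ID treated exactly like a person's ID, and a separate account created only when a conflict appears) all come down to the same check: a bot ID holds the union of every entitlement its processes need, and that union must not contain a pair the SOD matrix forbids. The following Python is an added illustration, not code from the poll, from Peeriosity or from any member company; the conflict pairs, bot IDs, process names and entitlement names are constructed for the example.

```python
"""Segregation-of-duties check for RPA bot accounts (constructed example)."""
from itertools import combinations

# Constructed SOD matrix: pairs of entitlements one identity must never hold together.
CONFLICT_PAIRS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_invoice"}),
    frozenset({"change_payroll_rate", "run_payroll"}),
}

# Constructed bot inventory: bot user ID -> {process it runs -> entitlements that process needs}.
# BOT_AP_01 is a shared ID used for two AP processes, the pattern several comments describe.
BOT_PROCESSES = {
    "BOT_AP_01": {
        "vendor_onboarding": {"create_vendor", "update_vendor_bank"},
        "payment_run": {"approve_payment", "post_payment"},
    },
    "BOT_AR_01": {
        "cash_application": {"post_receipt", "match_remittance"},
    },
    "BOT_PAY_01": {
        "payroll_run": {"run_payroll"},
        "rate_maintenance": {"change_payroll_rate"},
    },
}


def effective_entitlements(processes):
    """A shared bot ID effectively holds everything any of its processes needs."""
    held = set()
    for needed in processes.values():
        held |= needed
    return held


def find_sod_conflicts(bot_processes, conflict_pairs=CONFLICT_PAIRS):
    """Return {bot_id: [(process_a, entitlement_a, process_b, entitlement_b), ...]}.

    Cross-process hits can be fixed by splitting the bot ID; a hit where
    process_a == process_b means one process itself needs a forbidden pair,
    which no account split can resolve and must go back to process design.
    """
    findings = {}
    for bot_id, processes in bot_processes.items():
        hits = []
        # Conflicts created only because two processes share one ID.
        for (proc_a, ents_a), (proc_b, ents_b) in combinations(processes.items(), 2):
            for a in ents_a:
                for b in ents_b:
                    if frozenset({a, b}) in conflict_pairs:
                        hits.append((proc_a, a, proc_b, b))
        # Conflicts inside a single process.
        for proc, ents in processes.items():
            for a, b in combinations(sorted(ents), 2):
                if frozenset({a, b}) in conflict_pairs:
                    hits.append((proc, a, proc, b))
        if hits:
            findings[bot_id] = hits
    return findings


def propose_split(bot_id, processes, conflict_pairs=CONFLICT_PAIRS):
    """Greedy split of one bot ID into separate accounts so no account holds a forbidden pair.

    Returns {new_bot_id: {process: entitlements}}; the original ID is kept
    unchanged when a single account already satisfies the matrix.
    """
    groups = []
    for proc, ents in processes.items():
        for members in groups:
            held = effective_entitlements(members)
            clashes = any(frozenset({a, b}) in conflict_pairs for a in ents for b in held)
            if not clashes:
                members[proc] = ents
                break
        else:
            groups.append({proc: ents})
    if len(groups) == 1:
        return {bot_id: processes}
    return {f"{bot_id}_{i + 1}": g for i, g in enumerate(groups)}


if __name__ == "__main__":
    for bot, hits in find_sod_conflicts(BOT_PROCESSES).items():
        print(f"{bot}: {len(hits)} SOD conflict(s)")
        for proc_a, a, proc_b, b in hits:
            print(f"  {proc_a}:{a}  <->  {proc_b}:{b}")
        print("  proposed accounts:", list(propose_split(bot, BOT_PROCESSES[bot])))
```

Run against the constructed inventory, the check flags BOT_AP_01 (vendor creation plus payment approval on one ID) and BOT_PAY_01 (rate maintenance plus payroll run), leaves BOT_AR_01 alone, and proposes two accounts for each flagged ID; re-running the check over the proposed split returns no findings. Running it on every change to a bot's process assignments is the "monitoring and quality check" step: a bot that is reused for a new process silently acquires that process's entitlements.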
Re-engineering processes involves the fundamental rethinking of process steps, often changing the underlying nature of work activities. Significant changes need to be analyzed and reviewed carefully to ensure continued compliance with fundamental business controls, including the responsibility for appropriate segregation of duties. While perhaps not the most exciting part of an Intelligent Automation project, it is definitely a necessary step.
What is the approach your company takes to ensure appropriate segregation of duties when you implement Intelligent Automation solutions?
Who are your peers and how are you collaborating with them?
“iPolling” is available exclusively to Peeriosity member company employees, with consultants or vendors prohibited from participating or accessing content. Members have full visibility of all respondents and their comments. Using Peeriosity’s integrated email system, Peer Mail, members can easily communicate at any time with others who participated in iPolling.
Peeriosity members are invited to log into www.peeriosity.com to join the discussion and connect with Peers. Membership is for practitioners only, with no consultants or vendors permitted. To learn more about Peeriosity, click here.