Stop prioritizing hypothetical SOD conflicts over actual ones
Since it’s inception, segregation of duties (SOD) reporting has traditionally been about hypothetical risk. Most SOD reporting will show you what people have the potential to do in the system that would classify as a conflict.
Trying to manage SOD conflicts at this high-level view and decide which conflicts to spend your time on can easily become a daunting task. We regularly see clients that get overwhelmed when they run a traditional SOD report and find there are thousands or even tens of thousands of conflicts.
Want to avoid this overwhelming scenario? Focus your efforts on actual SOD conflicts (conflicts that have been exercised). Not all conflicts are created equal when it comes to risk and these actual SOD conflicts pose a deeper and more immediate risk to your enterprise than hypothetical ones do.
Fortunately, modern advancements in SOD reporting have made it much easier to prioritize conflicts in this way. Any SOD automation platform worth its salt will have SOD reporting capabilities that enable you to identify both hypothetical and actual conflicts.
For example, the SOD Live tool within our Separations Enforcer module allows you to see whether or not the transactions within a given conflict have been executed using detailed transaction history data. If you want to take it even one step further, you can even drill down into the transaction and see if any changes were made.
We aren’t suggesting that you ignore hypothetical conflicts altogether. There are hypothetical conflicts that involve sensitive access and represent a significant risk to your enterprise. It is important to address these conflicts, especially in the role design process. But by focusing on actual conflicts first, you ensure you’re being efficient with your time and your enterprise is protected against the most immediate risks.
