You really, really have to be a nerd to watch Jurassic Park and see the absence of separation of duties (SoD) and inadequate process controls as a core plot device. To explain, one of the pivots in the story line of Jurassic Park is the point where the villain of the story, “Dennis Nedry” decides to steal some dinosaur embryos and sell them. The company created some safeguards in their systems to prevent this from happening but (as usual) they were mainly designed to guard against outsiders, not to prevent internal fraud. Knowing how they operate (since he wrote the code), the villain shuts down key systems so that he can override security systems designed to prevent just this sort of possibility.
A decade before Enron and WorldCom we were warned of what can happen when corporations operate without adequate access and process controls. If “JP Corporation” was a US-listed corporation, would the Sarbanes-Oxley Act have rendered the plot line improbable because they would have had these controls in place? Or would the company have taken a narrow view of the value of separation of duties, thinking that it was mostly a financial control issue with little relevance to operations or the IT department? But why quibble with the realism of these sorts of plot devices when there are bigger, Argentinosaurus-size suspension-of-disbelief issues at work in a story about recreating long extinct animals?
OK, so that’s a hokey way of bringing up the topic of SoD and process controls. In the years since the film was made, companies have made major investments in identity management, access controls as well as process monitoring and management in order to address internal vulnerabilities. A good deal of this was sparked by the Sarbanes-Oxley Act in the US, since it elevated the importance of having tight control of a company’s IT environment to prevent fraud, errors and malfeasance. Despite this, there’s a lot of time wasted and money spent on pretty ineffective identity and process controls in companies. This is one of those hidden time and expense wasters that don’t seem like they’re important enough to assess, find gaps and address them. Nonetheless, unless your company already has a program and process in place, it’s definitely worth doing.
In terms of gaps, the issue with identity management is not that companies don’t have it – it’s that too often they are using too many manual procedures to onboard, update or revoke their permissions. And they devote too much time to lost passwords or making changes because they lack self-service capabilities. Companies also need to be able to easily manage groups and resources flexibly. Identity management is a foundational element to maintain bullet-proof separation of duties.
Separation of duties is a longstanding concept designed to prevent fraud and errors. Requiring two signatures on a check and preventing the same person from performing two related steps in a process (such as depositing money into a bank account and reconciling that bank account) are two examples of this. More recently, SoD has increasingly been used in IT departments to ensure that computer systems are secure from fraud or malfeasance, especially in the wake of the Sarbanes-Oxley Act as computer systems are being used as higher level controls against potential financial fraud. Moreover, there are many operational compliance issues that can and should be managed within an IT environment that ought to involve separations of duties: someone asserts that a set of inspections or actions have been taken and another certifies that these have been carried out.
Process controls can prevent specific sequences of events from happening or they can generate alerts if an event or sequence of events happens or, as important, doesn’t happen (for instance, steps are skipped, required actions aren’t taken or confirmations are not made within a certain time period). Process controls and process monitoring are valuable in that they reduce the risk of unfavorable events occurring and because they are continuous controls, they can mitigate the impact of an unfavorable event by allowing for faster interventions.
Process controls have become more valuable over the past decades as an increasing amount of the work that takes place in a corporation is supported or managed by IT systems. As such, it has become much easier to automate monitoring events and flag suspicious or worrisome activities. These sorts of process monitors allow internal and external auditors to easily verify that controls are working or not and therefore can save money on audits. They enable easy analysis of systems logs to spot suspicious activities such as intraday granting and rescinding of permissions or a higher than usual number of changes at the end of a month. This is the electronic version of what auditors used to do in the old days, checking the paper ledgers for erasures and examining the handwriting to spot anything that looked suspicious. The difference here is that events, or a sequence of events, or some statistical analysis of system logs are all areas where forensic accountants and other risk and fraud experts can design controls that eliminate the need for a lot of manual oversight either in real time or in auditing. By having these sorts of controls in place, corporations can eliminate the need for a lot of external and internal audit requirements and that will save time and money.
Granted, if “JP Corporation” had had all of these things it would have made the plot line a lot less interesting to everyone except accountants and auditors. They would have been gratified to see internal controls work and marvel at the amount of money that the wildlife park was raking in from the overflow crowds that went to gawk at the safely contained dinosaurs.
Let me know your thoughts or come and collaborate with me on Facebook, LinkedIn and Twitter.
Robert Kugel CFA - SVP of Research