Using a Business Process methodology to remediate Segregation of Duties at an international packaging print firm
14 March 2023
In 2022, a client specialized in packaging print requested TriFinance support to remediate 77 Segregation of Duties (SoD) conflicts reported by internal auditors on conflicting functions in its ERP, Infor M3. These conflicts were all related to four main processes: P2P, O2C, Supply Chain, and Finance.
The client has a worldwide presence in sales and services, with offices in Belgium, Central America, and Asia, as well as multiple R&D centers and two manufacturing sites.
Remediating Segregations of Duties risks
In 2020, the company implemented Infor M3 as their primary ERP system. The implementation went live and now supports all global operational activities. However, in 2022, the company's auditors identified several Segregation of Duties risks related to security role authorization in Infor M3, specifically in the O2C, P2P, Supply Chain, and Finance business processes. These risks were categorized by risk level as critical, high, and medium.
The TriFinance approach was based on a business process methodology, rather than a risk-based approach, which allowed TriFinance expert Caroline Maton to provide a practical solution to the conflict issues in the security role matrix in Infor M3.
The Right Approach
One major obstacle the TriFinance project consultant faced was the absence of adequate documentation, including process designs, operating procedures, and updated delegation of authority. Using CFO Services' business process methodology, Caroline conducted a process walkthrough to identify the subprocesses. This approach allowed her to detect any conflicts within the security role matrix, taking into account the functions within the scope of the project.
'The CFO Services methodology that is based on a process approach was really essential in identifying the issues related to the Segregation of Duties conflicts.'
Caroline Maton, Project Consultant, CFO Services
Along with the inadequate documentation, Caroline also encountered obstacles due to changes in the client's organization and ongoing projects. As a result, she had to be adaptable in her planning, prioritizing tasks based on the varying project demands and the availability of new stakeholders.
The Assessment Phase
This project was approached in two phases. The first phase was the assessment phase, dedicated to understanding the Infor M3 environment and the client's business processes, as well as identifying any quick wins.
During the assessment phase, Caroline Maton identified several key issues that needed to be addressed. Specifically, she was able to identify 50 percent of the SoDs that could be easily resolved. These issues were primarily linked to errors and lack of procedures in the user access management process for Infor M3.
Additionally, a misalignment was found between the technical roles and functions defined in the security role matrix and the client's business process responsibilities and activities.
'Misalignments can create inefficiencies. They increase the risk of errors or fraud, which could have significant consequences for the client.'
Caroline Maton, Project Consultant, CFO Services
Aligning the Security Role Matrix
Based on the results of the assessment phase, Caroline Maton developed a project plan for phase 2, which aimed to rectify the identified Segregation of Duties (SoD) issues. During phase 2, she implemented various actions to tackle the assessment phase's findings. These actions comprised:
- Realignment of technical roles in Infor M3 to match business process responsibilities, enhancing the alignment between security roles and business processes.
- Assessment of the basic and related options of the function within the role to ensure that the security roles accurately reflect the needs of the business.
- Assessment of the users assigned to roles to verify that they possess the necessary access to carry out their job responsibilities.
- Validating exception rules where a customized Infor M3 design was implemented to ensure that any exceptions are valid and necessary.
- Identifying mitigating controls where segregation could not be handled due to the lack of operational capacity to reduce the risk of errors or fraud.
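The steps above amount to checking a security role matrix and its user assignments against a list of conflicting function pairs, then deciding for each hit whether it is an open conflict, a documented exception, or a risk covered by a mitigating control. The following Python script is an added example written for this page, not TriFinance's or the client's tooling; the role names, function names, conflict rules, users, exception and control entries are all constructed for illustration and do not reflect Infor M3's actual security model.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed SoD rule set: (function_a, function_b, process, risk_level).
# Function names are hypothetical, not Infor M3 identifiers.
CONFLICT_RULES = [
    ("create_vendor", "approve_invoice", "P2P", "critical"),
    ("create_purchase_order", "post_goods_receipt", "P2P", "high"),
    ("create_customer", "release_credit_hold", "O2C", "high"),
    ("enter_journal", "post_journal", "Finance", "medium"),
]

# Constructed security role matrix: technical role -> functions it grants.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_invoice"},
    "BUYER": {"create_purchase_order"},
    "WAREHOUSE": {"post_goods_receipt"},
    "SALES_ADMIN": {"create_customer", "release_credit_hold"},  # conflict inside one role
    "GL_ACCOUNTANT": {"enter_journal", "post_journal"},         # conflict inside one role
}

# Constructed user access assignments: user -> roles.
USER_ROLES = {
    "alice": {"AP_CLERK", "AP_MANAGER"},  # conflict arises across two roles
    "bob": {"BUYER"},
    "carol": {"SALES_ADMIN"},
    "dave": {"GL_ACCOUNTANT"},
}

# Constructed exception rules (user, function_a, function_b) accepted for a
# customized design, and mitigating controls keyed by the conflicting pair.
EXCEPTIONS = {("carol", "create_customer", "release_credit_hold")}
MITIGATING_CONTROLS = {
    ("enter_journal", "post_journal"): "monthly journal review by the controller",
}


@dataclass
class Conflict:
    user: str
    function_a: str
    function_b: str
    process: str
    risk: str
    roles: tuple   # (roles granting function_a, roles granting function_b)
    status: str    # "open", "exception" or "mitigated"


def user_functions(user):
    """Map each function a user can execute to the roles that grant it."""
    funcs = {}
    for role in sorted(USER_ROLES.get(user, ())):
        for function in ROLE_FUNCTIONS.get(role, ()):
            funcs.setdefault(function, set()).add(role)
    return funcs


def classify(user, function_a, function_b):
    """Decide whether a hit is a documented exception, mitigated, or still open."""
    if (user, function_a, function_b) in EXCEPTIONS:
        return "exception"
    if (function_a, function_b) in MITIGATING_CONTROLS:
        return "mitigated"
    return "open"


def find_user_conflicts():
    """Conflicts per user: the combined effect of every role assigned to them."""
    findings = []
    for user in sorted(USER_ROLES):
        funcs = user_functions(user)
        for function_a, function_b, process, risk in CONFLICT_RULES:
            if function_a in funcs and function_b in funcs:
                granting = (tuple(sorted(funcs[function_a])),
                            tuple(sorted(funcs[function_b])))
                findings.append(Conflict(user, function_a, function_b, process,
                                         risk, granting,
                                         classify(user, function_a, function_b)))
    return findings


def find_role_conflicts():
    """Conflicts built into a single role; only splitting the role can fix these."""
    hits = []
    for role, funcs in sorted(ROLE_FUNCTIONS.items()):
        for function_a, function_b, _process, risk in CONFLICT_RULES:
            if function_a in funcs and function_b in funcs:
                hits.append((role, function_a, function_b, risk))
    return hits


def summary(findings):
    """Count findings by status, the figure a remediation plan is tracked on."""
    return dict(Counter(finding.status for finding in findings))


if __name__ == "__main__":
    for role, a, b, risk in find_role_conflicts():
        print(f"role {role} grants both {a} and {b} ({risk}): split the role")
    for finding in find_user_conflicts():
        print(f"{finding.user}: {finding.function_a} + {finding.function_b} "
              f"[{finding.process}, {finding.risk}] via {finding.roles} -> {finding.status}")
    print(summary(find_user_conflicts()))
```

Running the user check and the role check separately mirrors the distinction in the list above: a conflict granted by two different roles (alice) is fixed in user access management, whereas a conflict inside one role (SALES_ADMIN, GL_ACCOUNTANT) can only be fixed by realigning the role matrix itself, and an exception or mitigating control is recorded per conflict rather than by hiding the rule.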
To guarantee the long-term success of the project, a process governance framework was developed to establish procedures for describing processes, defining roles and responsibilities, and describing preventive and detective controls where needed. This framework ensures that the improvements made during phase 2 are sustained over time and continue to deliver value to the organization.
The ultimate result
The ultimate result of the project was the successful alignment of the Infor M3 security role matrix with well-defined business processes, taking into consideration the risks associated with SoD. Achieving this objective necessitated a comprehensive review of technical roles and functions, user access management, exception rules, and mitigating controls. Additionally, a process governance framework was developed to guarantee the project's sustainability.