• Are you absolutely certain that the segregation of duties at your company effectively mitigates the risk of fraud? Did you know that retrospective verification of the appropriate segregation of duties to the supervisory authorities can result in significant costs?

    In recent audits conducted by FORFIRM we have found there was not a single organisation where we did not uncover an authorisation issue about which management was unaware. Among these issues were numerous conflicts of interest which enabled fraudulent activities causing significant financial loss, coupled with a small chance of the perpetrators being caught.

    It is important to emphasise that the complex access right structure of today’s ERP systems cannot be analysed via simple methods. Due to this fact, specialised analytical software is crucial in order to decrease operational expenses and increase reliability.



    • The supervisory authorities (e.g. the Hungarian central bank or the U.S. Securities and Exchange Commission) require verification that the company’s systems are free from conflicting roles;
    • Identifying conflicts of interest and reviewing the segregation of duties consume significant business resources;
    • Your company has no suitable IT tool (e.g. SAP GRC, CSI) for exploring conflicts of interest, meaning reviews also result in significant extra costs;
    • Conflicts of interest have not been taken into consideration on the basis of relevant business risks, hence the results of your review are difficult to interpret and handle;
    • The reviews lack sufficient technical knowledge of the systems in question.

    The following services from FORFIRM’s IT Risk Advisory Services practice can help your company to resolve the problems outlined above in connection with segregation of duties. Depending on the character of the engagement we either implement, develop the control environment, or review its compliance with the relevant standards and legislation.

    • Access right concept development: The segregation of duties relies on a transparent, role-based access right structure developed on the basis of business processes; our Identity and Access Management Services help you with the development of this structure;
    • SoD concept planning: Based on the individual business and IT processes, and respecting the relevant regulations, we define which functions need to be separated. Furthermore, we develop a governance framework which ensures that conflicting functions are detected and appropriately managed, either by separation or by introducing mitigation measures (including compensating controls);
    • Definition of SoD rules: Along business and IT processes we develop an SoD matrix, which shows the conflicting functions that constitute a risk to the company;
    • Implementation of SoD rules: We translate the SoD rules into the company’s support tool that assists the review; if you wish, we can also help you choose an appropriate application;
    • Maintain compliance: By applying the defined rules and introducing control points, we help to maintain the results achieved.
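    To illustrate how an SoD matrix of conflicting functions is applied to a role-based access structure, below is an added Python example; it is not FORFIRM’s tooling or code, and the role, function and user names, the conflict pairs and the compensating control are all constructed for illustration.

```python
"""Check users' effective functions against an SoD matrix (constructed sample data)."""

# Role -> functions it grants. Constructed example of a role-based access structure.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_invoice", "release_payment"},
    "VENDOR_ADMIN": {"create_vendor", "change_vendor_bank"},
    "REPORT_VIEWER": {"view_reports"},
}

# SoD matrix: pairs of functions one person must not hold, with the business risk.
SOD_MATRIX = {
    frozenset({"create_vendor", "release_payment"}): "fictitious vendor payment",
    frozenset({"enter_invoice", "approve_invoice"}): "self-approved invoice",
    frozenset({"change_vendor_bank", "release_payment"}): "payment diversion",
}

# User -> assigned roles (constructed).
USER_ROLES = {
    "alice": {"AP_CLERK", "REPORT_VIEWER"},
    "bob": {"AP_CLERK", "AP_MANAGER"},
    "carol": {"VENDOR_ADMIN", "AP_MANAGER"},
}

# Compensating controls accepted for a specific user and conflict (constructed).
MITIGATIONS = {
    ("carol", frozenset({"change_vendor_bank", "release_payment"})):
        "monthly vendor bank-change report reviewed by the CFO",
}


def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of all functions granted by a user's roles."""
    return set().union(*(role_functions.get(r, set()) for r in roles))


def find_conflicts(user_roles=USER_ROLES, sod_matrix=SOD_MATRIX, mitigations=MITIGATIONS):
    """Return (user, conflicting pair, risk, mitigation-or-None) for every matrix hit."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        funcs = effective_functions(roles)
        for pair, risk in sod_matrix.items():
            if pair <= funcs:  # user holds both sides of the conflict
                findings.append((user, pair, risk, mitigations.get((user, pair))))
    return findings


def unmitigated(findings):
    """Conflicts with no accepted compensating control: these need separation."""
    return [f for f in findings if f[3] is None]


if __name__ == "__main__":
    for user, pair, risk, mitigated in find_conflicts():
        print(user, sorted(pair), risk, "mitigated by: " + mitigated if mitigated else "OPEN")
```

The open findings are the ones to remove by re-assigning roles; a conflict that also exists inside a single role (for example both sides granted by one role) points to a role design problem rather than a user assignment problem.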

    • Your company complies with relevant regulations (SOX, GLB, HIPAA, MNB 1/2015);
    • The controls built into the access management process help ensure lasting compliance;
    • We help decrease review costs by introducing optimised processes and risk-based operation;
    • We decrease the likelihood of instances of fraud;
    • The documentation practice suggested by FORFIRM makes the segregation of duties well-grounded and accountable;
    • With our automated solutions we make review tasks more efficient, utilising our outstanding expertise and tools for SAP access right analysis.