Gartner published a new MarketScope research document regarding "Segregation of Duty Controls Within ERP and Financial Applications".
Segregation of duty controls for ERP systems remain an ongoing concern to auditors, particularly in the context of global financial integrity regulations. A variety of stand-alone and embedded control capabilities are available and are rated each year in a MarketScope.
The market for SOD in ERP and financial applications experienced little growth in 2013, but it remains stable based on continued need in the Gartner client base to address related audit findings and auditor concerns. The ability to support multiple ERP systems and cross-platform SOD conflict detection (that is, the ability to detect that a user can create a vendor in one instance and pay that same vendor in another instance) grew in importance.
What You Need to Know
Organizations seeking automated solutions to address segregation of duty (SOD) conflicts can typically be categorized in one of two ways:
- Needing a minimal approach with an immediate focus on identifying and remediating SOD conflicts using static analysis
- Needing a comprehensive approach that involves SOD cleanup, transaction analysis and compliant provisioning
CSI tools, a European company founded in 1997, has developed an inexpensive stand-alone toolset to address SOD issues and other SAP security matters. It offers two tools: CSI Authorization Auditor and CSI Accelerator. CSI Authorization Auditor should be considered an inexpensive, technically oriented, expert application for security administrators and auditors as a first step in SOD analysis automation. CSI Accelerator supports compliant provisioning and transaction analysis, but these are emerging capabilities that are not as strong as those of the competition. It does not support emergency privilege management. CSI tools' strength is in its two-layer security model and approach to automated role building, which are unique capabilities and may be of interest to some organizations.