SOD 3.0: Next-generation separation of duties for the modern ERP

Four pillars upon which to build a persistent SOD framework

Mick McGarry

Principal, Advisory, GRC Technology, KPMG US

+1 214-840-8249

Engel Schmidt

Senior Director, Security & Controls Solutions, KPMG US

+1 713 319 2000

Increasing complexity, increasing risk

Multiple ERPs and enterprise applications from myriad vendors. Regular cloud-based software updates. Shifting employee and department responsibilities. Changing regulations and standards. All of these common factors complicate risk management and enterprise-wide controls.

To compete effectively in today’s global marketplace, companies must embrace digital information and emerging technologies. Yet these same advances can also make the organization more vulnerable to data access and security risks.

Innovation, for better and for worse

In the last five years, many companies have moved from one large ERP platform to multiple vendors and a mix of cloud and on-premises deployments. In this hybrid application landscape, companies can pick and choose among best-of-breed offerings, building an enterprise technology platform that meets their specific needs.

However, even when every application comes from the same vendor, buyers face cross-application risk on top of multiple security models. Given the ease of acquiring cloud-based applications, business leaders often add new solutions without involving IT, which is typically more familiar with cloud security and compliance requirements. More applications mean more workflows, automation, and integration points, as well as more sets of mitigating or compensating controls that have to work together. And after initial implementation, companies must also manage the cascading impacts of mandatory software updates, in addition to each new enterprise application introduced into the landscape.

Overwhelmed by the complexity, many organizations are doing the bare minimum to ensure separation of duties (SOD) controls on an entity-wide basis.

A new approach in SOD

KPMG SOD 3.0 is a next-generation approach that uses predefined role definitions that are directly aligned with front-, middle-, and back-office business processes. These predefined roles are designed to work with application controls and address data security, user access administration risk, and compliance requirements. They continue to protect the organization long after they are put into place by adapting to changing business needs.

Cowritten with Fastpath, this article provides insight on how organizations can implement the SOD 3.0 approach to ensure SOD controls on an entity-wide basis.
