Business processes are increasingly dependent on IT systems to support their execution. This dependence amplifies the risks stemming from the lack of segregation of duties (SoD) analysis when granting users system access. 

And because SoD risks are notoriously problematic, auditors are expanding their SoD analysis beyond ERP systems and focusing on cross-application SoD risks. The impact of inadequate SoD policies can potentially devastate an organization. A policy-based identity governance solution is essential to ensure that internal controls related to access are active and mitigate damaging effects on the organization.

IGA and GRC

IGA integrates Identity Governance and Identity Administration. 

• Identity Governance: Identity governance is a framework used to gain better visibility of user identities and access controls while complying with standards and regulations. 
  • Concerns visibility, segregation of duties, role management, analytics, and reporting. 
• Identity Administration: is part of identity management and access management (IAM). It involves creating, modifying, or deleting identities and granting privileges and entitlements based on the user’s role to manage access to resources such as applications and help to protect data security.
  • Concerns account administration, credentials administration, user and device provisioning, and managing entitlements.

IGA solutions allow organizations to control digital identities and access privileges across numerous systems for multiple user types (employees, partners, and machines) to ensure appropriate access to resources across IT environments and compliance with government regulations.

GRC solutions enable the organization to perform risk assessment, compliance management, internal audits, and other GRC activities, which can be time-consuming and resource intensive without a GRC software platform.

In the past, IGA platforms were separate from GRC solutions. But when IGA and GRC systems are independent, companies can not perform preventative segregation of duties checks before granting access. Conversely, GRC systems were limited because they only detected SoD risks once the access was granted through the IGA and without knowledge of the identity lifecycle management need.

For this blog, GRC is referred to as SoD because SoD is the specific GRC risk we are exploring.

Evolution of Governance

Segregation of Duties is a significant aspect of modern access governance required by Sarbanes Oxley (SOX) compliance. And SoD can only be accomplished if users are in the correct roles and with the proper privileges for their duties.

SOX mandates that publicly traded companies must document and certify their controls over financial reporting, including Segregation of Duties. SoD is a set of controls in a company’s compliance policy, and SoD controls require companies to separate responsibilities between individuals to complete tasks in a process to mitigate the risk of fraud, waste, and error. 

Traditionally, SoD refers to separating duties such as accounts payable from accounts receivable tasks to limit fraud. For example, users that can create vendor accounts in a payment system should not be able to pay vendors. However, as insider threats continue to rise, segregation of duties should be applied across the enterprise. For example, system security administrators should be the only people who can monitor for excessive, unauthorized, or unused privileges. Managing user access privileges to digital resources is a key Segregation of Duties control in modern IT infrastructures.

New risks, new requirements

Digital transformation creates new vulnerabilities, risks, and compliance challenges. Businesses need IGA and GRC capabilities to meet compliance requirements and mitigate insider and cyber threats in hybrid environments. And because some business processes span multiple applications in the cloud and on-premise, auditors require companies to mitigate SoD violations across all applications at all stages of the access lifecycle. 

To meet these new demands, organizations require IGA solutions to efficiently manage user access during joiner, mover, and leaver events within the hire-to-retire process, not to mention other compliance requirements in hybrid IT environments. IGA solutions are unique in their ability to provide a single source of truth about user access across the business. Companies desire flexible IGA solutions to meet their requirements and scale with the business.

“Auditors require companies to mitigate Segregation of Duties violations across ALL applications at ALL stages of the access lifecycle.”

Streamlining the digital enterprise

Organizations struggle to maintain complex integrations between their identity management and GRC solutions. Often these integrations create more uncertainty and complexity than they resolve, creating the need for GRC to be included in an IGA platform. 

IGA and GRC can support complex entitlement hierarchies in the ERP and manage SoD policies at the entitlement level. This allows you to identify risk violations during the role change process and eliminate false positives throughout the lifecycle of the identity governance process. 

Other benefits of combining GRC capabilities within an IGA platform include the following:

Segregation of duties and sensitive access

Performing an SoD risk analysis simulation before submitting the access request can help improve your SoD violation count. Converging IGA and GRC shows managers what additional risk an access request may cause. 

Access request workflows

The ability to route an access request is more efficient in onboarding because it allows you to route the request to the appropriate manager(s) for approval. Organizations can include the GRC or compliance teams in the customizable workflow for added risk assurance. Approvers can review risks and assign mitigating controls before access is granted in production environments.

Streamlined SoD management

Management needs visibility of access risks across the enterprise without aggregating data from multiple sources. To streamline your risk management processes, you must manage SoD and sensitive access risks from a single solution or platform.

Integrated entity request management

Integrating IGA and GRC allows you to accurately identify, quickly resolve, and continuously monitor for SoD violations across your application ecosystem. Organizations can also manage, automate and optimize risk management and compliance processes while giving end-users the access they need when needed.

Control access provisioning risks

In many organizations, the provisioning process is primarily manual. It’s performed in a fragmented and informal process exposing organizations to unnecessary risk. The provisioning process is a critical component of maintaining compliance. Most organizations have access policies to determine whether a user has appropriate access, which is an important consideration when a user is granted access.

Role management with user provisioning

An access certification should be integral to a company’s user provisioning and role management processes. This combination enables a successful closed-loop management of security policy violations and the corresponding access revocations. Having a complete life-cycle approach will make the following possible:

• Efficient and effective removal of access that violates policies while retrieving relevant audit information
• Increase compliance by remaining within the defined business roles based on appropriate access.
• Use business roles to assign, attest, and audit access.

IGA supports SoD policies and controls

Organizations that view SoD as a key control depend on IGA to help them continuously centralize, monitor, manage, and review access. IGA solution’s secure access to financial data is strictly maintained and enables organizations to prove they are taking steps to meet compliance requirements. 

To stay ahead of risk, digital enterprises are centralizing IGA and GRC to evaluate SoD risks from end to end. Technology solutions should provide visibility into fine-grained entitlements, and insight into the types of access users have across multiple applications, not just your ERP. A solution incorporating GRC and IGA allows your business to operate smoothly while easily meeting compliance obligations.