
How To Check Segregation of Duties with Disco


Should the manager approve her own travel request? Usually, the answer is “no” and there are many other examples of where it is not desirable that the same person performs two or more activities in a process.

For example, in a Dutch government process, where citizens can ask for special support based on their income and expenses that they incurred because of illnesses and other circumstances, the employee handling the payout should not be able to change the bank account number and make the transfer at the same time. Otherwise, it would be too easy to give your own bank account number and transfer money to it.

These kinds of rules are common in all companies and they are called “Segregation of Duties” (SoD), or the “Four Eyes principle”. The idea is to reduce the risk of fraud by putting systems in place that help to keep people honest. These systems are called “controls”; some controls are realised by IT, while others exist only in the process documentation, as business rules.

One of the main tasks of an auditor is to check whether the controls that are defined are actually working.

Process mining can be used to check compliance rules like segregation of duties. The advantage is this: most IT-based SoD controls are implemented at the level of authorisations (for example, employees who have the ability to change the bank account number cannot transfer the money), but managing authorisations is a complex task and people change roles all the time. What happens if a person first had the role in which the bank account number could be changed, and later moved into the role with the ability to transfer money? Cases that were started with the first role could be completed by the same person in the second role.

So, while an auditor will review the IT-based authorisation controls, it is also worthwhile to check the actual process executions to see whether the controls were effective (that is, whether SoD violations did occur or not).

Three years ago, we already showed you how to check segregation of duties with ProM. With Disco, it has been possible to check segregation of duties from the beginning. In this post we want to show you how.

If you want to follow along with the instructions, you can do that by simply downloading the demo version of Disco from our website here and repeating the steps that are shown below. Let’s get started!

Get the Sandbox project

You can use the sandbox example that comes with Disco. After the installation, you will be presented with the following blank screen. Click on the Sandbox… button and …

Sandbox project in process mining software Disco

… then double-click the second data set called Process map 100% detail (or press the View details button).

Selecting dataset in sandbox project in Disco

This is the discovered process map of a purchasing process and you are now in the analysis view. Here, you can look at the actual process flows, use the sliders to simplify the process and change the metrics that are displayed in the process map, all based on the data that was extracted from the IT system.

Add filter for segregation of duty violations

To check for segregation of duty violations, you can add a Follower filter. This filter can be added directly by clicking the filter symbol in the lower left corner, or via a shortcut through the process map.

Imagine that this purchasing process has the SoD constraint that the activities Release Supplier’s Invoice and Authorize Supplier’s Invoice Payment should not be performed by the same person for the same case. You want “four eyes” (two different people) to look over it to make sure this is a real invoice that should be paid.

To add a follower pattern filter, you can simply click on the arc going from Release Supplier’s Invoice to Authorize Supplier’s Invoice Payment as shown below. Once you press Filter this path…

Add Follower filter directly in Disco

… a new Follower filter will be added to your data set [1]. You can now further customize the Follower filter.

To check for segregation of duties in this example, make these two changes to the Follower filter:

Check whether activities were performed by the same person

You could now directly apply the filter, but let us preserve the results in a new bookmark in your project, so that you can refer back to them later on.

This can be done by using the Copy and filter button rather than the Apply filter button. With Copy and filter you can give the copy a meaningful name and apply the filter to a new copy of the data set, leaving the current data set as it is. Press Create.

Make a copy of the data set to save the segregation of duty violations

Inspect the results

Now it is time to inspect the results. You will see that almost 40% of the cases are violating this segregation of duties rule! To look at some concrete examples, change from the Map view to the Cases view on the top.

You can see that there are exactly 242 cases that violate the four eyes principle here. One case, with case ID 15, is shown below, and you can see that, indeed, Karalda Nimwada performed both the Release Supplier’s Invoice and the Authorize Supplier’s Invoice Payment step in this case.

You can browse through to see more examples and export all of them to Excel.

Inspecting cases with segregation of duty violations

Dig deeper

But who exactly is violating the rule most often?

To find out, you can refine the results to focus on just the two activities involved in the SoD constraint in the following way: click on the filter symbol in the lower left corner to add another filter and add an Attribute filter from the list as shown below.

Refining the results on the activities with segregation of duty violations only

Then, only keep the two activities we are interested in at the moment (Release Supplier’s Invoice and Authorize Supplier’s Invoice Payment). Press Apply filter.

Deselecting all activities that are not of interest

Now you see that all the other activities have been removed and you can change to the Statistics view to look at the most frequent resources.

Changing to the statistics view in Disco

In the Resource statistics overview, we see that just two users are involved in the SoD violations.

See which people are involved in the SOD violations and give targeted training

To take action, we can now check their authorisations or give them targeted training.
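The two steps above (the same-person Follower filter, and then narrowing down to the two activities to see which resources are involved) can be reproduced outside the Disco GUI on any event log with a case ID, activity, resource and timestamp column. The following Python script is an added example written for this post; it is not Disco's own code and does not use the sandbox data set. The event log embedded in it is constructed and only borrows the two activity names from the purchasing process discussed here. It also covers footnote 2: by default both orders of the two activities are checked, and the `directly` switch mirrors the choice between a "directly follows" and an "eventually follows" pattern.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample event log (NOT the Disco sandbox data): one row per event,
# in the usual case ID / activity / resource / timestamp shape. Cases 1 and 3
# are straightforward four-eyes violations, case 4 is a violation in reverse
# order, case 2 is handled by two different people and case 5 never reaches
# the authorization step.
SAMPLE_LOG = """case_id,activity,resource,timestamp
1,Create Purchase Requisition,Alice,2024-01-02 09:00
1,Release Supplier's Invoice,Bob,2024-01-05 10:00
1,Authorize Supplier's Invoice Payment,Bob,2024-01-06 11:00
2,Create Purchase Requisition,Alice,2024-01-03 09:00
2,Release Supplier's Invoice,Bob,2024-01-07 10:00
2,Authorize Supplier's Invoice Payment,Carol,2024-01-08 11:00
3,Release Supplier's Invoice,Dana,2024-01-09 10:00
3,Authorize Supplier's Invoice Payment,Dana,2024-01-10 11:00
4,Authorize Supplier's Invoice Payment,Bob,2024-01-11 10:00
4,Release Supplier's Invoice,Bob,2024-01-12 11:00
5,Release Supplier's Invoice,Carol,2024-01-13 10:00
5,Pay Invoice,Carol,2024-01-14 11:00
"""

RELEASE = "Release Supplier's Invoice"
AUTHORIZE = "Authorize Supplier's Invoice Payment"


def parse_log(text):
    """Group the events per case and sort every trace by timestamp."""
    traces = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M")
        traces[row["case_id"]].append((ts, row["activity"], row["resource"]))
    return {case: sorted(events) for case, events in traces.items()}


def same_person_follower(trace, first, second, directly=False):
    """Follower pattern with the resource required to be the same.

    Returns the resource if an event of `first` is followed by an event of
    `second` performed by the same resource, otherwise None.
    directly=False: eventually follows (any later position in the trace).
    directly=True:  the `second` event must be the very next event.
    """
    for i, (_, act_a, res_a) in enumerate(trace):
        if act_a != first:
            continue
        later = trace[i + 1:i + 2] if directly else trace[i + 1:]
        for _, act_b, res_b in later:
            if act_b == second and res_b == res_a:
                return res_a
    return None


def sod_violations(traces, first, second, directly=False, both_directions=True):
    """Map case_id -> offending resource for every case breaking the rule.

    With both_directions=True the reverse order (second, then first) is
    checked as well, which is the situation footnote 2 warns about.
    """
    result = {}
    for case, trace in traces.items():
        res = same_person_follower(trace, first, second, directly)
        if res is None and both_directions:
            res = same_person_follower(trace, second, first, directly)
        if res is not None:
            result[case] = res
    return result


def violations_by_resource(violations):
    """Who violates the rule most often (the 'Dig deeper' step)."""
    return Counter(violations.values())


def violation_share(traces, violations):
    """Fraction of all cases that violate the rule."""
    return len(violations) / len(traces) if traces else 0.0


if __name__ == "__main__":
    traces = parse_log(SAMPLE_LOG)
    found = sod_violations(traces, RELEASE, AUTHORIZE)
    print(f"{len(found)} of {len(traces)} cases violate the SoD rule "
          f"({violation_share(traces, found):.0%})")
    for case, who in sorted(found.items()):
        print(f"  case {case}: {who}")
    print("Violations per resource:", violations_by_resource(found).most_common())
```

Replace `SAMPLE_LOG` with the contents of an exported CSV and the two activity constants with the activities of your own SoD rule. Note that a same-resource check only covers one person doing both steps under one user account; a person who changed roles and accounts in between, as described at the start of the post, would need the resource column mapped to a stable employee identifier first.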

  1. If the activities you would like to check are not directly following each other, you can directly add a Follower filter from the filter list or change the activities in the filter configuration afterwards.

  2. Note that if these activities are sometimes performed in reverse order, then the opposite direction needs to be checked as well.
