How To Check Segregation of Duties with Disco
Should the manager approve her own travel request? Usually, the answer is “no” and there are many other examples of where it is not desirable that the same person performs two or more activities in a process.
For example, in a Dutch government process, where citizens can ask for special support based on their income and expenses that they incurred because of illnesses and other circumstances, the employee handling the payout should not be able to change the bank account number and make the transfer at the same time. Otherwise, it would be too easy to give your own bank account number and transfer money to it.
These kinds of rules are common in all companies; they are called “Segregation of Duties” (SoD) or the “Four Eyes principle”. The idea is to reduce the risk of fraud by putting systems in place that help to keep people honest. These systems are called “controls”, and while some controls are realised in IT, others exist only in the process documentation, as business rules.
One of the main tasks of an auditor is to check whether the controls that are defined are actually working.
Process mining can be used to check compliance rules like the segregation of duties. The advantage is that it looks at what actually happened: most IT-based SoD controls are implemented at the level of authorisations (for example, employees who have the ability to change the bank account number cannot transfer the money), but managing authorisations is a complex task and people change roles all the time. What happens if a person first had the role in which the bank account number could be changed, and later moved into the role with the ability to transfer money? Cases that were started in the first role could be completed by the same person in the second role.
So, while an auditor will review the IT-based authorization controls, it is also interesting to check the actual process executions to see whether the controls were effective (that is, whether SoD violations did occur or not).
Three years ago, we already showed you how to check segregation of duties with ProM. With Disco, it has been possible to check segregation of duties from the beginning. In this post we want to show you how.
If you want to follow along with the instructions, you can do that by simply downloading the demo version of Disco from our website here and repeating the steps that are shown below. Let’s get started!
Get the Sandbox project
You can use the sandbox example that comes with Disco. After the installation, you will be presented with the following blank screen. Click on the Sandbox… button and …
… then double-click the second data set called Process map 100% detail (or press the View details button).
This is the discovered process map of a purchasing process and you are now in the analysis view. Here, you can look at the actual process flows, use the sliders to simplify the process and change the metrics that are displayed in the process map, all based on the data that was extracted from the IT system.
Add filter for segregation of duty violations
To check for segregation of duty violations, you can add a Follower filter. This filter can be added directly by clicking the filter symbol in the lower left corner, or via a shortcut through the process map.
Imagine that this purchasing process has the SoD constraint that the activities Release Supplier’s Invoice and Authorize Supplier’s Invoice payment should not be performed by the same person for the same case. You want “four eyes” (two different people) to look over it to make sure this is a real invoice that should be paid.
To add a follower pattern filter, you can simply click on the arc going from Release Supplier’s Invoice to Authorize Supplier’s Invoice payment as shown below. Once you press Filter this path…
… a new Follower filter will be added to your data set.[1] You can now further customize the Follower filter.
To check for segregation of duties in this example, make these two changes to the Follower filter:
Tick the box Require the same value of Resource for each pair of events matched above to enable the SoD constraint. Of course, you actually want different people to perform these two tasks. However, here we are checking for violations, so we want to see whether there are cases where the person was the same.
Change the follower pattern from directly followed to eventually followed. Because we came in through the process map shortcut, only the direct path is checked. However, we want to catch all violations, regardless of whether these two activities were performed directly after one another or whether a dispute was settled in between.[2]
You could now directly apply the filter, but let us preserve the results in a new bookmark in your project, so that you can refer back to them later on.
This can be done by using the Copy and filter rather than the Apply filter button. With Copy and filter you can give a meaningful name and apply the filter to a new copy of the data set, leaving the current data set as it is. Press Create.
Inspect the results
Now it is time to inspect the results. You will see that almost 40% of the cases are violating this segregation of duties rule! To look at some concrete examples, change from the Map view to the Cases view on the top.
You can see that there are exactly 242 cases that are violating the four eyes principle here. One case, the case with case ID 15, is shown below, and you can see that, indeed, Karalda Nimwada performed both the Release Supplier’s Invoice and the Authorize Supplier’s Invoice Payment step in this case.
You can browse through to see more examples and export all of them to Excel.
But who exactly is violating the rule most often?
To find out, you can refine the results to focus on just the two activities involved in the SoD constraint in the following way: click on the filter symbol in the lower left corner to add another filter and add an Attribute filter from the list as shown below.
Then, only keep the two activities we are interested in at the moment (Release Supplier’s Invoice and Authorize Supplier’s Invoice Payment). Press Apply filter.
Now you see that all the other activities have been removed and you can change to the Statistics view to look at the most frequent resources.
In the Resource statistics overview, we see that just two users are involved in the SoD violations.
To take action, we can now check their authorizations or give a targeted training.
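The same check as the Follower filter configured above (eventually followed, same Resource for both events) and the “who violates most often” count from the Statistics view, written out as an added Python example over a constructed event log. This is not Disco code, the case IDs, activity order and resource names (Alice, Bob, Carol) are made up, and unlike the single filter in the post it also checks the reverse order mentioned in footnote 2.

```python
from collections import Counter

RELEASE = "Release Supplier's Invoice"
AUTHORIZE = "Authorize Supplier's Invoice Payment"

# Constructed sample event log: (case id, activity, resource), in event order.
EVENTS = [
    (1, "Create Purchase Requisition", "Carol"),
    (1, RELEASE, "Alice"),
    (1, "Settle Dispute With Supplier", "Bob"),
    (1, AUTHORIZE, "Alice"),      # same person, a dispute in between: eventually-followed violation
    (2, RELEASE, "Bob"),
    (2, AUTHORIZE, "Alice"),      # two different people: fine
    (3, AUTHORIZE, "Bob"),
    (3, RELEASE, "Bob"),          # same person, reverse order (footnote 2)
    (4, RELEASE, "Carol"),        # authorization never happened: no pair to match
    (5, RELEASE, "Alice"),
    (5, AUTHORIZE, "Alice"),      # same person, directly followed
]


def group_by_case(events):
    """Split the flat event list into one trace (list of (activity, resource)) per case."""
    cases = {}
    for case_id, activity, resource in events:
        cases.setdefault(case_id, []).append((activity, resource))
    return cases


def sod_violations(events, first, second, directly=False, both_directions=True):
    """Return {case_id: resource} for every case where `first` is followed by `second`
    and both events carry the same resource, i.e. a Follower filter with the
    'Require the same value of Resource' box ticked. `directly=True` mimics the
    directly-followed pattern; `both_directions` also checks second -> first."""
    pairs = [(first, second)] + ([(second, first)] if both_directions else [])
    violations = {}
    for case_id, trace in group_by_case(events).items():
        for a, b in pairs:
            for i, (act_i, res_i) in enumerate(trace):
                if act_i != a:
                    continue
                later = trace[i + 1:i + 2] if directly else trace[i + 1:]
                if any(act_j == b and res_j == res_i for act_j, res_j in later):
                    violations[case_id] = res_i
    return violations


def offenders(violations):
    """Count violating cases per resource, like the Resource statistics after the Attribute filter."""
    return Counter(violations.values())
```

With the constructed log, the directly-followed pattern that the process map shortcut creates only catches case 5, while the eventually-followed check also finds cases 1 and 3.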
[1] If the activities you would like to check are not directly following each other, you can directly add a Follower filter from the filter list or change the activities in the filter configuration afterwards.
[2] Note that if these activities are sometimes performed in reverse order, then the opposite direction needs to be checked as well.