How To Check Segregation of Duties with ProM
The segregation of duties, also called the 4-Eyes-Principle, is one way for organizations to reduce the risk of fraud. For example, it may not be allowed for the same person to initiate a purchase order and pay the invoice for the same item.
Segregation of duties is often controlled via role-based access management in the IT systems. However, there are situations in which after-the-fact verification (based on audit files) is needed.
Here are three examples:
- No preventive mechanisms are in place.
Not every organization employs preventive mechanisms to ensure segregation of duties via IT controls. Sometimes there are simply not enough people to realize segregation of duties via separate roles.
But auditors still have to prove that the 4-Eyes-Principle was obeyed in the operations.
- Changing roles create loopholes.
Changing roles may create loopholes for bypassing segregation of duty IT controls and create a risk for fraud. For example, a person who initiated a purchase order in role A may over time obtain role B and thus be able to pay the open invoice after the role change.
Even complex role management tools usually verify the risk of violation at a static point in time (not over time).
- Access management may have been circumvented.
Processes often run across different systems, and preventive controls in one system cannot see what happened in another. Auditors therefore need more certainty than preventive controls and sampling alone can provide.
By automatically checking 100% of the process log files for violations of segregation of duty constraints, auditors can provide a higher assurance.
1. Determine Segregation of Duty rules
Before you start, you need to know what the segregation of duty rules for your process are. For example, in a Purchase-to-Pay process it is most likely not allowed that the same person issues a purchase order and also approves it.
Here is an example from this ERP vendor blog. The matrix marks with an ‘X’ every pair of tasks that should be separated. The red marking highlights one of the task combinations that is not allowed:
In the rest of this post, I continue with the call center demo example used earlier. This way, even if you don’t have a log file that you want to check yourself, you can follow the steps using the demo file that comes with Nitro. (Download the free demo version of Nitro here.)
2. Import Audit File
Using Nitro the process log can be imported from a CSV or Excel file. The meaning of the columns is configured in the GUI.
You need to at least configure the following columns:
CaseID: Distinguishes different executions of the process (i.e., process instances)
Activity: Determines the tasks that were executed
Resource: The person who performed the activity
The other columns are optional. For example, you can configure the columns as shown in the screenshot above.
3. Choose 2 Activities
After the import of the converted log file in ProM, start the LTL Checker by choosing ‘Analysis -> Raw ExampleLog.mxml.gz (unfiltered) -> LTL Checker’ from the menu.
In the LTL Checker settings screen:
Choose ‘exists_person_doing_task_A_and_B’ from the list of pre-defined formulas. This is the formula that checks segregation of duties.
Write down the names of the two activities that should not be performed by the same person for the same case.
Click on ‘Check formula’.
4. View and Export Violations
Now, potential violations are displayed and the details can be exported.
In the screenshot above you see the result for our segregation of duty check with respect to the activities ‘Email Outbound’ and ‘Call Outbound’.[1]
In total, there were 75 cases for which the segregation of duty rule was violated (‘Correct process instances’ means that the formula could be matched, i.e., one person did perform both tasks) and 3810 cases were without problem (‘Incorrect process instances’ means that the formula was not matched, so the naming is a bit counter-intuitive).
You can also switch between the “Correct” and “Incorrect” set of cases and inspect individual process instances. For example, in the screenshot above case 3278 is visualized and the segregation of duty violation that was found is highlighted.
For further analysis in Excel, you can export the found violations by choosing ‘Exports -> Correct instances -> CSV for log Exporter’ from the menu.
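To make the check transparent, here is the same ‘exists_person_doing_task_A_and_B’ logic written as a small Python script over a CSV audit file with the CaseID, Activity and Resource columns from step 2. This is an added example, not code from the original post or from ProM or Nitro; the log lines, names and the `SAMPLE_LOG` constant are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample audit file in the column layout configured in step 2.
SAMPLE_LOG = """CaseID,Activity,Resource
1,Inbound Call,Anna
1,Email Outbound,Ben
1,Call Outbound,Ben
2,Inbound Call,Anna
2,Email Outbound,Ben
2,Call Outbound,Clara
3,Email Outbound,Dan
3,Email Outbound,Ben
3,Call Outbound,Dan
4,Inbound Call,Clara
"""


def load_log(text):
    """Parse a CSV audit file into {case_id: [(activity, resource), ...]}."""
    cases = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        cases[row["CaseID"]].append((row["Activity"], row["Resource"]))
    return cases


def exists_person_doing_task_a_and_b(events, task_a, task_b):
    """Mirror of the LTL Checker formula for one case: the set of resources
    that performed BOTH task_a and task_b. Empty set means no violation."""
    doers_a = {res for act, res in events if act == task_a}
    doers_b = {res for act, res in events if act == task_b}
    return doers_a & doers_b


def check_sod(cases, task_a, task_b):
    """Split the log into violating cases (ProM's 'Correct instances', the
    formula matched) and clean cases (ProM's 'Incorrect instances')."""
    violating, clean = {}, []
    for case_id, events in cases.items():
        offenders = exists_person_doing_task_a_and_b(events, task_a, task_b)
        if offenders:
            violating[case_id] = sorted(offenders)
        else:
            clean.append(case_id)
    return violating, clean


def violations_csv(violating):
    """Export the violating cases as CSV text for further analysis (step 4)."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["CaseID", "Resource"])
    for case_id, resources in sorted(violating.items()):
        for res in resources:
            writer.writerow([case_id, res])
    return out.getvalue()
```

Cases that never reach one of the two activities (case 4 above) are clean by construction, which is also why a case-level check like this one is cheap to run over 100% of the log.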
Do you think checking segregation of duties after-the-fact makes sense? Have you needed it at some point in time? Which tools did you use, and what did you like or dislike about that solution?
Let us know in the comments.
[1] Granted, the example does not make any sense here. This call center process simply does not have any segregation of duty constraints. But I am sure you will have plenty of examples from your own processes.