Transaction Example: SOD Risk

Algorithms may review transactions for separation-of-duties risk. Each specifies actions that may conflict, such as managing suppliers and creating payable invoices for those suppliers, and identifies users who have created or updated records of those actions.

In the result worksheet for one of these algorithms, each row is in itself a complete risk incident. For example, suppose the Transaction Risk Summary worksheet contains a row for an algorithm titled 40001: Supplier and Payables Invoices Created by the Same User. It indicates that algorithm violations exceed $100,000 and that the worksheet includes 56 result rows. For this type of algorithm, there are therefore 56 individual issues for you to investigate.

You open the result worksheet for the algorithm. Its description tells you that each row identifies users who have created both a payables invoice and a record of the corresponding supplier or supplier site. You might want to begin by sorting on the Payables Invoice.Amount column, so that you can start with the highest-value issue and descend from there.

You would then look for "Created By" columns. (Some SOD algorithms also include "Last Updated By" columns.) In this algorithm, the columns identify users who created supplier records, payables invoice records, and supplier-site location records. In the row for a particular supplier, you would discover the identity of an individual user who has created all three of these records, or two of the three. You could then investigate the related record numbers and follow up with that user to determine whether the actions were legitimate.

A transaction algorithm worksheet lists transactions that have separation-of-duties conflicts.
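
The review steps above can also be run offline over an exported copy of the result worksheet. The following Python sketch is an added example, not part of the product or its documentation. It assumes a CSV export; only the Payables Invoice.Amount header comes from the text, and the other column headers, the user names and the sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Only "Payables Invoice.Amount" is named in the text; the other headers are assumed.
AMOUNT = "Payables Invoice.Amount"
INVOICE_BY = "Payables Invoice.Created By"
OTHER_BY = {"supplier": "Supplier.Created By",
            "supplier site": "Supplier Site.Created By"}

# Constructed sample export of a result worksheet (not real data).
# The last row has no overlap and is included only to show that it is skipped.
SAMPLE = '''Supplier.Name,Supplier.Created By,Supplier Site.Created By,Payables Invoice.Number,Payables Invoice.Created By,Payables Invoice.Amount
Acme Tools,JDOE,JDOE,INV-1001,JDOE,"48,250.00"
Borealis Ltd,ASMITH,MLEE,INV-1002,ASMITH,"12,900.50"
Cobalt Supply,RKHAN,MLEE,INV-1003,mlee ,"71,300.00"
Delta Freight,PNGUYEN,TOWENS,INV-1004,JDOE,"3,120.75"
'''

def norm(user):
    # Assumption: user names compare case-insensitively, ignoring stray spaces.
    return (user or "").strip().casefold()

def triage(csv_text):
    """Return (incidents sorted by amount descending, total amount per user)."""
    incidents, per_user = [], defaultdict(Decimal)
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = norm(row.get(INVOICE_BY))
        # Records, besides the invoice, that the invoice creator also created.
        also = [name for name, col in OTHER_BY.items()
                if user and norm(row.get(col)) == user]
        if not also:
            continue  # no overlap in this row; nothing to follow up
        amount = Decimal(row[AMOUNT].replace(",", ""))
        incidents.append({"user": user, "invoice": row["Payables Invoice.Number"],
                          "supplier": row["Supplier.Name"], "amount": amount,
                          "also_created": also})
        per_user[user] += amount
    incidents.sort(key=lambda i: i["amount"], reverse=True)
    return incidents, dict(per_user)

if __name__ == "__main__":
    rows, totals = triage(SAMPLE)
    for r in rows:
        print(f'{r["amount"]:>12} {r["user"]:<8} {r["invoice"]} '
              f'{r["supplier"]}: invoice + {", ".join(r["also_created"])}')
    print(totals)
```

The per-user totals show which user accounts for the most invoice value across incidents, which helps decide whom to follow up with first.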