Minimize
Blogger List

Johannes Ahrends
Toad and Oracle

Ben Boise
Toad SC Discussions

Kevin Dalton
Benchmark Factory

Steven Feuerstein
PL/SQL Obsession

Devin Gallagher
Toad SC discussions

Stuart Hodgins
JProbe Discussions
  Henrik "Mauritz" Johnson
Toad Tips & Tricks on the "other" Toads
  Mark Kurtz
Toad SC discussions
  Michael Lumbard
Toad SC discussions
Daniel Norwood
Toad for Data Analysts,
Toad Extension for Visual Studio
Debbie Peabody
Toad for Data Analysts
Gary Piper
Toad Reports Manager
John Pocknell
Toad for Oracle, JProbe
Kuljit Sangha
Toad SC discussions
Bert Scalzo Indicates Oracle ACE status
Toad for Oracle, Data Modeling, Benchmarking
Jeff Smith
Toad product family
Richard To
SQL Optimization
Jim Wankowski
DB2 - LUW and z/OS
John Weathington
  Toad Data Modeler Opens in a new window
Data Modeling		  
  Real Automated Code Testing for Oracle
Quest Code Tester blog
 
Minimize
Blog Categories
 
Minimize
Blog Tags
toad for oracle (122)
oracle (62)
plsql (46)
sql optimization (37)
toad for data analysts (28)
code tester (19)
toad for ibm db2 (13)
automation (11)
batch optimizer (10)
virtualization (10)
schema browser (9)
toad for sql server (9)
data grid (8)
sql (8)
sql editor (8)
toad data modeler (8)
benchmark factory (7)
excel (7)
query builder (7)
report manager (7)
toad extension (7)
visual studio (7)
11g (6)
configuration (6)
freeware (6)
health check (6)
vmware (6)
connect (5)
dba module (5)
er diagrammer (5)
F4 (5)
linux (5)
refactoring (5)
spotlight (5)
unicode (5)
compare (4)
debugger (4)
export (4)
formatter (4)
make code (4)
rman (4)
strip code (4)
benchmark (3)
bfscript (3)
bulk collect (3)
code templates (3)
code xpert (3)
database browser (3)
db2 (3)
notebook (3)
oem (3)
RAC (3)
session browser (3)
speed (3)
sql optimizer (3)
toad for mysql (3)
tpc-c (3)
9.7 (2)
alert log (2)
app designer (2)
awr (2)
code insight (2)
code snippets (2)
collection (2)
compare and sync (2)
compliance (2)
data generator (2)
data warehouse (2)
database explorer (2)
database monitor (2)
explain (2)
forall (2)
ftp (2)
group execute (2)
handbook (2)
installation (2)
job scheduler (2)
multi-task (2)
nested table (2)
os command (2)
profiler (2)
recovery (2)
release history (2)
save as (2)
schema compare (2)
sql recall (2)
stats pack (2)
subversion (2)
team coding (2)
trace file browser (2)
while loop (2)
10g (1)
64 bit (1)
7zip (1)
action (1)
addm (1)
alter (1)
ansi join (1)
array (1)
ccleaner (1)
code coverage (1)
code road map (1)
CRON (1)
cursor for loop (1)
data browser (1)
data subset (1)
database probe (1)
dbms_flashback (1)
dbms_profiler (1)
ddl (1)
feuerstein (1)
filezilla (1)
flash drive (1)
flow control (1)
for loop (1)
group policy manager (1)
hints (1)
import (1)
index (1)
inheritance (1)
invoker rights (1)
ipad (1)
java (1)
latency (1)
log switch (1)
logical model (1)
ltrim (1)
master-detail browser (1)
monitor (1)
multi-select (1)
naming standards (1)
network (1)
object explorer (1)
OEBS (1)
package (1)
parser (1)
partitioning (1)
performance (1)
pragma (1)
project manager (1)
RAT (1)
revo (1)
REXEC (1)
schema report (1)
script manager (1)
search (1)
set operator (1)
sga (1)
slow (1)
sonarsource (1)
source control (1)
space projection (1)
sql monitor (1)
sql navigator (1)
sql script (1)
sql tracker (1)
sql*plus (1)
standards (1)
statistics (1)
stored procedure (1)
string parser (1)
sub-model (1)
sub-type (1)
synch (1)
synchback (1)
TELNET (1)
toad (1)
trace (1)
unit test (1)
unix (1)
usb (1)
utility (1)
v10 (1)
v9.5 (1)
version control (1)
waits (1)
workload replay (1)
workspace (1)
xml (1)
 
WELCOME, GUEST
 
 

Blogs
Toad and Database Commentaries

Toad World blogs are a mix of insightful how-tos from Quest experts as well as their commentary on experiences with new database technologies.  Have some views of your own to share?  Post your comments!  Note:  Comments are restricted to registered Toad World users.

Do you have a topic that you'd like discussed?  We'd love to hear from you.  Send us your idea for a blog topic.

Keep It Under Control With SOD

May 1

Written by: JohnWeathington
Thursday, May 01, 2008  RssIcon

For the last couple of weeks, we’ve been talking about common controls that you will see in the mitigation of risks at your company. First we talked about reconciliation, then last week we addressed approvals. This week we’ll wrap up this series, by talking about “SOD.”

No, I’m not suggesting that you install a new lawn. SOD stands for Segregation of Duties ( or sometimes it’s referred to as Separation of Duties ). It’s not an acronym, so you’ll never hear it pronounced like the word “sod”. However, it’s commonly shortened to its initials – S. O. D.

Essentially what SOD means, is that you want separate duties or activities in a chain of process events, physically executed by different people. This is not an approval control, so it’s not about somebody approving or checking somebody else’s work. Usually the different people in the process flow are peers.

For example, your company might require that the person receiving money be different than the person depositing the money. Or, that the person approving a request for access not be the same person that is actually requesting the access ( believe me, I’ve seen it! )

This type of control has a few qualities to it:

    • The implementation of the control is something you typically only see in a compliance context. Reconciliation and approvals serve many types of purposes, but SOD is generally only applied in a compliance domain.
    • This is an attempt to control a more narrow set of risks. In almost all cases, SOD is trying to prevent unethical behavior by removing the temptation.
    • Because of the nature of the control, SOD requires more thought and planning, and will probably be more intrusive in its implementation. I’ve seen entire databases created solely for the purpose of SOD, and process designers spend hours upon hours trying to get things mapped out and documented correctly.

Here are some key tips for designing SOD into your compliance data system.

Tip # 1 – Downstream the Correct Data From Your HR Database

This is the same tip I gave you last week on approvals. You will need the same set of data. To reiterate, here’s the data that you need from your HR Database. I’m going to use Oracle ERPish column names in case they are familiar to you, however you should be able to translate if you’re not using Oracle ERP:

    • USER_ID – You need some way to link in your employee to your transactional data. For obvious reasons, you need to bring this in.
    • EMPLOYEE_ID –This is only optional in very small companies or in companies where the EMPLOYEE_ID and USER_ID is the same. Employee ID is important to distinguish different people that have the same name.
    • EMPLOYEE_NAME – Duh. Make sure you bring in the full name of the employee. You do not want to be in the middle of an audit, trying to decipher what “JAMESF” means.
    • PHONE – The employee’s phone extension. Very handy when you need on the spot answers.
    • EMAIL – The employee’s email address. Once again, if the employee doesn’t answer the phone, it’s nice to be able to shoot off a quick email. These kinds of things demonstrate to the auditor that you are running an efficient compliance operation.

Once again, I suggest you denormalize this information out to every data point that references an employee. In a star schema, this will be tricky if your process is evolving, but your best design is to have a separate dimension ( could be virtual ) for each step in the process. Your fact would be at the grain of the process instance, and the person who executed each step of the process would be referenced out to a separate dimension. For instance, you would have a “RECEIVED BY” dimension, and a “DEPOSITED BY” dimension.

The other option would be to build a fact at the grain of the process step, and just have one “EXECUTED BY” option. I don’t like this approach, because in the reporting you are going to be required to put different rows of the fact into one logical row, and do comparisons. Unless you have some really good reporting tools, this is going to be a mess.

Tip # 2 – Solve for the Status of Compliance in the Database

It may be tempting to stop the design at merely capturing the data. You need to go the extra mile, and design in the transformations that highlight the actual status of the compliance at any point in time. What I mean by that is this. You should have transformations that physically analyze the people who have executed the different steps of the process, and determine at load time whether or not there was a compliance violation.

To do this, you need to understand the policy, and not merely the players involved in the process. To illustrate, let’s use the example above of a policy that states that you cannot have the same person who is receiving the money, deposit the money. You might build a table that includes the following columns:

    • PROCESS_ID
    • PROCESS_INSTANCE_ID
    • PROCESS_DESCRIPTION
    • RECEIVED_DATE
    • RECEIVED_BY
    • DEPOSIT_DATE
    • DEPOSITED_BY
    • FLAG_SOD_COMPLIANT

Your load routine would need to compare RECEIVED_BY and DEPOSITED_BY to determine if they were the same person, then populate the FLAG_SOD_COMPLIANT with a ‘Y’ or ‘N’ based on the findings. In this way, the reporting can highlight out of compliant situations with a simple filter on FLAG_SOD_COMPLIANT.

Tip # 3 – Consider a Separate Subsystem for SOD, and Keep the Design Flexible

As mentioned above, building in SOD controls requires more focus and attention. It is worthwhile to segment this area of controls off in its own area. It’s not uncommon to see a separate loading area, operational data store, data warehouse, and data marts specifically built for the implementation of SOD.

Also, be prepared for a lot of changing requirements. The evolution of SOD control development is usually somewhat chaotic. The business will be experimenting with a lot of options before they get comfortable with an optimal solution. If you have the skills and resources, I would recommend architecting in an agile fashion, so that changing requirements don’t become a headache. Otherwise, I would hold off for a while until requirements get firmed up a bit, and buy a lot of Aspirin.

To summarize, when building your compliance data system, you will invariable be faced with the concept of SOD, which stands for Segregation of Duties. In short SOD controls are trying to mitigate the risk of unethical human behavior, by forcing different steps of a process to be executed by different people. Making sure you downstream the correct data from your HR database and solving for SOD compliant status in the database are critical to your success. It may also be worthwhile to segment off the entire function of SOD, as these types of controls will require more diligence than some of the others. Start today by reviewing your SOD requirements with your internal auditors, and suggesting a new SOD management system to the executives.

Trackback Print
Tags:
Categories:
Location: Blogs Parent Separator John Weathington's Blog
Minimize
Most Popular
 
Search Blog Entries
 
Blog Archives