
Work with Standard Competences

Each organization has its own interpretation of the quality of its authorizations. Assessing that quality therefore depends on having standards against which it can be assessed.

In the module Authorization Monitoring, the desired quality of the authorizations is specified by standard competences. These competences are used to assess that quality, including who owns the responsibility for data.

Tip! When setting up standard competences, make a distinction between standards for data ownership (e.g. item management) and standards for defining segregation of duties (e.g. purchase and receive).

In the window Standard Competence you can define standard competences and link allowed permissions. By linking organizational roles (formerly user profiles) to the Standard Competence you can make users responsible for certain data. Additionally, you can set function conflicts by linking Standard Competences.

To be able to monitor the responsibility of users for data and tasks, the organization has to define standard competences. These standard competences can often be derived from the built permission sets (formerly user roles). This procedure explains how you can define a standard competence and how you can assign organizational roles (formerly user profiles) to a standard competence.

  1. Open the window Standard Competence by selecting menu Departments - Compliance - Security - Authorization Monitoring - Standard Competence.
  2. Fill in the fields as described below:
  • Code: Enter a recognizable code for the standard competence. It is recommended to use a naming convention, for example: “FIN xxxx”. FIN means Financial process and xxxx can be replaced with a short description of the standard competence. This way you have a well-organized set of standard competences.
  • Description: Enter a description for the standard competence.
  • Type: Select a function type (according to the theory of Starreveld): Management, Guarding, Accounting, Executing, Monitoring.
  • Business Risk: Enter the risk for the organization if a user is linked to the permissions, but not to the standard competence (so the user is able to perform tasks they are not allowed to perform), for example “Unauthorized changes in item data”.
  • Business Impact: Select the impact of the Business Risk: High, Average or Low.
  • Process: Select the process of the standard competence.
  • Check Method: Select how to check:
    • Object: Check object by object and by separate permissions.
    • Standard: Check all allowed permissions together.
  • Default Evaluation for Accepted Finding: Automatically accepted findings are registered with the evaluation ‘Agreed’ by default. For the opened standard competence, this can be changed to ‘To be reviewed’ in the field Default Evaluation for Accepted Finding. The default configuration can be adjusted via Actions, Functions, Authorization Monitoring Setup.
  • Action by Agreeing Profile: Optionally, accepting a finding can also accept the findings for users and/or roles, depending on the configuration. This setting per standard competence overrules the generic setting in Departments - Compliance - Authorization Monitoring - Authorization Monitoring Setup.
  • The other fields are filled automatically.

According to internal control theories, some authorizations can conflict and should be segregated (segregation of duties). E.g. the authorizations for entering a sales order and posting a sales delivery should not be held by one person. With conflicting competences the correctness of the segregation of duties can be monitored.

To analyse possible segregation of duties conflicts, the module Authorization Monitoring offers the functionality to define these conflicts. Segregation of duties conflicts can be defined in a Standard Competence with conflicting competences, using the window Standard Competence, or with the use of window Conflict Matrix.

Method 1: By Standard Competences

  1. Open the window Standard Competence by selecting menu Departments - Compliance - Security - Authorization Monitoring - Standard Competence.
  2. The conflicting competences can be set up by selecting Conflicting Competences.
  3. Press Ctrl+N to define a new conflicting competence.
  4. Select the conflicting competences in field Competence and in field Conflicts with.
  5. Choose the internal control impact and internal control risk that apply if the conflict exists.
  6. Define the conflict reason: Internal Control, Hierarchical, Mandatory Principles or Setting Standards.

Method 2: By Conflict Matrix

The conflicting competences can also be managed in the conflict matrix. In this window the lines and columns show the standard competences and a conflict can easily be set up by simply checking the intersection. In the sub window, you can define for each conflict the internal control impact, internal control risk and the conflict reason. When unchecking the intersection, the conflict will be deleted.

  1. Open the window Standard Competences by selecting menu Departments - Compliance - Security - Authorization Monitoring - Conflict Matrix.
  2. In this matrix, conflicting competences are set up by selecting the arrow-down button at the intersection between two competences.
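
The conflict matrix and the resulting segregation-of-duties findings can be modelled outside the product as follows. This is an added example, not the module's own code or data model; it assumes the matrix is symmetric, and all competence codes, role names and users are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Conflict:
    impact: str  # internal control impact: High, Average or Low
    risk: str    # internal control risk (free text)
    reason: str  # conflict reason, e.g. "Internal Control"

class ConflictMatrix:
    def __init__(self):
        self._cells = {}

    def check(self, a, b, conflict):
        # Assumption: the matrix is symmetric, so one cell covers both directions.
        self._cells[frozenset((a, b))] = conflict

    def uncheck(self, a, b):
        self._cells.pop(frozenset((a, b)), None)  # unchecking deletes the conflict

    def get(self, a, b):
        return self._cells.get(frozenset((a, b)))

IMPACT_ORDER = {"High": 0, "Average": 1, "Low": 2}

def competences_of(user, user_roles, role_competences):
    """Standard competences a user holds via linked organizational roles."""
    held = set()
    for role in user_roles.get(user, ()):
        held |= role_competences.get(role, set())
    return held

def sod_findings(matrix, user_roles, role_competences):
    """Return (user, competence, conflicts_with, Conflict), highest impact first."""
    findings = []
    for user in sorted(user_roles):
        held = sorted(competences_of(user, user_roles, role_competences))
        for a, b in combinations(held, 2):
            conflict = matrix.get(a, b)
            if conflict is not None:
                findings.append((user, a, b, conflict))
    return sorted(findings, key=lambda f: (IMPACT_ORDER[f[3].impact], f[0]))

# Constructed sample data: every code, role and user below is hypothetical.
ROLE_COMPETENCES = {"SALES": {"SAL ORDER"}, "PURCH": {"PUR ORDER"}, "WHSE": {"SAL SHIP", "PUR RECEIVE"}}
USER_ROLES = {"anna": ["SALES", "WHSE"], "bob": ["PURCH", "WHSE"], "carol": ["SALES"]}
IC = "Internal Control"
MATRIX = ConflictMatrix()
MATRIX.check("SAL ORDER", "SAL SHIP", Conflict("High", "order and delivery by one user", IC))
MATRIX.check("PUR RECEIVE", "PUR ORDER", Conflict("Average", "purchase and receive by one user", IC))
```

Calling `sod_findings(MATRIX, USER_ROLES, ROLE_COMPETENCES)` reports anna and bob, because each of them combines two organizational roles whose competences conflict; carol holds a single competence and produces no finding.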
  • 2-controlware/04authorizationmonitoring/2standard_competence.txt
  • Last modified: 2020/10/23 12:36
  • by luukvm