Segregation of duties - Technology vs User-Developers?

fleaster
Regular Participant
Posts: 167
Joined: Wed Mar 30, 2011 11:57 pm
OLAP Product: TM1
Version: 10.2.2
Excel Version: XL2010

Segregation of duties - Technology vs User-Developers?

Post by fleaster »

Hi all,
Basically in our company a systems accounting team (under Finance) own and develop/maintain TM1, with secondary server support from the Technology side.

However, whenever the auditors come in, they view us as users as well (which we are kind of), hence they cite this as a conflict of interest... ie in their mind technology should be doing the development while users should be users.

Though we have been able to prove there are mitigating circumstances for the arrangement (and that it makes sense for our business workflow), it has become a little annoying fielding these questions each time - so am wondering if anyone else out there :

(i) has a similar arrangement of having "user-developers" outside of technology
(ii) if so, how you have explained it to auditors etc...?
(iii) ...or if you sit in Technology as a developer (and outside of the business), how you have found the workflow?

cheers,

Matt
David Usherwood
Site Admin
Posts: 1458
Joined: Wed May 28, 2008 9:09 am

Re: Segregation of duties - Technology vs User-Developers?

Post by David Usherwood »

I would say the overwhelming majority of TM1 shops reside within a user function, not in IT. (Waits for rebuttal....)
I recall this kind of thing in the past, but since I was a systems auditor before I became a systems accountant, I didn't find it hard to shake them off. Hybrid skills are one of the key reasons this works well. Just because you are in finance doesn't rule out proper division of duties. Do you sign off the management accounts? I doubt it.
George Regateiro
MVP
Posts: 326
Joined: Fri May 16, 2008 3:35 pm
OLAP Product: TM1
Version: 10.1.1
Excel Version: 2007 SP3
Location: Tampa FL USA

Re: Segregation of duties - Technology vs User-Developers?

Post by George Regateiro »

I would agree with David on the sentiments that your situation is not out of the ordinary. I can remember going to old Applix conferences and literally being one of the only purely IT people in attendance. For me that has changed since TM1 is a product where I don't believe you can have the clear segregation and be successful, but that is another topic.

To your question about segregation of duties on a practical level. What we did in the past was the following:

My daily account had WRITE access to my area of responsibility and then read to everything else so I could troubleshoot user issues. It did not have ADMIN (or even data admin).

I then had a separate NT login that would have ADMIN access to TM1 for the tasks that required the admin rights. Logins to this account were monitored through the domain and I had to be able to justify a login via approvals for data changes and the like.

Security was a TI process (rather than the User and Groups GUI) so I could do most daily functions without my privileged login.

It was in no way an ideal system, but it worked to keep the auditors at bay. In the end you have to find a balancing act within your organization. The company I referenced in the example was very big on the segregation so TM1 was always a pain to explain. That is why our system was a little cumbersome with approvals and the like but it saved a lot of headaches from auditors.
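Added example, not part of the original post: one way to evidence the "monitored privileged login, justified by an approval" control described above is to reconcile each logon of the separate admin account against approved change windows. The account names, ticket ids, record layout and the self-approval rule are assumptions made for illustration, and the sample data is constructed.

```python
from datetime import datetime

# Constructed sample data (hypothetical names and layout, not from the thread).
# Logons of the separate privileged account: (timestamp, account)
ADMIN_LOGONS = [
    ("2024-03-04T09:12:00", "fin-tm1-admin"),
    ("2024-03-04T22:47:00", "fin-tm1-admin"),
    ("2024-03-06T14:05:00", "fin-tm1-admin"),
]
# (ticket, privileged account, requester, approver, window start, window end)
APPROVALS = [
    ("CHG-EXAMPLE-1", "fin-tm1-admin", "dev1", "finance-controller",
     "2024-03-04T09:00:00", "2024-03-04T11:00:00"),
    ("CHG-EXAMPLE-2", "fin-tm1-admin", "dev1", "dev1",
     "2024-03-06T13:00:00", "2024-03-06T15:00:00"),
]

def _ts(value):
    """Parse an ISO-8601 timestamp string."""
    return datetime.fromisoformat(value)

def reconcile(logons, approvals):
    """Match each privileged logon to an approved change window.

    Returns (timestamp, account, finding, ticket) tuples for logons an
    auditor would query; an empty list means every logon was covered by
    an independently approved change.
    """
    findings = []
    for when, account in logons:
        t = _ts(when)
        covering = [a for a in approvals
                    if a[1] == account and _ts(a[4]) <= t <= _ts(a[5])]
        if not covering:
            findings.append((when, account, "no-approval", None))
            continue
        # Assumption: a window only counts if requester and approver differ.
        independent = [a for a in covering if a[2] != a[3]]
        if not independent:
            findings.append((when, account, "self-approved", covering[0][0]))
    return findings

if __name__ == "__main__":
    for row in reconcile(ADMIN_LOGONS, APPROVALS):
        print(row)
```
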
fleaster
Regular Participant
Posts: 167
Joined: Wed Mar 30, 2011 11:57 pm
OLAP Product: TM1
Version: 10.2.2
Excel Version: XL2010

Re: Segregation of duties - Technology vs User-Developers?

Post by fleaster »

Thanks for the responses guys...
George Regateiro wrote: My daily account had WRITE access to my area of responsibility and then read to everything else so I could troubleshoot user issues. It did not have ADMIN (or even data admin).
...
Security was a TI process (rather than the User and Groups GUI) so I could do most daily functions without my privileged login.
Am curious how you got the TI Security process to work - when I tried this, I was unable to get it to update unless I was logged in as Admin... not sure if it is a peculiarity associated with v9.4 ...?
lotsaram
MVP
Posts: 3706
Joined: Fri Mar 13, 2009 11:14 am
OLAP Product: TableManager1
Version: PA 2.0.x
Excel Version: Office 365
Location: Switzerland

Re: Segregation of duties - Technology vs User-Developers?

Post by lotsaram »

fleaster wrote: Am curious how you got the TI Security process to work - when I tried this, I was unable to get it to update unless I was logged in as Admin... not sure if it is a peculiarity associated with v9.4 ...?
Right-click the process, make sure there is a check next to "Security Access".
fleaster
Regular Participant
Posts: 167
Joined: Wed Mar 30, 2011 11:57 pm
OLAP Product: TM1
Version: 10.2.2
Excel Version: XL2010

Re: Segregation of duties - Technology vs User-Developers?

Post by fleaster »

ar harr... thanks for that... can't believe I missed it :p
jcr55
Posts: 54
Joined: Tue May 08, 2012 3:58 pm
OLAP Product: TM1
Version: 9.5.2 FP2
Excel Version: Excel 2007

Re: Segregation of duties - Technology vs User-Developers?

Post by jcr55 »

We have a similar situation - I work in Finance as a TM1 Developer and Application admin.
IT handles the servers, infrastructure, and the Citrix side.
We have separate Development, User Test, and Production servers.
We only make functional (business logic) changes in Development, and a change control process is in place where IT does the migration to the User Test and Production environments.
That satisfies the Audit 'separation of duties' requirement.
fleaster
Regular Participant
Posts: 167
Joined: Wed Mar 30, 2011 11:57 pm
OLAP Product: TM1
Version: 10.2.2
Excel Version: XL2010

Re: Segregation of duties - Technology vs User-Developers?

Post by fleaster »

Ok I see :)

So what about general maintenance - which dept would update this? e.g. maybe some structures need to be updated because of reconciliation or mapping issues etc...
Martin Ryan
Site Admin
Posts: 2003
Joined: Sat May 10, 2008 9:08 am
OLAP Product: TM1
Version: 10.1
Excel Version: 2010
Location: Wellington, New Zealand

Re: Segregation of duties - Technology vs User-Developers?

Post by Martin Ryan »

jcr55 wrote: We have a similar situation - I work in Finance as a TM1 Developer and Application admin.
IT handles the servers, infrastructure, and the Citrix side.
We have separate Development, User Test, and Production servers
We have a similar setup but do the promotions, migrations etc ourselves. IT solely do the infrastructure. One of the senior IT guys doesn't like it much, but they simply don't have the knowledge to support the system, and the CFO loves the control it gives him as we turn things around way faster than IT would.
fleaster wrote: whenever the auditors come in, they view us as users as well (which we are kind of), hence they cite this as a conflict of interest... ie in their mind technology should be doing the development while users should be users.
What's the conflict of interest? I think it's a great strength that the users are the developers as they get exactly what they need.

Given that TM1 is rarely a transactional tool I don't believe the "separation of duties" setup is required. Finance typically have access to all of the data anyway, so having it all in TM1 with complete access simply makes it easier for them to do their job.

My question back to audit would be "what's the security risk?". Just because it's not the normal way of developing systems, doesn't mean there's an inherent security risk.
Please do not send technical questions via private message or email. Post them in the forum where you'll probably get a faster reply, and everyone can benefit from the answers.
fleaster
Regular Participant
Posts: 167
Joined: Wed Mar 30, 2011 11:57 pm
OLAP Product: TM1
Version: 10.2.2
Excel Version: XL2010

Re: Segregation of duties - Technology vs User-Developers?

Post by fleaster »

Martin Ryan wrote: What's the conflict of interest? I think it's a great strength that the users are the developers as they get exactly what they need.
100% agree - unfortunately the auditors/compliance always seem to have an issue with what they perceive as a segregation of duties
Martin Ryan wrote: Given that TM1 is rarely a transactional tool I don't believe the "separation of duties" setup is required. Finance typically have access to all of the data anyway, so having it all in TM1 with complete access simply makes it easier for them to do their job.

My question back to audit would be "what's the security risk?". Just because it's not the normal way of developing systems, doesn't mean there's an inherent security risk.
Yes, we generally cite that TM1 is not the general ledger data source, but just a reporting tool that sits on top of it (which we do extensive reconciliation & checking of etc); often I give the example of an Excel sheet or Access mdb - would you need to have someone sign off every time someone changes a formula or the colour of a cell? Probably not...

However, I think they tend to be more wary because of the size of the user base (ie anything over 100), and the dependency on the application to provide "sensitive" data...
garry cook
Community Contributor
Posts: 209
Joined: Thu May 22, 2008 7:45 am
OLAP Product: TM1
Version: Various
Excel Version: Various

Re: Segregation of duties - Technology vs User-Developers?

Post by garry cook »

Ah, FSA and SOX audits, yummy! Every six months without fail I get a visit from the people best described as the ones who turn up after the war's finished and stab the wounded ;)

Division of labour always comes up. Every time it gets raised as a weakness and we point out that TM1 developers don't generally post journals or sign off on accounts so segregation of responsibility is not an issue.

In terms of controls for productionisation, testing, etc - well, that just comes down to the internal controls being strong enough which to be fair is what they're there to test. The argument I always put forward (usually successfully) is that it's actually more controlled than IT because of the fact that it's integrated functionally meaning that there is a higher level of understanding for reconciliations, etc. In reality the controls are never going to be as strong as in IT because the pressure for delivery speed functionally usually forces corner cutting but that's the trade off you pay.

As an aside, that's always one of my personal fave interview questions - "Do you believe TM1 fits in better in IT or Finance and why?"

People that have been through these pains (and others) have a good answer to it, those that haven't don't tend to and either way, there is no right answer so gives a chance for folk to show how good they are at putting forward their own argument.
garry cook
Community Contributor
Posts: 209
Joined: Thu May 22, 2008 7:45 am
OLAP Product: TM1
Version: Various
Excel Version: Various

Re: Segregation of duties - Technology vs User-Developers?

Post by garry cook »

Just noticed that was my 100th post.

Taken four years to become a centurion. My mum would be so proud ;)
fleaster
Regular Participant
Posts: 167
Joined: Wed Mar 30, 2011 11:57 pm
OLAP Product: TM1
Version: 10.2.2
Excel Version: XL2010

Re: Segregation of duties - Technology vs User-Developers?

Post by fleaster »

congrats Garry on making the 100-century club ;)

...thanks all for sharing your experiences - am now thinking there is no "magic word" to make the auditors go away, but we'll probably just have to repeat the same story each year.... *sigh* :p