How To Check Segregation of Duties with Disco Anne6 Mar ‘14

This photo just amazes me and reminds me how far we have come in the past few years

Should the manager approve her own travel request? Usually, the answer is “no” and there are many other examples of where it is not desirable that the same person performs two or more activities in a process.

For example, in a Dutch government process, where citizens can ask for special support based on their income and expenses that they incurred because of illnesses and other circumstances, the employee handling the payout should not be able to change the bank account number and make the transfer at the same time. Otherwise, it would be too easy to give your own bank account number and transfer money to it.

These kind of rules are common in all companies and they are called “Segregation of Duties” (SoD), or “Four Eyes principle”. The idea is to reduce the risk of fraud by putting systems in place that help to keep people honest. These systems are called “controls” and while some controls are realised by IT others just exist in the process documentation, the business rules.

One of the main tasks of an auditor is to check whether the controls that are defined are actually working.

Process mining can be used to check compliance rules like the segregation of duties. The advantage is that while most IT-based SoD controls are implemented on the level of authorisations (for example, employees who have the ability to change the bank account number cannot transfer the money), managing authorisations is a complex task and people change roles all the time. What happens if a person first had the role, where the bank account number could be changed, and later changes into the role with the ability to transfer money? Cases that were started with the first role could be completed by the same person in the second role.

So, while an auditor will review the IT-based authorization controls, it is also interesting to check the actual process executions to see whether the controls were effective (that is, whether SoD violations did occur or not).

Three years ago, we had shown you already how to check segregation of duties with ProM. With Disco, it has actually been possible to check segregation of duties from the beginning. In this post we want to show you how.

If you want to follow along with the instructions, you can do that by simply downloading the demo version of Disco from our website here and repeating the steps that are shown below. Let’s get started!

Get the Sandbox project

You can use the sandbox example that comes with Disco. After the installation, you will be presented with the following blank screen. Click on the Sandbox… button and …

Sandbox project in process mining software Disco

… then double-click the second data set called Process map 100% detail (or press the View details button).

Selecting dataset in sandbox project in Disco

This is the discovered process map of a purchasing process and you are now in the analysis view. Here, you can look at the actual process flows, use the sliders to simplify the process and change the metrics that are displayed in the process map, all based on the data that was extracted from the IT system.

Add filter for segregation of duty violations

To check for segregation of duty violations, you can add a Follower filter. This filter can be added directly by clicking the filter symbol in the lower left corner, or via a shortcut through the process map.

Imagine that this purchasing process has the SoD constraint that the activities Release Supplier’s Invoice and Authorize Suppliers’s Invoice payment should not be performed by the same person for the same case. You want “four eyes” (two different people) to look over it to make sure this is a real invoice that should be paid.

To add a follower pattern filter, you can simply click on the arc going from Release Supplier’s Invoice to Authorize Suppliers’s Invoice payment as shown below. Once you press Filter this path…

Add Follower filter directly in Disco

… a new Follower filter will be added to your data set.1 You can now further customize the Follower filter.

To check for segregation of duties in this example, make these two changes to the Follower filter:

  • Tick the box Require the same value of Resource for each pair of events matched above to enable the SoD constraint. Of course you actually want that different people are performing these two tasks. However, here we are checking for violations, so we want to see whether there are cases where the person was the same.

  • Change the follower pattern from directly followed to eventually followed. Because we came in through the process map short-cut the direct path is checked. However, we want to catch all violations, regardless of whether these two activities were directly performed after one another or whether a dispute was settled in between.2

Check whether activities were performed by the same person

You could now directly apply the filter, but let us preserve the results in a new bookmark in your project, so that you can refer back to them later on.

This can be done by using the Copy and filter rather than the Apply filter button. With Copy and filter you can give a meaningful name and apply the filter to a new copy of the data set, leaving the current data set as it is. Press Create.

Make a copy of the data set to save the segregation of duty violations

Inspect the results

Now it is time to inspect the results. You will see that almost 40% of the cases are violating this segregation of duties rule! To look at some concrete examples, change from the Map view to the Cases view on the top.

You can see that there are exactly 242 cases that are violating the four eyes principle here. One case, the case with the case ID 15 is shown below and you can see that, indeed, Karalda Nimwada was doing both the Release Supplier’s Invoice and the Authorize Supplier’s Invoice Payment step in this case.

You can browse through to see more examples and export all of them to Excel.

Inspecting cases with segregation of duty violations

Dig deeper

But who exactly is violating the rule most often?

To find out, you can refine the results to focus on just the two activities involved in the SoD constraint in the following way: Click on the filter symbol in the lower left corner to add another filter and add an Attribute filter from the list as shown below.

Refining the results on the activities with segregation of duty violations only

Then, only keep the two activities we are interested in at the moment (Release Supplier’s Invoice and Authorize Supplier’s Invoice Payment). Press Apply filter.

Deselecting all activities that are not of interest

Now you see that all the other activities have been removed and you can change to the Statistics view to look at the most frequent resources.

Changing to the statistics view in Disco

In the Resource statistics overview, we see that just two users are involved in the SoD violations.

See which people are involved in the SOD violations and give targeted training

To take action, we can now check their authorizations or give a targeted training.

  1. If the activities you would like to check are not directly following each other, you can directly add a Follower filter from the filter list or change the activities in the filter configuration afterwards. ↩︎

  2. Note that if these activities are sometimes performed in reverse order, then the opposite direction needs to be checked as well. ↩︎

Anne Rozinat

Anne Rozinat

Market, customers, and everything else

Anne knows how to mine a process like no other. She has conducted a large number of process mining projects with companies such as Philips Healthcare, Océ, ASML, Philips Consumer Lifestyle, and many others.

Hello Friendo!

You are reading Flux Capacitor, the company weblog of Fluxicon. Here, we write mainly about Process Mining, the things we're up to, and anything really.

We make Disco, the most powerful, user-friendly, and popular process mining software in the world. You should check it out and download your free demo version here!

Every year, we organize Process Mining Camp, the only conference exclusively focused on the practical application of process mining. Join hundreds of Process Miners from all over the world for two days of practice talks, workshops, and hanging out in Eindhoven!

Whether you are a beginner, or an experienced process mining practitioner — you may want to join one of our popular Process Mining Trainings, given every few weeks by experienced guides. We hear they're pretty great.

And if you're more the book worm type, go and read your heart out with our brand new Process Mining Book, which has everything to get you started and much more!

Keep you in the loop? Sure thing! Use this RSS feed, or subscribe to get an email when we post new articles. If you prefer an executive summary to the daily flurry, you should sign up to our mailing list here. And, of course you should follow us on Twitter here.

See you around,

— Your friends from Fluxicon.

© 2024 by Fluxicon BV, all rights reserved.
You can read our privacy policy here.
Questions, comments, or suggestions? For all that, and anything really, please contact us at info@fluxicon.com.