GRC - Good practices for SOD function design
When defining risks in any project, the first step is to identify all the processes in the company, group similar processes as functions, and then validate these functions against each other in a SOD role matrix to come out with different types of risks [High, Medium, Low] and mitigation controls.
From my first project I have always had the same doubt: on what basis are these functions defined?
As per the standard definition, a function will include a group of transactions which can perform a similar task.
For example, creating security deposits and posting payments might be two different functions, but when, according to the business, they are done by the same person, in that case I can define both in a single function, or I can create separate functions for posting, separate functions for release activities, and separate functions for maintenance activities. Will this be a good approach to go ahead with?
I just want to know the good practices followed/suggested by experts who have been with the product for quite a long time, so that it will be very helpful in my approach.
Thanks & Regards,
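The following is an added example, not code from the original post or from any GRC product: it models functions as groups of transaction codes and risks as pairs of conflicting functions with a severity, then checks one role against the matrix under both function definitions discussed above. All transaction codes, function names and the role are constructed placeholders.

```python
# Added example (not from the original post): a minimal SOD risk check that
# models GRC-style functions (groups of transaction codes) and risks (pairs of
# conflicting functions with a severity), then evaluates a role against them.
# Every transaction code, function name and role below is a constructed
# placeholder, not a value from any real ruleset.
from itertools import combinations

# Fine-grained functions: name -> transaction codes that perform one task.
FUNCTIONS = {
    "SEC_DEPOSIT_CREATE": {"TC_DEP_CREATE"},   # constructed
    "PAYMENT_POST": {"TC_PAY_POST"},           # constructed
}
# Coarser alternative: both activities folded into a single function.
COARSE_FUNCTIONS = {
    "DEPOSIT_AND_PAYMENT": {"TC_DEP_CREATE", "TC_PAY_POST"},
}
# Risk matrix: unordered pair of functions -> severity. Only listed pairs are flagged.
RISKS = {
    frozenset({"SEC_DEPOSIT_CREATE", "PAYMENT_POST"}): "High",  # constructed
}


def functions_in_role(role_tcodes, functions):
    """Return the names of every function the role can fully execute."""
    return {name for name, tcodes in functions.items() if tcodes <= role_tcodes}


def sod_violations(role_tcodes, functions, risks):
    """Return [((function_a, function_b), severity)] for each conflicting pair the role holds."""
    held = functions_in_role(role_tcodes, functions)
    hits = []
    for a, b in combinations(sorted(held), 2):  # every unordered pair of held functions
        severity = risks.get(frozenset({a, b}))
        if severity:
            hits.append(((a, b), severity))
    return hits


ROLE = {"TC_DEP_CREATE", "TC_PAY_POST"}  # constructed role granting both activities

if __name__ == "__main__":
    # Fine-grained functions: the High risk is reported.
    print(sod_violations(ROLE, FUNCTIONS, RISKS))
    # Coarse function: the same role produces no finding, because risks are
    # defined between functions and a single function never conflicts with itself.
    print(sod_violations(ROLE, COARSE_FUNCTIONS, RISKS))
```

The second call returns an empty list: folding two activities into one function removes the matrix's ability to flag the conflict between them, which is the trade-off behind the granularity question above.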