Business Process Analyst | Investment Banking

SITUATION – The investment banking client, with 60+ systems managing trading lifecycle functions for various lines of business, was carrying regulatory risk due to incomplete Sarbanes-Oxley (segregation of duties) procedures. A number of possible problems were in play that might have facilitated fraudulent activity or enabled trades to be approved by an inappropriate member of staff, which might negate all risk management precautions.

SOLUTION – We were engaged to define business-process-related access rules across the investment banking systems estate. These systems supported the investment banking trading lifecycle processes, from trading, confirmation, settlement, messaging and reconciliation to risk management activities. We approached this by process mapping all their line-of-business activities and capturing the user permissions each business function used within an end-to-end transaction process. Custom code provided by a third party was used to check that appropriate user/function segregations were observed throughout a specific line-of-business transaction; otherwise an error would be recorded.

OUTCOME – After 9 months' work, approximately 45,000 rules were defined and run on the international trading systems estate's IAM system logs. Errors indicated business rule violations, identifying users with toxic combinations of access. Rule violations were verified and then resolved with business system owners and appropriate IT support administrators making changes to a user's permissions across a number of systems.
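
The kind of rule check described in the solution and outcome above can be sketched as follows; this is an added example, not the third party's code from the engagement. The conflict pairs, user names, system names and log records are constructed assumptions, and the log is assumed to be already normalised to (user, system, function, trade id).

```python
from collections import defaultdict
from itertools import combinations

# Hypothetical SoD rules: pairs of trading-lifecycle functions that one
# person must not both perform (assumed for illustration, not the client's rules).
CONFLICTS = {
    frozenset({"trading", "confirmation"}),
    frozenset({"trading", "settlement"}),
    frozenset({"settlement", "reconciliation"}),
}

# Constructed IAM log records: (user, system, function, trade_id).
EVENTS = [
    ("alice", "OMS-1", "trading", "T100"),
    ("bob", "CONF-2", "confirmation", "T100"),
    ("carol", "SETL-3", "settlement", "T100"),
    ("dave", "OMS-1", "trading", "T101"),
    ("dave", "CONF-2", "confirmation", "T101"),  # books and confirms same trade
    ("erin", "SETL-3", "settlement", "T101"),
    ("erin", "RECON-4", "reconciliation", "T103"),  # different trade, other system
]

def _violations(events, conflicts, key):
    """Collect the functions seen per group, then report conflicting pairs."""
    seen = defaultdict(set)
    for user, _system, function, trade_id in events:
        seen[key(user, trade_id)].add(function)
    found = []
    for group, functions in seen.items():
        for a, b in combinations(sorted(functions), 2):
            if frozenset((a, b)) in conflicts:
                found.append(group + (a, b))
    return sorted(found)

def transaction_violations(events, conflicts=CONFLICTS):
    """One user performing conflicting functions on the same trade."""
    return _violations(events, conflicts, lambda user, trade: (trade, user))

def toxic_combinations(events, conflicts=CONFLICTS):
    """One user holding conflicting functions across any systems or trades."""
    return _violations(events, conflicts, lambda user, trade: (user,))

if __name__ == "__main__":
    for row in transaction_violations(EVENTS):
        print("transaction violation:", row)
    for row in toxic_combinations(EVENTS):
        print("toxic combination:", row)
```

The second check flags a user whose conflicting access spans separate systems even when no single trade shows both functions, which a per-transaction check alone would miss.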