Which of the following would be the MOST effective audit technique for identifying segregation of
duties violations in a new enterprise resource planning (ERP) implementation?
Reviewing a report of security rights in the system
Reviewing the complexities of authorization objects
Building a program to identify conflicts in authorization
Examining recent access rights violation cases
Since the objective is to identify violations in segregation of duties, it is necessary to define the
logic that will identify conflicts in authorization. A program could be developed to identify these
conflicts. A report of security rights in the enterprise resource planning (ERP) system would be
voluminous and time consuming to review; therefore, this technique is not as effective as building
a program. As complexities increase, it becomes more difficult to verify the effectiveness of the
systems and complexity is not, in itself, a link to segregation of duties. It is good practice to review
recent access rights violation cases; however, it may require a significant amount of time to truly
identify which violations actually resulted froman inappropriate segregation of duties.