Ipiranga Case
May 15, 2023

Ipiranga, one of the main companies in Brazil's fuel and energy sector, needed focused oversight of its SOX systems and a defined strategy for segregating the functions of its users and access profiles. For this reason, Vennx's team of specialists was hired to carry out a complete diagnosis and implement an effective action plan to address these challenges.
Objective
Perform a diagnosis of Ipiranga's SOX systems in order to define a strategy for addressing the segregation of functions of its users and access profiles.
Stages
• Development of the methodology for classifying systems under the scope of SoD. Analysis of the company's risk strategy, auditors' notes, and technology practice for establishing the process for defining the SoD Perimeter, considering system classification criteria, potential impact, roles, and responsibilities.
• Construction of the identification tool for systems exposed to SoD: Development of the SoD exposure identification tool for systems, including the rules established in step #01, for the automatic generation of the critical assessment of each application for the purpose of segregating functions.
• Classification of the systems and definition of the SoD Perimeter: Evaluation of the Ipiranga SOX systems to identify the level of SoD exposure for each application. Compilation of results, definition of the SoD Perimeter and preparation of the SoD risk treatment roadmap for the mapped systems.
• Construction of version #01 of the Perimeter Systems SOD Matrix: Analysis of the source codes and the transaction dictionary, when applicable, and interviews to assess the SOD risks of the systems.
• Diagnosis and action plan for conflict mitigation: Execution of the conflict diagnosis in the Ipiranga environment and design of the action plan for mitigation and, if applicable, presentation to the external auditor.
• Execution of the action plan for the mitigation of SOD conflicts: Based on the defined action plan, carry out the following conflict mitigation actions:
1) breaking conflicting profiles;
2) association of compensatory controls;
3) mitigation analysis of accesses;
4) isolation of transactions and profiles that don't impact SOX.
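The conflict diagnosis and the first two mitigation actions listed above, shown as an added worked example in Python; this is not code from the Ipiranga engagement or from any Vennx tool. The SoD matrix, the profiles, the users and the transaction names are all constructed sample data, and the two definitions used are assumptions, since the page does not define the terms: an intrinsic conflict is a conflicting transaction pair granted by a single profile, and an extrinsic conflict is a pair a user obtains only by combining several profiles.

```python
"""Minimal SoD (segregation of duties) conflict check over an SoD matrix.

All data below is constructed for illustration. The intrinsic/extrinsic
definitions are assumptions, not taken from the Ipiranga case.
"""

# SoD matrix: unordered pairs of transactions one person must not hold together.
SOD_MATRIX = {
    frozenset({"CREATE_VENDOR", "APPROVE_PAYMENT"}),
    frozenset({"CREATE_PO", "APPROVE_PO"}),
    frozenset({"POST_JOURNAL", "RECONCILE_BANK"}),
}

# Access profiles: profile name -> transactions the profile grants.
PROFILES = {
    "AP_CLERK": {"CREATE_VENDOR", "ENTER_INVOICE"},
    "AP_MANAGER": {"APPROVE_PAYMENT", "CREATE_VENDOR"},  # conflict inside one profile
    "BUYER": {"CREATE_PO"},
    "PO_APPROVER": {"APPROVE_PO"},
    "GL_ACCOUNTANT": {"POST_JOURNAL"},
}

# User -> profiles assigned to that user.
USERS = {
    "alice": {"AP_MANAGER"},
    "bob": {"BUYER", "PO_APPROVER"},        # conflict only across two clean profiles
    "carol": {"AP_CLERK", "GL_ACCOUNTANT"},  # no conflicting pair
}


def effective_transactions(user, users, profiles):
    """Union of every transaction granted by the user's assigned profiles."""
    return set().union(*(profiles[p] for p in users[user]))


def intrinsic_conflicts(profiles, matrix):
    """(profile, pair) for every matrix pair fully contained in one profile."""
    return {(name, pair) for name, txs in profiles.items() for pair in matrix if pair <= txs}


def extrinsic_conflicts(users, profiles, matrix):
    """(user, pair) for pairs a user holds only by combining profiles."""
    found = set()
    for user, assigned in users.items():
        effective = effective_transactions(user, users, profiles)
        for pair in matrix:
            if pair <= effective and not any(pair <= profiles[p] for p in assigned):
                found.add((user, pair))
    return found


def split_profile(profiles, name, keep, new_name):
    """Mitigation 1): break a conflicting profile.

    Transactions in `keep` stay in `name`; the rest move to `new_name`.
    Returns a new profile dict and leaves the input untouched.
    """
    new = dict(profiles)
    new[name] = profiles[name] & keep
    new[new_name] = profiles[name] - keep
    return new


def residual_conflicts(users, profiles, matrix, compensating_controls):
    """Mitigation 2): user-level conflicts left after accepted controls are subtracted.

    `compensating_controls` is a set of (user, pair) tuples for which a
    compensating control has been documented and accepted.
    """
    user_conflicts = {
        (user, pair)
        for user in users
        for pair in matrix
        if pair <= effective_transactions(user, users, profiles)
    }
    return user_conflicts - compensating_controls


if __name__ == "__main__":
    print("intrinsic:", intrinsic_conflicts(PROFILES, SOD_MATRIX))
    print("extrinsic:", extrinsic_conflicts(USERS, PROFILES, SOD_MATRIX))
    fixed = split_profile(PROFILES, "AP_MANAGER", {"APPROVE_PAYMENT"}, "VENDOR_MAINT")
    print("intrinsic after split:", intrinsic_conflicts(fixed, SOD_MATRIX))
    accepted = {("bob", frozenset({"CREATE_PO", "APPROVE_PO"}))}
    print("residual:", residual_conflicts(USERS, fixed, SOD_MATRIX, accepted))
```

Splitting a profile removes the intrinsic conflict from the profile itself, but any user who genuinely needs both halves will then hold two profiles and show up as an extrinsic conflict instead, which is why the user-level residual check runs after the split and after compensating controls are recorded.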
Achieved results
- 25 systems evaluated.
- 20 systems classified for SoD scope.
- Preparation of 20 SoD risk matrices in just 7 days.
- Analysis of 5,500 transactions and 1,262 profiles.
- Rating of 23,000 users.
- Mapping of 15,700 risk possibilities.
- Identification of 30,600 intrinsic conflicts.
- Identification of 1,500,000 extrinsic conflicts.
The Ipiranga case demonstrates Vennx's effectiveness in implementing segregation of duties solutions in SOX systems, ensuring security and compliance. In just 7 days, we were able to create 20 SoD risk matrices, showing the speed and precision of our solutions. To learn more about how Vennx can help your company implement segregation of duties strategies and strengthen IT governance, contact us.
