Cases
The Challenge
CELEPAR, a reference in information technology in the public sector, began the 2023/2024 cycle committed to strengthening its governance structure, internal controls and compliance. To this end, it engaged Vennx to execute its Biannual Internal Audit Plan, covering several critical areas of the organization.
Objective of the Project
Vennx was responsible for conducting 15 internal audits, focusing on:
- Detailed mapping of the processes (walkthrough) with qualified interviews;
- Assessment of operational, regulatory and strategic risks;
- Analysis of internal controls based on COSO, COBIT, ITIL frameworks and good market practices;
- Preparation of recommendations aimed at mitigating risks, increasing efficiency and automation of processes;
- Construction of roadmaps with prioritized actions, considering complexity and impact;
- Creation of interactive Power BI panels for clear and dynamic visualization of the results;
- Presentation of the findings to the Board of Directors with delivery of a final executive report and complete working papers.
Scope and Coverage
The audits covered strategic and operational areas:
- LGPD (General Data Protection Law)
- Corporate Projects, Processes, and Organizational Structure
- Provisions
- Intangible and Fixed Assets
- Contracts and Agreements
- Consulting and Legal Advice
- Innovation and Research & Development
- Compliance
- Information Systems and Information Security
- Acquisitions and Accounts Payable
- Tax Planning
- Accounts Receivable and Contracts with Clients
- IT Corporate Governance
- Budget
- Labor Relations and Benefits
Achieved results
- 100% of the expected scope delivered on time, with a high technical standard;
- Conducting audits based on a structured methodology aligned with international standards;
- In-depth diagnosis and practical recommendations for risk mitigation and efficiency gains;
- Creation of management panels and dashboards in Power BI, facilitating decision-making and the monitoring of the action plan;
- Effective contribution to strengthening the company's governance, regulatory compliance, and data protection.
Strategic Impact
Vennx's actions contributed to increasing the maturity of CELEPAR's internal controls, while structuring the basis for more agile, transparent decisions aligned with the principles of public administration and best corporate risk management practices.


The main objective of the engagement was to assist PerkinElmer in mapping the principal risks related to the General Data Protection Law (LGPD - Law 13,709/18) and the General Data Protection Regulation (GDPR). The scope covered a detailed view of the company's processes, an evaluation of the personal and sensitive data the Company uses, and the security of the information technology environment that supports the transmission and storage of that information.
Once the processes and systems most relevant to the work were identified, data and IT compliance were mapped through interviews and analysis of supporting documentation. Beyond the mapping results, the engagement included a report with recommendations for LGPD compliance based on market and industry best practices and on Vennx's proprietary process improvement methodology.
The work was structured on two fronts: the first addressed awareness among executives and employees; the second covered the evaluation of processes, data and information technology, where the detailed analyses were carried out and the report was built by consolidating the results of the earlier stages.
Objectives
- Assist PerkinElmer in its compliance journey with the General Data Protection Law (LGPD) and the General Data Protection Regulation (GDPR).
- Map the main risks related to data protection, evaluating processes, personal and sensitive data, and the security of the information technology environment.
- Prepare a report with best practices and recommendations to ensure compliance with data protection laws.
Achieved results
- Validation of 12 compliance-related items:
- Assessment of the company's compliance with the requirements of the LGPD and the GDPR in relation to the mapped items.
- Identification of improvement points and opportunities for compliance with standards.
The LGPD and GDPR compliance project carried out by Vennx was fundamental for PerkinElmer to identify risks related to data protection and take the measures necessary to ensure its compliance with both laws.


Vennx, at the request of Invepar, conducted a complete audit to verify the use of the antennas installed by Brasil Towers within the Via-040 right-of-way. The process involved:
▪ Planning: the work was planned, including the logistics needed to cover the entire stretch to be verified.
▪ On-site collections and checks: georeferencing analyses and the survey of the antennas' technical specifications were carried out using audiovisual captures by drone. The journey along the road was supported by Invepar, which provided a driver and vehicle.
▪ Technical evaluation of evidence: with the support of a telecommunications technician, the collected evidence was analyzed and, based on queries of Anatel's records, the use of the antennas and towers was identified.
▪ Internal Audit Report: the evidence and conclusions of the audit work were recorded in a technical report submitted to Invepar.
▪ Presentation of results: the audit team presented the results in forums of interest to Invepar, including, where necessary, Brasil Towers.
Objectives
• Verify the use of the antennas installed by Brasil Towers within the Via-040 right-of-way, under concession to Invepar.
• Collect evidence to support analyses, internal procedures, and contract management with Brasil Towers.
Achieved results
• 39 audited antennas
• 13h drone flight
• 1800 km covered
The audit carried out by Vennx gave Invepar a complete and accurate overview of the use of the antennas installed by Brasil Towers within the Via-040 right-of-way. The evidence collected and the analyses performed support Invepar's strategic decision-making on the contract with Brasil Towers, ensuring regulatory compliance and adherence to the established agreements.


Vennx developed and deployed Oráculo, a platform for continuous corporate access monitoring. The solution was designed to cross data between authoritative sources, HR databases, and final applications, with the objective of detecting inconsistencies, improper access, and status differences between systems. The project meets a critical demand for access governance, information security, and regulatory compliance.
Identified Customer Problem
Before Oráculo was implemented, the Ipiranga and Ultrapar access environments presented significant risks and several points of fragility, including:
1. Access with higher profiles than necessary, creating a risk of excess privilege;
2. Terminated users who still had access to systems and applications;
3. Active users in applications, but absent from HR databases or official sources;
4. Differences between the status of users in the authoritative sources and in the applications (active/inactive);
5. Low traceability and absence of automated alerts about inconsistencies.
Objective of the Project
The project aimed to establish an automated verification and alert mechanism capable of identifying:
• Improper access or inconsistent with the functions performed;
• Active accounts with no backing record in official sources;
• Governance flaws in the access lifecycle;
• Data exposure risks or flaws in internal IT controls.
The proposal aimed to reinforce security, regulatory compliance, and the effectiveness of access controls in critical environments.
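The cross-check described above can be sketched in a few dozen lines. This is an added illustration, not Vennx's code: the HR extract, the application user lists, the field names and the access map are all constructed sample data, and the finding categories are labels chosen here for the five problems listed in the section.

```python
"""Identity reconciliation: cross an authoritative HR extract with application
user lists and flag the inconsistencies a monitor like the one described above
looks for.

Added illustration, not Vennx's code. All records, field names and the
access map below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str          # "active" or "terminated"
    job_function: str


@dataclass(frozen=True)
class AppAccount:
    app: str
    employee_id: str
    status: str          # "active" or "inactive"
    profile: str


@dataclass(frozen=True)
class Finding:
    app: str
    employee_id: str
    kind: str
    detail: str


# Hypothetical access map: which profiles each job function may hold, per app.
ACCESS_MAP = {
    ("erp", "ap_analyst"): {"AP_CLERK"},
    ("erp", "ap_manager"): {"AP_CLERK", "AP_APPROVER"},
    ("erp", "it_support"): {"ERP_READONLY"},
    ("crm", "sales_rep"): {"CRM_USER"},
}


def reconcile(hr, accounts):
    """Return one Finding per inconsistency between HR and the applications."""
    hr_by_id = {rec.employee_id: rec for rec in hr}
    findings = []
    for acct in accounts:
        rec = hr_by_id.get(acct.employee_id)
        if rec is None:
            # Account exists in the application but no HR record backs it.
            if acct.status == "active":
                findings.append(Finding(acct.app, acct.employee_id, "ORPHAN_ACTIVE",
                                        "active account with no HR record"))
            continue
        if rec.status == "terminated" and acct.status == "active":
            findings.append(Finding(acct.app, acct.employee_id, "TERMINATED_STILL_ACTIVE",
                                    "HR says terminated, application says active"))
        elif rec.status == "active" and acct.status == "inactive":
            findings.append(Finding(acct.app, acct.employee_id, "STATUS_MISMATCH",
                                    "HR says active, application says inactive"))
        elif acct.status == "active" and \
                acct.profile not in ACCESS_MAP.get((acct.app, rec.job_function), set()):
            # Both sides active, but the profile exceeds what the function allows.
            findings.append(Finding(acct.app, acct.employee_id, "PROFILE_OUTSIDE_ACCESS_MAP",
                                    f"profile {acct.profile} not mapped for {rec.job_function}"))
    return findings


def summarize(findings):
    """Count findings per category, the figure a dashboard would track over time."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample data: one clean account and one of each inconsistency.
HR = [
    HrRecord("1001", "active", "ap_analyst"),
    HrRecord("1002", "terminated", "ap_manager"),
    HrRecord("1003", "active", "it_support"),
    HrRecord("1004", "active", "sales_rep"),
]
ACCOUNTS = [
    AppAccount("erp", "1001", "active", "AP_CLERK"),      # consistent
    AppAccount("erp", "1002", "active", "AP_APPROVER"),   # terminated, still active
    AppAccount("erp", "1003", "active", "AP_APPROVER"),   # IT support holding approver rights
    AppAccount("erp", "9999", "active", "AP_CLERK"),      # no HR record at all
    AppAccount("crm", "1004", "inactive", "CRM_USER"),    # HR active, application inactive
]

if __name__ == "__main__":
    for f in reconcile(HR, ACCOUNTS):
        print(f"{f.app:4} {f.employee_id:5} {f.kind:27} {f.detail}")
    print(summarize(reconcile(HR, ACCOUNTS)))
```

Two design points matter in practice: the join key must be a stable identifier (an employee number, not a display name), and terminated employees must remain in the HR extract as terminated rather than being deleted, otherwise the reconciler cannot tell a leaver's lingering account from an account that never had an owner.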
Achieved results
Although still evolving, Oráculo has already demonstrated significant results:
• Reduction of access inconsistencies from approximately 20% to the 10% to 15% range;
• Identification and correction of improper access not previously tracked by conventional routines;
• Creation of an additional layer of identity governance, based on integrated data and proactive monitoring;
• Direct support for managing access risks, especially in the context of SoX auditing and compliance requirements.
Oráculo is consolidated as a strategic solution in the access governance ecosystem of Ipiranga and Ultrapar. By significantly reducing the number of irregular accesses, the tool strengthens the internal control environment, provides a faster response to emerging risks, and promotes greater security in the management of users on a corporate scale.

The Challenge
CELEPAR presented challenges related to fragility in process governance, operational inefficiency, and the need to mature internal controls and risk culture. In addition, there was exposure to unmapped risks and lack of integration between processes and systems, impacting compliance with standards and good practices such as LGPD, COSO, COBIT, and ITIL.
Objective of the Project
Vennx was contracted to execute a strategic internal auditing and internal controls assessment initiative, focusing on risk mitigation, regulatory compliance, and increasing efficiency. Among the main objectives were:
• Evaluate critical processes in various areas of the company, focusing on adherence to recognized standards and frameworks;
• Identify risks, test, and map mitigating controls;
• Issue recommendations based on best governance, risk, and compliance practices;
• Create interactive Power BI panels with consolidated results;
• Produce robust working papers, ensuring traceability of all auditing procedures.
Scope and Approach
The following topics and processes were audited:
• LGPD - General Data Protection Law
• Project Management and Strategic Processes
• IT Organizational Structure and Corporate Governance
• Provisions, Intangible and Fixed Assets
• Contracts, Agreements and Legal Advice
• Innovation, R&D and Compliance
• Acquisitions, Accounts Payable, and Accounts Receivable
• Tax Planning and Budgeting
• Labor Relations and Benefits
• Information Systems and Information Security
The methodology included:
• Walkthrough interviews with those responsible for the audited processes;
• Diagnosis of adherence to the COSO ERM, COSO IC, COBIT and ITIL frameworks;
• Risk mapping, control tests and proposing a “to be” version of the processes;
• Development of a risk and control matrix, prioritized by materiality and criticality;
• Presentation of an Executive Audit Report to managers and Board of Directors.


Equinox, one of the leaders in the infrastructure and construction sector, sought to identify weaknesses and inconsistencies in its contracts. The focus of this project was to apply auditing approaches using cutting-edge technologies.
Objectives
• Identify weaknesses and inconsistencies in infrastructure and construction contracts.
• Use advanced technologies for reading and transforming documents.
• Process and analyze large volumes of data to detect irregularities.
Stages
1. Initial planning: Vennx ran a planning sprint ahead of the work, holding interviews with the sponsors to gather expectations and define the project schedule and governance model. This stage also included the kick-off meeting with stakeholders.
2. Contract analysis and evidence collection: analysis of the contracts and their amendments to define the business rules to be applied, and collection of the evidence to be processed into the databases.
3. Technological setup: selection of the technologies used to read and transform the collected documentation. At this stage Vennx tested candidate tools to identify those best suited to the project objective.
4. Test documentation: with the technology configured, Vennx processed the results to identify red flags according to the business rules. Manual tests were then performed to identify and remove false positives, and the results were compiled in a report.
Achieved results
• Evaluation of 13 contracts.
• Analysis of roughly 2,600 files, broken down by type:
  .pdf: 1,674
  .xlsx: 413
  .jpg: 151
  .xlsm: 110
  .jpeg: 81
  .docx: 51
  .xlsb: 40
  .zip: 32
  .msg: 24
  .doc: 18
  .rar: 2
  .csv: 1
  .txt: 1
• Use of Artificial Intelligence and advanced data mining tools for document processing and analysis.
Vennx used its expertise in cutting-edge technology to assist Equinox in auditing its infrastructure and construction contracts. With the application of AI and advanced data mining tools, it was possible to identify weaknesses and inconsistencies, ensuring greater security and efficiency in the company's contractual processes.


Project Summary
The Vennx Access Radar (VAR) is a solution designed to improve identity and access governance in complex corporate environments. The platform goes beyond simply managing grants and revocations, offering periodic access review, Segregation of Duties (SoD) risk management, and control against predefined access maps.
Its modular design lets the organization implement role-based access policies (RBAC), monitor risks intelligently, and maintain continuous compliance with audit requirements.
Problem Identified
Before the adoption of VAR, clients faced several challenges related to access management:
- Environments with a high risk of uncontrolled or obsolete access;
- Significant delay in granting access, impacting productivity;
- Absence of timely revocation of access for terminated or retired employees;
- Exposure to regulatory and operational risks due to improper active access;
- Lack of visibility about risks associated with access, due to the lack of a SoD matrix or formal analysis.
Objective of the Project
The purpose of the VAR is to centralize, automate, and make access management more secure, reducing operational risks and increasing the agility of access granting, reviewing, and revoking processes. The tool acts on three pillars:
- Efficiency: Agility in access processes with automated workflows;
- Security: Implementation of segregation of duties and risk management based on profiles and permissions;
- Compliance: Generation of evidence, reports, and certifications for internal and external audits.
Achieved results
- Significant improvement in the agility of the processes for granting, blocking and revoking access;
- Implementation of periodic access review campaigns, with centralized evidence recording;
- Reduction of the risk of improper access, with continuous analysis of SoD and permission risks;
- Dynamic user monitoring, including alerts for cases of inactivity and profile deviations;
- Direct support for compliance with standards such as SOx and LGPD, promoting security and traceability.
The adoption of Vennx Access Radar allows companies to consolidate a modern, proactive access management model that complies with the highest governance standards. By integrating security, efficiency, and automation, VAR transforms access management into a strategic asset, with a direct impact on reducing risks, increasing productivity, and meeting auditing and compliance requirements.


Afya, one of the largest medical education companies in Brazil, faced challenges in managing its users' access to corporate data. To address this issue, we implemented the Role-Based Access Control (RBAC) model, a strategic solution that not only protected corporate data but also increased the company's operational efficiency.
Objective
Protect corporate data, as well as enhance the Company's operational efficiency by restricting user access based on their business functions.
Evaluation of profiles and functionalities
• 270 profiles reviewed.
• 91,500 features evaluated.
• 20 TOTVS RM modules included.
Reduction of accesses
• Accesses before the project: 7,928,291.
• Accesses after the project: 1,721,657.
• 78% global reduction in accesses.
Development of RBAC profiles
• 880 users covered by the new model.
• 207 RBAC profiles built.
• 60 non-transactional profiles created (including cubes and visual formulas).
The implementation of RBAC at Afya standardized functions, so that users have access only to the information needed for their work routines. This mitigated the risk of access to sensitive information not relevant to a given function, strengthening corporate data security and producing a safer and more efficient IT environment.
The 78% reduction simplified IT management, giving the company a more agile response to security incidents and better compliance with internal policies and external regulations.



The Challenge
In 2024, Ipiranga received from the external auditor the identification of a material weakness in its internal IT controls environment, indicating that the processes, controls and systems then in place did not provide adequate assurance over the information published in the financial statements. The low maturity of the environment represented a significant risk to regulatory compliance, especially under the Sarbanes-Oxley Act (SOx).
Objective of the Project
The purpose of the Gap Zero project was to increase the maturity of Ipiranga's internal control system, focusing on IT governance and General Information Technology Controls (ITGCs), seeking:
• Reduction of gaps identified in external audits;
• Adherence to best market practices;
• Strengthening the governance structure and mitigation of operational and regulatory risks;
• Creation of an environment of sustainable and auditable controls.
Approach and Service Lines
Vennx acted in an integrated manner across six service lines, aimed at continuously strengthening governance and consolidating the IT environment:
1. IT Process and Control Mapping
Creation of detailed flowcharts and documentation of existing controls, which were incorporated into the Risk and Control Matrix (MRC), ensuring clarity, standardization, and preservation of knowledge.
2. COBIT 2019 Assessment
Diagnosis of the current environment compared to the objectives of the framework, with the preparation of a roadmap for improvements and a clear assignment of responsibilities, aligning IT with the best governance practices.
3. Execution of General IT Controls (ITGCs)
Conducting quarterly tests of design (TODs), monthly monitoring of critical controls, and timely execution of essential controls.
4. Support for Interactions with External Audit
Technical monitoring of inquiry meetings and tests, analysis of auditor requests, and support in formulating effective responses aligned with the scope of the audit.
5. Evidence Curation
Technical and timely review of documents required in auditing, focusing on the consistency of the evidence and on formal compliance with the requirements of the process.
6. Structuring IT Governance
Development of an organization chart with clear roles and responsibilities for ITGC agents and creation of the SoX Adherence Policy, promoting the consistent execution of controls and compliance with critical deadlines.
Achieved results
• Raising the maturity of internal IT controls, with a gain in robustness and traceability;
• Reduction of formal gaps and notes identified by the external audit;
• Improved curation and timeliness of auditing evidence;
• Consolidation of a sustainable IT governance model, aligned with frameworks such as COBIT and COSO, focusing on SOx compliance;
• Strengthening the culture of risks, controls, and organizational responsibility.
The Gap Zero project was decisive in reversing the status of material weakness in Ipiranga's IT controls environment, promoting significant gains in security, governance, and compliance. By delivering a mature and auditable model, Vennx contributed to creating a more reliable environment for stakeholders and adhering to market and regulatory requirements.


The Challenge
Ipiranga faced a scenario of weak governance over generic accounts, resulting from an outdated inventory and the decentralized grant flow of non-nominal access.
The absence of standardization and control hampered traceability, increased exposure to security risks, and compromised compliance with the controls required by the Sarbanes-Oxley Act (SOx).
Objective of the Project
The project focused on updating the inventory of non-nominal users (generic and service accounts), with the purpose of:
• Diagnose the risks associated with these accounts through SoD (Segregation of Duties) analysis and review of critical permissions;
• Strengthen traceability and access security in sensitive environments;
• Reduce the risk of misuse or unnecessary access;
• Support compliance with SoX requirements through structured governance;
• Complement the identity management workstream previously conducted by Vennx.
Approach and deliveries
• Update of the complete inventory of non-nominal users, focusing on systems classified as critical or within the SoX scope;
• Identification of previously uncatalogued accesses;
• Configuration of the "Log On To" workstation restriction (the LogonWorkstations attribute) on service accounts in Active Directory (AD), so that generic accounts can only log on from the specific servers authorized for them; the restriction is enforced by the domain controller from the workstation name presented at logon, so it complements rather than replaces a strong, rotated credential for the account;
• Mapping and validation of profiles with technical managers;
• Execution of obsolete or improper access revocations, based on risk analysis.
Achieved results
• Updated Inventory of Non-Nominal Users, with the regularization of missing data and standardization of information;
• Reduction of risks related to shared accounts or accounts without clear identification of use;
• Greater control over critical permissions in legacy systems;
• Strengthening access governance, in alignment with the pillars of information security and regulatory compliance.
The initiative consolidated an essential layer of Ipiranga's access governance, allowing visibility, control, and security over generic accounts in critical environments. Preventive action reinforces commitment to good IT practices, protection of sensitive assets, and compliance with external audits.


The Challenge
Ipiranga identified growing risks from missing or outdated profile maps in legacy systems, which created inconsistency in access governance and increased exposure to non-compliance, especially in audits related to the Sarbanes-Oxley Act (SoX).
The absence of standardized Base Positions and Profiles hampered continuous monitoring of access adherence, and also compromised the fluidity of the processes and the operational response time for resolving access tickets.
Objective of the Project
The purpose of the project was to create and update Profile Maps in the defined systems, focusing on:
• Eliminate interrupted flows pending approval;
• Reduce the time and cost of handling access tickets;
• Mitigate non-compliance risks in external audits (SOx);
• Ensure adherence to access and standardization between Base Positions and Profiles;
• Enable continuous compliance monitoring by Oráculo, a tool already integrated with the BPO and Access Center processes.
Achieved Results
• Creation of Profile Maps for 8 applications, including Base Positions and Profiles that did not previously exist;
• Profile Maps update for 22 applications, with mapping and creation of missing elements;
• Structuring a more robust access governance model, supporting initiatives already implemented within the scope of BPO and Access Center;
• Significant improvement in the assertiveness of management and access control, with greater traceability and responsiveness to compliance and auditing requirements.
The project directly contributed to raising the maturity level of identity and access management in Ipiranga, by promoting the standardization and updating of a critical component for internal control: Profile Maps.
The alignment with established governance and the support for SoX compliance reinforce the organization's commitment to safe, efficient, and auditable performance.


The Challenge
Ipiranga faced an environment highly sensitive to compliance risks, with an extensive SoX perimeter, strong dependence on customized programs in the JDE, and limited documentation in the ABADI repository. Among the main problems, the following stand out:
• High volume of Segregation of Duties (SoD) conflicts;
• Excessive and unnecessary permissions;
• Presence of false positives and unmapped conflicts;
• Significant gaps in access controls;
• Fragility in the process of granting, reviewing, and revoking access.
Purpose of the Solution
Establish an ongoing access and identity management operation, focusing on regulating critical processes and increasing the maturity of internal controls. The strategy was built based on IAM (Identity and Access Management) best practices, involving:
• Clear definition of roles, responsibilities and chain of ownership;
• Structuring of internal controls and SoD matrix with updated rules;
• Development of workflows for granting and revoking access;
• Strict treatment of privileged access;
• Implementation of new risk approval and validation steps.
Implemented Solution
Vennx mobilized a specialized identity and access management cell, dedicated to the continuous operation of:
• SoD analysis for user, position and profile maintenance tickets;
• Active monitoring of the JDE environment to identify and mitigate risks;
• Systematic updating of the risk matrix and compensatory controls;
• Technical and strategic support to the area of internal controls.
Achieved Results
• Mapped, documented, and standardized processes, raising the level of governance and compliance;
• Creation and implementation of workflows tailored to the client's reality;
• Significant reduction of access conflicts and false positives, with improvement in the assertiveness of controls;
• Establishment of a continuous, sustainable and auditable access management structure.


Ipiranga, one of the main companies in the fuel and energy sector in Brazil, needed focused attention on the management of its SOX systems and on defining a strategy to segregate the duties of its users and access profiles. Vennx's specialists were therefore engaged to carry out a complete diagnosis and implement an effective action plan.
Objective
Perform a diagnosis of Ipiranga's SOX systems in order to define a strategy for segregating the duties of its users and access profiles.
Stages
• Development of the methodology for classifying systems under the scope of SoD. Analysis of the company's risk strategy, auditors' notes, and technology practice for establishing the process for defining the SoD Perimeter, considering system classification criteria, potential impact, roles, and responsibilities.
• Construction of the identification tool for systems exposed to SoD: Development of the SoD exposure identification tool for systems, including the rules established in step #01, for the automatic generation of the critical assessment of each application for the purpose of segregating functions.
• Classification of the systems and definition of the SoD Perimeter: Evaluation of the Ipiranga SOX systems to identify the level of SoD exposure for each application. Compilation of results, definition of the SoD Perimeter and preparation of the SoD risk treatment roadmap for the mapped systems.
• Construction of version #01 of the Perimeter Systems SOD Matrix: Analysis of the source codes and the transaction dictionary, when applicable, and interviews to assess the SOD risks of the systems.
• Diagnosis and action plan for conflict mitigation: Execution of the conflict diagnosis in the Ipiranga environment and design of the action plan for mitigation and, if applicable, presentation to the external auditor.
• Execution of the action plan for the mitigation of SOD conflicts: Based on the defined action plan, carry out the following conflict mitigation actions:
1) breaking conflicting profiles;
2) association of compensatory controls;
3) mitigation analysis of accesses;
4) isolation of transactions and profiles that don't impact SOX.
Achieved results
- 25 systems evaluated.
- 20 systems classified for SoD scope.
- Preparation of 20 SoD risk matrices in just 7 days.
- Analysis of 5,500 transactions and 1,262 profiles.
- Classification of 23,000 users.
- Mapping of 15,700 risk possibilities.
- Identification of 30,600 intrinsic conflicts.
- Identification of 1,500,000 extrinsic conflicts.
The Ipiranga case demonstrates Vennx's effectiveness in implementing segregation of duties in SOX systems, ensuring security and compliance. In just 7 days, 20 SoD risk matrices were created, showing the speed and precision of the approach. To learn more about how Vennx can help your company implement segregation of duties strategies and strengthen IT governance, contact us.
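The mechanics behind the stages above (a SoD matrix, a transaction dictionary, user-to-profile assignments, conflict diagnosis and the "breaking conflicting profiles" and "compensatory controls" mitigation actions) can be shown on a small constructed data set. This is an added example, not Vennx's tool: the rules, profiles, users and compensating control are invented, and the two conflict types follow the usual reading of the terms in the results list, which the page itself does not define: an intrinsic conflict is one where a single profile grants both sides of a rule; an extrinsic conflict appears only when the profiles assigned to one user are combined.

```python
"""Segregation-of-duties analysis over a rule matrix, a transaction dictionary
and user-to-profile assignments.

Added illustration, not Vennx's tool. Rules, profiles, users and the
compensating control are constructed. Assumed definitions: intrinsic conflict
= one profile covers both sides of a rule; extrinsic conflict = only the
combination of a user's profiles covers both sides."""

# Rule id -> (side A transactions, side B transactions, risk level)
SOD_RULES = {
    "R01": ({"VENDOR_CREATE"}, {"INVOICE_APPROVE"}, "high"),
    "R02": ({"PAYMENT_RUN"}, {"BANK_MASTER_EDIT"}, "high"),
    "R03": ({"JOURNAL_POST"}, {"JOURNAL_APPROVE"}, "medium"),
}

# Profile -> transactions it grants (the "transaction dictionary")
PROFILES = {
    "AP_CLERK": {"VENDOR_CREATE", "INVOICE_ENTER"},
    "AP_APPROVER": {"INVOICE_APPROVE"},
    "AP_SUPER": {"VENDOR_CREATE", "INVOICE_APPROVE", "PAYMENT_RUN"},
    "TREASURY": {"PAYMENT_RUN", "BANK_MASTER_EDIT"},
    "GL_POSTER": {"JOURNAL_POST"},
    "GL_REVIEWER": {"JOURNAL_APPROVE"},
    "REPORT_VIEWER": {"REPORT_VIEW"},
}

# User -> assigned profiles
USERS = {
    "alice": {"AP_CLERK", "AP_APPROVER"},
    "bob": {"AP_SUPER"},
    "carol": {"GL_POSTER", "REPORT_VIEWER"},
    "dave": {"GL_POSTER", "GL_REVIEWER"},
}

# Rule -> users whose conflict is covered by a documented compensating control
COMPENSATING = {"R03": {"dave"}}


def rule_hits(transactions):
    """Rules for which both sides are covered by the given transaction set."""
    return {rid for rid, (side_a, side_b, _) in SOD_RULES.items()
            if side_a & transactions and side_b & transactions}


def transactions_of(user):
    """All transactions a user reaches through every assigned profile."""
    return set().union(*(PROFILES[p] for p in USERS[user]))


def intrinsic_conflicts():
    """Profile -> rules that the profile violates on its own."""
    return {p: rule_hits(t) for p, t in PROFILES.items() if rule_hits(t)}


def extrinsic_conflicts():
    """User -> rules violated only by the combination of the user's profiles."""
    out = {}
    for user, profs in USERS.items():
        inherited = set().union(*(rule_hits(PROFILES[p]) for p in profs))
        combined_only = rule_hits(transactions_of(user)) - inherited
        if combined_only:
            out[user] = combined_only
    return out


def open_conflicts():
    """User -> [(rule, risk, status)] for every rule the user violates, whether
    through a conflicting profile or through a combination, marking those
    covered by a compensating control as mitigated."""
    report = {}
    for user in USERS:
        for rid in sorted(rule_hits(transactions_of(user))):
            status = "mitigated" if user in COMPENSATING.get(rid, set()) else "open"
            report.setdefault(user, []).append((rid, SOD_RULES[rid][2], status))
    return report


def split_profile(profile, rule_id):
    """Mitigation action 1 (breaking a conflicting profile): move the rule's
    side-B transactions into a new profile so neither half violates the rule.
    The two halves are then assigned to different people."""
    _, side_b, _ = SOD_RULES[rule_id]
    txns = PROFILES[profile]
    return {profile: txns - side_b, f"{profile}_B": txns & side_b}


if __name__ == "__main__":
    print("intrinsic:", intrinsic_conflicts())
    print("extrinsic:", extrinsic_conflicts())
    for user, rows in open_conflicts().items():
        for rid, risk, status in rows:
            print(f"{user:6} {rid} {risk:6} {status}")
    print("split AP_SUPER on R01:", split_profile("AP_SUPER", "R01"))
```

Distinguishing the two conflict types matters for the action plan: an intrinsic conflict is fixed once, at the profile, and disappears for every user holding it, while an extrinsic conflict has to be handled per user, by removing one of the profiles or documenting a compensating control, which is why extrinsic counts in a real environment are so much larger than intrinsic ones.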

