Services for Organizations

Using our research, best practices and expertise, we help you understand how to optimize your business processes using applications, information and technology. We provide advisory, education, and assessment services to rapidly identify and prioritize areas for improvement and perform vendor selection

Consulting & Strategy Sessions

Ventana On Demand

    Services for Investment Firms

    We provide guidance using our market research and expertise to significantly improve your marketing, sales and product efforts. We offer a portfolio of advisory, research, thought leadership and digital education services to help optimize market strategy, planning and execution.

    Consulting & Strategy Sessions

    Ventana On Demand

      Services for Technology Vendors

      We provide guidance using our market research and expertise to significantly improve your marketing, sales and product efforts. We offer a portfolio of advisory, research, thought leadership and digital education services to help optimize market strategy, planning and execution.

      Analyst Relations

      Demand Generation

      Product Marketing

      Market Coverage

      Request a Briefing

        Robert Kugel's Analyst Perspectives

        << Back to Blog Index

        Separation of Duties at Jurassic Park

        You really, really have to be a nerd to watch Jurassic Park and see the absence of separation of duties (SoD) and inadequate process controls as a core plot device. To explain, one of the pivots in the story line of Jurassic Park is the point where the villain of the story, “Dennis Nedry” decides to steal some dinosaur embryos and sell them. The company created some safeguards in their systems to prevent this from happening but (as usual) they were mainly designed to guard against outsiders, not to prevent internal fraud. Knowing how they operate (since he wrote the code), the villain shuts down key systems so that he can override security systems designed to prevent just this sort of possibility.

        A decade before Enron and WorldCom we were warned of what can happen when corporations operate without adequate access and process controls. If “JP Corporation” was a US-listed corporation, would the Sarbanes-Oxley Act have rendered the plot line improbable because they would have had these controls in place? Or would the company have taken a narrow view of the value of separation of duties, thinking that it was mostly a financial control issue with little relevance to operations or the IT department? But why quibble with the realism of these sorts of plot devices when there are bigger, Argentinosaurus-size suspension-of-disbelief issues at work in a story about recreating long extinct animals?

        OK, so that’s a hokey way of bringing up the topic of SoD and process controls. In the years since the film was made, companies have made major investments in identity management, access controls as well as process monitoring and management in order to address internal vulnerabilities. A good deal of this was sparked by the Sarbanes-Oxley Act in the US, since it elevated the importance of having tight control of a company’s IT environment to prevent fraud, errors and malfeasance. Despite this, there’s a lot of time wasted and money spent on pretty ineffective identity and process controls in companies. This is one of those hidden time and expense wasters that don’t seem like they’re important enough to assess, find gaps and address them. Nonetheless, unless your company already has a program and process in place, it’s definitely worth doing.

        In terms of gaps, the issue with identity management is not that companies don’t have it – it’s that too often they are using too many manual procedures to onboard, update or revoke their permissions. And they devote too much time to lost passwords or making changes because they lack self-service capabilities. Companies also need to be able to easily manage groups and resources flexibly. Identity management is a foundational element to maintain bullet-proof separation of duties.

        Separation of duties is a longstanding concept designed to prevent fraud and errors. Requiring two signatures on a check and preventing the same person from performing two related steps in a process (such as depositing money into a bank account and reconciling that bank account) are two examples of this. More recently, SoD has increasingly been used in IT departments to ensure that computer systems are secure from fraud or malfeasance, especially in the wake of the Sarbanes-Oxley Act as computer systems are being used as higher level controls against potential financial fraud. Moreover, there are many operational compliance issues that can and should be managed within an IT environment that ought to involve separations of duties: someone asserts that a set of inspections or actions have been taken and another certifies that these have been carried out.

        Process controls can prevent specific sequences of events from happening or they can generate alerts if an event or sequence of events happens or, as important, doesn’t happen (for instance, steps are skipped, required actions aren’t taken or confirmations are not made within a certain time period). Process controls and process monitoring are valuable in that they reduce the risk of unfavorable events occurring and because they are continuous controls, they can mitigate the impact of an unfavorable event by allowing for faster interventions.

        Process controls have become more valuable over the past decades as an increasing amount of the work that takes place in a corporation is supported or managed by IT systems. As such, it has become much easier to automate monitoring events and flag suspicious or worrisome activities. These sorts of process monitors allow internal and external auditors to easily verify that controls are working or not and therefore can save money on audits. They enable easy analysis of systems logs to spot suspicious activities such as intraday granting and rescinding of permissions or a higher than usual number of changes at the end of a month. This is the electronic version of what auditors used to do in the old days, checking the paper ledgers for erasures and examining the handwriting to spot anything that looked suspicious. The difference here is that events, or a sequence of events, or some statistical analysis of system logs are all areas where forensic accountants and other risk and fraud experts can design controls that eliminate the need for a lot of manual oversight either in real time or in auditing. By having these sorts of controls in place, corporations can eliminate the need for a lot of external and internal audit requirements and that will save time and money.

        Granted, if “JP Corporation” had had all of these things it would have made the plot line a lot less interesting to everyone except accountants and auditors. They would have been gratified to see internal controls work and marvel at the amount of money that the wildlife park was raking in from the overflow crowds that went to gawk at the safely contained dinosaurs.

        Let me know your thoughts or come and collaborate with me on Facebook, LinkedIn and Twitter.


        Robert D. Kugel - SVP Research


        Robert Kugel
        Executive Director, Business Research

        Robert Kugel leads business software research for Ventana Research, now part of ISG. His team covers technology and applications spanning front- and back-office enterprise functions, and he personally runs the Office of Finance area of expertise. Rob is a CFA charter holder and a published author and thought leader on integrated business planning (IBP).


        Our Analyst Perspective Policy

        • Ventana Research’s Analyst Perspectives are fact-based analysis and guidance on business, industry and technology vendor trends. Each Analyst Perspective presents the view of the analyst who is an established subject matter expert on new developments, business and technology trends, findings from our research, or best practice insights.

          Each is prepared and reviewed in accordance with Ventana Research’s strict standards for accuracy and objectivity and reviewed to ensure it delivers reliable and actionable insights. It is reviewed and edited by research management and is approved by the Chief Research Officer; no individual or organization outside of Ventana Research reviews any Analyst Perspective before it is published. If you have any issue with an Analyst Perspective, please email them to

        View Policy

        Subscribe to Email Updates

        Posts by Month

        see all

        Posts by Topic

        see all

        Analyst Perspectives Archive

        See All