Dear colleagues,
The effort to separate high-risk role combinations for users in procurement and fixed asset systems across the University of Illinois System has been delayed due to the COVID-19 pandemic this spring, but is moving forward this summer.
AITS Security Application (SecApp) has been recently updated to activate the security protocols which prevent the new provisioning of prohibited high-risk role combinations. The changes are in compliance with policy Section 9 - Audits, Internal Control, and Business System Security. Unit Security Contacts (USCs) will not be able to initiate new access requests for users with conflicted role combinations in areas that carry potential risk. The policy and procedural changes support efforts by the System Offices to mitigate the risk associated with inadequate segregation of duties due to improper system access role combinations.
At this time, we ask that units begin the clean-up process of these highest risk incompatible role combinations. The goal is to complete this process by March 31, 2021. To verify whether you or staff at your unit have any of the above role combinations, please use the report on the Internal Controls website.
Specifically, the role combinations which create segregation of duties risks include:
- iBuy Requestor & FABweb Unit Rep, Unit Contact, or Unit Head
- iBuy Approver & FABweb Unit Rep, Unit Contact, or Unit Head
- Banner Department Manager/Requestor with FABweb Unit Rep, Unit Contact, or Unit Head
- P-Card Cardholder and FABweb Unit Rep, Unit Contact, or Unit Head
We understand this is not an easy task, especially amid the COVID-19 pandemic, limited resources, and the start of the fall semester. Additionally, we understand the challenges in resolving these role combinations while still making sure the unit roles and responsibilities for P-Card, iBuy, Banner, and FABweb are all completed. The Implementation Team is working on developing additional resources and mitigation strategies for units that may find it difficult to complete the clean-up process by the end of March. More information should be available in the coming weeks.
We encourage you to take advantage of the resources available on the Internal Controls website. The site provides detailed information about the prohibited role combinations and the latest updates, and explains the iBuy, FABweb and Banner roles in further detail. If you have questions, please use the Contact Us form on the website and members of the Implementation Team will be in touch.
Thank you for your continued cooperation as we work diligently to alleviate potential risks and protect the University of Illinois System.
Paul Ellinger
Associate Chancellor and Vice Provost for Budget and Resource Planning
Brent Rasmus
University of Illinois-System Offices