What is Segregation of Duties?
Segregation of Duties (SoD) is an internal control measure that all organizations should adopt to prevent error and fraud, and it is especially important when complying with regulations like the US Sarbanes-Oxley Act of 2002 (SOX). SoD ensures that more than one person carries out the tasks required to bring a sensitive business process to completion.
An employee with multiple functional roles within an organization can exploit their knowledge and power. This is why SoD should be a key part of any effective risk management approach in any enterprise.
A basic principle of SoD is that one person should never be responsible for a complete business task when that task has implications for the company’s security, financials, or financial reporting. For instance, one person can place an order with a supplier, but a different person needs to record the transaction for that order. This dramatically reduces the risk of fraud, for example by preventing an individual from placing illicit orders and then failing to report the transactions, or reporting them with the wrong value.
Examples of Roles that Require SoD
Here are a few organizational roles that commonly require segregation of duties:
- Record keeping roles—individuals who create and maintain financial records for an organization’s transactions must be segregated from issuing or approving those transactions.
- Authorization roles—individuals who evaluate and approve transactions should be segregated from recording, reconciling, or reviewing those transactions.
- Asset custody roles—individuals who manage or access physical assets like inventory or cash, should not also be responsible for recording inventory, reconciling bank accounts, or approving transactions.
- Reconciliation roles—individuals who control and check that transactions have been correctly completed should be segregated from requesting or approving transactions.
Examples of Segregation of Duties for Specific Functions
The following are examples of how segregation of duties is applied to typical functions:
- Cash—one individual opens envelopes containing checks, while another individual enters the checks into the accounting system. This minimizes the risk that an individual will deposit the money into another account.
- Accounts receivable—one individual makes a record of cash accepted from the customer, and another individual completes credit memos for the customer. This minimizes the likelihood that an employee will redirect a payment from a customer and hide the theft with an equal credit to the customer’s account.
- Inventory—one individual completes an order of goods from a supplier, while another individual records the acquired goods in the accounting system. This prevents the purchaser from diverting goods for personal profit.
- Payroll—one individual completes the gross pay and net pay information for a payroll, and another individual checks the calculations. This prevents a payroll clerk from paying non-existent employees or increasing the compensation of specific employees.
Examples of Unintentional Segregation of Duties Conflicts
Some SoD violations are unintentional, but they can still create a risk of error and compliance violations. The following are selected examples of unintentional compliance violations:
- A company acquires another company, along with its ERP system—members of the finance and IT teams require access rights in the acquired ERP system, while retaining the access they already hold in the parent company’s ERP. If the company has no standard procedure to ensure that these workers are given the same privileges in the two systems, the combined access can lead to an SoD or compliance violation.
- A member of the finance team moves to another department—the new role may have nothing to do with their prior position in finance. If the organization doesn’t revoke the employee’s privileges in the ERP system, they retain sensitive permissions, such as the ability to issue payments, which can combine with the new permissions to create unnecessary segregation of duties conflicts.
- A programmer customizing the ERP system—during testing, the programmer may use breakpoints to inspect the state of variables and make the necessary changes. If the code is moved into production after testing is over and the programmer’s ability to stop the application and change system variables remains, the programmer can use that capability to access the organization’s sensitive information, or even falsify records, creating a risk of fraud and theft and damaging the integrity of financial reporting.
- Fixing an error in ERP invoicing—suppose the ERP system processes invoices incorrectly while the individual responsible for invoices is away from the office. An administrator may grant emergency access to another employee to solve the issue, yet that employee’s access is neither monitored nor removed afterwards. If there is no follow-up review of all employees’ access privileges, the replacement employee retains the emergency permissions, resulting in one or more SoD conflicts.
Examples of Intentional Segregation of Duties Violations
The primary purpose of the SoD model is to prevent intentional violations: unethical or criminal actions by company employees, usually for personal gain. Without segregation of duties, unethical individuals who control money, property, inventory, or security systems can perform actions that lead to financial loss, reputational damage, falsified financial reporting, and compliance violations. Even trusted employees may mistakenly perform incorrect transactions, or their credentials may be compromised, giving bad actors a privileged account with which to access critical applications.
Here are a few examples of intentional SoD violations:
- An individual can modify or delete financial data without being detected
- An individual can steal or grant access to sensitive data without authorization
- An individual can raise and approve payments to any third party without approval from others
- An individual can decide on the design and operation of security or access controls, without review from anyone else in the organization
Ensure that these, or similar, activities are never allowed to happen by implementing segregation of duties controls to prevent them.
Best Practices for Reducing SoD Risks
The following best practices can help your organization reduce the risk of SoD violations.
Review Staffing Models
An organization may have a multi-person accounting team, yet only one person knows how to complete journal entries. The organization can train a second person and hand part of the journal process to them, effectively segregating duties. The organization can also seek out opportunities to segregate duties that may have gone unnoticed, such as accepting and depositing cash.
Related content: read our guide to segregation of duties matrix – a tool organizations can use to identify and resolve SoD conflicts
Review User Access to Identify Conflicts
Adding restrictions for staff members in the ERP system can help segregate duties. It is essential to perform periodic reviews of access to the ERP and other critical business systems, and to have a third party review that access, in order to identify hidden conflicts. Additionally, examining the role definitions themselves often unearths sources of potential risk, as roles can be created with SoD conflicts already built into them.
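The kind of access review described here can be expressed as a small script. The following is an added example, not Pathlock’s code or any product’s rule set: it encodes the conflicting duty pairs from the “Roles that Require SoD” list above as a conflict matrix, then checks constructed user-to-role assignments across two ERP systems for the three situations the article describes: users whose combined grants (even across different systems, as in the merger scenario) create a conflict, roles that are defined with a conflict already inside them, and time-boxed emergency grants that were never removed. All system names, role names, users and dates are hypothetical.

```python
"""Added example: a small SoD access review over user, role and permission data.
Every system, role, user and date below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Duty categories taken from the article's "Roles that Require SoD" list.
RECORD, AUTHORIZE, CUSTODY, RECONCILE, REQUEST = (
    "record", "authorize", "custody", "reconcile", "request")

# Conflict matrix: each pair is a combination no single person should hold.
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({RECORD, AUTHORIZE}),     # record keeping vs approving
    frozenset({RECORD, REQUEST}),       # record keeping vs issuing
    frozenset({AUTHORIZE, RECONCILE}),  # approving vs reconciling
    frozenset({CUSTODY, RECORD}),       # asset custody vs recording
    frozenset({CUSTODY, RECONCILE}),    # asset custody vs reconciling
    frozenset({CUSTODY, AUTHORIZE}),    # asset custody vs approving
    frozenset({RECONCILE, REQUEST}),    # reconciling vs requesting
}

# Role definitions per system: (system, role) -> duties the role confers.
# Hypothetical names; FIN_SUPER is deliberately defined with a built-in conflict.
ROLES: Dict[Tuple[str, str], Set[str]] = {
    ("parent_erp", "AP_CLERK"): {RECORD},
    ("parent_erp", "AP_APPROVER"): {AUTHORIZE},
    ("parent_erp", "CASHIER"): {CUSTODY},
    ("parent_erp", "BANK_RECON"): {RECONCILE},
    ("parent_erp", "FIN_SUPER"): {RECORD, AUTHORIZE},
    ("acquired_erp", "BUYER"): {REQUEST},
    ("acquired_erp", "INVOICE_FIX"): {RECORD},
}

@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    role: str
    reason: str = "standard"        # e.g. "standard" or "emergency"
    expires: Optional[date] = None  # emergency grants should carry an end date

# Constructed access data mirroring the article's unintentional-conflict scenarios.
GRANTS: List[Grant] = [
    Grant("alice", "parent_erp", "AP_CLERK"),      # merger: access in both ERPs
    Grant("alice", "acquired_erp", "BUYER"),
    Grant("bob", "parent_erp", "CASHIER"),         # clean
    Grant("carol", "parent_erp", "AP_APPROVER"),   # old role never revoked
    Grant("carol", "parent_erp", "BANK_RECON"),    # new role after transfer
    Grant("dave", "acquired_erp", "INVOICE_FIX",   # emergency fix, never removed
          reason="emergency", expires=date(2024, 3, 1)),
    Grant("erin", "parent_erp", "FIN_SUPER"),      # conflict inside one role
]
REVIEW_DATE = date(2024, 6, 30)  # hypothetical date of the periodic review

def conflicting_roles(roles) -> List[Tuple[str, str, Tuple[str, str]]]:
    """Roles whose own permission set already contains a conflicting pair."""
    found = []
    for (system, role), duties in sorted(roles.items()):
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in CONFLICTS:
                found.append((system, role, (a, b)))
    return found

def effective_duties(grants, roles) -> Dict[str, Dict[str, Set[Tuple[str, str]]]]:
    """Per user: duty -> the (system, role) grants conferring it, across all systems."""
    out: Dict[str, Dict[str, Set[Tuple[str, str]]]] = {}
    for g in grants:
        for duty in roles[(g.system, g.role)]:
            out.setdefault(g.user, {}).setdefault(duty, set()).add((g.system, g.role))
    return out

def user_conflicts(grants, roles):
    """Users holding a conflicting duty pair, with the grants that create it.
    Combinations across systems count: separate ERPs are no defence."""
    findings = []
    for user, duties in sorted(effective_duties(grants, roles).items()):
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in CONFLICTS:
                findings.append((user, (a, b), sorted(duties[a] | duties[b])))
    return findings

def stale_grants(grants, as_of: date) -> List[Grant]:
    """Time-boxed grants (e.g. emergency access) still present after their expiry."""
    return [g for g in grants if g.expires is not None and g.expires < as_of]

if __name__ == "__main__":
    for system, role, pair in conflicting_roles(ROLES):
        print(f"role-level conflict: {system}/{role} confers {pair[0]} and {pair[1]}")
    for user, pair, sources in user_conflicts(GRANTS, ROLES):
        print(f"user conflict: {user} can {pair[0]} and {pair[1]} via {sources}")
    for g in stale_grants(GRANTS, REVIEW_DATE):
        print(f"stale grant: {g.user} {g.system}/{g.role} ({g.reason}, expired {g.expires})")
```

Run as-is, the review reports alice (record keeping in one ERP plus purchasing in the other), carol (approval plus reconciliation after a transfer), erin (a single role that confers both recording and approval), and dave’s expired emergency grant; bob is clean. The conflict matrix is kept separate from the role and grant data so that it can be reviewed and signed off on its own, which is the point of examining role definitions rather than only user assignments.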
Review Processes and Internal Controls
Proper internal controls are essential for ensuring accurate financial reporting and preventing fraud. Yet controls that can be easily bypassed or circumvented are not useful. Organizations should review current processes and controls to isolate possible SoD issues. An in-depth internal control review enables process improvement and makes it possible to isolate unmitigated risks or gaps in controls.
Segregation of Duties Automation with Pathlock
Pathlock provides a robust, cross-application solution for managing SoD conflicts and violations. Finance, internal controls, audit, and application teams can rest assured that Pathlock is providing complete protection across their enterprise application landscape.
With Pathlock, customers can enjoy a complete solution for SoD management that monitors conflicts as well as violations, preventing risk before it materializes:
- Integration to 140+ applications, with a “rosetta stone” that can map SoD conflicts and violations across systems
- Intelligent access-based SoD conflict reporting, showing users’ overlapping conflicts across all of their business systems
- Transactional control monitoring, to focus time and attention on SoD violations specifically, applying effort towards the largest concentrations of risk
- Automated, compliant provisioning into business applications, to monitor for SoD conflicts when adding or changing user access
- Streamlined, intelligent User Access Reviews that highlight unnecessary or unused privileges for removal or inspection
- Compliant workflows to drive risk mitigation and contain suspicious users before they inflict harm
Interested in finding out more about how Pathlock is changing the future of SoD? Request a demo to explore the leading solution for enforcing compliance and reducing risk.