Segregation of Duties in Your Organization
What is Segregation of Duties (SoD)?
Segregation of Duties (SoD) is an internal control built for the purpose of preventing fraud and error in financial transactions. To do this, SoD ensures that there are at least two individuals who are responsible for completing a critical task that has financial consequences or can impact financial reporting.
SoD processes break down tasks, which can be completed by one individual, into multiple tasks. The goal is to ensure that control is never in the hands of one individual, either by splitting the transaction into 2 or more pieces, or requiring sign-off approval from another party before completion.
Payroll management, for example, often faces error and fraud risks. A common SoD for payroll is to ask one employee to be responsible for setting up the payroll run and asking another employee to be responsible for signing checks. This way, there is no short circuit where someone could pay themselves or a colleague more or less than they are entitled to.
Breaking tasks down prevents risks, however, it doesn’t come without other costs. For one, it can negatively impact business efficiency. Additionally, stricter SoD enforcement can lead to an increase in costs and complexity and require organizations to add more staff. This is why many organizations apply SoD only to the most vulnerable and mission-critical components of their environment.
Why is Segregation of Duties Important?
The concept behind Segregation of Duties is that the duty of running a business should be divided among several people, so that no one person has the power to cause damage to the business or to perform fraudulent or criminal activity. Separation of duties is an important part of risk management, and also relates to adhering to SOX compliance.
SoD comes up most often when talking about accounting and information security practices. Individuals in these roles can cause significant damage to a company, whether inadvertently or intentionally. There are several reasons employees may turn against their employer:
- To steal funds from the employer for financial gain
- As part of corporate espionage
- Disgruntled employees who were dismissed from their position, demoted, took a paycut, or feel they were mistreated
- Financial roles attempting to falsify financial records to satisfy shareholders and meet earnings forecasts, as in the Enron scandal
Therefore, finance and security leaders should pay attention to separation of duties. It is important to build a role with IT security capabilities so that no one can abuse it.
One of the laws that enforce separation of duties is the Sarbanes Oxley Act of 2002 (SOX). In response to a wave of company accounting scandals, SOX required audit committees and senior executives to be accountable for the accuracy of their issued financial statements. As part of its enforcement, the Securities and Exchange Commission (SEC) specified that companies must establish effective internal control systems for financial reporting, with separation of duties being a critical part of those controls.
Due to SOX and similar regulations, most financial companies currently enforce separation of roles in financial departments, information technology, security, and any other organizational unit that can have a critical impact on the organization or its financial reporting.
Segregation of Duties Concepts
What are SoD Conflicts?
To prevent misuse of critical combinations of tasks in the process, tasks within the organization are segregated (separation of duties, SoD). It is typically the authorization management of the company that implements preventive measures to protect against criminal activity performed by individual users.
To provide these precautions against criminal activity, you must first check for SoD conflicts and perform analysis. Typically, this is done by using RBAC to analyze the roles themselves for any intrarole SoD overlaps, and then analyzing each user for interrole SoD overlaps. SoD conflicts may occur in several areas of the company—Purchase to Pay (P2P) or Order to Cash (O2C).
When a person has the required roles needed to perform a combination of important activities in a process sequence, this is called a SoD conflict. This means that individuals have the potential to act in their own interest and against the interests of the company. Of course, not all conflicts mean illegal actions by users. Companies must next assess their SoD violations to ensure that SoD conflicts are not turning into risky or fraudulent behavior.
Learn more in our detailed guide to segregation of duties conflicts (coming soon)
What are SoD Violations?
The first step in the SoD process is to leverage role-based access control (RBAC) to accurately provision users into systems and try to reduce potential SoD conflicts. However, SoD conflicts are an inevitable part of running a business, when evaluating the cost/benefit tradeoffs. SoD violations are like a safety net – allowing you to see when users perform a risky transaction with their combinations of policies containing an SoD conflict. When any user abuses the assigned access, performing an action prohibited by company policy or industry regulation, this is considered a violation and it is investigated for potential fraud or harm.
Technically, a violation occurs when the user gains control over more workflow steps than they are allowed, and uses them in parallel on one or more transactions. This could include the ability to enter vendor invoices and approve vendor payments for example. When properly applied, SoD uses internal controls to highlight these conflicts of interest and improve safety and compliance. Managing SoD through monitoring violations focuses attention and effort on actual violations of risk rather than theoretical risks raised through SoD conflicts.
What is Segregation of Duties Matrix?
Implementing SoD can be very complex. To keep accounting roles, responsibilities, and risks clear, compliance managers use the Segregation of Duties Matrix (SoD matrix). The matrix plots unique user roles once on the X axis, and the same roles on the Y axis, to identify conflicts and resolve them.
In modern organizations relying on enterprise resource planning (ERP) software, SoD matrices are generated automatically, based on user roles and tasks defined in the ERP. Each task must match a procedure in the transaction workflow, and it is then possible to group roles and tasks, ensuring that no one user has permission to perform more than one stage in the transaction workflow.
|Create requisition||Approve requisition||Create PO||Approve PO|
|Process||COSO||Procedure/Function||User Group (Role)||1||2||3||4|
|Purchasing||Record||Create requisition||1||Elevated Risk||Low Risk|
|Purchasing||Approve||Approve requisition||2||Elevated Risk|
|Purchasing||Record||Create PO||3||Low Risk||Elevated Risk|
|Purchasing||Approve||Approve PO||4||Elevated Risk|
How Does Segregation of Duties Impact Your Organization?
Segregation of Duties in IT Security
SoD has two main impacts on IT security:
IT security is responsible for implementing SoD
IT security teams have a key role in implementation of SoD, because they are the ones responsible for enforcing privileges and permission for IT systems.
IT staff must work with the business first to define the correct role hiearchy according to SoD definitions—for example, ensuring that if one person has access to the software function used to prepare paychecks, that same person will not have access to the software function used to authorize paychecks. Similarly, IT staff need to ensure that roles do not have access to other applications or files belonging to a conflicting role.
An important part of SoD implementation is the principle of least privilege. Each individual should have the minimum permissions they need to perform their duties. Even within a certain IT system, individuals should only have access to the data and features they specifically require.
Permissions should be regularly reviewed, and revoked in case an employee changed role, no longer participates in a certain activity, or has left the company.
IT departments need to practice SoD themselves
SoD within the IT department is critical—otherwise the same employee may be responsible for multiple steps of the permission assignment workflow.
Consider two examples of insufficient SoD in an IT department:
- One IT administrator is responsible for defining permissions and also assigning permissions to individuals. This would allow them to define super-user permission, assign it to themselves, and cause major damage.
- One individual designs a security system, and is then responsible for testing and validating it. This would allow the individual to design the system with vulnerabilities that would allow them to later breach it.
SoD in the IT department can prevent control failures that can result in disastrous consequences, such as data theft or sabotage of corporate systems. Different people must be responsible for different parts of critical IT processes, and there must be regular internal audits performed by individuals who are not part of the IT organization, and report directly to the CEO or board of directors.
Segregation of Duties In Accounting
Accounting departments are the traditional focus of SOX and similar regulations. Organizations must ensure they do not put multiple steps of a financial transaction or financial reporting flow in the hands of one person. Otherwise, there is no oversight to prevent careless or malicious individuals from committing acts of fraud or tampering with financial data.
A few examples of SoD in an accounting department:
- The person who defines paychecks is not also responsible for authorizing paychecks.
- The person who deposits or withdraws cash is not the same person who reconciles bank accounts.
- The person raising purchase orders to suppliers is not the same person authorizing those purchase orders for payment.
The foundation of SoD in accounting is having several people in the accounting organization, with predefined roles that prevent SoD conflicts. In addition, there should be regular reviews by external auditors to ensure SoD is correctly maintained. Critical actions like signing high value checks or authorizing payrolls should ideally be conducted by senior executives.
SoD Can Reduce Human Error
When SoD is correctly implemented, organizations can significantly reduce the risk of human error in critical financial activities. When every critical transaction is performed by multiple individuals, there is a much higher chance one of those individuals will notice an error and correct it.
It is important to realize that risks in financial reporting do not only stem from malicious individuals—they can also result from careless individuals or honest mistakes, which can dramatically skew financial reporting.
Segregation of duties can prevent several sources of human error, including:
- Insufficient or non-professional manpower in accounting departments, leading to rushed work and lack of proper review
- Lack of delegation of duties to specialized roles
- Data entry errors where the resulting data is never reviewed by another team member
- Lack of reconciliation of balance sheets on a regular basis
- Insufficient documentation of expenses or transactions
SoD Can Increase Efficiency
It is often thought that SoD creates inefficiency, because it requires adding more roles that were not originally needed. However, if SoD is carefully planned, it can lead to specialization which can actually promote efficiency. If you separate financial departments into well-thought-out roles, each of which is carried out by a highly trained, specialized individual, each individual will do their work faster and more accurately.
Here are a few ways to improve organizational efficiency in an organization implementing SoD:
- Understand what each employee does best and what type of work they prefer doing. It is often possible to make several employees happier and more productive by trading non-conflicting duties between them.
- Identify duplication among roles and ensure that each task or duty is only carried out by one employee.
- Analyze permissions across similar employees, to make sure that employees who should have similar jobs on paper have similar entitlements in the IT systems where they work.
- Ensure each member of the team clearly understands their duties and has the appropriate skills to perform them.
- Create written job descriptions to make it clear to everyone on the team what are each member’s responsibilities.
6-Step Segregation of Duties Checklist
The following checklist can help you streamline SoD in your organization:
- Define policies and processes—use identity management tools to define SoD and enforce policies in a consistent way across multiple applications.
- Create a centralized dashboard—in order to monitor SoD, you must have one dashboard showing access and authentication activity across all enterprise applications. This way, if one user has access to multiple applications, you can track their activities.
- Manage privileged access on a just-in-time basis—the concept of temporary, elevated access can help you grant access to users for a limited time, or conditional on role parameters, and remove it when it is no longer needed or can result in a SoD conflict.
- Establish access request workflows—access should never be granted ad hoc, but always as part of a structured workflow. Identity management tools can define and enforce these workflows, and provide an audit trail.
- Provision access based on roles—as a general rule, access should not be granted to individual users. Rather, individuals should be assigned to roles, and should receive access based on their role. This process should be automated, to prevent delays in receiving access, which can hurt productivity.
- Ensure collaboration between IT, HR, and business management—these two departments should jointly define roles and approvals, to ensure that permissions match the job descriptions and skills of individual employees. Direct managers should also participate in the approval process.
Segregation of Duties Automation with PathLock
Pathlock provides a robust, cross-application solution to managing SoD conflicts and violations. Finance, internal controls, audit, and application teams can rest assured that Pathlock is providing complete protection across their enterprise application landscape.
With Pathlock, customers can enjoy a complete solution to SoD management, that can monitor conflicts as well as violations to prevent risk before it happens:
- Integration to 140+ applications, with a “rosetta stone” that can map SoD conflicts and violations across systems
- Intelligent access-based SoD conflict reporting, showing users’ overlapping conflicts across all of their business systems
- Transactional control monitoring, to focus time and attention on SoD violations specifically, applying effort towards the largest concentrations of risk
- Automated, compliant provisioning into business applications, to monitor for SoD conflicts when adding or changing user access
- Streamlined, intelligent User Access Reviews that highlight unnecessary or unused privileges for removal or inspection
- Compliant workflows to drive risk mitigation and contain suspicious users before they inflict harm
Interested to find out more about how Pathlock is changing the future of SoD? Request a demo to explore the leading solution for enforcing compliance and reducing risk.