Separation of Duties (SoD) is an internal control built for the purpose of preventing fraud and error in financial transactions. To do this, SoD ensures that there are at least two individuals who are responsible for completing a critical task that has financial consequences or can impact financial reporting.
SoD processes break down tasks that could be completed by one individual into multiple tasks. The goal is to ensure that control is never in the hands of one individual, either by splitting the transaction into two or more pieces, or by requiring sign-off approval from another party before completion.
Payroll management, for example, often faces error and fraud risks. A common SoD for payroll is to ask one employee to be responsible for setting up the payroll run and asking another employee to be responsible for signing checks. This way, there is no short circuit where someone could pay themselves or a colleague more or less than they are entitled to.
Breaking tasks down reduces risk, but it comes with costs of its own. For one, it can negatively impact business efficiency. Additionally, stricter SoD enforcement can increase cost and complexity and require organizations to add more staff. This is why many organizations apply SoD only to the most vulnerable and mission-critical components of their environment.
The concept behind Separation of Duties is that the duty of running a business should be divided among several people, so that no one person has the power to cause damage to the business or to perform fraudulent or criminal activity. Separation of duties is an important part of risk management, and also relates to adhering to SOX compliance.
SoD comes up most often when talking about accounting and information security practices. Individuals in these roles can cause significant damage to a company, whether inadvertently or intentionally. There are several reasons employees may turn against their employer:
Therefore, finance and security leaders should pay attention to separation of duties. It is important to build a role with IT security capabilities so that no one can abuse it.
One of the laws that enforce separation of duties is the Sarbanes Oxley Act of 2002 (SOX). In response to a wave of company accounting scandals, SOX required audit committees and senior executives to be accountable for the accuracy of their issued financial statements. As part of its enforcement, the Securities and Exchange Commission (SEC) specified that companies must establish effective internal control systems for financial reporting, with separation of duties being a critical part of those controls.
Due to SOX and similar regulations, most financial companies currently enforce separation of roles in financial departments, information technology, security, and any other organizational unit that can have a critical impact on the organization or its financial reporting.
Companies often struggle with implementing separation of duties (SoD) due to several reasons. One major reason is the conflict between security and efficiency. On the one hand, SoD is critical to preventing fraud and misuse of control in a process. On the other hand, breaking tasks down into separate components can negatively impact business efficiency. Companies are often hesitant to sacrifice efficiency as it can affect their bottom line, resulting in weaker control and increased risk of fraud.
Additionally, implementing SoD can also lead to increased costs, process complexity, and staffing requirements, which can be daunting for organizations, particularly smaller ones. This may lead to companies only implementing SoD for the most vulnerable or mission-critical elements of the business, leaving other areas at risk.
Moreover, smaller organizations may find it particularly challenging to implement SoD, as there are fewer people available to take on different parts of a task. In these cases, a single employee may be in charge of an entire process, making it difficult to separate duties effectively.
To prevent misuse of critical combinations of tasks in the process, tasks within the organization are separated. It is typically the authorization management of the company that implements preventive measures to protect against criminal activity performed by individual users.
To provide these precautions against criminal activity, you must first check for SoD conflicts and analyze them. Typically, this is done by using RBAC to analyze the roles themselves for any intrarole SoD overlaps (a single role that grants conflicting tasks), and then analyzing each user for interrole SoD overlaps (a conflicting combination created by the roles assigned to that user). SoD conflicts may occur in several areas of the company, such as Purchase to Pay (P2P) or Order to Cash (O2C).
When a person has the required roles needed to perform a combination of important activities in a process sequence, this is called a SoD conflict. This means that individuals have the potential to act in their own interest and against the interests of the company. Of course, not all conflicts mean illegal actions by users. Companies must next assess their SoD violations to ensure that SoD conflicts are not turning into risky or fraudulent behavior.
The first step in the SoD process is to leverage role-based access control (RBAC) to accurately provision users into systems and reduce potential SoD conflicts. However, once cost/benefit tradeoffs are weighed, some SoD conflicts are an inevitable part of running a business. Monitoring for SoD violations then acts as a safety net, showing when users whose combination of policies contains an SoD conflict actually perform a risky transaction. When any user abuses the assigned access, performing an action prohibited by company policy or industry regulation, this is considered a violation and it is investigated for potential fraud or harm.
Technically, a violation occurs when the user gains control over more workflow steps than they are allowed, and uses them in parallel on one or more transactions. This could include the ability to enter vendor invoices and approve vendor payments for example. When properly applied, SoD uses internal controls to highlight these conflicts of interest and improve safety and compliance. Managing SoD through monitoring violations focuses attention and effort on actual violations of risk rather than theoretical risks raised through SoD conflicts.
Implementing SoD can be very complex. To keep accounting roles, responsibilities, and risks clear, compliance managers use the Separation of Duties Matrix (SoD matrix). The matrix plots unique user roles once on the X axis, and the same roles on the Y axis, to identify conflicts and resolve them.
In modern organizations relying on enterprise resource planning (ERP) software, SoD matrices are generated automatically, based on user roles and tasks defined in the ERP. Each task must match a procedure in the transaction workflow, and it is then possible to group roles and tasks, ensuring that no one user has permission to perform more than one stage in the transaction workflow.
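The analysis described above, written out as an added example that is not Pathlock's code or part of the original article: it runs the two RBAC passes (intrarole overlaps per role, then interrole overlaps per user), builds the role-by-role SoD matrix, and separates theoretical conflicts from actual violations by checking an activity log for one user executing both steps of a conflicting pair on the same transaction. All task, role, user and transaction names are constructed for illustration.

```python
"""Added example, not Pathlock's code: SoD conflict analysis (intrarole and
interrole), an SoD matrix, and violation detection over constructed data.
All task, role, user and transaction names are assumptions for illustration."""

# Pairs of workflow steps that one person must not control. The P2P pairs and
# the payroll pair follow the page's own examples; the names are assumptions.
CONFLICT_RULES = {
    frozenset({"enter_vendor_invoice", "approve_vendor_payment"}),
    frozenset({"create_vendor", "approve_vendor_payment"}),
    frozenset({"prepare_payroll_run", "sign_payroll_checks"}),
}

# Constructed RBAC data: each role grants a set of tasks, each user holds roles.
ROLES = {
    "ap_clerk": {"enter_vendor_invoice"},
    "ap_manager": {"approve_vendor_payment"},
    "vendor_admin": {"create_vendor"},
    "payroll_all": {"prepare_payroll_run", "sign_payroll_checks"},  # conflicts by itself
}
USERS = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},  # conflict arises from the combination
    "carol": {"payroll_all"},
    "dave": {"vendor_admin"},
}

# Constructed activity log of (user, task, transaction id). A conflict only
# becomes a violation when the same person executes both steps on one transaction.
ACTIVITY_LOG = [
    ("bob", "enter_vendor_invoice", "INV-1001"),
    ("bob", "approve_vendor_payment", "INV-1001"),    # violation
    ("bob", "enter_vendor_invoice", "INV-1002"),
    ("alice", "approve_vendor_payment", "INV-1002"),  # second person approved: no violation
    ("carol", "prepare_payroll_run", "PAY-2024-06"),
    ("carol", "sign_payroll_checks", "PAY-2024-06"),  # violation
]


def conflicting_pairs(tasks):
    """Return every conflict rule whose two tasks both appear in `tasks`."""
    tasks = set(tasks)
    return {rule for rule in CONFLICT_RULES if rule <= tasks}


def intrarole_conflicts(roles=ROLES):
    """Step 1: roles that on their own grant a conflicting task combination."""
    return {role: conflicting_pairs(tasks)
            for role, tasks in roles.items() if conflicting_pairs(tasks)}


def interrole_conflicts(users=USERS, roles=ROLES):
    """Step 2: users whose combined roles create a conflict that no single
    assigned role contains (those are reported by intrarole_conflicts)."""
    result = {}
    for user, assigned in users.items():
        union = set().union(*(roles[r] for r in assigned))
        within_one_role = set().union(*(conflicting_pairs(roles[r]) for r in assigned))
        across_roles = conflicting_pairs(union) - within_one_role
        if across_roles:
            result[user] = across_roles
    return result


def sod_matrix(roles=ROLES):
    """Role-by-role matrix: True where holding both roles (or one role alone,
    on the diagonal) gives a user a conflicting combination."""
    names = sorted(roles)
    return {a: {b: bool(conflicting_pairs(roles[a] | roles[b])) for b in names}
            for a in names}


def violations(log=ACTIVITY_LOG):
    """Return (user, transaction, rule) for each rule whose two steps the same
    user performed on the same transaction."""
    performed = {}
    for user, task, txn in log:
        performed.setdefault((user, txn), set()).add(task)
    return [(user, txn, rule)
            for (user, txn), tasks in performed.items()
            for rule in conflicting_pairs(tasks)]


if __name__ == "__main__":
    print("intrarole:", intrarole_conflicts())
    print("interrole:", interrole_conflicts())
    for row, cols in sod_matrix().items():
        print(f"{row:>12}", " ".join("X" if cols[c] else "." for c in sorted(cols)))
    for user, txn, rule in violations():
        print("violation:", user, txn, sorted(rule))
```

Note the difference in what the two passes report: `carol` holds a role that conflicts with itself, so her exposure shows up under the role (and on the matrix diagonal) and is fixed by splitting the role, while `bob` is only exposed through the combination he was assigned, which is fixed by provisioning. The violation check is what turns the theoretical list into actionable findings: `bob` entering invoice INV-1002 is not a violation because a different person approved it.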
SoD has two main impacts on IT security:
IT security teams have a key role in the implementation of SoD, because they are the ones responsible for enforcing privileges and permissions in IT systems.
IT staff must work with the business first to define the correct role hierarchy according to SoD definitions—for example, ensuring that if one person has access to the software function used to prepare paychecks, that same person will not have access to the software function used to authorize paychecks. Similarly, IT staff need to ensure that roles do not have access to other applications or files belonging to a conflicting role.
An important part of SoD implementation is the principle of least privilege. Each individual should have the minimum permissions they need to perform their duties. Even within a certain IT system, individuals should only have access to the data and features they specifically require.
Permissions should be regularly reviewed, and revoked when an employee has changed role, no longer participates in a certain activity, or has left the company.
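The least-privilege review described in the two paragraphs above, as an added example that is not Pathlock's code or part of the original article: it compares what each user actually holds against a baseline of the minimum entitlements their current role needs, and flags everything to revoke for users who exceed that baseline, who changed role, or who are no longer employed. The baseline, HR records and entitlement snapshot are constructed; role and entitlement names are assumptions.

```python
"""Added example, not Pathlock's code: a periodic access review that applies
least privilege to what each user holds and flags entitlements to revoke for
users who changed role or left. Role, user and entitlement names are assumptions."""

# Constructed baseline: the minimum entitlements each job role needs.
ROLE_BASELINE = {
    "ap_clerk": {"enter_vendor_invoice", "view_vendor_master"},
    "ap_manager": {"approve_vendor_payment", "view_vendor_master"},
}

# Constructed HR record: (previous role, current role, still employed).
HR = {
    "alice": ("ap_clerk", "ap_clerk", True),
    "bob": ("ap_manager", "ap_manager", True),
    "erin": ("ap_clerk", "ap_clerk", False),    # leaver
    "frank": ("ap_clerk", "ap_manager", True),  # mover who kept clerk access
}

# Constructed snapshot of what the application currently grants each user.
ENTITLEMENTS = {
    "alice": {"enter_vendor_invoice", "view_vendor_master", "approve_vendor_payment"},
    "bob": {"approve_vendor_payment", "view_vendor_master"},
    "erin": {"enter_vendor_invoice"},
    "frank": {"enter_vendor_invoice", "view_vendor_master"},
    "ghost": {"view_vendor_master"},  # account with no HR record at all
}


def review_access(entitlements=ENTITLEMENTS, hr=HR, baseline=ROLE_BASELINE):
    """Return {user: (reason, entitlements_to_revoke)} for every finding.
    Users whose access matches their current role's baseline produce nothing."""
    findings = {}
    for user, held in entitlements.items():
        previous, current, employed = hr.get(user, (None, None, False))
        if not employed:
            # Leavers and orphaned accounts lose everything.
            reason = "left the company" if user in hr else "no HR record"
            findings[user] = (reason, set(held))
            continue
        # Least privilege: anything beyond the current role's baseline goes.
        excess = held - baseline.get(current, set())
        if not excess:
            continue
        reason = ("changed role from %s to %s" % (previous, current)
                  if previous != current else "exceeds baseline for %s" % current)
        findings[user] = (reason, excess)
    return findings


if __name__ == "__main__":
    for user, (reason, revoke) in review_access().items():
        print(f"{user}: revoke {sorted(revoke)} ({reason})")
```

The review only ever removes access; granting what a mover's new role needs is left to the provisioning workflow, so that the same process never both approves and revokes entitlements. The orphaned `ghost` account is the case most often missed in manual reviews, which is why the check treats "no HR record" exactly like a leaver.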
SoD within the IT department is critical—otherwise the same employee may be responsible for multiple steps of the permission assignment workflow.
Consider two examples of insufficient SoD in an IT department:
SoD in the IT department can prevent control failures that can result in disastrous consequences, such as data theft or sabotage of corporate systems. Different people must be responsible for different parts of critical IT processes, and there must be regular internal audits performed by individuals who are not part of the IT organization, and report directly to the CEO or board of directors.
Accounting departments are the traditional focus of SOX and similar regulations. Organizations must ensure they do not put multiple steps of a financial transaction or financial reporting flow in the hands of one person. Otherwise, there is no oversight to prevent careless or malicious individuals from committing acts of fraud or tampering with financial data.
A few examples of SoD in an accounting department:
The foundation of SoD in accounting is having several people in the accounting organization, with predefined roles that prevent SoD conflicts. In addition, there should be regular reviews by external auditors to ensure SoD is correctly maintained. Critical actions like signing high value checks or authorizing payrolls should ideally be conducted by senior executives.
When SoD is correctly implemented, organizations can significantly reduce the risk of human error in critical financial activities. When every critical transaction is performed by multiple individuals, there is a much higher chance one of those individuals will notice an error and correct it.
It is important to realize that risks in financial reporting do not only stem from malicious individuals—they can also result from careless individuals or honest mistakes, which can dramatically skew financial reporting.
Separation of duties can prevent several sources of human error, including:
It is often thought that SoD creates inefficiency, because it requires adding more roles that were not originally needed. However, if SoD is carefully planned, it can lead to specialization which can actually promote efficiency. If you separate financial departments into well-thought-out roles, each of which is carried out by a highly trained, specialized individual, each individual will do their work faster and more accurately.
Here are a few ways to improve organizational efficiency in an organization implementing SoD:
Compelled to address SoD issues within the company – specifically in order-to-cash and procure-to-pay processes – Scapa, a worldwide leading manufacturer of bonding products and adhesive components, turned to Pathlock. Pathlock provided an efficient and effective SoD management tool that was running after just two days of implementation and training.
The solution quickly identified existing SoD issues and began learning the behavior of all users on all systems. After a few weeks, Pathlock’s solution delivered continuous monitoring, immediate alerts, and notifications of new SoD violations and high-risk activities throughout the organization. As a result, Scapa could quickly implement SoD on crucial processes and maintain a proactive approach to security and control.
Choosing Pathlock’s solution for our organization has proven to be an excellent decision. We have now maintained control over Separation of Duties, locating any sensitive accounts and identifying the actual user and exact time of use. These achievements were essential for protecting our SAP investment, as well as for ensuring successful audits in the future. Pathlock solicits ideas from customers to guarantee that the user’s perspective comes first. Pathlock uniquely takes users’ requests and suggestions from the field to the practical level, and on various occasions, our suggestions have been included in Pathlock’s Access Governance Solution.
Richard Symes, SAP Competence Manager, Scapa
The following checklist can help you streamline SoD in your organization:
Pathlock provides a robust, cross-application solution to managing SoD conflicts and violations. Finance, internal controls, audit, and application teams can rest assured that Pathlock is providing complete protection across their enterprise application landscape.
With Pathlock, customers can enjoy a complete solution to SoD management that monitors conflicts as well as violations to prevent risk before it happens:
Interested to find out more about how Pathlock is changing the future of SoD? Request a demo to explore the leading solution for enforcing compliance and reducing risk.