What is segregation of duties what functions should be performed by different people?
What is Segregation of Duties (SoD)?

Segregation of Duties (SoD) is an internal control built for the purpose of preventing fraud and error in financial transactions. To do this, SoD ensures that at least two individuals are responsible for completing any critical task that has financial consequences or can impact financial reporting.
SoD processes break down tasks that could be completed by one individual into multiple tasks. The goal is to ensure that control is never in the hands of one individual, either by splitting the transaction into two or more pieces, or by requiring sign-off approval from another party before completion.

Payroll management, for example, often faces error and fraud risks. A common SoD control for payroll is to make one employee responsible for setting up the payroll run and another employee responsible for signing checks. This way, there is no short circuit through which someone could pay themselves or a colleague more or less than they are entitled to.

Breaking tasks down reduces risk, but it does not come without other costs. For one, it can negatively impact business efficiency. Additionally, stricter SoD enforcement can increase costs and complexity and require organizations to add more staff. This is why many organizations apply SoD only to the most vulnerable and mission-critical components of their environment.

Why is Segregation of Duties Important?

The concept behind Segregation of Duties is that the duty of running a business should be divided among several people, so that no one person has the power to cause damage to the business or to perform fraudulent or criminal activity. Separation of duties is an important part of risk management, and also relates to adhering to SOX compliance.

SoD comes up most often when talking about accounting and information security practices. Individuals in these roles can cause significant damage to a company, whether inadvertently or intentionally. There are several reasons employees may turn against their employer:
Therefore, finance and security leaders should pay attention to separation of duties. It is important to build each role with IT security capabilities so that no one can abuse it.

One of the laws that enforce separation of duties is the Sarbanes-Oxley Act of 2002 (SOX). In response to a wave of corporate accounting scandals, SOX required audit committees and senior executives to be accountable for the accuracy of their issued financial statements. As part of its enforcement, the Securities and Exchange Commission (SEC) specified that companies must establish effective internal control systems for financial reporting, with separation of duties being a critical part of those controls. Due to SOX and similar regulations, most financial companies currently enforce separation of roles in financial departments, information technology, security, and any other organizational unit that can have a critical impact on the organization or its financial reporting.

Segregation of Duties Concepts

What are SoD Conflicts?

To prevent misuse of critical combinations of tasks in a process, tasks within the organization are segregated (separation of duties, SoD). It is typically the company's authorization management that implements preventive measures to protect against criminal activity performed by individual users. To provide these precautions, you must first check for SoD conflicts and analyze them. Typically, this is done by using RBAC to analyze the roles themselves for any intrarole SoD overlaps, and then analyzing each user for interrole SoD overlaps.

SoD conflicts may occur in several areas of the company, such as Purchase to Pay (P2P) or Order to Cash (O2C). When a person holds the roles needed to perform a combination of important activities in a process sequence, this is called an SoD conflict. It means that the individual has the potential to act in their own interest and against the interests of the company.
Of course, not all conflicts mean illegal actions by users. Companies must next assess their SoD violations to ensure that SoD conflicts are not turning into risky or fraudulent behavior. Learn more in our detailed guide to segregation of duties conflicts (coming soon).

What are SoD Violations?

The first step in the SoD process is to leverage role-based access control (RBAC) to accurately provision users into systems and reduce potential SoD conflicts. However, once cost/benefit tradeoffs are taken into account, some SoD conflicts are an inevitable part of running a business. SoD violations act as a safety net: they let you see when users actually perform a risky transaction using a combination of entitlements that contains an SoD conflict. When any user abuses the assigned access, performing an action prohibited by company policy or industry regulation, this is considered a violation and it is investigated for potential fraud or harm.

Technically, a violation occurs when a user gains control over more workflow steps than they are allowed and uses them together on one or more transactions, for example by both entering vendor invoices and approving vendor payments. When properly applied, SoD uses internal controls to highlight these conflicts of interest and improve safety and compliance. Managing SoD through monitoring violations focuses attention and effort on actual violations rather than on the theoretical risks raised by SoD conflicts.

What is a Segregation of Duties Matrix?

Implementing SoD can be very complex. To keep accounting roles, responsibilities, and risks clear, compliance managers use the Segregation of Duties Matrix (SoD matrix). The matrix plots the unique user roles on the X axis and the same roles on the Y axis, so that conflicting role pairs can be identified and resolved. In modern organizations relying on enterprise resource planning (ERP) software, SoD matrices are generated automatically, based on the user roles and tasks defined in the ERP.
Each task must match a procedure in the transaction workflow, and it is then possible to group roles and tasks, ensuring that no one user has permission to perform more than one stage in the transaction workflow.
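As an added example (not code from the page or from Pathlock), the following Python script carries out the two-step conflict analysis from the SoD Conflicts section and the violation check from the SoD Violations section: it reports intrarole conflicts in a constructed role model, then interrole conflicts per user, and finally flags a violation only when one user actually performs both halves of a conflicting pair on the same transaction. The role, user and log data and the function names are all constructed for this example.

```python
# Added example (not page or Pathlock code): SoD conflict and violation checks
# over a constructed RBAC model and a constructed transaction log.
SOD_CONFLICTS = {  # function pairs no single person may hold (the SoD matrix)
    frozenset({"enter_vendor_invoice", "approve_vendor_payment"}),
    frozenset({"create_vendor", "approve_vendor_payment"}),
    frozenset({"setup_payroll_run", "sign_payroll_checks"}),
}
ROLES = {  # constructed role -> functions
    "ap_clerk": {"enter_vendor_invoice", "create_vendor"},
    "ap_manager": {"approve_vendor_payment"},
    "payroll_admin": {"setup_payroll_run", "sign_payroll_checks"},
}
USERS = {  # constructed user -> roles
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},
    "carol": {"payroll_admin"},
}

def conflicts_in(functions):
    """Conflicting pairs fully contained in a set of functions."""
    return {pair for pair in SOD_CONFLICTS if pair <= functions}

def intrarole_conflicts(roles=ROLES):
    """Step 1: roles that by themselves bundle a conflicting pair."""
    return {r: conflicts_in(f) for r, f in roles.items() if conflicts_in(f)}

def interrole_conflicts(users=USERS, roles=ROLES):
    """Step 2: users whose combination of roles creates a pair that no
    single assigned role already contains (those are step-1 findings)."""
    found = {}
    for user, assigned in users.items():
        combined = conflicts_in(set().union(*(roles[r] for r in assigned)))
        in_one_role = set().union(*(conflicts_in(roles[r]) for r in assigned))
        if combined - in_one_role:
            found[user] = combined - in_one_role
    return found

def violations(log):
    """A conflict becomes a violation only when one user performs both
    functions of a pair on the same transaction; rows are (user, function, txn)."""
    per_txn = {}
    for user, func, txn in log:
        per_txn.setdefault((user, txn), set()).add(func)
    return {k: conflicts_in(f) for k, f in per_txn.items() if conflicts_in(f)}

LOG = [  # constructed log: bob both enters and approves invoice INV-7
    ("alice", "enter_vendor_invoice", "INV-5"),
    ("bob", "approve_vendor_payment", "INV-5"),
    ("bob", "enter_vendor_invoice", "INV-7"),
    ("bob", "approve_vendor_payment", "INV-7"),
]
```

Note that carol's conflict is reported only by the intrarole check, since it comes from a single badly designed role rather than from her assignments, and bob's approval of INV-5 is not a violation because someone else entered that invoice.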
How Does Segregation of Duties Impact Your Organization?

Segregation of Duties in IT Security

SoD has two main impacts on IT security:

IT security is responsible for implementing SoD

IT security teams have a key role in the implementation of SoD, because they are the ones responsible for enforcing privileges and permissions in IT systems. IT staff must first work with the business to define the correct role hierarchy according to the SoD definitions. For example, if one person has access to the software function used to prepare paychecks, that same person must not have access to the software function used to authorize paychecks. Similarly, IT staff need to ensure that roles do not have access to other applications or files belonging to a conflicting role.

An important part of SoD implementation is the principle of least privilege. Each individual should have the minimum permissions they need to perform their duties. Even within a given IT system, individuals should only have access to the data and features they specifically require. Permissions should be reviewed regularly, and revoked when an employee has changed role, no longer participates in a certain activity, or has left the company.

IT departments need to practice SoD themselves

SoD within the IT department is critical; otherwise the same employee may be responsible for multiple steps of the permission assignment workflow. Consider two examples of insufficient SoD in an IT department:
SoD in the IT department can prevent control failures that could have disastrous consequences, such as data theft or sabotage of corporate systems. Different people must be responsible for different parts of critical IT processes, and there must be regular internal audits performed by individuals who are not part of the IT organization and who report directly to the CEO or board of directors.

Segregation of Duties in Accounting

Accounting departments are the traditional focus of SOX and similar regulations. Organizations must ensure they do not put multiple steps of a financial transaction or financial reporting flow in the hands of one person. Otherwise, there is no oversight to prevent careless or malicious individuals from committing fraud or tampering with financial data. A few examples of SoD in an accounting department:
The foundation of SoD in accounting is having several people in the accounting organization, with predefined roles that prevent SoD conflicts. In addition, there should be regular reviews by external auditors to ensure SoD is correctly maintained. Critical actions like signing high-value checks or authorizing payrolls should ideally be performed by senior executives.

SoD Can Reduce Human Error

When SoD is correctly implemented, organizations can significantly reduce the risk of human error in critical financial activities. When every critical transaction involves multiple individuals, there is a much higher chance that one of them will notice an error and correct it. It is important to realize that risks in financial reporting do not stem only from malicious individuals; they can also result from careless individuals or honest mistakes, which can dramatically skew financial reporting. Segregation of duties can prevent several sources of human error, including:
SoD Can Increase Efficiency

It is often thought that SoD creates inefficiency, because it requires adding roles that were not originally needed. However, if SoD is carefully planned, it can lead to specialization, which can actually promote efficiency. If you separate financial departments into well-thought-out roles, each carried out by a highly trained, specialized individual, each individual will do their work faster and more accurately. Here are a few ways to improve organizational efficiency in an organization implementing SoD:
6-Step Segregation of Duties Checklist

The following checklist can help you streamline SoD in your organization:
Segregation of Duties Automation with Pathlock

Pathlock provides a robust, cross-application solution for managing SoD conflicts and violations. Finance, internal controls, audit, and application teams can rest assured that Pathlock is providing complete protection across their enterprise application landscape. With Pathlock, customers get a complete solution to SoD management that monitors both conflicts and violations to prevent risk before it happens:
Interested in finding out more about how Pathlock is changing the future of SoD? Request a demo to explore the leading solution for enforcing compliance and reducing risk.

What do you understand by the term segregation of duties? What are the different functions of segregation of duties? Explain.

Segregation of Duties (SOD) is a basic building block of sustainable risk management and internal controls for a business. The principle of SOD is based on shared responsibility for a key process, dispersing the critical functions of that process to more than one person or department.
What are the four functions of segregation of duties?

There are four general categories of duties or responsibilities that are examined when segregation of duties is discussed: authorization, custody, record keeping and reconciliation. In an ideal system, different employees would perform each of these four major functions.
What are the functions that should be segregated?

Generally, the primary incompatible duties that need to be segregated are:

- Authorization or approval
- Custody of assets
- Recording transactions
- Reconciliation/control activity

What is segregation of duties? Give an example of functions that should be separated.

The separation of duties concept prohibits assigning one person responsibility for the acquisition of assets, their custody, and the related record keeping. For example, one person can place an order to buy an asset, but a different person must record the transaction in the accounting records.