What is Segregation of Duties and why is it important?

The basis of SoD is the understanding that running a business should not be a single-person job. No one person should have the power or control to perform any kind of task that may lead to fraudulent or criminal activity that could damage the company. Segregation of duties is based on the idea of shared responsibilities, wherein the critical functions of a key process are dispersed to more than one person or department to mitigate the risk of fraud or other unethical behaviors. SoD is an important element of both enterprise risk management and compliance with laws such as the Sarbanes-Oxley Act of 2002 (SOX). Many companies struggle to implement effective Segregation of Duties controls in their ERP systems such as Oracle E-Business Suite, SAP, Oracle ERP Cloud, even though the concept of SoD is simple as described above.

  • Separation of duties implements checks and balances that help prevent issues that can negatively affect an organization, resulting in financial losses, regulatory penalties, and irreparable brand damage.
  • Take time to develop and schedule employee training that explains the hows and whys of separation of duties.
  • One of the most basic, yet most important principles of sound management is that of segregation of duties.
  • Significant damage to your organization can result from errors or fraud in all three departments, and organizations failing to implement effective SOD policies in these areas do so at their peril.

In addition, you will need to outline the policies that you have defined for your departments and employees. For example, an employee issuing payment must not also be the one signing checks. Another example of a policy could be: the employee responsible for selling a product must not also confirm its delivery. To mitigate SoD violations, an organization must monitor violations and each employee's activity. That is what an internal SoD violation looks like; now let's look at how an external SoD violation can occur. For instance, a senior decision-maker such as the CEO of an organization manipulates financial statements, violating SOX regulations.

The SoD implementation tested for this article listed more than 80 potential SoD conflicts, along with the compensating controls that had been applied to reduce risk to acceptable levels. In enterprises, process activities are often described by means of a procedure or a diagram in a standard notation, such as Business Process Model and Notation (BPMN). Often, these descriptions are at a level of detail that does not immediately match the duties as previously defined. This may generate confusion when checking whether there is a conflict in the attribution of duties. For example, figure 3 shows a schematic example of a fictitious accounts receivable process. It is only a part of the process and is grossly simplified, but it helps to illustrate this point.

In the AUT activity, the department checks the PRF submitted by the requestor; in the REC and CUS duties, it sends the PO to the supplier. In the first case, there are two different assets (PRFs and POs), so SoD is maintained. In the second case, the purchasing department is solely responsible for sending orders to suppliers, so a compensating control is needed; for example, the requestor could review and sign off on the PO before it is sent to the supplier (thus exercising an AUT duty).

Risks of overlooking segregation of duties controls

In fact, checking SoD among all actors against all activities in a complex enterprise, aside from being impractical, would be meaningless.

Be Wary and Watchful

While SOD seems a simple process, not properly following it can lead to disastrous consequences, evidenced by the two case studies above. As CPAs, you have the knowledge to make certain SOD is properly implemented within your own organization, as well as your clients' and customers' businesses.

Much to the general manager's disappointment, variances between the two inventory valuations continued and book value climbed. The operations manager came under severe scrutiny and corporate staff auditors were dispatched to the distribution center. At this point, the operations manager stopped showing up for work and was not returning phone calls.

  • When a person has the required roles needed to perform a combination of important activities in a process sequence, this is called a SoD conflict.
  • It can lead to tremendous fines for the organization, and the employee may also serve a prison sentence.
  • It is important to build a role with IT security capabilities so that no one can abuse it.
  • An SoD conflict occurs when an employee can potentially abuse a company process for their own personal gain.
  • Effective segregation of duties (SoD) controls can reduce the risk of internal fraud through early detection of internal process failures in key business systems.
  • Governance is not included in figure 2 since risk factors due to lack of governance are less specific and more difficult to match with single duties (nonetheless, they may have high impacts on businesses).

You can create an SoD matrix either using software such as MS Excel or manually on a paper sheet. In it, you can assign an authorized individual to analyze every role and the access permissions assigned to it, looking for both inter-role and intra-role SoD overlaps. A 2022 report by the Association of Certified Fraud Examiners (ACFE) highlights that companies bear losses of approximately $1,783,000 to employee fraud per case. Request a demo to explore the leading solution for enforcing compliance and reducing risk.

Conduct regular reviews and maintain SoD processes

In this case, the business owner should review a report from the accounting software that shows all new vendors entered during the month. Any vendors you are not aware of or don't remember doing business with in the last month should be questioned. Require that the accountant/bookkeeper provide documentation of what services were provided to jog your memory. There are several additional steps that you can take to verify that vendors are legitimate. An employee has less opportunity to cut a check to themselves, family members, or friends if they cannot both enter new vendors into the accounting system and issue a payment.

Implementing Segregation of Duties: A Practical Experience Based on Best Practices

For example, one person is not able to complete a task without another person who acts as a check, or access can be limited to a set number of times. Separation of duties is intended to prevent security compromises such as errors, fraud, misuse of information, sabotage, and theft. On the top-down side of the approach, the organization was analyzed to determine the roles of every department, function or office involved. Then, roles were matched with the actors described in process-flow diagrams and procedures. This made it possible to match individuals in the process flow with a specific job description within the organization.

#3. SoD Matrix

Dual custody is when two individuals perform a task together, such as opening the mail. Two employees stamp the back of checks with the company's deposit stamp, count cash, and prepare the bank deposit. Segregation of duties takes one task and divides it into two or more phases, jobs, or components. By limiting any one person's control over a process, it provides a barrier to fraud being committed. Segregation of duties is the distribution of tasks performed by individuals in a business. SoD conflicts can occur in different domains of an organization, such as Order to Cash (O2C) or Purchase to Pay (P2P).

This matrix is not an industry standard, just a general guideline suggesting which positions should be separated and which require compensating controls when combined. With HyperComply's industry-leading compliance software, companies can centralize security details and documents for improved monitoring, document sharing, and access controls. To see how HyperComply can help your company elevate its risk management process, sign up for a HyperComply demo. Therefore, the first scoping rule is that duties must be segregated for every single asset to avoid conflicts (as in the first example, in which two employees exchange their duties). Segregation of duties breaks business-critical tasks into four separate function categories: authorization, custody, recordkeeping, and reconciliation.
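To make the intra-role and inter-role overlap check from the SoD matrix section concrete, here is an added example in Python (not code from the original article or from any vendor's product): a small checker that scopes each duty to an asset, as the first scoping rule above requires, and reports conflicts both inside single roles and across the roles a user holds. The duty codes, the conflicting pairs, and the roles and users are constructed assumptions, not a standard rule set.

```python
from itertools import combinations

# Duty codes for the four function categories named in the text:
# AUT = authorization, CUS = custody, REC = recordkeeping, RCN = reconciliation.
# Assumed conflict pairs; a real matrix is tailored per organization.
CONFLICTS = {
    frozenset({"AUT", "CUS"}),
    frozenset({"AUT", "REC"}),
    frozenset({"CUS", "REC"}),
    frozenset({"REC", "RCN"}),
    frozenset({"CUS", "RCN"}),
}

# Role -> set of (asset, duty) permissions. Constructed sample data.
ROLES = {
    "vendor_admin": {("vendor_master", "REC")},
    # REC on invoices and CUS on payments: different assets, so no conflict
    # under the per-asset scoping rule.
    "ap_clerk":     {("invoice", "REC"), ("payment", "CUS")},
    "ap_approver":  {("invoice", "AUT")},
    # AUT and REC on the same asset: a conflict built into the role itself.
    "ap_super":     {("invoice", "AUT"), ("invoice", "REC")},
    "bank_recon":   {("payment", "RCN")},
}

# User -> roles held. Constructed sample data.
USERS = {
    "alice": {"ap_approver", "bank_recon"},  # invoice AUT + payment RCN: clean
    "bob":   {"ap_clerk", "bank_recon"},     # payment CUS + RCN via two roles
    "carol": {"ap_super"},                   # inherits the intra-role conflict
}

def conflicts_in(perms):
    """Return sorted (asset, duty_a, duty_b) triples for conflicting duties on one asset."""
    found = set()
    for (a1, d1), (a2, d2) in combinations(sorted(perms), 2):
        if a1 == a2 and frozenset({d1, d2}) in CONFLICTS:
            found.add((a1, *sorted((d1, d2))))
    return sorted(found)

def intra_role_conflicts(roles=ROLES):
    """Roles whose own permission set already violates SoD."""
    return {r: conflicts_in(p) for r, p in roles.items() if conflicts_in(p)}

def inter_role_conflicts(users=USERS, roles=ROLES):
    """Users whose combined roles violate SoD (includes inherited intra-role ones)."""
    report = {}
    for user, held in users.items():
        perms = set().union(*(roles[r] for r in held))
        if conflicts_in(perms):
            report[user] = conflicts_in(perms)
    return report
```

Running the two functions over the sample data flags `ap_super` as a role that should never have been built that way, and `bob` as a user whose two individually clean roles combine into custody plus reconciliation of payments.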

Segregation of Duties in Your Organization

This is why companies should thoroughly examine each case and assess their SoD violation policies to ensure the conflicts don't turn into fraud or illegal activity. Some may think that adding more roles will lead to inefficiencies and higher costs, but dividing a task into multiple sub-tasks, each performed by a suitable, specialized individual, can instead improve accuracy and speed.

It is essential to perform periodic reviews of access to ERP and other critical business systems, and to have a third party review that access, in order to identify hidden conflicts. Additionally, investigating the role definitions themselves may often unearth sources of potential risk, as roles can be created with SoD conflicts already living within them. Segregation of Duties (SoD) is an internal control measure that all organizations should adopt to stop error and fraud, and it is especially important when complying with regulations like the US Sarbanes-Oxley Act of 2002 (SOX). SoD ensures that more than one person carries out the tasks required to bring a sensitive business process to completion.

Payroll is one example where the segregation of duties works well and is even desirable. This blog explores common examples of departments and tasks that should be separated to ensure security. Maintaining control integrity is not optional in our rapidly evolving market; it is a necessity.
