Using Segregation of Duties (SoD) to Minimize Fraud
February 13, 2019
Fraud can occur at any company that presents the opportunity to its employees. Too often, corporations trust that their employees are operating in the business’ best interests at all times. After all, these employees have typically gone through a rigorous hiring process with background checks and several internal interviews before joining the team. Unfortunately, trust is not a control, and solid segregation of duties principles are critical to maintaining compliance. Contrary to what you may believe, it’s often the trusted, longtime employees who are involved in fraud.
As an example, CVS identified anomalies related to procurement of diabetic test strips at a location in Rochester, NY. During further analysis, they determined that a senior assistant purchasing manager had stolen 20,203 boxes of diabetic test strips with a value of $2.5M. This purchasing manager had been with CVS for over 10 years and was considered to be a trusted employee. However, excessive system access allowed the manager to both procure goods and receive them, a combination that is a critical segregation of duties conflict.
What is Segregation of Duties (SoD)?
Segregation of Duties (SoD) is one of the foundational controls in an effective Governance, Risk and Compliance (GRC) program. SoD separates responsibility for the different steps of a business transaction across different people, so that no single person can complete the transaction alone, reducing the risk of fraud or errors.
Small locations – like a CVS store – may not have enough employees to properly segregate all business functions. This leads to inevitable SoD conflicts. In the scenario above, CVS allowed one person to execute multiple portions of the procure-to-pay process. This violates the core principle of segregation of duties.
The SAP GRC Access & Process Control framework calls for mitigating controls once a SoD conflict of this type is discovered. However, this process for identifying and addressing SoD conflicts typically relies on manual steps like reviewing vendor lists, combing through unusual purchasing activities, and trying to match goods receipts with purchase orders and related invoices.
This manual process is time-consuming and lacks systematic risk and usage analysis. Without real-time alerts on potential violations of SoD controls, consistent compliance reports, and mandated reviews and sign-offs, compliance violations may go unnoticed for long periods of time, or forever. In the case of this CVS incident, their internal auditing systems did “red flag” the purchasing of diabetic strips. Unfortunately, that flag was not raised until $2.5 million worth of the strips had already gone unaccounted for.
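To make the two checks described above concrete, here is an added Python example (not code from this page, from CVS, or from any GRC product) that does the access-side analysis (which users hold conflicting procure-to-pay functions, and whether an approved mitigating control exists for the conflict) and the usage-side analysis (goods receipts that have no purchase order, exceed the ordered quantity, or were posted by the same user who created the order). The ruleset, role names, users, purchase orders and goods receipts are all constructed for illustration and do not correspond to SAP authorization objects or transaction codes.

```python
"""Added example: minimal SoD access analysis plus goods-receipt usage checks.
Every rule, role, user and document below is constructed for illustration."""
from dataclasses import dataclass

# Constructed SoD ruleset: pairs of business functions one person must not hold together.
SOD_RULES = {
    "P2P-01": ("CREATE_PURCHASE_ORDER", "POST_GOODS_RECEIPT"),
    "P2P-02": ("CREATE_PURCHASE_ORDER", "MAINTAIN_VENDOR_MASTER"),
    "P2P-03": ("POST_GOODS_RECEIPT", "POST_VENDOR_INVOICE"),
}

# Constructed roles and the business functions each one grants.
ROLES = {
    "PURCHASER": {"CREATE_PURCHASE_ORDER"},
    "WAREHOUSE": {"POST_GOODS_RECEIPT"},
    "AP_CLERK": {"POST_VENDOR_INVOICE"},
    "VENDOR_ADMIN": {"MAINTAIN_VENDOR_MASTER"},
}


@dataclass
class Finding:
    user: str
    rule_id: str
    functions: tuple
    mitigated: bool  # True when an approved mitigating control is on file


def effective_functions(user_roles):
    """Union of the functions granted through every role assigned to a user."""
    funcs = set()
    for role in user_roles:
        funcs |= ROLES.get(role, set())
    return funcs


def analyse_sod(assignments, mitigations=None):
    """Return one Finding per (user, rule) where the user holds both conflicting
    functions. `mitigations` maps (user, rule_id) -> description of the control."""
    mitigations = mitigations or {}
    findings = []
    for user, roles in sorted(assignments.items()):
        funcs = effective_functions(roles)
        for rule_id, (a, b) in SOD_RULES.items():
            if a in funcs and b in funcs:
                findings.append(Finding(user, rule_id, (a, b), (user, rule_id) in mitigations))
    return findings


def risky_receipts(purchase_orders, goods_receipts):
    """Flag a goods receipt that references no purchase order, exceeds the ordered
    quantity, or was posted by the user who created the order (an SoD usage violation)."""
    po_by_id = {po["po_id"]: po for po in purchase_orders}
    alerts = []
    for gr in goods_receipts:
        po = po_by_id.get(gr["po_id"])
        if po is None:
            alerts.append((gr["gr_id"], "no matching purchase order"))
            continue
        if gr["qty"] > po["qty"]:
            alerts.append((gr["gr_id"], f"received {gr['qty']} > ordered {po['qty']}"))
        if gr["posted_by"] == po["created_by"]:
            alerts.append((gr["gr_id"], f"PO and GR both by {po['created_by']}"))
    return alerts


# Constructed sample data.
ASSIGNMENTS = {
    "u_smith": ["PURCHASER", "WAREHOUSE"],     # can order and receive: P2P-01, unmitigated
    "u_jones": ["WAREHOUSE"],                  # no conflict
    "u_lee": ["PURCHASER", "VENDOR_ADMIN"],    # P2P-02, covered by a mitigating control
}
MITIGATIONS = {("u_lee", "P2P-02"): "monthly vendor-master change review by finance"}
PURCHASE_ORDERS = [
    {"po_id": "PO-100", "created_by": "u_smith", "qty": 50},
    {"po_id": "PO-101", "created_by": "u_lee", "qty": 10},
]
GOODS_RECEIPTS = [
    {"gr_id": "GR-1", "po_id": "PO-100", "posted_by": "u_smith", "qty": 50},  # same person
    {"gr_id": "GR-2", "po_id": "PO-101", "posted_by": "u_jones", "qty": 12},  # over-receipt
    {"gr_id": "GR-3", "po_id": "PO-999", "posted_by": "u_jones", "qty": 5},   # no PO
]


def report():
    """Run both analyses over the sample data and return the results."""
    return analyse_sod(ASSIGNMENTS, MITIGATIONS), risky_receipts(PURCHASE_ORDERS, GOODS_RECEIPTS)


if __name__ == "__main__":
    findings, alerts = report()
    for f in findings:
        print(f"{f.user}: {f.rule_id} {f.functions} mitigated={f.mitigated}")
    for gr_id, reason in alerts:
        print(f"{gr_id}: {reason}")
```

The access analysis answers "who could commit this fraud", and the receipt check answers "did anyone actually exercise the conflict"; a monitoring program needs both, because a mitigated conflict still has to be watched, and a receipt posted by the same user who raised the order is exactly the pattern in the CVS case.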
Solving SAP SoD Compliance Challenges
Organizations around the world can strengthen their SoD process by using SoD monitoring tools. These products are designed to detect, analyze and manage risks related to SoD conflicts, automating the review of user access to sensitive transactions and of violations of complex, role-based authorization rules. In particular, we implement ControlPanelGRC®, a Continuous Controls Monitoring (CCM) platform designed to automate SAP and SOX compliance and audit-relevant tasks like SoD.
Our team can work with you to implement ControlPanelGRC in your organization, embedding SoD compliance into your day-to-day SAP administration in a matter of hours. Our approach covers regular user and role changes, transport and batch jobs as well as emergency access processes. Additionally, all your SAP and SOX compliance checkpoints are available on a single dashboard designed for business users.