What is Segregation of Duties?
September 4, 2019
Segregation of Duties is one of those business concepts that's a bit abstract, but the truth is you see it every day, perhaps without realizing. Formally, Segregation of Duties (SoD) is a set of controls and policies intended to ensure accuracy and keep companies compliant with regulations like Sarbanes-Oxley. In simple terms, however, SoD is about making sure that controls are where they're supposed to be and that no single person holds a combination of roles that could facilitate fraud or embezzlement. The classic example is preventing one person from both creating a vendor and paying that vendor.
What is Segregation of Duties?
Have you ever been at a store and had the cashier call for a manager to do an "override" on the cash register to void your transaction? That's an everyday example of SoD. The cashier's duties preclude him or her from overriding cash register transactions; that is the manager's exclusive duty, and the register enforces it by requiring the manager's own credentials. If the cashier could override a transaction alone, the store would be at risk of employee theft.
People aren't perfect: they make mistakes, use poor judgment, and give in to temptation. When those people have broad access to an ERP system, the consequences can be huge. Employees can defraud investors of millions, jeopardize the safety of consumers with undetected errors, and expose employers to civil and criminal liabilities.
Your segregation of duties policy divides up transactions, both to make it harder for mistakes to slip through undetected, and to hold workers and leadership accountable. Though it’s not pleasant to contemplate, fraud risk is real and “trust” is not a control. Responsible businesses take care to mitigate these risks with SoD on ERP systems and other controls.
The goal of SoD is to prevent combinations of roles that could facilitate fraud or embezzlement. In corporate accounting, SoD manifests as separations between people who must hand off steps in a given transaction to ensure that it’s completed accurately. Examples include:
- The person who approves new vendors cannot authorize a purchase order to those vendors
- An individual who approves purchase orders cannot also authorize checks to be written
- The person who prepares invoices cannot also enter sales transactions in the general ledger
Segregation of Duties Policy in Compliance
SoD figures prominently in Sarbanes-Oxley (SOX) compliance. SOX mandates that publicly traded companies document and certify their internal controls over financial reporting, and SoD is a core part of those controls. Following a meticulous audit, the CEO and CFO of the public company must sign off on an attestation of controls, and they can be held personally accountable for inaccuracies in these statements. Willfully certifying a false report is a criminal offense under SOX, so executives who knowingly fudge SoD could even go to prison.
The Federal government's 21 CFR Part 11 rule (CFR stands for "Code of Federal Regulations") also depends on SoD for compliance. It governs electronic records and electronic signatures in FDA-regulated industries such as pharmaceuticals, medical devices and clinical research, where lives might depend on keeping accurate records and reporting on controls. SoD makes sure that records are only created, edited and signed by people authorized to do so.
The Segregation of Duties Matrix
There are many ways to devise and implement segregation of duties. In the old days, it was about paper, e.g. the pink copy of a sales receipt went to person A while the yellow copy went to person B. If the yellow and pink copies didn’t match, there was a problem. We’ve come a long way.
Now, SoD is enforced through authorizations tied to user roles in SAP systems. If the payables clerk is not supposed to authorize a check, his or her role simply does not include the check-authorizing functions of the ERP solution, so the system itself makes the conflict impossible.
This sounds pretty simple, but doing it can get complicated pretty quickly. In modern organizations, you might have dozens of roles across multiple locations and business units. To keep things straight, when we work with a client to establish their SoD rules, we start from the rule set that is included "out of the box" with ControlPanelGRC. The premise follows what's known as a "Segregation of Duties Matrix." The rules are standardized and generally follow a matrix approach, like the one shown here, to identify incompatible portions of business transactions.
The grid displays potential role conflicts, while showing which roles are complementary in completing transactions. By following the matrix, you can see who should be allowed or denied access to system functions, and you can use the same grid to detect SoD conflicts in your SAP landscape. For example, a user holding the "AP Voucher Entry" role cannot also have access to the ERP functionality set up for the "AP Payments" role, and so forth. The important point is that the check has to run against a user's combined access, not one role at a time: two roles that are each clean on their own can still create a conflict when the same person holds both.
Managing SoD Conflicts in SAP
Managing SoD risks in SAP can be challenging, however. An SAP system could have thousands of users and dozens of different roles, each with its own access rights, and it becomes a big job to determine who should be able to do what. Plus, roles and privileges are almost always changing. An administrator could easily create a new role with too many access privileges, or assign a second role to a user, without realizing that the combination violates the matrix. This is known as an SoD risk in SAP. A best practice is to have policies and tooling that let your organization find SoD conflicts in SAP, ideally before the access is granted, and then remediate them.
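As an added illustration of the matrix approach described above and of the conflict checks this section calls for, here is a small SoD analyzer in Python. It is example code written for this page, not part of ControlPanelGRC or of SAP. The rulebook encodes the incompatible function pairs listed earlier in the article (vendor setup vs. payment, vendor approval vs. PO authorization, PO authorization vs. check authorization, invoice preparation vs. GL sales entry, AP voucher entry vs. AP payments); the rule IDs, role names, function names and users are all constructed sample data. It shows the three checks a practitioner wants: roles that conflict on their own, users whose combined roles conflict, and a preventive "what if I assign this role" simulation.

```python
"""Toy Segregation of Duties (SoD) conflict analyzer.

Added example for this article, not ControlPanelGRC or SAP code.
Model: a user holds roles; a role grants business functions; the SoD
matrix is a rulebook of function pairs that one person must not hold.
"""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

Finding = Tuple[str, str, str]  # (rule id, function a, function b)

# SoD matrix as incompatible function pairs. Rule IDs are invented for
# illustration; the pairs are the conflicts named in the article.
RULEBOOK: Dict[str, Tuple[str, str]] = {
    "SOD-001": ("VENDOR_MASTER_MAINTAIN", "AP_PAYMENTS"),
    "SOD-002": ("VENDOR_APPROVE", "PO_AUTHORIZE"),
    "SOD-003": ("PO_AUTHORIZE", "CHECK_AUTHORIZE"),
    "SOD-004": ("INVOICE_PREPARE", "GL_SALES_ENTRY"),
    "SOD-005": ("AP_VOUCHER_ENTRY", "AP_PAYMENTS"),
}

# Constructed sample roles: role name -> business functions it grants.
ROLES: Dict[str, Set[str]] = {
    "Z_AP_CLERK": {"AP_VOUCHER_ENTRY", "INVOICE_PREPARE"},
    "Z_AP_PAYMENTS": {"AP_PAYMENTS"},
    "Z_VENDOR_MAINT": {"VENDOR_MASTER_MAINTAIN", "VENDOR_APPROVE"},
    "Z_PURCHASING_MGR": {"PO_AUTHORIZE"},
    "Z_TREASURY": {"CHECK_AUTHORIZE"},
    "Z_GL_ACCOUNTANT": {"GL_SALES_ENTRY"},
    # A badly designed role: conflicting functions inside one role.
    "Z_AP_ALL": {"AP_VOUCHER_ENTRY", "AP_PAYMENTS", "VENDOR_MASTER_MAINTAIN"},
}

# Constructed sample users: user id -> roles assigned.
USERS: Dict[str, Set[str]] = {
    "alice": {"Z_AP_CLERK"},
    "bob": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},      # clean roles, conflicting combination
    "carol": {"Z_AP_ALL"},                       # conflict carried by a single role
    "dave": {"Z_PURCHASING_MGR", "Z_TREASURY"},  # clean roles, conflicting combination
    "erin": {"Z_VENDOR_MAINT"},
}


def matrix(rulebook: Dict[str, Tuple[str, str]] = RULEBOOK) -> Dict[FrozenSet[str], str]:
    """Index the rulebook so a lookup is independent of pair order."""
    return {frozenset(pair): rule_id for rule_id, pair in rulebook.items()}


def conflicts_in(functions: Set[str], rulebook=RULEBOOK) -> List[Finding]:
    """Every incompatible pair present in one set of functions."""
    index = matrix(rulebook)
    found = []
    for a, b in combinations(sorted(functions), 2):
        rule_id = index.get(frozenset((a, b)))
        if rule_id:
            found.append((rule_id, a, b))
    return sorted(found)


def role_conflicts(roles=ROLES, rulebook=RULEBOOK) -> Dict[str, List[Finding]]:
    """Roles that violate the matrix on their own (catch at role design time)."""
    return {r: c for r, f in roles.items() if (c := conflicts_in(f, rulebook))}


def effective_functions(user: str, users=USERS, roles=ROLES) -> Set[str]:
    """Union of everything the user's roles grant: the set SoD must judge."""
    return set().union(*(roles.get(r, set()) for r in users[user]))


def user_conflicts(users=USERS, roles=ROLES, rulebook=RULEBOOK) -> Dict[str, List[Finding]]:
    """Users whose combined roles grant an incompatible pair."""
    result = {}
    for user in users:
        found = conflicts_in(effective_functions(user, users, roles), rulebook)
        if found:
            result[user] = found
    return result


def granting_roles(user: str, function: str, users=USERS, roles=ROLES) -> Set[str]:
    """Which of the user's roles grant a function (tells the remediator what to remove)."""
    return {r for r in users[user] if function in roles.get(r, set())}


def simulate_assignment(user: str, new_role: str, users=USERS, roles=ROLES,
                        rulebook=RULEBOOK) -> List[Finding]:
    """Preventive check: conflicts that assigning new_role would newly introduce."""
    current = effective_functions(user, users, roles)
    before = set(conflicts_in(current, rulebook))
    after = set(conflicts_in(current | roles[new_role], rulebook))
    return sorted(after - before)


if __name__ == "__main__":
    for role, found in role_conflicts().items():
        print(f"role {role}: {found}")
    for user, found in user_conflicts().items():
        for rule_id, a, b in found:
            print(f"user {user}: {rule_id} {a} via {granting_roles(user, a)} "
                  f"and {b} via {granting_roles(user, b)}")
    print("erin + Z_PURCHASING_MGR would add:", simulate_assignment("erin", "Z_PURCHASING_MGR"))
```

Two things in this toy are worth carrying into a real landscape. First, the analysis runs on the user's effective access, so bob and dave are flagged even though each of their roles is individually clean, which is exactly the case a role-by-role review misses. Second, the simulation step is what turns detective control into preventive control: a provisioning workflow can call it before the role is assigned and route the request to a compensating-control decision instead of creating the conflict. A production rulebook would also map each business function to the concrete transaction codes and authorization objects that implement it, which is where the bulk of the effort goes.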
Before you begin a manual remediation process, it’s worthwhile to spend a moment understanding SAP SoD tools. SAP SoD tools, along with solutions like our ControlPanelGRC, provide automation and precision to the SoD process. With these tools, teams can automatically analyze roles and identify SoD risks. What previously took days, or even weeks to discover through a manual review of roles and workflows, could appear in minutes with ControlPanelGRC.
Segregation of Duties in GRC
Given SAP's centrality in running most companies' financials and operations, the SAP system has a critical role to play in SoD as it relates to the broader work of Governance, Risk Management, and Compliance (GRC). Our ControlPanelGRC tool makes this all happen. An ABAP-based solution, ControlPanelGRC provides a comprehensive compliance automation solution for SAP® environments that doesn't involve a lengthy implementation time or a complicated training program.
Our Access Control Suite lets you quickly assess potential compliance failures, easily remediate segregation of duties (SoD) conflicts, and control access to your SAP software. Designed to help prevent excessive user access, the suite uses powerful workflow and automated utilities to support effortless, continuous compliance reporting as well.
ControlPanelGRC also defines and analyzes risks in SAP, replacing the tedious and error-prone manual process of mapping duties to roles. Risk Analyzer in ControlPanelGRC highlights SoD risk based on conflicting functions rather than on individual transactions, which helps reduce redundant reporting and false positives. The included rulebooks can be customized to satisfy corporate or audit requirements, and they may include predefined checks for access risks relevant to regulations like SOX, HIPAA, GDPR and others.
Compensating Controls in SoD
In some cases, a segregation of duties audit reveals a conflict that simply cannot be removed by separating the duties, for example because a small finance team does not have enough people to split them. To solve this problem, the company can establish a compensating control, which serves to reduce the risk created by the conflict rather than eliminate it. For example, if a company has a single employee who both sets up vendors and pays them, a compensating control might be a weekly review of vendor master changes and vendor payments by someone who holds neither role. For the control to satisfy an auditor it must be performed by an independent person, follow a documented procedure, and leave evidence that the review actually took place.
SAP GRC as a Necessity for SoD
SAP's standard authorization concept provides the basic building blocks for implementing SoD controls. Controls, however, are only reliable if they are tested, reviewed and audited on a regular basis, and SAP GRC software automates these time-consuming tasks while centralizing the SoD rules and their results. Our ControlPanelGRC suite takes you further, with SAP SoD risk analysis that detects potential conflicts before the access is actually granted.
ControlPanelGRC continuously monitors SoD conflicts in real time. That way you can detect and remediate conflicts as they arise. The software suite automatically creates comprehensive audit reports and routes them for approval in the organization.
Specific capabilities of ControlPanelGRC include:
- SAP Segregation of Duties (SoD) Risk Analysis – Identifies SoD conflicts and sensitive authorizations through real-time SAP risk analysis, preventing excessive user access.
- SAP Transaction Usage Analysis – Streamlines business processes with SAP GRC transaction usage data, remediating compliance risks and saving time and money by scoping upgrades, while maximizing SAP license usage at the same time.
- SAP Emergency Access Management – Maintains a continuous state of audit readiness by logging all user activities during an SAP "firecall" session.
- SAP User Provisioning and Role Management – Accelerates day-to-day SAP security administration and maintains audit-ready status.
- SAP User Access Review Automation – Provides an automated solution for user access and role certification reviews.
- SAP Audit Management – Reduces the time and effort required for audit prep by automating SAP audit report execution, delivery and validation.
- SAP HR Security Automation – Empowers SAP Human Capital Management (HCM) users to address HR security needs such as monitoring and protecting sensitive HR data and securely updating HR files.
Learn how Secure-24’s ControlPanelGRC Automated Controls can help you achieve better SoD while lowering your compliance costs at the same time.