The complexity of enterprise applications has increased the risk of Segregation of Duty (SoD) control violations. All major audit firms are now testing SoD controls and holding executives accountable for successful risk remediation, in response to the control-driven regulations worldwide.
What is segregation of duties?
Segregation of Duties is a basic internal control that ensures no single individual has the authority to execute two or more conflicting sensitive transactions with the potential to impact financial statements. Critical job duties can be categorised into four types of functions: authorisation, custody, record keeping and reconciliation. In a perfect system, no one person should handle more than one type of function. However, without comprehensive SoD polices and advanced analytics that detect violations across thousands of application access points, SoD control implementation, testing, remediation and mitigation can be extremely difficult to achieve.
Why do you need Segregation of Duties?
Unbelievably some organisations leave just one person in charge of their main asset, cash. By doing this the whole organisation is put at risk. Companies can’t afford to be so trusting with their employees unfortunately. That’s why implementing SoD should be essential in the finance and accounting department of any organisation.
By not implementing segregation of duties you are putting the company at risk. One of the biggest risks is the increased risk of fraud. When one person is given the sole responsibility of two conflicting tasks the risk of fraud increases. Having more than one person carry out these tasks reduces this risk.
For example, the employee who prepares checks should not be the same person who signs that check. The person who is responsible for creating a vendor shouldn’t be the same person who pays that vendor.
Another risk associated with a lack of SoD is the risk of human error. If only one person is doing all the financial reporting errors can occur and be missed. Having segregation of duties put in place can help prevent these errors in the first place.
Segregation of duties along with internal controls can minimise risk. What are some common examples of Segregation of Duties?
What does SafePaaS recommend for Segregation of Duties Risk Assessment?
When it comes to segregation of duties, it's not a one size fits all approach. Depending on your needs and the size of your organization, we recommend taking different approaches.
Limited segregation of duties requirements
If you have limited segregation of duties requirements, SafePaaS SoD SCANNER™ produces test results in just minutes by utilizing the SafePaaS comprehensive risk repository, which includes one of the largest collection of SoD Rules, also used by major audit firms. Simply run the SOD SCANNER against your enterprise applications to detect all violations for the selected rules to identify hidden SoD conflicts. View results using advanced analytics that eliminate False Positives and accelerates the remediation process. Accurate control evidence collected by SOD SCANNER can be shared with process owners, application managers, IS Security and auditors.
No software, hardware, installation or configuration is needed for SOD SCANNER. You get immediate access to SoD Rules for your enterprise application. Upload a snapshot for your application security model using DataProbeETL™, the SafePaaS ERP Snapshot tool, to get the job done without costly software, hardware or technical resources.
Quickly identify problems
If all you need is to quickly and reliably identify segregation of duties risk, we recommend using our SafeInsight™ solution. This automated healthcheck makes it easy to isolate and analyse these risks so that you can build a remediation plan to address areas of concern. We leverage our platform to provide a deep personalized analysis which is tailored to your needs.
Segregation of Duties Management
If you're looking for a complete solution with built in remediation capabilities, we recommend our Policy Management solution that includes violation filters for false positives, role configuration automation, seamless integrations, continuous controls monitoring, access certification and many other capabilities to help you be proactive and prevent risk.