In the first blog of our latest blog series, “Top Ten SoD Google Searches - Answered,” we examine what Segregation of Duties is, why it is important and provide common examples for each department in your organization.

Segregation of duties (SoD) is a core internal control that prevents unilateral actions within an organization's workflows. Segregation of Duties emphasizes sharing the responsibilities of key business processes by allocating the tasks of these processes to multiple people, helping to reduce the risk of possible errors and fraud. The objective of Segregation of Duties is that no one person is given control over a process where they can miss errors, falsify information, or commit fraud.

Typically SoD breaks critical tasks into separate functions like authorization, custody, recordkeeping, and reconciliation. Workflow roles should be sufficiently separated with a system of checks and balances where positions can regulate each other. 

Below are common examples of departments and tasks that should be separated to ensure security: 

Finance and Accounting

• Authorization and Approval: Transactions, expenditures, and financial decisions should be authorized by one person and approved by another. This prevents a single individual from making unauthorized financial decisions or expenditures.
  
• Recording and Reconciliation: Individuals responsible for recording financial transactions should not be involved in reconciling accounts or conducting audits. This minimizes the risk of fraudulent financial reporting and helps detect errors or irregularities.
• Payment and Disbursement: The person who prepares payments should not have the authority to approve them. This reduces the risk of unauthorized or improper payments.

Information Technology

• Development and Testing: Developers should not be able to move their code into production without oversight and testing by a separate team. This Enhances the quality and security of software releases and prevents unauthorized code changes.
• System Access and Security: The team responsible for granting access to systems should be different from those responsible for cybersecurity. This Reduces the risk of unauthorized data access or breaches by segregating access control from system management.

Human Resources

• Hiring and Recruitment: Different individuals should handle posting job vacancies, reviewing resumes, conducting interviews, and making hiring decisions. Separation ensures that decisions about job candidates are unbiased and that proper qualifications are met.
• Payroll Processing: Those responsible for payroll processing should not be able to add or modify employee records in the HR system. This prevents unauthorized changes to employee records and unauthorized payments.
• Employee Benefits Administration: Separate individuals should manage benefits enrollment, changes, and claims processing. This reduces the potential for fraudulent benefit claims and ensures accurate processing.

Marketing

• Advertising and Expense Approval: Approvals for advertising campaigns or expenses should involve multiple individuals to prevent unauthorized or excessive spending or unauthorized spending on marketing initiatives.
• Marketing Content and Review: Content creation and approval processes should involve different people to ensure accuracy and compliance in marketing materials, preventing misleading information.

Sales

• Order Processing and Fulfillment: Different teams should process and fulfill sales orders to prevent errors and unauthorized changes in sales orders, ensuring accurate product delivery.
• Sales and Collection: Individuals involved in sales should not handle collecting or processing payments. This Separates revenue recognition from the collection process to reduce the risk of revenue misstatements.

Operations

• Inventory Management and Procurement: The individuals responsible for managing inventory levels and ordering new supplies should be separate. This prevents overstocking or stockouts and reduces the risk of inventory mismanagement.
• Production and Quality Control: Those overseeing production processes should not be responsible for quality control checks. This ensures unbiased quality checks and prevents defects from being overlooked.

Customer Service or Support

• Issue Resolution and Refunds: Individuals handling customer complaints and support should not have the authority to issue refunds without separate approval. This prevents abuse of refund processes and ensures proper handling of customer complaints.

Research and Development

• Idea Generation and Implementation: Individuals involved in generating ideas and concepts should be separate from those implementing and developing them. This separates the creative phase from the technical implementation to maintain focus and quality.

Legal and Compliance

• Contract Approval and Legal Review: Contracts should be approved by authorized individuals and reviewed by legal experts. This ensures contracts are properly reviewed and approved, reducing legal and regulatory risks.

Administration

• Purchasing and Approval: Those responsible for making purchases should not have the authority to approve those purchases. This prevents individuals from making unauthorized purchases or approving their own purchases.
• Facility Management and Access Control: Different individuals should manage facility operations and control physical access. This enhances security by separating the management of physical access from operational tasks.

Public Relations

• Media Statements and Approval: PR representatives should have their statements reviewed and approved. This ensures accurate and appropriate communication with stakeholders, minimizing reputational risks.

Quality Assurance

• Testing and Sign-Off: QA teams should conduct testing, and a separate group should approve the release of products or services. This provides an objective assessment of product quality and prevents unchecked releases.

Project Management

• Planning and Execution: The team responsible for project planning should be separate from the team executing the project. This maintains clear oversight, preventing conflicts of interest and ensuring project objectives are met.

Strategy and Planning

• Goal Setting and Evaluation: The process of setting long-term goals should be separate from evaluating progress toward those goals. This allows for an unbiased assessment of goal attainment and strategic planning effectiveness.

Business Development

• Identification and Negotiation: The individuals identifying new opportunities should be separate from those negotiating partnerships. This minimizes conflicts of interest and ensures suitable business opportunities are pursued.

Training and Development

• Curriculum Development and Training Delivery: Those developing training content should be separate from those delivering the training. Separating content creation from delivery ensures consistent and effective training.

These are general guidelines, and the specific segregation of duties will depend on your organization's size, industry, and risk profile. The ultimate objective is pinpointing pivotal processes, gauging their associated risks, and establishing appropriate controls by segregating duties to navigate the intricate landscape of responsibilities while reinforcing trust, accountability, and resilience.