The Importance of Segregation of Duties
Segregation of Duties is an internal control that prevents a single person from completing two or more tasks in a business process. Organizations require Segregation of Duties controls that split the tasks of a business process among more than one individual in order to mitigate the risk of fraud, waste and error.
Actual job titles and organizational structure may vary greatly from one organization to another, depending on the size and nature of the business. Therefore, it is important for management to analyse the skillset and capabilities of the individuals involved based on the likely risk and its impact on business processes. Critical job duties can be categorized into four types of functions: authorization, custody, record keeping, and reconciliation. In a perfect system, no one person should handle more than one type of function.
You can apply the following options to segregate job duties:
- Sequential separation (two signatures principle)
- Individual separation (four eyes principle)
- Spatial separation (separate action in separate locations)
- Factorial separation (several factors contribute to completion)
Many companies struggle to implement effective Segregation of Duties controls in their ERP systems, such as Oracle E-Business Suite, SAP and Oracle ERP Cloud, even though the concept of SoD is as simple as described above. This is mainly due to the complexity and variety of the applications that automate key business processes: ownership and accountability for controlling those processes requires a complete analysis of the thousands of functions available across the roles and responsibilities assigned to users. For example, to assess the SoD risk in an Accounts Payable application that a user assigned the Payables Manager role has access to both create a supplier and approve a payment requires a complete analysis of all functions that constitute the entitlements granted through the role, while excluding any false positives that arise from overriding attributes, profiles, page-level configurations or customizations that prevent such access.
The Segregation of Duties Matrix lists potential conflicts to determine what risk may be realized should a user have access or authorizations to a combination of entitlements. For example, what is the likelihood that a user can create a fictitious supplier and make a payment to that supplier? The risk likelihood and impact vary based on industry, business model and even individual business unit. It is not uncommon for a large global company to have more than one matrix due to differences in business processes by location or business unit. For example, a company may have a manufacturing business unit with a large amount of inventory, requiring a Segregation of Duties matrix that focuses on specific inventory transactions. It may also have a service-based business unit necessitating a focus on project accounting, which requires a different SoD matrix. Though knowledge of similar businesses and industries can help to establish the conflict matrix, each business unit must perform a customized analysis of its conflicting transactions to capture the real risk for that particular business model.
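The analysis described above, as an added example that is not part of the original article or of any ERP vendor's tooling: a user's effective functions are computed by expanding the roles assigned to them, a conflict matrix of function pairs is checked against that set, and a per-user exclusion list models the overriding profiles or page-level configurations that would otherwise produce false positives. All role, function and user names below are constructed sample data.

```python
# Constructed sample data (hypothetical roles, functions and users; not an ERP export).
ROLE_FUNCTIONS = {
    "Payables Manager": {"create_supplier", "approve_payment", "enter_invoice"},
    "AP Clerk": {"enter_invoice"},
    "Supplier Admin": {"create_supplier"},
}
USER_ROLES = {
    "alice": {"Payables Manager"},
    "bob": {"AP Clerk", "Supplier Admin"},
    "carol": {"AP Clerk"},
}
# SoD matrix: pairs of functions that together realize a named risk.
CONFLICT_MATRIX = {
    frozenset({"create_supplier", "approve_payment"}): "fictitious supplier paid",
    frozenset({"create_supplier", "enter_invoice"}): "fictitious supplier invoiced",
}
# Overriding configuration (constructed): functions the role grants on paper but
# that a profile option or page-level setting blocks for this particular user.
USER_EXCLUSIONS = {
    "alice": {"create_supplier"},
}


def effective_functions(user, apply_exclusions=True):
    """Union of every function granted through the user's roles, minus exclusions."""
    funcs = set()
    for role in USER_ROLES.get(user, ()):
        funcs |= ROLE_FUNCTIONS.get(role, set())
    if apply_exclusions:
        funcs -= USER_EXCLUSIONS.get(user, set())
    return funcs


def find_conflicts(user, apply_exclusions=True):
    """Return sorted (risk, (function_a, function_b)) pairs the user can realize."""
    funcs = effective_functions(user, apply_exclusions)
    hits = []
    for pair, risk in CONFLICT_MATRIX.items():
        if pair <= funcs:  # user holds both halves of the conflicting pair
            hits.append((risk, tuple(sorted(pair))))
    return sorted(hits)


def sod_report(apply_exclusions=True):
    """Conflicts per user; run with apply_exclusions=False to see raw role-level hits."""
    return {user: find_conflicts(user, apply_exclusions) for user in USER_ROLES}
```

Running `sod_report(apply_exclusions=False)` flags alice on the strength of her role alone; with exclusions applied she drops out and only bob, whose two separate roles combine into a conflict, remains.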
Segregation of Duties controls are a significant component of the control environment of any organization that operates its business on an ERP platform.