Segregation of duties


Segregation of duties| Transaction groups| Duties conflicts 1| Duties conflicts 2| Duties conflicts 3

Segregation of duties is a basic, key internal control and one of the most difficult to achieve. It is used to ensure that errors or irregularities are prevented or detected on a timely basis by employees in the normal course of business. Segregation of duties provides two benefits: 1) a deliberate fraud is more difficult because it requires collusion of two or more persons, and 2) it is much more likely that innocent errors will be found.  At the most basic level, it means that no single individual should have control over two or more phases of a transaction or operation. Management should assign responsibilities to ensure a crosscheck of duties.

There are four general categories of duties or responsibilities which are examined when segregation of duties is discussed: authorization, custody, record keeping and reconciliation. In an ideal system, different employees would perform each of these four major functions. In other words, no one person should have control of two or more of these responsibilities. The more negotiable the asset, the greater the need for proper segregation of duties - especially when dealing with cash, negotiable checks and inventories.

In those instances where duties cannot be fully segregated, mitigating or compensating controls must be established. Mitigating or compensating controls are additional procedures designed to reduce the risk of errors or irregularities. For instance, if the record keeper also performs a reconciliation process, a detailed review of the reconciliation could be performed and documented by a supervisor to provide additional control over the assignment of incompatible functions.

Segregation of duties is more difficult to achieve in a centralized, computerized environment. Compensating controls in that arena include passwords, inquiry-only access, logs, dual authorization requirements, and documented reviews of input/output. Some special aspects of segregation of duties apply to IT functions themselves. There should be segregation between systems development and operations, operations and data control, and database administration and system development.



One of the most popular ERP systems is SAP. SAP is widely used in many industries, but one of the issues that has emerged in the last few years, especially with the issuing of SoX, is the matter of Segregation of Duties (SoD). Maintaining authorizations in SAP is quite challenging because authorizations are assigned to users indirectly. The main question when talking about SAP segregation of duties is "what can a user do?"

So we have users on the one hand, and what they can do on the other hand. In SAP the user "can do" things through transactions (create a sales order, issue a billing, etc).

To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.

The following actions are subject to authorization checks that are performed before the start of a program or table maintenance and which the SAP applications cannot avoid:

· Starting SAP transactions (authorization object S_TCODE)

· Starting reports (authorization object S_PROGRAM)

· Calling RFC function modules (authorization object S_RFC)

· Table maintenance with generic tools (S_TABU_DIS)

SAP Authorization Documentation

What the system does not check is whether the user's actions are compliant with regulatory business practices like Sarbanes-Oxley. For example, a user should not be allowed to maintain customer information and also have the right to process sales orders, because there is a potential risk that he/she would create a fictitious customer and then create orders for delivery to that customer, thereby misappropriating goods.

There are certain "dangerous" combinations of duties which are potential risks to the business. There has been a lot of discussion on specialized forums, with a lot of beating around the bush on the topic of segregation of duties. Some of those discussions ended with a pointer to sites that no longer work.
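The check that the system does not perform can be run offline against an export of role assignments. The following is an added example, not code from the original page or from SAP: it follows the indirect path from user to role to transaction code, maps transaction codes to duties, and reports users who hold both sides of the customer maintenance / sales order conflict described above. The user IDs, role names and the grouping of transaction codes into duties are assumptions made for illustration.

```python
from itertools import combinations

# Constructed sample data. Role names and user IDs are hypothetical.
# The transaction codes are standard SAP ones; grouping them into duties is an assumption.
ROLE_TCODES = {
    "Z_CUST_MASTER":   {"XD01", "XD02"},   # create / change customer
    "Z_SALES_ORDER":   {"VA01", "VA02"},   # create / change sales order
    "Z_BILLING":       {"VF01"},           # create billing document
    "Z_SALES_DISPLAY": {"VA03", "XD03"},   # display only
}
USER_ROLES = {
    "ALICE": {"Z_CUST_MASTER", "Z_SALES_DISPLAY"},
    "BOB":   {"Z_CUST_MASTER", "Z_SALES_ORDER"},   # two harmless roles, one conflict
    "CAROL": {"Z_SALES_ORDER", "Z_BILLING"},
}
TRANSACTION_GROUPS = {
    "customer_master_maintenance": {"XD01", "XD02"},
    "sales_order_processing":      {"VA01", "VA02"},
    "billing":                     {"VF01"},
}
# Conflict matrix: unordered pairs of duties one user must not hold together.
# Only the pair named in the text is listed here.
CONFLICTS = {
    frozenset({"customer_master_maintenance", "sales_order_processing"}),
}

def user_tcodes(user):
    """Union of transaction codes reachable through all of the user's roles."""
    return set().union(*(ROLE_TCODES.get(r, set()) for r in USER_ROLES.get(user, ())))

def user_duties(user):
    """Map each duty the user can perform to the transaction codes that grant it."""
    tcodes = user_tcodes(user)
    return {d: sorted(tcodes & g) for d, g in TRANSACTION_GROUPS.items() if tcodes & g}

def sod_violations(user):
    """Return conflicting duty pairs together with the transaction codes causing them."""
    duties = user_duties(user)
    return [
        (a, duties[a], b, duties[b])
        for a, b in combinations(sorted(duties), 2)
        if frozenset({a, b}) in CONFLICTS
    ]

if __name__ == "__main__":
    for user in sorted(USER_ROLES):
        for a, ta, b, tb in sod_violations(user):
            print(f"{user}: {a} {ta} conflicts with {b} {tb}")
```

Reporting the transaction codes behind each conflict shows which role to change, or where a compensating control such as a documented review is needed.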

Segregation of duties - conflict matrix

Made by www.freeitsolutions.com