Internal controls are the safeguards built into your business process to prevent fraud and ensure accurate financial reporting. Arguably the most essential part of an internal control system is Segregation of Duties (SoD).
Instead of having one person responsible for all duties related to a critical business process, you segregate those duties by assigning them to different individuals. By dividing critical tasks, SoD helps prevent errors and fraud from going unnoticed.
Regulations like GDPR, HIPAA, SOX, and PCI-DSS require strong internal controls, like SoD, to protect critical applications and sensitive data. Non-compliance due to inadequate controls can lead to fines, legal consequences, and lasting reputational damage. And yet, according to the Association of Certified Fraud Examiners, incidents of fraud occur due to a lack of internal controls 32% of the time.
An SoD checklist helps you systematically review business processes and spot weaknesses early, before they become a problem. A checklist will improve the repeatability and scalability of the SoD analysis process; once the checklist is built, you don’t need to be an expert in Segregation of Duties to use it.
Below are key questions to answer while creating your SoD checklist. To avoid duplicating your work, add them to your checklist in the right order.
To kick off your process, first determine which business applications involve risky or business-critical transactions that could be impacted by SoD requirements.
It’s important to cross-reference accounting tasks, transactions, and approvals that often take place across multiple business applications, such as SAP, Oracle, or NetSuite Enterprise Resource Planning (ERP) systems. Similarly, human resources teams manage sensitive data and processes in Human Capital Management (HCM) systems, and revenue teams use Customer Relationship Management (CRM) software.
Decide which applications are most important so you can map processes.
There are certain high-risk business processes or workflows you’ll need to track, such as Accounts Payable, Accounts Receivable, and Purchasing. Business and IT teams should collaborate to outline the workflow steps in each process.
Once you determine which applications and processes to track, acknowledge that a single workflow likely has multiple people executing and approving tasks. Use an SoD matrix to map them out and confirm that no conflicting duties are assigned to the same person. The matrix provides a central place for you to document responsibilities and tasks that are part of a critical business process, allowing you to see the full picture of entitlements and identify toxic combinations.
The most important part of your SoD matrix is your “ruleset”: a list of access combinations that, if present together in a single user’s profile, could create a risk for the organization. Each access combination is known as a “rule”, such as creating vendor accounts and paying them, or ordering products and accounting for the inventory. Establishing SoD rules can be accomplished through a workshop with application owners and audit, to outline processes, controls, and potential risks.
If building an SoD matrix and ruleset sounds overwhelming, consider using a Governance, Risk, and Compliance (GRC) tool that offers out-of-the-box SoD rulesets across leading business applications to automate this step.
A critical part of your checklist is defining how you’ll monitor SoD controls.
Traditionally, the business application owner—for an ERP system that would be the finance department—is responsible for conducting SoD analysis and determining the cadence, whether once a quarter or every 6 months. The business application owner is responsible for making sure that the SoD review has been conducted, that corrective action has been taken, and the evidence has been documented.
Decide how you’ll escalate and remediate issues when a toxic access combination is found. The sooner you catch them, the more you can reduce the window of potential fraud.
There are three courses of action when an SoD conflict is detected:
Outline who is responsible for investigating and remediating the issue. That might be a compliance lead, business application owner, or security or IT team member. Be sure to document the course of action and, if applicable, the resolution. For high-risk items, you may need to report to leadership or audit teams for additional investigation.
Once you’ve completed your SoD analysis, you’ll be able to measure the number of conflicts found. These conflicts should be grouped by priority, from high-risk to low-risk. From review to review, you’ll expect to see the number of high-risk conflicts drop. If they don’t drop, that means they haven’t been remediated, or new risk has been introduced.
To take your SoD program a step further and move from a detective control to a preventive control, consider integrating an SoD check into your identity management and provisioning processes and automating workflows. When you check for SoD BEFORE provisioning access, you can make better informed decisions about whether to allow the risk or not.
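The ruleset-driven matrix check described in the checklist steps above, and the preventive pre-provisioning check described here, are the same comparison run at two different points in time. The following added example (not from the original article or any GRC product) shows both: a constructed ruleset of toxic entitlement pairs with risk ratings, a detective review that groups findings by priority, and a pre-grant check that reports only the new conflicts a requested entitlement would introduce. All rule IDs, entitlement names, and users are constructed for illustration.

```python
# Constructed ruleset: each rule names two entitlements that are a toxic
# combination when held by the same user, plus a risk rating for triage.
RULESET = {
    "AP-01": {"pair": ("create_vendor", "pay_vendor"), "risk": "high"},
    "INV-01": {"pair": ("order_products", "account_inventory"), "risk": "high"},
    "AR-01": {"pair": ("issue_invoice", "apply_cash"), "risk": "medium"},
}

# Constructed entitlement export, as a GRC tool might pull from an ERP.
USERS = {
    "alice": {"create_vendor", "pay_vendor", "issue_invoice"},
    "bob": {"order_products", "receive_goods"},
    "carol": {"issue_invoice"},
}


def find_conflicts(entitlements, ruleset=RULESET):
    """Return IDs of rules whose full pair sits in one user's entitlement set."""
    ents = set(entitlements)
    return sorted(rid for rid, rule in ruleset.items() if set(rule["pair"]) <= ents)


def review(users=USERS, ruleset=RULESET):
    """Detective control: evaluate every user and group findings by risk."""
    findings = {}
    for user, ents in users.items():
        for rid in find_conflicts(ents, ruleset):
            findings.setdefault(ruleset[rid]["risk"], []).append((user, rid))
    return findings


def precheck_grant(user, new_entitlement, users=USERS, ruleset=RULESET):
    """Preventive control: return the new conflicts a grant would create.

    An empty list means the grant is clean; otherwise the request should be
    routed to the escalation owner before provisioning proceeds.
    """
    current = users.get(user, set())
    before = set(find_conflicts(current, ruleset))
    after = set(find_conflicts(current | {new_entitlement}, ruleset))
    return sorted(after - before)


if __name__ == "__main__":
    print(review())
    print(precheck_grant("carol", "apply_cash"))
    print(precheck_grant("bob", "account_inventory"))
```

Note that the pre-grant check reports only conflicts the grant would add, so a user already flagged in the periodic review does not mask a clean request; the existing conflict is handled by the review-and-remediate loop instead.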
Evaluate whether your program reflects the standards that SOX compliance and identity security require. Segregation of Duties is an important internal control for all organizations, big or small, publicly traded or not.
Download our SoD checklist and ensure your program reflects the standards that SOX compliance and identity security require. You may also want to learn how to create a Segregation of Duties matrix from scratch.