Segregation of Duties (SoD) is a crucial element in an organization’s risk management strategies.
A 2022 report by the Association of Certified Fraud Examiners (ACFE) highlights that companies lose approximately $1,783,000 per case of employee fraud.
This explains why modern businesses need sustainable risk management in an era of increasing fraud, scams, and errors.
SoD aims to control, manage, and mitigate these risks, giving the organization stronger internal controls along with increased safety and awareness.
In this article, I’ll discuss what SoD is, its importance, and other key terminologies associated with it.
So, let’s begin and learn how to take back control!
What is Segregation of Duties?
Segregation of Duties (SoD) is an important concept of risk management and internal controls of an organization wherein more than one individual is made responsible to complete the different parts of a task. It’s implemented to prevent information misuse, fraud, theft, and other security-related risks.
The task could be completed by one person, but it is deliberately broken into parts. This ensures that no single individual has sole or excessive control over the task, enough to misuse that control for unauthorized or fraudulent purposes. Instead, control is shared by at least two individuals.
Today, SoD is implemented in various domains, such as accounting, finance, payroll, administration, etc. In politics, it becomes the separation of powers in democracies where the government is divided into a judiciary, an executive, and a legislature.
SoD in Risk Management
SoD works on the principle of shared responsibility: running an organization or business must not be a single individual’s job. No single person should be trusted with complete control over a task, since that could lead to fraud, errors, or damage to your company’s reputation.
In fact, SoD is a vital element of risk management and enterprise compliance with regulations like the 2002 Sarbanes-Oxley Act (SOX).
Segregating duties among multiple responsible personnel lowers the chances that an employee or a third party will:
- Misuse confidential organizational information
- Steal funds
- Falsify records (such as financial statements) to mislead stakeholders or inflate stock prices
- Launch a revenge campaign after alleged mistreatment
- Engage in corporate espionage
And if you don’t employ a safe strategy like SoD, it could lead to significant damages to your organization in terms of finances, compliance-based penalties, and brand image. This is why it’s recommended to implement SoD across an enterprise, from accounting and payroll to information technology (IT) and cybersecurity departments.
Examples of SoD
Let’s look at some examples where you can apply SoD.
Accounting
In accounting, organizations can prevent a single person from gaining enough power to hide assets or conceal financial errors.
SoD will require you to thoroughly analyze all the accounting roles in your organization and segregate duties so that the same person can’t possess complete control of a given function. For example, the same person must not be allowed to receive the cheques and record the received cheques.
IT and Cybersecurity
SoD policies can help prevent access control risks in the IT department. You segregate workflow duties, ensuring the same person or group is not granted the combination of access permissions that would let them complete a sensitive workflow alone.
If a single person gains access beyond their duties, they can misuse it to expose information to an outsider or grant that outsider access, with no one else aware of it.
This situation could be catastrophic. For example, the same person must not be allowed to receive alerts from security systems as well as manage the access permissions of that system.
Compliance and Controls
Implementing solid SoD strategies can help reduce employee errors, whether intentional or unintentional. You can also catch fraudulent filings, if any. This way, you can keep your organization safe from compliance violations. For example, you must not make the same person responsible for both filing financial information and auditing it.
The same individual should not be responsible for:
- Creating and approving requisitions
- Creating and approving vendor invoices
- Preparing the invoice and entering sales transactions into the ledger
- Paying salaries and hiring employees
- Recording cash received and creating credit memos
- Trading stocks and managing mergers and acquisitions
- Setting up buyers and approving requisitions or purchase orders
Advantages of SoD
Some of the advantages of applying SoD in your organization are:
#1. Fraud Prevention and Detection
Organizations are becoming victims of fraud more than ever. It involves fraudulent activities like cheque tampering, cash skimming, asset misappropriation, document forgery, falsified receipts, invoices, accounting record errors, and more.
With SoD, you can ensure no single person or group is responsible for performing all the functions of a given task. This reduces the opportunity to commit fraud and conceal it. Having more eyes on a task means someone is more likely to detect, report, and help prevent external or internal fraud.
#2. Reduction in Human Errors
If you implement SoD correctly in your organization, you will likely see a significant reduction in human errors and related risks in your critical financial processes. It can involve errors like insufficient documentation of transactions, low manpower in accounting, data entry mistakes, careless audits, etc.
Employing multiple individuals in critical transactions essentially increases the chance of an individual noticing any error that occurred and resolving it.
#3. Improved Audits
Reducing risks and errors will improve recordkeeping for your finance, payroll, accounting, IT, or cybersecurity department. SoD will help ensure the records are arranged properly, eliminating issues like duplication, late fees, compliance risks, etc.
This way, you will be better prepared for audits, whether annual, half-yearly, or quarterly. You will also feel more confident about compliance with regulations and avoiding penalties.
#4. Increased Efficiency
Some may think that adding more roles will lead to inefficiencies and higher costs. However, if you plan SoD well, it will promote efficiency. This is because you are dividing a task into multiple sub-tasks, each performed by a suitable, specialized individual with better accuracy and speed.
This not only lowers risks but also provides higher efficiency compared to the case where a single person has to perform the entire task. In addition, the cost of damages to the company in the absence of SoD is much more than what you invest in hiring more personnel.
Some SoD Terminologies
To understand SoD more, you must learn about the following terminologies:
#1. SoD Conflicts
An SoD conflict arises when one person holds multiple roles that let them perform several critical functions in a single process, putting them in a position to act in their own interest against the organization’s. This could compromise the integrity of the process and harm the company.
SoD conflicts can occur in different domains of an organization, such as Order to Cash (O2C) or Purchase to Pay (P2P). To mitigate SoD conflicts, you must analyze and assess such incidents. Organizations must also implement solid controls to safeguard themselves against employees engaging in illegal activities.
A good strategy to prevent SoD conflicts could be applying Role-Based Access Controls (RBAC) across your organization. RBAC ensures that access permissions and controls are given to users based on their roles and responsibilities in the organization, not more than that.
Under RBAC, you can assign an authorized reviewer to analyze every role and the access permissions assigned to it, checking for both inter-role and intra-role SoD overlaps.
However, not every conflict causes damage or results in illegal actions. A user may have acquired the conflicting access accidentally, through carelessness, or because a legitimate business function required extra permissions.
This is why companies should thoroughly examine the case and assess their SoD violation policies to ensure the conflicts don’t turn into fraud or illegal activity.
#2. SoD Violation
SoD violations can happen if an organization’s employee exploits their assigned role and intentionally accesses information or performs a prohibited activity. This means they are violating the organization’s internal policy or external regulations.
Employees can conduct an SoD violation when they have gained control over multiple process steps, exceeding the permitted steps. Next, they misuse the access for their benefit.
Example: A company can make a policy that the person hiring employees can’t also distribute paychecks. It’s because if they perform both activities, they may leverage it for their own benefit and orchestrate fraud or illegal activity. Thus, this will turn into an SoD violation.
That is what an internal SoD violation looks like; now let’s see how an external SoD violation can occur. For instance, a senior decision-maker like the CEO of an organization manipulates financial statements, violating SOX regulations.
It can lead to tremendous fines for the organization, and the individual may also serve a prison sentence. This is damaging for the organization in terms of both reputation and cost.
To mitigate SoD violations, an organization must monitor for violations and review each employee’s activity. It must also keep its policies updated as the technology landscape changes.
#3. SoD Matrix
An SoD matrix is a tool managers use to reduce the complexity of SoD analysis. It lets them distinguish the different responsibilities, roles, and risks in an organization.
In addition, an SoD matrix can reveal potential conflicts across the organization and help resolve them in time, before they cause serious damage.
In companies that rely on ERP software, SoD matrices are often generated automatically from the tasks and roles defined for each user in the ERP system.
Here, each task should match a step in a given transaction workflow, so that tasks and roles can be grouped and no user is permitted to execute more than one step in the workflow.
Moreover, an SoD matrix can be represented as a grid with user roles on both the X and Y axes, where each cell marks whether the two roles conflict. It also maps duties and activities to roles in a workflow, enabling compliance teams to segregate incompatible responsibilities.
You can either create an SoD matrix using software like MS Excel or manually on a paper sheet. They can also be created using an ERP tool.
Example: Here is an example of how you can create an SoD matrix for payroll. You can use any signifier like yes/no, colored flags or arrows, a tick mark, etc. for roles and responsibilities. Let’s use Y/N in the following table.
| Employee / Process | Onboarding employees | Creating paychecks | Clearing payments | Managing benefits |
|---|---|---|---|---|
| Employee 1 | Y | N | N | N |
| Employee 2 | N | Y | Y | N |
In the above chart, it’s shown that employee 2 has the authorization to create paychecks and clear them. So, they must not change benefits or hire employees. If they do so, then an SoD conflict may arise. Similarly, employee 1 is responsible for hiring new employees. Thus, they must not create paychecks, manage benefits, or clear payments. Else, an SoD conflict may occur.
How to Implement SoD
So, if you are thinking of implementing SoD but are confused about where to start, here are the steps you can follow:
#1. Define Organizational Processes and Policies
First of all, you must define all the key organizational processes that employees are responsible for. It could be based on your organization’s size and industry type. Once you define every process and task, list your policies as well. Define policies for your internal employees, external vendors, and other entities you deal with.
For example, in your HR department, you might want to list tasks like hiring and onboarding employees, creating benefits and compensation, clearing payments, recordkeeping, etc. Similarly, in the accounts department, you can list tasks like product delivery confirmation, reviewing invoices, signing checks, paying invoices, etc.
In addition, you will need to outline the policies you have made for your departments and employees. For example, an employee issuing payment must not also be the one signing checks. Another example of a policy could be that the employee responsible for selling a product must not also confirm its delivery.
#2. Create an SoD Matrix
After defining your tasks and policies, you must create an SoD matrix to list all the roles and tasks. It will help you understand which employees are responsible for what tasks, and if there’s any possibility of an SoD conflict or violation.
The above chart will help you create an SoD matrix for your organization. But sometimes, it becomes tough to detect SoD conflicts, especially when the representations don’t aptly match the tasks. For this, you can take two approaches while creating an SoD matrix:
- Clearly define all the tasks and label each SoD conflict: this creates a large matrix but offers better accuracy in representing the tasks and roles visually.
- Omit some tasks or group them: this gives you a condensed matrix that is easier to analyze and focus on SoD conflicts. However, it could lead to false positives and errors affecting the SoD outcomes and conflicts.
#3. Assign Tasks
Once you have detected all the SoD conflicts, start assigning tasks and sub-tasks to employees, leveraging the concept of segregation of duties. If you come across a scenario where you can’t apply SoD, figure out a solid way to control and monitor the employee performing the task in order to deter any risks.
#4. Manage and Review
It’s vital to monitor and review your tasks and roles to ensure SoD is well implemented and there’s no potential conflict or violation. If you detect any, fix it by reassigning roles and tasks. Continue monitoring to prevent risks.
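The SoD matrix and the conflict review described in the steps above can be automated. The following is an added example, not code from the original article: it parses a Y/N payroll matrix in the article's layout, checks each employee against a set of incompatible task pairs drawn from the article's payroll policies, and supports approved exceptions for cases where SoD cannot be applied and a compensating control is used instead. The matrix rows, the rule set and the `exceptions` parameter are assumptions constructed for this example.

```python
from itertools import combinations

# Incompatible task pairs taken from the article's payroll policies: the
# person who hires must not pay, clear payments, or manage benefits, and
# the person who creates paychecks must not also manage benefits.
CONFLICT_RULES = {
    frozenset({"onboarding employees", "creating paychecks"}),
    frozenset({"onboarding employees", "clearing payments"}),
    frozenset({"onboarding employees", "managing benefits"}),
    frozenset({"creating paychecks", "managing benefits"}),
}

# Constructed Y/N matrix in the article's layout; Employee 3 is added to
# show a conflict being caught.
MATRIX_TEXT = """\
Employee   | Onboarding employees | Creating paychecks | Clearing payments | Managing benefits
Employee 1 | Y | N | N | N
Employee 2 | N | Y | Y | N
Employee 3 | Y | N | N | Y
"""


def parse_matrix(text):
    """Turn a pipe-separated Y/N matrix into {employee: set(tasks held)}."""
    rows = [line for line in text.splitlines() if line.strip()]
    tasks = [cell.strip().lower() for cell in rows[0].split("|")][1:]
    matrix = {}
    for row in rows[1:]:
        cells = [cell.strip() for cell in row.split("|")]
        matrix[cells[0]] = {t for t, flag in zip(tasks, cells[1:]) if flag.upper() == "Y"}
    return matrix


def find_conflicts(matrix, rules=CONFLICT_RULES, exceptions=frozenset()):
    """Return sorted (employee, task_a, task_b) triples where one person holds
    both tasks of an incompatible pair. `exceptions` holds (employee, pair)
    entries for cases where SoD cannot be applied and a compensating control
    (monitoring, as the article suggests) has been approved instead."""
    conflicts = []
    for employee, held in sorted(matrix.items()):
        for a, b in combinations(sorted(held), 2):
            pair = frozenset({a, b})
            if pair in rules and (employee, pair) not in exceptions:
                conflicts.append((employee, a, b))
    return conflicts


if __name__ == "__main__":
    for employee, a, b in find_conflicts(parse_matrix(MATRIX_TEXT)):
        print(f"SoD conflict: {employee} holds both '{a}' and '{b}'")
```

Run against a real export, the same check can be scheduled as part of the periodic review in step #4, with the exceptions list serving as the record of approved compensating controls.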
Segregation of Duties (SoD) provides an excellent way to manage internal controls and prevent fraud and errors. It will help ensure organizational security so that no one gains excessive control, enough to cause damage to your organization in terms of data leaks, fraud, or illegal activities. So, implement SoD in your organization and stay safe and vigilant.