Implementing comprehensive segregation of duties management in an organization

Segregation of Duties is, in the simplest terms, the assignment of different parts of a task or transaction to different people, in order to prevent one person from gaining exclusive or excessive control over a process and then abusing that control for criminal or unauthorized purposes, such as committing fraud or embezzlement.

Identification of tasks and transactions that require segregation is based on a risk analysis of the processes.

Implementation and enforcement of Segregation of Duties (SoD) is an important task, representing:

  • A means of internal control in the organization
  • A component of the Risk Management Strategy
  • Ensuring compliance with laws and regulations
  • Reducing the possibility of hiding errors or fraud

SoD as an element of the Risk Management Strategy also enables:

  • Understanding which risks arise from the use of a given technology or information system (data processes, number of users, location of access points, method of authentication).
  • Putting in place controls and procedures (including in the area of cyber security) that allow a company to carry out its critical processes without disruption.

Implementing SoD means dividing the tasks or transactions in a process into smaller sub-tasks that fall under different types of responsibility, including Authorization, Supervision, Execution, and Verification, and assigning those sub-tasks to different people.

In the course of a properly executed SoD implementation, one should, at a minimum:

  • Identify the processes for which the segregation of duties is to be implemented
  • Perform a risk analysis and, based on this, select processes and divide tasks into partial responsibilities
  • Build an SoD matrix showing which combination of duties is prohibited due to risks
  • Implement the segregation of duties in the organization and start monitoring for possible conflicts and violations, including using monitoring tools provided, for example, in ERP systems.
  • To facilitate implementation, we use prepared lists of typical processes affected by potential risks and a proven SoD matrix structure.
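A minimal conflict checker for the SoD matrix built in the steps above, added here as an illustration (it is not code from this page or from any ERP product): the matrix lists prohibited duty combinations, each user's effective duties are resolved through their roles, and every user holding a prohibited pair is reported. The duties, roles and users are constructed sample data.

```python
# Added example: a minimal SoD conflict checker over an SoD matrix.
# The matrix lists prohibited duty combinations; each user's effective
# duties are resolved through their roles. All sample data is constructed.
from itertools import combinations

# Constructed SoD matrix: each key is a prohibited (unordered) pair of
# duties, each value names the risk the prohibition mitigates.
SOD_MATRIX = {
    frozenset({"create_vendor", "approve_payment"}): "fictitious vendor fraud",
    frozenset({"enter_invoice", "approve_payment"}): "self-approved disbursement",
    frozenset({"change_user_roles", "approve_payment"}): "privilege self-grant",
}

# Constructed role definitions: role -> duties that role grants.
ROLES = {
    "ap_clerk": {"enter_invoice", "create_vendor"},
    "ap_manager": {"approve_payment"},
    "it_admin": {"change_user_roles"},
}

# Constructed user-to-role assignments (carol and dave hold conflicting roles).
USERS = {
    "alice": {"ap_clerk"},
    "bob": {"ap_manager"},
    "carol": {"ap_clerk", "ap_manager"},
    "dave": {"it_admin", "ap_manager"},
}

def effective_duties(user, users=USERS, roles=ROLES):
    """Resolve a user's duties through every role assigned to them."""
    duties = set()
    for role in users.get(user, set()):
        duties |= roles.get(role, set())
    return duties

def find_violations(users=USERS, roles=ROLES, matrix=SOD_MATRIX):
    """Return {user: [(duty_a, duty_b, risk), ...]} for every prohibited
    pair a single user holds; pairs are unordered, hence frozenset keys."""
    violations = {}
    for user in users:
        duties = effective_duties(user, users, roles)
        for a, b in combinations(sorted(duties), 2):
            risk = matrix.get(frozenset({a, b}))
            if risk:
                violations.setdefault(user, []).append((a, b, risk))
    return violations
```

Running `find_violations()` on the sample data flags carol (vendor creation plus payment approval, invoice entry plus payment approval) and dave (role administration plus payment approval), while alice and bob are clean.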

The benefits of SoD implementation are:

  • Prevention of unilateral, uncontrolled activities within current business processes
  • Dividing critical business tasks in key processes into different functions
  • Introducing elements of control into workflows and bringing risk awareness within the organization
  • Efficient and effective tracking and identification of mistakes, faults or fraud
  • Effectively dividing responsibilities among individual users
  • Detecting risks arising from user access to an excessive range of functions

When implementing SoD in organizations running IFS Applications, we configure the system's SoD audit component. The work then concentrates on, among other things:

  • Analyzing the level of configuration of permissions and risk-generating levels of access to the system
  • Distribution of responsibilities among individual users based on permissions
  • Configuration of SoD rules in the audit module