Segregation of duties (SOD), or separation of duties, breaks tasks into at least two parts to ensure that no one person can perform actions unilaterally when the impact of irreversible effects exceeds an organization’s tolerance for error or fraud. Applying segregation of duties to key functions protects organizations from risks to their money, inventory, and sensitive information due to fraud, human error, and malicious activities.
Integral to effective risk management and internal controls for organizations, segregation of duties prevents any one person from having enough privileges to cause problems, such as using their control for malicious or unauthorized purposes. Segregation of duties also helps to overcome simple mistakes that result from human error, but that can be easily caught and corrected by a second set of eyes.
Examples of activities that segregation of duties seeks to prevent as part of risk management strategies include:
- Corporate espionage
- Failure to adhere to compliance requirements and related penalties
- Gross mismanagement
- Misappropriation of funds or other assets from an organization
- Neglect of duties
- Unauthorized access to sensitive information
- Unchecked human errors
- Unscrupulous hiring practices (e.g., hiring friends at inflated salary levels)
Segregation of duties breaks business-critical tasks into four separate function-based categories:
- Authorization: a role that reviews and approves transactions or operations.
- Custody: a role with access to or control over any asset, such as cash, checks, equipment, supplies, or sensitive information.
- Recordkeeping: a role that verifies the processing or recording of transactions to ensure that all transactions are valid, have the correct authorization, and are accurately recorded in a timely manner.
- Reconciliation: a role that includes following up on any discrepancies or errors that are identified.
For effective risk management, no one person or department should hold responsibility in multiple categories.
Segregation of duties should be applied to workflow rules to provide oversight and ensure that no one person has control over more than one responsibility.
Segregation of Duties in risk management
The extent of segregation of duties is driven by an organization’s tolerance for risk. Every organization has a certain tolerance for risk, expressed in risk preference curves that map the relationship between the probability of a risk occurring and the amount of value gained that would make the risk worthwhile. As part of risk management, segregation of duties requires a thorough analysis of all roles to identify those that are deemed incompatible based on these risk preference curves.
To effectively manage risk, organizations develop segregation of duties matrices for critical business processes. Segregation of duties matrices map activities and duties to roles to identify areas of concern. These are created and managed using software systems.
Areas included in a segregation of duties matrix to identify potential role and duty conflicts related to risk management for a workflow are:
- Process—e.g., IT security administration
- Duty—e.g., user access provisioning
- Procedure—e.g., authorization of privileges
- Role—e.g., administrator
Each role is rated low, medium, or high risk with respect to performing a particular procedure. To minimize risk, each user role should be paired with only one procedure in the process workflow.
A high-risk conflict occurs when activities connected to conflicting duties become associated with the same role, or when one person assumes two conflicting roles. In this case, segregation of duties should be implemented by modifying processes, changing activities, or splitting functions between different roles.
In cases where it is not feasible or practical to implement segregation of duties, compensating controls can be used as a risk management tactic. In lieu of segregation of duties, regular audits or secondary authorizations can be put into place.
When considering risk management in terms of fraud, it is also important to understand the triangle of fraud and how the segregation of duties plays into breaking it. Risk management and fraud prevention experts refer to the triangle of fraud as the conditions that can lead to embezzlement. The three parts of the triangle are:
- Financial pressure on an individual
- Rationalization of criminal action
- Opportunity to commit the crime
Segregation of duties effectively breaks the triangle at the point of opportunity. Knowing there will be a third-party review, the individual’s assessment of the viability of an opportunity is shaken, and the likelihood of an attempted crime is reduced.
Segregation of Duties in accounting
Segregation of duties is used in accounting to provide controls over funds and other assets. The four function-based categories (i.e., authorization, custody, recordkeeping, reconciliation) for segregation of duties apply to accounting. Examples of segregation of duties in accounting are as follows:
- The person who authorizes a check to be written should not be the same person who records the check in the bookkeeping software or reconciles the checking account
- Individuals who have access to assets, such as bank accounts or inventory, should not handle recording and authorization functions
- The person who oversees expenses should not also be able to approve them
Using separation of duties mitigates the risk of fraud by providing oversight and ensuring that no one person can, on their own, approve an invoice, create a new vendor in the system, and issue a check. This prevents common accounting frauds that result from inadequate separation of duties, such as:
- Creating false invoices and disbursing the funds to an account the perpetrator controls.
- Making ghost accounts for employees, customers, or vendors that do not exist.
- Processing fake refunds to vendors.
- Writing checks to oneself and recording them as payments to a vendor.
Segregation of Duties in other functions
The concept of segregation of duties is broadly applicable and effective. While usually thought of in terms of accounting and finance, segregation of duties plays a critical role in risk management for other functions and sectors. In healthcare, for example, the following functions should be handled by different people:
- Approving and provisioning access to sensitive information
- Creating and auditing reports
- Maintaining inventory and dispensing controlled substances (e.g., opioids, stimulants)
- Setting up and approving requisitions or purchase orders
- Ordering goods from a supplier and logging the goods into the accounting system
- Hiring employees and paying salaries
- Managing mergers and acquisitions and trading stock
Another common application of segregation of duties for risk management is for governance, risk, and compliance (GRC). GRC aligns IT and business goals to manage risk and comply with regulations. Two examples where segregation of duties is used for compliance are:
- Sarbanes-Oxley Act (SOX) compliance
SOX mandates that publicly traded companies document and certify the controls used for financial reporting. Segregation of duties is a key part of the controls that must be demonstrated. Failing to demonstrate segregation of duties, or falsifying the related reporting, can result in penalties.
- 21 Code of Federal Regulations (CFR) Part 11
The U.S. Federal Government’s 21 CFR Part 11 requires segregation of duties for compliance. It ensures the validity of records, and of reporting on controls, by requiring that they be created and edited only by authorized individuals.
SOD use cases and examples
- Asset custody and inventory management
Management of asset custody and recordkeeping related to inventory should not be performed by the same person.
- Custody of cash and accounts receivable reconciliation
The roles of managing cash deposits and reconciling these with invoices should be separate.
- Expenses and approvals
No one should be allowed to approve their own expenses.
- Hiring and compensation
Hiring managers can make recommendations for compensation, but should not be able to define salaries. This also should be applied to bonuses.
- Journal entries and approvals
Separate the functions of entering a journal entry and approval of journal entries.
- Payments and bank reconciliation
Assign different people to make payments (e.g., to vendors, paychecks) than to reconcile bank statements.
- Purchase orders
Require multiple approvals for purchase orders.
- Sales and approvals
The approval of sales deals (e.g., approval of margins or customer credit) should be separate from the sales process. That is, salespeople should not be able to set margins or extend credit terms on their own.
- Vendor management
Separate the setting up of vendors in a system from posting and paying invoices.
Segregation of Duties: A proven method for implementing checks and balances
The reason that segregation of duties is so widely used as part of risk management strategies is that it is effective. Segregation of duties has been proven time and again to prevent the abuse of control and any resulting nefarious activity by a single person or by collusion amongst a group. Segregation of duties is part of a system of essential controls that help prevent and detect the existence of fraud and error in any type of organization.