Exercitation ullamco laboris nis aliquip sed conseqrure dolorn repreh deris ptate velit ecepteur duis.
What is segregation of duties? Simply put, it is the separation between two or more tasks such that they cannot be performed by the same person.
Segregation of duties (or ‘SoD’ as it is commonly abbreviated to) is typically applied to tasks which, if performed by the same person, allow for fraud or error to be committed and then concealed.
A simple example: Andy counts how many cans of tuna are available in the pantry and notes this down. William then verifies the number of cans and signs his name to indicate that he has performed his review.
The counting and review processes should not be performed by the same person, otherwise he/she could record an incorrect number and it would not be detected during the review process.
Segregation of duties is relevant for tasks in and outside of the system. When a system such as SAP is used, SoD can be implemented through carefully designed user access rights.
Here are some examples of SoD in the system:
These examples show that a real business risk can arise if some conflicting tasks can be performed by one and the same person.
Using the first example above, segregation of duties should be established between the tasks of changing vendor master data and making invoice payments. However, sometimes you may see users who are granted access to do both in the system. Why would that be so?
In some cases, segregation of duties cannot be established because there are not enough employees to allow tasks to be segregated. Other times, tasks are assigned accidentally.
Using the above example again, a payment clerk may require access to view vendor details in order to help verify necessary details against the invoice. However, access to change vendor details is not required. Therefore, in this case, a simple remediation would be to remove the user’s access to change vendor details and give them display-only access instead. Other conflicts may require mitigating controls to be put in place.
Segregation of duties controls should be implemented on a preventative basis, such that any access rights given to users are free of SoD conflicts.