Segregation of Duties (SoD) is the concept of internal controls which attempt to ensure that no single individual has the authority to execute two or more conflicting, sensitive transactions with the potential to impact financial statements. Often these controls are to prevent a single individual from being able to carry out a complete process, without collusion from another individual.
· SoD compliance is a growing concern for many entities – although it is a long-established method of preventing fraud and error. Regulations (e.g. Sarbanes-Oxley in the US) have increased the need, awareness and thoroughness of controls – thus highlighting the need for integrated IT and financial controls.
· Defining and applying internal controls is difficult due to the increasing complexity and automation of key business processes.
o As businesses grow, additional access is typically granted to more users – over time this may result in the original security controls no longer being effective as designed.
o Multiple users can acquire access to sensitive processes across many functional areas and critically they may gain the ability to carry out a complete process, from start to finish, that best practice SoD design would necessitate being divided amongst multiple individuals.
o Using ad hoc checks to control risk is not best practice nor is such an approach effective given the inherent complexities of EnterpriseOne (E1) security – these need to be replaced with systematic procedures.
Each complete process within your business should be analyzed, individually, to determine which steps give rise to potential risk – i.e. where fraud or error could occur.
While this may seem a daunting task, it is critical for compliance and most likely will be required to pass your Audit. Compliance will also mean that you are ready for GDPR in this area!
Contact ALLOut to find out how the JDE toolset can simplify this process for you, we offer a pre-defined set of JD Edwards SOD rules which you can apply to your system, and a reporting tool to not only assess your security status but help to appease those auditors!