Compliance 101: Segregation of Duties
According to KPMG, 36% of all material weaknesses reported by US companies in 2020 involved Segregation of Duties issues!
Understanding the role of Segregation of Duties (SoD)
SoD is a basic building block of any internal control environment. It aims to ensure that no single individual has the authority to execute two or more conflicting, sensitive transactions that could affect the financial statements or be used to create fraudulent transactions. Interest in SoD is currently heightened, partly because of control-driven regulations worldwide and the executive-level accountability for implementing them successfully. The underlying principle, however, is more important than, and predates, any of these regulations: no individual should have so much system access that they can execute transactions across an entire business process without checks and balances. This is why IT and financial controls must be integrated, and the essential starting point is to review your Segregation of Duties.
What are the challenges businesses face with SoD?
As clear as the need for SoD is, there are a variety of reasons why many companies struggle to achieve it:
- Defining and applying appropriate SoD can be difficult due to the increasing complexity and automation of key business processes.
- As businesses grow, additional access is typically granted to more users, which over time may result in the initially designed security controls becoming less effective or misapplied.
- As employees change jobs, it is not unusual for access that is no longer needed to be left available, resulting in unintended access to sensitive processes across many functional areas, including the potential to carry out a complete process from start to finish.
- Ensuring business continuity requires backup staff for each process, but a lack of additional resources with the required availability and training can limit the options for separating duties.
Following best practice, an SoD design that divides actions among multiple individuals mitigates these risks. Companies do not need to create undue complexity in their processes. By focusing on the transactions that pose the most significant risk to the business, a company can quickly identify the access issues and ensure that appropriate steps are taken to remedy their root causes at a level that satisfies management and audit parties. Where an SoD conflict cannot be avoided, ensure that you have mitigating controls in place.
ALLOut Tip
When defining your JDE security roles, ensure that each role is free of SoD conflicts. This will simplify your resolution of user issues later. Ensure that your SoD information includes documentation around what controls you are relying on. Involve business process owners or functional management in the SoD review process so that they understand the implication of access requests and the importance of processes that support mitigating controls. Understand that the information needs will include both summary reports for management and actionable information for administrators. Start your SoD process by focussing on those SoD conflicts that create the most risk and move on once those have been addressed.
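The tip above describes a procedure: check each role for internal conflicts, check each user's combined access against the SoD matrix, record the mitigating control relied on for conflicts that cannot be removed, and work from the highest-risk conflicts down. The following is an added example that is not ALLOut's code and not SoDMaster; it implements that procedure over a small constructed rule matrix. The business function names, roles, users and mitigating controls are all hypothetical, and JDE's object-level security is simplified here to a set of named functions per role.

```python
"""Added example (not ALLOut's code or SoDMaster): a minimal SoD conflict
checker over a constructed rule matrix, role definitions and user-to-role
assignments. Every function name, role, user and control below is hypothetical."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed SoD rule matrix: each rule names two business functions that one
# person should not hold together, a risk rank (1 = highest) and a description.
SOD_RULES: List[Tuple[str, str, int, str]] = [
    ("vendor_maintain", "ap_voucher_entry", 1, "Create a vendor and pay it"),
    ("ap_voucher_entry", "ap_payment_release", 1, "Enter and release a payment"),
    ("po_create", "po_receive", 2, "Order goods and confirm receipt"),
    ("gl_journal_entry", "gl_journal_post", 3, "Create and post a journal"),
]

# Constructed role definitions: role -> business functions the role grants.
ROLES: Dict[str, Set[str]] = {
    "AP_CLERK": {"ap_voucher_entry"},
    "AP_MANAGER": {"ap_payment_release"},
    "VENDOR_ADMIN": {"vendor_maintain"},
    "PURCHASING": {"po_create", "po_receive"},  # conflict built into one role
    "GL_ACCOUNTANT": {"gl_journal_entry"},
    "GL_SUPERVISOR": {"gl_journal_post"},
}

# Constructed user assignments: user -> roles held.
USERS: Dict[str, List[str]] = {
    "alice": ["AP_CLERK", "VENDOR_ADMIN"],       # conflict arises across two roles
    "bob": ["AP_MANAGER"],
    "carol": ["PURCHASING"],                     # inherits the intra-role conflict
    "dave": ["GL_ACCOUNTANT", "GL_SUPERVISOR"],  # conflict, but a control is documented
}

# Constructed register of mitigating controls accepted for a user/rule pair.
MITIGATIONS: Dict[Tuple[str, str, str], str] = {
    ("dave", "gl_journal_entry", "gl_journal_post"): "Monthly journal review by controller",
}

Finding = Tuple[int, str, str, Optional[str]]  # (rank, user, description, mitigation)


def role_conflicts(roles=ROLES, rules=SOD_RULES) -> Dict[str, List[Tuple[int, str]]]:
    """Rules violated inside a single role. Per the tip, this should be empty:
    a role that carries its own conflict hands that conflict to every user given it."""
    out: Dict[str, List[Tuple[int, str]]] = {}
    for role, funcs in roles.items():
        for a, b, rank, desc in rules:
            if a in funcs and b in funcs:
                out.setdefault(role, []).append((rank, desc))
    return out


def user_conflicts(users=USERS, roles=ROLES, rules=SOD_RULES,
                   mitigations=MITIGATIONS) -> List[Finding]:
    """Rules violated by the union of functions a user's roles grant, sorted
    highest risk first, with the documented mitigating control attached if any."""
    findings: List[Finding] = []
    for user, held in users.items():
        funcs: Set[str] = set().union(*(roles[r] for r in held))
        for a, b, rank, desc in rules:
            if a in funcs and b in funcs:
                control = mitigations.get((user, a, b)) or mitigations.get((user, b, a))
                findings.append((rank, user, desc, control))
    return sorted(findings, key=lambda f: (f[0], f[1]))


def unmitigated(findings: List[Finding]) -> List[Finding]:
    """Conflicts with no documented control: the administrator's work queue."""
    return [f for f in findings if f[3] is None]


def management_summary(findings: List[Finding]) -> Dict[int, Tuple[int, int]]:
    """Per risk rank: (total conflicts, unmitigated conflicts), for the summary report."""
    summary: Dict[int, Tuple[int, int]] = {}
    for rank, _, _, control in findings:
        total, open_ = summary.get(rank, (0, 0))
        summary[rank] = (total + 1, open_ + (control is None))
    return summary


if __name__ == "__main__":
    print("Roles with built-in conflicts:", role_conflicts())
    findings = user_conflicts()
    print("Summary by risk rank (total, unmitigated):", management_summary(findings))
    for rank, user, desc, control in unmitigated(findings):
        print(f"rank {rank}: {user}: {desc}")
```

Running the script first reports the role that is itself in conflict (PURCHASING), then the user-level conflicts ordered by risk rank so the rank-1 vendor/payment combination is addressed first; dave's conflict appears in the management summary but not in the administrator's work queue because a control is documented for it.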
If you're looking to redesign your SoD rules in JD Edwards, take a look at SoDMaster, ALLOut's best practice Segregation of Duties matrix.
Sources: KPMG, 2021 IPO Material Weakness Study. Retrieved March 16, 2022, from https://advisory.kpmg.us/articles/2020/material-weakness-study-2020-ipo.html.