What is Segregation of Duties?

Despite its abstract nature, segregation of duties is a business concept that is applied every day, often without anyone realising it. Sarbanes-Oxley-compliant companies use segregation of duties (SoD) as a set of controls and policies to ensure accuracy and compliance. It is about ensuring that controls are in place and preventing certain combinations of roles from being used to commit fraud or embezzlement, for example by prohibiting a single person from both creating and paying a vendor.


What is Segregation of Duties?

Have you ever been asked by a cashier to wait for a manager to "override" the cash register so that your transaction could be refunded? That is just one of many everyday examples of SoD. The cashier cannot override cash register transactions because that lies outside the duties of a cashier; it is the sole responsibility of the manager. If a cashier could override a transaction, employee theft could occur.


There is no such thing as a perfect person. People make mistakes and poor judgement calls. When those people have access to an ERP system, however, the consequences can be severe and far-reaching. Unchecked errors can put consumers' safety in jeopardy and expose employers to civil and criminal liability.

A segregation of duties policy splits transactions between people to make it harder for mistakes to slip through the cracks and to hold workers and leadership accountable. "Trust" does not work as a control against fraud because it is not realistic. Reputable companies mitigate these risks with SoD on their ERP systems, alongside other measures.


The goal of SoD is to prevent roles from being combined in a way that could facilitate fraud or embezzlement. In corporate accounting, SoD separates the people who must each hand off a step of a given transaction so that it is completed correctly. Here are a few examples.

  • The person who sets up new vendors cannot also be authorised to issue purchase orders.
  • No one with the authority to sign purchase orders can sign checks.
  • Billing personnel are not permitted to also enter sales transactions in the general ledger.

Segregation of Duties Policy in Compliance

Sarbanes-Oxley (SOX) compliance is heavily reliant on SoD. SOX requires publicly traded companies to document and certify their financial reporting controls, including SoD. The CEO and CFO of a public company must sign an attestation of controls after a thorough audit is completed. These individuals can be held to account for inaccuracies in those statements, and wilfully falsifying them can even result in prison.

Under 21 CFR Part 11 (CFR stands for "Code of Federal Regulations"), the Department of Defense must also comply with the rule. It affects medical research and other industries, where keeping records and reporting on controls can be a matter of life or death. SoD ensures that only authorised personnel can create and edit records.

The Segregation of Duties Matrix

Duties can be separated in a variety of ways. In the past it was all about paper: the pink copy of a sales receipt went to person A and the yellow copy to person B, and if the yellow and pink copies did not match, there was a problem. Things have come a long way since then.


Now SoD is enforced through access permissions tied to user roles in SAP systems rather than through paper handling. If the payables clerk is not supposed to authorise checks, the check-authorising part of the ERP solution is simply inaccessible to that clerk's role.

This may sound simple, but it quickly becomes complicated. In a large organisation, one person may hold a variety of jobs across different locations and departments. Keep in mind that many of the SoD rules we work through with a client are already included in ControlPanelGRC. The premise is based on a "Segregation of Duties Matrix". To identify incompatible portions of business transactions, the rules are standardised and generally follow a matrix approach, such as the one shown here.

The matrix also identifies which roles complement each other in completing transactions. By following it, you can determine who should and should not have access to each system function, and you can use the grid to check your SAP landscape for SoD conflicts. The "AP Voucher Entry" role, for example, must not be able to reach the ERP functionality set up for the "AP Payments" role, and so on.

Managing SoD Conflicts in SAP

Managing SoD risks in SAP is not always easy, however. An SAP system may have thousands of users and dozens of different roles, each of which can be granted individual access rights, so determining who should have access to what becomes a difficult task. In addition, roles and privileges are constantly shifting and evolving: someone could create a new role with too many access privileges and unwittingly break SoD. In SAP this is referred to as an SoD risk. Having policies and tools that let your organisation detect SAP SoD conflicts and then remediate them is an IT best practice.

It is important to understand SAP SoD tools before you start a manual remediation process. Our ControlPanelGRC solution, along with SAP's SoD tools, automates the SoD process and makes it more precise. These tools automatically analyse roles to identify SoD risks. With ControlPanelGRC you can find out in minutes what previously took days or even weeks of manually reviewing roles and workflows.

Segregation of Duties in GRC

SAP governance, risk and compliance (GRC) plays a critical role in SoD, given SAP's central place in most companies' financials and operations. Our ControlPanelGRC tool makes this possible: it is an ABAP-based solution that automates compliance in SAP® environments without a lengthy implementation period or a complex training programme.

With our SAP Access Control Suite you can quickly assess potential compliance failures, resolve segregation of duties (SoD) conflicts and control access to your SAP software in a simple manner. With powerful workflow and automated utilities, the suite is designed to help prevent excessive user access.

ControlPanelGRC also defines and analyses risks in SAP, replacing the time-consuming and error-prone manual process of mapping duties and roles in SAP. The Risk Analyzer in ControlPanelGRC highlights SoD risks arising from conflicting functions, which reduces the number of redundant reports and false positives. The rulebooks included in the package can be customised to meet corporate or audit requirements, and they include predefined access-risk checks for regulations such as SOX and HIPAA.

Compensating Controls in SoD

Auditing segregation of duties sometimes reveals conflicts that cannot be resolved by the usual controls. In such cases the company can implement a compensating control, which reduces the risk posed by the conflict. For example, when only one employee is responsible for both setting up and paying vendors, a compensating control might be a weekly review of vendor transactions.
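As an added example (not code from ControlPanelGRC or SAP), the matrix check described in the sections above and the compensating-control case just discussed, in Python: a user's conflicts are found by taking the union of functions across all assigned roles, and a conflict with a registered compensating control is reported as mitigated rather than open. The function, role and user names are assumed.

```python
# Added example, not ControlPanelGRC or SAP code: a minimal SoD matrix check
# over user role assignments. All names below are constructed for illustration.

# SoD matrix: each entry is a pair of business functions that one person must
# not be able to perform together (drawn from the examples in the text).
SOD_MATRIX = {
    frozenset({"VENDOR_CREATE", "VENDOR_PAY"}),
    frozenset({"PO_SIGN", "CHECK_SIGN"}),
    frozenset({"BILLING", "GL_SALES_ENTRY"}),
    frozenset({"AP_VOUCHER_ENTRY", "AP_PAYMENTS"}),
}

# Which business functions each technical role grants (constructed).
ROLE_FUNCTIONS = {
    "Z_AP_VOUCHER": {"AP_VOUCHER_ENTRY", "VENDOR_CREATE"},
    "Z_AP_PAYMENTS": {"AP_PAYMENTS", "VENDOR_PAY"},
    "Z_PURCHASING": {"PO_SIGN"},
    "Z_TREASURY": {"CHECK_SIGN"},
    "Z_VENDOR_ALL": {"VENDOR_CREATE", "VENDOR_PAY"},  # single over-wide role
}

def user_functions(roles, role_functions=ROLE_FUNCTIONS):
    """All business functions a user reaches through the union of their roles."""
    functions = set()
    for role in roles:
        functions |= role_functions.get(role, set())
    return functions

def find_conflicts(roles, matrix=SOD_MATRIX, role_functions=ROLE_FUNCTIONS):
    """Matrix entries fully reachable by this role set, whether the conflict
    sits inside one role or only arises from combining several roles."""
    functions = user_functions(roles, role_functions)
    return {pair for pair in matrix if pair <= functions}

def risk_report(users, compensating=None):
    """users: {user: [roles]}; compensating: {(user, conflict_pair): note}.
    Returns {user: [(sorted functions, 'open' | 'mitigated')]} for users with
    at least one conflict, so only real findings reach the reviewer."""
    compensating = compensating or {}
    report = {}
    for user, roles in users.items():
        findings = []
        for pair in find_conflicts(roles):
            status = "mitigated" if (user, pair) in compensating else "open"
            findings.append((tuple(sorted(pair)), status))
        if findings:
            report[user] = sorted(findings)
    return report
```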

SAP GRC as a Necessity for SoD

SAP GRC provides the basic functionality for implementing SoD controls. Because controls can only be trusted if they are regularly tested, reviewed and audited, SAP GRC software automates these time-consuming processes to make them more efficient, and it centralises the command and control of SoD. For even greater protection, we offer SAP SoD risk analysis in our ControlPanelGRC suite.

ControlPanelGRC continuously monitors SoD conflicts in real time, which makes it easier to detect and resolve conflicts as they arise. In addition, the suite automatically generates comprehensive audit reports, which are sent to the organisation for approval.

ControlPanelGRC's capabilities include:

  • Define SoD through real-time SAP risk analysis, determining sensitive authorizations and restricting excessive user access with SAP Segregation of Duties (SoD) Risk Analysis.
  • Processes are streamlined with SAP GRC transaction usage data, reducing compliance risks while also saving time and money by scoping upgrades—while maximising SAP licence usage at the same time.
  • All user activities during an SAP "firecall" session are logged in order to maintain a continuous state of readiness for auditing the system's operations.
  • User and role provisioning in SAP accelerates day-to-day SAP security administration and ensures audit-readiness.
  • The review of user access and role certifications in SAP is automated.
  • Audit preparation time is reduced by automating SAP audit report delivery, validation and execution.
  • In SAP Human Capital Management (HCM), HR security needs such as monitoring and protecting sensitive data, as well as updating HR files securely, can be addressed through automation.
