
Segregation of Duties (SoD) is an important control that reduces the risk of errors and fraud. Though simple in concept, SoD can be complex in execution. To keep accounting roles, responsibilities and risks clear, compliance managers have long turned to the Segregation of Duties Matrix. Once a pencil-and-paper affair, the SoD matrix is now typically generated by software.

A Mini-Lesson on Segregation of Duties

SoD is a control that prevents the same person from executing multiple steps in a business transaction when holding those steps together would create an opportunity for fraud. For example, in purchasing, it would be unwise to authorize a single person to both create and approve a purchase order (PO). Each of these steps, or duties, should be performed by a separate person. Otherwise, and unfortunately this does happen, a person may be tempted to create a PO for a vendor that she owns, approve it, and then pay herself with company money. By splitting the duties, the control mitigates the risk of fraud in this case and many others.

Segregation of Duties Matrix in Information Technology

How can you keep track of the many different transactional duties in a large organization? The segregation of duties matrix is an invaluable tool in this regard. The figure below depicts a small slice of an SoD matrix. In this example, the matrix lays out four purchasing roles. Each duty, matched by a unique user group, or role, is listed twice—once on the X axis and once on the Y. With this layout, it is easy to spot where duties overlap and create risk.

Figure: example SoD matrix showing four purchasing roles (image not reproduced here).

A matrix like this is computer-generated. It is built from the user roles and functions defined in a financial system such as SAP. For SoD to work, each user group (role) must correspond to one procedure, or duty, in the transaction workflow. It is possible to assign duties to individuals one at a time, by hand, but this is highly impractical and prone to human error. Instead, the best practice is to assign each function to a particular role and then assign roles to users. That way, when the matrix flags two roles as conflicting, you can check which users hold both roles and remove one of them, rather than hunting for conflicts user by user.

What are SoD Risks?

SoD risk refers to the likelihood that an SoD conflict will result in a financial loss, legal liability or compliance penalty for a business. You can record the risk rating for each conflict within the matrix. In the PO example shown in the matrix, there is "Elevated Risk" where Create PO (Role 3) intersects Approve PO (Role 4), because the two roles are in direct conflict from an SoD perspective. In contrast, the conflict between Create PO and Approve Requisition is rated only "Low Risk." Some risk does arise from having the same person approve a requisition and then create the PO. However, with effective SoD elsewhere, that individual still cannot approve the PO he or she has written, so the exposure is limited.
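The role-to-function mapping described above and the risk ratings in this section can be checked mechanically. The following is an added example, not code from the original article or from ControlPanelGRC: a small Python analyzer that builds the role-versus-role matrix from role-to-duty assignments, then finds the actual violations, which arise when one user accumulates several roles whose duties conflict. The four purchasing roles and the two ratings (Create PO / Approve PO = Elevated, Create PO / Approve Requisition = Low) come from the article; Role 5, the "Release Payment" duty, its rating, the risk ordering, and the users are constructed assumptions for illustration. A real analysis against SAP would map duties to the system's transaction codes and authorizations rather than to these labels.

```python
"""Minimal SoD conflict analyzer (added example; assumptions noted inline)."""
from itertools import combinations

# Risk ratings used in the matrix, lowest to highest. The ordering is assumed.
RISK_RANK = {"Low": 1, "Elevated": 2}

# Role -> duties (functions) granted by that role. Roles 1-4 follow the
# article's purchasing example; Role 5 and "Release Payment" are assumed.
ROLE_FUNCTIONS = {
    "Role 1": {"Create Requisition"},
    "Role 2": {"Approve Requisition"},
    "Role 3": {"Create PO"},
    "Role 4": {"Approve PO"},
    "Role 5": {"Release Payment"},
}

# The SoD matrix as a sparse map: unordered duty pair -> risk rating.
# Pairs not listed do not conflict. The first two ratings are the article's;
# the third is an assumed entry modelling the approve-then-pay-yourself case.
SOD_MATRIX = {
    frozenset({"Create PO", "Approve PO"}): "Elevated",
    frozenset({"Create PO", "Approve Requisition"}): "Low",
    frozenset({"Approve PO", "Release Payment"}): "Elevated",
}

# Constructed user -> roles assignments (hypothetical users).
USER_ROLES = {
    "alice": {"Role 3"},                      # creates POs only: clean
    "bob":   {"Role 3", "Role 4"},            # creates and approves POs: Elevated
    "carol": {"Role 2", "Role 3"},            # approves requisitions, creates POs: Low
    "dave":  {"Role 3", "Role 4", "Role 5"},  # create, approve and pay: two Elevated
}


def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """All duties a user can perform, given every role assigned to them."""
    funcs = set()
    for role in roles:
        funcs |= role_functions.get(role, set())
    return funcs


def role_matrix(role_functions=ROLE_FUNCTIONS, matrix=SOD_MATRIX):
    """Role-vs-role view of the matrix (the X/Y grid in the article).

    Returns {(role_a, role_b): risk} for every ordered pair of distinct roles
    whose duties conflict, keeping the highest rating found for the pair.
    """
    grid = {}
    for a, b in combinations(sorted(role_functions), 2):
        worst = None
        for fa in role_functions[a]:
            for fb in role_functions[b]:
                risk = matrix.get(frozenset({fa, fb}))
                if risk and (worst is None or RISK_RANK[risk] > RISK_RANK[worst]):
                    worst = risk
        if worst:
            grid[(a, b)] = worst
            grid[(b, a)] = worst
    return grid


def user_conflicts(user_roles, role_functions=ROLE_FUNCTIONS, matrix=SOD_MATRIX):
    """Find SoD violations per user: conflicting duty pairs one person holds.

    A single role rarely carries both halves of a conflict; violations come
    from the combination of roles a user has accumulated, so the check runs
    on each user's effective duty set rather than role by role.
    Returns a sorted list of (user, duty_a, duty_b, risk).
    """
    findings = []
    for user, roles in user_roles.items():
        funcs = effective_functions(roles, role_functions)
        for fa, fb in combinations(sorted(funcs), 2):
            risk = matrix.get(frozenset({fa, fb}))
            if risk:
                findings.append((user, fa, fb, risk))
    return sorted(findings)


def remediation_options(user, roles, role_functions=ROLE_FUNCTIONS,
                        matrix=SOD_MATRIX, min_risk="Elevated"):
    """Roles whose removal clears every conflict rated at or above min_risk."""
    threshold = RISK_RANK[min_risk]
    options = []
    for role in sorted(roles):
        remaining = set(roles) - {role}
        left = user_conflicts({user: remaining}, role_functions, matrix)
        if all(RISK_RANK[r] < threshold for _, _, _, r in left):
            options.append(role)
    return options


if __name__ == "__main__":
    for pair, risk in sorted(role_matrix().items()):
        print(f"matrix {pair[0]} x {pair[1]}: {risk}")
    for user, fa, fb, risk in user_conflicts(USER_ROLES):
        fix = remediation_options(user, USER_ROLES[user], min_risk=risk)
        print(f"{user}: {fa} + {fb} -> {risk}; remove one of {fix}")
```

The check is deliberately done on the user's effective duty set rather than on the matrix alone: the matrix tells you which roles should never be combined, but the violation only exists once a real account holds both halves, and removing any one role in `remediation_options` shows which assignments actually clear it.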

Is Segregation of Duties a Preventative Control?

SoD is a preventive control. Its job is to prevent fraud and errors in advance of any transactional execution. That is, if it’s done right.

Accounting controls fall into two broad categories: preventive and detective. A detective control looks for evidence of error or fraud retrospectively, examining transactional data for anomalies that might indicate a problem. For example, if a PO approver is signing off on POs that have nothing to do with his or her area of the business, that may be evidence of fraud.

Some controls are both preventive and detective. Numbering transactions is a good example. Assigning every transaction a unique identifying number prevents mistakes and fraud by giving everyone a simple way to track each transaction. At the same time, numbering provides the basis for a detective control: fraud examiners routinely look for gaps, duplicates and out-of-sequence entries in transaction number series.

What is SoD Compliance?

SoD plays heavily into compliance. The Sarbanes-Oxley Act (SOX), for example, requires public companies to assess and attest to the effectiveness of their internal controls over financial reporting, and in practice this mandates that SoD be in effect. A SOX auditor looks for SoD and will rate the company's controls as deficient if SoD is not properly implemented. To do this, the auditor may examine the segregation of duties matrix. SoD compliance, therefore, is the process of getting SoD into sufficient shape to meet these requirements.

Working with a qualified SoD partner

Maintaining SoD compliance means having an SoD risk analysis process that is clear and actionable. If SoD controls are weak, you need a solution that provides options for remediation. The analysis and remediation should be easy for non-technical employees to understand. We can help you with this. Our ControlPanelGRC® software gives you the ability to conduct rigorous SoD risk analysis. It also shows remediation steps that are easy to make.

With ControlPanelGRC®, Symmetry is relentlessly committed to delivering solutions that meet the depth and breadth of your compliance challenges. Here you can learn more about ControlPanelGRC®, and how Symmetry can help you with SoD.

Scott Goolik - VP, Compliance and Security Services

Scott Goolik is VP of Compliance and Security Services at Symmetry. A recognized expert in the field of SAP security and compliance, Scott has over 20 years of expertise in SAP security and is a regular presenter at SAP industry tradeshows and ASUG events. His experience includes working for one of the Big Four accounting firms and developing auditing tools, including those for segregation of duties (SOD). Scott is also responsible for architecting the ControlPanelGRC® solution which provides audit automation and acceleration of security and control processes.