Segregation of Duties (SoD) comprises one of the foundational controls in an effective Risk and Compliance (GRC) program. SoD involves separating people who execute the different steps of business transactions to reduce the risk of fraud or errors. Given the role of SAP in finance, SoD is an unavoidable responsibility for SAP administrators and others responsible for aligning SAP with GRC.
What Is Segregation of Duties (SoD)?
Understanding segregation of duties requires knowing a bit about how businesses process income and expense transactions. With spending, for example, there is a sequence of steps that occur before any money is actually disbursed. Typically, a business manager drafts a purchase order (PO) that spells out how a vendor is to be paid for a product or service. To be paid, that vendor needs to be approved by the purchasing department. Someone, usually a senior manager, must approve the purchase order. Then, the vendor must invoice for the product or service. Someone in the accounts payable department has to approve the invoice for payment before the check is signed. Figure 1 captures this basic procurement work flow.
Figure 1 – Procurement workflow from PO request to signing the check
Each of the four people depicted in figure 1 have different duties. Well-run companies assign these duties to different people for a compelling reason. The individuals in this workflow act as checks on one another. Indeed, imagine if one person could execute all four steps in this process. He or she would be in a position to request a purchase, approve it and sign the check.
As experience has unfortunately shown, employees sometimes abuse this concentration of authority as a means to commit fraud. For instance, an employee could request goods or services that never get delivered, but still pay for them, colluding with the vendor to pocket the money.
Why is SoD So Important for Compliance?
SoD is a core control over financial reporting. Without it, financial reports may easily offer invalid information. As a result, SoD figures prominently into public companies’ compliance with the Sarbanes Oxley Act (SOX). The law mandates that public companies that certain verifiable steps to ensure accuracy in financial reporting. SOX Section 404 states, “All annual financial reports must include an Internal Control Report stating that management is responsible for an ‘adequate’ internal control structure, and an assessment by management of the effectiveness of the control structure.” SoD is critical to an adequate internal control structure. The SOX audit must determine that SoD controls are robust enough to enable management to attest to their efficacy in the SOX compliance process.
SoD and SAP
Today, with virtually all aspects of corporate accounting and finance occurring on software, SoD is largely a matter of user account access controls and rules. Figure 2 expands the procurement workflow from Figure 1 to include each user’s connection to the SAP solution that powers the work step. For SoD to work, the SAP access controls and transaction permissions have to match the SoD requirements. In this case, when Person A logs into the SAP procurement system, he can only write a PO. If he tries to approve a PO he’s written, the rules in the system must prohibit him from doing so. That is how SoD gets enforced.
Figure 2 – SoD rules affect user account access privileges in the SAP systems that support financial transactions.
SAP provides automated tools for SoD, logging access, transactions and other information related to SoD. These are part of a broader GRC set of access and process controls that manage your internal security model and remediate compliance issues while monitoring potential business risks within your SAP system. SAP GRC access controls cover what users can do. The process control tracks what your users are actually doing. In the example shown in Figure 2, SAP GRC access control would detect the potential for a violation of SoD and issue an alert.
SoD Challenges in SAP Environments
Business organizations seldom remain static for very long. There’s a constant churn of personnel and shifts in organizational structure. This leads to inevitable SoD conflicts. Consider the following scenario: The procurement staffer authorized to approve new vendors retires. Her role is assigned to another procurement staffer, who is also authorized to issue purchase orders. This violates the principle of segregation of duties.
The SAP GRC framework calls for mitigating controls once a conflict of this type is discovered. However, in our experience, the process for identifying and addressing SoD conflicts relies on manual steps like review of vendor lists and payment ledgers. This document-centric process is deficient, on our view, because it lacks systematic risk and usage analysis as well as real-time alerts of potential violations of SoD controls. Without consistent compliance reports, mandated reviews and sign offs, risks may go unnoticed for long periods of time—or forever.
Solving SAP SoD Compliance Challenges
We have had success helping clients strengthen their SoD through the use of SoD monitoring tools. These products are designed to detect, analyze and manage risks of SoD conflict. They automate review of access to sensitive transactions violations of complex, role-based authorization rules. In particular, we implement ControlPanelGRC®, a Continuous Controls Monitor ing (CCM) platform automates SAP and SOX compliance and audit-relevant tasks like SoD.
We can work with you to implement ControlPanelGRC in your organization, embedding SoD compliance into your day-to-day SAP administration. Our approach covers regular user and role changes, transport and batch jobs as well as emergency access processes. It shows all SAP and SOX compliance checkpoints on a single dashboard.