You get a call at 2 a.m. informing you that your SAP ERP system has…
Segregation of Duties is one of those business concepts that’s a bit abstract, but the truth is you see it every day, perhaps without realising. Formally, Segregation of Duties (SoD) is a set of controls and policies intended to ensure accuracy and keep companies compliant with regulations like Sarbanes Oxley. In simple terms, however SoD is about making sure controls are where they’re supposed to be and prevent specific combinations of roles that could facilitate fraud or embezzlement — for example, by preventing a single person from creating and paying a vendor.
What is Segregation of Duties?
Have you ever been at a shop and had the cashier call for a manager to do an “override” on the till to void your transaction? That’s an everyday example of SoD. The cashier’s duties preclude him or her from overriding till transactions. That is the manager’s exclusive duty. If the cashier could override a transaction, the shop would be at risk for employee theft.
People aren’t perfect, they make mistakes, use poor judgment, and give into temptation. But when people have access to ERP, the consequences can be huge. Employees can defraud investors of millions, jeopardise the safety of consumers with undetected errors, and expose employers to civil and criminal liabilities.
Your segregation of duties policy divides up transactions, both to make it harder for mistakes to slip through undetected, and to hold workers and leadership accountable. Though it’s not pleasant to contemplate, fraud risk is real and “trust” is not a control. Responsible businesses take care to mitigate these risks with SoD on ERP systems and other controls.
The goal of SoD is to prevent combinations of roles that could facilitate fraud or embezzlement. In corporate accounting, SoD manifests as separations between people who must hand off steps in a given transaction to ensure that it’s completed accurately. Examples include:
- The person who approves new vendors cannot authorise a purchase order to vendors
- The person who approves purchase orders cannot authorise cheques to be written
- The person who prepares invoices cannot also enter sales transactions in the general ledger
Segregation of Duties Policy in Compliance
SoD figures prominently into Sarbanes Oxley (SOX) compliance. SOX mandates that publicly traded companies document and certify their controls over financial reporting, including SoD. Following a meticulous audit, the CEO and CFO of the public company must sign off on an attestation of controls. They can be held accountable for inaccuracies in these statements. If it’s determined that they willfully fudged SoD, they could even go to prison!
The Federal government’s 21 CFR Part 11 rule (CFR stands for “Code of Federal Regulation.”) also depends on SoD for compliance. It affects medical research and other industries, where lives might depend on keeping records and reporting on controls. SoD makes sure that records are only created and edited by authorised people.
The Segregation of Duties Matrix
There are many ways to devise and implement segregation of duties. In the old days, it was about paper, e.g. the pink copy of a sales receipt went to person A while the yellow copy went to person B. If the yellow and pink copies didn’t match, there was a problem. We’ve come a long way.
Now, SoD is executed through access permissions tied to user roles on SAP systems. If the payables clerk is not supposed to authorise a cheque, his or her role will make it impossible to access the cheque authorising part of the ERP solution.
This sounds pretty simple, but doing it can get complicated pretty quickly. In modern organisations, you might have dozens of roles in multiple locations and business units. To keep things straight, when we work with a client to establish their SoD rules, many are included “out of the box” with ControlPanelGRC. The premise follows what’s known as a “Segregation of Duties Matrix.” The rules are standardised and generally follow a matrix approach, like the one shown here, to identify incompatible portions of business transactions.
How to Check SoD Conflicts in SAP
The grid displays potential conflicts of role, while showing which roles are complementary in completing transactions. By following the matrix, you can see who should be allowed or denied access to system functions. You can use the grid to detect SoD conflicts in your SAP landscape. For example, the “AP Voucher Entry” Role cannot have access to the ERP functionality set up for the “AP Payments” role and so forth.
Compensating Controls in SoD
In some cases, a segregation of duties audit reveals a conflict that simply cannot be addressed through controls. To solve this problem, the company can establish a compensating control. This serves to reduce the risks created by the conflict. For example, if a company has a single employee who sets up vendors and pays them, a compensating control might involve having a weekly review of vendor transactions.
SAP GRC as a Necessity for SoD
SAP GRC provides basic functionality to implement SoD controls. However, given that controls will only be reliable if they are tested, reviewed and audited on a regular basis, SAP GRC software automates these time-consuming tasks. It also centralises SoD controls. Our ControlPanelGRC suite takes you further, with SAP SoD risk analysis that detects potential risks before they happen.
ControlPanelGRC continuously monitors SoD conflicts in real time. That way you can detect and remediate conflicts as they arise. The software suite automatically creates comprehensive audit reports and routes them for approval in the organisation.
Specific capabilities of ControlPanelGRC include:
- SAP Segregation of Duties (SoD) Risk Analysis– Defines SoD through SAP risk analysis in real time, determining sensitive authorisation and preventing excessive user access.
- SAP Transaction Usage Analysis– Streamlines business processes with SAP GRC transaction usage data, remediating compliance risks, and saving time and money by scoping upgrades—maximising SAP licence usage at the same time.
- SAP Emergency Access Management– Maintains a continuous state of readiness for audit by logging all user activities during an SAP “firecall” session.
- SAP User Provisioning and Role Management– Accelerates day-to-day SAP security administration and maintains audit-ready status.
- SAP User Access Review Automation– Provides an automated solution for user access and role certification reviews.
- SAP Audit Management– Reduces the time and effort required for audit prep by automating SAP audit report execution, delivery and validation.
- SAP HR Security Automation– Empowers SAP Human Capital Management (HCM) users to address HR security needs such as monitoring and protecting sensitive HR data and securely updating HR files.
Learn how Symmetry’s ControlPanelGRC Automated Controls can help you achieve better SoD while lowering your compliance costs at the same time.