Segregation of Duties
Fraud requires two main elements: motivation and opportunity. The greatest opportunity a company can offer a fraudster is weak or nonexistent segregation of duties (SoD). SoD is a critical internal control that limits the opportunity for abuse by any single person, for example by requiring two signatures on a check or by separating the creation of a sensitive transaction from its approval.
In today’s automated business processes SoD is enforced inside business applications and ERP systems, and a breakdown in these controls can be difficult to detect. In other situations, SoD conflicts caused by insufficient staffing make it physically impossible to segregate duties properly; these are made worse by poor or missing compensating controls such as independent authorization/approval or budget-to-actual reconciliation.
In one case, a major hi-tech corporation discovered a fraud that had been running for over 7 years. Employees whose access had been checked and validated within the ERP system held additional privileges in legacy systems that were part of the same business process. The fraud cost the company over $18m and resulted in a restatement of its earnings.
This case highlights that even with mature ERP systems, SoD violations can arise inadvertently: elevated permissions are granted to someone covering for a vacationing employee and never revoked, or an employee inherits elevated privileges through membership of another security group. The ERP’s built-in controls do not catch these cases because the assigned authorities were validated and approved by the administrator. Two needs follow: first, the ability to confirm that the ERP’s preventive controls are actually working, and second, just as important, the ability to analyze SoD access in the other systems upstream and downstream of the ERP platform. This is especially true in companies that frequently alter their processes and the rules governing SoD.
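The two failure modes just described (privileges inherited through group nesting, and conflicting functions split across an ERP and a legacy system) can be checked mechanically by resolving each user's effective functions in every system and comparing them against a conflict matrix. The following is an added example written for this page; it is not SymSure's product code or any ERP vendor's API. The system names (ERP, LegacyAP), group names, users and the conflict pairs are all constructed for illustration.

```python
"""Cross-system Segregation of Duties (SoD) check with role inheritance.

Added example, not SymSure's or any ERP vendor's code. The system, group,
user and function names below are constructed for illustration.
"""
from collections import defaultdict

# Pairs of business functions that one person must never hold together
# (a minimal conflict matrix for a purchase-to-pay process).
CONFLICTS = [
    ("vendor.create", "payment.approve"),
    ("payment.create", "payment.approve"),
    ("po.create", "po.approve"),
]

# Two systems in the same process: the ERP and a legacy AP application that
# feeds it. "includes" models role inheritance: a member of AP_Manager also
# receives everything AP_Clerk grants, which is how bob ends up conflicted.
SYSTEMS = {
    "ERP": {
        "groups": {
            "AP_Clerk":   {"functions": {"vendor.create", "payment.create"}, "includes": set()},
            "AP_Manager": {"functions": {"payment.approve"}, "includes": {"AP_Clerk"}},
            "Buyer":      {"functions": {"po.create"}, "includes": set()},
        },
        "users": {"alice": {"AP_Clerk"}, "bob": {"AP_Manager"}, "carol": {"Buyer"}},
    },
    "LegacyAP": {
        "groups": {
            "Approver": {"functions": {"payment.approve"}, "includes": set()},
            "Entry":    {"functions": {"vendor.create"}, "includes": set()},
        },
        # alice kept Approver after covering for a colleague's vacation.
        "users": {"alice": {"Approver"}, "carol": {"Entry"}},
    },
}


def resolve_functions(groups, name, _seen=None):
    """Effective functions of a group, following 'includes' transitively
    and tolerating cycles in the group graph."""
    _seen = set() if _seen is None else _seen
    if name in _seen:
        return set()
    _seen.add(name)
    grp = groups[name]
    funcs = set(grp["functions"])
    for child in grp["includes"]:
        funcs |= resolve_functions(groups, child, _seen)
    return funcs


def effective_access(systems):
    """Return user -> function -> {'System:Group', ...} across all systems."""
    access = defaultdict(lambda: defaultdict(set))
    for sys_name, sys_def in systems.items():
        for user, user_groups in sys_def["users"].items():
            for grp in user_groups:
                for func in resolve_functions(sys_def["groups"], grp):
                    access[user][func].add(f"{sys_name}:{grp}")
    return access


def find_violations(systems, conflicts=CONFLICTS):
    """List every user holding both halves of a conflicting pair.

    A violation is flagged 'cross_system' when no single system grants both
    functions; such a conflict is invisible to any one system's built-in
    SoD check and only shows up from an independent point of observation."""
    access = effective_access(systems)
    found = []
    for user in sorted(access):
        for a, b in conflicts:
            if a in access[user] and b in access[user]:
                sys_a = {p.split(":")[0] for p in access[user][a]}
                sys_b = {p.split(":")[0] for p in access[user][b]}
                found.append({
                    "user": user,
                    "functions": (a, b),
                    "granted_by": {a: sorted(access[user][a]), b: sorted(access[user][b])},
                    "cross_system": not (sys_a & sys_b),
                })
    return found


if __name__ == "__main__":
    for v in find_violations(SYSTEMS):
        kind = "CROSS-SYSTEM" if v["cross_system"] else "in-system"
        print(f"{v['user']}: {v['functions'][0]} + {v['functions'][1]} "
              f"[{kind}] via {v['granted_by']}")
```

Run as written, the check reports four violations: bob's two come entirely from the ERP through the inherited AP_Clerk role, while alice's two are split between the ERP and LegacyAP and would not be caught by either system alone; carol holds functions in both systems but no conflicting pair. In practice the group and user data would be extracted from each system's access tables on a schedule and the conflict matrix maintained by the process owner.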
An effective continuous monitoring solution gives an organization a point of observation over SoD controls that is independent of the business applications and spans any business process in the enterprise. It identifies control breaches, fraud and money leakage by confirming that the embedded application controls are working properly across business processes.
An independent point of observation is essential to continuous monitoring. As the example above shows, solutions embedded in an ERP or added on to an existing application can only identify issues within the system they are tied to. SymSure, by contrast, monitors SoD holistically, ensuring that user authorities are properly compartmentalized regardless of the business application, and as a secondary benefit provides assurance that the interfaces between different systems and business operations are working correctly.
The continuous monitoring system should be accessible to all key stakeholders in the organization. Since an effective monitoring solution touches multiple business processes, stakeholders must be able to access and review the results, particularly where many types of operational users work with the system. Equally important is the ability to route issues to the appropriate individuals and to ensure that they are dealt with on a timely basis within an effective workflow.
SymSure enables all SoD touch points within the business processes to be monitored, regardless of the underlying systems, data sources, platforms or locations. Results from these disparate sources are presented in the SymSure portal for use by any authorized users regardless of their location, technical ability or business role.
With the SymSure framework, all aspects of SoD analysis can be examined regardless of the underlying infrastructure. Because SymSure is a framework rather than an application-specific tool, it adapts easily when business processes change. Notifications and workflow management are built into SymSure, ensuring that issues receive proper attention and that their resolution can be tracked.
- Early detection of SoD issues
- Simple regulatory compliance reporting
- Enhanced view of potential SoD violations
- Reduction in the risk of fraud through SoD violations
- Historical record of SoD exceptions and remediation
- Common portal for Segregation of Duties across the enterprise
- Greater transparency and effectiveness in the protection of information
