Risk Management

Get Involved. Join the Conversation.


    Christine Doxey
    The Benefits of Segregation of Duties Controls
    Topic posted November 9, 2018 by Christine DoxeyRed Ribbon: 250+ Points, last edited November 9, 2018, tagged Advanced Controls, Compliance, Financial Transactions, Fraud, GRC, Risk Management, Sarbanes Oxley, Separation of Duties, SOX 
    The Benefits of Segregation of Duties Controls
    In my last post, we discussed the concept of implementing internal controls to mitigate risk. Segregation of duties is a fundamental control to consider when managing risk.

    What is Segregation of Duties (SoD)?

    The key principle of segregation of duties is that an individual or small group of individuals should not be in a position to control all components of a transaction or business process. The general duties to be segregated are: planning/initiation, authorization, custody of assets, and recording or reporting of transactions. In addition, control tasks such as review, audit, and reconcile should not be performed by the same individual responsible for recording or reporting the transaction. Adequate segregation of duties controls reduces the likelihood that errors (intentional or unintentional) will remain undetected by implementing separate processing by different individuals at various stages of a transaction and for independent reviews of the work performed. 

    Segregation of duties controls provides four primary benefits: 1) the risk of a deliberate fraud is mitigated as the collusion of two or more persons would be required in order to circumvent controls;  2) the risk of legitimate errors is mitigated as the likelihood of detection is increased;  3) the cost of corrective actions is mitigated as errors are generally detected earlier in their lifecycle; and 4) the organization’s reputation for integrity and quality is strengthened through a system of checks and balances.

    Applying SoD Controls to Systems Access

    The principle of segregation of duties is critical as it ensures the separation of different functions such as transaction entry, on-line approval of the transactions, master file initiation, master file maintenance, user access rights, and the review of transactions.  This means that one individual should not have access rights which permit them to enter, approve and review transactions. Assigning different security profiles or roles to various individuals supports the principle of segregation of duties. As an example, this principle can be reinforced by systems access policy and the ongoing review of system access controls as part of your internal controls program.

    Eight Categories of SoD Controls to Consider

    The following categories of duties or responsibilities should be considered when implementing segregation of duties controls and can  be validated by system access roles by asking the question, “Who can do what?” These controls can be used to develop your internal controls self-assessment process and when considering compensating controls to mitigate risk for a specific business process.

    1. Policy, Plans and Goals
      • Formulating policy, plans and goals
      • Approving policy, plans and goals
    2. Developing/analyzing business case justification
      • Transaction SoD Controls
      • Initiating a transaction
      • Authorizing the transaction
      • Recording the transaction
    3. Monitoring or having custody of physical assets
    4. Monitoring and/or reporting on performance results
    5. Reconciling accounts and transactions
    6. Master File Transactions
      • Authorizing master file transactions
      • Processing master file transactions
    7. Providing information systems development, security administration, and other related support
    8. Following-up and resolving issues or discrepancies