SOD and Logical Access Guide

Uploaded by faisal

SEGREGATION OF DUTIES AND LOGICAL ACCESS GUIDE
WHAT IS SEGREGATION OF DUTIES (SOD)?

The basic idea underlying SOD is that no employee or group of employees should be in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties. In general, the principal incompatible duties to be segregated are:

• Custody of assets
• Authorization or approval of related transactions affecting those assets
• Recording or reporting of related transactions

Traditional systems of internal control rely on assigning certain responsibilities to different individuals or segregating incompatible functions. The general premise of SOD is to prevent one person from having both access to assets and responsibility for maintaining the accountability of those assets. SOD does not prevent collusion: two or more people who each hold one side of a segregated duty can still combine them.

The fraud triangle is a model for explaining the factors that cause someone to commit fraud. It consists of three components which, together, lead to fraudulent behavior:
• Financial Pressure
• Opportunity
• Rationalization

SOD addresses the Opportunity corner of the triangle; it does nothing about pressure or rationalization.
TYPES OF SEGREGATION OF DUTIES

System Designed SOD: Logical access is a control that limits user access to information and restricts users' ability to record transactions in the system to only what is appropriate for them.
• EX 1: Can an employee post and approve a journal entry in the system, or open/close an accounting period?
• EX 2: Does the employee have access to update the master vendor file, issue a purchase order or enter an invoice, process payment, post a journal entry, etc.?

Operationally Designed SOD: Segregation of duties also includes protocols that exist outside of the system and are managed by appropriately designed manual business operations and internal control.
• EX 1: Does the employee responsible for preparing or reviewing bank reconciliations also have any of the following cash receipt or disbursement responsibilities: receiving cash, preparing cash deposits, printing checks or approving checks/wires?
• EX 2: Does the employee responsible for making adjustments and running final payroll also have responsibility for reviewing final payroll prior to disbursement?
WHY IS IT IMPORTANT?

Support Internal Control Environment: SODs help minimize the risk that an organization does not achieve its goals, does not provide reliable financial data, and/or does not comply with laws and defined policies.

Prevent the Risk of Fraud or Error: Administrative or other recording errors may not be detected in a timely manner, since an independent/objective review of transactions may not be occurring; OR inappropriate or unauthorized (fraudulent) transactions are permitted to occur, since one individual controls a major portion of the revenue, expenditure, payroll or other functions.

Regulatory Compliance: Sarbanes-Oxley and other regulatory requirements are forcing companies to increase their awareness of, and accountability for, their employees' actions within the company.

Security Data Management: Recent privacy laws and prosecution of security violations are bringing new awareness to monitoring and controlling security and access to data within organizations.
WHAT IS THE RISK?

Increased Financial Statement Fraud Risk – Inadequate segregation of duties could make fraud prevention, detection and investigation difficult, which could possibly lead to misstated financial statements, regulatory punishments, damage to the company's reputation, reduced investor trust, etc.

Misappropriation of Assets – Involves third parties or employees in an organization who abuse their position to steal from it through fraudulent activity.

Reduced Reliance on Internal Control – Could lead to increased substantive testing by internal audit and the external auditor, translating to additional money out of Company A's pockets. More serious findings could lead to an evaluation by the external auditor that the company has a significant deficiency or material weakness.

Increased Auditor Skepticism – Ongoing questioning of whether the information and evidence obtained is reliable, free from errors or may suggest that a material misstatement exists. As a result, the auditor may increase sample sizes, lower substantive testing thresholds or increase audit procedures overall.
WHAT IS EVERYONE'S ROLE (INCLUDING YOU)?

Management (Company A):
Just like any other internal control, management and control owners are responsible for:
• Planning, organizing and directing performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved
• Understanding the scope of sensitive transactions and SOD conflicts that drive the company's KEY business processes
• Determining thresholds based on the risk and impact to the company for each potential SOD conflict pairing

Internal Audit:
• Support management in the analysis, design and implementation of SOD protocols and controls
• Internal audit may play an important consulting and advisory role, but should not design the controls itself; doing so would compromise its independence when it later tests them
• Test logical access and segregation of duties and controls on behalf of management

External Audit:
• May independently test logical access and segregation of duties, or review/rely on procedures performed by management/internal audit
• Responsible for evaluating procedures completed by management or the internal audit function and, depending on this evaluation, may issue a deficiency, significant deficiency or material weakness, which could lead to an adverse opinion on the effectiveness of internal controls and/or increased substantive testing procedures
• The external auditor is required to address the concerns issued by the Public Company Accounting Oversight Board (PCAOB)
IN SUMMARY

Key Points:

SOD is a component of an effective internal control environment.

The overall effectiveness of management's internal controls depends to a large extent on segregation of duties. If internal controls are to be effective, there needs to be an adequate division of responsibilities:
• Custody of assets
• Authorization or approval of related transactions affecting those assets
• Recording or reporting of related transactions

SODs should be commensurate with the size, complexity and overall risk of a company's operations and financial reporting environment. It is important to always first consider the risks to the organization.

Compensating/mitigating controls may exist to mitigate the risks resulting from a lack of appropriate segregation of duties. These controls include audit trails, reconciliations, supervisory reviews and transaction logs.
SOD MATURITY MODEL

The Capability Maturity Model (CMM) is an external framework Protiviti uses to help businesses succeed by assessing current capabilities against their desired state. When applied to SOD, the model assesses Company A's SOD maturity, with the least mature taking a reactive approach and the more mature taking a proactive approach. A more mature SOD approach helps to limit risk and increases the quality of the process.

The higher up the model a company's capabilities are, the greater its prospects for successfully managing risk associated with improper segregation of duties.

Maturity levels, from most to least mature:
5 System IT/GRC Environment (Proactive)
4 Management Reviews
3 User Access Reviews Performed by Management
2 Operational Approach (Reactive)
1 Do Nothing

Moving down the model increases risk; moving up increases quality.
DO NOTHING

Example: Company A has no defined processes for designing, reviewing or monitoring SODs. The environment is reactive, driven only by regulatory and statutory needs.

Current State: Reactive

Risk Level: High

SOX Sufficient: No

Leading Practice: Practice an increased level of professional skepticism and encourage Company A to understand the importance of a strong SOD environment. Recommend management adopt, at a bare minimum, user access reviews performed by management and tested by internal audit.

Management's Role: Does nothing relating to SOD.

Risks:
1) With no procedures in place, the opportunity for an employee to commit fraud is very high
2) Company A is not compliant with regulatory requirements
3) Errors can go undetected
4) Possibility of increased external audit fees
OPERATIONAL APPROACH

Example: Process owners assume SODs are adequate and functioning appropriately based on the idea that various business departments exist with separate individuals performing tasks (e.g., separate procurement, receiving, accounts payable, etc.).

Current State: Reactive

Risk Level: High

SOX Sufficient: No

Leading Practice: Practice an increased level of professional skepticism, specifically for employees that perform cross-functional department duties. Recommend management adopt, at a bare minimum, user access reviews performed by management and tested by internal audit.

Management's Role: Defines operations and segregates roles within departments to ensure there are no SOD issues.

Risks:
1) With a limited number of companywide procedures in place, the opportunity to commit fraud is still available to employees who are involved in more than one department's operations
2) Company A is not compliant with regulatory requirements
3) Errors can go undetected
4) Possibility of increased external audit fees
USER ACCESS REVIEWS PERFORMED BY MANAGEMENT

Example: Internal audit performs an analysis of management's user access review and of SOD, and updated audit procedures may be used in process areas determined to have weaker SOD.

Current State: Reactive/Detective

Risk Level: High

SOX Sufficient: Depends on Company A and the external auditor
• Evaluate the control environment and business complexity
• Engage in discussions with management and the external auditor

Leading Practice: Perform SOD testing utilizing system access detail (system security) and business process knowledge.

Management's Role: Performs user access reviews to evaluate SOD. This may represent the bare minimum for SOX/internal controls. Again, it is important to discuss with management and the external auditor throughout the audit.

Risks:
1) A user access review confirms who has which access, but does not necessarily address SOD effectiveness (which combinations of access are incompatible), thus leaving opportunity to commit fraud
2) Company A may not be compliant with regulatory requirements
3) Errors can go undetected
4) Possibility of increased external audit fees
USER ACCESS TESTED BY MANAGEMENT

Example: Management analyzes the various roles in the organization and maps employee user access to eliminate or mitigate the risk of SOD conflicts.

Current State: Proactive/Preventative

Risk Level: Medium

SOX Sufficient: Yes, Good Approach

Leading Practice: Validate management's review or re-perform the analysis to ensure management's analysis was appropriate.

Management's Role: Completes an SOD analysis and works to mitigate issues if found. Additionally ensures compensating controls are in place if issues are identified.

Risks:
1) If the SOD review does not take place in conjunction with the user access review, the possibility exists that a user's access is not consistent with the access they should be given based on the SOD review.
2) Additionally, management's review may not be complete, or management may not have assessed changes in the business that could impact the user access review.
SYSTEM IT/GRC ENVIRONMENT

Example: The organization utilizes a governance, risk and compliance (GRC) setup in SAP using a rule set, periodically sends out error reports and flags new users. The GRC program may also prevent user access that would cause SOD conflicts at the time the access is requested, rather than only reporting it afterwards.

Current State: Proactive/Preventative

Risk Level: Low

SOX Sufficient: Yes, Best Practice

Leading Practice: Analyze error reports and rule sets to ensure management has implemented and monitored the rule set and is handling exceptions. Review to ensure the GRC rule set is robust and reflects the current business and risk environment. Additionally ensure compensating controls are in place if issues are identified.

Management's Role: Monitors and further reviews exceptions from system-generated error reports. Management should assess changes in the business environment that were not previously incorporated into the rule set.

Risks:
1) Although this is the most efficient way to monitor SOD within an organization, be mindful that the risk still exists that the rule set is incomplete, there are insufficient mitigating controls, or management did not assess changes in the business that could impact the GRC rule set. A conflict the rule set does not describe is never reported.
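The mechanical core of both the system-designed SOD questions earlier in this guide (can one user post and approve a journal entry, or maintain the vendor master and also process payments?) and the GRC rule-set monitoring described on this slide is the same check: expand each user's roles into the transactions they can execute, then test every rule in a rule set of incompatible function pairs against that expansion. The Python below is an added example written for this page; it is not SAP GRC or any Protiviti tool, and its rule IDs, role names, function names, user assignments and the single mitigation entry are all constructed. It runs the check in both modes the slide distinguishes: a periodic detective report of existing conflicts, and a preventive check at provisioning time that blocks a role assignment only when it would introduce a new conflict.

```python
"""SOD rule-set evaluation: detective report plus preventive provisioning check.

Added example for this page; it is not SAP GRC or any vendor tool. Every
rule, role, function, user and mitigation below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed rule set: rule id -> (function A, function B, risk rating).
# A user who can execute both functions violates the rule.
RULESET = {
    "FIN-01": ("post_journal_entry", "approve_journal_entry", "High"),
    "P2P-01": ("maintain_vendor_master", "process_payment", "High"),
    "P2P-02": ("create_purchase_order", "enter_invoice", "Medium"),
    "P2P-03": ("enter_invoice", "process_payment", "High"),
    "PAY-01": ("adjust_payroll", "review_final_payroll", "High"),
}

# Constructed role definitions: role -> functions (transactions) it grants.
ROLES = {
    "GL_ACCOUNTANT": {"post_journal_entry"},
    "GL_MANAGER": {"approve_journal_entry", "close_period"},
    "AP_CLERK": {"enter_invoice"},
    "AP_PAYMENTS": {"process_payment"},
    "VENDOR_ADMIN": {"maintain_vendor_master"},
    "BUYER": {"create_purchase_order"},
}

# Constructed accepted-risk register: (user, rule) -> compensating control.
MITIGATIONS = {
    ("bob", "P2P-03"): "Controller reviews the weekly payment run against invoices",
}


@dataclass
class Conflict:
    user: str
    rule_id: str
    risk: str
    via: tuple            # (function A, role granting A, function B, role granting B)
    mitigation: Optional[str] = None


def effective_functions(assigned_roles, roles=ROLES):
    """Expand roles to the functions a user can execute, remembering which
    roles grant each one; the report needs the role, not just the function."""
    funcs = {}
    for role in sorted(assigned_roles):
        for fn in roles.get(role, ()):
            funcs.setdefault(fn, []).append(role)
    return funcs


def find_conflicts(user, assigned_roles, ruleset=RULESET, roles=ROLES):
    """Detective check: every rule whose two functions are both reachable."""
    funcs = effective_functions(assigned_roles, roles)
    hits = []
    for rule_id, (a, b, risk) in ruleset.items():
        if a in funcs and b in funcs:
            hits.append(Conflict(user, rule_id, risk, (a, funcs[a][0], b, funcs[b][0])))
    return hits


def can_assign(user, current_roles, new_role, ruleset=RULESET, roles=ROLES):
    """Preventive check at provisioning time. Only conflicts the new role would
    introduce are reported; pre-existing ones belong to the detective report."""
    before = {c.rule_id for c in find_conflicts(user, current_roles, ruleset, roles)}
    after = find_conflicts(user, set(current_roles) | {new_role}, ruleset, roles)
    introduced = [c for c in after if c.rule_id not in before]
    return len(introduced) == 0, introduced


def sod_report(assignments, ruleset=RULESET, roles=ROLES, mitigations=MITIGATIONS):
    """Periodic error report across all users, highest risk first. Mitigated
    conflicts stay in the report so the compensating control stays visible."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    report = []
    for user, user_roles in assignments.items():
        for c in find_conflicts(user, user_roles, ruleset, roles):
            c.mitigation = mitigations.get((user, c.rule_id))
            report.append(c)
    return sorted(report, key=lambda c: (order[c.risk], c.user, c.rule_id))


# Constructed user-to-role assignments.
ASSIGNMENTS = {
    "alice": {"GL_ACCOUNTANT", "GL_MANAGER"},  # posts and approves journal entries
    "bob": {"AP_CLERK", "AP_PAYMENTS"},        # enters invoices and releases payments
    "carol": {"BUYER"},                        # no conflict
    "dave": {"VENDOR_ADMIN"},                  # clean until someone also gives him payments
}

if __name__ == "__main__":
    for c in sod_report(ASSIGNMENTS):
        a, role_a, b, role_b = c.via
        status = f"mitigated: {c.mitigation}" if c.mitigation else "OPEN"
        print(f"{c.risk:6} {c.user:6} {c.rule_id} {a} (via {role_a}) + {b} (via {role_b}) [{status}]")
    ok, introduced = can_assign("dave", ASSIGNMENTS["dave"], "AP_PAYMENTS")
    print("dave + AP_PAYMENTS:", "allowed" if ok else "blocked by " + ", ".join(c.rule_id for c in introduced))
```

Two points a reviewer should take from it. A conflict is only as good as the rule set: the sample rules say nothing about close_period, so GL_MANAGER combining period close with approval is silently not a finding, which is exactly the residual risk the slide warns about. And a mitigated conflict (bob's) is still listed rather than suppressed, so the compensating control remains visible to whoever performs the next user access review.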
IMPORTANT CONCEPTS

Things to Remember:
• SOD is becoming increasingly important in internal control frameworks and SOX compliance. For example, the Committee of Sponsoring Organizations (COSO) requires that companies select and develop control activities that address segregation of duties.
• Businesses are continuing to increase reliance on information technology (IT), further making SODs important in efforts to reduce fraud and increase operational effectiveness.

Resources Going Forward:
• The Small Cap SOD Matrix identifies key segregations that should be in place in small cap manufacturing companies. The matrix provides examples of conflict types that may exist in companies of this size.
• Internal audit has a lot of intellectual property and staff dedicated to assisting companies with GRC/SOD assessments and capabilities. Leverage them!

What You Can Do:
• Familiarize yourself with the SOD matrix.
• Evaluate the business and control environment, organizational complexity and associated risks at Company A. Determine whether they are taking an appropriate approach to assess and mitigate SOD conflicts.
• Communicate to seniors and managers when an insufficient SOD approach is identified.
