According to PWC's 2022 Global Risk Survey, 56% of business leaders are investing in risk culture and reducing behavioral risk. While there are several ways to improve a company's risk management processes, implementing segregation of duties (SoD) is one highly effective strategy for mitigating your company's risk of fraud and improving the security of your business processes.
To help you lower your company's risk profile via effective internal controls, here is everything you need to know about the segregation of duties control and SoD risks.
According to the Association of International Certified Professional Accountants (AICPA), segregation of duties is "shared responsibilities of a key process that disperses the critical functions of that process to more than one person or department."
Also known as separation of duties, dividing key responsibilities such as financial reporting and record-keeping between different employees rather than assigning them to one person helps create accountability and reduces the risk of intentional and unintentional errors.
From financial transactions to information systems containing all of your company's data, your employees have access to a lot of crucial and sensitive processes. Putting a single person in charge of these processes creates unnecessary temptation and risk. Ensuring that multiple employees share the responsibility for these processes via the segregation of duties offers companies several key benefits, including:
When spotting preventable errors, two pairs of eyes are better than one. Processes such as recording transactions, preparing financial statements, and depositing paychecks are all processes where errors can be both common and costly.
Along with asset losses and reputational damage, these errors can lead to costly compliance violations. For example, violating the Sarbanes Oxley Act (SOX) can lead to fines of up to $1 million. Putting more than one employee in charge of your company's crucial processes reduces the chance of errors going unnoticed.
Organizations lose an estimated 5% of their annual revenue to employee fraud every year. Segregation of duties helps create accountability and eliminates the temptation that is present when employees are given complete autonomy over a sensitive process.
For instance, ensuring that the person responsible for hiring new employees is not the same person who adjusts employee compensation and benefits is one example of how segregation of duties works to eliminate the fraud risk.
In certain situations, an employee's duties conflict with their professional interests. Insider trading, self-dealing, and accepting gifts from vendors are just a few examples of conflicts of interest in the workplace. In these situations, the potential for fraud and abuse is even more magnified. Once again, separation of duties can create the accountability and oversight needed to mitigate these risks.
Control activities such as the segregation of duties are vital for ensuring the security of your company's sensitive data and processes, and overlooking these controls can have serious consequences. The biggest risks that arise when a company fails to implement segregation of duties are SoD conflicts and SoD violations:
An SoD conflict occurs when an employee can potentially abuse a company process for their own personal gain. For example, an employee responsible for creating purchase orders and signing them would be considered an SoD conflict.
Therefore, an SoD conflict is a potential or theoretical risk rather than an actualized risk. However, an SoD conflict can easily turn into an SoD violation if left unaddressed.
SoD violations occur when an employee intentionally abuses their role or access to perform a prohibited action, typically for their own gain and in a way that is harmful to the company.
A CFO or CEO that violates SOX regulations by manipulating the company's financial statements is one example of an SoD violation. Another example is an employee who embezzles funds by altering the purchase order they both created and signed.
The importance of segregation of duties and how it works to help prevent errors and fraud is simple enough to understand. But implementing it is a bit more complicated.
Here are the five steps you can follow to establish SoD controls to help shield your company from a variety of risks.
Implementing segregation of duties starts with identifying the business processes and transactions that are most critical to your company or most at risk for abuse. Any process or workflow related to your company's finances or financial transactions is almost certain to fall under this category.
Processes involving access to information technology (IT) systems that contain sensitive data should also be protected via SoD controls and IT general controls.
Before you can ensure that no employee has too much access or control, you first have to understand the access and responsibilities each employee has. When working with any more than a handful of employees, this can quickly become a lot to keep up with.
One effective way to make the process a little less complicated is to create an SoD matrix. An SoD matrix outlines business processes and the employees responsible for ensuring no SoD conflict is present. Here is an example of an SoD matrix for implementing the segregation of duties into the process of employee compensation:
An SoD matrix such as this allows you to visualize employee roles and business processes to ensure no SoD conflicts. In this example, roles are assigned so that no one person is in charge of hiring new employees and changing their compensation or benefits.
Once you have created a segregation of duties matrix to determine how to assign roles to prevent SoD conflicts, the next step is assigning employees their appropriate roles.
In some cases, eliminating SoD conflicts may require training for employees to take on new roles and responsibilities. In other cases, it may require that roles and responsibilities be removed from one employee and assigned to another.
Segregation of duties is even more effective when reinforced with the right compensating controls. Controls such as role-based access controls, job rotations, and supervisory reviews mitigate the risk of fraud and errors by ensuring that no single employee has too much power over a critical business process.
Once you implement the segregation of duties, you need to maintain it — which requires regular monitoring via audits and reviews.
Reviewing access logs, transaction records, and monitoring activities to identify any SoD conflicts or violations will help you spot conflicts and violations as quickly as possible. It will also help you further optimize your SoD controls to prevent these issues from happening again.
When properly implemented and maintained, segregation of duties can offer several benefits for companies of all sizes:
Your company's financial processes are the processes most ripe with the potential for fraud and abuse, leading to financial records that are potentially inaccurate and unreliable. Along with intentional abuses, unintentional errors can likewise cause the same problem.
By providing oversight and accountability regarding your company's financial transactions and record keeping and reducing the risk of intentional and unintentional errors, segregation of duties improves the accuracy and reliability of your company's financial records.
Better record-keeping is one benefit when you reduce the risk of fraud and errors by segregating duties. Still, there are plenty of other reasons why companies should seek to mitigate the risk of fraud and errors. Reputational damage, compliance issues, and asset losses are just a few consequences of intentional fraud and intentional mistakes. Mitigating these risks is by far the biggest benefit gained from the segregation of duties.
Speaking of compliance issues, running afoul of external regulations and standards can land companies and their executives in some really hot water. Even if a simple error or a single employee's misjudgment is to blame, the company pays the price.
By using SoD controls and compliance software such as HyperComply to reduce the potential for compliance issues, you can take a major step toward ensuring compliance with all the regulations and standards your company is bound to.
Segregation of duties is one vital element of risk management, ensuring that no single employee within your company has too much power over vital business processes. However, the segregation of duties is even more effective when paired with other compliance and risk management controls designed to elevate your risk management process and strengthen your security posture.
With HyperComply's industry-leading compliance software, companies can centralize security details and documents for improved monitoring, document sharing, and access controls. To see how HyperComply can help your company elevate its risk management process, sign up for a HyperComply demo.