Segregation of duties is designed to prevent error and fraud, and under mandates such as the Sarbanes-Oxley Act it has even become a regulatory compliance requirement for some organizations. But the large volume of data produced by organizations, coupled with rapid transaction rates, has made manual segregation of duties susceptible to human error and impractical for some businesses.
The complications have led an increasing number of organizations to automate segregation of duties. In this feature, Michael Rasmussen, chief pundit at GRC 20/20 Research LLC in Waterford, Wisconsin, discusses how automating segregation of duties can ultimately drive down regulatory compliance costs, as well as reduce the likelihood of fraudulent activity and lawsuits.
What are some of the compliance challenges created by Segregation of Duties (SoD) in regard to business applications?
Michael Rasmussen: The compliance challenges come from several angles. The largest driver is Internal Controls Over Financial Reporting (ICFR) and, in that context, Sarbanes-Oxley (SOX) compliance. It is simply a matter of control to ensure we do not have the fox guarding the hen house. For example, can a person who enters an invoice also pay an invoice? If this is allowed to happen, then there is a control issue. You have an individual with a lot of access to systems who could use this to commit fraud or just make mistakes.
In the ideal world, we prevent these issues by making sure that individuals have proper segregation in their responsibilities and duties so that we have checks and balances. However, we do not live in an ideal world and, at times, we have legitimate reasons to have consolidated duties given to an individual. In the first case, we want to prevent these rights being given. In the latter case, we at least want to monitor these rights and what is done with them.
Today's environment is complex. There are lots of employees with different types of access to different systems -- ERP and more. Managing SoD manually becomes an impossible task. You end up with random sampling. Using technology to automate the enforcement/prevention of SoD conflicts -- or monitoring where they do occur for a legitimate business reason -- moves us from random sampling with high manual labor costs to thorough monitoring that is streamlined and efficient.
How can these SoD issues ultimately hurt a company's bottom line and/or lead to lawsuits if not handled properly?
Rasmussen: Fraud and mistakes. People can use them to commit fraud, which might start small and over time grow and grow. People can also simply make mistakes, and having proper segregation of rights and access allows for this to be mitigated. Not paying attention to this issue can raise audit findings with internal and external auditors, as well as compliance issues. If there is rampant fraud happening and [it] impacts [the] bottom line, certainly it opens you up to lawsuits.
What are some segregation of duty best practices that can help overcome these challenges?
Rasmussen: Here are some best practices: First, define your roles and rights. Know how your business systems and transactions work and where there are SoD risk areas. Two, prevent SoD issues. Use technology to go through and find SoD issues and remediate them. Three, monitor SoD areas that are there for business purposes. Monitor SoD areas in which you have a business reason for consolidation of rights into a role where these rights may conflict.
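The three steps above (define roles and rights, prevent conflicts before they are granted, monitor the conflicts that exist for a business reason) can be expressed as a small access-review check. The following is an added example written for this page; it is not code from the interview, from Rasmussen, or from GRC 20/20 Research. The role names, rights, user assignments and exception register are constructed sample data for a hypothetical accounts-payable module; only the "enter an invoice / pay an invoice" conflict comes from the interview, the other conflict pairs are assumptions.

```python
"""Toy segregation-of-duties (SoD) check: detect conflicting rights per user,
split them into 'prevent' (unapproved) and 'monitor' (business-approved),
and test a proposed role grant before it is made."""

from itertools import chain

# Step 1: define roles and the rights they carry (constructed sample data).
ROLE_RIGHTS = {
    "ap_clerk": {"invoice.enter"},
    "ap_manager": {"invoice.approve", "payment.release"},
    "vendor_admin": {"vendor.create"},
    "treasury": {"payment.release"},
}

# Conflict matrix: pairs of rights one person should not hold together.
# invoice.enter + payment.release is the example from the interview;
# the other two pairs are assumed for illustration.
CONFLICTS = {
    frozenset({"invoice.enter", "payment.release"}),
    frozenset({"vendor.create", "payment.release"}),
    frozenset({"invoice.enter", "invoice.approve"}),
}

# Current user-to-role assignments (constructed).
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},
    "carol": {"vendor_admin", "treasury"},
    "dave": {"treasury"},
}

# Step 3 input: conflicts that management has accepted for a business reason,
# keyed by (user, conflict pair) with the compensating control recorded.
APPROVED_EXCEPTIONS = {
    ("carol", frozenset({"vendor.create", "payment.release"})):
        "small site; compensating monthly vendor-change review",
}


def effective_rights(user: str) -> set[str]:
    """Union of rights over every role the user holds."""
    return set(chain.from_iterable(
        ROLE_RIGHTS.get(role, set()) for role in USER_ROLES.get(user, ())))


def find_conflicts(user: str) -> set[frozenset[str]]:
    """Every conflict pair fully contained in the user's effective rights."""
    rights = effective_rights(user)
    return {pair for pair in CONFLICTS if pair <= rights}


def classify_all() -> dict[str, list[tuple[str, tuple[str, ...], str]]]:
    """Split all detected conflicts into those to prevent (remediate) and
    those to monitor (approved exception with a recorded justification)."""
    report = {"prevent": [], "monitor": []}
    for user in sorted(USER_ROLES):
        for pair in sorted(find_conflicts(user), key=sorted):
            key = (user, pair)
            if key in APPROVED_EXCEPTIONS:
                report["monitor"].append((user, tuple(sorted(pair)), APPROVED_EXCEPTIONS[key]))
            else:
                report["prevent"].append((user, tuple(sorted(pair)), "no approved exception"))
    return report


def would_conflict(user: str, new_role: str) -> set[frozenset[str]]:
    """Step 2 (prevention): conflicts a proposed role grant would newly create.
    An empty result means the grant is SoD-clean; anything else should block
    the grant or route it to the exception process."""
    rights = effective_rights(user) | ROLE_RIGHTS.get(new_role, set())
    after = {pair for pair in CONFLICTS if pair <= rights}
    return after - find_conflicts(user)


if __name__ == "__main__":
    for bucket, rows in classify_all().items():
        for user, pair, note in rows:
            print(f"{bucket:8} {user:6} {' + '.join(pair):40} {note}")
    print("grant ap_clerk to dave:", would_conflict("dave", "ap_clerk"))
```

In practice the role and assignment tables would be exported from the ERP or identity system, and the exception register would live in the GRC tool so that every "monitor" entry carries an owner, an expiry and the compensating control; the `would_conflict` check is the piece you wire into the provisioning workflow so that a conflict is caught at request time rather than at the next audit.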