Managing segregation of duties (SoD) is essential. This key internal control is necessary for reducing the risk of financial errors and fraud, but it’s also one of the most difficult to implement and maintain without a sound strategy. When the time comes for SoD reviews, particularly when an ERP system is involved, accounting organizations often struggle to know with certainty that SoD conflict risks are being kept to a minimum.
Imagine a break room in a corporate office. The fridge is stocked with a special treat, and a jar next to the fridge asks employees to place a dollar in it to cover the cost. It is midday and the break room is busy. How many employees do you think will place a dollar in the jar after taking the treat? Now imagine a quiet time when no one else is in the break room. How many employees would you expect to place that dollar in the jar? Being alone and doing the right thing takes integrity. When opportunity exists and no one is watching, integrity is tested.
Let’s go over what SoD is, why it’s important, and what to consider when conducting SoD reviews.
What Is Segregation of Duties?
The basic concept: No one person should have complete control over a transaction from beginning to end; otherwise you run the risk of that person being able to both perpetrate and conceal an error or fraudulent action. The primary goal of proper SoD controls is to protect company assets, reduce fraud risk and, in turn, protect the integrity of the financial statements.
For internal controls to be effective, there needs to be an adequate division of responsibilities among those who perform accounting procedures or control activities and those who handle assets. Ideally, separate employees will perform each of these duties:
- Having custody of assets
- Authorizing or approving transactions involving those assets
- Recording or reporting those transactions
- Reconciling and handling related control activities
Keeping such duties separate avoids potential conflicts that can arise, such as:
- One person approving a transaction and keeping the asset that results from the transaction
- One person receiving a payment and approving its issuance
- One person performing bank reconciliations and tracking the transactions in the accounting records
In general, the flow of transaction processing and related activities should be designed so that the work of one individual is either independent of, or serves to check on, the work of another. Such arrangements reduce the risk of undetected errors and limit opportunities to misappropriate assets or conceal intentional misstatements in the financial statements.
While the lines between such responsibilities tend to be clearly drawn within mature organizations, customizable access management and system administration capabilities in ERP systems can inadvertently lead to SoD conflicts.
How ERP Systems Create SoD Conflicts
ERP software enables companies to manage their core business processes on one platform, from accounting and operations to procurement, human resources, and supply chain. ERPs are customizable at a very granular level. The upside is adaptability to fit a company’s unique needs. This open configurability and use across multiple functional areas comes with a downside. The flexibility can create opportunities to commit fraud hidden from plain view.
Finding the empty break rooms in your organization requires a thorough understanding of the fraud risks and the opportunities that exist. Access within an ERP is very granular. Each screen, field or even a checkbox can make the difference between creating an opportunity and preventing a slip in integrity. Often employees and their managers don’t know the full access they have been granted, which may lead to the logical conclusion that there is no issue. Unfortunately, lack of knowledge does not cure the problem. The existence of a material SoD conflict is sufficient to require disclosure.
Bringing Attention to SoD Risks
How do you effectively review SoD for conflicts? Typically, companies create an SoD matrix that maps duties to the individuals who have access to perform them, and then identify any conflicts where one individual can perform conflicting roles, such as initiating a transaction and approving it. In most cases, the company’s ERP system can generate a listing of all the tasks, roles and responsibilities as a starting point.
From there, the company will want to add in any customized roles, and then put roles and tasks into groups, and evaluate whether any users are involved in more than one phase of any transaction. Are there scenarios where conflicts of duties could occur?
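The matrix review described above, as an added example that is not from the original post: roles from the ERP export are mapped to the four duty classes (custody, authorize, record, reconcile) per process, users are flattened to the duties their roles grant, and any user holding more than one phase of the same process is flagged. The role names, users and assignments are constructed sample data; the conflict rule generalizes the post's three examples to any two phases of one process.

```python
from itertools import combinations

# Role catalogue: what the ERP export says each role grants, as (process, duty class).
# Constructed sample data; the duty classes are the four listed in the post.
ROLE_DUTIES = {
    "AP_CLERK":      {("accounts_payable", "record")},
    "AP_APPROVER":   {("accounts_payable", "authorize")},
    "TREASURY":      {("accounts_payable", "custody"), ("cash", "custody")},
    "GL_ACCOUNTANT": {("cash", "record")},
    "BANK_RECON":    {("cash", "reconcile")},
    # A customized role that quietly bundles two phases of one process.
    "SYS_ADMIN":     {("accounts_payable", "authorize"),
                      ("accounts_payable", "record")},
}

# User-to-role assignments (constructed).
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob":   {"AP_APPROVER", "TREASURY"},      # approves payments and holds the cash
    "carol": {"GL_ACCOUNTANT", "BANK_RECON"},  # records cash and reconciles the bank
    "dave":  {"SYS_ADMIN"},                    # conflict hidden inside one custom role
    "erin":  {"AP_CLERK", "BANK_RECON"},       # two duties, different processes: fine
}

def duties_for_user(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Flatten a user's roles into the set of (process, duty) they can perform."""
    duties = set()
    for role in user_roles.get(user, ()):
        duties |= role_duties.get(role, set())
    return duties

def find_conflicts(user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Return {user: [(process, duty_a, duty_b), ...]} for every user who can
    perform more than one phase of the same process, in sorted order."""
    conflicts = {}
    for user in user_roles:
        by_process = {}
        for process, duty in duties_for_user(user, user_roles, role_duties):
            by_process.setdefault(process, set()).add(duty)
        found = [(process, a, b)
                 for process, duties in sorted(by_process.items())
                 for a, b in combinations(sorted(duties), 2)]
        if found:
            conflicts[user] = found
    return conflicts

if __name__ == "__main__":
    for user, items in sorted(find_conflicts().items()):
        for process, a, b in items:
            print(f"{user}: {process} -> {a} + {b}")
```

Feeding the real role export and user assignments into the two dictionaries turns this into the first-pass review; grouping roles into processes is where the customized roles get caught.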
Managing Segregation of Duties in ERP Environments
In more complex environments, a helper application within the ERP can be the most effective solution. However, these applications require significant effort and time to accurately configure to avoid a large volume of “false positives.” We have found that deeper dives performed at least annually and regular monitoring with less complex tools can effectively pinpoint excessive access so it can be removed before problems arise. These tools coupled with a sound strategy can reduce SoD exposures within an ERP to an acceptable level.
In effect, companies can proactively strengthen their internal controls over their ERP, mitigate fraud risks and foster greater confidence among investors.
Ken Roberts is a RoseRyan consultant who works with companies of all types in our Corporate Governance area. He’s an expert in SOX and internal control testing, and he’s held CFO, controller and internal audit roles. He also has experience with M&A integration work and operational accounting. Ken previously worked at Ernst & Young.