Segregation of Duties (SoD) is an important principle of internal control, financial reporting, and compliance regulations, including the Sarbanes-Oxley Act (SOX). It is an integral part of an effective control system: the overall efficacy of an organization’s internal control measures depends largely on it, and proper SoD is essential for successful internal controls.
The basic principle behind SoD is that, in the usual course of their duties, no individual or group of employees should be in a position to both perpetrate and conceal errors or fraud. The key incompatible duties to be separated are generally:
• Custody of assets
• Authorization of the relevant and related transactions affecting those assets
• Recording and reporting of the related transactions
Traditional internal control systems depend on assigning these roles, and any other conflicting tasks, to different people. The general principle of SoD in SAP is to prevent one person from having both access to assets and responsibility for accounting for those assets.
Why Does SoD Matter?
SoD helps reduce the risk that an entity fails to achieve its objectives, to provide accurate financial data, or to comply with laws and established policies. When one person manages a large portion of the income, expenditure, payroll, or other functions, administrative or other recording errors may not be identified promptly, because no independent, objective analysis of the transactions takes place, and unacceptable or illegal (fraudulent) transactions may occur.
Legacy ERP software that manages all of an organization’s business processes also supports Segregation of Duties (for example, SAP SoD).
SOX and other regulatory concerns (GDPR, CCPA, and others) are pushing businesses to raise awareness of, and transparency about, their employees’ activities. This is where things such as SAP SoD come into the picture. Recent privacy legislation and the prosecution of security breaches introduce a new responsibility to track and control security and data access within organizations.
Inadequate division of duties complicates the prevention, detection, and prosecution of fraud, which can lead to false financial statements, regulatory fines, harm to the company’s reputation, and diminished investor confidence.
There is also the risk of asset misappropriation, in which employees or third parties misuse their role to profit through fraudulent conduct.
If internal controls cannot be relied on, internal audit and the external auditor must monitor more rigorously, which imposes additional costs on the company. In more severe cases, the external auditor may determine that the firm has a major shortcoming or material deficiency.
Finally, if SoD is absent, it raises the question of whether the information and data collected are accurate and error-free, or whether a material mistake may exist. As a result, the auditor may increase sample sizes, lower the threshold for substantive testing, or expand overall audit procedures.
SoD should be proportionate to the scale, scope, and overall risk of an organization’s activities and financial reporting environment. It is critical that the risks to the company always be addressed first. As businesses continue to rely on IT, SoD becomes more relevant to efforts to minimize fraud and improve overall performance. Where Segregation of Duties is insufficient, compensating or mitigating controls can reduce the resulting risk. These include audit trails, compliance assessments, reconciliations, and transaction logs.
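As an added illustration (not code from the original article or from SAP), the check below encodes the three incompatible duties listed above over a constructed permission catalogue and role set, flags any user whose combined roles grant two of them over the same asset class, and suppresses findings for which a compensating control has been documented, as the last paragraph describes. All permission, role, and user names are hypothetical.

```python
"""Detect SoD conflicts in role assignments (constructed example, not SAP code)."""
from itertools import combinations

# The three incompatible duty categories named in the SoD principle.
CUSTODY, AUTHORIZE, RECORD = "custody", "authorize", "record"

# Hypothetical permission catalogue: permission -> (asset class, duty category).
PERMISSIONS = {
    "cash_disbursement": ("cash", CUSTODY),
    "approve_payment": ("cash", AUTHORIZE),
    "post_journal_entry": ("cash", RECORD),
    "approve_vendor": ("vendor", AUTHORIZE),
    "maintain_vendor_master": ("vendor", RECORD),
    "run_payroll": ("payroll", CUSTODY),
    "approve_timesheet": ("payroll", AUTHORIZE),
}

# Hypothetical roles bundling permissions, the way an ERP role would.
ROLES = {
    "AP_CLERK": {"maintain_vendor_master", "post_journal_entry"},
    "AP_MANAGER": {"approve_payment", "approve_vendor"},
    "TREASURY": {"cash_disbursement"},
    "PAYROLL_ADMIN": {"run_payroll", "approve_timesheet"},
}


def find_conflicts(assignments, roles=ROLES, catalogue=PERMISSIONS, compensating=()):
    """Return one finding per (user, asset, duty pair) where a user's combined roles
    grant two incompatible duties over the same asset class. `assignments` maps
    user -> list of role names; `compensating` holds (user, asset, duty, duty)
    tuples for accepted pairs (any duty order), which are skipped."""
    covered = {(u, a, frozenset((d1, d2))) for u, a, d1, d2 in compensating}
    findings = []
    for user, role_names in assignments.items():
        perms = set().union(*(roles[r] for r in role_names))
        by_asset = {}  # asset -> duty -> permissions granting that duty
        for p in perms:
            asset, duty = catalogue[p]
            by_asset.setdefault(asset, {}).setdefault(duty, set()).add(p)
        for asset, duties in sorted(by_asset.items()):
            for a, b in combinations(sorted(duties), 2):
                if (user, asset, frozenset((a, b))) in covered:
                    continue  # risk accepted via a documented control (e.g. reconciliation)
                findings.append((user, asset, a, b, sorted(duties[a] | duties[b])))
    return findings


if __name__ == "__main__":
    users = {"alice": ["AP_CLERK", "AP_MANAGER"], "bob": ["TREASURY"], "carol": ["PAYROLL_ADMIN"]}
    for f in find_conflicts(users, compensating=[("carol", "payroll", "custody", "authorize")]):
        print("SoD conflict:", f)
```

Run as-is it reports alice's two authorize/record conflicts and stays silent on carol's custody/authorize overlap because a compensating control is registered for it; drop the `compensating` argument to see that finding as well.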