Segregation of Duties (SoD)
Segregation of duties (SoD), also called separation of duties, refers to a set of preventive internal controls in a company’s compliance policy. Organizations use SoD controls to split the steps of a business process among more than one individual, so that no single person can complete a sensitive task alone; this mitigates the risk of fraud, waste, and error. In the traditional sense, SoD means separating duties such as accounts payable from accounts receivable tasks to limit embezzlement. For example, a user who can create a vendor account in a payment system should not also be able to pay that vendor; keeping the two apart removes the opportunity to set up and pay a fraudulent vendor account. Another example of a conflict is a developer who has access to both development servers and production servers. In modern IT infrastructures, managing users’ access rights to digital resources across the organization’s ecosystem becomes a primary SoD control.
Segregation of Duties Policy in Compliance
SoD figures prominently in Sarbanes-Oxley (SOX) compliance. SOX mandates that publicly traded companies document and certify their controls over financial reporting, including SoD. Following a meticulous audit, the CEO and CFO of the public company must sign off on an attestation of controls. They can be held accountable for inaccuracies in these statements. If it’s determined that they willfully fudged SoD, they could even go to prison!
The Federal government’s 21 CFR Part 11 rule (CFR stands for “Code of Federal Regulations”) also depends on SoD for compliance. It affects medical research and other industries where lives might depend on accurate record keeping and on reporting on controls. SoD makes sure that records are created and edited only by authorized people.
How does SecurEnds IGA manage Segregation of Duties efficiently?
Whether it’s an internal or external audit, SecurEnds IGA software allows administrators to generate reports to provide specific information about the Segregation of Duties within the company.
Set Up SoD Query: Using natural language, administrators can set up an SoD query. Here’s a configuration set up for Oracle ERP. In this particular case, an SoD violation between Accounts Receivable and Accounts Payable is being checked.
SoD Audit Report
SecurEnds produces a call-to-action SoD scorecard. The scorecard gives system admins and application owners a “big-picture” view of the “big data” for remediation planning. To facilitate proper and efficient remediation, the report provides all the relevant information with a sufficient level of detail. This report also lists users who are known to be in violation but have documented exceptions, and it provides important evidence for you to give to your auditor. The final step is to create corrective actions to remediate the SoD violations.
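As an added illustration (not SecurEnds code and not its query language), the following Python sketch shows what an SoD query like the Accounts Receivable vs. Accounts Payable check above evaluates: a rule set of conflicting entitlement pairs run against a per-user entitlement inventory, with documented exceptions kept separate from open violations in the way the scorecard section describes. The rule names, systems, users and the waiver text are assumed sample values constructed for the example.

```python
# Added example, not SecurEnds code: a minimal SoD "toxic combination" check
# over a constructed entitlement inventory, using the conflicts the page names.
from dataclasses import dataclass
from typing import Optional

# Each rule names two entitlements one person must not hold together,
# regardless of which system grants each half.
SOD_RULES = {
    "VENDOR_FRAUD": ("CREATE_VENDOR", "PAY_VENDOR"),
    "AR_AP": ("ACCOUNTS_RECEIVABLE", "ACCOUNTS_PAYABLE"),
    "DEV_PROD": ("DEV_SERVER_ACCESS", "PROD_SERVER_ACCESS"),
}
# Constructed sample inventory: user -> {(system, entitlement), ...}.
USER_ENTITLEMENTS = {
    "alice": {("oracle_erp", "CREATE_VENDOR"), ("bank_portal", "PAY_VENDOR")},
    "bob": {("oracle_erp", "ACCOUNTS_RECEIVABLE")},
    "carol": {("oracle_erp", "ACCOUNTS_RECEIVABLE"), ("oracle_erp", "ACCOUNTS_PAYABLE")},
    "dave": {("ssh", "DEV_SERVER_ACCESS"), ("ssh", "PROD_SERVER_ACCESS")},
}
# Documented exceptions: (user, rule) pairs an application owner has signed off on.
EXCEPTIONS = {("carol", "AR_AP"): "small-team waiver, reviewed quarterly"}

@dataclass
class Violation:
    user: str
    rule: str
    grants: tuple  # the (system, entitlement) pairs that form the conflict
    exception: Optional[str] = None

def find_violations(inventory, rules, exceptions):
    """One Violation per (user, rule) where the user holds both halves of the rule."""
    hits = []
    for user, held in sorted(inventory.items()):
        by_name = {ent: sys for sys, ent in held}  # entitlement -> a granting system
        for rule_id, (a, b) in rules.items():
            if a in by_name and b in by_name:
                grants = ((by_name[a], a), (by_name[b], b))
                hits.append(Violation(user, rule_id, grants, exceptions.get((user, rule_id))))
    return hits

def scorecard(violations):
    """Per-rule counts of open vs. documented-exception violations, for remediation planning."""
    card = {}
    for v in violations:
        entry = card.setdefault(v.rule, {"open": 0, "excepted": 0})
        entry["excepted" if v.exception else "open"] += 1
    return card

if __name__ == "__main__":
    print(scorecard(find_violations(USER_ENTITLEMENTS, SOD_RULES, EXCEPTIONS)))
```

Because rules match on entitlement names rather than on a single system, a conflict split across two systems (vendor creation in the ERP, payment in a banking portal) is still caught, which is the case a per-application report misses.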