Segregation of Duties (SoD)

Segregation of duties (SoD), also called separation of duties, refers to a set of preventive internal controls in a company’s compliance policy. Organizations use SoD controls to split the tasks in a business process among more than one individual, so that no single person can complete the whole process, mitigating the risk of fraud, waste, and error. In the traditional sense, SoD means separating duties such as accounts payable from accounts receivable tasks to limit embezzlement. For example, a user who can create a vendor account in a payment system should not also be able to pay that vendor, which eliminates the risk of fraudulent vendor accounts being created and paid by the same person. Another example is a developer having access to both development servers and production servers. In modern IT infrastructures, managing users’ access rights to digital resources across the organization’s ecosystem becomes a primary SoD control.

Segregation of Duties Policy in Compliance

SoD figures prominently in Sarbanes-Oxley (SOX) compliance. SOX mandates that publicly traded companies document and certify their controls over financial reporting, including SoD. Following a meticulous audit, the CEO and CFO of the public company must sign off on an attestation of controls. They can be held accountable for inaccuracies in these statements. If it’s determined that they willfully fudged SoD, they could even go to prison!

The Federal government’s 21 CFR Part 11 rule (CFR stands for “Code of Federal Regulations”) also depends on SoD for compliance. It affects medical research and other industries where lives might depend on keeping records and reporting on controls. SoD makes sure that records are only created and edited by authorized people.

How Does Identity Governance Support Effective SoD Policies and Controls?

Organizations that view segregation of duties as an essential internal control turn to identity governance and administration (IGA) to help them centralize, monitor, manage, and review access continuously. IGA solutions not only ensure that access to information such as financial data is strictly controlled but also enable organizations to prove they are taking action to meet compliance requirements. The following ten steps should be considered to complete the SoD control assessment:

1. Prepare the rule report from the RBAC controls design matrix.
2. Scope and add “sensitive” access rules to detect user access to restricted data.
3. Gather a list of active application users and role entitlements, including privileges and data access.
4. Create a list of exceptions by analyzing the security object items that prevent user access violations.
5. Identify application configurations that mitigate the inherent SoD risk.
6. Detect access rule violations by applying the security object item rule logic to filter the user access report from step 3.
7. Finalize the access violations report by excluding exceptions and mitigated risks.
8. Perform look-back transaction analysis to detect materialized risks.
9. Create a remediation plan with corrective actions to update the user assignments and role configurations.
10. Provide an access violation scorecard as evidence of control effectiveness.
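The ten steps above map naturally onto a small rule engine. The following Python script is an added example, not SecurEnds code: it takes a rule report of conflicting entitlement pairs (steps 1–2), a user access report (step 3), documented exceptions (step 4) and mitigating configurations (step 5), detects violations (step 6), excludes exceptions and mitigated risks (step 7), runs a look-back over a transaction log to find conflicts that were actually exercised (step 8), and produces a remediation plan and scorecard (steps 9–10). Every rule id, user, entitlement and transaction is constructed sample data, and the `Violation` class and function names are this example's own.

```python
"""Toy SoD control assessment following the ten steps above.
Added example, not SecurEnds code; all rules, users and transactions are constructed."""
from dataclasses import dataclass

# Steps 1-2: rule report from the RBAC design matrix plus "sensitive access" rules.
# (rule_id, entitlement_a, entitlement_b, risk) -- holding both is a conflict.
SOD_RULES = [
    ("SOD-001", "AP_VENDOR_CREATE", "AP_INVOICE_PAY", "create and pay a fictitious vendor"),
    ("SOD-002", "AR_CASH_APPLY", "AP_INVOICE_PAY", "accounts receivable vs. accounts payable"),
    ("SOD-003", "DEV_SERVER_ADMIN", "PROD_SERVER_ADMIN", "developer with production access"),
]

# Step 3: active users with their role entitlements (constructed access report).
USER_ENTITLEMENTS = {
    "alice": {"AP_VENDOR_CREATE", "AP_INVOICE_PAY"},
    "bob": {"AR_CASH_APPLY", "AP_INVOICE_PAY"},
    "carol": {"DEV_SERVER_ADMIN", "PROD_SERVER_ADMIN"},
    "dave": {"AP_VENDOR_CREATE"},
    "erin": {"AR_CASH_APPLY"},
}

# Step 4: documented exceptions approved by a control owner, keyed (user, rule_id).
EXCEPTIONS = {("bob", "SOD-002")}

# Step 5: application configurations that mitigate a rule's inherent risk.
MITIGATED_RULES = {"SOD-003": "production changes require ticketed change approval"}

# Step 8 input: look-back transaction log as (user, entitlement exercised, object).
TRANSACTIONS = [
    ("alice", "AP_VENDOR_CREATE", "VENDOR-9001"),
    ("alice", "AP_INVOICE_PAY", "VENDOR-9001"),
    ("dave", "AP_VENDOR_CREATE", "VENDOR-9002"),
    ("bob", "AP_INVOICE_PAY", "VENDOR-9002"),
]


@dataclass
class Violation:
    user: str
    rule_id: str
    entitlements: tuple
    status: str = "open"  # "open", "excepted" or "mitigated"
    note: str = ""


def detect_violations(rules, user_entitlements):
    """Step 6: apply the rule logic to the user access report."""
    found = []
    for user, ents in sorted(user_entitlements.items()):
        for rule_id, a, b, _risk in rules:
            if a in ents and b in ents:
                found.append(Violation(user, rule_id, (a, b)))
    return found


def finalize_report(violations, exceptions, mitigated_rules):
    """Step 7: mark exceptions and mitigated risks; only 'open' rows need remediation."""
    for v in violations:
        if (v.user, v.rule_id) in exceptions:
            v.status, v.note = "excepted", "documented exception on file"
        elif v.rule_id in mitigated_rules:
            v.status, v.note = "mitigated", mitigated_rules[v.rule_id]
    return violations


def lookback_materialized(rules, transactions):
    """Step 8: conflicts actually exercised by one user against the same object."""
    exercised = {}
    for user, ent, obj in transactions:
        exercised.setdefault((user, obj), set()).add(ent)
    hits = []
    for (user, obj), ents in exercised.items():
        for rule_id, a, b, _risk in rules:
            if a in ents and b in ents:
                hits.append((user, rule_id, obj))
    return sorted(hits)


def remediation_plan(violations):
    """Step 9: for each open violation, one of these entitlements must be revoked."""
    return [{"user": v.user, "rule_id": v.rule_id, "revoke_one_of": list(v.entitlements)}
            for v in violations if v.status == "open"]


def scorecard(violations):
    """Step 10: counts by status and by rule as evidence of control effectiveness."""
    by_status = {"open": 0, "excepted": 0, "mitigated": 0}
    by_rule = {}
    for v in violations:
        by_status[v.status] += 1
        by_rule[v.rule_id] = by_rule.get(v.rule_id, 0) + 1
    return {"by_status": by_status, "by_rule": by_rule}


def run_assessment():
    """Run the whole assessment over the constructed data and return its artifacts."""
    violations = finalize_report(detect_violations(SOD_RULES, USER_ENTITLEMENTS),
                                 EXCEPTIONS, MITIGATED_RULES)
    return {
        "violations": violations,
        "materialized": lookback_materialized(SOD_RULES, TRANSACTIONS),
        "remediation": remediation_plan(violations),
        "scorecard": scorecard(violations),
    }
```

Calling `run_assessment()` on the constructed data yields three violations, of which one is excepted (bob, on file), one is mitigated (carol, by the change-approval configuration) and one remains open (alice); the look-back shows alice's conflict has already materialized, since she both created and paid vendor VENDOR-9001, so that row belongs at the top of the remediation plan. The split between "open", "excepted" and "mitigated" is what keeps the scorecard honest for an auditor: excepted and mitigated rows are still reported, with the reason attached, rather than silently dropped.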

How Does SecurEnds IGA Manage Segregation of Duties Efficiently?

Whether it’s an internal or external audit, SecurEnds IGA software allows administrators to generate reports to provide specific information about the Segregation of Duties within the company.

Set Up SoD Query: Using natural language, administrators can set up an SoD query. Here is a configuration set up for Oracle ERP. In this particular case, an SoD violation between Accounts Receivable and Accounts Payable is being checked.

[Screenshot: SecurEnds SoD policy setup]

SoD Certification and User Access Reviews

Once the administrator has created the SoD policy, a review of violations of that policy is undertaken. Default roles in enterprise applications present inherent risks because the “birthright” role configurations are not well designed to prevent segregation of duty violations. Here is a sample view of what user access reviews for SoD look like.

[Screenshot: SecurEnds SoD access review]

SoD Audit Report

SecurEnds produces a call-to-action SoD scorecard. The scorecard provides a “big-picture” view of “big data” for system admins and application owners to use in remediation planning. To facilitate proper and efficient remediation, the report provides all the relevant information with a sufficient level of detail. This report lists users who are known to be in violation but have documented exceptions, and it provides important evidence for you to give to your auditor. The final step is to create corrective actions to remediate the SoD violations.

[Screenshot: SecurEnds SoD audit report]