What Is Segregation of Duties?#
Segregation of duties (SoD) is a fundamental internal control that divides responsibilities among different people to reduce the risk of error or inappropriate actions. No single individual should control all aspects of a transaction cycle.
Why SoD Matters#
Fraud Prevention#
SoD makes fraud harder rather than impossible: one person cannot both commit a fraud and conceal it in the records, so at least two people must collude, which raises the cost of the scheme and the chance that it is discovered.
Error Detection#
Independent processing and verification catch errors that a single individual might miss.
Quality Control#
Multiple perspectives on transactions improve quality and completeness.
Core SoD Principles#
The Three-Way Split#
Ideally, transaction cycles involve three separate functions:
Custody: Physical control of assets.
Authorisation: Approval of transactions.
Recording: Documentation of transactions.
Common Conflicts#
Procure-to-pay:
- Creating vendors and processing payments
- Purchasing and receiving
- Approving purchases and processing payments

Order-to-cash:
- Creating customers and processing credits
- Sales order entry and shipping
- Invoicing and cash application

General ledger:
- Journal entry creation and posting
- Master data maintenance and transaction processing
- Reconciliation and transaction processing
ERP SoD Implementation#
Role Design#
Principles:
- Roles based on business functions
- Minimal necessary permissions
- Clear role definitions
- Documented role ownership

Approaches:
- Function-based roles: Roles aligned with job functions
- Activity-based roles: Roles based on specific activities
- Hybrid: Combination of function and activity
Conflict Matrices#
A conflict matrix defines which permissions should not be combined:
| Permission A | Permission B | Risk Level |
|---|---|---|
| Create vendor | Process payment | High |
| Create customer | Process credit | High |
| Enter journal | Post journal | Medium |
Automated Detection#
Modern ERP systems, or GRC tools layered on top of them, include SoD conflict detection. The check has to run over a user's effective permissions across all assigned roles, not role by role: two individually clean roles can combine into a conflicting pair.
Real-time detection: A preventive check at provisioning time that alerts, or blocks, when a role assignment or change would create a conflict.
Periodic analysis: Regular scanning of all assignments for conflicts, including those introduced by changes to the roles themselves.
Remediation tracking: Management of identified issues through to role redesign, compensating control, or formal risk acceptance.
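The conflict matrix and the detection described above, as an added worked example that is not code from the page or from any ERP vendor. The role catalogue, user assignments and permission names are constructed sample data (real systems use their own authorisation objects); the conflict matrix is the one in the table above. It shows the three checks a practitioner wants: a periodic scan over effective permissions, identification of roles that are toxic on their own, and a preventive check that only reports conflicts a proposed assignment would newly introduce.

```python
"""SoD conflict analysis over ERP role assignments.

Added example, not code from the page or any ERP product. The role catalogue,
user assignments and permission names are constructed sample data.
"""
from typing import Dict, FrozenSet, List, NamedTuple, Set, Tuple

# The page's conflict matrix, keyed by an unordered pair so (A, B) == (B, A).
CONFLICT_MATRIX: Dict[FrozenSet[str], str] = {
    frozenset({"create_vendor", "process_payment"}): "High",
    frozenset({"create_customer", "process_credit"}): "High",
    frozenset({"enter_journal", "post_journal"}): "Medium",
}
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}

# Constructed role catalogue: role -> permissions it grants.
ROLES: Dict[str, Set[str]] = {
    "AP_CLERK": {"enter_invoice", "process_payment"},
    "VENDOR_MASTER": {"create_vendor", "change_vendor"},
    "GL_ACCOUNTANT": {"enter_journal"},
    "GL_SUPERVISOR": {"post_journal", "run_reports"},
    "AR_CLERK": {"create_customer", "apply_cash"},
    "CREDIT_CONTROL": {"process_credit"},
    # Toxic on its own: the conflict sits inside a single role.
    "AP_SUPERUSER": {"create_vendor", "process_payment", "enter_invoice"},
}

# Constructed user assignments.
ASSIGNMENTS: Dict[str, List[str]] = {
    "alice": ["AP_CLERK", "VENDOR_MASTER"],   # each role is clean, the pair is not
    "bob": ["GL_ACCOUNTANT", "GL_SUPERVISOR"],
    "carol": ["AR_CLERK"],
    "dave": ["AP_SUPERUSER"],
}


class Conflict(NamedTuple):
    user: str
    risk: str
    perm_a: str
    perm_b: str
    via_a: Tuple[str, ...]  # roles granting perm_a (the remediation target)
    via_b: Tuple[str, ...]  # roles granting perm_b


def permission_sources(roles: List[str], catalogue: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Map each permission the user effectively holds to the roles that grant it.
    A role missing from the catalogue means the picture is incomplete: fail closed."""
    sources: Dict[str, List[str]] = {}
    for role in roles:
        if role not in catalogue:
            raise KeyError(f"role {role!r} not in catalogue; analysis would be incomplete")
        for perm in sorted(catalogue[role]):
            sources.setdefault(perm, []).append(role)
    return sources


def analyse_user(user: str, roles: List[str], catalogue=ROLES, matrix=CONFLICT_MATRIX) -> List[Conflict]:
    """Every conflict-matrix pair present in the user's effective permission set."""
    sources = permission_sources(roles, catalogue)
    held = set(sources)
    found = []
    for pair, risk in matrix.items():
        if pair <= held:  # both permissions held, whichever roles supplied them
            a, b = sorted(pair)
            found.append(Conflict(user, risk, a, b, tuple(sources[a]), tuple(sources[b])))
    return sorted(found, key=lambda c: (RISK_ORDER[c.risk], c.perm_a))


def analyse_all(assignments=ASSIGNMENTS, catalogue=ROLES, matrix=CONFLICT_MATRIX) -> Dict[str, List[Conflict]]:
    """Periodic scan: users with at least one conflict, with the roles to fix."""
    report = {u: analyse_user(u, r, catalogue, matrix) for u, r in assignments.items()}
    return {u: c for u, c in report.items() if c}


def toxic_roles(catalogue=ROLES, matrix=CONFLICT_MATRIX) -> Dict[str, List[str]]:
    """Roles that carry a conflict by themselves; no assignment pattern can avoid it."""
    out = {}
    for role, perms in catalogue.items():
        hits = sorted("+".join(sorted(pair)) for pair in matrix if pair <= perms)
        if hits:
            out[role] = hits
    return out


def check_assignment(user: str, new_role: str, assignments=ASSIGNMENTS,
                     catalogue=ROLES, matrix=CONFLICT_MATRIX) -> List[Conflict]:
    """Preventive check at provisioning time: conflicts that adding new_role would introduce."""
    current = {(c.perm_a, c.perm_b)
               for c in analyse_user(user, assignments.get(user, []), catalogue, matrix)}
    proposed = analyse_user(user, assignments.get(user, []) + [new_role], catalogue, matrix)
    return [c for c in proposed if (c.perm_a, c.perm_b) not in current]


if __name__ == "__main__":
    for user, conflicts in analyse_all().items():
        for c in conflicts:
            print(f"{c.risk:6} {user:6} {c.perm_a} via {c.via_a} + {c.perm_b} via {c.via_b}")
    print("toxic roles:", toxic_roles())
    print("carol + CREDIT_CONTROL:", check_assignment("carol", "CREDIT_CONTROL"))
```

The `via_a`/`via_b` fields matter for remediation tracking: alice's conflict is fixed by taking one of two roles away, but dave's can only be fixed by splitting `AP_SUPERUSER`, which `toxic_roles()` reports directly. Unknown roles raise rather than being skipped, because a scan that silently ignores part of the catalogue reports "no conflicts" for the wrong reason.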
Dealing with SoD Conflicts#
Eliminate the Conflict#
The preferred approach: redesign roles to eliminate conflicts.
Compensating Controls#
When elimination isn't practical, implement compensating controls:
Supervisory review: Manager review of transactions.
Independent reconciliation: Reconciliation by someone independent of both conflicting duties.
Audit logging: Comprehensive logging for later review, written to a store the conflicted user cannot edit or delete; a log the same person can alter compensates for nothing.
Exception reporting: Automated reports of unusual transactions (for example, a payment to a vendor created by the same user, or shortly after the vendor was created) routed to an independent reviewer.
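Exception reporting as a detective compensating control for the Create vendor / Process payment conflict, as an added example that is not code from the page. The audit-log format, field names, actions and entries are constructed; a real ERP exports change documents and payment runs in its own schema, so only the parsing layer would change. The example goes slightly beyond the page's wording by also flagging payments to newly created vendors regardless of who paid, since the creator and the payer being different people does not by itself rule out a shell-vendor scheme.

```python
"""Detective compensating control: exception report over an ERP audit log.

Added example, not the page's code. Log format, field names, actions and
entries are constructed sample data.
"""
import csv
from datetime import datetime, timedelta
from io import StringIO
from typing import Dict, List

# Constructed audit log: who did what to which vendor, and when.
AUDIT_LOG = """\
timestamp,user,action,vendor_id,amount
2024-03-01T09:12:00,alice,create_vendor,V1001,
2024-03-01T09:40:00,alice,process_payment,V1001,48500.00
2024-03-02T10:00:00,bob,create_vendor,V1002,
2024-03-05T11:00:00,carol,process_payment,V1002,1200.00
2024-03-06T14:30:00,dave,process_payment,V1003,300.00
2024-02-10T08:00:00,erin,create_vendor,V1004,
2024-03-20T08:00:00,erin,process_payment,V1004,9999.00
"""

NEW_VENDOR_WINDOW = timedelta(days=7)  # assumed review threshold, tune per organisation


def parse_log(text: str) -> List[Dict]:
    """Parse the CSV export into typed events, oldest first."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "user": row["user"],
            "action": row["action"],
            "vendor_id": row["vendor_id"],
            "amount": float(row["amount"]) if row["amount"] else None,
        })
    return sorted(rows, key=lambda r: r["ts"])


def exception_report(text: str = AUDIT_LOG, window: timedelta = NEW_VENDOR_WINDOW) -> List[Dict]:
    """Payments a reviewer should look at, with the reason for each.

    same_actor:         the user who created the vendor also paid it (the matrix
                        conflict observed in activity rather than in role design)
    new_vendor_payment: payment within `window` of vendor creation, by anyone
    """
    created: Dict[str, Dict] = {}  # vendor_id -> creation event (first one wins)
    findings = []
    for ev in parse_log(text):
        if ev["action"] == "create_vendor":
            created.setdefault(ev["vendor_id"], ev)
            continue
        if ev["action"] != "process_payment":
            continue
        creation = created.get(ev["vendor_id"])
        if creation is None:
            # Created before the log window; reconcile against vendor master data separately.
            continue
        reasons = []
        if creation["user"] == ev["user"]:
            reasons.append("same_actor")
        if ev["ts"] - creation["ts"] <= window:
            reasons.append("new_vendor_payment")
        if reasons:
            findings.append({
                "vendor_id": ev["vendor_id"],
                "payer": ev["user"],
                "creator": creation["user"],
                "amount": ev["amount"],
                "age_days": (ev["ts"] - creation["ts"]).days,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in exception_report():
        print(f"{f['vendor_id']} paid {f['amount']:.2f} by {f['payer']} "
              f"(created by {f['creator']} {f['age_days']}d earlier): {', '.join(f['reasons'])}")
```

The report is only a compensating control if the log it reads is one the payer cannot alter and the person who reviews the output is independent of both duties; otherwise it is the conflicted user reviewing themselves.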
Risk Acceptance#
For low-risk conflicts, formal risk acceptance may be appropriate:
Documentation: Document the conflict and risk assessment.
Approval: Obtain appropriate management approval.
Periodic review: Regularly reassess accepted risks.
SoD Challenges#
Small Organisations#
Smaller organisations may not have enough people for ideal SoD:
Approach: Focus on highest-risk conflicts, implement compensating controls.
Operational Efficiency#
Strict SoD can create operational friction:
Approach: Balance security with efficiency, streamline approval workflows.
System Limitations#
Some ERP systems have limited SoD capabilities:
Approach: Supplement with manual controls or third-party tools.
NZ/AU Considerations#
Regulatory Expectations#
Financial services: Regulators expect strong SoD.
Public sector: Accountability requirements.
Listed entities: Corporate governance expectations.
Audit Expectations#
External auditors assess SoD as part of internal control evaluation.
Best Practices#
Design Phase#
- Define SoD requirements early in implementation
- Involve audit and compliance in role design
- Document SoD design decisions
Implementation Phase#
- Test SoD before go-live
- Train users on SoD requirements
- Establish conflict resolution process
Ongoing Operations#
- Regular access reviews
- Continuous monitoring for conflicts
- Periodic assessment of compensating controls
Conclusion: SoD Is Fundamental Control#
Segregation of duties is not optional for organisations that take governance seriously. Effective SoD design in ERP systems requires upfront investment in role design and conflict analysis, but it pays dividends in reduced fraud risk and a stronger control environment.