Segregation of Duties



  • Scenario: A company has many small locations, and most of those locations have a segregation of duties issue due to the size of the decentralized operations. There are higher-level mitigation controls, but due to the pervasiveness of the SOD issues all over the place, does the company have a significant deficiency?
    If so, how is the company ever going to get rid of the SD without significantly increasing its workforce?



  • Furthermore, practically, do all of the ‘4 functions’ (authorization, bookkeeping, access to asset, and reconciliation) need to be segregated in reality? Can any of them be combined and still viewed as OK?



  • SOD (similar to ‘parlay’ in the Pirates code) is really more a set of guidelines than a set of actual rules.
    You have done the right thing in identifying higher-level controls that mitigate any potential SOD issues. I would not think that this would lead to a significant deficiency. My company annually has remote accounting locations perform a SOD review. We do allow exceptions where we have potential conflicts due to the size of the office staff at those locations. We require them to identify compensating controls when a potential SOD issue exists.
    In the ideal world, you would have all 4 segregated. When they are not, that is an indicator of a potential SOD issue.
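A check for the four-function rule and the exception practice described in the post above, added here as an example (not code from the thread or from any poster); the users, locations, function names and control descriptions are constructed sample data:

```python
from itertools import combinations

# The four functions the post says should ideally sit with different people.
FUNCTIONS = {"authorization", "bookkeeping", "custody", "reconciliation"}

# Constructed sample data: who holds which function at which location.
ASSIGNMENTS = [
    {"user": "alice", "location": "HQ", "functions": {"authorization"}},
    {"user": "bob", "location": "HQ", "functions": {"bookkeeping"}},
    {"user": "carol", "location": "Branch-07", "functions": {"authorization", "custody"}},
    {"user": "dave", "location": "Branch-07", "functions": {"bookkeeping", "reconciliation"}},
    {"user": "erin", "location": "Branch-12", "functions": {"authorization", "bookkeeping", "custody"}},
]

# Constructed sample: compensating controls documented per (location, function pair),
# mirroring the post's rule that small sites must name a control for each exception.
COMPENSATING_CONTROLS = {
    ("Branch-07", frozenset({"authorization", "custody"})): "monthly HQ review of branch disbursements",
}


def find_conflicts(assignments, controls):
    """One finding per user per pair of the four functions that person holds.
    'mitigated' is True only when a control is recorded for that location and pair."""
    findings = []
    for a in assignments:
        held = sorted(a["functions"] & FUNCTIONS)
        for pair in combinations(held, 2):
            key = (a["location"], frozenset(pair))
            findings.append({
                "user": a["user"],
                "location": a["location"],
                "pair": pair,
                "mitigated": key in controls,
                "control": controls.get(key),
            })
    return findings


def unmitigated(assignments, controls):
    """Conflicts with no documented compensating control: what a SOD review should flag."""
    return [f for f in find_conflicts(assignments, controls) if not f["mitigated"]]


if __name__ == "__main__":
    for f in unmitigated(ASSIGNMENTS, COMPENSATING_CONTROLS):
        print(f"{f['location']}: {f['user']} holds {' + '.join(f['pair'])}, no compensating control")
```

Running it lists dave's and erin's combinations as undocumented exceptions, while carol's authorization/custody overlap is reported as mitigated by the recorded control.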



  • Hi Hoiya - I’ll try to answer this in general terms and based on an IT background.
    The establishment of SOX workflow controls relating to ‘separation of duties’ and ‘autonomy controls’ should be based primarily on a risk management evaluation of the financial exposures. If the financial risk factors are low, then elaborate SOD controls may not be needed.
    As shared in your 2nd post, ideally you’d not want the possibility for someone to initiate transactions, record them, approve them, and cut checks with zero accountability and in an unchecked manner. SOD and other classical audit controls should be applied as a front-end control where possible in high risk settings. For low risk scenarios, post transactional controls might be used as a mitigation approach where multiple processes are handled by a single person (e.g., audit reviews could be used after the fact to spot inconsistencies days, weeks, or months later).
    The PCAOB guidelines related to COSO (e.g., financial workflows), COBIT (e.g., financial IT system controls) might be helpful in evaluating control scenarios and requirements. Discussions with both internal and external auditors might also be beneficial in the design framework to ensure the financial risks are all appropriately addressed.



  • What is a good source to find examples and explanations of SOD possibilities? One that would describe the risks associated with, for example, the same person with access to shipping and receiving functions? And possible corresponding mitigating controls? Is there a book out there listing these, just like a ‘policy handbook’ would list generic policies?



  • Anybody own a document illustrating good examples of how to apply segregation of duties on managing the customer master record? For example, one company department is assigned to identify and prepare the data for possible new customers, another department analyzes and validates all the new customers, and a third department updates the customer data into the IT system …
    Any good practice you may have could be very useful for me, many thanks.



  • Hi - Below are some quick links found on ‘separation of duties’ (SOD) – the more classical audit term for this 😉
    I believe the key is for SOD analysis to evaluate material risks associated with financial processes and systems. Then on any transactions or processes where someone could potentially initiate, approve, and disburse funds unchecked in a risky manner, you want to design streamlined SOD controls where there are checks and balances and proper autonomy levels to control this.
    Please copy links to browser below, as direct links aren’t permitted in forums
    http://www.google.com/search?hl=en&q=separation of duties
    http://en.wikipedia.org/wiki/Separation_of_duties
    http://szabo.best.vwh.net/separationofduties.html
    http://szabo.best.vwh.net/separationofduties.html#Example – Handling Money
    http://www.isaca.org/Template.cfm?Section=Glossary3&Template=/CustomSource/Glossary.cfm&char=S&TermSelected=244
    http://finaff.ucsc.edu/cc/tips/sepduty.htm
    http://www.insidesarbanesoxley.com/2007/05/explaining-segregation-of-duties.html
    P.S. These links can help with risk evaluations and SOX SOD controls:
    http://en.wikipedia.org/wiki/SOX_404_top-down_risk_assessment
    http://www.pcaob.org/Rules/Docket_021/2007-05-24_Release_No_2007-005.pdf

