What is the rationale for the internal control principle segregation of duties?

Segregation of Duties is an internal control that prevents a single person from completing two or more tasks in a business process. Organizations require Segregation of Duties controls to separate duties among more than one individual to complete tasks in a business process to mitigate the risk of fraud, waste and error.

Actual job titles and organizational structure may vary greatly from one organization to another, depending on the size and nature of the business. Therefore, it's important for management to analyse the skillset and capabilities of the individuals involved based on the risk likelihood and impact to business processes. Critical job duties can be categorized into four types of functions: authorization, custody, record keeping, and reconciliation. In a perfect system, no one person should handle more than one type of function.

You can apply the following options to segregate job duties:

  • Sequential separation (two signatures principle)
  • Individual separation (four eyes principle)
  • Spatial separation (separate action in separate locations)
  • Factorial separation (several factors contribute to completion)

Many companies struggle to implement effective Segregation of Duties controls in their ERP systems, such as Oracle E-Business Suite, SAP and Oracle ERP Cloud, even though the concept of SoD is as simple as described above. (To understand the extent of the problem, we have processed a staggering 444,607,107 segregation of duties violations on our platform.) This is mainly due to the complexity and variety of the applications that automate key business processes: establishing ownership and accountability for controlling those processes requires a complete analysis of the thousands of functions available across the roles and responsibilities assigned to users. For example, assessing SoD risk in the Accounts Payable application, where a user assigned the Payables Manager role has access to both create a supplier and approve a payment, requires a complete analysis of all functions that constitute the entitlements granted through the role, while excluding any false positives that may occur as a result of overriding attributes, profiles, page-level configurations or customizations that prevent such access.

The Segregation of Duties Matrix lists potential conflicts to determine what risk may be realized should a user have access or authorizations to a combination of entitlements. For example, what is the likelihood that a user can create a fictitious supplier and make a payment to that supplier? The risk likelihood and impact vary based on industry, business model and even individual business unit. It is not uncommon for a large global company to have more than one matrix due to differences in the business processes by location or business unit. For example, a company may have a manufacturing business unit with a large amount of inventory, requiring a Segregation of Duties matrix that focuses on specific inventory transactions. They may also have a service-based business unit necessitating a focus on project accounting, requiring a different SoD matrix. Though knowledge of similar businesses and industries can help to establish the conflict matrix, each business unit must perform a customized analysis of its conflicting transactions to capture the real risk for that particular business model.
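The analysis described in the two paragraphs above can be sketched as follows. This is an added example, not code from any vendor or ERP product named on this page; the role names, function codes, risk IDs, users and the blocked-function list are all constructed for illustration.

```python
# Added example: every role, function code, risk ID and user below is constructed.
ROLE_FUNCTIONS = {  # role -> functions (entitlements) granted through it
    "Payables Manager": {"CREATE_SUPPLIER", "ENTER_INVOICE", "APPROVE_PAYMENT"},
    "Supplier Admin": {"CREATE_SUPPLIER"},
    "Payment Approver": {"APPROVE_PAYMENT"},
    "Payables Inquiry": {"CREATE_SUPPLIER", "VIEW_INVOICE"},
}
SOD_MATRIX = {  # conflicting pair of functions -> risk realized if one user holds both
    frozenset({"CREATE_SUPPLIER", "APPROVE_PAYMENT"}): "AP-01 fictitious supplier paid",
    frozenset({"ENTER_INVOICE", "APPROVE_PAYMENT"}): "AP-02 own invoice approved",
}
# (role, function) pairs that a profile, page configuration or customization
# makes unusable; counting them would produce false positives.
BLOCKED = {("Payables Inquiry", "CREATE_SUPPLIER")}
USERS = {  # user -> assigned roles
    "alice": ["Payables Manager"],
    "bob": ["Supplier Admin", "Payment Approver"],
    "carol": ["Payables Inquiry", "Payment Approver"],
    "dave": ["Supplier Admin"],
}

def effective_functions(roles, blocked):
    """Map each usable function to the set of roles that grant it."""
    granted = {}
    for role in roles:
        for fn in ROLE_FUNCTIONS.get(role, ()):
            if (role, fn) not in blocked:
                granted.setdefault(fn, set()).add(role)
    return granted

def find_violations(assignments, blocked=BLOCKED):
    """Return (user, risk, roles involved) for every conflict a user can realize."""
    violations = []
    for user, roles in sorted(assignments.items()):
        granted = effective_functions(roles, blocked)
        for pair, risk in SOD_MATRIX.items():
            if pair.issubset(granted):  # user holds both sides of the conflict
                via = sorted(set().union(*(granted[fn] for fn in pair)))
                violations.append((user, risk, via))
    return violations

if __name__ == "__main__":
    for user, risk, via in find_violations(USERS):
        print(f"{user}: {risk} via {', '.join(via)}")
    # Ignoring the exclusions reports carol as well, which is a false positive.
    naive = find_violations(USERS, blocked=set())
    print("without exclusions:", sorted({u for u, _, _ in naive}))
```

Note that bob's conflict only appears when his two roles are evaluated together, which is why the check runs per user rather than per role.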

Common Examples

What are some of the most common examples of Segregation of Duties?

Segregation of Duties controls are a significant component of the control environment of any organization that operates its business on an ERP platform.

Options

Are you looking for a segregation of duties solution but are not sure what to look for?

SoD Insight

Our SoD Insight is ideal if your organization is new to segregation of duties. It quickly and reliably helps you identify segregation of duties risk in your environments so that you can take action if need be. 

SoD Scanner

This is our low cost option which utilizes the same software as our core application. SoD Scanner is designed for smaller organizations that have limited SoD requirements. 

Policy Manager™

Policy Manager™ is designed for organizations with complex segregation of duties requirements. With built-in remediation it allows you to proactively mitigate risk.

What is “Separation of Duties?”

Separation of duties is the means by which no one person has sole control over the lifespan of a transaction.  Ideally, no one person should:

  • Initiate the transaction
  • Approve the transaction
  • Record the transaction
  • Reconcile the transaction
  • Handle the related asset
  • Review reports

There should be at least two sets of eyes on each transaction.

Why is it Important?

Separation of duties is critical to effective internal control because it reduces the risk of both erroneous and inappropriate actions.

All units should attempt to separate functional responsibilities to ensure that errors, intentional or unintentional, cannot be made without being discovered by another person.  In addition, separation of duties is a deterrent to fraud because it requires collusion – working with another person – to perpetrate a fraudulent act.

What About Small Departments?

When separation of duties is not possible due to a small department size, compensating controls must be put in place.  Detailed Tier 2 and/or Tier 3 review of activities is required to compensate for the lack of separation of duties.

ABCs of Separation of Duties

In general, no one employee should have job functions in more than one of the following three categories of duties:

  1. Asset handling and disposition: Having physical access to University assets or being in a position to control where an asset is directed
    • Assets include cash, tickets and passes, PCards, supplies, equipment, books, vendor and payroll checks, and purchase orders
    • Directing an asset includes initiating a vendor or payroll payment in myUFL, setting up a new employee in the Human Resources Management System (HRMS), making an adjustment to a student account transaction, placing an order for supplies, distributing payroll checks, and specifying where supply orders are to be delivered
  2. Booking or recording transactions to the myUFL general ledger or subledger: Recording or posting a financial transaction to the myUFL general ledger
    • The recording of financial transactions in myUFL occurs when a vendor invoice, direct payment, or journal is approved
  3. Comparison or review of transactions or balances: Reconciling and reviewing transactions appearing in the myUFL general ledger for validity and reasonableness
    • Monthly reconciliation is required as a key internal control to ensure the accuracy of data in myUFL – the official accounting record of the University of Florida

How Does it Look?

Consider the following in assigning duties to people involved in handling a financial transaction process:

  1. The preferred number of people that should be involved in handling a financial process is three or more – at this staffing level, satisfactory separation of duties can be attained fairly easily
  2. The minimum number of people who can successfully operate a financial process is two – at this staffing level, satisfactory separation of duties can be attained, but not without careful planning
    • For some processes, certain duties might have to be performed jointly by both staff members
  3. A person involved in more than one financial process should be assigned duties within the same duty category, such as asset handling, across the different processes. For example, people with asset handling duties in the cash handling process should be assigned only asset handling duties in other financial processes.

Note: An employee serving in a “back-up” role must be competent and have the same authority as the person normally performing the duty.

Example – Cash Handling

| Responsibility | Duty Category | Ideal: 4 Person | Good: 3 Person | Minimal: 2 Person |
|---|---|---|---|---|
| Cash receiving (cashiering) and counting cash as part of the cash drawer closing process | Asset handling | Employee 1 | Employee 1 | Joint – Employees 1 and 2* |
| Deposit preparation and the recording of cash receipt on deposit records/logs | Booking | Employee 2 | Employee 2 | Joint – Employees 1 and 2* |
| Recording the deposit in myUFL | Booking | Employee 3 | Employee 3 | Initiation: Employee 1; Approval: Employee 2 |
| Making the cash deposit at the University Cashier’s Office | Asset Handling | Employee 1 | Employee 1 | Employee 1 |
| Comparing cash deposits recorded in the general ledger to deposit amounts appearing on copies of departmental records/logs | Comparison/Review | Employee 4 | Employee 3 | Employee 2** |

*Closing of cash drawer is performed jointly with both coworkers witnessing the count and certifying the deposit amount appearing on the department records/logs.  Employee 2 retains and secures the copy of the record/log for ledger review purposes.

**Ideally, someone other than employee 1 or 2 should review and certify the monthly reconciliation.

Example – Purchase

| Responsibility | Duty Category | Ideal: 4 Person | Good: 3 Person | Minimal: 2 Person |
|---|---|---|---|---|
| Order initiation | Asset handling | Employee 1 | Employee 1 | Employee 1 |
| Order approval | Booking | Employee 2 | Employee 2 | Employee 2 |
| Confirmation of receipt of goods | Asset Handling | Employee 3 | Employee 1 | Employee 1 |
| Payment of invoice | Booking | Employee 2 | Employee 2 | Employee 1 |
| Ledger review and certification | Comparison/Review | Employee 4 | Employee 3 | Employee 2** |

**Ideally, someone other than employee 1 or 2 should review and certify the monthly reconciliation.

Example – Billing and Receivables

| Responsibility | Duty Category | Ideal: 4 Person | Good: 3 Person | Minimal: 2 Person |
|---|---|---|---|---|
| Review and approval of billing data included on bills | Booking | Employee 1 | Employee 1 | Employee 1 |
| Billing adjustment issuance, including account credit issuance and bad debt balance write-off authorization | Asset Handling | Employee 2 | Employee 2 | Employee 2 |
| Billing adjustment transaction ledger or billing system recording payment | Booking | Employee 3 | Employee 1 | Employee 1 |
| Comparison of AR balance recorded in the general ledger to the total billings reflected in the billing system or records | Comparison/Review | Employee 4 | Employee 3 | Employee 2 |

Last Reviewed

09/30/2022: reviewed content

Training

PRO303 – Internal Controls at UF

PST130 – Reconciliation for Tier 1

Internal Controls & Quality Assurance: (352) 392-1321

What is the main rationale of segregation of duties is to ensure that the?

Segregation of duties is critical because it ensures separation of different functions and defines authority and responsibility over transactions. Segregation of duties is also a key Internal Control; it reduces the risk of errors and inappropriate actions.

Why is segregation of duties important for internal control?

Separation of duties is critical to effective internal control because it reduces the risk of both erroneous and inappropriate actions. All units should attempt to separate functional responsibilities to ensure that errors, intentional or unintentional, cannot be made without being discovered by another person.

What is the principle of segregation of duties?

Segregation of Duties (SOD) is a basic building block of sustainable risk management and internal controls for a business. The principle of SOD is based on shared responsibilities of a key process that disperses the critical functions of that process to more than one person or department.

What is segregation of duties and why is it important?

Segregation of Duties (SoD) is an internal control built for the purpose of preventing fraud and error in financial transactions. To do this, SoD ensures that there are at least two individuals who are responsible for completing a critical task that has financial consequences or can impact financial reporting.