Introduction
It is essential to review current security settings in software administration periodically to avoid potential financial losses. Risks may arise from fraud, embezzlement, sabotage, or other unauthorized activities. A proactive review helps safeguard critical business processes and ensures compliance with industry standards.
Examples of Risks
- Error Risk: Incorrect financial reporting due to lack of independent review.
- Compliance Risk: Violations of SOX, GDPR, or other regulatory frameworks.
- Operational Risk: Inefficiencies or system abuse resulting from excessive access.
Purpose
- Our goal is to help organizations design and operate business processes that prevent a single individual from controlling multiple conflicting responsibilities. This reduces the risk of fraud, error, or unauthorized activity.
- We provide a cursory overview of positions, responsibilities, and employee access rights to data. Based on this, we recommend corrective actions for high-risk areas with minimal disruption to daily operations.
- We understand that change can be difficult. Our approach emphasizes employee engagement and communication, ensuring staff understand the reasoning behind recommendations. While acceptance cannot be guaranteed, clear explanations often lead to faster adaptation compared to unexplained changes.
Key Control Activities
- Role Segregation:
Authorization, execution, recording, and reconciliation are assigned to different individuals.
Example: One person initiates a payment, another approves it, and a third reconciles the bank account.
- Access Controls:
System permissions are aligned with job responsibilities. Conflicting access rights (e.g., ability to both create and approve vendors) are identified and remediated.
- Approval Workflows:
Automated workflow systems enforce multi-level approvals for sensitive transactions. Exceptions are documented and reviewed.
- Monitoring & Review:
  - Periodic audits of user access rights.
  - Continuous monitoring tools to detect SoD conflicts.
  - Management review of exception reports.
In complex cases, certified audit professionals can provide perspectives from both a CPA's and a legal standpoint, incorporating industry-standard procedures and recommendations.
Audit Procedures
- Policy Review:
Verify the existence of documented SoD policies and procedures. Assess alignment with regulatory requirements (e.g., SOX, ISO 27001).
- Access Rights Testing:
Obtain system access listings. Perform conflict analysis using SoD matrices. Confirm remediation of identified conflicts.
- Process Walkthroughs:
Trace key transactions (e.g., purchase-to-pay, payroll processing). Validate segregation of duties at each stage.
- Exception Analysis:
Review logs of overrides, emergency access, or manual adjustments. Assess adequacy of compensating controls.
- Interviews & Observation:
Observe transaction processing to identify informal workarounds. Interview staff to confirm understanding of roles.
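The access-rights testing step above (conflict analysis of a system access listing against an SoD matrix, then confirming remediation) and the conflict detection named under Access Controls can be carried out with a small script. The following is an added worked example, not code from the original page or from any audit firm: it assumes a role-based access model in which each role grants a set of named business functions, and the SoD matrix, role model, access listing and documented exceptions are all constructed sample data drawn from the conflicts the text names (vendor create/approve; payment initiate/approve/reconcile).

```python
from collections import defaultdict

# SoD matrix: pairs of business functions one person must not hold together.
# Constructed for this example from the conflicts named in the text; a real
# matrix comes from the organisation's own SoD policy.
SOD_MATRIX = {
    frozenset({"vendor.create", "vendor.approve"}),
    frozenset({"payment.initiate", "payment.approve"}),
    frozenset({"payment.initiate", "bank.reconcile"}),
    frozenset({"payment.approve", "bank.reconcile"}),
}

# Role -> business functions it grants (constructed sample role model).
ROLE_FUNCTIONS = {
    "AP_Clerk": {"vendor.create", "payment.initiate"},
    "AP_Manager": {"vendor.approve", "payment.approve"},
    "Treasury": {"bank.reconcile"},
    "Reporting": {"report.view"},
    "AP_Superuser": {"vendor.create", "vendor.approve"},  # conflict built into one role
}

# Access listing as exported from the system: user -> assigned roles (constructed sample).
ACCESS_LISTING = {
    "alice": {"AP_Clerk"},
    "bob": {"AP_Manager"},
    "carol": {"AP_Clerk", "AP_Manager"},
    "dave": {"Treasury", "Reporting"},
    "erin": {"AP_Clerk", "Treasury"},
    "frank": {"AP_Superuser"},
}

# Conflicts management has accepted with a documented compensating control
# (constructed sample): (user, sorted function pair).
DOCUMENTED_EXCEPTIONS = {
    ("erin", ("bank.reconcile", "payment.initiate")),
}


def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted by all of a user's roles (unknown roles grant nothing)."""
    functions = set()
    for role in roles:
        functions |= role_functions.get(role, set())
    return functions


def conflicting_pairs(functions, sod_matrix=SOD_MATRIX):
    """Sorted list of SoD pairs fully contained in a set of functions."""
    return sorted(tuple(sorted(pair)) for pair in sod_matrix if pair <= functions)


def role_design_conflicts(role_functions=ROLE_FUNCTIONS, sod_matrix=SOD_MATRIX):
    """Roles that grant both halves of an SoD pair on their own: a role-design defect,
    which no user-level reassignment can fix."""
    result = {}
    for role, functions in role_functions.items():
        pairs = conflicting_pairs(functions, sod_matrix)
        if pairs:
            result[role] = pairs
    return result


def user_conflicts(access_listing, role_functions=ROLE_FUNCTIONS, sod_matrix=SOD_MATRIX):
    """User -> conflicting pairs arising from the union of that user's roles."""
    result = {}
    for user, roles in access_listing.items():
        pairs = conflicting_pairs(effective_functions(roles, role_functions), sod_matrix)
        if pairs:
            result[user] = pairs
    return result


def classify_conflicts(conflicts, exceptions=DOCUMENTED_EXCEPTIONS):
    """Split user conflicts into 'open' (needs remediation) and 'documented'
    (covered by an approved exception that should have a compensating control)."""
    report = {"open": defaultdict(list), "documented": defaultdict(list)}
    for user, pairs in conflicts.items():
        for pair in pairs:
            bucket = "documented" if (user, pair) in exceptions else "open"
            report[bucket][user].append(pair)
    return {bucket: dict(users) for bucket, users in report.items()}


def remediation_check(before, after, role_functions=ROLE_FUNCTIONS, sod_matrix=SOD_MATRIX):
    """Confirm remediation: conflicts from the earlier listing that still exist in the new one."""
    old = user_conflicts(before, role_functions, sod_matrix)
    new = user_conflicts(after, role_functions, sod_matrix)
    still_open = {}
    for user, pairs in old.items():
        remaining = [pair for pair in pairs if pair in new.get(user, [])]
        if remaining:
            still_open[user] = remaining
    return still_open


if __name__ == "__main__":
    print("Roles with built-in conflicts:", role_design_conflicts())
    report = classify_conflicts(user_conflicts(ACCESS_LISTING))
    for bucket, users in report.items():
        for user, pairs in users.items():
            print(f"[{bucket}] {user}: {pairs}")
    # Remediation: carol loses AP_Manager, frank is moved to the plain AP_Clerk role.
    remediated = dict(ACCESS_LISTING, carol={"AP_Clerk"}, frank={"AP_Clerk"})
    print("Still open after remediation:", remediation_check(ACCESS_LISTING, remediated))
```

Two design points matter in practice. The check runs on the union of every role a user holds, because most conflicts come from accumulated role assignments rather than from one role; the separate role-level check catches the cases where a role itself is the problem. Documented exceptions are reported in their own bucket rather than suppressed, so the exception analysis step can still verify that each one has an adequate compensating control.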
Conclusion
A well-structured Separation of Duties framework is critical to protecting organizations against fraud, error, and compliance failures. By combining policy review, access testing, process walkthroughs, exception analysis, and staff engagement, organizations can strengthen internal controls and reduce risk exposure.