Segregation of duties (SOD) in auditing is the idea of requiring more than one person to complete certain key duties to prevent fraud and errors. 

The segregation of duties is a fundamental element of internal controls. The basic principle underlying segregation of duties is that no one person or group of employees should be in a position to commit and conceal errors or fraud in their day-to-day jobs. 

Depending on the size and nature of a business, the actual job titles and organizational structures can vary greatly among companies. 

Under the concept of SOD, duties that are business-critical can be categorized into four types of functions: 

  1. Authorization
  2. Custody
  3. Record keeping
  4. Reconciliation 

In a perfect system, no one person should handle more than one type of function.

The general concept of SOD is to prevent one person from having access to assets as well as responsibility for maintaining the accountability of those assets. Essentially, SOD promotes shared responsibilities of a key process that disperses critical functions of that process to more than one person, department, or company.  

Segregation of duties is a key issue for organizations to ensure compliance with laws and regulations. The importance of SOD stems from the consideration that giving one person complete control of a business process or an asset can expose a company to risk. 

Therefore, enforcing SOD is an important control element in support of achieving an effective risk management strategy.

Although there’s no internal control audit standard or accounting dictum that prescribes specific SOD requirements, maintaining a system of effective internal controls requires the appropriate segregation of duties.

For internal controls to be effective, there has to be an adequate division of responsibilities among the individuals who handle assets and those who perform control activities or accounting procedures.

In general, organizations should design the work of transaction processing and related tasks so that the work of one person is independent of, or serves as a check on, the work of another. 

Doing so reduces the risks of undetected errors and limits opportunities to misappropriate assets or conceal intentional misstatements in a company's financial statements. SOD acts to deter fraud and stop an individual from covering up errors because that one person would have to secure another individual's cooperation to conceal those activities.

SOD is well known in financial accounting systems. Organizations of all sizes understand that they shouldn’t combine roles, such as receiving payments on accounts and approving write-offs, depositing cash and reconciling bank statements, etc. 

Although SOD is a relatively recent concern for most information technology (IT) departments, many Sarbanes-Oxley (SOX) internal audit findings originate in IT. SOX, passed in 2002, protects investors from fraudulent financial reporting by corporations.

In information systems, segregation of duties helps reduce the potential damage from the actions of one person. According to ISACA’s Segregation of Duties Control Matrix, enterprises should not combine some duties into one position.

The matrix is not an industry standard, but rather a general guideline indicating which positions should be separated and which require compensating controls when they are combined. Compensating controls are internal controls intended to reduce the risk of an existing or potential control weakness. 
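The four function types and the matrix idea above translate directly into a preventive check that identity and access teams run over role assignments. The following is an added example, not code from the original page or from ISACA: the duty names, the incompatibility matrix (which pairs must be separated outright and which may be combined only under a documented compensating control) and the user assignments are all constructed for illustration. In the spirit of the text's "perfect system", any two function types held by one person is a finding; the matrix only decides how severe it is.

```python
"""Static SOD conflict check over user-to-duty assignments (added example)."""
from dataclasses import dataclass
from itertools import combinations

# Each concrete duty is tagged with one of the four function types
# from the text: authorization, custody, record keeping, reconciliation.
DUTY_TYPE = {
    "approve_payment": "authorization",
    "approve_writeoff": "authorization",
    "sign_checks": "custody",
    "receive_cash": "custody",
    "post_ledger": "record_keeping",
    "reconcile_bank": "reconciliation",
}

# Constructed incompatibility matrix (an assumption, not the ISACA matrix):
# "separate" pairs must never sit with one person; "compensate" pairs may,
# but only with a documented compensating control.
CONFLICT_MATRIX = {
    frozenset({"authorization", "custody"}): "separate",
    frozenset({"custody", "record_keeping"}): "separate",
    frozenset({"custody", "reconciliation"}): "separate",
    frozenset({"authorization", "record_keeping"}): "compensate",
    frozenset({"authorization", "reconciliation"}): "compensate",
    frozenset({"record_keeping", "reconciliation"}): "compensate",
}


@dataclass
class Finding:
    user: str
    duties: tuple        # the two conflicting duties
    types: frozenset     # the two function types involved
    severity: str        # "separate" or "compensate"
    mitigated: bool      # True only if a compensating control is on file


def check_assignments(assignments, compensating_controls=None):
    """Return a Finding for every pair of duties of different function type
    held by the same user.

    assignments:           {user: set of duty names}
    compensating_controls: {(user, frozenset of types): description}
    Unknown pairs default to "separate" so a gap in the matrix fails closed.
    """
    compensating_controls = compensating_controls or {}
    findings = []
    for user, duties in sorted(assignments.items()):
        for a, b in combinations(sorted(duties), 2):
            types = frozenset({DUTY_TYPE[a], DUTY_TYPE[b]})
            if len(types) < 2:
                continue  # two duties of the same type are not an SOD conflict
            severity = CONFLICT_MATRIX.get(types, "separate")
            mitigated = (severity == "compensate"
                         and (user, types) in compensating_controls)
            findings.append(Finding(user, (a, b), types, severity, mitigated))
    return findings


def unmitigated(findings):
    """Findings that still need action: hard conflicts plus uncovered soft ones."""
    return [f for f in findings if not f.mitigated]


# Constructed sample data.
SAMPLE_ASSIGNMENTS = {
    "alice": {"approve_payment", "sign_checks"},    # authorization + custody
    "bob": {"post_ledger", "reconcile_bank"},        # record keeping + reconciliation
    "carol": {"receive_cash", "approve_writeoff"},   # the text's cash/write-off example
    "dave": {"post_ledger"},                         # a single function type: clean
}
SAMPLE_CONTROLS = {
    ("bob", frozenset({"record_keeping", "reconciliation"})):
        "monthly independent review of reconciliations by the controller",
}

if __name__ == "__main__":
    for f in check_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_CONTROLS):
        status = "mitigated" if f.mitigated else f.severity.upper()
        print(f"{f.user}: {f.duties[0]} + {f.duties[1]} "
              f"({', '.join(sorted(f.types))}) -> {status}")
```

Run as-is, the check reports alice and carol as hard conflicts and bob as a soft conflict that is covered by the recorded review; remove the entry in SAMPLE_CONTROLS and bob's finding becomes actionable. Defaulting unknown type pairs to "separate" is a deliberate fail-closed choice: an incomplete matrix should surface as findings, not as silence.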


When an organization is unable to segregate duties, it should put compensating controls in place. If one person can carry out and conceal errors and/or irregularities in the course of daily work, that person has been assigned duties that are incompatible under SOD. Several internal control mechanisms can help a company enforce segregation of duties:

  • Audit trails enable auditors to recreate the actual flow of a transaction from its origin through to the records it finally updated. A good audit trail should record who initiated the transaction, the date and time of entry, the type of entry, the fields of information it contained, and the files it updated.
  • Supervisors should handle exception reports, supported by evidence that the exceptions were handled properly and in a timely manner. Generally, the signature of the person who prepares the report is required.
  • An organization should maintain manual or automated logs of all processed system commands and application transactions.
  • An enterprise should employ someone to conduct an independent review, which can help detect errors and irregularities in financial statements, for example.
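Where the matrix check above is preventive, the audit trail and transaction log in this list are the detective side: they let a reviewer reconstruct a transaction and see whether one person performed two function types on it. The following is an added example, not code from the original page: the CSV layout, the mapping of entry types to function types and the six audit records are constructed, and real systems will differ. It reconstructs a transaction's flow with the fields the text calls for, flags any user who performed entries of two function types on the same transaction, and treats a record with no initiator as a gap in the trail rather than silently skipping it, because such a record cannot be reviewed at all.

```python
"""Detective SOD control over a constructed audit trail (added example)."""
import csv
from collections import defaultdict
from io import StringIO

# Which of the four function types each audit entry type belongs to
# (constructed mapping).
ENTRY_FUNCTION = {
    "invoice_approved": "authorization",
    "payment_released": "custody",
    "ledger_posted": "record_keeping",
    "bank_reconciled": "reconciliation",
}

# Constructed audit trail carrying the fields the text asks for: initiator,
# date and time, entry type, fields carried, files updated. T101 is one
# person both approving and releasing; T102 has no recorded initiator.
SAMPLE_AUDIT_TRAIL = """\
txn,user,timestamp,entry_type,fields,files_updated
T100,alice,2024-03-01T09:12:00,invoice_approved,amount=4200;vendor=V17,ap_open
T100,bob,2024-03-01T10:40:00,payment_released,amount=4200;check=8811,ap_paid;bank_out
T100,carol,2024-03-02T08:05:00,ledger_posted,account=2000;amount=4200,gl
T101,dave,2024-03-03T11:00:00,invoice_approved,amount=980;vendor=V03,ap_open
T101,dave,2024-03-03T11:02:00,payment_released,amount=980;check=8812,ap_paid;bank_out
T102,,2024-03-04T16:30:00,payment_released,amount=15000;check=8813,ap_paid;bank_out
"""


def parse_audit_trail(text):
    """Parse the CSV trail into a list of dict records."""
    return list(csv.DictReader(StringIO(text)))


def transaction_flow(records, txn):
    """Recreate one transaction's flow from origin to the files it updated,
    as (timestamp, user, entry_type, [files]) in time order."""
    steps = sorted((r for r in records if r["txn"] == txn),
                   key=lambda r: r["timestamp"])
    return [(r["timestamp"], r["user"] or "<missing>", r["entry_type"],
             r["files_updated"].split(";")) for r in steps]


def find_sod_violations(records):
    """Return (violations, gaps).

    violations: (txn, user, sorted function types) wherever one user performed
                entries of two or more function types on the same transaction.
    gaps:       records with no initiator, which a usable audit trail must
                never contain and which need their own follow-up.
    """
    funcs_by_txn_user = defaultdict(set)
    gaps = []
    for r in records:
        if not r["user"]:
            gaps.append(r)
            continue
        func = ENTRY_FUNCTION.get(r["entry_type"])
        if func is None:
            continue  # entry type outside the SOD model; not a conflict
        funcs_by_txn_user[(r["txn"], r["user"])].add(func)
    violations = [(txn, user, sorted(funcs))
                  for (txn, user), funcs in sorted(funcs_by_txn_user.items())
                  if len(funcs) > 1]
    return violations, gaps


if __name__ == "__main__":
    recs = parse_audit_trail(SAMPLE_AUDIT_TRAIL)
    for step in transaction_flow(recs, "T100"):
        print("T100:", step)
    violations, gaps = find_sod_violations(recs)
    for txn, user, funcs in violations:
        print(f"SOD violation: {user} performed {' + '.join(funcs)} on {txn}")
    for r in gaps:
        print(f"Audit gap: {r['txn']} {r['entry_type']} at {r['timestamp']} has no initiator")
```

On the sample trail this reports dave as having both authorized and released payment on T101, and flags the initiator-less T102 release as a gap. Grouping by (transaction, user) is what makes this a segregation check rather than a role check: alice, bob and carol each touch T100, but no single person touches it twice in different capacities.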

Organizations should apply proper SOD by requiring segregation of duties between individuals or groups of individuals. There are several different levels of segregation of duties:

  • SOD by individuals (individual-level SOD): This is the traditional and most basic level of segregation of duties. In this case, SOD is achieved by having different people perform different duties. For example, a manager authorizes a worker to make a payment.
  • SOD by functions or organizational units (unit-level SOD): At this level, different functions, i.e., departments, perform the segregated duties. For example, the sales department might prepare an offering, and the risk management function signs off on it. 
  • SOD by companies (company-level SOD): At this level, different legal entities are required to perform operations. For example, the controlling company might have to authorize investments made by a subsidiary. Another example of company-level SOD is a third-party audit.

Because SOD is an internal control, an organization should view it within the frame of its risk management activities. A company must thoroughly analyze its business processes and make choices about detecting and resolving potential conflicts.

If any conflicts remain, the organization must put compensating controls in place to manage the associated risks appropriately. Most importantly, SOD requires that an organization have a clear understanding of the individuals involved, their roles, and any potential conflicts.
