SEGREGATION OF DUTIES IN SAP GRCOctober 20, 2022
This blog talks about the Segregation of duties (SoD), the importance of compliance, challenges, and how to overcome them.
Segregation of Duties (SoD) consists of the foundational controls in an effective Risk and Compliance (GRC) program. The functions of SoD include the separation of people who carry out various steps of business transactions to reduce the errors and risk of fraud. SoD is an inevitable responsibility for the SAP administrators and people who see to the aligning of SAP with GRC.
In order to understand SoD, one must be knowledgeable about the processing of income and expenses in the business.
For example, when it comes to spending, there are a series of steps to be crossed before the money is disbursed.
Step 1: The business manager drafts a purchase order (PO) that tells how a vendor must be paid for the product or service.
Step 2: Generally, the senior manager of the purchasing department approves the purchase order.
Step 3: The vendor issues the invoice for the product or service.
Step 4: An authority in the accounts payable department approves the invoice before the cheque is signed.
The employees in the above workflow act as a check on one another. If one individual was responsible for all this work there would be a lot of chances for lack of concentration and committing mistakes.
Importance of SoD
SoD has core control over financial reporting. The financial reports may often offer invalid information without SoD. Hence, compliance with the Sarbanes Oxley Act (SOX) is so important.
As per the law, it is mandatory for public companies to follow a few verifiable steps to obtain accuracy in financial reporting. According to SOX Section 404, all the annual financial reports should include an Internal Control Report which states that the management is solely responsible for an ‘adequate’ internal control structure and also an assessment by management of the effectiveness of the control structure.
SoD and SAP
While the aspects of corporate accounting and finance are occurring on software, SoD is all about user account access controls and rules. SAP access controls and transaction permissions must match with the SoD requirements for the working.
For example, when the business manager logs into the SAP procurement system to write a purchase order (PO) and tries to approve it, the system rules prohibit him.
The user account access privileges in the SAP systems that support financial transactions are affected by the SoD rules. SAP provides automated tools for SoD, logging access, transactions, and any other information that is related to SoD.
These are a part of a broader GRC set of access and process controls that manages the internal security model. It also provides remedies for compliance issues while monitoring potential business risks within the SAP system. SAP GRC access controls state what the users can do and the process control tracks define what the users are doing. SAP GRC access control detects the potential for any violation of SoD and also gives alerts.
What are the challenges?
Organizations cannot remain static for a longer period of time. The organizational structure keeps changing once in a while which leads to SoD conflicts. The SAP GRC framework calls for easing controls when a conflict arises. The process for identifying and addressing SoD conflicts depends on manual steps such as reviewing vendor lists and payment ledgers.
The document-centric process is in turn deficient as it is lacking systematic risk and usage analysis. It also includes real-time alerts of potential violations of SoD controls. The risks may go unnoticed without consistent compliance reports, mandated reviews, and sign-offs.
How to solve them?
The usage of SoD monitoring tools can strengthen SoD. They are designed especially to detect, analyze and manage risks related to SoD conflicts. Review of access is automated to the sensitive transactions violations of complex and role-based authorization rules. Implementation of ControlPanelGRC, which is a Continuous Controls Monitoring (CCM) platform automates the SAP and SOX compliance and audit relates tasks like the SoD.