What Is Segregation of Duties (SOD)?
Segregation or separation of duties (SOD) is a precaution intended to prevent conflicts of interest and abuses of power in an organization. To ensure functioning internal controls, conflicting tasks such as placing and approving an equipment order must be split across different individuals. This prevents a single employee from holding too much power, which would allow them to commit and cover up fraud.
What Is Segregation of Duties?
Segregation of duties (SOD), also known as separation of duties, is a security policy designed to stop conflicts of interest and the misuse of privileges in organizations. Segregation of duties prevents too much power from being placed in one person’s hands by requiring businesses to split tasks with the potential for fraud or abuse across two or more individuals. For example, a financial report should not be submitted and reviewed by the same person.
As part of an organization’s internal controls, decisions made in an organization must be checked by at least one other person (four eyes principle). Independent controls are essential to prevent theft, fraud and risky behavior such as financial speculation with company assets. Segregation of duties is especially important when it comes to finances, orders and customer data.
Potential problems that can arise without segregation of duties include HR staff that can adjust their own salary or team members in procurement who place and approve fraudulent orders (for example to steal equipment or earn kickbacks). Alongside rules on gifts and gratuity, segregation of duties is an essential part of any business’ compliance strategy.
Examples of segregation of duties:
Employees cannot approve their own expense reports.
Business proposals and risk assessments are created by different people.
Financial transactions are independently reviewed.
HR staff cannot set salary levels.
Is Segregation of Duties Mandatory?
Preventing fraud through the use of SOD is not only in the self-interest of businesses, but a legal requirement in many industries. For publicly traded companies, the SOX Act sets out rules ensuring the independent review of financial reports. SOD is also a key requirement in the financial sector, where independent risk assessments form an integral part of of successful risk management.
Segregation of duties also plays an important role in many IT security standards like ISO 27001, NIST 800-53 or the NIST Cybersecurity Framework. Splitting important tasks across different accounts and enforcing the principle of least privilege prevents attackers from gaining total control over your network by compromising a single account.
Download our white paper for a deep dive into the Sarbanes-Oxley Act, its purpose and the role of IT in achieving compliance.
How Does Segregation of Duties Work?
Enforcing SOD requires businesses to ensure that conflicting duties – i.e. a combination of tasks that could enable fraud, abuse or cover-ups – are not assigned to a single person. Some tasks, such as handling large sums of money, are inherently high-risk on their own and must be secured through independent review and approval workflows. In order to enforce these controls, organizations must know
which accounts exist within their IT network
which privileges they hold and
which permissions are incompatible with which other permissions.
SOD & IAM: The Perfect Fit
The easiest way to enforce SOD on an IT level is through the use of role-based access control: this approach ensures that each employee only receives the exact permissions required for their business role – no more and no less. IAM solutions help you automate this process, making them the ideal foundation for SOD policies.
As your central hub for identity and access management, tenfold ensures that all changes to users’ access rights are fully documented and logged for later review. Our permission reporting makes it easy to track which accounts have access to which systems and resources. This helps you protect sensitive data and prepare for compliance audits. Additionally, tenfold‘s automated user access reviews ensure that privileges are kept up to date at all times.
Best Practices for Access Management In Microsoft® Environments
Our in-depth guide explains how to manage access securely and efficiently from a technical and organizational standpoint, including tips for implentation, reporting and auditing.