If you are a Finance team member, you have almost certainly heard the terms “Internal control” and “Segregation of duties”.
Internal control is a very wide term that covers both Preventive Controls and Detective Controls. It is always a favourite topic of Financial Auditors and System Auditors.
Segregation of Duties is one of the policies of Internal Control: it defines the controls for splitting work and responsibility between people so that potential risk is reduced.
Let’s understand “Segregation of duty”
Segregation of Duties (SOD) is a basic building block of sustainable risk management and internal controls for a business. The principle of SOD is based on shared responsibilities of a key process that disperses the critical functions of that process to more than one person or department. Without this separation in key processes, fraud and error risks are far less manageable.
Imagine what would happen if the keys, lock and code for a nuclear weapons system were all in the hands of one person! Emotions, coercion, blackmail, fraud, human error and disinformation could cause grave and expensive one-sided actions that can’t be corrected. Or, consider the software engineer who has the authority to move code into production without oversight, quality assurance or access rights’ authentication.
(Source: Segregation of Duties, aicpa.org)
How does it work?
The basic concept underlying segregation of duties is that no employee or group should be in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties. In general, the principal incompatible duties to be segregated are:
- Authorization or approval of related transactions affecting those assets
- Custody of assets
- Recording or reporting of related transactions
In IT Control Objectives for Sarbanes-Oxley, 3rd Edition, a fourth duty, the verification or control duty, is listed as potentially incompatible with the other three. This fourth duty encompasses operations that verify and review the correctness of operations made by other individuals, whether they are custody, recording or authorization operations. Some of the core SoD elements are actors, duties, risk, scope, activities, roles, systems and applications, and user profiles.
When proper SoD is applied, actors performing incompatible duties are different entities. Such entities may be single individuals or groups. Requiring segregation to be applied between individuals or between collective entities gives rise to the following different levels of segregation, depending on the organizational constraints that are required for SoD to be recognized as such:
- SoD by individuals (individual-level SoD)—This is the traditional and most basic level of segregation. In this case, SoD is accomplished by having different duties performed by different individuals, such as clerks being authorized by their manager to make a payment.
- SoD by functions or organizational units (unit-level SoD)—At this level, different functions perform the separated duties. For example, the sales department might prepare an offering, which is then signed off by the operations department or the risk management function.
- SoD by companies (company-level SoD)—At this level, operations must be performed by different legal entities. For example, investments made by a subsidiary might require authorization by the controlling company. Third-party audits may be viewed as an example of company-level SoD as well.
How does it work in Dynamics 365 Finance & Operations?
Dynamics 365 Finance & Operations has a dedicated section for maintaining “Segregation of Duties” rules, which helps you comply with legal and operational requirements.
Path: System administration > Security > Segregation of duties
Define the Segregation of duties rules
We can define multiple SOD rules according to the organization's requirements. Each rule defines which duty must not be combined with another duty.
Example: Vendor payment authorization should not be given to the same person who is authorized to post vendor invoices. This reduces the risk of an unauthorized transaction being created in both the invoice and the payment by the same person.
Let's create this rule in Dynamics 365 Finance & Operations:
Complete the following procedure to create a rule. You must be a system administrator to complete the procedure.
- Go to System administration > Security > Segregation of duties > Segregation of duties rules.
- Click New.
- In the Name field, type a value for the rule.
- In the First duty field, click the drop-down button to open the lookup.
- In the list, find and select the desired record. Select the first duty that is controlled by the rule (here: Maintain vendor invoices).
- In the Second duty field, click the drop-down button to open the lookup.
- In the list, find and select the desired record. Select the second duty that is controlled by the rule (here: Maintain vendor payments).
- In the Severity field, select an option. Select the severity of the risk that occurs when the same user or role performs both duties.
- In the Security risk field, type a value. Enter a description of the security risk.
- In the Security mitigation field, type a value. Enter a description of the actions that you take to mitigate the security risk. For example, you can mitigate the risk by conducting more detailed reviews of the process, by conducting a monthly managerial review, or by sharing resources with other departments.
- Click Save.
Verify the compliance of user-role assignments with SOD
Let's run the compliance verification function:
Go to System administration > Security > Segregation of duties > Verify compliance of user-role assignments.
After this check runs, the system notifies you if any user-role assignment does not comply with an SOD rule.
Identify and resolve conflicts in segregation of duties
Once the above function completes, the system stores all unresolved conflicts in one inquiry form.
Go to System administration > Security > Segregation of duties > Segregation of duties unresolved conflicts.
Select a conflict, and then select one of the following actions:
- Deny assignment: This will deny the assignment of the user to the additional security role. If you deny an automatic role assignment, the user is marked as excluded from the role. The excluded user isn’t granted the access associated with the role and can’t be assigned to the role until the administrator removes the exclusion.
- Allow assignment: This will override the conflict and allow the user to be assigned to the additional security role. If you override a conflict, you must enter a reason in the Reason for override field. All overridden role assignments can be viewed on the Segregation of duties conflicts page.
When you allow the assignment, the system assigns the additional role to that user, overriding the conflict.
Check all SOD conflicts with their updated status
Go to System administration > Security > Segregation of duties > Segregation of duties conflicts
This inquiry form shows the full log of resolved and unresolved SOD conflicts.
Additional benefits of using “SOD” in Dynamics 365 Finance & Operations
What we have discussed so far is a “Detective control”: it identifies the conflicts that already exist in your system today.
Once the SOD rule is configured, it also works as a “Preventive control” in Dynamics 365 Finance & Operations.
Let's take one example to understand the scenario:
We create a new role and try to add both duties to that same role. The system will not allow the second duty to be added, because doing so would violate the SOD rule.
(Screenshot: SOD violation error)
As you can see, the rule now works as a “Preventive control”, meeting the legal and organizational obligation.
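To make the detective and preventive behaviour concrete, here is an added Python model (not D365 F&O's own code or API) of the invoice/payment rule defined above: it checks user-role assignments for conflicts, records a deny/allow resolution with a mandatory override reason, and refuses to add a conflicting duty to a role. The role names, duty sets and users are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data modelling the page's scenario; not D365 F&O's own code or API.
@dataclass(frozen=True)
class SodRule:
    name: str
    first_duty: str
    second_duty: str
    severity: str  # value chosen in the rule's Severity field

    def violated_by(self, duties) -> bool:
        # Violated only when BOTH duties end up with the same role or user
        return {self.first_duty, self.second_duty} <= set(duties)

RULES = [SodRule("Invoice vs payment", "Maintain vendor invoices",
                 "Maintain vendor payments", "High")]

# Role -> duties granted by that role (constructed sample roles)
ROLE_DUTIES = {
    "AP clerk": {"Maintain vendor invoices"},
    "AP manager": {"Maintain vendor payments"},
    "Buyer": {"Maintain purchase orders"},
}

def can_add_duty(role, duty):
    """Preventive control: a duty joins a role only if no rule would be violated."""
    hits = [r.name for r in RULES if r.violated_by(ROLE_DUTIES.get(role, set()) | {duty})]
    return (not hits, hits)

def verify_user_role_assignments(user_roles):
    """Detective control: (user, rule, severity) for users whose combined roles conflict."""
    findings = []
    for user, roles in user_roles.items():
        duties = set().union(*(ROLE_DUTIES.get(r, set()) for r in roles))
        findings += [(user, r.name, r.severity) for r in RULES if r.violated_by(duties)]
    return findings

def resolve_conflict(user_roles, user, role, action, reason=""):
    """Deny drops the extra role; Allow keeps it but needs a documented override reason."""
    if action == "deny":
        user_roles[user].discard(role)
        return {"user": user, "role": role, "status": "denied"}
    if action == "allow":
        if not reason:
            raise ValueError("Reason for override is mandatory when allowing a conflict")
        return {"user": user, "role": role, "status": "allowed", "reason": reason}
    raise ValueError(f"unknown action {action!r}")
```

Running `verify_user_role_assignments({"alice": {"AP clerk", "AP manager"}})` reports alice's High-severity conflict, and `can_add_duty("AP clerk", "Maintain vendor payments")` is refused, mirroring the detective check and the preventive error shown above.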
Let me know your views and concerns in the comments.
CA Gaurangkumar Jani