You have a segregation of duties audit coming up! How should you prepare for it?
When it comes to segregation of duties (or what is commonly known as ‘SoD’), we need to think long-term and be practical. SoD is part of access management, which impacts basically all processes taking place in your system. And therefore, it is not easy to resolve or even implement in the first place.
You need to consider whether it is really practical to resolve all your SoD issues just to receive an all-clear in the audit. It is indeed possible to resolve your SoD issues before the audit commences, and we do that quite simply by removing access rights which may cause SoD issues. However, sooner or later some/all of these access rights will have to be granted back to the users, for the simple reason that otherwise they (or at least some of them) will not be able to do their job.
You also should bear in mind that resolving your SoD issues just for the audit does not deal with the months before when your system was at risk of SoD violations. The reason SoD is required in the first place is to prevent misuse/error from happening in the system (in particular, from occurring in certain key steps in the process). When SoD is not in place, this misuse/error can take place without being detected. It can be prevented from taking place only when SoD has been implemented. If SoD wasn’t present in the system beforehand, you may receive a clean bill of health on your SoD at the time of the audit; but this doesn’t mean that SoD violations have not happened in the months prior.
The most sensible way to deal with an upcoming SoD audit is to acknowledge these SoD issues and at the same time to start working on achieving SoD in your system. In other words, do it to achieve more secure, efficient and effective working processes in your system. Don’t do it for the audit.
Additionally, you should understand that SoD is only a small part of a business operation. If you have a specific SoD audit coming up, use it as an opportunity to gain knowledge and input from the auditor on how to implement SoD that works with the way you operate. If it is an external audit, do the same – but also be aware that while SoD is important, financial auditors will also be doing their rigorous testing on financial controls as well as checking the financial accounts closely. SoD is simply a line of defence in the overall audit process.
Fixing SoD issues can be a long and involved journey. It takes involvement from various departments and a close collaboration with IT. You want to choose a knowledgeable and experienced specialist in this journey, particularly one that takes the way you operate into account.
Meanwhile, in the short term, what you may want to do is to put some mitigating controls in place. We strongly urge you, though, to not use mitigating controls as a blanket solution for all of your SoD issues. Why?
- Firstly, for some controls you may be able to achieve just as much assurance or more by relying on existing functionalities within your system (especially in the case of SAP), rather than on additional mitigating controls. As they already exist in the system, reliance on these functionalities requires no additional time and effort.
- Secondly, mitigating controls are often performed manually outside the system and this means more human resources are required.
- Thirdly and more importantly, taking on a complete assessment around your SoD situation gives you an opportunity to consider if your access has been managed effectively and efficiently. This, in the long term, results in a better optimised and cost-effective process overall.
- Fourth, mitigating controls are detective controls. Detective controls do not prevent misuse/error from taking place – they only detect it once it has already taken place.
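Two of the points above can be made concrete in code: a preventive SoD check that runs before an access right is granted (so the conflict never enters the system), and a detective check over past activity that shows why a clean access picture at audit time says nothing about the months before. The following is an added example written for this page, not code from the original post or from any SAP product; the rule names, role names, permission labels, user names and log entries are all constructed for illustration and are not real SAP transaction codes or roles.

```python
from collections import defaultdict

# Constructed SoD rule set: each rule names two permissions that one person
# should not hold (preventive view) or exercise on the same object (detective view).
# The permission labels are hypothetical, not SAP transaction codes.
SOD_RULES = {
    "vendor-master-vs-payment": ("create_vendor", "post_payment"),
    "purchase-order-vs-goods-receipt": ("create_purchase_order", "post_goods_receipt"),
    "journal-entry-vs-approval": ("post_journal_entry", "approve_journal_entry"),
}

# Constructed role catalogue: role name -> permissions the role grants.
ROLES = {
    "AP_CLERK": {"create_vendor", "post_invoice"},
    "AP_PAYMENTS": {"post_payment"},
    "PURCHASER": {"create_purchase_order"},
    "WAREHOUSE": {"post_goods_receipt"},
    "GL_ACCOUNTANT": {"post_journal_entry"},
    "GL_REVIEWER": {"approve_journal_entry"},
}

# Constructed current user-to-role assignments, as they would look at audit time.
# Note that "carol" currently holds only GL_ACCOUNTANT.
ASSIGNMENTS = {
    "alice": ["AP_CLERK", "AP_PAYMENTS"],
    "bob": ["PURCHASER"],
    "carol": ["GL_ACCOUNTANT"],
    "dave": ["WAREHOUSE"],
}

# Constructed activity log from the months before the audit.
# "carol" approved her own journal entry while she still held a reviewer role
# that has since been removed; the current assignments no longer show this.
ACTIVITY_LOG = [
    {"ts": "2023-11-02T09:14", "user": "alice", "action": "create_vendor", "object": "VEN-1001"},
    {"ts": "2023-11-03T10:01", "user": "alice", "action": "post_payment", "object": "VEN-1001"},
    {"ts": "2023-11-04T11:20", "user": "bob", "action": "create_purchase_order", "object": "PO-500"},
    {"ts": "2023-11-05T08:45", "user": "dave", "action": "post_goods_receipt", "object": "PO-500"},
    {"ts": "2023-11-06T16:30", "user": "carol", "action": "post_journal_entry", "object": "JE-77"},
    {"ts": "2023-11-06T16:32", "user": "carol", "action": "approve_journal_entry", "object": "JE-77"},
]


def effective_permissions(roles):
    """Union of the permissions granted by a collection of roles."""
    perms = set()
    for role in roles:
        perms |= ROLES.get(role, set())
    return perms


def _rules_hit(perms):
    """Names of SoD rules for which both conflicting permissions are present."""
    return [name for name, (a, b) in SOD_RULES.items() if a in perms and b in perms]


def find_conflicts(assignments):
    """Preventive review: users whose current roles combine both halves of a rule."""
    return {user: hits
            for user, roles in assignments.items()
            if (hits := _rules_hit(effective_permissions(roles)))}


def check_grant(assignments, user, new_role):
    """Run before granting a role: which rules would the proposed assignment break?

    Rejecting the grant here stops the conflict from ever entering the system,
    which is what a preventive control does and a detective control cannot.
    """
    proposed = set(assignments.get(user, ())) | {new_role}
    return _rules_hit(effective_permissions(proposed))


def find_executed_violations(log):
    """Detective review over history: the same user performed both conflicting
    actions on the same business object, regardless of what roles they hold today."""
    by_object = defaultdict(lambda: defaultdict(set))  # object -> action -> users
    for entry in log:
        by_object[entry["object"]][entry["action"]].add(entry["user"])
    violations = []
    for obj, actions in by_object.items():
        for name, (a, b) in SOD_RULES.items():
            for user in actions.get(a, set()) & actions.get(b, set()):
                violations.append((user, name, obj))
    return sorted(violations)


if __name__ == "__main__":
    print("current conflicts:", find_conflicts(ASSIGNMENTS))
    print("grant WAREHOUSE to bob would break:", check_grant(ASSIGNMENTS, "bob", "WAREHOUSE"))
    print("executed violations in log:", find_executed_violations(ACTIVITY_LOG))
```

Run as written, the current-assignment review flags only `alice`, while the log review additionally surfaces `carol` approving her own journal entry: removing a role shortly before the audit clears the preventive report but not the history, which is the point made above about the months prior. The grant check is the hook to wire into the access-request process so that conflicts are refused at provisioning time rather than reported afterwards.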
We hope we have helped you clarify your thoughts and given you some useful pointers on how to tackle your upcoming audit. If you need more guidance or help, please do not hesitate to contact us here. Good luck for the audit!