Segregation of Duty (SoD)
Strengthen Your Segregation of Duties Compliance with SecurEnds
Segregation of Duty
Segregation of duty (SoD), also called separation of duty, refers to a set of preventive internal controls in a company’s compliance policy. Organizations require SoD controls to separate duties among more than one individual to complete tasks in a business process to mitigate the risk of fraud, waste, and error. In the traditional sense, SoD refers to separating duties such as accounts payable from accounts receivable tasks to limit embezzlement. For example, a user who can create a vendor account in a payment system should not be able to pay that vendor to eliminate the risk of fraudulent vendor accounts. Another example is a developer having access to both development servers and production servers. In modern IT infrastructures, managing users’ access rights to digital resources across the organization’s ecosystem becomes a primary SoD control.
Segregation of Duty Policy in Compliance
SoD figures prominently into Sarbanes Oxley (SOX) compliance. SOX mandates that publicly traded companies document and certify their controls over financial reporting, including SoD. Following a meticulous audit, the CEO and CFO of the public company must sign off on an attestation of controls. They can be held accountable for inaccuracies in these statements. If it’s determined that they willfully fudged SoD, they could even go to prison!
The Federal government’s 21 CFR Part 11 rule (CFR stands for “Code of Federal Regulation.”) also depends on SoD for compliance. It affects medical research and other industries, where lives might depend on keeping records and reporting on controls. SoD makes sure that records are only created and edited by authorized people.