The advent of the Sarbanes-Oxley Act in the US some 15 years ago launched the ‘Governance Risk & Compliance’ (GRC) industry, in which tens of billions of dollars have been spent on technology, consultancy services and audit fees.
Sarbanes-Oxley (SOX) aims to protect investors from fraudulent financial reporting by corporations. It brought in many new requirements for corporate responsibility and accounting regulations. These regulations require companies to document and certify controls over financial reporting and include Segregation of Duties or Separation of Duties.
With warnings of jail sentences for CFOs who did not invest in SoD, companies had to invest in Segregation of Duties and looked to automate it wherever possible.
What does Segregation of Duties mean?
Segregation of Duties (SoD) is a key element of risk management and internal controls. Segregation of Duties means you share the responsibilities of a process, so more than one person is responsible for the critical functions of that process. The intention of Segregation of Duties is to reduce the risk of fraud and error.
Today’s organisations are being encouraged to invest further in software for ‘Governance Risk & Compliance’ and Segregation of Duties in particular, extending automation with new visualisation technology and dashboards.
But why is implementing Governance Risk & Compliance Access Control so easy, yet cleaning up access such an uphill task?
Many organizations have a Segregation of Duties process and technology in place, but the process is not operating smoothly.
Most Segregation of Duties journeys follow a common path:
• A long running, low level awareness of user access compliance issues
• An eventual Audit finding
• Sudden frenzy of activity
• Segregation of Duties ‘project’ initiation
• Governance Risk & Compliance Software selection & acquisition
• Access Control ‘project’
• Remediation of low-hanging fruit
• Audit focus moves on to higher priority issues, followed by management focus
• Residual operational SoD and sensitive access issues remain, evolve and increase
• The organization evolves like any other dynamic, living organism, with constant change such as organizational or people change.
With no sustaining business activity to manage Segregation of Duties compliance, the initiative falls into disrepair and disrepute.
64% of survey respondents stated that the biggest inhibitor to sustainable Segregation of Duties success is “business commitment, ownership, clarity and buy-in to the process”.
Dan French, CEO of Consider Solutions, says “Having reviewed over a hundred SoD related engagements we have run over the past 17 years, we came to the following conclusions on the most critical factors for success in sustaining effective Segregation of Duties policies”.
Here are the 5 most critical success factors for effective Segregation of Duties policies.
1. Segregation of Duties is not a project, it’s a PROCESS
This confusion is the cause of more pain and wasted effort than everything else combined. It is understandable that it is typically perceived as a project ‘to fix something’, especially as it is usually built around the business case for acquisition of software and associated consulting services. But projects have a start and an end and a clear set of deliverables. A process, on the other hand, comprises a repeated sequence of tasks that are known at the outset.
When it comes to applying Segregation of Duties policies in the dynamic life-form of a business, with organisation changes, process changes, system changes and the constant movement of joiners, movers, promotions and leavers among employed staff, subcontractors and business partners, there is clearly a process required. Part of the problem in understanding is the way that SoD has been portrayed by the Governance Risk & Compliance industry as a ‘Get Clean’ project (implying a start and end) followed by something more amorphous and often postponed called a ‘Stay Clean’ project.
2. Process governance is key
Like most processes, overall governance trumps everything else. We have documented lessons learned by all the organisations we have worked with. We call it the ‘Pentagon’ playbook.
3. Think Global, Act Local
Whilst these initiatives start centrally and may be managed centrally, risk management is a front-line operational task. We need to work out how to genuinely engage devolved business management in risk remediation. They are the first line of defense after all!
4. The technology card is usually overplayed
If you have a complex ERP, you probably need an off-the-shelf tool to monitor the allocation and segregation of duties across, and permissions to, the 70,000-90,000 transaction options available.
Many use their ERP vendor-provided SoD tools; others invest in best-in-class independent tools, and some rely on “no tools/desktop tools only”. The pain points are often similar in all of these scenarios, which suggests the biggest issues are elsewhere, not in the technology.
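The monitoring an SoD tool performs boils down to one check: does any single user hold transactions that together grant two business functions a policy says must be split? The following is an added illustration, not code from the article or from any ERP or GRC vendor. The transaction codes, roles, users, conflict rules and the compensating-control register are all constructed sample data. It also shows the case that catches most organisations out: every role is clean on its own, and the conflict only appears when two roles land on the same person. A violation covered by an accepted compensating control is reported as mitigated rather than silently closed, so the residual risk stays visible to its business owner.

```python
"""Toy Segregation-of-Duties conflict checker (added example, constructed data)."""
from dataclasses import dataclass
from typing import Optional

# Business function -> constructed transaction codes that grant it.
# A real ERP exposes tens of thousands of transaction options; the mapping
# from transaction to business function is the core of any SoD ruleset.
FUNCTION_TRANSACTIONS = {
    "create_vendor": {"VEND01", "VEND02"},
    "approve_payment": {"PAY10"},
    "post_journal": {"GL05"},
    "approve_journal": {"GL06"},
}

# Conflict rules: pairs of functions one person must not hold together.
CONFLICT_RULES = [
    ("SOD-001", "create_vendor", "approve_payment"),
    ("SOD-002", "post_journal", "approve_journal"),
]

# Role -> transactions (constructed). Each role on its own is clean;
# conflicts only appear when roles are combined on one user.
ROLE_TRANSACTIONS = {
    "AP_CLERK": {"VEND01", "VEND02"},
    "AP_MANAGER": {"PAY10"},
    "GL_ACCOUNTANT": {"GL05"},
    "GL_CONTROLLER": {"GL06"},
}

# User -> roles (constructed sample assignments).
USER_ROLES = {
    "alice": {"AP_CLERK", "AP_MANAGER"},          # holds both sides of SOD-001
    "bob": {"GL_ACCOUNTANT"},                      # clean
    "carol": {"GL_ACCOUNTANT", "GL_CONTROLLER"},   # SOD-002, but mitigated
}

# Compensating-control register: (user, rule) -> control id accepted by the
# responsible business owner. Such a violation is mitigated, not closed.
MITIGATIONS = {("carol", "SOD-002"): "CC-17"}


@dataclass(frozen=True)
class Violation:
    user: str
    rule_id: str
    functions: tuple
    roles: tuple                 # roles that together grant the conflict
    mitigation: Optional[str]    # compensating control id, or None if open


def user_functions(user):
    """Return {business_function: {roles granting it}} for one user."""
    granted = {}
    for role in sorted(USER_ROLES.get(user, ())):
        tx = ROLE_TRANSACTIONS.get(role, set())
        for func, func_tx in FUNCTION_TRANSACTIONS.items():
            if tx & func_tx:
                granted.setdefault(func, set()).add(role)
    return granted


def check_user(user):
    """Evaluate every conflict rule against the functions a user holds."""
    funcs = user_functions(user)
    found = []
    for rule_id, f1, f2 in CONFLICT_RULES:
        if f1 in funcs and f2 in funcs:
            roles = tuple(sorted(funcs[f1] | funcs[f2]))
            found.append(Violation(user, rule_id, (f1, f2), roles,
                                   MITIGATIONS.get((user, rule_id))))
    return found


def check_all():
    return {u: check_user(u) for u in sorted(USER_ROLES)}


def summary():
    """The two counts a business owner wants on a dashboard."""
    counts = {"open": 0, "mitigated": 0}
    for violations in check_all().values():
        for v in violations:
            counts["mitigated" if v.mitigation else "open"] += 1
    return counts


if __name__ == "__main__":
    for user, violations in check_all().items():
        for v in violations:
            state = f"mitigated by {v.mitigation}" if v.mitigation else "OPEN"
            print(f"{user}: {v.rule_id} {v.functions} via {v.roles} [{state}]")
    print(summary())  # {'open': 1, 'mitigated': 1}
```

The report lists the roles that combine to create each conflict, which is exactly the information a local manager needs to decide whether to remove a role, re-cut it, or accept the risk under a compensating control; a count of violations alone gives them nothing to act on.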
5. The SoD ‘business as usual’ process is hard to sustain without the controls step being automatically embedded in a workflow
A good start to process thinking is to develop a template for your end-to-end access control process for each business process and system, or at least the systems in compliance scope (although I recommend that you address all systems over time). It’s a simple matrix to build in Excel or Word, but, for most organizations, very difficult to complete! Try it, it’s a good indicator of maturity of process and system governance in the organization.
One of the biggest issues we identified is that Segregation of Duties remediation (the decisions and actions that need to be taken when SoD issues/violations arise) is a local business task, but business management are rarely prepared with the relevant information, knowledge and organizational best practice to discharge this responsibility effectively. As a result, it often gets ‘parked’, delegated or abdicated.
We shared some techniques in the webcast, which are free to use. You can see the webcast recording at http://www.consider.biz/webcast-last-mile-sod/
One of the key recommendations is to understand and agree the appropriate ‘Unit of Management’ (UoM) in the business for risk related Segregation of Duties decisions. In some organizations this is a region or a country, in others it’s a business unit/company. The key is to agree amongst stakeholders and process owners what the right level is, get it confirmed and communicated, and then to set about ‘Getting Decisions Made’.
Top tips to help you get decisions made amongst key stakeholders
• Develop an End-to-End Process Governance Framework and Understanding
• Develop an understanding of business risks vs business tasks vs business priorities
• Engage Units of Management in the decision-making process (not training them in your GRC tool)
• Design and operate EFFECTIVE compensating controls, and clarify the responsibility and accountability that comes from accepting residual SoD risk
• Develop a sustaining Business-as-Usual ‘Stay Clean’ user access control process
Interestingly, only 2% of those surveyed claimed to have compensating controls that worked effectively across the organization.
There are several reasons for this, but it underlines the fact that today’s end-to-end SoD approach is not serving organizations very well. It seems that much of the answer is in the process.
Any process that works effectively across an organization has some common characteristics:
• Consensus on Purpose or Desired Outcome
• A clear set of owners, stakeholders, and participants
• A mechanism to measure and communicate progress or successful completion
• A governance structure by which the process is steered, managed and overseen
• A clear process design – ‘what good looks like’
• Clear agreement on who is executing the individual parts of the process and where it takes place
• Some automation or enabling technology
• A defined set of skills and capability required against which resources can be allocated
• A mechanism to assess the impact on the customer, areas of success or underachievement, and to identify areas of improvement or required change
The end-to-end SoD process is no different. We need ALL these things. Without any one of these, the process falters and no amount of technology can assist!
Delegating the process to the IT department is not the answer. In fact, when you attempt to take this approach, it becomes obvious that it is not even possible. The majority of risk is in the business … IT can help but they are not in a position, nor should they be, to make business decisions on job roles, organization and process in business functions such as finance.
A template governance framework has been developed and shared in the webcast, and is represented by the image at the top of this post.
If you are involved in this SoD / Internal Controls journey, you can avoid a lot of frustration down the road if you focus your energies on engaging process owners (candidate or existing), stakeholders and participants in an objective self-assessment of current and desired achievement levels in each of the nine themes, axes, segments (or whatever you want to call them). This will drive consensus on achievements, issues and priorities for the future.
This article was originally written by Dan French, CEO of Consider Solutions in 2017 and updated by Sarah Fane in 2020