This Standard is intended to address the conflict of duties issues which could arise from user access administration within main business applications and the Information Services department. This section is intended for managers and supervisors authorizing user access requests, and for system administrators who are responsible for granting user access within business applications.

There are combinations of transactions within any business application which, when granted within the same user profile, increases the risk of accidental or deliberate modification or misuse.

The following matrices represent a "best possible" scenario. Strict adherence to the rules contained in the matrices may not be possible in some cases due to limited resources. However, these rules should be kept in mind when granting access rights to users. The matrices are only a representative sample for segregation of duties and do not cover all possible combinations where issues may exist.

Segregation of duties must be maintained between incompatible functions in order to minimize the potential for errors and fraud.

For each transaction within the business application, there should be adequate segregation of duties between the person authorizing the transaction (usually a supervisor or manager) and the person entering the transaction. It is also necessary to have adequate segregation between the person entering the transaction and the person validating it (usually a supervisor or manager). For example, the person authorizing a customer's credit limit should not be the person adding that data to the system. Also the person adding the information should not be the one who reviews or verifies those transactions for validity.

All employees capable of authorizing or assigning access rights are required to comply with the basic principles of conflict of duties as contained in this document.

Managers and supervisors are responsible for:

• Ensuring that user access requests are reasonable and necessary, and are correctly authorized
• Verifying that user access requests do not create unnecessary conflicts of duties within the business environment
• Establishing compensating controls to reduce the impact of conflicts of duties
• Annual reviews of user access rights to ensure privileges are necessary and current

Application administrators are responsible for:

• Ensuring user access requests are correctly authorized and reasonable
• Informing managers and supervisors of any conflicts of duties arising from their user access requests within the application
• Providing information to managers and supervisors to facilitate the annual review of application user access.

This matrix shows which disciplines should be kept separate from other disciplines in a well-regulated business environment. An "X" in a box indicates a Conflict of Duties.

General Ledger Postings - Creating and inputting of routine or manual journal vouchers and reversals, rolling of period-end totals, period reporting and opening new period procedures.

Review of Daily Ledger Postings - Verification of daily or weekly journal vouchers by a supervisor or manager.

GL Master Record Maintenance - Additions or changes to chart of accounts, assignment of document and batch number ranges, and mapping of financial information to corporate financial reporting structures.

NOTE: This matrix reflects segregation of duties best practices, and it may not be possible to enforce these guidelines in all situations. Ensure that compensating controls are established and adhered to in cases of non-conformity.

This matrix shows which disciplines should be kept separate from other disciplines in a well-regulated business environment. An "X" in a box indicates a conflict of duties between the horizontal and vertical fields.

Definitions:

Customer Data Maintenance - Updating of customer master data, inclusive of credit information.

Billing - Processing of customer invoice documentation.

Delivery / Distribution - Picking and expediting of goods to customer as per sales order pick lists.

Sales Order Management - Annual price change master updates, sales order inputting and maintenance.

Process Incoming Payments - Accounts receivable, including cash receipts and check deposits, posting to accounts and reconciliation.

Customer Credit Management - Assessment of customer credit worthiness, authorization and updating of credit limits, payment terms and customer price information.

Credit Issuing - Authorization, issuance and allocation of customer credit notes.

NOTE: This matrix reflects segregation of duties best practices, and it may not be possible to enforce these guidelines in all situations. Ensure that compensating controls are established and adhered to in cases of non-conformity.

This matrix shows which disciplines should be kept separate from other disciplines in a well-regulated business environment. An "X" in a box indicates a conflict of duties between the horizontal and vertical fields.

Definitions:

Vendor Master Data Maintenance - Authorizing and updating of vendor data, including terms of payment and contact information.

Vendor Invoice Processing - Validation and inputting of vendor invoices usually matched to GRN's and / or purchase orders.

Payment Processing - Validating Invoices, posting to accounts, issuing debit memos, processing electronic payments and checks.

Purchasing Activities - Vendor approval, requisition approval, purchase order management, vendor data maintenance.

Goods Receiving - Physical handling and checking of incoming goods, and booking in of the received / rejected amounts.

NOTE: This matrix reflects segregation of duties best practices, and it may not be possible to enforce these guidelines in all situations. Ensure that compensating controls are established and adhered to in cases of non-conformity.

This matrix shows which disciplines should be kept separate from other disciplines in a well-regulated business environment. An "X" in a box indicates a conflict of duties between the horizontal and vertical fields.

HR Admin - Inputting and processing of HR related data.

Payroll - Inputting of and processing of Payroll related data.

Benefits - Inputting of and processing of Benefits related data.

Accounting/GL - Inputting of and processing of Accounting/General Ledger related data.

NOTE: This matrix reflects segregation of duties best practices, and it may not be possible to enforce these guidelines in all situations. Ensure that compensating controls are established and adhered to in cases of non-conformity.

This matrix shows which disciplines should be kept separate from other disciplines in a well-regulated business environment. An "X" in a box indicates a conflict of duties between the horizontal and vertical fields.

Definitions:

Materials Master Maintenance Authorization and master updates of parts records.

Goods Receiving - Physical handling and checking of incoming goods, and booking in of the received / rejected amounts.

Inventory Management - Management of logical / physical stores, goods movements and stock bookings, excluding inventory checks.

Sales Order Management - Authorization and updating of Sales Orders, including schedules and EDI downloads.

Manufacturing & Production - Any manufacturing or production activity, including factory order management or manufacturing scheduling.

Delivery/Distribution - Picking and expediting of goods to customer.

Purchasing Activities - Vendor approval, requisition approval; purchase order management, vendor data maintenance.

This matrix shows which disciplines should be kept separate from other disciplines in a well-regulated business environment. An "X" in a box indicates a conflict of duties between the horizontal and vertical fields.

Analyst / Programmer - Interpreting user needs and determining applications to satisfy user requirements, maintaining production systems.

Application Input - Inputting of information through an application into application data files.

Operator - Performing of everyday computer operations, maintaining systems and peripherals, including removable media management and storage.

Database Administrator - Designing and administering of application data files, usually residing between the application and the operating system.

Security Administrator - Maintaining security and access to files and resources, violation monitoring and reviewing procedures for improved safety.

System Programming - Maintaining of non-application specific system software, including operating systems.

Quality Assurance - Testing and verifying of programs and changes for adherence to standards and functionality.

NOTE: This matrix reflects segregation of duties best practices, and it may not be possible to enforce these guidelines in all situations. Ensure that compensating controls are established and adhered to in cases of non-conformity.