Chapter 12: Segregation of Duties
This Standard is intended to address the conflict of duties issues which could arise from user access administration within main business applications and the Information Services department. This section is intended for managers and supervisors authorizing user access requests, and for system administrators who are responsible for granting user access within business applications.
There are combinations of transactions within any business application which, when granted within the same user profile, increase the risk of accidental or deliberate modification or misuse.
The following matrices represent a "best possible" scenario. Strict adherence to the rules contained in the matrices may not be possible in some cases due to limited resources. However, these rules should be kept in mind when granting access rights to users. The matrices are only a representative sample for segregation of duties and do not cover all possible combinations where issues may exist.
Segregation of duties must be maintained between incompatible functions in order to minimize the potential for errors and fraud.
For each transaction within the business application, there should be adequate segregation of duties between the person authorizing the transaction (usually a supervisor or manager) and the person entering the transaction. It is also necessary to have adequate segregation between the person entering the transaction and the person validating it (usually a supervisor or manager). For example, the person authorizing a customer's credit limit should not be the person adding that data to the system. Also, the person adding the information should not be the one who reviews or verifies those transactions for validity.
All employees capable of authorizing or assigning access rights are required to comply with the basic principles of conflict of duties as contained in this document.
Compensating controls must be put in place in the event that a user account contains conflict of duties issues.
Managers and supervisors are responsible for:
Application administrators are responsible for:
This matrix shows which disciplines should be kept separate from other disciplines in a well-regulated business environment. An "X" in a box indicates a Conflict of Duties.
                                | General Ledger Postings | Review of Daily Ledger Postings | GL Master Record Maintenance
General Ledger Postings         |                         | X                               | X
Review of Daily Ledger Postings | X                       |                                 |
GL Master Record Maintenance    | X                       |                                 |
Definitions:
General Ledger Postings - Creating and inputting of routine or manual journal vouchers and reversals, rolling of period-end totals, period reporting and opening new period procedures.
Review of Daily Ledger Postings - Verification of daily or weekly journal vouchers by a supervisor or manager.
GL Master Record Maintenance - Additions or changes to chart of accounts, assignment of document and batch number ranges, and mapping of financial information to corporate financial reporting structures.
NOTE: This matrix reflects segregation of duties best practices, and it may not be possible to enforce these guidelines in all situations. Ensure that compensating controls are established and adhered to in cases of non-conformity.
This matrix shows which disciplines should be kept separate from other disciplines in a well-regulated business environment. An "X" in a box indicates a conflict of duties between the horizontal and vertical fields.
Disciplines (columns and rows, in the same order): Customer Data Maintenance, Billing, Delivery/Distribution, Sales Order Management, Process Incoming Payments, Customer Credit Management, Credit Issuing.
[Matrix cells not recoverable from this copy; only the number of "X" marks in each row survives: Customer Data Maintenance 5, Billing 5, Delivery/Distribution 5, Sales Order Management 6, Process Incoming Payments 4, Customer Credit Management 5, Credit Issuing 6. Six marks in a row means a conflict with every other discipline.]
Definitions:
Customer Data Maintenance - Updating of customer master data, inclusive of credit information.
Billing - Processing of customer invoice documentation.
Delivery / Distribution - Picking and expediting of goods to customer as per sales order pick lists.
Sales Order Management - Annual price change master updates, sales order inputting and maintenance.
Process Incoming Payments - Accounts receivable, including cash receipts and check deposits, posting to accounts and reconciliation.
Customer Credit Management - Assessment of customer credit worthiness, authorization and updating of credit limits, payment terms and customer price information.
Credit Issuing - Authorization, issuance and allocation of customer credit notes.
NOTE: This matrix reflects segregation of duties best practices, and it may not be possible to enforce these guidelines in all situations. Ensure that compensating controls are established and adhered to in cases of non-conformity.
This matrix shows which disciplines should be kept separate from other disciplines in a well-regulated business environment. An "X" in a box indicates a conflict of duties between the horizontal and vertical fields.
                               | Vendor Master Data Maintenance | Vendor Invoice Processing | Payment Processing | Purchasing Activities | Goods Receiving
Vendor Master Data Maintenance |                                | X                         | X                  | X                     | X
Vendor Invoice Processing      | X                              |                           | X                  | X                     | X
Payment Processing             | X                              | X                         |                    | X                     | X
Purchasing Activities          | X                              | X                         | X                  |                       | X
Goods Receiving                | X                              | X                         | X                  | X                     |
Definitions:
Vendor Master Data Maintenance - Authorizing and updating of vendor data, including terms of payment and contact information.
Vendor Invoice Processing - Validation and inputting of vendor invoices, usually matched to GRNs (goods received notes) and/or purchase orders.
Payment Processing - Validating invoices, posting to accounts, issuing debit memos, processing electronic payments and checks.
Purchasing Activities - Vendor approval, requisition approval, purchase order management, vendor data maintenance.
Goods Receiving - Physical handling and checking of incoming goods, and booking in of the received / rejected amounts.
NOTE: This matrix reflects segregation of duties best practices, and it may not be possible to enforce these guidelines in all situations. Ensure that compensating controls are established and adhered to in cases of non-conformity.
This matrix shows which disciplines should be kept separate from other disciplines in a well-regulated business environment. An "X" in a box indicates a conflict of duties between the horizontal and vertical fields.
              | HR Admin | Payroll | Benefits | Accounting/GL
HR Admin      |          | X       |          | X
Payroll       | X        |         | X        | X
Benefits      |          | X       |          | X
Accounting/GL | X        | X       | X        |
Definitions:
HR Admin - Inputting and processing of HR-related data.
Payroll - Inputting and processing of payroll-related data.
Benefits - Inputting and processing of benefits-related data.
Accounting/GL - Inputting and processing of accounting/general ledger-related data.
NOTE: This matrix reflects segregation of duties best practices, and it may not be possible to enforce these guidelines in all situations. Ensure that compensating controls are established and adhered to in cases of non-conformity.
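As an added illustration that is not part of this Standard, the following Python check encodes the General Ledger, Purchasing and Human Resources matrices above as unordered conflict pairs and reports every user profile that combines two conflicting disciplines, i.e. every account for which a compensating control must be established. The user names and their access assignments are constructed sample data, not taken from any real system.

```python
"""Conflict-of-duties check over user access profiles (added illustration).

The conflict pairs are transcribed from the General Ledger, Purchasing and
Human Resources matrices of the Standard; the profiles are constructed samples.
"""
from itertools import combinations

# One set of conflicting discipline pairs per business application area.
# A frozenset pair is unordered, so the symmetry of each matrix is built in.
SOD_MATRICES = {
    "General Ledger": {
        frozenset({"General Ledger Postings", "Review of Daily Ledger Postings"}),
        frozenset({"General Ledger Postings", "GL Master Record Maintenance"}),
    },
    "Purchasing": {  # every pair of the five disciplines is marked "X"
        frozenset(p) for p in combinations([
            "Vendor Master Data Maintenance", "Vendor Invoice Processing",
            "Payment Processing", "Purchasing Activities", "Goods Receiving"], 2)
    },
    "Human Resources": {
        frozenset(p) for p in combinations(
            ["HR Admin", "Payroll", "Benefits", "Accounting/GL"], 2)
        if p != ("HR Admin", "Benefits")  # the only pair the matrix leaves blank
    },
}

def conflicts(disciplines):
    """Return (area, discipline_a, discipline_b) for every conflicting pair
    present in one user's profile, sorted for stable reporting."""
    found = []
    for area, pairs in SOD_MATRICES.items():
        for a, b in combinations(sorted(set(disciplines)), 2):
            if frozenset({a, b}) in pairs:
                found.append((area, a, b))
    return sorted(found)

def review_profiles(profiles):
    """Map each user to its conflicts; users without conflicts are omitted."""
    return {user: c for user, d in profiles.items() if (c := conflicts(d))}

# Constructed sample access profiles, as an administrator might export them.
SAMPLE_PROFILES = {
    "alice": ["General Ledger Postings", "GL Master Record Maintenance"],
    "bob":   ["Review of Daily Ledger Postings", "GL Master Record Maintenance"],
    "carol": ["Goods Receiving", "Vendor Invoice Processing", "Payroll"],
    "dave":  ["HR Admin", "Benefits"],
}

if __name__ == "__main__":
    for user, issues in review_profiles(SAMPLE_PROFILES).items():
        for area, a, b in issues:
            print(f"{user}: {area}: '{a}' conflicts with '{b}' - compensating control required")
```

Only alice (GL Postings with GL Master Record Maintenance) and carol (Goods Receiving with Vendor Invoice Processing) are reported; bob and dave hold combinations the matrices leave blank.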
This matrix shows which disciplines should be kept separate from other disciplines in a well-regulated business environment. An "X" in a box indicates a conflict of duties between the horizontal and vertical fields.
Disciplines (columns and rows, in the same order): Materials Master Maintenance, Goods Receiving, Inventory Management, Sales Order Management, Manufacturing & Production, Delivery/Distribution, Purchasing Activities.
[Matrix cells not recoverable from this copy; only the number of "X" marks in each row survives: Materials Master Maintenance 5, Goods Receiving 6, Inventory Management 6, Sales Order Management 6, Manufacturing & Production 5, Delivery/Distribution 5, Purchasing Activities 5. Six marks in a row means a conflict with every other discipline.]
Definitions:
Materials Master Maintenance - Authorization and master updates of parts records.
Goods Receiving - Physical handling and checking of incoming goods, and booking in of the received / rejected amounts.
Inventory Management - Management of logical / physical stores, goods movements and stock bookings, excluding inventory checks.
Sales Order Management - Authorization and updating of Sales Orders, including schedules and EDI downloads.
Manufacturing & Production - Any manufacturing or production activity, including factory order management or manufacturing scheduling.
Delivery/Distribution - Picking and expediting of goods to customer.
Purchasing Activities - Vendor approval, requisition approval, purchase order management, vendor data maintenance.
NOTE: This matrix reflects segregation of duties best practices, and it may not be possible to enforce these guidelines in all situations. Ensure that compensating controls are established and adhered to in cases of non-conformity.
This matrix shows which disciplines should be kept separate from other disciplines in a well-regulated business environment. An "X" in a box indicates a conflict of duties between the horizontal and vertical fields.
Disciplines (columns and rows, in the same order): Analyst / Programmer, Application Input, Operator, Database Administrator, Security Administrator, System Programming, Quality Assurance.
[Matrix cells not recoverable from this copy; only the number of "X" marks in each row survives: Analyst / Programmer 4, Application Input 5, Operator 4, Database Administrator 3, Security Administrator 3, System Programming 5, Quality Assurance 2.]
Definitions:
Analyst / Programmer - Interpreting user needs and determining applications to satisfy user requirements, maintaining production systems.
Application Input - Inputting of information through an application into application data files.
Operator - Performing of everyday computer operations, maintaining systems and peripherals, including removable media management and storage.
Database Administrator - Designing and administering of application data files, usually residing between the application and the operating system.
Security Administrator - Maintaining security and access to files and resources, violation monitoring and reviewing procedures for improved safety.
System Programming - Maintaining of non-application specific system software, including operating systems.
Quality Assurance - Testing and verifying of programs and changes for adherence to standards and functionality.
NOTE: This matrix reflects segregation of duties best practices, and it may not be possible to enforce these guidelines in all situations. Ensure that compensating controls are established and adhered to in cases of non-conformity.