Learning Center
Plans & pricing Sign in
Sign Out

Beyond the Obvious for Segregation of Duties Implementing a


									Beyond the Obvious for Segregation of Duties:
Implementing a Hierarchical Segregation of Duties
Approach and Other Challenges
By Anthony Tarantino and Jeff Hare

Segregation of Duties (SOD) has much greater scrutiny with the process controls requirements
mandated by Section 404 of the Sarbanes Oxley Act (SOX). Segregation of duties should
include the assurance that no one individual has the physical and system access to control all
phases of a business process or transaction: from authorization to custody to record keeping.
When conflicts exist in segregation of duties, organizations can be exposed to significant risks.
Auditors are looking for conflicts in segregation of duties in which one individual has access to
responsibilities which are inherently in conflict with one another, such as purchasing and
accounts payable, purchasing and receiving, general ledger and supply management, etc. The
conflicts can be caused by innocent and unintentional errors or by intentional and criminal fraud.

Current State of Segregation of Duties (SOD)
Most companies have been scrambling to identify SOD conflicts and remediate them in their
applications, but may have overlooked some areas of exposure that could cause problems in
the future.

We will discuss four of these problems. The first is the ability to override the given controls
based on positional authority, the second relates to positions that support and maintain the
applications that can override the controls, the third is the ‘critical request’ situations, and the
final relates to controls that overlap process and application controls.

Overriding process controls as it pertains to SOD
To relate SOD to the procure-to-pay process, a successful SOD would separate the following

The conventional view of most auditors is that good segregation of duties will greatly reduce the
chances of unilateral errors or fraud and require collusion between or among multiple
employees in order for errors to occur without detection. While this is true, it is only a narrow
view that does not consider how segregation of duties relates to hierarchical approvals.
Hierarchical, or multi-level, approvals refer to a concept whereby authorizations are attached to
positions in a hierarchy, rather than to individual users. The Procure to Pay process is perhaps
the best example of this type of controls whereby PO’s are approved at increasing dollar values
as they go up the hierarchy. The traditional approach to developing and monitoring SOD often
leaves out the possibility that the process controls can be overridden at some level of the

Further complicating the ability to maintain segregation of duties and provide viable checks and
balances, consider the same reporting relationship in a global organization in which each
functional area is located in different time zones or even different continents, with users
speaking different languages. In many of these locations, American-based notions of ethics and
corporate governance are not understood or followed. Many of those who handle these
Beyond the Obvious for Segregation of Duties:
Implementing a Hierarchical Segregation of Duties
Approach and Other Challenges
By Anthony Tarantino and Jeff Hare

transactions may be clerical level folks who are conditioned to follow instructions without
questioning or evaluating them.

The Need for a Hierarchical Segregation of Duties (HSOD)
What is needed is a hierarchical segregation of duties (HSOD) approach, which at a minimum
would do the following:

       1. Identify individual conflicts in segregation of duties
       2. Identify the roles and responsibilities of the individuals involved
       3. Identify the reporting relationships of the individuals involved
       4. Identify HSOD conflicts that occur at higher levels within the organization

While the existing SOD controls may be able to identify and prevent obvious conflicts that occur
at clerical and transactional levels, they do nothing to address the ease at which higher level
supervisors and managers may make mistakes or commit fraud. Just as important, a narrow
SOD approach does not address the need for executive level SOD, i.e., the need for critical
business decisions to be reviewed and approved by key stakeholders outside of their area. For
instance, key stakeholders in finance and sales should review long term planning and
forecasting supply management decisions, while sales forecasts should be approved by key
stakeholders in supply management and finance.

 In our example, good business practice would argue that supplier master control should be
segregated from all supply chain and procurement responsibilities fairly high up in the hierarchy.
It would look something like this:
Beyond the Obvious for Segregation of Duties:
Implementing a Hierarchical Segregation of Duties
Approach and Other Challenges
By Anthony Tarantino and Jeff Hare

The prevention of errors and wrongdoing is only one aspect of the HSOD process. What follows
is a checklist of areas of concern in the procure-to-pay process that from a HSOD approach:

       Auditor Tests, a Snapshot in Time. Auditor tests, both manual and using software
       tools, are often times only a snapshot in time. Their activities and schedules are
       typically well understood by company employees. There may be little to prevent internal
       users from changing responsibilities to pass an audit and then changing them back after
       the auditors depart. Most organizations lack the sophisticated controls to catch the

       Planning, Scheduling, and Forecasting Controls: Ironically most organizations have
       developed very robust controls to for procurement and payments processes, but have
       typically done much less to control the overall master scheduling, planning and
       forecasting process. One error or intentional fraud at this level can cascade down into
       hundreds of mistakes at the execution level within procurement, and supply
       management. This process is further complicated by the global and outsourced nature
       of many organizations. Controlling the process is further complicated when the players
       are located in different countries and or are the product of multiple mergers and
       acquisitions. The typical SOD approach does not address these issues. A robust HSOD
       solution should include approval workflows that standardize and automate the review
       and approval of master schedules, forecasts, and plans. Ideally, the process would
       include a risk assessment around the various planning and forecasting assumptions and

       Buyer/Planner Approach: Many organizations have adopted a buyer/planner (or
       buyer/scheduler) approach in which the traditional purchasing and planning functions are
       merged under one individual. The segregation of these functions provides checks and
       balances, but creates inefficiencies and delays. As mentioned above, very tight controls
       are typically in place to control procurement within most organizations, but the controls
       around the master scheduling, planning, and forecasting processes are typically much
       looser. This is true at a senior level or at a buyer/planner level. Auditors may lack an
       understanding of the complexity of this process to develop adequate tests scenarios and

So Why Is This Essential? – Examples of SOD and HSOD Fraud

Various surveys have shown that most fraud is committed at executive levels of organizations.
This is not to minimize the impact of fraud at lower levels, which SOD will help to prevent. What
follows is an example of SOD and HSOD Fraud. We will suggest that HSOD fraud is a much
larger risk than SOD fraud. To paraphrase the classic TV show, the stories are true, but the
names (commodities) have been changed to protect the innocent (and the author).

       SOD Fraud: A major appliance manufacturer had a very profitable repair depot in which
       appliances both within and beyond warranty would be received from customers,
       repaired, renovated and returned. If the units were beyond repair, they would be scraped
       and the units replaced with a rebuilt or new unit. The guy running the repair depot was
Beyond the Obvious for Segregation of Duties:
Implementing a Hierarchical Segregation of Duties
Approach and Other Challenges
By Anthony Tarantino and Jeff Hare

       technically adequate, but the consensus of management was that he was not very bright
       and required a lot of hand holding as to how to perform the required system
       transactions. In his position, he would perform receiving transactions (from customers),
       inventory transactions (scraping units, and issuing components) and shipping
       transactions (to customers.). Well, he was actually dumb as a fox, running a side
       business selling refurbished units. It was actually quite simple. He created a false scrap
       transaction for a unit that he would then refurbish and sell to some of the company’s
       customers at very discounted prices. Since he was in control of all the required
       transactions, no one in the organization suspected the fraud, until the Saturday
       afternoon that a senior manager came into the office to catch up on some work and
       caught him loading a truck with several units. It was estimated that he was recognizing
       $50,000 per year in his venture.

       HSOD Fraud: A major automotive accessories manufacturer purchased a great deal of
       aluminum coils. This could be procured by actual net weights or by a theoretical
       minimum weight calculation (TMW). Using TMW, the buyer typically pays a small
       premium but is assured of only paying for the theoretical minimum weight and not actual
       and higher net weights of materials. The head of operations made a deal with the
       company’s largest supplier to defraud the company by charging for more weight than
       actually received. It required her to manipulate the purchasing, receiving and accounts
       payable processes. She convinced a naïve and inexperienced buyer that the PO’s to the
       supplier were in TMW, and therefore did not need to be weighted upon receipt. The truth
       is that TMW purchases should be weighed and the TMW calculations verified by
       determining the length of coils. In turn, the buyer instructed receiving not to weigh coils
       because they were TMW. The head of operations helped her cause by preventing the
       purchase of an electronic scale large enough to weigh the great majority of coils.
       Receiving was instructed to enter the weights on the packing lists as the actual net
       weights, so accounts payable and finance had no reason to suspect fraud. A consultant
       was hired by the company president to revamp the organization. Unfortunately for the
       head of operations, she had a background in buying TMW and suspected fraud. She
       verified it by weighing the smaller coils that the electronic scale could accommodate.
       Every coil was 7% to 10% underweight. The calculated fraud was over $1 million per
       year and had been in place for five years

Support and Maintenance Positions that can Override Controls
Due to the complexities in the maintenance and support of ERP applications, many IT
departments (or external consultants) have virtually unlimited access as System Administrators
or as Super Users. There is often a need for Super Users to access “production” environments.
Granting access to a production system to such Super Users adds a level of risk as they may
override the controls during system support. Unlike in mainframe environments, technology
limitations in the database make it impossible from a performance perspective to provide a
complete audit trail on a user. Audit trails are developed on a table by table basis, but due to
the extreme volume in some transactional tables such as where payables invoices or purchase
orders are stored, a complete audit trail cannot be developed for Super Users who are often
given unlimited access to the applications for the sake of supporting the production users.

The role of the System Administrator is another area of significant risk. The System
Administrator role grants access to business functions and are often held by someone with
Beyond the Obvious for Segregation of Duties:
Implementing a Hierarchical Segregation of Duties
Approach and Other Challenges
By Anthony Tarantino and Jeff Hare

other roles such as a development, Super User or even database administration. In many
companies, the System Administrator is the final gatekeeper to prevent a user from getting
access to two or more functions that could give that user the ability to violate SOD. Because of
this role, they inevitable become familiar with how a user is able to violate good controls. With
this knowledge and the System Administrator role they have the ability to violate SOD and
internal controls. Write access to the database adds even further risk and should be considered
as well in the design of SOD controls.

Business Critical Situations and the Override Possibilities
Has your business ever been forced to override process controls because of business critical
issues? Have you had situations of parts shortages or supplier quality issues that have caused
your company to circumvent process controls or face shutting down your production line? How
many times have you overridden process controls for the sake of expediency or because a key
approver was on vacation or tied up in a meeting? If so, you have overridden process controls
and have caused a violation of your controls.

Does your process documentation account for the override of such controls and define when
and who can override the controls?

A good business practice would argue that supplier master control should be segregated from
all supply chain, procurement and payables responsibilities. Does your process of adding
suppliers define when and who can override such controls. If not how can you expect the clerk
to discern when it is appropriate to override such controls because of critical business reasons.
What if it is their boss who asks for the override of such controls and their boss also happens to
have the ability to enter invoices in Payables or create Purchase Orders? Perhaps this one
override of the control has allowed that manager to commit fraud.

So, in the definition of process controls, don’t be so idealistic. Make sure that the ‘exceptions’ to
this process are clearly defined. If such decisions are made on the fly, you can’t always count
on someone to make the right decision. Such violation of the process controls then becomes a
control that hasn’t been in place for the whole quarter and will require extra scrutiny when your
CFO and CEO are making your company’s quarterly 302 controls assertions and your 404

Controls spanning both process and application controls
Have you properly identified and develop controls that span both basic process controls and
associated have applications controls?

We will look at the example of entering a supplier, which is a key function that should not be
held by anyone who has the ability to enter invoices or enter purchase orders. There are two
components to this process. The first is the identification and approval from of the use of that
supplier. This should include a qualification of that supplier that they are capable of providing
you with the goods or services at the quantity that you need and that they are financially sound.
After this qualification process, you then need to enter such supplier in your payables and/or
purchasing system. Often the focus is one discipline but not the whole picture.

The process should start with the completion of the form by the supplier or third party
verification of the forms data entry to an external database containing public records to verify
Beyond the Obvious for Segregation of Duties:
Implementing a Hierarchical Segregation of Duties
Approach and Other Challenges
By Anthony Tarantino and Jeff Hare

the validity of the supplier and the accuracy of the information entered. This prevents someone
from fraudulently completing the New Supplier Form. This is a process control that happens
outside any system.

Next, the ability to enter the supplier in your payables and/or purchasing system must be
considered so that the person with this function doesn’t also have the ability to enter invoices or
enter purchase orders.

Hence, the controls for the business process of entering a supplier need to be reviewed both
from a process and application perspective.

Finally, as noted earlier, the process to override the current process for ‘critical’ requests should
be clearly stated. This would include who is authorized to override the policy and under what
circumstances. This makes it clear to the gatekeeper of the process when and by whom the
process can be overridden so that there can be no confusion.

For companies, getting through the initial section 404 audits is the top priority and has included
measures to address SOD conflicts. However, several issues may still need to be addressed as
2005 is upon us and 302 reports are being issued.

The danger is to be lulled into a false sense of security because auditors didn’t catch the issues
during the 404 audits or haven’t yet addressed them in their questionnaires and audit plans.
However, just as companies are becoming more sophisticated in the identification of issues,
auditors are also becoming smarter about the various risks at a more detailed level.

I, for one, wouldn’t want my auditor to identify such issues in next year’s 404 audit.

Reference: Copied in part from “Hierarchical Segregation of Duties” by Anthony Tarantino,
Cutter IT Journal, Volume 7, Number 22, December 2004.

Questions and Comments: The authors welcome your questions and comments. Tony can
be reached at and Jeffrey can be reached at

About the Authors:

Anthony Tarantino, Ph.D., CPIM, CPM
Anthony Tarantino is an expert in supply chain management with 10 years of executive-level
consulting experience and 20 years of industry experience in supply management. Dr. Tarantino
has nearly 30 years’ experience in management positions in a variety of industries. He is
now helping clients on how to achieve supply chain excellence with improved corporate
governance. He is a regular contributor to various publications, including Inside Supply
Management, Sarbanes-Oxley Compliance Journal, Cutter IT Journal, and Line 56 on topics
such as corporate governance and Sarbanes-Oxley as well as informational supply chain and e-
business. Dr. Tarantino holds a CPIM from APICS, is pursuing his lifetime Certified Purchasing
Manager (CPM) certification from the Institute of Supply Management (ISM), has a Ph.D. in
Beyond the Obvious for Segregation of Duties:
Implementing a Hierarchical Segregation of Duties
Approach and Other Challenges
By Anthony Tarantino and Jeff Hare

organizational communications from the University of California, Irvine, and a B.A. from the
University of California, Santa Cruz. He can be reached at

Jeffrey T. Hare, CPA
Jeffrey T. Hare is the founder and President of ERP Seminars. He is CPA and is one of the
thought leaders on SOX Compliance in an Oracle Applications Environment. His experience
prior to coming into the Oracle Applications space includes Public Accounting, Controller and
CFO roles. His Oracle experience includes PM as a client in his Controller role and over five
years of consulting experience. He has written many white papers on SOX compliance in an
Oracle Applications Environment and has written articles for various industry publications. He
can be reached at White papers can be requested at

To top