Understanding the Basics of Segregation of Duties (SoD) in SAP GRC
What Does Segregation of Duties (SoD) Mean?
Segregation of duties typically means separating the various tasks that a job involves and assigning responsibility for these tasks to different individuals. To understand segregation of duties, we should know how businesses process transactions relating to income and expense. For example, one employee in a company may draft a purchase order (PO), whereas another employee is authorized to approve it. Another staff member in the accounts payable department must approve the invoice for payment. Thus the various responsibilities and authorities are segregated. This is essential to minimize the abuse of authority.
The Importance of SoD in Compliance
With the Sarbanes-Oxley Act (SOX) mandating that public companies undertake specific verifiable steps to ensure accuracy in financial reporting, SAP GRC, as a core control over financial reporting, figures prominently in these companies' compliance policies. SOX requires that an Internal Control Report be a part of all annual financial statements. The report should describe the management's responsibility for an "adequate" internal control structure, and should also contain an assessment by the management of the effectiveness of the control structure. SoD, therefore, is critical in ensuring an effective internal control structure.
SAP and SoD
SoD, these days, is a matter of user account access controls and rules, as almost all corporate accounting and finance activities are carried out with the help of software. SAP, as part of its SAP security framework, offers automated tools for SoD (SAP Segregation of Duties), logging access, transactions, and other SoD-related information. These features form a part of a more comprehensive GRC set of access and process controls that help you manage your internal security model and, at the same time, remedy compliance issues, all the while monitoring potential business risks within your SAP system. SAP GRC access controls let you decide what users can do, and they also track exactly what your users are doing.
With SAP SoD, the SAP access controls and transaction permissions perfectly match the SoD requirements. For example, rules in the system prohibit a person from doing anything outside his sphere of responsibilities, and SoD gets enforced.
SAP Environments: SoD Challenges
Business environments are always dynamic. Organizational structures these days are more fluid. Significant changes occur in the roles and responsibilities of individual employees, thus creating SoD conflicts.
When a conflict of this nature arises, the SAP GRC framework calls for mitigating controls. Identifying and resolving SoD conflicts, however, depends on manual steps; for example, review of payment ledgers and vendor lists. This process is cumbersome and time-consuming. It is also deficient in terms of systematic risk and usage analysis, and real-time alerts for potential violations of SoD controls. Without consistent compliance reports, reviews, and sign-offs in place, the risks may go unnoticed for long periods. This is why SAP GRC is so critical when it comes to risk and compliance management.
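The conflict check described above can be automated in outline, as the following added example shows; it is not SAP GRC code or its rule set. The role names, duty names, rule IDs, users, and the mitigation entry are all constructed assumptions based on the purchase order example earlier in the article.

```python
from itertools import combinations

# Constructed sample data (hypothetical names, not SAP identifiers).
ROLE_DUTIES = {
    "buyer": {"create_po"},
    "purchasing_manager": {"approve_po"},
    "ap_clerk": {"approve_invoice"},
    "temp_cover": {"create_po", "approve_po"},  # a single role that conflicts by itself
}
# Duty pairs that one person must not hold together, keyed to a rule ID.
CONFLICT_RULES = {
    frozenset({"create_po", "approve_po"}): "R01",
    frozenset({"approve_po", "approve_invoice"}): "R02",
    frozenset({"create_po", "approve_invoice"}): "R03",
}
USER_ROLES = {
    "alice": ["buyer"],
    "bob": ["buyer", "purchasing_manager"],   # kept the old role after a job change
    "carol": ["purchasing_manager", "ap_clerk"],
    "dave": ["temp_cover"],
}
# Documented mitigating controls, keyed by (user, rule ID).
MITIGATIONS = {("carol", "R02"): "monthly payment ledger review"}

def duties_for(user):
    """Expand a user's roles into duties, remembering which roles grant each duty."""
    held = {}
    for role in USER_ROLES.get(user, ()):
        for duty in ROLE_DUTIES.get(role, ()):
            held.setdefault(duty, set()).add(role)
    return held

def find_conflicts(user):
    """Return one finding per conflict rule that the user's combined duties violate."""
    held = duties_for(user)
    findings = []
    for a, b in combinations(sorted(held), 2):
        rule = CONFLICT_RULES.get(frozenset({a, b}))
        if rule:
            findings.append({
                "user": user, "rule": rule, "duties": (a, b),
                "roles": sorted(held[a] | held[b]),
                "mitigation": MITIGATIONS.get((user, rule)),
            })
    return findings

def unmitigated():
    """Conflicts across all users that have no mitigating control on record."""
    return [f for u in sorted(USER_ROLES) for f in find_conflicts(u)
            if f["mitigation"] is None]

if __name__ == "__main__":
    for f in unmitigated():
        print(f"{f['user']}: {f['rule']} {f['duties']} via roles {f['roles']}")
```

Because the check works on duties rather than role names, it flags both accumulated roles (bob) and a single over-broad role (dave), while carol's conflict is reported with its mitigating control attached.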
Appsian is one of the leading ERP data security, compliance, and implementation solutions providers, giving organizations complete control and visibility over their ERP data.