Overview
Corporate governance legislation, such as the Sarbanes-Oxley Act of 2002, demands that organizations introduce stronger internal controls into their business processes. Among these internal controls is segregation of duties.
Segregation of duties refers to the notion that the duties of individuals in an organization should be limited to certain areas of responsibility, so as to minimize the ability of any individual to misappropriate company property. Segregation of duties prevents a single user from performing two or more phases of a transaction or operation. If a person can commit and conceal errors, irregularities, or both while performing day-to-day activities, they have generally been assigned or allowed access to incompatible duties or responsibilities.
The ability to automate and report on internal controls, such as segregation of duties, reduces the likelihood of non-compliance with corporate governance regulations and also reduces compliance-related costs.
Segregation of Duties Example shows the separation of business functions within an organization that enforces segregation of duties. Pam is responsible for maintaining supplier invoices and has been assigned the SuppInvCr role. All users assigned this role can create supplier invoices using Supplier Invoice Create.
Figure: Segregation of Duties Example
Steve is responsible for creating supplier payment records and is assigned to the SuppPayCr role. All users assigned this role can create and modify supplier payments; however, they cannot maintain supplier invoices since this ability would violate segregation of duties policy.
Segregation of Duties Violation shows the business functions within an organization that has not implemented segregation of duties, or that has permitted a known segregation of duties violation. In this example, users assigned the SuppInvCr role can create supplier payments as well as supplier invoices.
Figure: Segregation of Duties Violation
Segregation of duties is achieved in the system by assigning application resources to a finite number of user-defined segregation of duties categories. A segregation of duties category is a way of grouping compatible system activities.
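The following is an added example, not code from the product documentation, that models the mechanism just described: application resources grouped into user-defined segregation of duties categories, roles that grant resources, and a policy naming incompatible category pairs. It reuses the page's role and resource names (SuppInvCr, SuppPayCr, Supplier Invoice Create); the category names AP_INVOICE and AP_PAYMENT, the extra "Modify" resources and the conflict policy are assumptions made for illustration.

```python
# Added example (not from the product documentation): a minimal segregation-of-duties
# check. Resources map to SoD categories, roles grant resources, and a policy declares
# which category pairs no single user may hold. Category names and the policy are
# constructed for illustration; role/resource names follow the page's example.
from itertools import combinations

# Application resource -> SoD category (category names are assumed)
RESOURCE_CATEGORY = {
    "Supplier Invoice Create": "AP_INVOICE",
    "Supplier Invoice Modify": "AP_INVOICE",
    "Supplier Payment Create": "AP_PAYMENT",
    "Supplier Payment Modify": "AP_PAYMENT",
}

# Category pairs that must never be reachable by one user (constructed policy)
INCOMPATIBLE = {frozenset({"AP_INVOICE", "AP_PAYMENT"})}

# Role -> resources it grants, as in the "Example" figure
ROLES_OK = {
    "SuppInvCr": {"Supplier Invoice Create", "Supplier Invoice Modify"},
    "SuppPayCr": {"Supplier Payment Create", "Supplier Payment Modify"},
}
# As in the "Violation" figure: SuppInvCr also grants supplier payment creation
ROLES_VIOLATING = {
    "SuppInvCr": {"Supplier Invoice Create", "Supplier Payment Create"},
    "SuppPayCr": {"Supplier Payment Create", "Supplier Payment Modify"},
}

def categories_for(roles, role_defs):
    """Collapse a user's roles to the set of SoD categories they can reach."""
    return {RESOURCE_CATEGORY[r] for role in roles for r in role_defs[role]}

def sod_violations(user_roles, role_defs):
    """Return the incompatible category pairs a user reaches, as sorted tuples."""
    cats = categories_for(user_roles, role_defs)
    return sorted(tuple(sorted(pair)) for pair in combinations(cats, 2)
                  if frozenset(pair) in INCOMPATIBLE)

def audit(assignments, role_defs):
    """Report every user whose combined role assignments breach the policy."""
    return {u: v for u, roles in assignments.items()
            if (v := sod_violations(roles, role_defs))}

if __name__ == "__main__":
    users = {"Pam": {"SuppInvCr"}, "Steve": {"SuppPayCr"}}
    print(audit(users, ROLES_OK))          # {} : duties are separated
    print(audit(users, ROLES_VIOLATING))   # {'Pam': [('AP_INVOICE', 'AP_PAYMENT')]}
    # A user who accumulates both roles over time is flagged the same way
    print(audit({"Pam": {"SuppInvCr", "SuppPayCr"}}, ROLES_OK))
```

The same check catches both shapes of violation the page describes: a role that itself bundles incompatible resources, and a user who holds two otherwise-clean roles whose categories conflict.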
Setting up segregation of duties in your system is optional. However, the decision whether or not to use segregation of duties should be made first in your security implementation planning. For details, see Implementation Summary.