Overview
Corporate governance legislation, such as the Sarbanes-Oxley Act of 2002, demands that organizations introduce stronger internal controls into their business processes. Among these internal controls is segregation of duties.
Segregation of duties refers to the notion that the duties of individuals in an organization should be limited to certain areas of responsibility, so as to minimize the ability of any individual to misappropriate company property. Segregation of duties prevents a single user from performing two or more phases of a transaction or operation. See Segregation of Duties Verification for an introduction to the rules on which segregation of duties is based.
If a person can commit and conceal errors, irregularities, or both while performing day-to-day activities, they have generally been assigned or allowed access to incompatible duties or responsibilities.
The ability to automate and report on internal controls, such as segregation of duties, reduces the likelihood of non-compliance with corporate governance regulations and also reduces compliance-related costs.
Segregation of Duties Example shows the separation of business functions within an organization that enforces segregation of duties. Pam is responsible for maintaining supplier invoices and has been assigned the SuppInvCr role. All users assigned this role can create supplier invoices using Supplier Invoice Create.
Segregation of Duties Example
Steve is responsible for creating supplier payment records and is assigned to the SuppPayCr role. All users assigned this role can create and modify supplier payments; however, they cannot maintain supplier invoices since this ability would violate segregation of duties policy.
Segregation of Duties Violation shows the business functions within an organization that has not implemented segregation of duties, or which has permitted a known segregation of duties violation. In this example, users assigned the SuppInvCr role can create supplier payments as well as supplier invoices, so a single person can perform both phases of the transaction.
Segregation of Duties Violation
Segregation of duties is achieved in the system by assigning application resources to a finite number of user-defined segregation of duties categories. A segregation of duties category is a way of grouping compatible system activities.
Setting up segregation of duties in your system is optional. However, the decision whether or not to use segregation of duties should be considered first in your security implementation planning. For details, see Implementation Summary.
Segregation of Duties Verification
The system verifies the integrity of your defined segregation of duties policy by ensuring that the following two rules are not violated:
• Rule 1 verifies that the assignments specified do not violate role permissions compliance; that is, all the resources to which a role grants access must be associated with compatible segregation of duties categories.
• Rule 2 verifies that the assignments specified do not violate role membership compliance; that is, all roles to which a user belongs must be associated with compatible segregation of duties categories.
Each system user is logically associated with a set of segregation of duties categories, indirectly, through the user’s role assignment.
The SOD Block All Rule Violations field in SOD Configuration (36.3.27.14) controls whether the system should block any changes to role-based security that would allow users to access conflicting resources. If this field is cleared, administrators are not blocked from providing users with access to functions with conflicting segregation of duties categories. However, a violation is raised and written to the segregation of duties logs.
Important: In the context of this chapter, the term administrator refers to the user who maintains a company’s security settings.
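The following is an added worked example of the two verification rules and of the SOD Block All Rule Violations setting; it is an illustration written for this page, not the product's own code. It assumes that category compatibility is expressed as a list of conflicting category pairs (any pair not listed is compatible), and the category names, the resource list beyond the two functions named above, and the log line format are all constructed for the example.

```python
# Added worked example: SOD verification rules 1 and 2 and the
# "Block All Rule Violations" flag. Not the product's own code.
from dataclasses import dataclass, field
from itertools import combinations

# Assumption: compatibility is defined by listing the category pairs that
# must not be reached by one role or one user; unlisted pairs are compatible.
CONFLICTS = {
    frozenset({"SUPP_INVOICE", "SUPP_PAYMENT"}),
    frozenset({"SUPP_MASTER", "SUPP_PAYMENT"}),
}

# Each application resource is assigned to exactly one SOD category
# (constructed list; the page names only the supplier invoice/payment functions).
RESOURCE_CATEGORY = {
    "Supplier Invoice Create": "SUPP_INVOICE",
    "Supplier Invoice Maintain": "SUPP_INVOICE",
    "Supplier Payment Create": "SUPP_PAYMENT",
    "Supplier Payment Maintain": "SUPP_PAYMENT",
    "Supplier Maintain": "SUPP_MASTER",
}

# The compliant state from the "Segregation of Duties Example" figure.
SAMPLE_ROLES = {
    "SuppInvCr": {"Supplier Invoice Create", "Supplier Invoice Maintain"},
    "SuppPayCr": {"Supplier Payment Create", "Supplier Payment Maintain"},
}
SAMPLE_USERS = {"Pam": {"SuppInvCr"}, "Steve": {"SuppPayCr"}}


def conflicting_pairs(categories):
    """Sorted list of incompatible category pairs; empty when all are compatible."""
    return [p for p in combinations(sorted(set(categories)), 2) if frozenset(p) in CONFLICTS]


def role_categories(roles, role):
    """Categories a role reaches through the resources it grants."""
    return {RESOURCE_CATEGORY[res] for res in roles[role]}


def user_categories(roles, users, user):
    """Categories a user reaches indirectly, through every role they hold."""
    return set().union(*(role_categories(roles, r) for r in users[user]))


def check_rule1(roles):
    """Rule 1 (role permissions compliance): one role must not grant conflicting categories."""
    violations = {}
    for role in roles:
        bad = conflicting_pairs(role_categories(roles, role))
        if bad:
            violations[role] = bad
    return violations


def check_rule2(roles, users):
    """Rule 2 (role membership compliance): one user's roles must not reach conflicting categories."""
    violations = {}
    for user in users:
        bad = conflicting_pairs(user_categories(roles, users, user))
        if bad:
            violations[user] = bad
    return violations


@dataclass
class SecurityAdmin:
    """Role-maintenance functions as an administrator would use them, under the SOD flag."""
    roles: dict
    users: dict
    block_all_rule_violations: bool = True   # the SOD Block All Rule Violations field
    sod_log: list = field(default_factory=list)

    def _commit(self, roles, users, change):
        """Verify the proposed state; block, or apply and log, per the flag."""
        r1, r2 = check_rule1(roles), check_rule2(roles, users)
        if r1 or r2:
            if self.block_all_rule_violations:
                return False                      # change refused, state untouched
            # Flag cleared: the change goes through but a violation is logged.
            self.sod_log.append(f"SOD VIOLATION {change}: roles={r1} users={r2}")
        self.roles, self.users = roles, users
        return True

    def grant_resource(self, role, resource):
        """Add a resource to a role (verified by Rule 1)."""
        roles = {**self.roles, role: self.roles.get(role, set()) | {resource}}
        return self._commit(roles, self.users, f"{resource} -> {role}")

    def assign_role(self, user, role):
        """Add a user to a role (verified by Rule 2)."""
        users = {**self.users, user: self.users.get(user, set()) | {role}}
        return self._commit(self.roles, users, f"{role} -> {user}")


if __name__ == "__main__":
    admin = SecurityAdmin(SAMPLE_ROLES, SAMPLE_USERS, block_all_rule_violations=False)
    print("applied:", admin.grant_resource("SuppInvCr", "Supplier Payment Create"))
    print(*admin.sod_log, sep="\n")
```

Both rules are evaluated against the whole resulting state rather than only the changed assignment, so a violation that was permitted earlier with the flag cleared is reported again on every later change until it is corrected; that is the behaviour a reviewer of the SOD logs should expect, and it is why the flag is best set before any roles are populated.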