Actual SOD Detection vs SOD Rules
By Dr Neil Patrick
The GRC community knows Segregation of Duties (SOD) needs to be managed. Unfortunately, though, it is often relegated as an IT back-office function and not seen as a risk with real business consequences.
In reality the business risks are significant and can lead to real financial harm. Example risks include fraud, financial misstatements and annual report errors, misappropriation of assets, regulatory non-compliance, and opportunities for collusion, which make financial wrongdoing difficult to control. In addition to the financial loss when a risk becomes an actual event, there are remediation costs and the likelihood of additional fines for regulatory non-compliance.
There are a number of regulations that mandate SOD controls, for example the Sarbanes-Oxley Act in the USA and its cousins around the world (e.g. Germany, Canada, Japan, France, India, Australia, South Africa; the UK is still working on it), the Payment Card Industry Data Security Standard, Basel III for the banking sector, and the General Data Protection Regulation (GDPR) in the EU. Most of these carry fines, sometimes personal to executives, for non-compliance.
Various frameworks and standards also mandate SOD controls, such as the COSO Internal Control Framework, National Institute of Standards and Technology (NIST), and the International Standards on Auditing (ISA).
Financial Impacts
Financial losses due to SOD violations can be significant. For example, the Association of Certified Fraud Examiners 2024 Report to the Nations estimates that while the median loss per occupational fraud case is $145,000, 21% are above $1 million. Mid-market organisations with less mature internal control frameworks have a higher median loss of $200,000 per incident.
Historical large SOD related losses include Societe Generale at $7.2 Billion in 2008 due to a rogue trader exploiting SOD weaknesses in trading and controls, Peregrine Financial Group at $215 Million in 2012 where the CEO forged bank statements for 20 years due to control gaps, and Koss Corporation at $34 Million in 2010 where the VP of Finance embezzled funds due to lack of oversight.
One might say these are all old cases and therefore don’t really relate to today’s organisations. But this is incorrect and careless reasoning. The problem isn’t that the type of SOD is old or known – which may well be true – it’s that organisations don’t check. Or don’t check thoroughly.
It’s instructive to examine a more recent transgression in some detail: Circor International, whose weak SOD and poor internal controls enabled accounting fraud during 2019-2021.
Circor International had a subsidiary called Pipeline Engineering that maintained its own books in its own accounting system and sent financial statements to Circor International.
Pipeline Engineering’s finance director at the time was the only employee with access to both Pipeline’s local accounting system and Circor’s consolidation system, and had the responsibility for transmitting Pipeline’s financial statements and reconciling the updated information in both systems. Circor corporate treasury couldn’t independently verify cash balances and activity at Pipeline.
Circor’s senior management knew this was a problem at the time. Worse, the external auditors at the time flagged weaknesses in Circor’s internal controls. They changed auditors the next year, who for some unknown reason did not pick up the weaknesses.
The financial director was able to:
- Overstate the 2019 operating income by $7.2 million (24%)
- Understate a 2020 operating loss by $34.5 million (36%)
- Understate an operating loss for the first nine months of 2021 by $12.5 million (120%)
The company had to restate three years’ worth of financial results during 2022, and ultimately opted to be taken private in 2023 for $1.6 billion.
Access Governance: Potential SOD using Rules
Access governance, largely powered by authorization rules and role provisioning, is absolutely fundamental in managing the potential for unauthorised user access to key data and process approvals, whether within the same system or across multiple systems.
SAP has two industry standard and enterprise-ready access governance solutions: SAP Access Control (AC) and SAP Cloud Identity Access Governance (IAG). The two solutions perform almost identical functions but typically cater to different business streams and technology stacks; they can also work together in a mutually beneficial symbiosis.
These two SAP solutions are tightly integrated to SAP’s ERP variants for ECC and S/4HANA, and include fine-grained rule set libraries that are critical for mitigating potential SOD violations. This enhances the oversight, control, and management of user access across an organization, and helps enforce policies, detect future conflicts, and reduce the risk of fraud, errors, or unauthorized transactions.
They can implement preventive controls that give managers visibility to ensure employees can only access functions required for their job, as well as alerting to risks during user provisioning requests like the classic permissions to be able to approve vendor creation and payment processing.
They also have comprehensive functions to require managers and users to validate user access rights, produce regular SOD conflict reports, assign risk levels based on SOD authorisations, and if integrated to the HR system, apply an employee’s role definition to authorizations and provisioning as part of the joiners-movers-leavers HR processes.
These solutions are a cornerstone of an organisation’s ability to get a handle on SOD management. Their rich functionality, ready integration, comprehensive rule sets and pervasive use give them a very compelling pedigree.
However, they only ever report which SOD events could potentially happen, because they don’t analyse the financial transactions in the ERP systems; in other words, they cannot tell you which SOD events have actually happened.
Automated Transaction Analysis: Actual SOD Management
Happily, SAP has an answer for actual SODs too: SAP Risk and Assurance Management (RAM), SAP’s next-generation risk management and compliance solution. It is a strategic SAP Business Technology Platform solution and as such has a low setup time and cost, low total operating cost, doesn’t require additional SAP infrastructure, and is very intuitive to use, so has a low training impact. RAM can help protect financial and non-financial data, policies, and processes by:
- Automating internal controls
- Helping identify and assess risks and opportunities
- Determining issue response strategy & progress
- Improving overall control effectiveness
- Applying internal governance, risk and control policies
- Streamlining financial compliance processes
- Contextualizing the above by linking to objectives, processes and regulations.
The automation of internal controls is where RAM is the next (or first) step in SOD management, because it allows an organisation to alert on and prioritise the management of actual SOD violations. Parameterised queries, called automated procedures in RAM, are run as controls in S/4HANA and ECC and can cover the full range of master data, policy and process, and transactions.
One can create and routinely run an automated procedure to detect an actual SOD transaction, set a materiality threshold, filter for a company code, purchasing document type, etc. RAM raises a finding whenever a procedure’s logic is triggered, which can then be managed through sophisticated issue and remediation workflows.
Automated procedures also sit within the context of full control documentation and linked objects such as processes, regulations and risks, so their business impact can be properly assessed. Note that RAM has a technical integration with SAP Signavio, which means these two solutions can automatically synchronise processes, risks and controls, further extending the transparency and ability to properly manage SODs.
Among the roughly 90 out-of-the-box automated procedures for RAM, which focus on key financial processes, SAP provides four SOD rules, all ready for use in S/4HANA as a valuable starting point.
RAM SOD Content Items

Control Area | Automated Procedure | Minimum Release Required
--- | --- | ---
Ensure Segregation of Duties | Same User Created Supplier and Purchasing Document | SAP S/4HANA Cloud 2105; SAP S/4HANA 2021
Ensure Segregation of Duties | Same User Created Supplier and Invoice (Enhanced) | SAP S/4HANA Cloud 2105; SAP S/4HANA 2021
Ensure Segregation of Duties | Same User Created Purchase Order and Invoice | SAP S/4HANA Cloud 2108; SAP S/4HANA 2021
Ensure Segregation of Duties | Same User Processed Goods Receipt and Supplier Invoice | SAP S/4HANA Cloud 2108; SAP S/4HANA 2021
Winterhawk can translate these four SOD automated procedures for ECC systems, and provide additional SOD automated procedures for S/4HANA and ECC. Together these can cover the high-risk financial processes below, where SODs are most impactful.
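As an added illustration of what an "automated procedure" of this kind does (this is example code written for this article, not SAP's, Winterhawk's or RAM's own implementation), the script below expresses the four SOD content items from the table as parameterised SQL queries over a constructed set of supplier, purchase order, invoice and goods receipt records, with the materiality threshold and an optional company code filter passed in as parameters. The table and column names, the user IDs, the document numbers and the amounts are all assumptions made up for the example; they are not SAP's table names or schemas.

```python
import sqlite3

# Constructed sample data for the example (not real ERP records). Table and column
# names are simplified stand-ins chosen for this illustration, not SAP's own
# table names or schemas.
SUPPLIERS = [  # (supplier_id, created_by, company_code)
    ("S1001", "JSMITH", "1000"),
    ("S1002", "AKUMAR", "1000"),
    ("S1003", "JSMITH", "2000"),
]
PURCHASE_ORDERS = [  # (po_number, supplier_id, created_by, company_code, doc_type, amount)
    ("PO5001", "S1001", "JSMITH", "1000", "NB", 12500.00),
    ("PO5002", "S1002", "AKUMAR", "1000", "NB", 800.00),
    ("PO5003", "S1003", "BLEE", "2000", "NB", 45000.00),
]
INVOICES = [  # (invoice_no, supplier_id, po_number, created_by, company_code, amount)
    ("INV9001", "S1001", "PO5001", "AKUMAR", "1000", 12500.00),
    ("INV9002", "S1002", "PO5002", "AKUMAR", "1000", 800.00),
    ("INV9003", "S1003", "PO5003", "BLEE", "2000", 45000.00),
]
GOODS_RECEIPTS = [  # (gr_no, po_number, processed_by, company_code)
    ("GR7001", "PO5001", "JSMITH", "1000"),
    ("GR7003", "PO5003", "BLEE", "2000"),
]

SCHEMA = """
CREATE TABLE supplier (supplier_id TEXT, created_by TEXT, company_code TEXT);
CREATE TABLE purchase_order (po_number TEXT, supplier_id TEXT, created_by TEXT,
                             company_code TEXT, doc_type TEXT, amount REAL);
CREATE TABLE invoice (invoice_no TEXT, supplier_id TEXT, po_number TEXT,
                      created_by TEXT, company_code TEXT, amount REAL);
CREATE TABLE goods_receipt (gr_no TEXT, po_number TEXT, processed_by TEXT,
                            company_code TEXT);
"""

# One parameterised query per SOD rule, named after the four RAM content items.
# Each returns (user, first_document, second_document, company_code, amount).
# :threshold is the materiality threshold; :cc is an optional company-code
# filter (NULL means all company codes).
SOD_RULES = {
    "Same User Created Supplier and Purchasing Document": """
        SELECT p.created_by, s.supplier_id, p.po_number, p.company_code, p.amount
        FROM purchase_order p JOIN supplier s ON s.supplier_id = p.supplier_id
        WHERE p.created_by = s.created_by AND p.amount >= :threshold
          AND (:cc IS NULL OR p.company_code = :cc)""",
    "Same User Created Supplier and Invoice (Enhanced)": """
        SELECT i.created_by, s.supplier_id, i.invoice_no, i.company_code, i.amount
        FROM invoice i JOIN supplier s ON s.supplier_id = i.supplier_id
        WHERE i.created_by = s.created_by AND i.amount >= :threshold
          AND (:cc IS NULL OR i.company_code = :cc)""",
    "Same User Created Purchase Order and Invoice": """
        SELECT i.created_by, p.po_number, i.invoice_no, i.company_code, i.amount
        FROM invoice i JOIN purchase_order p ON p.po_number = i.po_number
        WHERE i.created_by = p.created_by AND i.amount >= :threshold
          AND (:cc IS NULL OR i.company_code = :cc)""",
    "Same User Processed Goods Receipt and Supplier Invoice": """
        SELECT i.created_by, g.gr_no, i.invoice_no, i.company_code, i.amount
        FROM invoice i JOIN goods_receipt g ON g.po_number = i.po_number
        WHERE i.created_by = g.processed_by AND i.amount >= :threshold
          AND (:cc IS NULL OR i.company_code = :cc)""",
}


def load_sample_db():
    """Build an in-memory database holding the constructed sample documents."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO supplier VALUES (?, ?, ?)", SUPPLIERS)
    conn.executemany("INSERT INTO purchase_order VALUES (?, ?, ?, ?, ?, ?)", PURCHASE_ORDERS)
    conn.executemany("INSERT INTO invoice VALUES (?, ?, ?, ?, ?, ?)", INVOICES)
    conn.executemany("INSERT INTO goods_receipt VALUES (?, ?, ?, ?)", GOODS_RECEIPTS)
    return conn


def run_sod_procedures(threshold=0.0, company_code=None):
    """Run all four rules with the given parameters; return findings as dicts."""
    params = {"threshold": threshold, "cc": company_code}
    findings = []
    conn = load_sample_db()
    try:
        for rule, sql in SOD_RULES.items():
            for user, doc_a, doc_b, cc, amount in conn.execute(sql, params):
                findings.append({"rule": rule, "user": user, "documents": (doc_a, doc_b),
                                 "company_code": cc, "amount": amount})
    finally:
        conn.close()
    return findings


def prioritise_by_user(findings):
    """Rank users by the total amount across their findings, the way a reviewer
    would triage actual violations by business impact."""
    totals = {}
    for f in findings:
        totals[f["user"]] = totals.get(f["user"], 0.0) + f["amount"]
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    hits = run_sod_procedures(threshold=5000.0)
    for f in hits:
        print(f"{f['rule']}: user {f['user']} on {f['documents']} "
              f"(company code {f['company_code']}, amount {f['amount']:,.2f})")
    print(prioritise_by_user(hits))
```

With a materiality threshold of 5,000 the run returns three findings: one for JSMITH (created both the supplier and the purchasing document) and two for BLEE (created the purchase order and its invoice, and processed both the goods receipt and the invoice). The 800-value purchase order and invoice that AKUMAR created against a supplier AKUMAR also created are only reported when the threshold is lowered, and restricting the run to company code 1000 leaves only the JSMITH finding; that is exactly the threshold and filter trade-off the text describes, and it is what makes the findings manageable in a remediation workflow rather than a flood of immaterial hits.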
High-Risk Areas Prone to SOD-Related Losses

Function | Examples
--- | ---
Accounts Payable | Unauthorized payments, fictitious vendors.
Procurement | Inflated prices, procurement fraud.
Payroll | Ghost employees, salary fraud.
General Ledger | Misstatement of financial results.
Cash Handling | Misappropriation, skimming.
In addition to the business value in itself, this is also important for small teams and smaller organisations, where employees must hold conflicting duties in order to do their jobs. Such situations can be automatically tested for actual SODs and prioritised by business risk.
RAM is not limited to SODs and financial processes though. Winterhawk can implement our industry-specific risk and control library covering 23 industry verticals – often highly regulated – such as pharma, mining, manufacturing, energy, banking and insurance, retail, life sciences etc. This risk and control library also extends to sustainability frameworks such as CSRD, WEF and GRI.
In addition to the financial, operational and regulatory domains, RAM can be used to automate IT application controls in real time in S/4HANA and ECC, such as checks for the super user authorizations SAP_ALL and SAP_NEW. It can also test for expired users with valid roles, and for active temporary users with a long validity period, both of which are ripe for compromise and open the door to SODs and collusion. Winterhawk can help implement these automated procedures plus more SOD rules, ideal for automated real-time transaction analysis.
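The three IT application control checks just named (super user profiles, expired users that still hold valid roles, and long-lived temporary users) are simple enough to show as plain functions over user master records. The following is an added example written for this article, not SAP's, Winterhawk's or RAM's own code: the record layout, the `temporary` flag, the 30-day validity policy, the fixed reference date and the user and role names are all assumptions made for the illustration; only the profile names SAP_ALL and SAP_NEW come from the text.

```python
from datetime import date

# Fixed reference date so the example is reproducible offline (assumption).
TODAY = date(2025, 6, 30)
# Policy assumption for this example: a temporary user may be valid for at most 30 days.
MAX_TEMP_VALIDITY_DAYS = 30
# Profile names taken from the article; everything else here is constructed.
SUPERUSER_PROFILES = {"SAP_ALL", "SAP_NEW"}

# Constructed user master records (simplified for this example; not SAP's user
# master structure). "temporary" is a hypothetical flag standing in for however
# an organisation marks temporary accounts (user group, naming convention, ...).
USERS = [
    {"user": "ADMIN01", "valid_from": date(2020, 1, 1), "valid_to": date(9999, 12, 31),
     "temporary": False, "profiles": ["SAP_ALL"],
     "roles": [("Z_BASIS_ADMIN", date(9999, 12, 31))]},
    {"user": "JSMITH", "valid_from": date(2021, 3, 1), "valid_to": date(2025, 3, 31),
     "temporary": False, "profiles": [],
     "roles": [("Z_AP_CLERK", date(9999, 12, 31)), ("Z_PO_CREATE", date(2025, 3, 31))]},
    {"user": "TEMP_AUDIT7", "valid_from": date(2025, 1, 1), "valid_to": date(2026, 12, 31),
     "temporary": True, "profiles": ["SAP_NEW"],
     "roles": [("Z_DISPLAY_ALL", date(2026, 12, 31))]},
    {"user": "TEMP_CONS2", "valid_from": date(2025, 6, 15), "valid_to": date(2025, 7, 10),
     "temporary": True, "profiles": [],
     "roles": [("Z_DISPLAY_ALL", date(2025, 7, 10))]},
    {"user": "AKUMAR", "valid_from": date(2022, 9, 1), "valid_to": date(9999, 12, 31),
     "temporary": False, "profiles": [],
     "roles": [("Z_AP_CLERK", date(9999, 12, 31))]},
]


def superuser_profile_assignments(users):
    """Every (user, profile) pair where the profile is a super user profile."""
    return [(u["user"], p) for u in users for p in u["profiles"] if p in SUPERUSER_PROFILES]


def expired_users_with_valid_roles(users, today=TODAY):
    """Users whose own validity has ended but who still hold unexpired roles."""
    findings = []
    for u in users:
        if u["valid_to"] >= today:
            continue  # user account itself is still valid
        live_roles = [role for role, until in u["roles"] if until >= today]
        if live_roles:
            findings.append((u["user"], live_roles))
    return findings


def long_lived_temporary_users(users, today=TODAY, max_days=MAX_TEMP_VALIDITY_DAYS):
    """Currently active temporary users whose validity window exceeds the policy."""
    findings = []
    for u in users:
        if not u["temporary"] or not (u["valid_from"] <= today <= u["valid_to"]):
            continue  # not temporary, or not active on the reference date
        span_days = (u["valid_to"] - u["valid_from"]).days
        if span_days > max_days:
            findings.append((u["user"], span_days))
    return findings


def run_access_checks(users=USERS, today=TODAY):
    """Run the three checks and return their findings keyed by check name."""
    return {
        "superuser_profiles": superuser_profile_assignments(users),
        "expired_users_with_valid_roles": expired_users_with_valid_roles(users, today),
        "long_lived_temporary_users": long_lived_temporary_users(users, today),
    }


if __name__ == "__main__":
    for check, findings in run_access_checks().items():
        print(f"{check}: {findings}")
```

On the constructed data the checks flag ADMIN01 and TEMP_AUDIT7 for SAP_ALL and SAP_NEW respectively, JSMITH as an expired account that still carries the Z_AP_CLERK role, and TEMP_AUDIT7 as a temporary account active for a window of well over a year, while TEMP_CONS2 (a 25-day window) passes. Each finding is the kind of item that would be raised into an issue workflow rather than merely listed.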
Looking to the future
RAM is a strategic solution in SAP’s GRC portfolio and has a very strong functional roadmap. A planned innovation highly relevant to this article is an integration between RAM and IAG, proposed for Q4-2025. This exciting enhancement will enable two-way integration with the IAG service for:
- Accessing control tests in RAM from IAG
- Addition of risk assessment data from IAG
- Updating the IAG service with control and risk data from RAM
This will close the loop between theoretical and actual SOD risk, amongst many other benefits.
It is also planned that RAM will be able to connect to SAP Datasphere, and many other systems, via OData v4. This will open up the ability of RAM to assess actual SODs in more SAP systems, non-SAP systems, and spanning multiple systems (e.g. instances of ECC & S/4HANA, Coupa, Central Finance).
The Author
Dr Neil Patrick
Global Director Client Services at Winterhawk. I was formerly in the Center of Excellence at SAP and was the Solution Manager of SAP Risk & Assurance Management (RAM). I am passionate about ESG topics, helping businesses in their journey towards delivering on their business objectives.
Feel free to reach out to me (info@winterhawk.com) if you would like to know more about how Winterhawk supports organizations around the world, providing solutions tailored to their business goals and sustainability objectives. Our Risk Optimization approach helps organizations achieve maturity, focused around pain points and operational weaknesses.