Candidate business activities for SoD controls

The objective of this list is to provide guidance on where in the organization to look for activities that may be linked to operational risks for which SoD may constitute a good mitigation technique. But SoD introduces new costs and comes in multiple shapes, hence this list does not prescribe that SoD controls be implemented for these activities. These activities should only be reviewed, risks assessed and AoD controls implemented if deemed necessary.

See Segregation of Duties for a description of the typical risks mitigated by SoD.

• Salesperson fixing price. Risk: price too low —> loss. (Kobelsky 2014)

• Salesperson taking inadequate commitments (deadlines, quantities, features). Risk: penalties, reputation damage. (Kobelsky 2014)

• Picking and shipment. Risk: inventory loss or damage or theft. (Kobelsky 2014)

• Payments or other financial receipt. Risk:theft or loss. Kobelsky 2014.

• Business Transactions Masterfile modification (e.g. IT data administration, IT maintenance) vs (initiation of business transactions and asset custody) , Kobelsky 2014

• Modification of pre-approvals vs (initiation of business transactions and asset custody), Kobelsky 2014

• Asset custody activities vs record keeping. Employee may have an incentive to inappropriately record an inappropriate transaction. When authorization and review takes place on the basis of records, this may reduce the effectiveness of subsequent controls. Kobelsky 2014, Carmichael 1970

• Record keeping and asset reconciliation. Kobelsky 2014. Risk:incentive to inappropriately reconcile inappropriately recorded transactions