News & Blogs

Auditors Overemphasize Segregation of Duties, Neglecting Critical Sensitive Access Risks

Global · · erpra.net

Auditors are spending too much time on Segregation of Duties (SoD) conflicts and not enough on sensitive access risks, especially in modern ERP systems. Many traditional SoD conflicts are mitigated by effective workflow designs, making their extensive testing redundant. The article advocates for a shift in focus towards identifying and auditing sensitive access risks, which can lead to significant financial fraud independently.


Rethinking Audit Focus: Beyond Segregation of Duties

The article argues that auditors are disproportionately focused on Segregation of Duties (SoD) conflicts, often overlooking more critical sensitive access risks, particularly within modern Enterprise Resource Planning (ERP) systems. While SoD is a valid risk, its prevalence and impact have changed with advancements in ERP technology. The author, Jeff Hare, suggests that this overemphasis leads to an incomplete and potentially ineffective audit approach, leaving organizations vulnerable to significant financial fraud.

The Diminishing Relevance of Traditional SoD Conflicts

Modern ERP systems, such as ERP/HCM Cloud, Workday, NetSuite, and Salesforce, incorporate robust workflow designs that inherently mitigate many traditional SoD conflicts. For instance, the segregation of transaction entry from approval is often a standard, easily configurable workflow. Auditors who extensively test for SoD conflicts in these environments might be duplicating efforts if they haven't first validated the effectiveness of these built-in workflows. The article provides examples where common SoD conflicts, like entering suppliers versus purchase orders or journal entries versus posting, are effectively addressed by system workflows, negating the need for separate SoD testing once workflow design is confirmed.

Prioritizing Sensitive Access Risks for Comprehensive Assurance

The core message is to shift the audit paradigm to prioritize sensitive access risks. These risks, unlike SoD, can lead to fraud or financial misstatement independently, without requiring a combination of conflicting duties. Examples include unauthorized changes to supplier bank information, customer credit limits, or pricing on orders. These actions, if performed by a single individual with sensitive access, can result in significant financial loss or misstatement. The article advocates for auditors to first identify and assess these sensitive access risks, then consider SoD conflicts, ensuring a more comprehensive and impactful audit of access controls. This approach ensures that audit programs address all potential risks in control design and access control testing, moving beyond a narrow focus on SoD conflicts.


Read more
Comments

No comments yet. Be the first.


Sign in to join the discussion.

Sign in or Create account
Subscribe

By email

Get audit & assurance news in your inbox.


By feed reader

We publish RSS, Atom, and JSON feeds sliced by category and region.

View all feeds →

Have a tip? Submit a story or job →

Subscribe by email

Get audit & assurance news in your inbox. Or use a feed reader — view all feeds →