How SOD Works in Practice
Conceptually, SOD is straightforward. By ensuring that key financial processes require more than one staff member to complete, risk is naturally reduced.
Consider a loan application. If a single staff member is responsible for collecting applicant data, reviewing application details, and making the approval or rejection decision, this creates multiple points of risk. The data collected might contain errors that aren’t caught during the review process, or approvals may not meet the guidelines laid out by financial firms. This could result in high-risk loans being issued, leading to bank losses.
By placing two other staff members into this process, risk is reduced. For example, banks might assign one employee the task of collecting applicant data, another the job of reviewing this data, and a third the role of decision-maker. While the overall process remains the same, risk is naturally reduced by segregating process steps.
Best Practices to Comply with SOX Regulations
While SOX lays out requirements around controls, audits and reports, it doesn’t offer specific guidelines for creating effective SOD frameworks. This puts banks in a tough position: They understand the need for improved SOD, but they don’t know what this looks like in practice. When it comes to ensuring SOD compliance, three best practices can help.
- Conduct process assessments. Before designing and implementing internal controls, banks need to pinpoint potential process problems. By conducting a complete assessment of current operations, they can separate processes into high-, medium- and low-risk categories, allowing them to prioritize SOD efforts.
- Find the balance. Just as single-person processes pose risk, so do operations that are overstuffed with staff. In other words, at a certain point, adding more people has the opposite effect of what is intended. This is because each step in the process requires a handoff of data from one employee to another. If some of these employees are working from home and others are in the office, there’s potential for attackers to eavesdrop on data exchanges or compromise operations. As a result, it’s important to find a balance by regularly reviewing SOD procedures to strike a balance between security and complexity.
- Recognize what you don’t know. Banks also need to understand where their existing knowledge and skills may come up short. In part, these gaps stem from rapidly evolving regulations, and they’re tied to ongoing challenges in finding and keeping talented staff. The quickest way to solve for a shortfall is to turn to trusted advisers with industry experience. CDW’s experts can help financial institutions create SOD roadmaps.
The bottom line? With time and talent in short supply, it’s worth bringing in expert help to ensure banks’ SOD compliance is current and capable, and to keep processes properly segregated.