
Term of the Week: Separation of Duties

What is it?

A strategy that helps reduce fraud and error by assigning two or more parts of a transaction to separate individuals. For example, the same person should not be able to enter an invoice and then approve payment.

Why is it important?

Separation of duties (SoD), also known as segregation of duties, prevents the same person from performing two or more parts of a transaction that would be susceptible to error or fraud if performed by one person. Fraud perpetrated through the lack of internal controls can lead to the loss of money, reputation, and market share, as well as fines from regulators and, perhaps ultimately, shutdown of the organization.

Why does a business professional need to know this?

In its 2017 annual report, power and robotics firm ABB Robotics said losses from fraud at its South Korean unit would total $73 million. Managers failed to maintain sufficient segregation of duties in its treasury unit and failed to keep the signature seals (used in many Asian countries) secure, allowing a single employee to bind the company to unauthorized financial contracts (Pham 2017).

In a 2016 case, an employee of a federal credit union embezzled $1,945,000 from her employer over a 15-year period by removing cash from the vault and placing it in her purse. She deposited some of the cash into credit union accounts she controlled and took the remainder of it for personal expenses. She manipulated the credit union’s books and records to cover up her crime (Simmerman 2016).

In both of these cases, appropriate separation of duties could have stopped the fraudulent activities. Appropriate separation of duties requires measures such as the following:

  • One person to enter an invoice and a second to approve payment
  • One person to receive and log a payment, another to deposit it, and a third to reconcile payments against deposits
  • Two signatures on a check
  • Two keys to a safe deposit box
  • Two passwords to approve an electronic funds transfer
  • One person to create or update content, another to edit, and a third to approve for publication

In many Asian countries, a seal or chop is the accepted way of signing a contract on behalf of a company. If separation of duties is properly implemented, using a seal would require two people to access the seal, using a dual-key or dual-combination safe, and two people to witness and sign off on any document on which the seal was used.

One person should never be able to remove cash from a vault and then update paper and electronic records to cover up his or her tracks. Whenever money is moved, there should be at least two people involved to help prevent fraud due to lack of SoD controls.

References

About Ron LaPedis


Ron LaPedis is Managing Director at Seacliff Partners International, a business resilience and security consulting firm. Before that, he worked on HP NonStop servers for 25 years, becoming a subject matter expert in high availability systems, business continuity, and security. Ron is co-inventor on two storage and two virtualization patents and is named on one encryption patent. He is a Distinguished Fellow of the Ponemon Institute and holds AFBCI, MBCP, and CISSP certifications. Ron is a columnist for PoliceOne.com and the NonStop Insider.

Term: Separation of Duties

Email: rlapedis@seacliffpartners.com

Twitter: @RLaPedis_CISSP
