Skip to content

Term of the Week: Separation of Duties

What is it?

A strategy that helps reduce fraud and error by assigning two or more parts of a transaction to separate individuals. For example, the same person should not be able to enter an invoice then approve payment.

Why is it important?

Separation of duties (SoD) (also known as segregation of duties) prevents the same person from performing two or more parts of a transaction that would be susceptible to error or fraud if performed by one person. Fraud perpetrated through the lack of internal controls can lead to the loss of money, reputation, and market share as well as risking fines from regulators and, perhaps ultimately, shutdown of the organization.

Why does a business professional need to know this?

In its 2017 annual report, power and robotics firm ABB Robotics said losses from fraud at its South Korean unit would total $73 million. Managers failed to maintain sufficient segregation of duties in its treasury unit and failed to keep the signature seals (used in many Asian countries) secure, allowing a single employee to bind the company to unauthorized financial contracts(Pham 2017).

In a 2016 case, an employee of a federal credit union embezzled $1,945,000 from her employer over a 15-year period by removing cash from the vault and placing it in her purse. She deposited some of the cash into credit union accounts she controlled and took the remainder of it for personal expenses. She manipulated the credit union’s books and records to cover up her crime(Simmerman 2016).

In both of these cases, appropriate separation of duties could have stopped the fraudulent activities. Appropriate separation of duties requires measures such as the following:

  • One person to enter an invoice and a second to approve payment
  • One person to receive and log a payment, another to deposit it, and a third to reconcile payments against deposits
  • Two signatures on a check
  • Two keys to a safe deposit box
  • Two passwords to approve an electronic funds transfer
  • One person to create or update content, another to edit, and a third to approve for publication

In many Asian countries, a seal or chop is the accepted way of signing a contract on behalf of a company. If separation of duties is properly implemented, using a seal would require two people to access the seal, using a dual-key or dual-combination safe, and two people to witness and sign off on any document on which the seal was used.

One person should never be able to remove cash from a vault and then update paper and electronic records to cover up his or her tracks. Whenever money is moved, there should be at least two people involved to help prevent fraud due to lack of SoD controls.

References

About Ron LaPedis

Photo of Ron LaPedis

Ron LaPedis is Managing Director at Seacliff Partners International, a business resilience and security consulting firm. Before that, he worked on HP NonStop servers for 25 years, becoming a subject matter expert in high availability systems, business continuity, and security. Ron is co-inventor on two storage and two virtualization patents and is named on one encryption patent. He is a Distinguished Fellow of the Ponemon Institute and holds AFBCI, MBCP, and CISSP certifications. Ron is a columnist for PoliceOne.com and the NonStop Insider.

Term: Separation of Duties

Email: rlapedis@seacliffpartners.com

Twitter: @RLaPedis_CISSP

Leave a Reply

Your email address will not be published. Required fields are marked *