Segregation of duties
Share tasks and permissions for a specific business process among multiple employees.
This control targets internal fraud.
Examples
Examples of this control include:
- employees who can create and maintain vendor records cannot also process invoices
- the same employee cannot make, approve and reconcile credit card payments
- multiple employees must be involved in approving and processing grant payments
- employees who ordered assets from suppliers cannot confirm the delivery of the assets in the accounting system
- the same employee cannot record payroll information in the system and verify the calculation.
Risks from control gap
Allowing a single individual to complete multiple functions that should be segregated can lead to:
- fraudulent payments
- unauthorised access, manipulation or disclosure of information
- poor management of decision making and risks
- the creation of fake vendors
- fraudsters concealing their activities
- employees falling prey to spoofing, which is the act of disguising communication from an unknown source as being from a known, trusted source.
Assessing effectiveness
Methods to evaluate the effectiveness of this control include:
- consulting employees or subject matter experts about segregation of duties processes
- confirming employees have a correct understanding of the purpose of segregation of duties
- confirming that segregation of duties is enforced within the system where required
- confirming that someone cannot override or bypass segregation of duties, even when pressure or coercion is applied
- carrying out quantitative and qualitative analysis of user permissions to confirm if an individual can complete multiple functions that should be segregated
- confirming that segregation of duties is being applied on all occasions by reviewing a sample of completed requests or claims
- confirming that a review and reconciliation process would identify users who are able to perform multiple functions when they should not be able to
- reviewing any past access breaches to identify how they occurred and how they can be prevented in the future.
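The permission analysis and sample review described above can be partly automated. The following is an added example, not part of the catalogue: it takes a flattened user-to-permission export and a list of completed payment records (both constructed here, with made-up user names and permission labels) and reports, first, every user who holds both halves of a prohibited duty pair, and second, every transaction where one identity performed two steps that should have been segregated. The conflict pairs mirror the examples listed on this page.

```python
"""Segregation-of-duties conflict analysis over a permission export and a transaction sample."""

# Duty pairs that must never sit with one person, taken from the examples on this page.
# The permission names are constructed labels, not from any real system.
SOD_CONFLICTS = {
    ("maintain_vendor_records", "process_invoices"),
    ("make_card_payment", "approve_card_payment"),
    ("approve_card_payment", "reconcile_card_payment"),
    ("make_card_payment", "reconcile_card_payment"),
    ("order_assets", "confirm_asset_delivery"),
    ("record_payroll", "verify_payroll_calculation"),
}

# Constructed sample export: user -> set of effective permissions (roles already flattened).
USER_PERMISSIONS = {
    "alice": {"maintain_vendor_records", "view_reports"},
    "bob": {"process_invoices", "approve_card_payment", "reconcile_card_payment"},
    "carol": {"order_assets", "confirm_asset_delivery"},
    "dave": {"record_payroll"},
}

# Constructed sample of completed card-payment records.
TRANSACTIONS = [
    {"id": "P-1001", "created_by": "erin", "approved_by": "bob", "reconciled_by": "bob"},
    {"id": "P-1002", "created_by": "erin", "approved_by": "bob", "reconciled_by": "frank"},
    {"id": "P-1003", "created_by": "bob", "approved_by": "bob"},
]


def find_conflicts(user_permissions, conflicts=SOD_CONFLICTS):
    """Preventive check: return {user: sorted conflicting pairs} for every user whose
    effective permissions contain both halves of a prohibited pair."""
    rules = {frozenset(pair) for pair in conflicts}
    findings = {}
    for user, perms in user_permissions.items():
        hits = [tuple(sorted(rule)) for rule in rules if rule <= perms]
        if hits:
            findings[user] = sorted(hits)
    return findings


def find_self_approvals(transactions):
    """Detective check over completed records: flag any transaction where the same
    identity appears in more than one of the create/approve/reconcile steps."""
    flagged = []
    for tx in transactions:
        actors = [tx.get(step) for step in ("created_by", "approved_by", "reconciled_by")]
        actors = [actor for actor in actors if actor]
        if len(actors) != len(set(actors)):
            flagged.append(tx["id"])
    return flagged


if __name__ == "__main__":
    for user, hits in find_conflicts(USER_PERMISSIONS).items():
        print(f"{user}: holds conflicting permissions {hits}")
    print("self-approved or self-reconciled:", find_self_approvals(TRANSACTIONS))
```

The first check answers the quantitative question in the list above (who *can* combine segregated functions); the second answers the sample-review question (whether the control was *actually* applied on completed items). Running both matters because a user may pass the permission check and still bypass the control through an override path, which the transaction review would surface.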
Complementary controls
Other capability, prevention, detection and response controls that can enhance this control’s effectiveness:
Related fraudster personas
Types of behaviour this control is designed to mitigate:
- The corrupt
- The exploiter
- The organised