Processes

Segregation of duties: prevent fraud and error

Niek Dekker
10 Min
segregation-of-duties

As businesses continue to rely more heavily on automated systems, strong internal controls are increasingly critical. These financial controls are necessary to protect your organisation’s financial assets and lower the risk of fraud, especially in the accounts payable (AP) function.

And one of the most important elements of internal controls is segregation of duties (SoD).

However, a poll from KPMG found that more than a third of survey respondents described their internal controls as either “basic” or “rudimentary.” It’s a concern because cyber-crime rates are rising and the threat landscape is evolving rapidly – today’s fraud risks are different from the analogue risks from a few decades ago. Finance leaders can’t afford to settle for “rudimentary” or outdated controls.

To stay ahead of today’s threats, let’s explore segregation of duties for AP and find out how it can help you lower risks of fraud or error in the digital age.

What is segregation of duties?

The Australian Auditing and Assurance Standards Board defines segregation of duties as “assigning different people the responsibilities of authorising transactions, recording transactions and maintaining custody of assets.”

In other words, segregation of duties is all about ensuring no single individual has total control over any process. This spreads accountability throughout a team, making it harder for any one person to circumvent a business process or standard, intentionally or unintentionally. It also helps contain risk if a malicious actor does manage to infiltrate your systems or dupe an employee.

Within an AP team, segregation of duties helps to prevent errors, fraud and other irregularities across payment processes and financial reporting. Several different functions should be separated, including:

  • Receiving and processing invoices
  • Approving invoices for payment
  • Initiating payment
  • Recording payment

For example, if a single employee can unilaterally approve invoices for payment and initiate payment, they could potentially approve and pay fraudulent invoices to themselves or to a fictitious vendor. But, when these duties are segregated, there would need to be a conspiracy between multiple employees. And, well, conspiracies are a lot less likely than a single bad actor.

What happens when you violate segregation of duties?

A segregation of duties violation occurs when one person is responsible for more than one step in the payment process, or when two or more individuals collude to circumvent the controls designed to prevent fraud or errors. Within the modern threat landscape, this might not even be staff acting maliciously – through hacking, social engineering or other tactics, cyber-criminals can work to circumvent segregation of duties from outside your organisation.

This can open your organisation to risks like duplicate payments or making unauthorised payments to fictitious vendors.

So what does this mean for accounts payable teams?

Importance of segregation of duties for AP teams

What is segregation of duties in auditing? In Australia, the Auditing and Assurance Standards Board developed a framework known as “ASA 240: The Auditor’s Responsibilities Relating to Fraud in an Audit of a Financial Report.”

ASA 240 emphasises the importance of segregation of duties in internal controls. It advises auditors that inadequate segregation of duties – also called “independent checks” – might make the organisation more susceptible to misappropriation of assets. Auditors understand that segregation of duties is a crucial way to manage the risks associated with fraud and human error.

You might feel like your team is totally trustworthy – and there’s a great chance that they are! But the reality is that there will always be risks, even when employees only act with the best intentions. Aside from the risk of internal fraud, two of the biggest risks are human error and cyber threats. Let’s examine all three.

Internal fraud risks

While it’s always uncomfortable to suspect a team member, trusted insider threats are still very real. Take the Australian National Maritime Museum, where an IT support contractor allegedly committed fraudulent activities totalling an estimated $90,000.

There are several reasons why employees may engage in fraud:

  • Financial gain: Some employees may simply want to profit at your organisation’s expense
  • Financial difficulties: Some employees may have accumulated debt and act out of desperation
  • Disgruntled employees: Some employees may feel they are being mistreated or underpaid and look for opportunities to get what they believe they’re ‘owed’

Internal fraud can take many months, if not years, to identify and address, especially since inside actors tend to have the organisational knowledge to cover their tracks. With a strong SoD controls system, it’s harder for any malicious actor to defraud your organisation, whether they’re internal or external.

Human error

Your team may be capable and hardworking but human error will always be a factor. No one is perfect, and we shouldn’t design processes or standards around the fantasy that anyone ever can be perfect.

Busy staff can easily make data entry errors that see you remitting funds to an incorrect bank account. Or they can skip a callback when verifying supplier details. These sorts of risks are even higher during especially hectic periods or during later hours when staff might be losing energy and ready to finish their workday.

Cyber-crime and social engineering

Cyber-criminals like to exploit those human errors, increasing the risk that an honest mistake can facilitate malicious activity. Cyber-crime is rising, so it’s important to know that fraudsters increasingly use tactics such as social engineering to lure employees into giving away sensitive information or processing fraudulent payments.

With cyber-criminals hunting for new ways to deceive employees or circumvent controls, it’s even more important to ensure your segregation of duties is strong.

Segregation-of-duties-examples

 

Examples of segregation of duties

There are many different ways to implement segregation of duties within an organisation. Some examples include:

1) Requisitioning and approving
  • Separation of duties between the employee who initiates a purchase requisition and the person who approves it
  • A separate person should be responsible for approving vendor invoices, ensuring that goods or services are received as expected and that prices are accurate
2) Invoice processing and payment
  • Segregation of duties between the employee who enters vendor invoices into the accounting system and the person who approves payment
  • Restricting role base access  control to electronic payment systems, checks and balances
  • Periodic review of vendor payments by an independent party
3) Bank reconciliation
  • Segregation of duties between the person who reconciles bank statements and the person who issues checks
  • Restriction of access to bank statements and reconciliation reports to authorised personnel only
  • Periodic review of bank reconciliations by an independent party
4) Petty cash
  • Segregation of duties between the employee who is responsible for petty cash and the person who reconciles and approves the petty cash transactions
  • Restriction of access to petty cash funds and records to authorised personnel only

To put it simply, you want at least two sets of eyes on every transaction.

How to implement segregation of duties?

Implementing segregation of duties requires a thorough understanding of the organisation’s processes and risks. CFOs should identify critical processes and tasks and then determine which team member should be responsible for each task.

It’s also important to ensure that there’s no conflict of interest.

For example, the person responsible for accounts receivable should not also be responsible for accounts payable. This could create a conflict of interest, and increase the risk of fraud or errors. CFOs should also ensure there’s adequate supervision and monitoring of segregation of duties policies. This can be paired with a clear matrix of the procure-to-pay cycle, helping to identify all the steps that need to happen.

Finally, CFOs should regularly review and update their segregation of duties policies. As the business grows and changes, new risks may emerge and new controls may be necessary. Regular reviews and updates of the segregation of duties policies ensure that they remain effective in reducing the risk of fraud and errors.

Some practical tips for implementing segregation of duties include:

  • Define roles and responsibilities: Clearly define the roles and responsibilities of each individual involved in a process to ensure that they are aware of their duties and limitations
  • Identify risks and control points: Improve risk management by identify the risks associated with each process and determine where controls are required to mitigate those risks
  • Assign duties appropriate: Assign duties to individuals based on their skills, experiences, and job responsibilities. Ensure that individuals don’t have conflicting, overlapping or incompatible duties
  • Regularly review and update SoD: Regularly review and update SoD policies and procedures to ensure they’re still effective and relevant

With these system restrictions in place, it should be possible to get visibility and ensure that teams are adhering to segregation of duties policies.

Segregation of Duties Checklist

Use the following checklist to ensure your organisation has appropriate segregation of duties in place:

Establish segregation of duties policy Closely examine your entire procure-to-pay cycle and identify all the steps that should be carried out by separate individuals.
Establish system roles and responsibilities Set up all the roles with appropriate access levels in all your systems and applications. Remember to set access rights to the files on your network’s shared drives accordingly.
Establish Identity and access management tools Identity and access management tools can help you establish appropriate access to systems and applications in ways that align with your segregation of duties matrix.
Establish provision access roles Ensure the right individuals are assigned the right roles. Bear in mind that as staff join your team, leave your team, are promoted or are demoted, these access rights need to be adjusted accordingly.
Ensure IT communication and collaboration In large organisations, the IT department will need to be involved in ensuring that all roles and access rights are set up and maintained correctly, in accordance with segregation of duties policies. This requires ongoing collaboration between the Accounts Payable Manager and the IT department.

Lack of segregation of duties

If your business lacks segregation of duties in its accounts payable function, it could mean that the same individual or group of people may be responsible for a number of problems. This includes a higher risk of errors and mistakes, regulatory breaches and, finally, external and internal fraud.

Room for fraud, error and scam attempts

One of the biggest risks associated with the lack of segregation of duties is the increased risk of fraud.

When a single person is given the sole responsibility of two conflicting tasks, such as entering payment information and approving payments, it creates an opportunity for fraudulent activity to occur. This risk is compounded when a single individual is responsible for both tasks.

One example is a bank manager who was sentenced for stealing $16 million from the Bank of Montreal. The manager was able to commit 63 counts of fraud, at least in part due to a lack of segregation of duties.

Accounts payable segregation of duties control

Implementing strict Segregation of Duties controls in a large organisation is easier, as there are many more employees. This allows the Accounts Payable Manager to ensure segregation of responsibilities to which different employees have responsibility for different steps in the Procure-to-Pay cycle.

However, this may not be possible in smaller organisations.

Smaller organisations don’t usually have enough employees to adequately implement a comprehensive Segregation of Duties framework. If this is the case, then smaller organisation need to establish compensating controls which are controls designed to compensate for the increased risk. For smaller organisations, you should consider other options that will deliver you the same level of protection afforded by comprehensive Segregation of Duties, such as:

  • Outsource certain tasks
  • Implement additional manual and automated checks

As an example, you may decide to outsource responsibility for managing your Vendor Master File.

Of course, deciding to outsource management of some confidential corporate data carries its own potential problems. However, with the right outsourcing model, this option can help you achieve Segregation of Duties, whilst also making your Accounts Payable team run efficiently and leanly.

Another option is to implement additional checks into your Procure-to-Pay cycle. These may be manual in nature, but given your staffing constraints, this is probably not possible. An automated solution, such as Eftsure, will help you achieve the same protections as comprehensive Segregation of Duties controls, without having to hire additional staff.

Prioritising robust controls for fraud prevention

Regardless of the cause of any irregularities, it’s important to investigate the issue and take corrective action to prevent further problems.

This can involve implementing additional controls or reviewing and updating payment processes and procedures. This way, it reduces the likelihood of fraudulent activities occuring with the rotating roles and responsibilities. It may also be necessary to investigate and take disciplinary action against any individual involved in fraudulent activity like accounts payable fraud.

Prioritising SoD ensures accountability and transparency in the organisation’s operations. It enables a clear chain of command and provides a system of checks and balances that ensures that no one employee has too much control over crucial business processes. It’s important that CFOs become aware that SoD processes are a crucial element of compliance with regulations and standards such as the ASAE 3150 (Assurance Engagements on Controls) and ISO 27001.

These regulations require Australian businesses to implement proper controls, including SoD to reduce the risk of fraudulent activities.

The benefit of Eftsure is that it ensures the banking details you’re using to pay a supplier match the details used by other organisations when paying the same supplier. It helps mitigate your risk of both human error and fraud each time you process an electronic bank payment.

For a demonstration of how Eftsure can help standardise segregation of duties and protect your organisation from fraud or error, contact us today.

accountants-segregation-of-duties
Segregation of Duties Checklist
Segregation of duties helps prevent errors, fraud and other irregularities across payment processes and financial reporting.

Use our SoD checklist to ensure your organisation has appropriate segregation of duties in place.

Related articles

The new security standard for business payments

Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.