Outsmarting Fraudsters Through Segregation of Duties

Have you invested heavily in cybersecurity but still find threats slipping through the cracks? Most data breaches involve a human element: someone on the inside enabling the attack, whether through malice or error. And most frauds arise not from technical hacks but from a breakdown of internal controls.

As a business leader, you carry a heavy responsibility to guard against such internal fraud risks. But how exactly do you secure an organization against threats that originate within it? This is where understanding Segregation of Duties (SoD) becomes critical.

Why You Need Mitigating Controls

Occupational fraud is rising across the globe. According to a global study, organizations lose 5% of revenues each year to employee fraud, averaging $3.6 million in losses per case. And lack of oversight is a leading enabler.

What motives drive such unethical behavior? Common reasons include:

  • Financial trouble
  • Feeling underpaid
  • Workplace resentment
  • Greed

So how do employees carry out these schemes? Some example fraud scenarios:

  • Skimming revenues: Sales director fails to record collections from customers and pockets cash
  • Fake vendors: Accounts payable head creates shell companies and processes payables
  • False reporting: CEO manipulates financial statements to meet targets and get higher bonuses

The above examples show why controls like SoD matter: they limit what any one person can do alone, prevent excessive authority from accumulating in one role, and catch errors and irregularities early.

Core Principles that Strengthen SoD

SoD does not make fraud impossible; it raises the cost by forcing a would-be fraudster to collude with someone else rather than act alone. For it to do that effectively, four principles need to be built into the policy design:

Division of roles

Split duties across multiple roles so that no one person can execute a process end to end. The classic split keeps authorization, custody of assets, record keeping and reconciliation in different hands: the person who approves a payment should not be the one who can release it or who reconciles the account it came from.

Dual oversight

Build two-person integrity into sensitive transactions through mandatory secondary approval.

Job rotation

Rotate personnel across functions on a regular schedule. A scheme that depends on one person staying in one seat is harder to sustain, and the incoming person is well placed to notice anything the outgoing one concealed.

Forced vacation

Require personnel in sensitive roles to take an uninterrupted block of leave each year, with someone else performing their duties in the meantime. Irregularities that the absent person has been quietly managing tend to surface while they are away.

Now let’s see how leading organizations apply SoD to combat fraud.

SoD in Action Across Industries

SoD materializes differently based on context. Below are field examples demonstrating implementation:

Banking

Loan officers who originate loans cannot also approve them or administer the loan processing system. Duties are segregated between front office, back office and credit risk.

eCommerce

Customer service reps who take orders cannot issue refunds or credits. Returns are handled by a separate team so that no one can reverse their own transactions.

Healthcare

Prescription dispensing segregated from prescription audits and inventory counts to prevent controlled substance diversion.

Public Sector

City clerks preparing council meeting agenda cannot approve agenda items or minutes. Separate council vote required on proceedings.

SoD permeates every business area through restricted access, transaction limits and activity partitioning.

When SoD Breaks Down – A Costly Ripple Effect

SoD is a first line of defense, so what happens when it cracks? The real example below shows how the damage spirals:

The city of Dixon, IL lost over $50 million to a long-running embezzlement scheme by its Finance Director, Rita Crundwell. Crundwell exploited her position to divert city funds into a secret bank account.

How? She could initiate wire transfers from city accounts while also controlling the financial statements tied to those same accounts. Concentrating both duties in one person, with no independent oversight, let the fraud run for roughly two decades.

When it was finally detected, the extent of the damage was staggering: the city's finances were wrecked, residents bore the cost of the missing money, and the political fallout and loss of public trust followed.

The above underlines why sound SoD controls constitute non-negotiable baseline for financial health. But effective ongoing policy enforcement also matters.

So what separates good SoD from great? Insights from experts next.

Boosting Maturity of SoD Governance

Mature SoD frameworks move beyond establishing a baseline policy. They add continuous controls that catch drift before it erodes the policy, because access accumulates quietly as people change jobs, take on cover duties and keep old entitlements.

I interviewed subject matter experts and fraud examiners to compile tips for fortifying SoD:

Rajiv Shah, Risk Advisory Partner, shares:

“Review access roles and entitlement drift periodically to spot abnormal combinations indicating possible conflicts. Digital identity management solutions can help automate this using analytics.”

Sarah Taylor, Forensic Accounting Director, suggests:

“Build triggers and alarms for SoD violations into workflows and route to internal audit for urgent reviews. This closes the loop between policy design and enforcement.”

Finally, David Singh, White Collar Crime Specialist, emphasizes:

“Place motivators to encourage information sharing on observed SoD breaches. Safe environments for speaking up are rare. Actively nurture them.”

The bottom line? Well-drafted SoD policies already improve fraud prevention. Combining them with continuous, data-driven monitoring of who actually holds which entitlements, and with safe channels for reporting, makes them far more potent.
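The "division of roles" principle and the advice above on reviewing entitlement drift both come down to the same check: expand every identity's roles into the fine-grained entitlements they grant, then look for pairs of entitlements that the policy says one person must never hold together, and compare against the last review to see which conflicts are new. The script below is an added example written for this article, not tooling from any of the experts quoted or from a named product. The rule set, role catalogue, user assignments and exception list are all constructed for illustration; the entitlement names (ap.vendor.create, treasury.wire.initiate and so on) are hypothetical.

```python
"""SoD conflict and entitlement-drift checker (added example, not the page's own tooling)."""
from datetime import date

# Constructed rule set: each rule names two entitlements that one identity must
# never hold at the same time. Rule and entitlement names are hypothetical.
SOD_RULES = {
    "vendor-and-pay": ("ap.vendor.create", "ap.payment.approve"),
    "wire-and-reconcile": ("treasury.wire.initiate", "gl.reconcile"),
    "originate-and-approve": ("loan.originate", "loan.approve"),
    "order-and-refund": ("orders.create", "orders.refund"),
}

# Constructed role catalogue: coarse roles expand to fine-grained entitlements.
# No single role is toxic on its own; conflicts appear only when roles combine.
ROLES = {
    "ap-clerk": {"ap.vendor.create", "ap.invoice.enter"},
    "ap-manager": {"ap.payment.approve", "ap.invoice.enter"},
    "treasury-ops": {"treasury.wire.initiate"},
    "controller": {"gl.reconcile", "gl.close"},
    "loan-officer": {"loan.originate"},
    "credit-risk": {"loan.approve"},
    "cs-rep": {"orders.create"},
}

# Constructed exceptions: a documented mitigating control (e.g. 100% secondary
# review of the user's wires) covers the combination until the expiry date.
EXCEPTIONS = {
    ("bob", "wire-and-reconcile"): date(2030, 1, 1),
}

# Constructed snapshots of role assignments at the last review and today.
BASELINE = {
    "alice": {"ap-clerk"},
    "bob": {"treasury-ops", "controller"},  # conflicting, but under exception
    "carol": {"loan-officer"},
    "dave": {"cs-rep"},
}
CURRENT = {
    "alice": {"ap-clerk", "ap-manager"},  # drift: now creates vendors AND approves payments
    "bob": {"treasury-ops", "controller"},
    "carol": {"loan-officer", "credit-risk"},
    "dave": {"cs-rep"},
}


def _as_date(today):
    """Accept a date, an ISO string, or None (meaning today's date)."""
    if today is None:
        return date.today()
    return date.fromisoformat(today) if isinstance(today, str) else today


def effective_entitlements(assigned_roles, roles=ROLES):
    """Expand a user's roles into the union of entitlements they grant."""
    ents = set()
    for role in assigned_roles:
        ents |= roles.get(role, set())
    return ents


def find_conflicts(assignments, rules=SOD_RULES, roles=ROLES,
                   exceptions=EXCEPTIONS, today=None):
    """Return (user, rule, entitlement_a, entitlement_b) for every unexcepted
    toxic combination present in the given assignments."""
    today = _as_date(today)
    hits = []
    for user, user_roles in assignments.items():
        ents = effective_entitlements(user_roles, roles)
        for name, (a, b) in rules.items():
            if a in ents and b in ents:
                expiry = exceptions.get((user, name))
                if expiry and expiry > today:
                    continue  # covered by an unexpired, documented exception
                hits.append((user, name, a, b))
    return sorted(hits)


def entitlement_drift(baseline, current, roles=ROLES):
    """Per user, which effective entitlements were gained or lost since baseline."""
    drift = {}
    for user in set(baseline) | set(current):
        before = effective_entitlements(baseline.get(user, set()), roles)
        after = effective_entitlements(current.get(user, set()), roles)
        if before != after:
            drift[user] = {"added": sorted(after - before),
                           "removed": sorted(before - after)}
    return drift


def new_conflicts(baseline, current, **kw):
    """Conflicts present now that were not present (or were excepted) at baseline."""
    return sorted(set(find_conflicts(current, **kw)) - set(find_conflicts(baseline, **kw)))


if __name__ == "__main__":
    for user, change in entitlement_drift(BASELINE, CURRENT).items():
        print(f"drift  {user}: +{change['added']} -{change['removed']}")
    for user, rule, a, b in new_conflicts(BASELINE, CURRENT, today="2025-01-01"):
        print(f"NEW SoD VIOLATION  {user}: {rule} ({a} + {b}) -> route to internal audit")
```

Two things the script shows that a role-level review misses. First, alice and carol hold no toxic role; the conflict only exists once each role is expanded to its entitlements and the union is checked, which is why the check must run on effective access rather than on role names. Second, an exception is only acceptable when it names the mitigating control and carries an expiry: bob's combination is suppressed until 2030, and once that date passes the same code reports it again without anyone having to remember to revisit the ticket. In practice the snapshots would come from the identity provider's export rather than inline dictionaries, and the new-conflict list is what gets routed to internal audit.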

Key Takeaways

  • Fraud prevention requires going beyond cyber controls to address insider risks
  • SoD policies impose constraints and oversight to disrupt manipulation
  • Continuously monitor entitlement drift to spot high-risk combinations before they are abused
  • Create channels for safe whistleblowing on observed SoD violations

Ready to examine your controls against fraud? Internally assess compliance gaps leveraging this SoD Policy Template.