Divide duties between staff

Type of countermeasure

This is a prevention countermeasure. Prevention countermeasures are the most common and cost-effective way to stop fraud. They prevent or limit the size of the fraud risk by reducing the likelihood and consequences of fraud.

Summary

Separate duties by spreading tasks and associated privileges for a business process among multiple staff. This is very important in areas such as payroll, finance, procurement, contract management and human resources. Strong separation of duties controls are enforced by systems. It is also known as segregation of duties.

Why this countermeasure matters

Allowing a single person to perform all or multiple tasks within some processes may lead to:

  • fraudulent payments
  • unauthorised access, manipulation or disclosure of information
  • poor management of decision-making and risk
  • fraudulent requests or claims being processed
  • the creation of fake vendors and fraudulent payments
  • fraudsters concealing their activities.

How to put this countermeasure in place

Some ways to implement this countermeasure include dividing duties between the person who:

  • creates and maintains vendor records and the person who processes invoices
  • uses the credit card and the person who acquits and reconciles credit card payments
  • approves grants and the person who processes the grant payments
  • orders assets from suppliers and the person who confirms the delivery of the assets in the accounting system
  • records the payroll information in the system and the person who verifies the calculation.

How to measure this countermeasure's effectiveness

Measure the effectiveness of this countermeasure by using the following methods:

  • Consult staff or subject matter experts about separating duties and processes, and confirm they have a correct understanding of their purpose.
  • Confirm the existence of separation of duties within the system.
  • Obtain and review requirements for how duties should be separated.
  • Review procedures or guidance to confirm they clearly specify where separation of duties should apply.
  • Review processes for requests for user permissions. Confirm the request processes identify conflicts in separation of duties. Actively test processes if required.
  • Confirm request and approvals processes are consistently applied.
  • Confirm that someone cannot override or bypass separation of duties even when pressure or coercion is applied.
  • Review reports of user permissions to confirm if a single person can complete multiple functions that should be separated.
  • Review a sample of completed requests/claims to confirm that separation of duties was applied.
  • Undertake ‘pressure testing’ or a process walk-through to confirm that separation of duties is enforced.
  • Confirm the existence of a review and reconciliation process and review the reports.
  • Review any past access breaches to identify how they occurred.
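The duty pairs listed under "How to put this countermeasure in place" and the permissions-report review above can both be expressed in code. The following Python is an added example, not from this page or from any government system: it encodes the page's five conflicting duty pairs once, then (1) enforces them at transaction time by refusing a step when the same user already performed the conflicting step, and (2) reviews a user-permissions report to flag anyone holding both halves of a pair. The function names, usernames and the report contents are constructed sample data.

```python
"""Added example (not from the original page): a small separation-of-duties
(SoD) toolkit covering system-side enforcement and permissions-report review.

- enforce_step(): refuse a workflow step when the same user already performed
  the conflicting step on that transaction.
- find_conflicts(): flag users whose granted functions include both halves of
  a conflicting pair, as a periodic review of user permission reports would.

The conflicting pairs mirror the page's list; the function identifiers,
usernames and the sample report are constructed for illustration."""

from collections import defaultdict

# Duties that must be held by different people (from the page's list of duty pairs).
CONFLICTING_DUTIES = {
    frozenset({"maintain_vendor_records", "process_invoices"}),
    frozenset({"use_credit_card", "reconcile_credit_card"}),
    frozenset({"approve_grants", "process_grant_payments"}),
    frozenset({"order_assets", "confirm_asset_delivery"}),
    frozenset({"record_payroll", "verify_payroll_calculation"}),
}


class SeparationOfDutiesError(Exception):
    """Raised when a step would give one person both halves of a conflicting pair."""


def enforce_step(transaction, step, user):
    """Record `user` performing `step` on `transaction` (a dict of step -> user),
    refusing if that user already performed a conflicting step on it."""
    for done_step, done_by in transaction.items():
        if done_by == user and frozenset({done_step, step}) in CONFLICTING_DUTIES:
            raise SeparationOfDutiesError(
                f"{user} already performed '{done_step}' and so cannot perform '{step}'"
            )
    transaction[step] = user
    return transaction


def parse_permissions_report(text):
    """Parse a CSV-style report of 'user,function' lines into {user: set of functions}."""
    grants = defaultdict(set)
    for line in text.strip().splitlines():
        user, function = (part.strip() for part in line.split(","))
        grants[user].add(function)
    return grants


def find_conflicts(grants):
    """Return sorted [(user, duty_a, duty_b)] for each user holding both halves of a pair."""
    findings = []
    for user, functions in grants.items():
        for pair in CONFLICTING_DUTIES:
            if pair <= functions:  # user holds every duty in this conflicting pair
                duty_a, duty_b = sorted(pair)
                findings.append((user, duty_a, duty_b))
    return sorted(findings)


# Constructed sample report: one line per (user, granted function).
SAMPLE_REPORT = """
alice,maintain_vendor_records
alice,process_invoices
bob,order_assets
carol,confirm_asset_delivery
dave,record_payroll
dave,verify_payroll_calculation
dave,use_credit_card
"""


def review_sample_report():
    """Run the permissions review over the constructed sample report."""
    return find_conflicts(parse_permissions_report(SAMPLE_REPORT))


def demo_enforcement():
    """Return (steps of a compliant transaction, whether the conflicting attempt was blocked)."""
    compliant = enforce_step({}, "order_assets", "bob")
    enforce_step(compliant, "confirm_asset_delivery", "carol")
    try:
        enforce_step({"record_payroll": "dave"}, "verify_payroll_calculation", "dave")
        blocked = False
    except SeparationOfDutiesError:
        blocked = True
    return compliant, blocked


if __name__ == "__main__":
    for user, duty_a, duty_b in review_sample_report():
        print(f"SoD conflict: {user} holds both '{duty_a}' and '{duty_b}'")
    print(demo_enforcement())
```

The enforcement check is the preventive control the summary refers to when it says strong separation of duties is enforced by systems; the report review is the detective check from the measurement list, and is the one to run after every permissions change or on a fixed schedule, since conflicts usually appear through accumulated access rather than a single grant.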

Related countermeasures

Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures to help staff apply consistent and correct processes, and guidance to help staff make correct and ethical decisions.

Clearly document decision-makers using delegations, authorisations and instructions. Clearly defined decision-making powers increase transparency and reduce the opportunity for fraud and corruption.

Use declarations or acknowledgments to both communicate and confirm that a person understands their obligations and the consequences for non-compliance. The declaration could be written or verbal, and should encourage compliance and deter fraud.

Escalate non-standard requests or claims for further review or scrutiny. Non-standard requests or claims might include those that are late, do not meet normal conditions, include evidence that is difficult to verify (such as from overseas) or are for amounts that are higher than normal.

Set up system prompts and alerts to warn users when information is inconsistent or irregular, which either requires acceptance or denies further actions.

Limit and control functionality within systems with user permissions. Assign permissions to users based on specific business needs, such as limiting high-risk functions to specialised users.

Limit and monitor privileged system access (access that allows staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including restricting administrative privileges.

Conduct system testing to identify vulnerabilities prior to release. Untested systems can allow vulnerabilities to be released into production environments.

Prepare summary reports on activities for clients, managers or responsible staff.

Establish exception reports to identify activities that are different from the standard, normal, or expected process and should be further investigated.

Conduct internal or external audits or reviews to evaluate the process, purpose and outcome of activities. Clients, public officials or contractors can take advantage of weaknesses in government programs and systems to commit fraud, act corruptly, and avoid exposure.
