Divide duties between staff
Separate duties by spreading tasks and associated privileges for a business process among multiple staff. This is very important in areas such as payroll, finance, procurement, contract management and human resources. Strong separation of duties controls are enforced by systems. It is also known as segregation of duties.
Why this countermeasure matters
Allowing a single person to perform all or multiple tasks within some processes may lead to:
- fraudulent payments
- unauthorised access, manipulation or disclosure of information
- poor management of decision-making and risk
- fraudulent requests or claims being processed
- the creation of fake vendors and fraudulent payments
- fraudsters concealing their activities.
How to put this countermeasure in place
Some ways to implement this countermeasure include dividing duties between the person who:
- creates and maintains vendor records and the person who processes invoices
- uses the credit card and the person who acquits and reconciles credit card payments
- approves grants and the person who processes the grant payments
- orders assets from suppliers and the person who confirms the delivery of the assets in the accounting system
- records the payroll information in the system and the person who verifies the calculation.
How to measure this countermeasure's effectiveness
Measure the effectiveness of this countermeasure by using the following methods:
- Consult staff or subject matter experts about separating duties and processes, and confirm they have a correct understanding of their purpose.
- Confirm the existence of separation of duties within the system.
- Obtain and review requirements for how duties should be separated.
- Review procedures or guidance to confirm it clearly specifies where separation of duties should apply.
- Review processes for requests for user permissions. Confirm the request processes identify conflicts in separation of duties. Actively test processes if required.
- Confirm request and approvals processes are consistently applied.
- Confirm that someone cannot override or bypass separation of duties even when pressure or coercion is applied.
- Review reports of user permissions to confirm if a single person can complete multiple functions that should be separated.
- Review a sample of completed requests/claims to confirm the separated of duties were applied.
- Undertake ‘pressure testing’ or a process walk-through to confirm that separation of duties are enforced.
- Confirm the existence of a review and reconciliation process and review the reports.
- Review any past access breaches to identify how they occurred.