Segregation of duties
Separate duties by allocating the tasks, and the privileges that go with them, for a business process across multiple staff. This is particularly important in areas such as payroll, finance, procurement, contract management and human resources. Systems can help to enforce a strong separation of duties. This control is also known as separation of duties.
Why this countermeasure matters
Allowing a single person to perform all or multiple tasks within some processes may lead to:
- fraudulent payments
- unauthorised access, manipulation or disclosure of information
- poor management of decision-making and risk
- fraudulent requests or claims being processed
- the creation of fake vendors and fraudulent payments
- fraudsters concealing their activities.
How to put this countermeasure in place
Some ways to implement this countermeasure include:
- not allowing the same person to create and maintain vendor records as well as process invoices
- not allowing the same person to use a credit card as well as acquit and reconcile credit card payments
- not allowing the same person to approve grants as well as process grant payments
- not allowing the same person to order assets from suppliers as well as confirm the delivery of the assets in the accounting system
- not allowing the same person to record payroll information in the system as well as verify the calculation and reconcile records.
How to check if your countermeasures are effective
Here are some ways to measure the effectiveness of this type of countermeasure:
- consult staff or subject matter experts about separating duties and processes, and confirm they have a correct understanding of their purpose
- confirm the existence of separation of duties within the system
- obtain and review requirements for how duties should be separated
- review procedures or guidance to confirm they clearly specify where separation of duties should apply
- review the processes for requesting user permissions, confirm that those processes identify separation of duties conflicts, and actively test them if required
- confirm request and approvals processes are consistently applied
- confirm that someone cannot override or bypass separation of duties even when pressure or coercion is applied
- review reports of user permissions to confirm if a single person can complete multiple functions that should be separated
- review a sample of completed requests or claims to confirm that separation of duties was applied
- undertake ‘pressure testing’ or a process walk-through to confirm that separation of duties is enforced
- confirm the existence of a review and reconciliation process, and review the reports it produces
- review any past access breaches to identify how they occurred.
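The implementation list above names pairs of duties that should never sit with one person, and the checks above ask you to review user permission reports for such combinations and to catch conflicts at the point a permission is requested. The following Python script is an added example of both checks; it is not part of this page or of any particular system. The conflict pairs follow the page's list, but the permission names, the users and the CSV-style report format are assumptions constructed for illustration.

```python
"""Segregation-of-duties conflict check over a user-permissions report.

Added example. The conflict pairs follow the page's list of duties that should
not be held by one person; the permission names, users and report format are
constructed assumptions, not any product's real role names.
"""
from collections import defaultdict

# Pairs of duties that must not be held by the same person (from the page's list).
# The permission labels are assumed names used only for this example.
SOD_CONFLICTS = [
    ("vendor_master_maintain", "invoice_process"),
    ("credit_card_use", "credit_card_reconcile"),
    ("grant_approve", "grant_payment_process"),
    ("asset_order", "asset_delivery_confirm"),
    ("payroll_record", "payroll_verify_reconcile"),
]

# Constructed permissions report: a header line, then one "user,permission" line per grant.
PERMISSIONS_REPORT = """\
user,permission
alice,vendor_master_maintain
alice,invoice_process
bob,vendor_master_maintain
carol,invoice_process
dave,credit_card_use
dave,credit_card_reconcile
erin,grant_approve
frank,grant_payment_process
"""


def parse_report(text):
    """Return {user: set(permissions)} from the simple CSV-style report."""
    grants = defaultdict(set)
    lines = text.strip().splitlines()
    for line in lines[1:]:  # skip the header line
        line = line.strip()
        if not line:
            continue
        user, perm = (part.strip() for part in line.split(",", 1))
        grants[user].add(perm)
    return dict(grants)


def find_conflicts(grants, conflicts=SOD_CONFLICTS):
    """Periodic review: list (user, duty_a, duty_b) where one user holds both duties."""
    found = []
    for user, perms in grants.items():
        for a, b in conflicts:
            if a in perms and b in perms:
                found.append((user, a, b))
    return sorted(found)


def request_creates_conflict(grants, user, new_perm, conflicts=SOD_CONFLICTS):
    """Pre-grant check for an access request: return the user's existing
    permissions that would conflict with new_perm (empty list means no conflict)."""
    existing = grants.get(user, set())
    clashes = []
    for a, b in conflicts:
        if new_perm == a and b in existing:
            clashes.append(b)
        elif new_perm == b and a in existing:
            clashes.append(a)
    return sorted(clashes)


if __name__ == "__main__":
    grants = parse_report(PERMISSIONS_REPORT)
    for user, a, b in find_conflicts(grants):
        print(f"SoD conflict: {user} holds both {a} and {b}")
    # Bob already maintains vendor records, so a request to process invoices must be refused.
    print("bob + invoice_process conflicts with:", request_creates_conflict(grants, "bob", "invoice_process"))
```

Run over the constructed report, `find_conflicts` flags alice (vendor records plus invoices) and dave (uses and reconciles the card), while `request_creates_conflict` shows the same rule applied at request time, so a conflicting grant is refused before it exists rather than found at the next review. In practice the report would be exported from the finance, HR or identity system, and the conflict pairs kept alongside the documented separation-of-duties requirements so both reviews use the same list.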