Segregation of duties is applied
Segregation of duties (also known as separation of duties) is the concept of having more than one person required to complete a task. Effective segregation of duties is achieved by disseminating tasks and associated privileges for a specific business process among multiple users.
Segregation of duties is particularly important in areas such as payroll, finance, procurement and contract management, and human resources.
Strong segregation of duties controls are enforced by systems.
Some examples of this type of countermeasure include:
- A staff member who can create and maintain vendor records cannot also process invoices.
- The same staff member cannot make, acquit and reconcile credit card payments.
- Multiple staff are required to be involved in approving and processing grant payments.
- One staff member orders assets from suppliers and another staff member confirms the delivery of the assets in the accounting system.
- One staff member records the payroll information in the system and another staff member verifies the calculation.
Purpose of this countermeasure
Staff or contractors can abuse their position of trust to process fraudulent requests or claims for themselves or another person. Staff or contractors can also be coerced to process fraudulent requests or claims for another person or entity, e.g. pressured to pay a fraudulent invoice.
Staff or contractors can also abuse their position of trust to access and disclose official information without authority.
Acting dishonestly or influencing a Commonwealth public official to commit fraud are offences under the Criminal Code Act 1995.
Allowing a single individual to complete multiple functions that should be segregated can lead to:
- fraudulent payments
- unauthorised access, manipulation or disclosure of information
- poor management of decision-making and risk.
For example, allowing a staff member to create a vendor, record an invoice, pay the invoice, and reconcile the payment can lead to the creation of fake vendors and fraudulent payments.
Fraudsters can also take advantage of unsegregated duties to conceal their activities.
This type of control is supported by:
- Legislation and Policy
- Procedural instructions or guidance
- Decision-making powers are clearly defined
- Declarations or acknowledgments
- A specific form, process or system must be used
- Identity is authenticated for each interaction
- Requests or claims must meet specific eligibility requirements
- Mandatory information is required to complete the request or claim
- Internal escalation procedures
- Requests, claims or processes are limited by parameters
- Prompts and alerts
- System or physical access controls
- User permissions
- Data protected from manipulation or misuse
- Sensitive information controls
- Requests or claims are processed by a limited number of staff
- Information is verified
- Ongoing compliance, performance and contract reviews
- Duplicates are prevented, identified and corrected
- Requests, claims or activities are approved by the appropriate decision-maker
- Privileged access restrictions and monitoring
- Change management processes
- System testing
- End of life processes
- Quality assurance checks
- Activity reporting
- Exception reporting
- Internal or external audits or reviews
- Automatic notification of high-risk activities and transactions
- Fraud detection programs
How do I know if my countermeasures are effective?
You can apply the following methods to measure the effectiveness of these types of countermeasures:
- Consult staff or subject matter experts about segregation of duties processes. Confirm they have a correct understanding of their purpose.
- Confirm the existence of segregation of duties within the system.
- Review procedures or guidance to confirm it clearly specifies where segregation of duties should apply.
- Obtain and review requirements for how duties should be segregated.
- Review processes for requesting user permissions. Confirm the request processes would identify conflicts in segregation of duties. Actively test processes if required.
- Confirm request and approvals processes are consistently applied.
- Confirm that someone cannot override or bypass segregation of duties, even when pressure or coercion is applied.
- Undertake quantitative and qualitative analysis of user permissions to confirm if a single individual can complete multiple functions that should be segregated.
- Review a sample of completed requests/claims to confirm that segregation of duties was applied on every occasion.
- Undertake vulnerability testing or a process walk-through to confirm that segregation of duties is enforced.
- Confirm the existence of a review and reconciliation process. Review the reports.
- Review any past access breaches to identify how they were allowed to occur.
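The permissions analysis and request-checking points above can be automated. The Python script below is an added example, not a tool from this site: it turns the duty pairs from this page's own examples into conflict rules, then reports users whose combined roles already breach a rule and checks whether a proposed role grant would introduce a new conflict. The roles, users and assignments are constructed sample data.

```python
"""SoD conflict analysis over user permissions (added example, not the site's own
tool). Conflict pairs come from this page's examples; roles and users are constructed."""

# Duties the page says must not sit with one person; "make, acquit and reconcile"
# credit card payments is modelled as three pairwise conflicts.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "process_invoice"}),
    frozenset({"make_card_payment", "acquit_card_payment"}),
    frozenset({"make_card_payment", "reconcile_card_payment"}),
    frozenset({"acquit_card_payment", "reconcile_card_payment"}),
    frozenset({"order_asset", "confirm_asset_delivery"}),
    frozenset({"record_payroll", "verify_payroll"}),
}

# Constructed role model: roles bundle duties, users hold roles.
ROLES = {
    "vendor_admin": {"create_vendor"},
    "accounts_payable": {"process_invoice", "make_card_payment"},
    "card_acquitter": {"acquit_card_payment"},
    "procurement": {"order_asset"},
    "asset_register": {"confirm_asset_delivery"},
    "payroll_officer": {"record_payroll"},
    "payroll_checker": {"verify_payroll"},
}
USERS = {
    "alice": {"vendor_admin", "accounts_payable"},  # can create vendors and pay them
    "bob": {"card_acquitter"},
    "carol": {"procurement"},
    "dave": {"payroll_officer"},
}

def effective_duties(user, users=USERS, roles=ROLES):
    """Union of the duties granted through all of a user's roles."""
    return set().union(*(roles[r] for r in users.get(user, set())))

def conflicts_in(duties):
    """Sorted list of conflicting duty pairs fully contained in one duty set."""
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= duties)

def audit_users(users=USERS, roles=ROLES):
    """Detective check: users whose combined roles already breach a rule."""
    found = {u: conflicts_in(effective_duties(u, users, roles)) for u in users}
    return {u: c for u, c in found.items() if c}

def check_request(user, new_role, users=USERS, roles=ROLES):
    """Preventive check on a permission request: conflicts the grant would add."""
    current = effective_duties(user, users, roles)
    after = conflicts_in(current | roles[new_role])
    return [c for c in after if c not in conflicts_in(current)]
```

Run `audit_users()` against an export of real role assignments for the quantitative review, and call `check_request()` from the permission request workflow so a conflicting grant is refused before it is made.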