Prevent Fraud Risk with Segregation of Duties
Why is it important?
This month an administrator for the Department of Emergency Medicine at Yale University pled guilty to defrauding the university of $40 million. And statistics from the last two years tell us that fraud cases are on the rise. A PwC report published in 2020 found that:
47% of companies experienced fraud in the past 24 months to a total of US$42 billion
For Yale, a $40 million loss is taken right off their bottom line. And what’s more, it was entirely preventable. That’s not to say that fraud prevention is easy. Risk management in enterprises is complex and requires dedicated teams and solutions. So, how does fraud like this occur? And what can we do to prevent it?
How does it happen?
As your organization grows, so does the need for greater efficiency in operations. This is usually when most organizations purchase a suite of applications: ERP, CRM, HCM, warehouse management, and supply chain management. While these applications increase productivity and reduce errors, they also give a far larger number of users the opportunity to gain access and control. And with the increased number of users comes an increased risk of fraud and error.
At Yale, the administrator who perpetrated the crime had the authority to make and authorize purchases for the department. This oversight left Yale vulnerable to almost a decade of illegal equipment purchasing and mismanagement of resources.
Segregation of Duties (SoD) is an internal control to prevent fraud, theft, misuse of information, and other security breaches. SoD accomplishes this by dividing the responsibilities of users to complete your business processes, so no one user has control over an entire process. SoD is the most effective approach to placing internal controls over your organization’s assets and preventing the kind of fraud seen at Yale. SoD serves a two-fold purpose:
It gives you oversight and review of access conflicts and control conflicts within your organization.
It helps you prevent fraud or theft, because hiding transactions and errors would require two people to conspire.
SoD controls provide a layer of checks and balances on the activities of your users and help you keep track of access violations. An SoD violation occurs when a user exploits an SoD risk by performing both ends of a separated business process to complete one or more transactions.
Technically, a violation occurs when users gain access to a point above their assigned level within the workflow. As in the case at Yale, the ability to enter vendor invoices and approve payment is an SoD violation. However, without comprehensive SoD policies and advanced analytics, detecting violations across thousands of applications can be extremely difficult to accomplish.
Limitations of Segregation of Duties
Many companies struggle to implement adequate SoD controls in their ERP systems even though the concept of SoD is simple. SoD roles, responsibilities, and access controls are difficult to define within your ERP. Below are the two most common reasons why SoD violations occur.
1. Hybrid Environments
Hybrid environments, meaning both on-premises and cloud applications, help support your organization’s digital transformation, but they also come with complexities. Your organization most likely uses several applications to complete a single business process. When you use both on-premises and cloud applications, SoD conflicts can emerge from cross-application workflows.
While knowing exactly who has what access is essential, many tools do not have an integrated solution that monitors access across all applications. Certain applications have built-in governance tools, but they are specific to that one application. Even with a single-application SoD tool, your organization is still vulnerable to cross-application SoD violations because there is no visibility between applications.
2. Changing roles and access
Organizations are not static. Employees enter, exit, and change jobs constantly. This means you need to continually add, modify, and delete their roles within your system. These endless changes require constant monitoring and updating. Keeping on top of all of them is a near-impossible feat, which leads to outdated roles and employees holding access they should no longer have.
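The three situations described above (a user holding both ends of a separated process such as invoice entry and payment approval, a conflict that only appears when entitlements from two applications are combined, and a job change that quietly introduces a new conflict) can all be checked with the same small rule engine. The code below is an added illustration, not SafePaaS code or any vendor's product; the application names, entitlement names, business functions, conflict rules and user assignments are constructed for the example.

```python
"""Minimal cross-application Segregation of Duties (SoD) check.

Added example, not the vendor's code. Every name below is constructed:
  - business functions are abstract steps such as "enter_vendor_invoice";
  - each application exposes entitlements that map onto those functions;
  - a conflict rule names two functions that no single person may hold.
"""

# Conflict matrix: pairs of business functions that must be separated.
CONFLICT_RULES = {
    ("enter_vendor_invoice", "approve_payment"): "Invoice entry vs. payment approval",
    ("create_vendor", "approve_payment"): "Vendor master maintenance vs. payment approval",
    ("create_purchase_order", "receive_goods"): "Ordering vs. receiving",
}

# Per application: entitlement (role/privilege) -> business function it grants.
# Two different applications can grant the same business function.
ENTITLEMENT_MAP = {
    "ERP": {  # hypothetical on-premises ERP
        "AP_INVOICE_ENTRY": "enter_vendor_invoice",
        "AP_PAYMENT_APPROVER": "approve_payment",
        "PO_BUYER": "create_purchase_order",
        "PO_RECEIVER": "receive_goods",
    },
    "CloudProcurement": {  # hypothetical cloud procurement service
        "supplier_admin": "create_vendor",
        "payment_release": "approve_payment",
    },
}


def functions_for(user_entitlements):
    """Map a user's entitlements to business functions.

    Returns {function: ["App:ENTITLEMENT", ...]} so a finding can say
    which application granted each half of a conflict.
    """
    functions = {}
    for app, entitlements in user_entitlements.items():
        for ent in entitlements:
            fn = ENTITLEMENT_MAP.get(app, {}).get(ent)
            if fn:
                functions.setdefault(fn, []).append(f"{app}:{ent}")
    return functions


def find_violations(user_entitlements):
    """Return one finding per conflict rule whose two functions the user both holds."""
    fns = functions_for(user_entitlements)
    findings = []
    for (a, b), description in CONFLICT_RULES.items():
        if a in fns and b in fns:
            sources = fns[a] + fns[b]
            apps = {src.split(":")[0] for src in sources}
            findings.append({
                "rule": description,
                "functions": (a, b),
                "granted_by": sources,
                # True when the conflict only exists across application boundaries,
                # which is exactly what a single-application tool cannot see.
                "cross_application": len(apps) > 1,
            })
    return findings


def new_violations(before, after):
    """Findings introduced by an access change (hire, transfer, role edit)."""
    existing = {v["functions"] for v in find_violations(before)}
    return [v for v in find_violations(after) if v["functions"] not in existing]


# Constructed sample assignments.
USERS = {
    "dept_admin": {"ERP": {"AP_INVOICE_ENTRY"}, "CloudProcurement": {"payment_release"}},
    "buyer": {"ERP": {"PO_BUYER"}},
}

if __name__ == "__main__":
    for user, access in USERS.items():
        for v in find_violations(access):
            scope = "cross-application" if v["cross_application"] else "single application"
            print(f"{user}: {v['rule']} ({scope}) via {', '.join(v['granted_by'])}")
    # Simulate a job change: the buyer is also given receiving rights.
    changed = {"ERP": {"PO_BUYER", "PO_RECEIVER"}}
    for v in new_violations(USERS["buyer"], changed):
        print(f"buyer after change: NEW violation {v['rule']}")
```

The point of keeping the rule set in terms of business functions rather than application roles is that the same rule catches the conflict whether both halves live in one ERP or are split between the ERP and a cloud service; adding a new application is a matter of extending the entitlement map, not rewriting the rules. Running `new_violations` on every access change is the cheap way to keep the constant churn of joiners, movers and leavers from silently accumulating conflicts between full reviews.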
Just to put the problem of SoD violations into context, SafePaaS has processed an eye-watering 444,607,107 SoD violations on our platform.
Every business faces the risk of unforeseen, harmful events. Fraud can potentially cost your organization millions. But there are also additional implications of fraud, such as harming your reputation and causing you to lose important clients. An SoD solution allows your organization to proactively prepare for the unexpected by setting internal controls. No one likes to think about risk prevention; we’d rather focus on revenue-generating opportunities and moving our organizations to the next level. Protecting your assets doesn’t have to be complicated or time-consuming with the right technology. SafePaaS is a reliable, scalable, and secure solution that protects your bottom line and reputation. Want to learn how SafePaaS can help?
How frequently should you run a Segregation of Duties analysis?
How frequently should we run a segregation of duties analysis? This is a question our customers often ask, and there is no single correct answer. The right frequency for a segregation of duties analysis varies based on your company’s situation.
How to select a Segregation of Duties tool
When it comes to SoD audit tools, you can either build your own in-house or choose between a few vendors currently on the market. But buyer beware, not all tools are created equal. Many of the "tools" on the market to assess your SoD controls only have the capability of running a report listing your violations. These tools do nothing to correct the violations they find or track your responses to those violations.
Segregation of Duties Assessment vs Management
During an audit cycle, companies are tasked with correcting these privilege conflicts. To do this, companies can opt for a one-time SoD assessment of their ERP security configuration or elect to acquire a continuous, self-service SoD management solution to handle the job permanently.