This is one of the 52 terms in The Language of Cybersecurity, published by XML Press in 2018; the contributor for this term is Ron LaPedis.
What is it?
A strategy that helps reduce fraud and error by assigning two or more parts of a transaction to separate individuals. For example, the same person should not be able to enter an invoice then approve payment.
Why is it important?
Separation of duties (SoD) (also known as segregation of duties) prevents the same person from performing two or more parts of a transaction that would be susceptible to error or fraud if performed by one person. Fraud perpetrated through the lack of internal controls can lead to the loss of money, reputation, and market share as well as risking fines from regulators and, perhaps ultimately, the shutdown of the organization.
Why does a business professional need to know this?
In its 2017 annual report, power and robotics firm ABB Robotics said losses from fraud at its South Korean unit would total $73 million. Managers failed to maintain sufficient segregation of duties in its treasury unit and failed to keep the signature seals (used in many Asian countries) secure, allowing a single employee to bind the company to unauthorized financial contracts.
In a 2016 case, an employee of a federal credit union embezzled $1,945,000 from her employer over a 15-year period by removing cash from the vault and placing it in her purse. She deposited some of the cash into credit union accounts she controlled and took the remainder of it for personal expenses. She manipulated the credit union’s books and records to cover up her crime.
In both of these cases, appropriate separation of duties could have stopped the fraudulent activities. Appropriate separation of duties requires measures such as the following:
- One person to enter an invoice and a second to approve payment
- One person to receive and log a payment, another to deposit it, and a third to reconcile payments against deposits
- Two signatures on a check
- Two keys to a safe deposit box
- Two passwords to approve an electronic funds transfer
- One person to create or update content, another to edit, and a third to approve for publication
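As an added illustration (not from the book or its contributor), the following Python models two of the controls listed above: a preventive check that refuses to let the person who entered an invoice also approve it, and a detective audit over a constructed payment log that flags any transaction in which one user performed more than one of the receive, deposit and reconcile steps. All user names and transaction identifiers are constructed.

```python
from collections import defaultdict

# Constructed sample log: each record is (transaction_id, step, user_id).
# The three-step flow from the text: one person receives/logs a payment,
# another deposits it, and a third reconciles payments against deposits.
PAYMENT_LOG = [
    ("P-1001", "receive", "alice"), ("P-1001", "deposit", "bob"), ("P-1001", "reconcile", "carol"),
    ("P-1002", "receive", "dave"), ("P-1002", "deposit", "dave"), ("P-1002", "reconcile", "carol"),
    ("P-1003", "receive", "erin"), ("P-1003", "deposit", "bob"), ("P-1003", "reconcile", "erin"),
]


class SoDViolation(Exception):
    """Raised when one identity would hold two conflicting parts of a transaction."""


class InvoiceWorkflow:
    """Preventive control: the approver of an invoice must differ from whoever entered it."""

    def __init__(self):
        self._invoices = {}  # invoice_id -> {"entered_by": user, "approved_by": user or None}

    def enter(self, invoice_id, entered_by):
        if invoice_id in self._invoices:
            raise ValueError(f"{invoice_id} has already been entered")
        self._invoices[invoice_id] = {"entered_by": entered_by, "approved_by": None}

    def can_approve(self, invoice_id, approver):
        # The SoD rule itself: entering and approving are two parts of one transaction.
        return approver != self._invoices[invoice_id]["entered_by"]

    def approve(self, invoice_id, approver):
        if not self.can_approve(invoice_id, approver):
            raise SoDViolation(f"{approver} entered {invoice_id} and may not approve it")
        self._invoices[invoice_id]["approved_by"] = approver
        return dict(self._invoices[invoice_id])


def find_sod_violations(log):
    """Detective control: return {transaction_id: [(user, [steps])]} for every
    transaction in which a single user performed more than one step."""
    steps = defaultdict(lambda: defaultdict(set))  # txn -> user -> {steps performed}
    for txn_id, step, user in log:
        steps[txn_id][user].add(step)
    violations = {}
    for txn_id, by_user in steps.items():
        for user, done in by_user.items():
            if len(done) > 1:
                violations.setdefault(txn_id, []).append((user, sorted(done)))
    return violations
```

Running `find_sod_violations(PAYMENT_LOG)` flags P-1002 (dave both received and deposited) and P-1003 (erin both received and reconciled), while P-1001 passes because three different people handled the three steps.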
In many Asian countries, a seal or chop is the accepted way of signing a contract on behalf of a company. If separation of duties is properly implemented, using the seal requires two people to retrieve it from a dual-key or dual-combination safe, and two people to witness and sign off on any document to which the seal is applied.
One person should never be able to remove cash from a vault and then update paper and electronic records to cover up his or her tracks. Whenever money is moved, there should be at least two people involved to help prevent fraud due to lack of SoD controls.