Segregation of Duties: A Simple Idea to Prevent Fraud
Board members and senior management are increasingly concerned about the quality of corporate governance within their organizations. At the end of 2024, the Association of Certified Fraud Examiners (ACFE) issued the 2024 Annual Occupational Fraud Report,[1] covering 1,921 cases of fraud across 138 countries which caused total losses of more than $3.1 billion. CFEs estimate that organizations lose around 5 percent of revenue to fraud each year.
Asset misappropriation schemes (asset requisitions and transfers, false sales and shipping, purchasing and receiving, and unconcealed larceny) were the most common but least costly schemes — 89 percent of cases with $120,000 median loss — while financial statement frauds were the least common but most costly — 5 percent of cases with $766,000 median loss.
The study also showed that nearly half of the cases (48 percent) involved some form of corruption, such as conflicts of interest (purchasing schemes and invoice kickbacks) or bribery (sales schemes and bid rigging). These cases caused a median loss of $200,000 per case. Notably, the longer a fraudster worked for an organization, the more costly their fraud, going from $50,000 median loss for employees with less than one year of tenure to a median loss of $250,000 for employees with 10 years or more in the organization.
The study highlighted how occupational fraudsters access and use an organization’s systems: creating fraudulent electronic documents or files (31 percent), altering electronic documents or files (28 percent), creating fraudulent transactions in the accounting system (19 percent), altering transactions in the accounting system (16 percent) and deleting or omitting transactions in the accounting system (13 percent). The study also highlighted that in 82 percent of the schemes, organizations have since modified their antifraud controls to prevent other frauds.
To counteract these fraudulent schemes, segregation of duties (SoD) can be a key factor in the prevention of fraud and manipulation within an organization. Common types of fraud can occur when there is no governance that establishes authorization limits and responsibilities for managing the organization.
These risks include:
- Misappropriation: If an employee has control over the authorization and execution of financial transactions, they could divert funds to personal accounts without being detected.
- Record Manipulation: If an employee has access to both the creation and approval of accounting records, they could manipulate the records to hide fraudulent activity.
- Conflict of Interest: If an employee is responsible for approving purchase orders or contracts and has personal or financial interests in a supplier, a conflict of interest could occur that leads to decisions being made that benefit the employee instead of the company.
- Overbilling: If an employee is responsible for both the request and approval of purchases and contracts, they could approve overpriced purchases from suppliers with whom they have an agreement.
Segregating functions can aid in mitigating risks of fraud by ensuring that no employee has absolute control over critical processes. Organizations can distribute responsibilities among different individuals or teams, creating a checks-and-balances system that makes it difficult for fraud to be carried out.
To make SoD effective, organizations need to translate their strategic vision into tactical and operational terms: concrete system controls and governance rules that the systems actually enforce.
SoD failures can result in other serious repercussions for an organization. These can include reputational damage, where fraud or mismanagement arising from inadequate SoD controls erodes trust among customers, investors and other stakeholders. Additionally, organizations may face legal and regulatory sanctions, including fines and other penalties if they fail to implement proper SoD measures. Operational inefficiency is another significant consequence, as the lack of SoD can lead to disorganized and ineffective processes that undermine productivity and overall effectiveness.
When SoD failures affect management systems — enterprise resource planning or legacy systems — there can be several consequences for the organization. Some scenarios in which fraud and deviations could occur, if established governance policies and controls are not properly reflected in the system’s environment, include:
- Lack of Independent Review: In the same process structure, when the employee executing a transaction also has access to review or approve it, errors or fraud can go unnoticed and be difficult to detect. An example might be the creation and approval of a new supplier in a company's supplier master file.
- Improper Access: Employees with access to critical systems without a genuine need can manipulate data or perform unauthorized transactions. As an example, if an employee in the finance function of a health company has access to the service system, they can create or delete records that affect the company's revenue.
- Combination of Incompatible Functions: A classic example is when the same employee is responsible for recording and reconciling financial transactions, allowing for the concealment of deviations. In this situation, identifying paid securities and outstanding securities may require a new financial reconciliation and even an audit.
- Lack of Continuous Monitoring: Without regular audits and continuous monitoring, SoD violations may not be detected in time, increasing the risk of fraud.
This is why implementing robust internal controls and conducting periodic assessments are essential measures to mitigate these risks. Organizations can adopt preventive controls that validate a transaction before it is completed, or adopt monitoring tools that check, after the fact, that a completed action is aligned with the governance policies the organization has adopted.
These factors are linked not only to the organization's ability to adapt and manage its internal control environment, but also to its risk appetite, its need for efficiency, and its history of fraud, deviations and operational errors. Organizations should align integrity and the strategic vision of the business with their internal governance controls.
Regulatory Context
SoD is addressed in several ISO standards, especially in the context of information security. Of note is ISO 27001, which in Control A.5.3[2] specifically addresses the segregation of duties as a measure to mitigate risks of fraud, errors and bypassing of security controls. It recommends that conflicting roles should be separated so that a single person does not have full control over a critical activity.
In the United States, SoD is a fundamental principle in various laws and regulations, especially those related to corporate governance and financial security, including:
- Sarbanes-Oxley Act (SOX): Enacted in 2002, SOX is one of the most important pieces of legislation that requires segregation of duties.[3] It is designed to protect investors by improving the accuracy and reliability of corporate disclosures. Section 404 requires organizations to implement robust internal controls, including segregation of duties, to ensure the integrity of financial reporting.
- Federal Information Security Management Act (FISMA): FISMA applies to federal agencies and requires those agencies to implement information security controls, including segregation of duties, to protect sensitive data and ensure the integrity of information systems.[4]
- Gramm-Leach-Bliley Act (GLBA): GLBA requires financial institutions to implement security measures to protect customer information. Segregation of duties is a best practice to ensure that customer data is protected from unauthorized access and misuse.[5]
- Health Insurance Portability and Accountability Act (HIPAA): HIPAA requires healthcare organizations to implement administrative, physical and technical safeguards to protect patients' health information. Segregation of duties is a key instrument, ensuring that no professional has complete control over critical processes involving sensitive data.[6]
In Europe, SoD is a fundamental principle in various laws and regulations, especially in the context of corporate governance and information security. Some examples include:
- General Data Protection Regulation (GDPR): GDPR requires organizations to implement appropriate technical and organizational measures to protect personal data. Segregation of duties is one of them, ensuring that different people or teams are responsible for different aspects of data processing, reducing the risk of unauthorized access and misuse.[7]
- NIS (Network and Information Security) Directive: The NIS Directive requires operators of essential services and digital service providers to implement appropriate security measures, including segregation of duties, to protect critical infrastructure from cyberattacks and other threats.[8]
- Financial Sector Regulations: Various regulations, such as the Markets in Financial Instruments Directive (MiFID II)[9] and the Capital Requirements Directive (CRD IV),[10] require the implementation of robust internal controls, including segregation of duties, to ensure the integrity and transparency of financial operations.
- Corporate Governance Standards: Many European countries have corporate governance codes that recommend segregation of duties as a good governance practice. These codes aim to ensure that supervision, enforcement and control responsibilities are clearly separated to prevent conflicts of interest and fraud.
These regulations highlight the importance of SoD as an essential measure to prevent fraud, protect sensitive data and ensure regulatory compliance.
Regulations such as these are the reason why organizations began to improve their systems’ controls. Besides improving efficiency and performance, structuring segregation of duties in systems is crucial to ensure the safety and integrity of processes.
Organizations should consider carrying out the following activities:
- Identify Critical Functions:
  - List all roles and responsibilities within the system.
  - Identify the roles that have the highest risk of fraud or error if they are not segregated.
- Define Roles and Responsibilities:
  - Create clear descriptions of the responsibilities attached to each role.
  - Ensure that no employee has complete control over every step of a critical process.
- Implement Access Controls:
  - Utilize role-based access control (RBAC) systems so that users are granted only the roles their tasks require.
  - Regularly review access privileges to avoid improper accumulation of permissions.
- Segregate Functions in the Software:
  - Configure software to require multiple approvals for critical transactions.
  - Use audit logs to monitor and record all user activity.
- Ongoing Review and Monitoring:
  - Conduct periodic audits to ensure that SoD is being maintained.
  - Utilize monitoring tools to detect and alert on potential SoD violations.
- Training and Awareness:
  - Train employees on the importance of SoD and how it is applied in systems.
  - Foster a culture of compliance and accountability within the organization.
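The supplier creation-and-approval scenario described earlier and the RBAC, audit-log and monitoring steps in the list above can both be checked mechanically. The following is an added example, not code from the article or the ACFE report: a static check of role assignments against a conflict matrix, plus a transactional check over audit-log lines that catches a self-approval even when the role model looks clean. The role names, conflict matrix, users and log lines are all constructed for illustration.

```python
from collections import defaultdict

# Constructed conflict matrix: role pairs the text treats as incompatible
# (create/approve a supplier, request/approve a purchase, record/reconcile).
CONFLICTS = {
    frozenset({"vendor_create", "vendor_approve"}),
    frozenset({"po_request", "po_approve"}),
    frozenset({"gl_post", "gl_reconcile"}),
}

def role_conflicts(assignments):
    """Static RBAC check. `assignments` maps user -> set of role names.
    Returns sorted (user, role_a, role_b) for every incompatible pair held."""
    findings = []
    for user, roles in assignments.items():
        for pair in CONFLICTS:
            if pair <= roles:  # user holds both roles of the pair
                role_a, role_b = sorted(pair)
                findings.append((user, role_a, role_b))
    return sorted(findings)

def self_approvals(log_lines):
    """Transactional check over audit lines 'ts|user|action|object|id'.
    Flags records whose create and approve events came from the same
    user (Lack of Independent Review). Returns sorted (object, id, user)."""
    events = defaultdict(dict)  # (object, id) -> {action: user}
    for line in log_lines:
        _ts, user, action, obj, oid = line.strip().split("|")
        events[(obj, oid)][action] = user
    return sorted(
        (obj, oid, acts["create"])
        for (obj, oid), acts in events.items()
        if "create" in acts and acts["create"] == acts.get("approve")
    )

# Constructed sample data: carol holds both vendor roles and uses them.
SAMPLE_ASSIGNMENTS = {
    "alice": {"vendor_create", "po_request"},
    "bob": {"vendor_approve", "po_approve"},
    "carol": {"vendor_create", "vendor_approve"},
}
SAMPLE_LOG = """\
2025-04-01T09:00|alice|create|vendor|V-1001
2025-04-01T10:15|bob|approve|vendor|V-1001
2025-04-02T11:30|carol|create|vendor|V-1002
2025-04-02T11:31|carol|approve|vendor|V-1002
2025-04-03T08:00|alice|create|po|PO-77
""".splitlines()
```

Running both checks over the sample data flags carol once in each: the role conflict is the preventive finding, the self-approved vendor V-1002 is the monitoring finding that an audit of the supplier master file would surface.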
What are the main challenges?
Implementing SoD poses several challenges for organizations. Limited resources are often a major obstacle, as small, medium and even large businesses may lack sufficient staff to effectively segregate duties. This shortage can result in work overload and difficulties in establishing strong controls.
Process complexity is another significant challenge, particularly for large and complex organizations. Mapping out all roles and responsibilities can be a daunting task. Intricate processes can make it hard to identify conflicting roles and establish appropriate controls.
Employee resistance to change can further complicate SoD implementation. Changes in processes, assignments and responsibilities may be met with pushback, especially if change involves redistributing tasks or reducing individual control over certain activities.
The cost of implementation can also be prohibitive. Establishing effective SoD measures may require significant investments in access control systems, employee training and regular audits. Depending on the maturity of the organization, these expenses might present a major hurdle.
In environments with multiple IT systems, maintaining segregation of duties across all platforms is another challenge. Systems integration may demand complex technical solutions to ensure cohesive and effective controls.
Moreover, SoD is not a one-time endeavor; it requires continuous maintenance and adjustments. Changes in organizational structure, employee roles or processes may necessitate ongoing updates to SoD controls, highlighting the need for consistent monitoring.
Lastly, regulatory compliance adds further complexity. Industries vary in their regulatory requirements and ensuring that SoD adheres to all relevant regulations can be particularly challenging for organizations operating across multiple jurisdictions.
Overcoming these challenges requires careful planning, commitment from senior management and a systematic approach to implementing and maintaining SoD. Organizations should be aware of employee activities, understand how responsibilities and controls are distributed across the organization, and have insight into the organization’s overall risk profile.
Read Past Raising the Bar Issues
[1] “Occupational Fraud 2024: Report to the Nations,” Association of Certified Fraud Examiners, https://www.acfe.com/-/media/files/acfe/pdfs/rttn/2024/2024-report-to-the-nations.pdf
[2] Max Edwards, “ISO 27001:2022 Annex A 5.3 – Segregation of Duties,” Information Security Management Systems Online, January 27, 2025, https://www.isms.online/iso-27001/annex-a/5-3-segregation-of-duties-2022/
[3] “Sarbanes-Oxley Act of 2002,” Public Law 107–204, July 30, 2002, https://pcaobus.org/About/History/Documents/PDFs/Sarbanes_Oxley_Act_of_2002.pdf
[4] “Cybersecurity Act of 2023,” Congress.gov, https://www.congress.gov/bill/118th-congress/senate-bill/2251/text
[5] “Gramm Leach Bliley Act,” Public Law 106-102, Federal Trade Commission, https://www.ftc.gov/legal-library/browse/statutes/gramm-leach-bliley-act
[6] “Health Insurance Portability and Accountability Act (HIPAA) Compliance,” National Institutes of Health, National Library of Medicine, https://www.ncbi.nlm.nih.gov/books/NBK500019/
[7] “General Data Protection Regulation,” Intersoft, Accessed April 14, 2025, https://gdpr-info.eu/
[8] “The NIS 2 Directive | Updates, Compliance,” NIS 2 Directive, November 21, 2024, https://www.nis-2-directive.com/
[9] “Markets in Financial Instruments Directive II,” European Securities and Markets Authority, May 15, 2014, https://www.esma.europa.eu/publications-and-data/interactive-single-rulebook/mifid-ii
[10] “Capital Requirements Directive IV and Capital Requirements Regulation,” Europex, January 1, 2024 (CRR), November 1, 2024 (CRD IV), https://www.europex.org/eulegislation/crd-iv-and-crr/