Segregation of duties
Summary
Separate duties by allocating tasks and associated privileges for a business process to multiple staff. This is very important in areas such as payroll, finance, procurement, contract management and human resources. Systems help to enforce the strong separation of duties. This is also known as segregation of duties.
Why this countermeasure matters
Allowing a single person to perform all or multiple tasks within some processes may lead to:
- fraudulent payments
- unauthorised access, manipulation or disclosure of information
- poor management of decision-making and risk
- fraudulent requests or claims being processed
- the creation of fake vendors and fraudulent payments
- fraudsters concealing their activities.
How to put this countermeasure in place
Some ways to implement this countermeasure include:
- not allowing the same person to create and maintain vendor records as well as process invoices
- not allowing the same person to use a credit card as well as acquit and reconcile credit card payments
- not allowing the same person to approve grants as well as process grant payments
- not allowing the same person to order assets from suppliers as well as confirm the delivery of the assets in the accounting system
- not allowing the same person to record payroll information in the system as well as verify the calculation and reconcile records.
How to check if your countermeasures are effective
Here are some ways to measure the effectiveness of this type of countermeasure:
- consult staff or subject matter experts about separating duties and processes, and confirm they have a correct understanding of their purpose
- confirm the existence of separation of duties within the system
- obtain and review requirements for how duties should be separated
- review procedures or guidance to confirm it clearly specifies where separation of duties should apply
- review processes for requests for user permissions. Confirm the request processes identify conflicts in separation of duties. Actively test processes if required
- confirm request and approvals processes are consistently applied
- confirm that someone cannot override or bypass separation of duties even when pressure or coercion is applied
- review reports of user permissions to confirm if a single person can complete multiple functions that should be separated
- review a sample of completed requests/claims to confirm the separated of duties were applied
- undertake ‘pressure testing’ or a process walk-through to confirm that separation of duties are enforced
- confirm the existence of a review and reconciliation process and review the reports.
- review any past access breaches to identify how they occurred.
Related countermeasures
Limit and control functionality within systems with user permissions. Assign permissions to users based on specific business needs, such as making high-risk functions limited to specialised users. The Protective Security Policy Framework sets out the government protective security policies that support this countermeasure.
Personal and government information is highly sought after by fraudsters and organised criminals. The way data is collected and stored can also change the scale and impact of a potential breach.
To better protect personal information, the minimal data required for a transaction should be collected, used and retained.
Make sure sensitive or official information cannot leave your entity's network without authority or detection.
Only allow certain types of claims to be processed by staff with a specific type of user permission or skillset.
Use system workflows to make sure all requests, claims or activities are approved only by the appropriate decision-maker.
Clearly document decision-makers using delegations, authorisations and instructions. Clearly defined decision-making powers increase transparency and reduce the opportunity for fraud and corruption.
Have processes in place to prevent, identify and correct duplicate records, identities, requests or claims.
Limit and monitor privileged system accesses (those that allow staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including to restrict administrative privileges.