SoD conflicts and violations: how to prevent them?


In 2018, a former VP of IT at the Alberta Motor Association pled guilty to defrauding his ex-employer out of more than $8 million. In a huge segregation of duties (SoD) conflict, he was able to both submit and pay invoices, so he created fake vendors and paid their invoices into his own account. SoD conflicts don’t always lead to a violation like this fraud, but they do increase the risk. In this piece, learn how to maintain internal control, and how to identify and prevent SoD failings. Plus, complement your strategy with the ultimate payment fraud prevention tool: Trustpair.


What is an SoD conflict?

Segregation of duties (SoD) is an internal control designed to prevent both mistakes and fraud. It divides a process (typically in the finance department) into steps that are assigned to different people, so that no single person can initiate, approve, execute and record a transaction on their own.

An SoD conflict exists when one individual holds the access needed to perform more than one of these steps. The cause is not always malicious: it can simply be that the team is busy and the only available person has already completed an earlier step.

For example, an employee who approves a purchase order in the procure-to-pay process should not also be able to receive the goods and pay the invoice. Otherwise, a perpetrator could set up a fictitious supplier and approve a payment to themselves.

Left unchallenged, SoD conflicts turn into violations (the distinction between the two is explained below), and they can be very dangerous. An employee with conflicting access could:

  • gain access to (or change) parts of the workflow they’re not supposed to
  • exploit the payments system to pay invoices to themselves
  • make mistakes on client accounts

Organizations should therefore take a zero-tolerance approach to critical SoD conflicts. This becomes even more pertinent for organizations subject to regulations such as the Sarbanes-Oxley Act (SOX), whose internal-control requirements are not optional: ignoring them can eventually lead to fines, or even imprisonment.

 

An example: SAP SoD conflicts

SAP is a very popular software system for business workflows such as accounting. Its authorization model is granular, but nothing in it prevents an administrator from bundling conflicting transactions into one role, or from assigning conflicting roles to one user. Without deliberate configuration of access controls, organizations that use SAP can expose their operations to SoD conflicts, and to the potentially disastrous financial and reputational consequences that follow.

One example from SAP’s payment processing is payment card acceptance. SAP will not accept a card payment without an authorization from outside the system: it obtains a real-time authorization from the payment processor to confirm that the payment method is legitimate before the transaction goes through.

Without that external step, the business alone would be responsible for validating the payment (or, worse, might not validate it at all), leaving the door open for fraudulent customers or third parties to take advantage. Delegating the authorization to an external partner is itself a separation of duties, and it limits the damage the business can suffer.

Maintaining internal control

Fortunately, SAP’s governance, risk and compliance (GRC) suite, specifically SAP GRC Access Control, can help you identify and prevent SoD risks.

In SAP GRC, a function groups the transactions and authorizations that make up one duty, such as accounts payable processing or vendor master data maintenance, and a risk is defined as a conflicting combination of functions. From those risk definitions the system generates its rule set, which it then uses to scan users and roles for conflicting combinations of transactions and permissions.

Here’s an example of that workflow:

  1. Identify: a potential conflict if the same individual is given access to payment approvals and bank reconciliations
  2. Risk: they could abuse their responsibilities, approve a payment to a rogue bank account and hide it within the bank reconciliation reports
  3. Solution: define the combination as a risk so that the rule set flags any user or role holding both. Remove one of the two assignments, or, where the business genuinely cannot split the duties, document a mitigating control (such as an independent review of the reconciliations). Running the same risk analysis when access is requested blocks the conflicting assignment before it is granted.

By creating risk rules for every identified SoD conflict, you can bring down the risk of incompatible duties being combined. But be prepared to invest both time and effort to protect your assets, operations and customers: one SAP community member reported a violation count of 50,000 when they began transforming the risk rules, and it took approximately two years (on a part-time basis) to reduce this number to zero.

 

What’s the difference between SoD conflicts and SoD violations?

SoD conflicts are the latent risk: one individual holds more than one incompatible responsibility in a workflow. Finding them is the preventive side of a fraud detection strategy. For example, a store manager who counts the inventory and also has access to the stock records and the ordering system holds a conflict, even though no fraudulent event has occurred yet.

On the other hand, SoD violations happen when the risks are realized and the events are discovered. In the same example as above, a violation would describe a store manager who:

  1. Counted the inventory
  2. Recorded less stock in the inventory than was really there
  3. Took home the extra stock and sold it for their own gain
  4. Ordered more and repeated the process

The relationship between SoD conflicts and violations is therefore simple: a violation is not possible without a conflict. Institutions should focus on removing every conflict of duties they can, and introducing compensating controls for the ones they cannot, in order to prevent violations effectively.

 

How to identify an SoD conflict?

Identifying separation of duties conflicts begins with the identification of transactional tasks within any process.

Doing this manually requires a large time investment, so we recommend an automated system that reports the tasks, and who can perform each of them, into a matrix. The next step is highlighting the overlaps: the tasks that should not be completed by the same individual.

In the procurement process, for example:

  • If you approve a new vendor, you cannot also be the one who validates that supplier’s credentials
  • If you approve an invoice, you cannot also pay it (because of invoice fraud risks)

A matrix of this kind documents the rules that prevent conflicts of interest. On its own, though, it depends on employees following those rules and the internal procedures for fraud prevention.

A much more reliable way to prevent SoD violations (and stop malicious employees) is to enforce the matrix in the systems themselves, by limiting each user’s access to what their responsibilities require. For example, the individual who approves invoices has no access to the payment software and no ability to create user accounts in it.

 

4 ways to prevent SoD conflicts

Here are four tips to prevent SoD conflicts:

  1. Define roles and responsibilities
  2. Information access requests
  3. Record access for audit
  4. Use fraud prevention software

Define roles and responsibilities

As new employees are onboarded, define their responsibilities and derive their access rights from them. Roles change from time to time, however, and new access rights are often granted without removing older, conflicting ones. And even if the employee never misuses their access, the conflict is still a risk if their account is compromised.

Defining roles and responsibilities prevents SoD conflicts only when access rights are tied to those roles and reviewed whenever they change, with stale rights removed. Regular monitoring is required as roles evolve, which is when automating the identification of SoD conflicts comes in handy.

Information access requests

A structured workflow for access requests will help to prevent SoD conflicts. Platforms like SailPoint and Espressive can automate approval requests for access, even when multi-level approval is required. The request goes to the appropriate approver with the security context they need for an ‘approve’ or ‘deny’; that context should include whether the requested access would conflict with what the requester already holds, so the approver is not rubber-stamping a new conflict.
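As an added illustration, the Python script below is example code written for this article, not SAP GRC’s or any IGA platform’s own code. It takes the kind of duty-level conflict matrix described in the identification section above, derives the role-level matrix from it, scans users for conflicts they hold through combinations of roles (the “new rights granted without removing old ones” problem), and simulates an access request before it is approved, which is the check an approval workflow should surface. All duty names, role names and user assignments are constructed for the example.

```python
"""SoD conflict analysis: duty matrix -> role matrix -> user scan -> request simulation."""
from itertools import combinations

# Conflict matrix: pairs of duties that must never be held by one person, with the
# risk each pair represents. Duty names are constructed for this example.
SOD_RULES = {
    ("approve_invoice", "execute_payment"): "approve and pay a fictitious invoice",
    ("create_vendor", "execute_payment"): "create a fake vendor and pay it",
    ("approve_payment", "bank_reconciliation"): "hide a rogue payment in the reconciliation",
    ("count_inventory", "record_inventory"): "understate stock and divert the difference",
}

# Roles grant duties (in SAP GRC terms, a function groups the transactions for one duty).
ROLE_DUTIES = {
    "AP_CLERK": {"enter_invoice"},
    "AP_APPROVER": {"approve_invoice", "approve_payment"},
    "TREASURY": {"execute_payment"},
    "VENDOR_ADMIN": {"create_vendor"},
    "CONTROLLER": {"bank_reconciliation"},
    "STORE_MANAGER": {"count_inventory", "order_stock"},
    "STORE_CLERK": {"record_inventory"},
}

# Current assignments (constructed). bob and dave hold conflicts through role combinations.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_APPROVER", "TREASURY"},
    "carol": {"CONTROLLER"},
    "dave": {"STORE_MANAGER", "STORE_CLERK"},
}


def conflicts_in(duties, rules=SOD_RULES):
    """Return [(duty_pair, risk)] for every rule whose two duties are both in `duties`."""
    index = {tuple(sorted(pair)): risk for pair, risk in rules.items()}
    found = []
    for pair in combinations(sorted(duties), 2):  # sorted input -> pairs match index keys
        if pair in index:
            found.append((pair, index[pair]))
    return found


def duties_for(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Flatten a user's roles into the set of duties they can actually perform."""
    duties = set()
    for role in user_roles.get(user, ()):
        duties |= role_duties.get(role, set())
    return duties


def toxic_roles(role_duties=ROLE_DUTIES, rules=SOD_RULES):
    """Roles that carry a conflict on their own: these must be split before anyone gets them."""
    return sorted(r for r, d in role_duties.items() if conflicts_in(d, rules))


def conflicting_role_pairs(role_duties=ROLE_DUTIES, rules=SOD_RULES):
    """Role-level matrix: role pairs whose combination introduces a conflict that neither
    role carries by itself, i.e. pairs that must never be assigned to the same person."""
    pairs = []
    for r1, r2 in combinations(sorted(role_duties), 2):
        own = {p for p, _ in conflicts_in(role_duties[r1], rules)}
        own |= {p for p, _ in conflicts_in(role_duties[r2], rules)}
        combined = conflicts_in(role_duties[r1] | role_duties[r2], rules)
        if any(p not in own for p, _ in combined):
            pairs.append((r1, r2))
    return pairs


def user_conflicts(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES, rules=SOD_RULES):
    """Conflicts a user currently holds, whichever roles they come from."""
    return conflicts_in(duties_for(user, user_roles, role_duties), rules)


def scan_all_users(user_roles=USER_ROLES, role_duties=ROLE_DUTIES, rules=SOD_RULES):
    """Periodic review: every user with at least one conflict, for remediation or mitigation."""
    report = {}
    for user in sorted(user_roles):
        found = user_conflicts(user, user_roles, role_duties, rules)
        if found:
            report[user] = found
    return report


def would_conflict(user, new_role, user_roles=USER_ROLES, role_duties=ROLE_DUTIES,
                   rules=SOD_RULES):
    """Pre-approval check for an access request: the conflicts that granting `new_role`
    would introduce on top of what the user already holds (existing ones are not repeated)."""
    already = {p for p, _ in user_conflicts(user, user_roles, role_duties, rules)}
    after = duties_for(user, user_roles, role_duties) | role_duties.get(new_role, set())
    return [(p, risk) for p, risk in conflicts_in(after, rules) if p not in already]


if __name__ == "__main__":
    print("toxic roles:", toxic_roles())
    print("role pairs that must not be co-assigned:", conflicting_role_pairs())
    for user, found in scan_all_users().items():
        for pair, risk in found:
            print(f"CONFLICT {user}: {pair[0]} + {pair[1]} -> could {risk}")
    print("carol + AP_APPROVER would add:", would_conflict("carol", "AP_APPROVER"))
    print("alice + TREASURY would add:", would_conflict("alice", "TREASURY"))
```

Run as-is it reports bob (approve_invoice plus execute_payment, via two separate roles) and dave (count_inventory plus record_inventory), and shows that granting carol AP_APPROVER would create a payment-approval/reconciliation conflict while granting alice TREASURY would not. The role-level matrix is what a provisioning system can enforce cheaply; the user-level scan is what catches drift after roles have changed.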

Record access for audit

One deterrence measure for SoD conflicts is through record-keeping. When employees know that their every move inside a digital platform will be logged and kept for review, they’re less likely to abuse their roles and responsibilities.

A good log storage system paired with regular auditing are both required for this measure to actually deter bad actors rather than waste resources. The logs must also be protected from the people they cover: an employee who can edit or delete the audit trail of their own actions holds yet another SoD conflict.
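As an added example of the detective side, the script below is example code written for this article and runs over a constructed audit export, not a real ERP’s log format. It reads CSV audit records and flags cases where the same account carried out two incompatible actions on the same business object, as in the payment-approval and store-inventory scenarios above. Because it works from what actually happened rather than from the access model, a shared account, a compromised account or a stale entitlement all surface the same way. The CSV columns, action names and case identifiers are assumptions for the example.

```python
"""Detect SoD violations (not just conflicts) from an audit trail."""
import csv
import io
from collections import defaultdict

# Constructed audit export (not from a real system): one row per logged action.
# `case` is the business object the action applies to (an invoice, a stock count, ...).
AUDIT_LOG = """\
ts,user,action,case
2024-03-01T09:02:11Z,alice,enter_invoice,INV-1001
2024-03-01T10:15:40Z,bob,approve_invoice,INV-1001
2024-03-01T10:16:02Z,bob,execute_payment,INV-1001
2024-03-02T08:30:00Z,alice,enter_invoice,INV-1002
2024-03-02T11:05:13Z,bob,approve_invoice,INV-1002
2024-03-02T14:20:45Z,erin,execute_payment,INV-1002
2024-03-03T16:45:09Z,dave,count_inventory,STORE7-2024W09
2024-03-03T16:50:31Z,dave,record_inventory,STORE7-2024W09
"""

# Action pairs that must not be performed by one person on the same case.
INCOMPATIBLE_ACTIONS = [
    ("approve_invoice", "execute_payment"),
    ("create_vendor", "execute_payment"),
    ("count_inventory", "record_inventory"),
]


def parse_log(text):
    """Parse the CSV export into a list of dicts keyed ts/user/action/case."""
    return list(csv.DictReader(io.StringIO(text)))


def actions_by_case_and_user(events):
    """(case, user) -> {action: timestamp of the first time that user did it on that case}."""
    index = defaultdict(dict)
    for e in events:
        index[(e["case"], e["user"])].setdefault(e["action"], e["ts"])
    return index


def find_violations(events, rules=INCOMPATIBLE_ACTIONS):
    """One record per (case, user, rule) where the same user performed both actions.
    ISO-8601 UTC timestamps compare correctly as strings, so min/max give the time span."""
    violations = []
    for (case, user), actions in sorted(actions_by_case_and_user(events).items()):
        for a, b in rules:
            if a in actions and b in actions:
                violations.append({
                    "case": case,
                    "user": user,
                    "actions": (a, b),
                    "first": min(actions[a], actions[b]),
                    "last": max(actions[a], actions[b]),
                })
    return violations


def repeat_offenders(violations):
    """Users with more than one violation: the 'ordered more and repeated the process' pattern."""
    counts = defaultdict(int)
    for v in violations:
        counts[v["user"]] += 1
    return sorted(u for u, n in counts.items() if n > 1)


if __name__ == "__main__":
    found = find_violations(parse_log(AUDIT_LOG))
    for v in found:
        print(f"VIOLATION {v['case']}: {v['user']} did {v['actions'][0]} and "
              f"{v['actions'][1]} between {v['first']} and {v['last']}")
    print("repeat offenders:", repeat_offenders(found))
```

On the sample trail it flags INV-1001 (bob approved and paid the same invoice, 22 seconds apart) and the store count (dave both counted and recorded the stock), and correctly ignores INV-1002, where approval and payment were done by two different people. Two limits are worth keeping in mind: this check only sees actions attributed to one account, so collusion between two employees, or a batch user executing the payment on someone’s behalf, needs a different correlation; and it is only as trustworthy as the audit trail, which is why the log must be write-protected from the users it covers.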

Use fraud prevention software

The segregation of duties is a powerful internal control, but it doesn’t 100% guarantee the prevention of internal malicious actions. Instead, pairing SoD with a dedicated fraud prevention platform, such as Trustpair, can significantly strengthen your protection against fraudulent or suspicious activity.

Trustpair works through automated account validation: verifying that your third parties are who they say they are, and that their banking information matches. It addresses internal fraud born from SoD conflicts by preventing employees from changing a supplier’s bank details to their own and sending money to themselves, automatically blocking the payment from leaving your account.

To conclude: preventing SoD conflicts efficiently

Segregation of duties conflicts give one individual too much control over transactional processes, leaving the door open for them to abuse their privileges. Identify and prevent SoD conflicts by defining roles, recording access and creating approval workflows. Use Trustpair’s fraud prevention software as a secondary barrier against fraud.


FAQ

One example of an SoD conflict involved a bank manager in Canada who was able to falsify customer loans for his own benefit. He was sentenced in 2004 for stealing almost $16 million from his employer.

Had loan creation and loan approval been segregated, so that the manager could not do both, he could not have carried out the fraud on his own.

An example of the segregation of duties is separating the following tasks to different employees:

  • Collecting the cash in a till
  • Counting the cash
  • Storing the cash
  • Reconciling the accounts