Millions Lost Due to Segregation of Duties Failings
In 2016, the Alberta Motor Association (AMA) filed a large-scale lawsuit against its former vice-president of information technology (IT) after it discovered he allegedly defrauded the company $8.2 million over a period of three years—one of the top five most costly cases of fraud to hit the province in 20 years.
In what appears to be an absence of segregation of duties (SoD), the employee was the only individual with authority to approve payments for goods and services invoices for the AMA’s IT department.
The AMA alleged that the worker devised a fraud scheme whereby he created false invoices for amounts ranging from $30,000 to $450,000 USD. It also involved funds being transferred electronically to banks in the U.S.
2018 Update: The former VP of IT pleaded guilty to fraud and was sentenced to five years in prison. In an agreed statement of facts, the accused submitted and approved 55 fraudulent invoices to the AMA. In 34 of the 55 invoices, the AMA was directed to make payments to bank accounts operated by the accused but under different names.
AMA has recovered about $3 million of the $8 million identified in these criminal proceedings. The accused is said to have used the proceeds of his fraud scheme to purchase homes in Edmonton and Scottsdale, Arizona, a Sea-Doo, an ATV and a trailer. In AMA’s lawsuit against the accused, the court has ordered the former employee to pay the AMA $10.2 million.
Segregation of Duties Failure in Edmonton
Following on the heels of the civil lawsuit, the Edmonton police have also begun a criminal investigation into the matter, which comes 14 years after one of the biggest cases of bank fraud in Canada’s history.
In this situation, an Edmonton banker was found to have stolen almost $16 million from the branch of a bank he managed by falsifying loans to non-existent customers—yet another case where appropriate SoD would have been beneficial.
The banker went on to plead guilty to 63 counts of fraud over $5,000 and was sentenced to more than seven years in prison. Just over $7 million of the funds were recouped by a court-appointed receiver.
Push for Stronger Segregation of Duties Policies
In the case of the fraud scheme that impacted the AMA, stronger SoD are required to avoid this type of fraud going forward. Segregation of duties is an essential internal control that helps deter fraudsters by reducing the number of opportunities for abuse.
According to the Risk Unit at Marquette University, segregation of duties is one of the most effective internal controls. To be effective, no one person should be responsible for doing everything and authorization, recording, and custody of assets should be performed by different employees. The unit goes on to describe that different employees should be responsible for:
- Collecting incoming funds
- Preparing cash receipts/reports
- Approving deposits
- Reconciling funds deposited
SoD failings occur when there is lack of knowledge on best practices or lack of oversight on processes. Failings can also be caused by insufficient staffing. These conflicts can then be exacerbated by poor or missing controls; for example, in the case of the AMA, having only one person rather than two authorized to approve invoice payments, or allowing just one individual to create and approve a company budget.
Risk and Risk Scenarios Guidance from ISACA
ISACA offers a guide on implementing segregation of duties based on best practices. When looking at the SoD risk and risk scenarios, ISACA provides a sample framework to properly assess risk derived from conflicting duties.
The framework uses the most widely adopted SoD model which requires separation between authorization (AUT), custody (CUS), recording (REC) and verification (VER) duties.
According to the guidelines, an effective SoD mitigates all risk deriving from the risk scenarios presented in their sample framework. However, SoD governance may also benefit from using third-party audits by a separate function (e.g., internal audit) or an external entity (e.g., external audit).
Proper Risk Management Strategy Required
Unfortunately, breakdowns in internal controls for SoD can be difficult to detect—unless you have a proper risk management strategy that considers core SoD elements such as actors, duties, risk, scope, activities, roles, systems and applications, and user profiles. Technology can play a large role in enforcing SoD controls.
For the AMA, controls (or rules) would have been established in the technology solution that required at least two people to sign off on goods and services invoices. Had the employee attempted to authorize payments on his own, the system would have alerted the appropriate stakeholder and payment could have been stopped.
Regularly reviewing vendors and payees is also another internal control that might have reduced the risk of fraud.
Alessa offers automated analysis of all data within ERP and custom applications along with the ability to implement rules to enforce internal controls, so any breaches in SoD can be more readily be detected. To learn more about how Alessa can help you, contact us.