Fraud, both internal and external, is a big issue for corporate and public sector organisations. So much so that in a poll carried out last year, Chief Financial Officers (CFOs) and Finance Directors named cyber-security and fraud prevention as two of the top five issues on their agendas. This is because fraud can potentially do more damage to your bottom line than any social media faux pas or customer complaint.
But there’s a solution which makes it easier to spot anomalies in financial processes, helping prevent fraud: Segregation of Duties. So, what is segregation of duties and how does it work?
The ever-present risks
The risk of fraud constantly looms over board-members. One of the most pressing issues is invoice fraud, where an employee is innocently duped into paying the wrong amount or sending money to an incorrect bank account. The numbers indicate that in the first half of 2018, an average of £17,200 was stolen from British businesses via invoice fraud, showing how serious the issue has become.
Employee payments fraud is another nightmare that CFOs and Finance Directors have to contend with. And the problem is only getting worse. There’s data to show that business losses from employee fraud doubled between 2017 and 2018, jumping from £50,000 on average to £62,000.
Luckily, there are a range of security tools and processes designed to tackle this problem. One is multi-factor authentication, which requires users to offer another form of authentication at the point of login besides username and password, adding an extra layer of security to your payments and cash management processes. Another is segregation of duties, which looks to implement extra checks and balances on payments processes so no one has the power to green-light transactions alone.
Segregation of duties in payments processing
So, what is the principle of ‘segregation of duties’? It’s a framework used to assign different roles to different members of the team, with the goal of making sure that all an organisation’s checks and balances for both data entry and data approval are adhered to. In the case of payments, they act to make sure that one person doesn’t have the ability to make a payment from beginning to end.
This involves giving tasks which might reasonably be done by one person to multiple employees, so no one person is solely in control of financial processes. This means that the staff member who enters the data is never the person who approves the data, or executes a payment as a result.
This versatile principle, typically enforced across finance and treasury departments via specialist software systems, offers greater control across your payments processes. You can assign different roles in your chosen payments application/online banking portal, as well as within your enterprise resource planning (ERP) software. In the latter case, this means the person responsible for adding new suppliers to your accounting system would not be the one who approves invoices or generates ‘payment files’.
How does this actually work?
That’s a bit abstract, so let’s flesh out our understanding of segregation of duties by looking at how it would apply to Accounts Payable (AP). This department often processes large volumes of electronic payments (e.g. Bacs, Faster Payments etc.), so the stakes are significant, creating a high risk of both internal and external fraud. Also, AP teams are actually quite susceptible to some of the most common types of business fraud including internal scams like invoice redirection, CEO fraud and whaling, as well as external ones like cyber-hacks.
Say your AP department is paying a large supplier bill. How would segregation of duties work here? Essentially, two people would have access to the invoice. One would be in charge of creating the payment, while the other would be given the task of approving and sending. The first would be barred from carrying out the second person’s role and vice versa, making sure that the second pair of eyes reviews the payment before it’s sent, so there’s less room for fraud.
Depending on the size of your organisation, segregation of duties can involve more than two people. For a large organisation, there might be four involved – one for invoice data entry, one for invoice approval, one for data entry in the payments application (uploading the file) and one for approving and sending the said file. It’s worth mentioning that there would be segregation of visibility (more on that later), between the two systems involved here – ERPs and payments applications.
When things go wrong: A case study
Those of you who remain unconvinced may be wondering whether it’s necessary to implement segregation of duties. Yes, it is. Just look at what happens when you don’t. To prove our point, let us regale you with the story of a Prescot-based home appliance factory.
The firm behind this factory hit headlines in the likes of the Liverpool Echo, when it emerged that 67-year-old staff member Shelagh Smith had embezzled £2.8 million. This devious employee worked for the company for over 35 years, becoming a purchase ledger supervisor in 1985. In 2010, accountants discovered that Shelagh had been creating fake bank statements and false payments to suppliers to steal this money from the company’s accounts, moving it into her own, dating back as far as 2005.
Shelagh was taken to court and ordered to pay back the money, but the damage to the firm’s reputation was already done. If only they’d implemented a process to make sure Shelagh couldn’t compile, approve and send payments all by herself, things could have been very different.
Read more tales like this in The Little Book of Payment Horrors
Duties vs. visibility
To fully understand segregation of duties, we need to explore segregation of visibility too. This is a mechanism used to make sure no one person can see all the information involved in payment processes and/or payment files. The rationale behind this idea is that the more you know, the easier it is for you to exploit financial processes. Teamed with segregation of duties, you can use this to both control who sees what information, and how your team uses said info to process payments.
Let’s turn back to the AP example. If an employee is responsible for AP, then with segregation of visibility they would be restricted from being able to view other payment data such as Payroll and Accounts Receivable (AR). You could also deploy segregation of visibility on a deeper level, to prevent employees who have access to your ERP from accessing your payment application.
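To make the four-role AP flow and the visibility rule concrete, here is an added example that is not code from the original article or from AccessPay: a small Python model of a payments workflow in which each step must be performed by a different person, steps must happen in order, and a user can only touch a payment whose ledger and system they are allowed to see. The step names, role pairs, sample users (alice, bob, carol, dave, eve, frank) and the invoice INV-1001 are all constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Step(Enum):
    ENTER_INVOICE = "enter invoice (ERP)"
    APPROVE_INVOICE = "approve invoice (ERP)"
    UPLOAD_PAYMENT_FILE = "upload payment file (payments app)"
    RELEASE_PAYMENT = "approve and send file (payments app)"


# The four-person flow from the text, in the order it must happen.
WORKFLOW = [Step.ENTER_INVOICE, Step.APPROVE_INVOICE,
            Step.UPLOAD_PAYMENT_FILE, Step.RELEASE_PAYMENT]

# Role pairs that must never be held by one user (entry + approval of the same artefact).
CONFLICTING = {
    frozenset({Step.ENTER_INVOICE, Step.APPROVE_INVOICE}),
    frozenset({Step.UPLOAD_PAYMENT_FILE, Step.RELEASE_PAYMENT}),
}

# Which system each step lives in; used for segregation of visibility.
SYSTEM_OF = {Step.ENTER_INVOICE: "ERP", Step.APPROVE_INVOICE: "ERP",
             Step.UPLOAD_PAYMENT_FILE: "PAYMENTS_APP", Step.RELEASE_PAYMENT: "PAYMENTS_APP"}


class SoDViolation(Exception):
    """Raised when a duties rule (role, order, or same-person-twice) is broken."""


class VisibilityViolation(Exception):
    """Raised when a user may not see the ledger or system a step belongs to."""


@dataclass(frozen=True)
class User:
    name: str
    steps: frozenset    # workflow steps this user may perform
    ledgers: frozenset  # ledgers this user may see: "AP", "AR", "PAYROLL"
    systems: frozenset  # systems this user may log in to: "ERP", "PAYMENTS_APP"


@dataclass
class Payment:
    ref: str
    ledger: str
    amount: float
    history: list = field(default_factory=list)  # (Step, user name), in order


def can_view(user, payment, system):
    return payment.ledger in user.ledgers and system in user.systems


def perform(user, step, payment):
    """Apply one step to a payment, enforcing visibility first, then duties."""
    if not can_view(user, payment, SYSTEM_OF[step]):
        raise VisibilityViolation(f"{user.name} may not see {payment.ref} in {SYSTEM_OF[step]}")
    if step not in user.steps:
        raise SoDViolation(f"{user.name} is not permitted to {step.value}")
    if len(payment.history) >= len(WORKFLOW):
        raise SoDViolation(f"{payment.ref} has already been released")
    expected = WORKFLOW[len(payment.history)]
    if step is not expected:
        raise SoDViolation(f"{payment.ref}: expected '{expected.value}', got '{step.value}'")
    # Core segregation rule: nobody acts on the same payment twice.
    if any(who == user.name for _, who in payment.history):
        raise SoDViolation(f"{user.name} has already acted on {payment.ref}")
    payment.history.append((step, user.name))
    return payment


def is_released(payment):
    """True once all four steps have been completed, each by a different person."""
    return [s for s, _ in payment.history] == WORKFLOW


def toxic_assignments(users):
    """Static check of the role configuration: users holding a conflicting pair."""
    return sorted(u.name for u in users if any(pair <= u.steps for pair in CONFLICTING))


# Constructed sample users. eve is deliberately misconfigured with a conflicting pair;
# frank can only see the payroll ledger.
ALICE = User("alice", frozenset({Step.ENTER_INVOICE}), frozenset({"AP"}), frozenset({"ERP"}))
BOB = User("bob", frozenset({Step.APPROVE_INVOICE}), frozenset({"AP"}), frozenset({"ERP"}))
CAROL = User("carol", frozenset({Step.UPLOAD_PAYMENT_FILE}), frozenset({"AP"}), frozenset({"PAYMENTS_APP"}))
DAVE = User("dave", frozenset({Step.RELEASE_PAYMENT}), frozenset({"AP"}), frozenset({"PAYMENTS_APP"}))
EVE = User("eve", frozenset({Step.ENTER_INVOICE, Step.APPROVE_INVOICE}), frozenset({"AP"}), frozenset({"ERP"}))
FRANK = User("frank", frozenset({Step.APPROVE_INVOICE}), frozenset({"PAYROLL"}), frozenset({"ERP"}))
ALL_USERS = [ALICE, BOB, CAROL, DAVE, EVE, FRANK]


def run_clean_flow():
    """Walk a constructed AP invoice through all four hands and return it."""
    p = Payment("INV-1001", "AP", 12500.0)
    for user, step in zip([ALICE, BOB, CAROL, DAVE], WORKFLOW):
        perform(user, step, p)
    return p


if __name__ == "__main__":
    print("released:", is_released(run_clean_flow()))
    print("users with conflicting roles:", toxic_assignments(ALL_USERS))
```

The `toxic_assignments` check is the part worth running before anything else: it audits the role configuration itself, so a user like eve who could both enter and approve an invoice is flagged before any payment is processed, rather than being caught only when she tries to act twice on the same record.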
Solution: Enhanced workflows
Next question. How can you implement segregation of duties? There’s the manual approach – e.g. where you’d require paper invoices to be physically signed off by management before they can be approved – but this is riddled with issues. It’s labour intensive and there’s also the potential for abuse. This is because individuals still have significant control over who can compile and send payments, so there’s the potential for them to game the system.
An alternative is to deploy enhanced workflows from AccessPay. This solution keeps you in control of payment processes, so you can implement segregation of duties by using approvals to determine which users can see and perform key tasks in the payments lifecycle. Enhanced workflows offer role-based permissions to enforce robust rules and controls for payment processes, as well as multiple stages of authorisation and instant alerts. So, if there are questionable payments you’ll know straight away and can stop them going through.
Our enhanced workflows solution promotes flexibility above all else, enhancing the versatility of your payments processes. It offers configurable workflows, allowing you to adapt them easily to suit changes in the business. Also, it integrates seamlessly with your back-end systems including ERPs and treasury management systems (TMS), allowing you to upload files manually or automatically with minimal fuss and no upgrade costs.
How to do things right: Stena Line
If you want to determine the effectiveness of these approvals mechanisms, read about AccessPay success story Stena Line. As one of the world’s largest ferry operators, who handle vast sums of money daily, it was imperative for Stena Line to have complete visibility and control of their global AP, AR and Payroll operations, along with their Direct Debit collections in the UK.
AccessPay gave Stena Line the ability to submit high volumes of payments quickly and securely. We assigned user roles with submission approval levels, to make sure that no payments are submitted by Stena Line without a second or third pair of eyes signing off on them. There’s no such thing as a foolproof solution, but here at AccessPay HQ, we can provide you with the same high level of payments security as we did for Stena Line, so payments fraud becomes a thing of the past.
Get in touch now to learn more about enhanced workflows here at AccessPay.