Segregation of duties – the key to internal control

Author

Harold Teasdale

7 min read

Segregation of duties – the key to internal control

Author

Harold Teasdale

Segregation of duties – sounds tedious? Probably. But to be honest, this access control principle is key to your cyber safety and to stabil workflows within your IT stack. Why? Let us show you why. 

Did you know that the most fraud-prone departments in a company are accounting and IT? 

And did you know that 42% of all fraud is caused by a lack of internal control?
segregation of duties

Oh, and just for your information:

  • 71.1 million people become victims of cybercrime every year
  • The top 5 cyber crimes in 2021 were:
    • Extortion
    • Identity theft
    • Personal data breach
    • Non-payment
    • Phishing attacks
  • On average, businesses needed 50 days to resolve an internal cyber attack and 23 days to recover from a ransomware attack.
  • On average, a malware attack costs a company over $2.5 million (including the time needed to resolve the attack).

We could go on with this list forever, but probably the above info is enough to show you that internal control is absolutely essential to keep your business and your data safe.

You might be worried now – and you should be

After reading some of the parts of the annual cyber security statistics, you inevitably might ask yourself: How can I avoid this for myself and my enterprise? How can I defend my company’s data from phishing attacks and other cyber security threats? How can I ensure that security is guaranteed through internal control?

Fortunately, we don’t have only bad news for you, quite the contrary. There are several ways to gain internal control. On the one hand, there are numerous, so-called security principles that help you to identify and eliminate risks and to optimize or make the procedures and processes in the workflow more secure. This is usually done through conscious and targeted (automated) access management, taking into account and optimizing the above-mentioned security principles. 

Access Control Principles – your keys to internal control 

Protecting one’s own data and resources against unauthorized disclosure and unauthorized changes is one of the most important tasks in the field of cyber security. The only problem is that wherever information is managed, there might be a high risk of security vulnerabilities to arise. Especially in these times of technical progress, the density of cyber security related problems grows daily. The internet and computers determine our everyday life, both in the private and in the business area, and this involves a lot of risks. 

The damage that can be caused by these risks is getting bigger and bigger. Ransomware for example is 57x more destructive in 2021 than it was in 2015. Cyber crime costs make up a value worth 1% of the Global GDP. This is huge! 

But we don’t want to dive into the negative aspects again, instead we want to show you how security principles like segregation of duties can avoid internal security gaps (and therefore lost money and data, too).

Here are some of the most common Cyber Security Principles and how they secure your workflows, data and business accesses: 

Fine- and coarse-specifications

meaning: 

  • Coarse: Employees can open a door.
  • Fine: Employees based in the UK can open or close a door during working hours.
  • Finer: Employees in the IT department and based in the UK can open or close a door during working hours if they are assigned to an active project.

Policies and exceptions

 

meaning: 

  • A policy exception is a method for maintaining a policy but allowing an individual or entity to circumvent one or more restrictions. For example, your organization may have a certain information security policy in place that a vendor is unable to meet.

Least privilege principle 

meaning: 

  • Only the minimum necessary rights should be assigned to a subject that requests access to a resource and should be in effect for the shortest duration necessary.

You can find out more about this important access control principle in this article

Segregation of Duties 

meaning: 

  • SoD policies are the processes, guidelines and/or rules that an organization has created to make sure security controls are in place while also balancing operational efficiencies and costs.

Segregation of Duties – Examples 

One of the best-known principles of segregation of duties is the dual control principle. For example, one employee should not be able to both submit and approve purchase orders at the same time. SoD principles dictate that such processes must be shared among multiple people within an organization. For high-risk processes, a process may even require multiple approval steps.

We would like to show you the importance of the segregation of duties principle with a few examples, so that you can clearly see how much more secure and controlled you can manage access and permissions and thus avoid cyberattacks and other internal risks.

Without SoD With SoD
Employees may be able to fraudulently transfer funds to themselves. Employees cannot request their own refunds or fill their own orders.
Employees who control their own work may not recognize errors or could exploit (even unknowingly) non-compliant access. Project managers are required to review and sign off on the work or documentation completed by their teams.
An employee could order goods for themselves when ordering and cover it up. Inventory ordering must be the responsibility of employees other than those who inspect and enter received goods into inventory systems.
A friend of a staff member may be given hiring preference. Human resources departments are not allowed to set salary levels.

Based on these examples, it is easy to see how important the separation and segregation of duties and functions actually is and in how many different areas it makes sense to pay close attention to roles and the distribution of tasks and authorizations. Applying the principle of segregation brings your company numerous advantages.

All the reasons to have SoDs

As we already demonstrated, SoD can help you prevent internal fraud and general cyber risks. 

But let’s dive into some specific goals and benefits you can reach when applying the Principle of Segregation within your IT stack and business workflows!

Guaranteed Benefits

  1. Clear roles and responsibilities

Task separation, authority and exceptions can be clearly regulated and defined for each individual role or employee. Transparency and clarity with regard to individual tasks immediately will have a positive impact on both staff and the quality of the day-to-day work, not to mention the fact that countless security gaps will be closed.

  1. Avoidance of conflicts of interest

Policies on the basis of SoD establish procedures, measures, documentation requirements and responsibilities for identifying and avoiding conflicts of interest. 

These procedures, requirements and responsibilities could be implemented to:

  • transfer conflicting tasks or transactions to different people
  • prevent employees who also work outside the enterprise from exerting undue influence within the enterprise with respect to these other activities
  • prevent members of the management body from holding management or supervisory positions in competing institutions
  • make remote working and home office work more safe
  1. Reduction of data breaches

The General Data Protection Regulation (GDPR) contains far-reaching regulations regarding data collection, storage and access. In the future, SoD policy will need to go beyond the question of who is performing what part of a process. Compliance requires enforcing that users only have appropriate access to data in your organization’s file system.

Requirements for IT compliance that can be achieved with the help of the segregation of duties principle are:

  • pseudonymization and encryption of personal data;
  • ability to ensure the confidentiality, integrity, availability and resilience of the systems and services related to the processing on an ongoing basis;
  • ability to rapidly restore the availability of and access to personal data in the event of a physical or technical incident.
  1. Protection against fraud and manipulation 

Building up a SoD setting and matrix and integrating the principle into your Access Management processes, you’ll be finally able to: 

  • discover potential accounting fraud
  • evaluate internal controls
  • financially safeguard your business
  • rebuild compromised systems.
  1. Cost and effort optimization

Remember the data from the cyber security statistics? How much it can cost a company if it fails to recognize internal risks and thus jeopardizes its data security? With the segregation of duties principle, it becomes possible for the company to close financially sensitive security gaps and avoid expensive damages.

The same applies to workload and benefits: Clearly defined roles and responsibilities, which can be controlled and regulated with the help of an automated access management tool, such as TheFence, allow you and all affected employees to really concentrate on their work and avoid labor-intensive errors in security.

If you’re curious about how much money you could potentially save, check out our calculator!

In summary:

Internal control separates incompatible responsibilities to close potential gaps and minimize human error. Protection against extortion or data misuse are important aspects to protect employees in key positions or those who handle sensitive data. 

Internal control means also control over your financial budget, workload, risks and optimization. With the segregation of duties not only will your accesses and money be safe, but your enterprise will be finally able to thrive, just as it should be.

A match made in cyber heaven: Segregation of duties and Access Management

After we showed you numerous advantages of SoD, you may be wondering how you can best manage to apply it yourself in your company. Nowadays, there are numerous technological possibilities for this. Audits, reporting and authorities can be easily managed using access management tools, in addition to defining, controlling and minimizing security risks.

The introduction of Role-Based Access Control (RBAC) through Identity and Access Management (IAM) is the foundation of many SoD processes. Roles can be defined according to department or function. RBAC ensures that users only have access to the resources their role requires – no more, no less.

IAM systems also create audit trails by logging any user activity. IT administrators can use these audit trails to demonstrate compliance at the touch of a button. In addition, audit trails help identify and fix gaps within the RBAC structure.

Many of those IAM systems do also operate with an employee self-service platform for request and approval workflows. With such a platform, users can request their additional access requirements. Their requests are then routed to one or more responsible parties for approval.

TheFence and the segregation of duties 

—-

Read more about access control principles here.

More information on the segregation of duties: https://csrc.nist.gov/glossary/term/separation_of_duty

7 min read

Share this post:

Scroll to Top