Barbie and Ken: When Separation of Duties no Longer Works

GUEST BLOG POST
When I was working at a Big 4 audit firm, we always used to have a clause on our reports that went something like this:

“The engagement does not uncover all risks that relate from collusion between employees or with third-parties, that a more extensive review would uncover.”

This basically means that if one of your employees is called Barbie and another is called Ken, you cannot expect to uncover fraud, because all of your nice Separation of Duties controls are no longer valid. When two people are particularly close, especially when they are romantically involved, the risk of collusion rises, rendering Separation of Duties controls less effective.

Separation of Duties could be considered the most important internal control. Let’s imagine for a moment that you set up your SAP system without any Separation of Duties.

In that case, your system will be wide open to fraud opportunities. Individuals could carry out fraud from their laptops, without even moving from their chairs:

  • Head of Payroll could create a fictitious employee and start paying them salaries;
  • The Warehouse Manager could steal stock and update the physical inventory in the system;
  • The Accounts Payable Clerk could enter a few copies of the same supplier invoice and split the proceeds with the supplier;
  • The CFO could enter some extra fixed assets and have them shipped to his parallel business;
  • The IT programmer could order some video games and consoles and validate his own Travel & Expenses;
  • Head of Sales and Marketing could employ all of her friends as marketing girls and pay them for not doing anything.

The possibilities are quite endless.

Closing Separation of Duties Loopholes

Luckily, in most companies Separation of Duties is taken rather seriously—or at least the internal auditors have enough evidence to feel that it could be being taken seriously. There are of course many loopholes that management may not be aware of. So, if your company does have strong Separation of Duties then a lot of risks should be mitigated.

In most organizations, over the years, employees and third parties build up strong ties and strong relationships, some going beyond the professional. If two individuals who have become very close have a particular need for some extra income, or do not particularly like the company that they work for, they might come up with some creative ideas:

  • If Payroll and Personnel are very close, then the creation of ghost employees can become easy to do together;
  • If the Warehouse Manager is friends with the head of IT, then updates could be easily done to hide inventory leakage;
  • If the Accounts Payable Clerk is best friends with some of the suppliers, then some creative deals could be had on the side;
  • If the CFO has some relations with accounts clerks, he could get them to enter all kinds of entries, in order to hide his tracks, without his name being seen in the accounting records;
  • If the IT programmer is going out with the HR assistant, he could order lots of cool devices and software through the expense system;
  • If the Head of Sales and Marketing used to work for your promotions company, she could sign a lot of contracts with promoter girls you have never seen;
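
The two lists above correspond to two checks that can be run on system data. The following is an added example, not part of the original post: the first function flags a single user holding both sides of a conflicting duty pair, and the second flags creator/approver pairs where Separation of Duties holds on paper but the same person nearly always gives the second signature. The duty names, user names and thresholds are assumptions, and the sample data is constructed.

```python
from collections import Counter, defaultdict

# Conflicting duty pairs taken from the scenarios in the lists above.
# The duty names are hypothetical labels, not SAP authorization objects.
CONFLICTS = [
    ("create_employee", "run_payroll"),
    ("move_stock", "adjust_inventory_count"),
    ("enter_invoice", "release_payment"),
    ("submit_expense", "approve_expense"),
]

def single_user_conflicts(duties_by_user):
    """List (user, duty_a, duty_b) where one user holds both conflicting duties."""
    return [(user, a, b)
            for user, duties in sorted(duties_by_user.items())
            for a, b in CONFLICTS
            if a in duties and b in duties]

def concentrated_pairs(transactions, min_count=5, min_share=0.8):
    """Flag creators whose items are nearly always approved by the same person.

    Every counted row passes a creator != approver check, so separation of
    duties holds on paper; the signal is the lack of rotation in the approver.
    """
    per_creator = defaultdict(Counter)
    for creator, approver in transactions:
        if creator != approver:  # self-approval is a plain SoD breach, not collusion
            per_creator[creator][approver] += 1
    flagged = []
    for creator, approvers in sorted(per_creator.items()):
        total = sum(approvers.values())
        approver, count = approvers.most_common(1)[0]
        if total >= min_count and count / total >= min_share:
            flagged.append((creator, approver, count, total))
    return flagged

# Constructed sample data (not from the post).
DUTIES = {
    "payroll_head": {"create_employee", "run_payroll"},
    "ap_clerk": {"enter_invoice"},
    "it_programmer": {"submit_expense", "approve_expense"},
}
TRANSACTIONS = ([("ken", "barbie")] * 9 + [("ken", "alice")]
                + [("bob", "alice")] * 3 + [("bob", "carol")] * 3)

if __name__ == "__main__":
    print(single_user_conflicts(DUTIES))
    print(concentrated_pairs(TRANSACTIONS))
```

A flagged pair is a lead for follow-up, not evidence of fraud: a small team with a single approver produces the same pattern.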

Luckily, in most organizations, employees and third parties do become close and do make friends. This is what makes coming to work fun. Well, at least interesting!

Profiles of a Fraudster

According to KPMG, “Global profiles of the fraudster”: 65 percent of those who commit fraud are employed by the victim organization; 62 percent of fraud involved collusion; 38 percent worked for the organization for more than 6 years; and 35 percent are executive level.

It is also generally estimated that companies lose 5 percent of revenue to fraud.

So, within large organizations, those who are in high positions and have been around for a long time, who know each other well and have had time to form strong relationships, are more likely to be the clever ones who are working together to boost those miserable salaries that you are paying them, or repay the bonus you should have given them last year, at least from their perspective.

So, what can the internal auditor do? Should we be sure to always include our clause at the beginning of the audit report to limit our scope to non-collusion cases, or is there something more that we can get out of the data? Please leave your ideas in the comments section below.


Claire Worledge spent the first 10 years of her career at Deloitte, where she managed the Data Quality and Integrity team. She then set up Aufinia in 2010 and has been helping internal audit teams of large organizations use data analytics. Claire is also the author of the book Data Analytics Secrets and hosts the Tuesday Data Leaders in Internal Audit Webclass.

2 Replies to “Barbie and Ken: When Separation of Duties no Longer Works”

  1. My experience actually shows that in large companies, segregation of duty usually is good because for each transaction, there are so many people involved. So it’s almost impossible to have a collusion.
    But for small to mid-size companies, the segregation of duty issue is more serious. Lots of small to mid-size companies don’t even have a policy forbidding in-office romance, and one transaction sometimes only involves one or two functional groups, and that gives fraudsters plenty of opportunities.
    In such a situation, the internal auditor from the parent company probably has no chance to find a collusion fraud.
