It is a well-known fact that one of the main causes of fraud within an organisation is poor segregation of duties. The purpose of adequate segregation of duties is to prevent any single individual from completing all the necessary steps in a transaction, thereby reducing the risk of fraudulent transactions occurring.

Many organisations believe that they have implemented adequate segregation of duties because separate individuals perform the different tasks in a business process. But does it follow that segregation of duties has been successfully implemented in that business process? No, it does not. Organisations have moved to managing their operations with ERP systems, ranging from small to highly complex. Whilst these ERP systems are meant to increase business productivity and operational efficiency, they carry a potential downside, which lies in the access granted to the employees of the business.

Employees have to be granted access to a set of transaction codes within an ERP system in order to perform their system-based job functions. It is within this list of transactions that the business's potential vulnerabilities lie.

Transaction codes are grouped into particular roles or profiles. Over time these roles or profiles are amended to add and remove transaction codes, to the point where they no longer resemble their original form. Users are also often granted more than one role or profile. Access profiles are copied from one user to another instead of a separate role being customised for that user's job function. Often the system administrator and/or business process owner will grant an individual access to a role within the ERP system without paying attention to the fact that the individual should not have access to half of the transaction codes contained in that role. The result is a user whose access profile has segregation of duties conflicts between its transaction codes. For example, an accounts payable clerk whose job function requires them to process supplier invoices also has access to the vendor master file on the system and can make changes to it. This is a segregation of duties conflict that would not be picked up without carefully analysing the user's access profile and every transaction code to which the user has access.
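The analysis described above, that is, resolving each user's effective set of transaction codes across every role they hold and testing that set against a list of incompatible pairs, can be automated. The following is an added example written for this article, not a tool or code from the author or from any ERP vendor; the role names, transaction codes, user assignments and conflict rules are constructed for illustration and stand in for whatever the real system exports.

```python
"""Detect segregation-of-duties (SoD) conflicts in users' effective ERP access.

Constructed example: the role names, transaction codes, user assignments and
SoD rules below are made up for illustration and are not a real ERP's codes.
A real review would load ROLES and USER_ROLES from the ERP's role/user export.
"""

# Constructed role definitions: role -> transaction codes the role grants.
ROLES = {
    "AP_INVOICE_PROCESSING": {"AP_INVOICE_ENTER", "AP_INVOICE_PARK", "AP_INVOICE_DISPLAY"},
    "VENDOR_MASTER_MAINTENANCE": {"VENDOR_CREATE", "VENDOR_CHANGE", "VENDOR_DISPLAY"},
    "PAYMENT_PROCESSING": {"PAYMENT_RUN", "PAYMENT_PROPOSAL_DISPLAY"},
    "PURCHASING": {"PO_CREATE", "PO_CHANGE", "PO_DISPLAY"},
    "REPORTING": {"AP_INVOICE_DISPLAY", "VENDOR_DISPLAY", "PO_DISPLAY"},
}

# Constructed user -> assigned roles. Users commonly hold several roles,
# and a copied profile (ap_clerk_03) accumulates codes nobody reviewed.
USER_ROLES = {
    "ap_clerk_01": ["AP_INVOICE_PROCESSING", "REPORTING"],
    "ap_clerk_02": ["AP_INVOICE_PROCESSING", "VENDOR_MASTER_MAINTENANCE"],
    "ap_clerk_03": ["AP_INVOICE_PROCESSING", "VENDOR_MASTER_MAINTENANCE", "PAYMENT_PROCESSING"],
    "buyer_01": ["PURCHASING", "REPORTING"],
}

# SoD rules: a user holding any code from `left` AND any code from `right`
# can perform incompatible steps of one transaction alone. Display-only
# codes are deliberately not in any rule; the conflict is in the ability to change.
SOD_RULES = [
    ("Create/change a vendor and post invoices to it",
     {"VENDOR_CREATE", "VENDOR_CHANGE"}, {"AP_INVOICE_ENTER", "AP_INVOICE_PARK"}),
    ("Post a vendor invoice and release the payment run",
     {"AP_INVOICE_ENTER", "AP_INVOICE_PARK"}, {"PAYMENT_RUN"}),
    ("Create/change a vendor and release the payment run",
     {"VENDOR_CREATE", "VENDOR_CHANGE"}, {"PAYMENT_RUN"}),
    ("Create a purchase order and post the invoice against it",
     {"PO_CREATE", "PO_CHANGE"}, {"AP_INVOICE_ENTER", "AP_INVOICE_PARK"}),
]


def effective_access(user):
    """Map every transaction code the user can execute to the roles granting it.

    The union across all assigned roles is what matters: two roles that are each
    clean in isolation can combine into a conflict, so checking roles one at a
    time is not enough.
    """
    access = {}
    for role in USER_ROLES.get(user, []):
        for tcode in ROLES.get(role, set()):
            access.setdefault(tcode, set()).add(role)
    return access


def find_conflicts(user):
    """Return one finding per violated rule, naming the offending codes and roles."""
    access = effective_access(user)
    held = set(access)
    findings = []
    for description, left, right in SOD_RULES:
        hit_left, hit_right = left & held, right & held
        if hit_left and hit_right:
            codes = hit_left | hit_right
            findings.append({
                "user": user,
                "rule": description,
                "codes": sorted(codes),
                # Which roles brought the conflicting codes in: this is what the
                # business process owner has to fix (split or re-assign a role).
                "roles": sorted(set().union(*(access[c] for c in codes))),
            })
    return findings


def review_all_users():
    """Run the check across the user base; returns {user: [findings]} for users with conflicts."""
    report = {}
    for user in USER_ROLES:
        findings = find_conflicts(user)
        if findings:
            report[user] = findings
    return report


if __name__ == "__main__":
    for user, findings in review_all_users().items():
        for f in findings:
            print(f"{user}: {f['rule']} via roles {', '.join(f['roles'])} "
                  f"(codes: {', '.join(f['codes'])})")
```

In this constructed data ap_clerk_01 and buyer_01 come back clean, ap_clerk_02 trips the vendor-master/invoice rule from the article's own example, and ap_clerk_03, whose profile gained a payment role on top of a copied one, trips three rules. Reporting the roles behind each finding, rather than only the codes, points the process owner at the role that needs to be split or withdrawn.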

Business process owners need to be more cognisant of the access they grant to their employees. Failing to consider segregation of duties conflicts each time access is granted may leave a single individual able to perform all the steps needed to complete a fraudulent transaction without management being aware.

Thilen Pillay

Internal Audit Supervisor, Johannesburg