Separation of Duties

A fundamental component of internal control is the separation of duties (SOD) for high-risk transactions. The underlying separation of duties concept is that no individual should be able to execute a high-risk transaction, conceal errors, or commit fraud in the normal course of their duties. You can apply separation of duties at either a transactional or an organizational level.

Layered Security Approach

The layered security approach involves having two or more layers of independent controls to reduce risk. Layered security leverages the redundancy of the layers so if one layer fails to catch the risk or threat, the next layer should. By this logic, more layers should mean better risk reduction. However, more layers can be burdensome and expensive. There needs to be a balance between cost and return in risk reduction. But in no case should there be a defensive strategy with a single layer.

The classic example of separation of duties is its application at the transactional level. If you have a high-risk transaction, or combination of transactions, you separate it between two or more individuals. For example, suppose a business sets up vendor accounts and issues checks based on the goods received. That business has three distinct processes: setting up a vendor account, receiving goods, and paying the vendor. Having one individual control all three processes may prove too big a temptation for fraud; such a person could, for example, set themselves up as a vendor and issue checks for goods that were never received. This type of fraud is reduced by assigning responsibility for these processes to separate roles.
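The vendor-payment example above can be expressed as a separation-of-duties policy and checked mechanically. The following is an added example, not code from the textbook: it treats any two of the three functions (set up vendor, receive goods, pay vendor) as a conflicting pair, then checks both role design (a role that grants a conflicting pair on its own) and user assignments (a user whose accumulated roles add up to a conflict). The role and user data, and the policy itself, are constructed for illustration.

```python
"""SoD conflict check for the vendor-payment process in the text (added example,
not from the textbook). Roles, users and the policy itself are constructed."""
from itertools import combinations

SETUP_VENDOR = "setup_vendor_account"
RECEIVE_GOODS = "receive_goods"
PAY_VENDOR = "pay_vendor"

# Hypothetical policy: no one person may hold any two of the three functions.
CONFLICTS = {frozenset(p) for p in combinations([SETUP_VENDOR, RECEIVE_GOODS, PAY_VENDOR], 2)}

# Roles grant functions; users hold one or more roles (constructed data).
ROLE_FUNCTIONS = {
    "vendor_admin": {SETUP_VENDOR},
    "warehouse_clerk": {RECEIVE_GOODS},
    "ap_clerk": {PAY_VENDOR},
    "ap_supervisor": {PAY_VENDOR, SETUP_VENDOR},  # toxic by design
}
USER_ROLES = {
    "alice": {"vendor_admin"},
    "bob": {"warehouse_clerk"},
    "carol": {"ap_clerk"},
    "dave": {"warehouse_clerk", "ap_clerk"},  # roles accumulated over time
    "erin": {"ap_supervisor"},
}

def conflicting_pairs(functions, conflicts=CONFLICTS):
    """Sorted list of conflicting function pairs found within one set of functions."""
    return sorted(tuple(sorted(p)) for p in combinations(functions, 2) if frozenset(p) in conflicts)

def effective_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted by all of a user's roles."""
    return set().union(*(role_functions.get(r, set()) for r in user_roles.get(user, ())))

def toxic_roles(role_functions=ROLE_FUNCTIONS, conflicts=CONFLICTS):
    """Design-time check: roles that grant a conflicting combination on their own."""
    found = {r: conflicting_pairs(f, conflicts) for r, f in role_functions.items()}
    return {r: pairs for r, pairs in found.items() if pairs}

def sod_violations(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS, conflicts=CONFLICTS):
    """Assignment-time check: users whose combined roles put them in conflict."""
    found = {u: conflicting_pairs(effective_functions(u, user_roles, role_functions), conflicts)
             for u in user_roles}
    return {u: pairs for u, pairs in found.items() if pairs}

if __name__ == "__main__":
    print("toxic roles:", toxic_roles())
    print("users in violation:", sod_violations())
```

Running both checks separately matters in practice: a role can be clean when designed yet a user can still end up in conflict by collecting several clean roles over time, which is what the assignment-time check catches.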

Domain of Responsibility and Accountability

Typically, separation of duties applies to transactions within a domain. It’s management’s responsibility within a domain to identify high-risk transactions and ensure adequate separation of duties. Ensuring adequate separation of duties means that you identify the opportunity for fraud within these transactions. It also means identifying the potential for human error within these transactions. Applying separation of duties can reduce both fraud and human errors.

The concept of separation of duties can also be applied across domains at an organizational level. Some organizational processes and functions come with risk; for example, ensuring that an organization complies with regulations is both vital and high risk. As in the previous transaction example, you would not have one team responsible for all three tasks of designing, implementing, and validating solutions that ensure compliance. Typically, you create an organizational separation of duties between the teams that implement compliance and the teams that validate it. Implementing an organizational separation of duties is less about fraud and more about reducing potential errors in vital processes and functions.

In the financial services sector, some organizations have adopted a three-lines-of-defense model. This risk management model is a good illustration of an organizational layered approach that creates a separation of duties. FIGURE 8-4 depicts a three-lines-of-defense model for risk management.

FIGURE 8-4 Three-lines-of-defense model.

First Line of Defense

The first line of defense is the business unit (BU). The business deals with controlling risk daily. They identify risk, assess the impact, and mitigate the risk whenever possible. The business is expected to follow policies and implement the enterprise risk management program. The BU owns the risk and develops short-term and long-term strategies. Ownership means they are directly accountable to ensure the risk is mitigated or reduced.

Second Line of Defense

The second line of defense is the enterprise risk management program. The risk management program can be made of multiple control partners (CPs), depending on the size and complexity of the organization. Operational risk management personnel and compliance personnel are examples of CPs. They are responsible for managing risk across the enterprise. They align controls and policies to ensure that the risk management program aligns with company goals. There is oversight of risk management across multiple risk committees and through various channels of risk reporting to stakeholders.

The second line is responsible for engaging the business to develop a risk strategy and gauging the risk appetite of the organization. Participants have an obligation to report to the board any material noncompliance and any risks that put the organization’s strategic goals in jeopardy. This should not be confused with the multilayered approach, which is a separate concept: on top of the layered controls, enterprise risk management provides an additional line of defense.

Third Line of Defense

The third line of defense is the independent auditor. That role provides the board and executive management with independent assurance that the risk function is designed and working well. Additionally, the auditor acts as an advisor to the first and second lines of defense in risk matters. The third line must keep its independence but also have input on risk strategies and direction.

Several views exist on how closely involved the third line of defense can be in advising leadership without losing independence. If the third line of defense advises a course of action, is he or she the right person to determine the success of that action? Many audit organizations develop rules to avoid this conflict. Views differ on whether external auditors belong in the third line of defense or actually compose a fourth line.

This model clearly demonstrates how organizational roles can be used to create a separation of duties. In this case, there are oversight, checks, and rechecks across three layers of the organization. In an ideal world, the first line of defense would self-assess and identify all the risks. It’s not realistic to expect such precision. The basic idea is that what’s not caught in the first line is caught in the second line. What the first and second lines do not catch, the third line catches. By the time you reach the third line, whatever risks still exist should not be significant and should therefore be manageable.
