Millions Lost Due to Segregation of Duties Failings
August 12, 2016
The Alberta Motor Association (AMA) has filed a large-scale lawsuit against its former vice-president of information technology (IT) after it discovered he allegedly defrauded the company of $8.2 million over a period of three years, making it one of the top five most costly cases of fraud to hit the province in 20 years.
In what appears to be an absence of segregation of duties (SoD), the employee was the only individual with authority to approve payments for goods and services invoices for the AMA’s IT department.
The AMA alleges that the worker devised a fraud scheme whereby he created false invoices for amounts ranging from $30,000 to $450,000 USD. The scheme also involved funds being transferred electronically to banks in the U.S.
Segregation of Duties Failure in Edmonton
Following on the heels of the civil lawsuit, the Edmonton police have also begun a criminal investigation into the matter, which comes 14 years after one of the biggest cases of bank fraud in Canada’s history.
In that case, an Edmonton banker was found to have stolen almost $16 million from the branch of a bank he managed by falsifying loans to non-existent customers. It was yet another case where appropriate SoD would have been beneficial.
The banker went on to plead guilty to 63 counts of fraud over $5,000 and was sentenced to more than seven years in prison. Just over $7 million of the funds were recouped by a court-appointed receiver.
Push for Stronger Segregation of Duties Policies
In the case of the fraud scheme that impacted the AMA, stronger SoD will be required to avoid this type of fraud going forward. Segregation of duties is an essential internal control that helps deter fraudsters by reducing the number of opportunities for abuse.
SoD conflicts can be caused by insufficient staffing, which makes it difficult to segregate duties appropriately because there are simply not enough employees.
These conflicts can then be exacerbated by poor or missing controls; for example, in the case of the AMA, having only one person rather than two authorized to approve invoice payments, or allowing just one individual to create and approve a company budget.
Unfortunately, breakdowns in internal controls for SoD can be difficult to detect—unless you have a solution that takes a holistic approach to monitoring SoD.
CaseWare RCM offers around-the-clock automated analysis of all data within ERP and custom applications, so any breaches in SoD are detected quickly.
For the AMA, controls requiring at least two people to sign off on goods and services invoices would have been established in the solution. Had the employee attempted to authorize payments on his own, the system would have alerted the appropriate stakeholder and payment could have been stopped.