As reported by CNN recently[1], the European power and robotics firm ABB has taken a pre-tax hit of 100M USD on its 2016 results because an employee took advantage of company mismanagement, more specifically a breach of its segregation of duties policies. Such schemes are becoming more common by the day. According to the National White Collar Crime Center, employee theft results in losses ranging from $20 billion to $90 billion a year, and as much as $240 billion a year or more if intellectual property theft is included[2]. The Marquet Embezzlement Reports[3] and the Association of Certified Fraud Examiners Report on Occupational Fraud and Abuse[4], which together investigated more than 1,500 cases of financial fraud, chart out clear common patterns:
- Nearly half of the victim organizations are not able to recover any of the fraud-related losses.
- Occupational frauds generally last over a period of 1.5-6 years before being detected.
- Fraud is mostly committed by internal employees, most of whom held finance, bookkeeping or accounting positions, and it most often took the form of forged or unauthorized company checks. Interestingly, very few perpetrators had a prior criminal history.
- In the reported cases, appropriate internal controls to prevent the fraud were lacking, and managers did not adequately review transactions, accounts or processes.
Even in the recent incident at ABB[1], CNN specifically pointed out that the responsible managers failed to maintain sufficient Segregation of Duties (SoD) in the treasury unit of its South Korean subsidiary and did not provide enough oversight of local treasury activities. The treasury function is one of the areas of an organization most exposed to risk, since it handles large sums of money daily, and its key operational risks are fraud and error. Errors can usually be corrected (although the cost may be high), whereas money lost to fraud is usually irretrievable.
SoD is a critical management control intended to reduce the risk of fraud and to surface errors in a timely manner: no single person should be able to both initiate a transaction and approve, confirm or settle it. Treasury in particular spans front-office activities (interfacing with internal commercial teams, pricing advice, cash management, deal entry) and back-office functions (confirmations, settlements, bank reconciliations, treasury systems, accounting and reporting), and it is the combination of a front-office and a back-office capability in one pair of hands that SoD must prevent.
A comprehensive governance framework should identify the distinct activities, decide which of them must be segregated from each other, define a contingency plan for when segregation cannot be maintained (for example, in a small team), document the procedures, implement the segregation in the systems that grant access, and have the relevant business owners verify and periodically review who holds what access. Such controls should not be restricted to finance processes but extended to other business processes. Without such a system in place, an enterprise not only risks failing to meet regulatory and compliance requirements, it also risks losing shareholder value and market confidence.
THE BOTTOM LINE
Analyzing risks and monitoring controls within business-critical applications is a challenge for most organizations. The use of manual, spreadsheet-based or consultant-driven SoD risk analysis and remediation techniques can be expensive, inefficient and complicated without the proper use of automation. Furthermore, there is an incremental cost of external auditors needing to validate and retest the systems. When such processes become too labor-intensive and expensive to satisfy an organization’s requirements, strong access governance tools must be used to automate the processes to provide more comprehensive coverage of risks, produce more timely reporting, and enforce preventive controls.
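The two things an automated SoD tool does that a spreadsheet review does badly are the detective check (which users, through which combination of roles, currently hold both sides of a conflict) and the preventive check (would granting this role create a new conflict). The following is an added example written for this page, not Saviynt code or any ERP vendor's logic; the rule set, role definitions, users and function names are constructed to resemble the treasury and payables functions discussed above.

```python
"""Minimal segregation-of-duties (SoD) checker: detective and preventive controls.

Constructed example for illustration. Rule ids (TR-xx), role names, function
names and user assignments are all assumptions, not any product's real data.
"""

# SoD rules: pairs of business functions one person must never hold together.
SOD_RULES = {
    "TR-01": ("create_vendor", "approve_payment"),  # set up a payee and pay it
    "TR-02": ("enter_deal", "confirm_deal"),        # front office vs back office
    "TR-03": ("initiate_wire", "release_wire"),     # maker vs checker on payments
    "TR-04": ("post_journal", "reconcile_bank"),    # hide a posting from the reconciliation
}

# Roles as the set of functions each one actually grants in the application.
ROLES = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "TREASURY_FRONT": {"enter_deal", "initiate_wire"},
    "TREASURY_BACK": {"confirm_deal", "release_wire", "reconcile_bank"},
    "GL_ACCOUNTANT": {"post_journal"},
    # A legacy "do everything" role: conflicts with itself, see toxic_roles().
    "TREASURY_ALL": {"enter_deal", "confirm_deal", "initiate_wire", "release_wire"},
}

# Constructed user-to-role assignments as exported from the ERP.
USERS = {
    "alice": ["AP_CLERK", "AP_MANAGER"],          # creates vendors and approves payments
    "bob": ["TREASURY_FRONT", "TREASURY_BACK"],   # enters and confirms own deals and wires
    "carol": ["TREASURY_BACK", "GL_ACCOUNTANT"],  # posts journals and reconciles the bank
    "dave": ["AP_CLERK"],                         # no conflict
}


def functions_for(user_roles, roles=ROLES):
    """Flatten a user's roles into the set of functions they can perform."""
    funcs = set()
    for role in user_roles:
        funcs |= roles[role]
    return funcs


def find_violations(assignments, rules=SOD_RULES, roles=ROLES):
    """Detective control: every (user, rule_id, roles_granting_a, roles_granting_b)
    where the user's combined roles cover both sides of a rule. Naming the roles
    on each side tells the reviewer what to remove, not just that there is a hit."""
    findings = []
    for user, user_roles in assignments.items():
        for rule_id, (a, b) in rules.items():
            roles_a = tuple(sorted(r for r in user_roles if a in roles[r]))
            roles_b = tuple(sorted(r for r in user_roles if b in roles[r]))
            if roles_a and roles_b:
                findings.append((user, rule_id, roles_a, roles_b))
    return sorted(findings)


def can_assign(user_roles, new_role, rules=SOD_RULES, roles=ROLES):
    """Preventive control: rule ids that granting new_role would newly violate,
    given the roles already held. Empty list means the request can proceed.
    Pre-existing violations that the new role does not touch are not reported;
    those belong to the detective review, not to this request."""
    combined = functions_for(user_roles, roles) | roles[new_role]
    added = roles[new_role]
    conflicts = [
        rule_id
        for rule_id, (a, b) in rules.items()
        if a in combined and b in combined and (a in added or b in added)
    ]
    return sorted(conflicts)


def toxic_roles(rules=SOD_RULES, roles=ROLES):
    """Roles that violate a rule on their own; assigning them to anyone is a hit."""
    bad = {
        role
        for role, funcs in roles.items()
        for a, b in rules.values()
        if a in funcs and b in funcs
    }
    return sorted(bad)


if __name__ == "__main__":
    print("Roles that conflict with themselves:", toxic_roles())
    for user, rule_id, side_a, side_b in find_violations(USERS):
        a, b = SOD_RULES[rule_id]
        print(f"{user}: {rule_id} {a} via {side_a} + {b} via {side_b}")
    print("Grant AP_MANAGER to dave?", can_assign(USERS["dave"], "AP_MANAGER") or "ok")
```

The detective check is what an access review runs over a full export of assignments; the preventive check is what an access-request workflow calls before provisioning. Both work at the function level rather than the role level, because a conflict usually arises from two individually harmless roles held by the same person (bob's front-office and back-office roles), which a spreadsheet of role names alone will not reveal.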
How can Saviynt help?
Saviynt's Application GRC solution not only simplifies risk management but also automates the manual processes. In the recently published Gartner[5] report on SoD controls monitoring, Saviynt scored 6 out of 6 for completeness of capabilities. Saviynt provides this solution for all the leading financial management platforms, including SAP, Oracle (EBS and Cloud ERP), Workday, PeopleSoft, JD Edwards and NetSuite. Watch this video to learn more about our solution.