Column

Continuous Occupational Fraud Cases... Thorough Implementation of 'Segregation of Duties' to Reduce Potential Risk


Seonghoon Moon, Finance & Accounting Planning Team, HMC

Since the External Audit Act was revised in 2019 and the audit of "Internal Control over Financial Reporting (ICFR)" became mandatory, many public companies and financial services entities in Korea have been making special efforts to strengthen their internal processes and to prevent various types of fraudulent activities. Nevertheless, there has been a flood of news reports about occupational fraud incidents, including the Osstem Implant embezzlement case in Jan 2022 (188 billion won, equivalent to 158 million USD) and the NH Nonghyup Bank embezzlement case in March 2024 (11 billion won, equivalent to 8.2 million USD).

Academia has proposed not only strengthening the accountability of executives to prevent various types of fraud schemes, but also implementing "certification for high-risk task employees" to detect fraud risks in a timely manner. Although specific procedures or guidelines for such certification have not been published, there is a growing sense that even stricter standards should be applied to minimize all types of occupational fraud schemes.

As stricter standards are applied to employees, there is a basic principle that needs more practical implementation: "Segregation of Duties (SOD)", which mandates separation between individuals performing incompatible duties. One of the major causes identified in recent fraud cases is the "abuse of authority in the absence of proper job separation." When authority or access is excessively concentrated in one person, it is easier to exploit opportunities for fraud schemes. The basic concept underlying SOD is that no employee or group should be in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties. The principal incompatible duties to be separated are: authorization or approval of related transactions affecting the assets, custody of assets, recording or reporting of related transactions, and verification of the relevant transactions.


Segregation of Duties is one of the measures that prevent misconduct by dividing responsibilities among individuals and promoting checks and balances. For example, there are many SOD implementations in the payment process and the purchasing process.

In the payment process, the following tasks should be separated:

- The same person should not perform bank reconciliation and vendor payments.

- The same person should not manage the vendor master and vendor payments.

- The same person should not post and approve payment journal entries, etc.

In the purchasing process, the following tasks should be separated:

- The same person should not purchase an order and approve an order.

- The same person should not request a purchase order and place a purchase order.

- A purchase order cannot be placed before a purchase request, etc.
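The payment and purchasing rules above can be checked mechanically against role assignments and purchase-order records. The following Python code is an added example, not part of the original column; the duty labels, user names and records are constructed for illustration, and "purchase an order" is read here as placing the order.

```python
from datetime import datetime

# Incompatible duty pairs from the two lists above; the duty labels are
# hypothetical names chosen for this example.
INCOMPATIBLE = [
    ("bank_reconciliation", "vendor_payment"),
    ("vendor_master", "vendor_payment"),
    ("post_journal", "approve_journal"),
    ("place_po", "approve_po"),
    ("request_po", "place_po"),
]

def entitlement_conflicts(assignments):
    """Return sorted (user, duty_a, duty_b) for users holding both duties of a pair."""
    found = []
    for user, duties in assignments.items():
        for a, b in INCOMPATIBLE:
            if a in duties and b in duties:
                found.append((user, a, b))
    return sorted(found)

def po_violations(events):
    """Per purchase order: same actor on incompatible steps, or placed before request."""
    by_po = {}
    for po, step, user, ts in events:
        by_po.setdefault(po, {})[step] = (user, datetime.fromisoformat(ts))
    found = []
    for po, steps in sorted(by_po.items()):
        for a, b in INCOMPATIBLE:
            if a in steps and b in steps and steps[a][0] == steps[b][0]:
                found.append((po, f"same person did {a} and {b}"))
        req, placed = steps.get("request_po"), steps.get("place_po")
        if placed and (req is None or placed[1] < req[1]):
            found.append((po, "placed before purchase request"))
    return found

# Constructed sample data (not from the article).
ASSIGNMENTS = {
    "kim": {"vendor_master", "vendor_payment"},
    "lee": {"post_journal"},
    "park": {"approve_journal", "bank_reconciliation"},
}
EVENTS = [
    ("PO-1", "request_po", "lee", "2024-03-01T09:00"),
    ("PO-1", "place_po", "lee", "2024-03-01T10:00"),
    ("PO-1", "approve_po", "park", "2024-03-01T11:00"),
    ("PO-2", "place_po", "kim", "2024-03-02T09:00"),
    ("PO-2", "request_po", "choi", "2024-03-02T15:00"),
]

if __name__ == "__main__":
    print(entitlement_conflicts(ASSIGNMENTS))
    print(po_violations(EVENTS))
```

The first check looks at what each person is allowed to do, the second at what was actually done, so a conflict that is missing from the access list can still surface in the transaction records.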

Although many entities have adopted the basic SOD principle as part of their major operations, it is important to revisit the "incompatible roles" during risk assessment and to analyze the processes thoroughly so that compensating controls are put in place wherever conflicts remain. Let's remember that recent large-scale fraud cases occurred through loopholes in segregation of duties.

In addition to Segregation of Duties, it is also important to clarify each person's roles and responsibilities. Self-assessment is a good starting point for identifying each member's roles and responsibilities and ultimately comparing them with that member's actual access and authority. It can also reveal incompatible tasks that need to be separated and assigned to others. Assessing potential misconduct by other positions or by any member of your organization will also help to identify risks. Wherever signals or potential risks appear, that is where SOD can be implemented.

While the continuous occurrence and scale of fraud cases are surprising, having proper plans in place can significantly reduce the occurrence of fraudulent activities, or cut losses if a fraud has already occurred. When you check your team from the perspective of SOD, you can find the answer surprisingly easily. Consider what misconduct might be possible in your position or within your organization by asking questions. Is it technically possible for me or for any of the members of our organization? Are there any incompatible tasks to be separated? It is time to discuss openly with your team members, revisit responsibilities and authority within the organization, and establish awareness of "fraudulent activities and the SOD principle" to minimize potential risks within your organization.

[Contact Us]
Please contact the email address below if you have any questions.
sh.moon@hyundai.com (F&AP Team Seonghoon Moon Manager)

This newsletter has been sent for executives and employees to comply with K-SOX training obligation under the Korean External Audit Act (Enforcement Decree Article 9)
