If it can happen in Denmark, it can happen anywhere.
With just short of 6 million people we Danes are extremely proud of our small, progressive and innovative country where everything seems to be under control.
According to the annual World Happiness Report we are the second happiest country in the world, just surpassed by our fellow Nordic friends from Finland. For 3 out of the last 5 years we have topped the Corruption Perceptions Index table, meaning that we are one of the least corrupt countries in the world.
Ask OECD about countries with the best work-life balances, and you will notice that here we are constantly battling for 1st place with our like-minded Dutch friends. We have the shortest working week in the world, and yet, we are reported as one of the most productive and hardworking work-forces in Europe.
We have a well-functioning welfare system, free education and healthcare and all workers are statutorily entitled to 5 weeks of vacation each year.
Remember the saying ‘the grass is always greener on the other side’?
We do too. Though, we do not really believe in it. For us Danes the grass will always be greenest in Denmark.
Can it all be that perfect though? Or might there actually be something rotten in the state of Denmark as Marcellus would say?
During the past years we have witnessed several financial scandals raising a massive media attention. Financial scandals that we from time to time read about in newspapers from abroad, but never imagine could happen in our small country of Denmark. However, those scandals are now also a part of our reality.
The financial scandals in Denmark have two keywords attached to them – ‘State-owned companies’ and ‘Segregation of Duties’. Due to their lack of having an efficient Segregation of Duties system in place, we have witnessed several state-owned entities being scammed by enormous amounts from their own employees.
How could a regular social-service worker transfer public funds to her own accounts for more than 25 years without being caught? And how could she execute more than 300 transactions for a total amount equaling more than 15 million euros to her own accounts without anyone raising their eyebrows?
Segregation of Duties is the answer. Or to word it better; the lack of Segregation of Duties is the answer.
Segregation of Duties, or SoD, have often been neglected and down prioritized in both private and public companies due to the perception that an SoD tool is complex, expensive and has a long implementation time. Many larger companies are still handling their SoD process manually, which turns out to be an almost impossible task. With the almost endless combinations of SoD roles, t-codes, functionalities and objects, it is certain that one cannot be up to date with their SoD process at any given time. Those combinations are not intended to be manually handled by us humans. No matter of how brainy and nerdy we like to be, those SoD combinations can and will give headaches and nightmares for even the best of us.
From the example above, it is very likely that with the right SoD system in place, it would never have been possible for a regular worker to misuse her critical functions for 25 years and scamming the Danish welfare-state of more than 15 million euros. With Segregation of Duties in place she would have not been able to execute two critical functions at the same time.
In this specific example the convicted worker was able to create fictive projects and funds, and later performed more than 300 transactions over 25 years to a series of bank accounts belonging to herself. This could all have been prevented if the Segregation of Duties were in place. Then she would never have had the critical access to both create projects and transfer funds for the projects.
While the lack of Segregation of Duties might often be related to financial consequences, one also has to consider the reputational consequences it can have for a company. The cases we see in media are just the tip of the iceberg. Those are just the cases that has been exposed, while there are many others that has been swept under the rug. While private-owned companies have the possibility to keep these negative cases away from the public and the media, the public-owned companies have a much harder time keeping these scandals hidden from the outside world. The public-owned companies can be looking into a severe reputation-loss on the background of SoD scandals as well as enormous expenses in order to clean up after the damage has been done.
Therefore, having your Segregation of Duties in place is of the utmost importance for all public and private companies. Not just because of the example related to critical functions above. Segregation of Duties is important due to several factors:
- You can prevent SAP Security breaches.
- You always know who has access to personal data.
- You can define and document what is critical in your company.
- You can develop a fact based evaluation of access rights provisioning.
- You can secure your system against accidental errors.
- You can quickly and efficiently document audit requirements.
- SoD is the foundation for compensating controls.
Yet, many companies and organizations are still closing their eyes and hoping that a Segregation of Duties scandal will never affect them. Fortunately, the internal and external auditors are starting to become more aware of SoD. Auditors are slowly but consistently updating their requirements and demands towards a larger focus from public and private-owned companies towards Segregation of Duties. This trend will continue, and we will see a consistent increase in remarks from the auditors on this area. With so much focus on automation within larger companies all over the world, it is a mystery why so many still believe that Segregation of Duties should be handled manually. Is it optimism? Ignorance? Old traditions? Or maybe just a perception that it is too costly, complex and time-consuming to implement a more automated process of Segregation of Duties?
We do not know the reasons. However, can assure you that it does not have to be like that.
Since 2014 we have helped numerous international customers automating their Segregation of Duties process with the help of our Access Control tool – which is preventive, certified and integrated directly into SAP. Our focus has been on the key SoD functionality and ensuring the application is easy to implement and simple to use. The maintenance of the tool and the rule set must be manageable for any compliance consultant thus ensuring a first-rate compliance level, and at the same time ensuring low cost operation of the application in the long run.
In these times Segregation of Duties are more important than ever. Therefore, we would love to have an SoD discussion with you on how it is possible to automate your Segregation of Duties process without running into heavy cost and a complex and time-consuming implementation process. Your business could benefit from this already 2-3 days after the implementation.
And remember; if Segregation of Duties scandals can happen in Denmark, it can truly happen anywhere.
Follow us on LinkedIn and get instant access to our latest articles and posts on SAP and compliance.
Interested to learn more….?
We always look forward presenting Access Control to present customers, possible new customers, partners and network. So, if you want to learn more, have questions or would like to see a live demo of CN Access Control please contact us.