The separation of duties concept prohibits assigning one person responsibility for the acquisition of assets, their custody, and the related record keeping. For example, one person can place an order to buy an asset, but a different person must record the transaction in the accounting records. Separating duties makes fraud easier to prevent, since at least two people would need to collude to commit it, which is far less likely than when a single person is responsible for all aspects of an accounting transaction.
From a risk management point of view, the distribution of tasks such as review and approval should be built into the business process of financial and accounting systems. Supervisory review combined with simple internal controls reduces the risks of fraud and human error. Role definitions combined with access controls allow the payment service to grant accurate and consistent access rights: individuals performing the same tasks receive the same access rights, and internal audit controls are easier to implement. User roles also minimize the risk of inaccurate or excessively broad access rights compared with user-specific rights, which are harder to administer.
To ensure a complete audit trail of transactions in the payment service, the organization should ensure that every person participating in the payment process has their own unique user ID. The worst-case scenario is shared user IDs and access rights; that old way of working significantly increases the risk of fraud and error, because an audit log entry can no longer be attributed to one individual.
Unique roles allow the system administrator to define the rights needed to access the information of exactly those companies the user is required to work with. This ensures transparency and compliance in financial processes.
Individual certification (approval) rights allow different processes for various types of payment material. For example, when working with payment files, the users who have the right to approve particular payment files can be specified, and those files must always be approved by a human rather than released automatically. For the most critical payment files, the business process can be set up to require multiple approvals by different key users.
Primary users who can change settings should also be controlled. For example, a single user should not be able to make changes such as setting up new bank accounts in a multibank or corporate web bank system without an approval process involving other named users. This limits the exposure to fraud and error in critical payment processes.
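As an added example (not code from the original page or from any particular payment service), the following Python model enforces the two controls described above: a payment file or a bank account setup is created under one unique user ID, and it is released only after the required number of distinct, role-qualified approvers have signed it off, never including the person who created it. The role table, user names and action kinds are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field


class SoDViolation(Exception):
    """Raised when an action would break separation of duties."""


# Constructed role table (assumption): every person has a unique user ID
# mapped to exactly one role; there are no shared or anonymous IDs.
ROLES = {
    "alice": "preparer",
    "bob": "approver",
    "carol": "approver",
    "dave": "admin",
    "erin": "admin",
}

# Which role is allowed to approve each kind of controlled action (assumption).
APPROVER_ROLE = {"payment_file": "approver", "bank_account_setup": "admin"}


@dataclass
class ControlledAction:
    """A payment file release or a settings change that needs sign-off."""
    action_id: str
    kind: str                 # key of APPROVER_ROLE
    created_by: str
    required_approvals: int   # 1 = dual control, 2+ = multiple key users
    approvals: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # (event, user) audit trail


def create(action_id, kind, user, required_approvals):
    """Record who created the action; unknown IDs are rejected outright."""
    if user not in ROLES:
        raise SoDViolation(f"unknown user {user!r}: only unique named IDs may act")
    action = ControlledAction(action_id, kind, user, required_approvals)
    action.audit.append(("create", user))
    return action


def approve(action, user):
    """Add one approval; returns True once the action is fully approved."""
    if ROLES.get(user) != APPROVER_ROLE[action.kind]:
        raise SoDViolation(f"{user} lacks the approver role for {action.kind}")
    if user == action.created_by:
        raise SoDViolation(f"{user} created {action.action_id} and cannot approve it")
    if user in action.approvals:
        raise SoDViolation(f"{user} has already approved {action.action_id}")
    action.approvals.append(user)
    action.audit.append(("approve", user))
    return len(action.approvals) >= action.required_approvals
```

Because every accepted event carries the acting user ID, the `audit` list gives the per-person trail that shared IDs would destroy.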