Sunday, 3 November 2013

When moving is a problem

Mobility of staff within an organisation can be perceived as a good thing - a result of an efficient HR department and a company that likes to remain agile. However, this causes an often neglected flaw in many companies and how they administer the system access of their employees and the resultant authorisation.

Many organisations have processes that involve multiple people. This is often for good reason, to spread risk and introduce checks and balances to prevent fraud or human error. Imagine that an employee starts off in a role within the organisation in the front office, answering phone calls. Let's call him Bob.... 

Bob has a set of screens that allow him to request functions for the back office to complete. Perhaps one of these functions is requesting refunds for defective products for the back office to process.

Then Bob gets a promotion that allows him to work in the back office, printing the same refund cheques that he used to request while he was in the front office. Most organisations will add the new functions, but they will rarely take away the old redundant authorisation.

Bob now has access to both front and back office functions that enable him to request and print cheques without scrutiny from the rest of the organisation.

So I would ask - how many of your colleagues have been put in this position? Are they even aware that they are exposed to fraud and excessive operational risk? Conduct an audit. See for yourself. You may be surprised by the results.