It is 6:30 in the morning and I'm about to get ready to head to the airport and then home after a week-long business trip. On my way out the door I pick up my hotel bill; as I walk towards the elevator I look over the invoice and notice an additional restaurant charge from the night before. I go to the front desk and have the hotel staff check things over; they quickly reverse the charge, as someone else had accidentally charged their dinner to my room.
I know this is not the first time it has happened to me or to colleagues. On my taxi ride to the airport, I keep wondering: how does this happen? Why can't the server realize someone just charged two different bills to the same room? Or why aren't there any measures within the restaurant management system in place to quickly pick up these anomalies?
To me, it should be a no-brainer: restaurant management systems should have some concept of Separation of Duties (SoD) to protect the restaurant and its patrons from common errors like guests accidentally charging their bill to other rooms. OK, maybe I'm overthinking this. However, is it too much to ask the restaurant management system to at least warn the server closing the bill that the same room number was used on another invoice less than an hour ago? A simple pop-up or warning message could have helped the server realize a potential error and correct it before the invoice gets reconciled during the night and ends up on someone else's hotel bill.
Is separation of duties (SoD) the key to internal controls that increase protection from fraud and errors? Are today's organizations taking more proactive measures to protect themselves against fraud or errors that can jeopardize their brand name or cost $$$$ in lost revenue, fines, etc.?
The basis of segregation of duties (SoD) processing is a set of rules that represent the technical implementation of prescribed guidelines. They are grouped according to different frameworks (e.g., "internal guidelines", "SOX", etc.) or according to content-related criteria, such as individual application systems. They can be either preventive controls (blocking a conflicting assignment before it is granted) or detective controls (reporting conflicts that already exist). Either way, compliance with the rules established for employees and their access permissions in the enterprise needs to be monitored with an SoD check.
Taking my hotel bill anomaly example and applying it to real-world scenarios, I see companies of all sizes starting to put more importance on not combining internal roles such as receiving and signing company checks. Separation of duties in this case fully restricts the amount of power an individual user has over a core responsibility and minimizes potential risks.
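The following is an added illustration, not code from the original post: a minimal SoD check in Python that covers both the preventive and detective modes described above, using the receive-vs-sign-checks conflict as a rule, plus the same-room-within-an-hour warning from the hotel example. All rule names, users, permissions, room numbers and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class SodRule:
    name: str
    framework: str            # grouping, e.g. "SOX" or "internal guidelines"
    conflicting: frozenset    # permissions that must never be held by one person

# Constructed rule set (hypothetical names, not from any real control catalogue)
RULES = [
    SodRule("receive-vs-sign-checks", "internal guidelines",
            frozenset({"receive_checks", "sign_checks"})),
    SodRule("create-vendor-vs-approve-payment", "SOX",
            frozenset({"create_vendor", "approve_payment"})),
]

# Constructed snapshot of user -> currently held permissions
ASSIGNMENTS = {
    "alice": ["receive_checks", "post_ledger"],
    "bob": ["receive_checks", "sign_checks"],
    "carol": ["create_vendor", "approve_payment", "sign_checks"],
}

def violations(assignments, rules=RULES):
    """Detective control: (user, rule, framework) for every conflict already present."""
    return [(user, r.name, r.framework)
            for user, perms in assignments.items()
            for r in rules if r.conflicting <= set(perms)]

def can_grant(current_perms, new_perm, rules=RULES):
    """Preventive control: refuse a grant that would complete a conflict set.
    Returns (allowed, names of the rules the grant would violate)."""
    proposed = set(current_perms) | {new_perm}
    blocked = [r.name for r in rules if r.conflicting <= proposed]
    return (not blocked, blocked)

# Constructed restaurant invoices as (room, time closed) and the closing time of a new bill
INVOICES = [("412", datetime(2024, 5, 1, 19, 5)), ("507", datetime(2024, 5, 1, 18, 30))]
CLOSING_TIME = datetime(2024, 5, 1, 19, 45)

def earlier_charges_same_room(invoices, room, closed_at, window=timedelta(hours=1)):
    """The hotel-bill warning: invoices closed to the same room within the window before this one."""
    return [inv for inv in invoices
            if inv[0] == room and closed_at - window <= inv[1] < closed_at]

if __name__ == "__main__":
    for v in violations(ASSIGNMENTS):
        print("SoD violation:", v)
    print("grant sign_checks to alice:", can_grant(ASSIGNMENTS["alice"], "sign_checks"))
    print("same-room warning for 412:", earlier_charges_same_room(INVOICES, "412", CLOSING_TIME))
```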