Segregation of Duties (SoD) controls: A lesson learned from RepairPal’s $2.7 million mistake

by Trevor Huntting | Sep 12, 2023

Imagine waking up one day to discover that a single person diverted $2.7 million from your company’s accounts while operating right under your nose for nearly a decade. This isn’t a plot from a heist movie—it’s a real-life lesson on the importance of internal controls. Let’s dive into the recent RepairPal embezzlement scandal to understand why.

The case of Aubrey Shelton, the former vice president of finance at RepairPal, vividly illustrates the real risks businesses face when adequate internal controls are not in place. Shelton allegedly exploited his sole control over the company’s payroll software to boost his salary and bonuses beyond approved levels. He’s also accused of directing the payroll processor to issue him substantial payments labeled as “executive loan,” “miscellaneous reimbursement,” “mileage reimbursement,” and other such reimbursements that he neither had authorization for nor genuinely incurred.

One specific control mechanism that might have thrown a wrench in Shelton’s plans is ‘Segregation of Duties’ or ‘SoD.’ But what exactly is SoD?

Understanding SoD: A defense against financial malfeasance

In simple terms, SoD ensures that tasks and responsibilities are divided among various employees so that no single individual controls all aspects of any critical business transaction. Think of it as a relay race: the baton is passed between multiple runners instead of one person running the entire distance. This relay-style approach in financial transactions makes it harder for errors or misconduct to slip through unnoticed.

In a broader organizational context, SoD provides multiple benefits:

  • Preventing insider threats: SoD ensures that no individual can take unauthorized or malicious actions without detection.
  • Risk mitigation: A core strategy to protect against unchecked authority, reducing the potential for mistakes. Example: Different individuals should manage the creation of user accounts and the assignment of access rights.
  • Regulatory compliance: SoD is essential for adherence to numerous global regulations, including GDPR, HIPAA, PCI DSS, and the NIS Directive. Non-compliance risks include financial penalties, legal actions, and reputational setbacks.
  • Maintaining cybersecurity posture: SoD fortifies organizational defenses against security vulnerabilities. It’s a proactive measure to guard against system compromises. You can find a more detailed explanation of the SoD principles in our earlier blog post, “The vital role of Segregation of Duties in cybersecurity and compliance.”

Specifically, in Shelton’s case, the absence of SoD granted him unchecked authority to both initiate and authorize payments. This enabled him not only to submit and approve his own expense reports but also to double his own salary and request funds from payroll.

Had RepairPal implemented stringent SoD controls, separating duties like transaction initiation, authorization, and review among different individuals, the company likely would have spotted the gross misconduct sooner.

The dire need for Segregation of Duties

Shelton’s alleged embezzlement from RepairPal is a textbook example of how an organization’s lack of proper internal controls can create vulnerabilities. Let’s break down the sequence of events and see how SoD controls could have prevented the harm these events caused.

Manipulating payroll software

According to the United States Department of Justice findings, Shelton had “exclusive control” over the company’s payroll processing software. With SoD controls in place, no single employee should have unchecked authority over financial software. Ideally, there should be separate roles for initiating, authorizing, and finalizing financial transactions, ensuring a solid checks-and-balances system.
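To make the two halves of this control concrete, here is an added Python example (not code from the original post, and not Zilla’s product) that models them: a maker-checker workflow in which a payment needs a distinct initiator, approver, and releaser, so self-approval is refused; and a conflict-matrix scan that flags any identity holding two entitlements the policy says must never sit with one person (for example, editing compensation and approving the payroll run, or creating user accounts and assigning their access, as in the benefits list above). All user names, role strings, and records are constructed sample data.

```python
"""Segregation-of-Duties (SoD) checks: a maker-checker workflow plus an
entitlement conflict scan. Added illustration with constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed conflict matrix: each pair is a "toxic combination" that one
# identity must never hold at the same time. Real policies are usually larger.
SOD_CONFLICTS = {
    frozenset({"payroll:edit_compensation", "payroll:approve_run"}),
    frozenset({"expenses:submit", "expenses:approve"}),
    frozenset({"iam:create_user", "iam:assign_access"}),
    frozenset({"payments:initiate", "payments:approve"}),
}

# Constructed entitlement snapshot, as an access review tool might export it.
SAMPLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "vp_finance": {"payroll:edit_compensation", "payroll:approve_run",
                   "expenses:submit", "expenses:approve"},
    "controller": {"payroll:approve_run", "expenses:approve"},
    "it_admin":   {"iam:create_user"},
}


def find_sod_violations(entitlements: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (user, entitlement_a, entitlement_b) for every conflicting pair
    held by a single user, sorted so the output is stable for reports/tests."""
    violations = []
    for user, held in entitlements.items():
        for pair in SOD_CONFLICTS:
            if pair <= held:  # user holds both sides of the conflict
                a, b = sorted(pair)
                violations.append((user, a, b))
    return sorted(violations)


class SoDViolation(Exception):
    """Raised when a workflow step would let one person hold two duties."""


@dataclass
class Payment:
    """A payment that must pass through three different people."""
    amount: float
    memo: str
    initiated_by: str
    approved_by: Optional[str] = None
    released_by: Optional[str] = None
    history: List[str] = field(default_factory=list)

    def approve(self, approver: str) -> None:
        # Self-approval is the exact gap the post describes; refuse it.
        if approver == self.initiated_by:
            raise SoDViolation(f"{approver} cannot approve a payment they initiated")
        self.approved_by = approver
        self.history.append(f"approved by {approver}")

    def release(self, releaser: str) -> None:
        if self.approved_by is None:
            raise SoDViolation("payment must be approved before release")
        if releaser in (self.initiated_by, self.approved_by):
            raise SoDViolation(f"{releaser} already acted on this payment")
        self.released_by = releaser
        self.history.append(f"released by {releaser}")

    def is_complete(self) -> bool:
        """True only when three distinct identities handled the three steps."""
        return len({self.initiated_by, self.approved_by, self.released_by}) == 3


def self_approval_is_blocked(initiator: str) -> bool:
    """Demonstrate the maker-checker rule: an initiator approving their own
    payment is rejected with SoDViolation."""
    payment = Payment(5000.0, "mileage reimbursement", initiated_by=initiator)
    try:
        payment.approve(initiator)
    except SoDViolation:
        return True
    return False


if __name__ == "__main__":
    for user, a, b in find_sod_violations(SAMPLE_ENTITLEMENTS):
        print(f"SoD violation: {user} holds both {a} and {b}")
    p = Payment(5000.0, "mileage reimbursement", initiated_by="alice")
    p.approve("bob")
    p.release("carol")
    print("three-person payment complete:", p.is_complete(), p.history)
```

The scan reports the constructed `vp_finance` identity twice (payroll and expenses) while `controller`, who only approves, is clean; that is the review step a separate person or department would perform. The workflow class shows the preventive side: the rule is enforced at the point of action rather than discovered later in an audit.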

False mileage and loan claims

Shelton allegedly claimed he was entitled to $5,000 of mileage reimbursements on twelve consecutive semi-monthly paychecks. Additionally, he is accused of supplementing these false mileage claims with fabricated “executive loans” and “miscellaneous reimbursements.” These findings point to an apparent breakdown in the review process. With SoD controls in place, a separate individual or department would be tasked with validating and approving these claims. This layered verification makes it challenging for unjustified claims, like Shelton’s alleged ones, to slip through unnoticed.

Misrepresentation to the IRS and company auditors

Shelton allegedly provided false payroll documentation to the CEO and submitted incorrect information to auditors. SoD controls typically involve different departments or individuals handling data submissions to external parties. Additionally, periodic internal audits and third-party checks can provide a multi-layered safeguard against policy violations.

Working in isolation

According to RepairPal, Shelton was the sole decision-maker on many important transactions. RepairPal Chief Revenue Officer and Communications Lead, Kathleen Long, stated that “Shelton acted alone, and no other company employees were involved,” which underscored the dangers of not having multiple eyes on crucial financial processes. Adequate SoD controls improve collaboration and oversight, ensuring no single individual can manipulate the system unchecked.

The RepairPal case illustrates the critical need for businesses to prioritize and implement strong internal controls, especially SoD, regardless of their size or industry. As the saying goes, “trust, but verify.” Not only do such controls protect a company’s financial integrity, but they also safeguard its reputation and trustworthiness in the eyes of its stakeholders and customers. 

How can Zilla Security help?

With the proliferation of cloud applications, companies frequently grapple with the number and complexity of sprawling permissions across many applications, each with its unique combination of roles and access rights. In this type of environment, the risk of missing both intentional and accidental SoD violations is much higher.

This is when Zilla Security’s Identity Security Solution, specifically designed for modern SaaS and cloud-native identity architectures, can help. Zilla navigates the maze of permissions and roles within an organization of any size. It detects SoD violations through automated policies and alerts security and compliance teams to potential risks, offering suggestions to address and remediate these risks quickly and efficiently. 

Where manual oversight is too complex and error-prone, a purpose-built, scalable SoD solution like Zilla Security makes it easier to maintain a robust and compliant internal control environment.

At Zilla, we understand the intricacies of SoD and have helped many customers of all sizes across many industries fortify their internal controls. Book a demo to see what Zilla Security can do for you.


Author

  • Trevor Huntting

    Trevor Huntting is a Senior Sales Engineer at Zilla Security, where he’s been part of the team for two and a half years, joining as one of the first 20 employees.

    With six years of experience in identity and access management, Trevor plays a key role in proving out our platform’s capabilities for potential customers, ensuring Zilla delivers on its promises. He’s known for his passion for innovation and commitment to excellence in the cybersecurity field.

