A payroll fraud dual approval postmortem teaches that two approvals do not prevent fraud unless the approver is independent, can see the underlying changes, and cannot be influenced by the same compromised account or workflow. The failed control in this incident had two people involved, but only one person had meaningful visibility into bank-account changes before payroll was released. For an ISO 27001 audit, the evidence must show that conflicting duties were actually segregated in system permissions, workflow design, and review records—not merely stated in a policy.
This composite incident involved Northstar Managed Services, a 185-person IT service provider with three offices and a distributed help desk. The organization used ADP Workforce Now for payroll, Microsoft 365 for email and Teams, Microsoft Entra ID for identity management, and ServiceNow for onboarding and offboarding requests. Payroll was processed biweekly by a payroll coordinator, reviewed by the finance director, and released through an ACH funding workflow.
How did the incident timeline unfold?
The fraud was discovered quickly enough to contain most of the loss, but not before three employee payments had been diverted. The attacker did not need to compromise the finance director’s ADP account. Instead, the attacker compromised the payroll coordinator, changed direct-deposit information, and relied on a rushed approval process that reviewed only the total payroll amount.
| Timestamp | Event | Control expectation | What actually happened |
|---|---|---|---|
| Tuesday, 8:14 a.m. | The payroll coordinator received a Microsoft 365-themed phishing message requesting review of a shared payroll file. | Phishing-resistant MFA and conditional access should block token theft. | The coordinator entered credentials and approved an MFA prompt through a proxy phishing site. |
| Tuesday, 9:03 a.m. | The attacker used the captured session token to access the coordinator’s Microsoft 365 mailbox. | Impossible-travel and token-protection alerts should trigger investigation. | Entra ID sign-in alerts were routed to a monitored security mailbox but were not reviewed until the next business day. |
| Tuesday, 9:21 a.m. | The attacker signed in to ADP Workforce Now using the coordinator’s existing password and MFA session. | The payroll role should permit entry of changes but not final release or unrestricted employee payment changes. | The coordinator’s security profile allowed direct-deposit edits, payroll preparation, and generation of the approval summary. |
| Tuesday, 9:37 a.m. | Direct-deposit accounts were changed for six employees whose accounts had not changed in more than two years. | Bank-account changes should create an exception report and require independent verification. | No exception workflow existed; the changes appeared only in an audit log that was not part of the approval package. |
| Tuesday, 10:18 a.m. | The coordinator’s account submitted the payroll batch for approval. | The finance director should review payroll totals and material employee-level changes. | The director received an ADP approval notification and a Teams message stating, “Payroll is ready; no exceptions.” |
| Tuesday, 10:31 a.m. | The finance director approved the ACH payroll release. | A separate approver should confirm direct-deposit changes against an independent source. | The director reviewed gross pay, tax totals, and headcount, but not the direct-deposit change report. |
| Friday, 11:23 a.m. | An employee reported a missing deposit to the ServiceNow HR support queue. | Employee reports should be triaged as potential payment fraud. | The help desk escalated the ticket after identifying two more similar reports. |
| Friday, 12:06 p.m. | Payroll and security began containment. | Access should be revoked, payment recalls initiated, and evidence preserved. | ADP access was suspended, Entra sessions were revoked, and the bank initiated ACH recall requests. |
Northstar recovered approximately $31,400 of the $48,700 diverted. The remaining amount was treated as a financial loss, but the larger finding was control-related: the organization’s documented dual-approval process did not create an independent decision about the risky activity.
What did the root-cause analysis find?
The investigation found no evidence that the finance director acted improperly. The director performed the review that the workflow presented: a high-level payroll total, a headcount comparison, and an approval button. The failure was that the organization had defined “approval” as authorization to release funds, rather than verification of the changes that could redirect those funds.
Three root causes were documented in the corrective-action record:
- Over-broad payroll permissions: The payroll coordinator’s ADP security profile combined employee payment-data maintenance, payroll preparation, and approval-package generation. These duties created a conflict because the same role could introduce and conceal an unauthorized change.
- Insufficient approval evidence: The finance director received payroll totals but not a mandatory report showing each direct-deposit addition or modification, the prior account value, the person making the change, and the time of change.
- Untrusted approval context: The attacker used the compromised mailbox and Teams session to reinforce the claim that there were “no exceptions.” The finance director relied partly on a message originating from the account that had made the changes.
The team mapped these findings to ISO 27001 Annex A control 5.3, Segregation of Duties. The requirement is clear: “Conflicting duties and conflicting areas of responsibility shall be segregated.” In this case, the conflict was not simply between payroll preparation and payroll release. It also existed between making a payment-detail change and producing the evidence used to validate that change.
What did this payroll fraud dual approval postmortem reveal about the control failure?
The organization had a two-person payroll review, but it did not have a reliable dual-approval design. The preparer could change sensitive employee payment data, assemble the review package, and characterize exceptions before the approver saw anything. The approver had a separate identity and did approve the final release, yet lacked the information needed to challenge the preparer’s work.
That distinction matters in an audit. A control can be present on paper and still fail operating effectiveness. An auditor examining this incident would reasonably ask for evidence that the approver reviewed direct-deposit changes, that the report was generated independently of the initiator, and that system access prevented one person from completing conflicting tasks.
The incident also exposed a common misconception: dual approval is not satisfied when the second person approves only the transaction total. Payroll diversion frequently occurs through changes that leave total gross payroll nearly unchanged. A fraudulent direct-deposit update can move money from a legitimate employee account to an attacker-controlled account without changing headcount, tax calculations, or total ACH funding.
Which corrective and preventive actions closed the gaps?
Northstar’s response was not to add another manual signature. The team redesigned the workflow so that each approval had a defined purpose, separate authority, and retained evidence.
- Separated ADP roles: The payroll coordinator retained the ability to enter payroll adjustments but lost permission to finalize direct-deposit changes and submit the ACH release. A separate HR operations role now validates employee payment-detail changes, while the finance director retains release authority.
- Created a mandatory exception report: Before every payroll release, ADP produces a report of new and changed direct-deposit records since the prior payroll. The report includes employee ID, change date, old and new routing numbers masked to the final four digits, initiating account, and ticket reference.
- Required independent verification: HR operations must validate bank-account changes using the employee’s established contact information in the HRIS, not a telephone number or email address supplied in a change request.
- Added a 48-hour hold: Direct-deposit changes submitted within 48 hours of payroll cutoff are deferred to the next cycle unless the CFO documents an emergency exception.
- Strengthened identity controls: Payroll, HR operations, and finance release roles moved to phishing-resistant FIDO2 security keys. Entra ID conditional access now blocks high-risk sign-ins and requires compliant managed devices for ADP access.
- Improved evidence retention: The ServiceNow payroll-release record now contains the exception report, approver identity, timestamp, verification ticket numbers, and any emergency exception approval.
During the next internal control test, the IT manager selected two payroll cycles and traced five direct-deposit changes from employee request through HR verification, ADP audit log, exception report, finance approval, and payroll release. That test produced stronger evidence than asking staff whether they followed the payroll dual-approval control.
What lessons generalize beyond payroll?
First, segregate the ability to make a high-risk change from the ability to approve, release, or certify that change. This applies equally to vendor banking changes, privileged-access assignments, firewall rule releases, and customer refund workflows.
Second, make the reviewer independent of both the initiator and the initiator’s evidence. An approver should receive system-generated exception data or data from a separately controlled source, not a summary curated by the person whose work is being approved.
Third, define what the second approval is meant to detect. In this case, the finance director was effective at detecting unusual payroll totals, but the fraud did not alter totals. A two-person payroll review must explicitly include review of payment-routing changes, not just release of the aggregate payment.
Finally, treat audit evidence as part of the control rather than an administrative afterthought. For ISO 27001 certification readiness, you should be able to demonstrate who requested a change, who verified it, who approved it, what system permissions each person held, and whether those roles remained segregated throughout the transaction.
Next step: Before your next certification audit, trace one recent payroll change end to end and confirm that no single account can create, validate, and release the associated payment.